New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Adding test-cases for ipa-cacert-manage #1849
Conversation
Since this PR is part of Extending test coverage in upstream for ipa-cacert-manage, so no pagure ticket linked with this. |
Hello @amore17 Can you please add a commit to your PR and add tests you've implemented into It would be good to remove all others tests from this file and add only ones you need to test. Also, don't delete |
86032fc
to
eb176a4
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for your patch. Please check my inline comments.
|
||
class TestMultipleExternalCA(IntegrationTest): | ||
"""setup ext-ca1 install ipa-server with ca1 | ||
setup ext-ca2 renew ipa-server with ext-ca2 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sounds a little confusing. Could you re-phrase pls?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In commit it is changed to "Setup externally signed ca1
install ipa-server with with externally signed ca1
Setup externally signed ca2 and renew ipa-server with
externally signed ca2 and check the difference in certificate"
install_server_external_ca_step1(self.master) | ||
# Sign CA, transport it to the host and get ipa a root ca paths. | ||
|
||
test_dir1 = os.path.join(self.master.config.test_dir, 'CA1') |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would recommend to create temporary directory here e.g.:
tempfile.mkdtemp(prefix="extCA1-")
This way you do not need to do cleanup (which is missing here) later.
Applies to all other directories.
install_server_external_ca_step2(self.master, ipa_ca_fname1, | ||
root_ca_fname1) | ||
|
||
str1 = "caSigningCert cert-pki-ca" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please use a little bit descriptive variable names. E.g. instead of "str1" you can use "ca_nick".
root_ca_fname1) | ||
|
||
str1 = "caSigningCert cert-pki-ca" | ||
info1 = self.master.run_command(['certutil', '-L', '-d', |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same here e.g. "certutil_out"
self.assertCARenewalMaster(replica, replica.hostname) | ||
# set master back to ca-renewal-master | ||
master.run_command([paths.IPA_CACERT_MANAGE, 'renew']) | ||
self.assertCARenewalMaster(master, master.hostname) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would also check how other server (replica in this case) sees the situation. So:
self.assertCARenewalMaster(master, master.hostname)
self.assertCARenewalMaster(replica, master.hostname)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As per your suggestion, I have added check for replica also on line 498
fda2571
to
8e3439d
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for your patch.
The code is technical correct. I added a couple of code style nit-picks to improve readability of code.
|
||
|
||
class TestMultipleExternalCA(IntegrationTest): | ||
"""Setup externally signed ca1 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please use PEP 8 / PEP 257 doc strings. You are missing an empty line after the headline. The other lines are not properly indented, too.
https://www.python.org/dev/peps/pep-0008/#documentation-strings
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for your review.
I have added all changes requested by you.
externally signed ca2 and check the difference in certificate""" | ||
|
||
def test_master_install_ca1(self): | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
unnecessary new line
ipa_ca_fname1 = tempfile.mkdtemp(suffix='ipa_ca.crt', dir=paths.TMP) | ||
|
||
# Get IPA CSR as bytes | ||
ipa_csr = self.master.get_file_contents(paths.ROOT_IPA_CSR,) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
unnecessary trailing comma
ipa_csr = self.master.get_file_contents(paths.ROOT_IPA_CSR,) | ||
|
||
external_ca = ExternalCA() | ||
# Create root CA |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Comments like Create root CA
are unnecessary noise. The following code line is already self-explaining. You are literally doing
# do action
do_action()
Either remove noisy comments completely or explain the reason for each code block
# Create external root CA in order to <insert action here>
external_ca = ExternalCA()
root_ca = external_ca.create_ca(cn='RootCA1')
ipa_ca = external_ca.sign_csr(ipa_csr)
cert_out1 = self.master.run_command(['certutil', '-L', '-d', | ||
paths.PKI_TOMCAT_ALIAS_DIR, | ||
'-n', cert_nick]).stdout_text | ||
assert "CN=RootCA1" in cert_out1 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This block is a bit hard to read because the function arguments are heavily indented. The .stdout_text
attribute access is easy to mess, too. Other test codes commonly assigns the output of run_command
to a name result
and then checks its stdout_text
property.
result = self.master.run_command([
'certutil', '-L', '-d', paths.PKI_TOMCAT_ALIAS_DIR,
'-n', "caSigningCert cert-pki-ca"
])
assert "CN=RootCA1" in result.stdout_text
assert "CN=RootCA1" in cert_out1 | ||
|
||
def test_master_install_ca2(self): | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Unnecessary new line
root_ca_fname2 = tempfile.mkdtemp(suffix='root_ca.crt', dir=paths.TMP) | ||
ipa_ca_fname2 = tempfile.mkdtemp(suffix='ipa_ca.crt', dir=paths.TMP) | ||
|
||
self.master.run_command([paths.IPA_CACERT_MANAGE, 'renew', |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Try to make code more readable by minimizing indention levels and keeping arguments on line line:
self.master.run_command([
paths.IPA_CACERT_MANAGE, 'renew', '--external-ca'
])
ipa_csr = self.master.get_file_contents(paths.IPA_CA_CSR) | ||
|
||
external_ca = ExternalCA() | ||
# Create root CA |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
unnecessary comments like in the other function
cert_out2 = self.master.run_command(['certutil', '-L', '-d', | ||
paths.PKI_TOMCAT_ALIAS_DIR, | ||
'-n', cert_nick]).stdout_text | ||
assert "CN=RootCA2" in cert_out2 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reindent both run_command
calls and use result.stdout_text
root_ca_fname1 = tempfile.mkdtemp(suffix='root_ca.crt', dir=paths.TMP) | ||
ipa_ca_fname1 = tempfile.mkdtemp(suffix='ipa_ca.crt', dir=paths.TMP) | ||
|
||
# Get IPA CSR as bytes |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's a good idea to separate logical blocks by comments or empty. But both new line and comment is a bit much and bloats the code. In most cases, a new line is a sufficient visual separator.
88ea20e
to
6e60e5d
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi @amore17
Thanks for the patch. Please find inline comments, as well as the following suggestion:
Your PR is currently removing a bunch of tests from PR-CI and adding your new tests:
- if you want to run the new tests only in this PR (but not add them in PR-CI), then you may consider adding a temp commit with changes in .freeipa-pr-ci.yaml. The temp commit would have to be removed before the maintainer pushes the PR to git repo.
- otherwise add the new tests in this commit, but do not remove the other ones. They guarantee that the modifications from this PR do not break anything on the other tests.
.freeipa-pr-ci.yaml
Outdated
@@ -11,6 +11,10 @@ topologies: | |||
name: master_1repl_1client | |||
cpu: 4 | |||
memory: 6700 | |||
master_2repl_1client: &master_2repl_1client | |||
name: master_1repl_1client |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- Is it a typo, shouldn't this new topology user master_2repl_1client instead?
- I am not sure there is a need for a new topology since the test test_replica_promotion uses only a single replica.
class TestMultipleExternalCA(IntegrationTest): | ||
"""Setup externally signed ca1 | ||
|
||
install ipa-server with with externally signed ca1 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Typo with with
@amore17 please rebase your PR on master and fix the merge conflict. |
Github is still complaining about merge conflicts. Please squash all commits into a single commit and force-push your branch again. |
Scenario1: Setup external CA1 and install ipa-server with CA1. Setup exteranal CA2 and renew ipa-server with CA2. Get information to compare CA change for ca1 and CA2 it should show different Issuer between install and renewal. Scenario2: Renew CA Cert on Replica using ipa-cacert-manage verify that replica is caRenewalMaster Signed-off-by: Anuja More <amore@redhat.com>
@flo-renaud Thanks for your suggestion. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, good work!
@Rezney are you fine with the current state of the PR, too?
@tiran Sure, LGTM. Thanks all for your work here... |
master:
|
Scenario1: Setup external CA1 and install ipa-server with CA1.
Setup exteranal CA2 and renew ipa-server with CA2.
Get information to compare CA change for ca1 and CA2
it should show different Issuer between install
and renewal.
Scenario2: Renew CA Cert on Replica using ipa-cacert-manage
verify that replica is caRenewalMaster
Signed-off-by: Anuja More amore@redhat.com