Adding test-cases for ipa-cacert-manage

[amore17]

Scenario1: Setup external CA1 and install ipa-server with CA1.
Setup exteranal CA2 and renew ipa-server with CA2.
Get information to compare CA change for ca1 and CA2
it should show different Issuer between install
and renewal.

Scenario2: Renew CA Cert on Replica using ipa-cacert-manage
verify that replica is caRenewalMaster

Signed-off-by: Anuja More amore@redhat.com

[amore17]

Since this PR is part of Extending test coverage in upstream for ipa-cacert-manage, so no pagure ticket linked with this.

[slaykovsky]

Hello @amore17

Can you please add a commit to your PR and add tests you've implemented into .freeipa-pr-ci.yaml file?

It would be good to remove all others tests from this file and add only ones you need to test. Also, don't delete fedora27/build task from there. Another suggestion is to increase timeout just in case if tests will take a lot of time.

[Rezney]

Thanks for your patch. Please check my inline comments.

[Rezney]

Sounds a little confusing. Could you re-phrase pls?

[amore17]

In commit it is changed to "Setup externally signed ca1
install ipa-server with with externally signed ca1
Setup externally signed ca2 and renew ipa-server with
externally signed ca2 and check the difference in certificate"

[Rezney]

I would recommend to create temporary directory here e.g.:
tempfile.mkdtemp(prefix="extCA1-")

This way you do not need to do cleanup (which is missing here) later.

Applies to all other directories.

[Rezney]

Please use a little bit descriptive variable names. E.g. instead of "str1" you can use "ca_nick".

[Rezney]

Same here e.g. "certutil_out"

[Rezney]

I would also check how other server (replica in this case) sees the situation. So:

self.assertCARenewalMaster(master, master.hostname)
self.assertCARenewalMaster(replica, master.hostname)

[amore17]

As per your suggestion, I have added check for replica also on line 498

[tiran]

Thanks for your patch.

The code is technical correct. I added a couple of code style nit-picks to improve readability of code.

[tiran]

Please use PEP 8 / PEP 257 doc strings. You are missing an empty line after the headline. The other lines are not properly indented, too.

https://www.python.org/dev/peps/pep-0008/#documentation-strings

[amore17]

Thanks for your review.
I have added all changes requested by you.

[tiran]

unnecessary new line

[tiran]

unnecessary trailing comma

[tiran]

Comments like Create root CA are unnecessary noise. The following code line is already self-explaining. You are literally doing

# do action
do_action()

Either remove noisy comments completely or explain the reason for each code block

# Create external root CA in order to <insert action here>
external_ca = ExternalCA()
root_ca = external_ca.create_ca(cn='RootCA1')
ipa_ca = external_ca.sign_csr(ipa_csr)

[tiran]

This block is a bit hard to read because the function arguments are heavily indented. The .stdout_text attribute access is easy to mess, too. Other test codes commonly assigns the output of run_command to a name result and then checks its stdout_text property.

        result = self.master.run_command([
            'certutil', '-L', '-d', paths.PKI_TOMCAT_ALIAS_DIR,
            '-n', "caSigningCert cert-pki-ca"
        ])
        assert "CN=RootCA1" in result.stdout_text

[tiran]

Unnecessary new line

[tiran]

Try to make code more readable by minimizing indention levels and keeping arguments on line line:

        self.master.run_command([
            paths.IPA_CACERT_MANAGE, 'renew', '--external-ca'
        ])

[tiran]

unnecessary comments like in the other function

[tiran]

Reindent both run_command calls and use result.stdout_text

[tiran]

It's a good idea to separate logical blocks by comments or empty. But both new line and comment is a bit much and bloats the code. In most cases, a new line is a sufficient visual separator.

[flo-renaud]

Hi @amore17
Thanks for the patch. Please find inline comments, as well as the following suggestion:
Your PR is currently removing a bunch of tests from PR-CI and adding your new tests:

• if you want to run the new tests only in this PR (but not add them in PR-CI), then you may consider adding a temp commit with changes in .freeipa-pr-ci.yaml. The temp commit would have to be removed before the maintainer pushes the PR to git repo.
• otherwise add the new tests in this commit, but do not remove the other ones. They guarantee that the modifications from this PR do not break anything on the other tests.

[flo-renaud]

1. Is it a typo, shouldn't this new topology user master_2repl_1client instead?
2. I am not sure there is a need for a new topology since the test test_replica_promotion uses only a single replica.

[flo-renaud]

Typo with with

[tiran]

@amore17 please rebase your PR on master and fix the merge conflict.

[tiran]

Github is still complaining about merge conflicts. Please squash all commits into a single commit and force-push your branch again.

[amore17]

@flo-renaud Thanks for your suggestion.
I added changes as per your review. And I removed changes from .freeipa-pr-ci.yaml
@tiran I resolved conflicts.

[tiran]

LGTM, good work!

@Rezney are you fine with the current state of the PR, too?

[Rezney]

@tiran Sure, LGTM. Thanks all for your work here...

[tiran]

master:

• 51b9a82 Adding test-cases for ipa-cacert-manage