[Freeipa-devel] [freeipa PR#768][comment] Ticket#6854 caless

2017-05-10 Thread Rezney
  URL: https://github.com/freeipa/freeipa/pull/768
Title: #768: Ticket#6854 caless

Rezney commented:
"""
Ah, sorry I was not descriptive enough. I meant a temporary nssdb which is 
created by the script on the controller which is running the integration tests. 
However thanks for your input. Good to know this.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/768#issuecomment-300420449

[Freeipa-devel] [freeipa PR#769][synchronized] test_caless: add pkinit option and test it

2017-05-09 Thread Rezney
   URL: https://github.com/freeipa/freeipa/pull/769
Author: Rezney
 Title: #769: test_caless: add pkinit option and test it
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/769/head:pr769
git checkout pr769
From 1c517ee628fb31f765e21149fcaa3d26fd07d0fa Mon Sep 17 00:00:00 2001
From: Michal Reznik <mrez...@redhat.com>
Date: Tue, 9 May 2017 16:39:45 +0200
Subject: [PATCH] test_caless: add pkinit option and test it

change "caless-create-pki" so pkinit certificates can be
generated.

See https://web.mit.edu/kerberos/krb5-1.13/doc/admin/pkinit.html for details.

add pkinit option to the ipa installer and test both master and replica
install with pkinit.

Signed-off-by: Michal Reznik <mrez...@redhat.com>
---
 .../test_integration/scripts/caless-create-pki | 112 -
 ipatests/test_integration/test_caless.py   |  76 --
 2 files changed, 151 insertions(+), 37 deletions(-)

diff --git a/ipatests/test_integration/scripts/caless-create-pki b/ipatests/test_integration/scripts/caless-create-pki
index 8928e95..816e7dc 100644
--- a/ipatests/test_integration/scripts/caless-create-pki
+++ b/ipatests/test_integration/scripts/caless-create-pki
@@ -1,14 +1,29 @@
 #!/bin/bash -e
 
-profile_ca=(-t CT,C,C -v 120)
-profile_server=(-t ,, -v 12)
-
-crl_path=${crl_path-$(readlink -f $dbdir)}
-
-serial_number=0
+profile_ca_request_options=(-1 -2 -4)
+profile_ca_request_input="\$'0\n1\n5\n6\n9\ny\ny\n\ny\n1\n7\nfile://'\$(readlink -f \$dbdir)/\$ca.crl\$'\n-1\n-1\n-1\nn\nn\n'"
+profile_ca_create_options=(-v 120)
+profile_ca_add_options=(-t CT,C,C)
+profile_server_request_options=(-4)
+profile_server_request_input="\$'1\n7\nfile://'\$(readlink -f \$dbdir)/\$ca.crl\$'\n-1\n-1\n-1\nn\nn\n'"
+profile_server_create_options=(-v 12)
+profile_server_add_options=(-t ,,)
+
+write_chain() {
+local nick="$1"
+
+chain=`certutil -O -d $dbdir -n "$nick" |
+ sed -e '/^\s*$/d' -e "s/\s*\"\(.*\)\" \[.*/\1/g"`
+
+while read -r name; do
+# OpenSSL requires a reverse order to what we get from NSS
+echo -e "`certutil -L -d "$dbdir" -n "$name" -a`\n`cat $dbdir/$nick.pem`
+" > "$dbdir/$nick.pem"
+done <<< "$chain"
+}
 
 gen_cert() {
-local profile="$1" nick="$2" subject="$3" ca options pwfile noise csr crt
+local profile="$1" nick="$2" subject="$3" ca request_options request_input create_options serial add_options pwfile noise csr crt
 shift 3
 
 echo "gen_cert(profile=$profile nick=$nick subject=$subject)"
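Review bot: `write_chain` leaves `$dbdir` unquoted in `certutil -O -d $dbdir` and in `cat $dbdir/$nick.pem`, so a database path containing whitespace or glob characters is split before certutil or cat sees it; the same applies to `$(dirname $dbdir/$nick.pem)` in the later gen_cert hunk. Writing `-d "$dbdir"` and `cat "$dbdir/$nick.pem"` matches the quoted uses on the neighbouring lines. `chain` is also assigned without `local`, so it leaks into the caller's scope; `local nick="$1" chain` would contain it. When `$dbdir/$nick.pem` does not exist yet, the inner `cat` fails inside a command substitution where `-e` does not stop the script, and if a file from an earlier run is present the new chain is appended to stale content, so removing the file before the loop (`rm -f -- "$dbdir/$nick.pem"`) would make the result deterministic.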
@@ -18,13 +33,20 @@ gen_cert() {
 ca="$nick"
 fi
 
-eval "options=(\"\${profile_$profile[@]}\")"
+eval "request_options=(\"\${profile_${profile}_request_options[@]}\")"
+eval "eval request_input=\"\${profile_${profile}_request_input}\""
+
+eval "create_options=(\"\${profile_${profile}_create_options[@]}\")"
 if [ "$ca" = "$nick" ]; then
-options=("${options[@]}" -x -m 1)
+create_options=("${create_options[@]}" -x -m 1)
 else
-options=("${options[@]}" -c "$ca")
+eval "serial_${ca//\//_}=\$((\${serial_${ca//\//_}:-1}+1))"
+eval "serial=\$serial_${ca//\//_}"
+create_options=("${create_options[@]}" -c "$ca" -m "$serial")
 fi
 
+eval "add_options=(\"\${profile_${profile}_add_options[@]}\")"
+
 pwfile="$(mktemp)"
 echo "$dbpassword" >"$pwfile"
 
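Review bot: The nested `eval "eval request_input=..."` re-parses a template that embeds `$(readlink -f $dbdir)` and `$ca`, so any shell metacharacter in the database path or CA nickname is executed as code instead of being treated as data. The `serial_${ca//\//_}` counter has the same shape: only `/` is mapped to `_`, so a nickname with any other character that is not valid in a variable name turns the eval'd assignment into a command. If callers only ever pass fixed nicknames this is benign, but an associative array removes the eval entirely, e.g. `declare -A serial` once at file scope and `serial[$ca]=$(( ${serial[$ca]:-1} + 1 ))` here, followed by `-m "${serial[$ca]}"`. The request input could likewise be produced by a small per-profile function rather than a doubly evaluated string. gen_cert starts and ends outside this hunk.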
@@ -38,22 +60,14 @@ gen_cert() {
 
 csr="$(mktemp)"
 crt="$(mktemp)"
-certutil -R -d "$dbdir" -s "$subject" -f "$pwfile" -z "$noise" -o "$csr" -4 -2 >/dev/null </dev/null <<<"$request_input"
+certutil -C -d "$dbdir" -f "$pwfile" -i "$csr" -o "$crt" "${create_options[@]}" "$@"
+certutil -A -d "$dbdir" -n "$nick" -f "$pwfile" -i "$crt" "${add_options[@]}"
+
+mkdir -p "$(dirname $dbdir/$nick.pem)"
+write_chain "$nick"
+pk12util -o "$dbdir/$nick.p12" -n "$nick" -d "$dbdir" -k "$pwfile" -w "$pwfile"
 
 rm -f "$pwfile" "$noise" "$csr" "$crt"
 }
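Review bot: The added `certutil -C`, `certutil -A`, `write_chain` and `pk12util` steps all run between the creation of `$pwfile` and the final `rm -f`, and the script runs under `bash -e`, so a failure in any of them exits with the database password still sitting in a temp file. Creating one private directory up front and removing it from an EXIT trap covers every exit path: `tmpdir="$(mktemp -d)"; trap 'rm -rf -- "$tmpdir"' EXIT` near the top of the script, with the four files made via `mktemp -p "$tmpdir"`. The same `$pwfile` is also passed as both `-k` and `-w` to `pk12util`, so every exported `.p12` is protected by the NSS database password; that is probably intended for test fixtures but deserves a one-line comment. gen_cert begins outside this hunk.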
@@ -102,6 +116,49 @@ gen_server_certs() {
 revoke_cert "$nick-revoked"
 }
 
+gen_pkinit_extensions() {
+   echo "[kdc_cert]
+basicConstraints=CA:FALSE
+keyUsage=no

[Freeipa-devel] [freeipa PR#769][opened] test_caless: add pkinit option and test it

2017-05-09 Thread Rezney
   URL: https://github.com/freeipa/freeipa/pull/769
Author: Rezney
 Title: #769: test_caless: add pkinit option and test it
Action: opened

PR body:
"""
What was done?

~~~
1.) caless-create-pki

The script was kind of merged with 
https://github.com/freeipa/freeipa-tools/blob/master/makepki.sh. Standa took 
care of PKINIT certificate generation, so the write_chain() function was 
introduced; it handles the cert chain in the pkcs12 files and also reverses the 
chain order for the openssl command.

Then gen_pkinit_extensions() and gen_pkinit_cert() are handling the PKINIT 
certificate generation. See 
https://web.mit.edu/kerberos/krb5-1.13/doc/admin/pkinit.html for details.

2.) test_caless.py

As the tests are currently failing due to the pkinit option not provided 
"pkinit_pin, pkinit_pkcs12_exists and pkinit_pkcs12" parameters were added to 
both install_server() and prepare_replica methods and particular options are 
added to installator. Then copy_pkinit() is handling pkinit certs transfer.

TestPKINIT class contains test_server_replica_install_pkinit() test which 
checks both server and replica install with pkinit for a starter.

Eventually added "raiseonerr=False" to ipa_certs_cleanup() cause tests were 
failing there but that whole workaround for ticket 4639 will be removed in 
different commit.
~~~

What can be improved? (at least what I am aware of)

~~~
Currently pkinit certificates are not inside nss db so we copy it separately 
(we could also move it to certdir and copy as whole). Tried to put it there 
with pk12util but the certs were getting nicknames from openssl friendly names 
(I guess). Added -name parameter to "openssl pkcs12 -export" command and the 
nicknames were fine (e.g. "ca1/pkinit-server" after certuril -L) however after 
the "caless-create-pki" script was done all pkinit cert nicknames were just 
prefixed with "ca1/" (instead of ca1/ ca2/ etc.).
~~~

Issues found:

~~~
Replica install with pkinit is not failing anymore with "Certificate issuance 
failed (CA_UNREACHABLE)", however the ERROR message is still presented:


[ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26]   [1/1]: 
installing X509 Certificate for PKINIT
[ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26] ipa : 
ERRORPKINIT certificate request failed: Certificate issuance failed 
(CA_UNREACHABLE)
[ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26] ipa : 
ERRORFailed to configure PKINIT
[ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26] Done 
configuring Kerberos KDC (krb5kdc).
[ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26] Applying LDAP 
updates
[ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26] Upgrading 
IPA:. Estimated time: 1 minute 30 seconds
[ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26]   [1/9]: 
stopping directory server
~~~
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/769/head:pr769
git checkout pr769
From e8fbb3de2436936370b3be3df5c5dfbd59670333 Mon Sep 17 00:00:00 2001
From: Michal Reznik <mrez...@redhat.com>
Date: Tue, 9 May 2017 16:39:45 +0200
Subject: [PATCH] test_caless: add pkinit option and test it

change "caless-create-pki" so pkinit certificates can be
generated.

See https://web.mit.edu/kerberos/krb5-1.13/doc/admin/pkinit.html for details.

add pkinit option to the ipa installer and test both master and replica
install with pkinit.

Signed-off-by: Michal Reznik <mrez...@redhat.com>
---
 .../test_integration/scripts/caless-create-pki | 112 -
 ipatests/test_integration/test_caless.py   |  77 +++---
 2 files changed, 150 insertions(+), 39 deletions(-)

diff --git a/ipatests/test_integration/scripts/caless-create-pki b/ipatests/test_integration/scripts/caless-create-pki
index 8928e95..816e7dc 100644
--- a/ipatests/test_integration/scripts/caless-create-pki
+++ b/ipatests/test_integration/scripts/caless-create-pki
@@ -1,14 +1,29 @@
 #!/bin/bash -e
 
-profile_ca=(-t CT,C,C -v 120)
-profile_server=(-t ,, -v 12)
-
-crl_path=${crl_path-$(readlink -f $dbdir)}
-
-serial_number=0
+profile_ca_request_options=(-1 -2 -4)
+profile_ca_request_input="\$'0\n1\n5\n6\n9\ny\ny\n\ny\n1\n7\nfile://'\$(readlink -f \$dbdir)/\$ca.crl\$'\n-1\n-1\n-1\nn\nn\n'"
+profile_ca_create_options=(-v 120)
+profile_ca_add_options=(-t CT,C,C)
+profile_server_request_options=(-4)
+profile_server_request_input="\$'1\n7\nfile://'\$(readlink -f \$dbdir)/\$ca.crl\$'\n-1\n-1\n-1\nn\nn\n'"
+profile_server_create_options=(-v 12)
+profile_server_add_options=(-t ,,)
+
+write_chain() {
+local nick="$1"
+
+chain=`certutil -O -d $dbdir -n "$nick" |
+ sed -e '/^\s*$/d' -e "s/\s*\"\(.*\)\" \[.*/\1/g"`
+
+while read 

[Freeipa-devel] [freeipa PR#768][closed] Ticket#6854 caless

2017-05-09 Thread Rezney
   URL: https://github.com/freeipa/freeipa/pull/768
Author: Rezney
 Title: #768: Ticket#6854 caless
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/768/head:pr768
git checkout pr768

[Freeipa-devel] [freeipa PR#768][edited] Ticket#6854 caless

2017-05-09 Thread Rezney
   URL: https://github.com/freeipa/freeipa/pull/768
Author: Rezney
 Title: #768: Ticket#6854 caless
Action: edited

 Changed field: body
Original value:
"""
What was done?
~~

1.) caless-create-pki

The script was kind of merged with 
https://github.com/freeipa/freeipa-tools/blob/master/makepki.sh. Standa took 
care of PKINIT certificates generation so that write_chain() function was 
introduced which handles cert chain in the pkcs12 files and also reverse chanin 
order for openssl command.

Then gen_pkinit_extensions() and gen_pkinit_cert() are handling the PKINIT 
certificate generation. See 
https://web.mit.edu/kerberos/krb5-1.13/doc/admin/pkinit.html for details.

2.) test_caless.py

As the tests are currently failing due to the pkinit option not provided 
"pkinit_pin, pkinit_pkcs12_exists and pkinit_pkcs12" parameters were added to 
both install_server() and prepare_replica methods and particular options are 
added to installator. Then copy_pkinit() is handling pkinit certs transfer.

TestPKINIT class contains test_server_replica_install_pkinit() test which 
checks both server and replica install with pkinit for a starter.

Eventually added "raiseonerr=False" to ipa_certs_cleanup() cause tests were 
failing there but that whole workaround for ticket 4639 will be removed in 
different commit.


What can be improved? (at least what I am aware of)
~

Currently the pkinit certificates are not inside the nss db, so we copy them 
separately (we could also move them to certdir and copy it as a whole). I tried 
to put them there with pk12util, but the certs were getting their nicknames from 
the openssl friendly names (I guess). I added the -name parameter to the 
"openssl pkcs12 -export" command and the nicknames were fine (e.g. 
"ca1/pkinit-server" after certutil -L); however, after the "caless-create-pki" 
script was done, all pkinit cert nicknames were just prefixed with "ca1/" 
(instead of ca1/ ca2/ etc.).


Issues found:
~

Replica install with pkinit is not failing anymore with "Certificate issuance 
failed (CA_UNREACHABLE)", however the ERROR message is still presented:


[ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26]   [1/1]: 
installing X509 Certificate for PKINIT
[ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26] ipa : 
ERRORPKINIT certificate request failed: Certificate issuance failed 
(CA_UNREACHABLE)
[ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26] ipa : 
ERRORFailed to configure PKINIT
[ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26] Done 
configuring Kerberos KDC (krb5kdc).
[ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26] Applying LDAP 
updates
[ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26] Upgrading 
IPA:. Estimated time: 1 minute 30 seconds
[ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26]   [1/9]: 
stopping directory server
"""


[Freeipa-devel] [freeipa PR#768][opened] Ticket#6854 caless

2017-05-09 Thread Rezney
   URL: https://github.com/freeipa/freeipa/pull/768
Author: Rezney
 Title: #768: Ticket#6854 caless
Action: opened

PR body:
"""
What was done?
~~

1.) caless-create-pki

The script was kind of merged with 
https://github.com/freeipa/freeipa-tools/blob/master/makepki.sh. Standa took 
care of PKINIT certificate generation, so the write_chain() function was 
introduced; it handles the cert chain in the pkcs12 files and also reverses the 
chain order for the openssl command.

Then gen_pkinit_extensions() and gen_pkinit_cert() are handling the PKINIT 
certificate generation. See 
https://web.mit.edu/kerberos/krb5-1.13/doc/admin/pkinit.html for details.

2.) test_caless.py

As the tests are currently failing due to the pkinit option not provided 
"pkinit_pin, pkinit_pkcs12_exists and pkinit_pkcs12" parameters were added to 
both install_server() and prepare_replica methods and particular options are 
added to installator. Then copy_pkinit() is handling pkinit certs transfer.

TestPKINIT class contains test_server_replica_install_pkinit() test which 
checks both server and replica install with pkinit for a starter.

Eventually added "raiseonerr=False" to ipa_certs_cleanup() cause tests were 
failing there but that whole workaround for ticket 4639 will be removed in 
different commit.


What can be improved? (at least what I am aware of)
~

Currently pkinit certificates are not inside nss db so we copy it separately 
(we could also move it to certdir and copy as whole). Tried to put it there 
with pk12util but the certs were getting nicknames from openssl friendly names 
(I guess). Added -name parameter to "openssl pkcs12 -export" command and the 
nicknames were fine (e.g. "ca1/pkinit-server" after certuril -L) however after 
the "caless-create-pki" script was done all pkinit cert nicknames were just 
prefixed with "ca1/" (instead of ca1/ ca2/ etc.).


Issues found:
~

Replica install with pkinit is not failing anymore with "Certificate issuance 
failed (CA_UNREACHABLE)", however the ERROR message is still presented:


[ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26]   [1/1]: 
installing X509 Certificate for PKINIT
[ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26] ipa : 
ERRORPKINIT certificate request failed: Certificate issuance failed 
(CA_UNREACHABLE)
[ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26] ipa : 
ERRORFailed to configure PKINIT
[ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26] Done 
configuring Kerberos KDC (krb5kdc).
[ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26] Applying LDAP 
updates
[ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26] Upgrading 
IPA:. Estimated time: 1 minute 30 seconds
[ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26]   [1/9]: 
stopping directory server
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/768/head:pr768
git checkout pr768

[Freeipa-devel] [freeipa PR#710][synchronized] [ipatests] - added krb5kdc.log to pytest logging

2017-04-12 Thread Rezney
   URL: https://github.com/freeipa/freeipa/pull/710
Author: Rezney
 Title: #710: [ipatests] - added krb5kdc.log to pytest logging
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/710/head:pr710
git checkout pr710
From 7af2789ecc4d9995bb0a50a7b34752b7ca40679d Mon Sep 17 00:00:00 2001
From: Michal Reznik <mrez...@redhat.com>
Date: Wed, 12 Apr 2017 16:28:59 +0200
Subject: [PATCH] [ipatests] - added krb5kdc.log to pytest logging

KRB5KDC_LOG = '/var/log/krb5kdc.log' added to paths
host.collect_log(paths.KRB5KDC_LOG) added to tasks.py

Signed-off-by: Michal Reznik <mrez...@redhat.com>
---
 ipaplatform/base/paths.py| 1 +
 ipatests/pytest_plugins/integration/tasks.py | 1 +
 2 files changed, 2 insertions(+)

diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 070d3ff..ad41814 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -314,6 +314,7 @@ class BasePathNamespace(object):
 IPASERVER_UNINSTALL_LOG = "/var/log/ipaserver-uninstall.log"
 IPAUPGRADE_LOG = "/var/log/ipaupgrade.log"
 KADMIND_LOG = "/var/log/kadmind.log"
+KRB5KDC_LOG = "/var/log/krb5kdc.log"
 MESSAGES = "/var/log/messages"
 VAR_LOG_PKI_DIR = "/var/log/pki/"
 TOMCAT_TOPLEVEL_DIR = "/var/log/pki/pki-tomcat"
diff --git a/ipatests/pytest_plugins/integration/tasks.py b/ipatests/pytest_plugins/integration/tasks.py
index 1705e25..172f5b8 100644
--- a/ipatests/pytest_plugins/integration/tasks.py
+++ b/ipatests/pytest_plugins/integration/tasks.py
@@ -77,6 +77,7 @@ def setup_server_logs_collecting(host):
 
 # kerberos related logs
 host.collect_log(paths.KADMIND_LOG)
+host.collect_log(paths.KRB5KDC_LOG)
 
 # httpd logs
 host.collect_log(paths.VAR_LOG_HTTPD_ERROR)

[Freeipa-devel] [freeipa PR#710][opened] [ipatests] - added krb5kdc.log to pytest logging

2017-04-12 Thread Rezney
   URL: https://github.com/freeipa/freeipa/pull/710
Author: Rezney
 Title: #710: [ipatests] - added krb5kdc.log to pytest logging
Action: opened

PR body:
"""
KRB5KDC_LOG = '/var/log/krb5kdc.log' added to paths
host.collect_log(paths.KRB5KDC_LOG) added to tasks.py

Signed-off-by: Michal Reznik <mrez...@redhat.com>
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/710/head:pr710
git checkout pr710
From 8bf1913e92050fc06746f70dd21ae5dd90fda05f Mon Sep 17 00:00:00 2001
From: Michal Reznik <mrez...@redhat.com>
Date: Wed, 12 Apr 2017 16:28:59 +0200
Subject: [PATCH] [ipatests] - added krb5kdc.log to pytest logging

KRB5KDC_LOG = '/var/log/krb5kdc.log' added to paths
host.collect_log(paths.KRB5KDC_LOG) added to tasks.py

Signed-off-by: Michal Reznik <mrez...@redhat.com>
---
 ipaplatform/base/paths.py| 1 +
 ipatests/pytest_plugins/integration/tasks.py | 1 +
 2 files changed, 2 insertions(+)

diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 070d3ff..5e27553 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -355,5 +355,6 @@ class BasePathNamespace(object):
 GSSPROXY_CONF = '/etc/gssproxy/10-ipa.conf'
 KRB5CC_HTTPD = '/tmp/krb5cc-httpd'
 IF_INET6 = '/proc/net/if_inet6'
+KRB5KDC_LOG = '/var/log/krb5kdc.log'
 
 path_namespace = BasePathNamespace
diff --git a/ipatests/pytest_plugins/integration/tasks.py b/ipatests/pytest_plugins/integration/tasks.py
index 1705e25..172f5b8 100644
--- a/ipatests/pytest_plugins/integration/tasks.py
+++ b/ipatests/pytest_plugins/integration/tasks.py
@@ -77,6 +77,7 @@ def setup_server_logs_collecting(host):
 
 # kerberos related logs
 host.collect_log(paths.KADMIND_LOG)
+host.collect_log(paths.KRB5KDC_LOG)
 
 # httpd logs
 host.collect_log(paths.VAR_LOG_HTTPD_ERROR)

[Freeipa-devel] [freeipa PR#537][synchronized] test_csrgen: adjusted comparison test scripts for CSRGenerator

2017-03-03 Thread Rezney
   URL: https://github.com/freeipa/freeipa/pull/537
Author: Rezney
 Title: #537: test_csrgen: adjusted comparison test scripts for CSRGenerator
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/537/head:pr537
git checkout pr537
From fd97f19179c59081936a1dfaefa9c3bbccffa36b Mon Sep 17 00:00:00 2001
From: Michal Reznik <mrez...@redhat.com>
Date: Fri, 3 Mar 2017 11:17:17 +0100
Subject: [PATCH] test_csrgen: adjusted comparison test scripts for
 CSRGenerator

Commit ada91c2 introduced changes in "csrgen/templates/openssl_base.tmpl"
which broke the following 2 tests:

test_CSRGenerator.test_userCert_OpenSSL
test_CSRGenerator.test_caIPAserviceCert_OpenSSL

The tests use files caIPAserviceCert_openssl.sh and userCert_openssl.sh
as expected scripts in order to compare scripts generated by CSRGenerator.
E.g. because another parameter was introduced, we no longer check with
"if [[ $# -ne 2 ]]" but with "if [[ $# -lt 2 ]]".

https://pagure.io/freeipa/issue/6724
---
 .../data/test_csrgen/scripts/caIPAserviceCert_openssl.sh | 9 +
 .../test_ipaclient/data/test_csrgen/scripts/userCert_openssl.sh  | 9 +
 2 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/ipatests/test_ipaclient/data/test_csrgen/scripts/caIPAserviceCert_openssl.sh b/ipatests/test_ipaclient/data/test_csrgen/scripts/caIPAserviceCert_openssl.sh
index c621a69..811bfd7 100644
--- a/ipatests/test_ipaclient/data/test_csrgen/scripts/caIPAserviceCert_openssl.sh
+++ b/ipatests/test_ipaclient/data/test_csrgen/scripts/caIPAserviceCert_openssl.sh
@@ -1,14 +1,15 @@
 #!/bin/bash -e
 
-if [[ $# -ne 2 ]]; then
-echo "Usage: $0  "
+if [[ $# -lt 2 ]]; then
+echo "Usage: $0   "
 echo "Called as: $0 $@"
 exit 1
 fi
 
 CONFIG="$(mktemp)"
 CSR="$1"
-shift
+KEYFILE="$2"
+shift; shift
 
 echo \
 '[ req ]
@@ -29,5 +30,5 @@ DNS = machine.example.com
 subjectAltName = @sec1
 ' > "$CONFIG"
 
-openssl req -new -config "$CONFIG" -out "$CSR" -key $1
+openssl req -new -config "$CONFIG" -out "$CSR" -key "$KEYFILE" "$@"
 rm "$CONFIG"
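Review bot: `"$@"` now forwards every remaining argument to `openssl req`, and with `-lt 2` replacing `-ne 2` nothing bounds or checks what those arguments are, so a caller can presumably repeat `-config`, `-out` or `-key` and override the values set here. A comment above the call, for example `# remaining arguments are passed to openssl req unchanged`, would at least document that contract. Separately, under `bash -e` a failing `openssl req` skips `rm "$CONFIG"`; `trap 'rm -f -- "$CONFIG"' EXIT` right after the `mktemp` line would cover that path. Both points apply equally to the userCert_openssl.sh hunks, and because these files are the expected output compared against CSRGenerator, any change would have to be made in the template as well.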
diff --git a/ipatests/test_ipaclient/data/test_csrgen/scripts/userCert_openssl.sh b/ipatests/test_ipaclient/data/test_csrgen/scripts/userCert_openssl.sh
index cdbe8a1..2edf067 100644
--- a/ipatests/test_ipaclient/data/test_csrgen/scripts/userCert_openssl.sh
+++ b/ipatests/test_ipaclient/data/test_csrgen/scripts/userCert_openssl.sh
@@ -1,14 +1,15 @@
 #!/bin/bash -e
 
-if [[ $# -ne 2 ]]; then
-echo "Usage: $0  "
+if [[ $# -lt 2 ]]; then
+echo "Usage: $0   "
 echo "Called as: $0 $@"
 exit 1
 fi
 
 CONFIG="$(mktemp)"
 CSR="$1"
-shift
+KEYFILE="$2"
+shift; shift
 
 echo \
 '[ req ]
@@ -29,5 +30,5 @@ email = testu...@example.com
 subjectAltName = @sec1
 ' > "$CONFIG"
 
-openssl req -new -config "$CONFIG" -out "$CSR" -key $1
+openssl req -new -config "$CONFIG" -out "$CSR" -key "$KEYFILE" "$@"
 rm "$CONFIG"

[Freeipa-devel] [freeipa PR#537][synchronized] test_csrgen: adjusted comparison test scripts for CSRGenerator

2017-03-03 Thread Rezney
   URL: https://github.com/freeipa/freeipa/pull/537
Author: Rezney
 Title: #537: test_csrgen: adjusted comparison test scripts for CSRGenerator
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/537/head:pr537
git checkout pr537
From db8ee676d40fb098b0f9db67048ca0e8eb4b3c27 Mon Sep 17 00:00:00 2001
From: Michal Reznik <mrez...@redhat.com>
Date: Fri, 3 Mar 2017 11:17:17 +0100
Subject: [PATCH] test_csrgen: adjusted comparison test scripts for
 CSRGenerator

Commit ada91c2 introduced changes in "csrgen/templates/openssl_base.tmpl"
which broke the following 2 tests:

test_CSRGenerator.test_userCert_OpenSSL
test_CSRGenerator.test_caIPAserviceCert_OpenSSL

The tests use files caIPAserviceCert_openssl.sh and userCert_openssl.sh
as expected scripts in order to compare scripts generated by CSRGenerator.
E.g. because another parameter was introduced, we no longer check with
"if [[ $# -ne 2 ]]" but with "if [[ $# -lt 2 ]]".

https://pagure.io/freeipa/issue/6724
---
 .../data/test_csrgen/scripts/caIPAserviceCert_openssl.sh   | 10 ++
 .../data/test_csrgen/scripts/userCert_openssl.sh   |  9 +
 2 files changed, 11 insertions(+), 8 deletions(-)

diff --git a/ipatests/test_ipaclient/data/test_csrgen/scripts/caIPAserviceCert_openssl.sh b/ipatests/test_ipaclient/data/test_csrgen/scripts/caIPAserviceCert_openssl.sh
index c621a69..6341b0f 100644
--- a/ipatests/test_ipaclient/data/test_csrgen/scripts/caIPAserviceCert_openssl.sh
+++ b/ipatests/test_ipaclient/data/test_csrgen/scripts/caIPAserviceCert_openssl.sh
@@ -1,14 +1,15 @@
 #!/bin/bash -e
 
-if [[ $# -ne 2 ]]; then
-echo "Usage: $0  "
+if [[ $# -lt 2 ]]; then
+echo "Usage: $0   "
 echo "Called as: $0 $@"
 exit 1
 fi
 
 CONFIG="$(mktemp)"
 CSR="$1"
-shift
+KEYFILE="$2"
+shift; shift
 
 echo \
 '[ req ]
@@ -29,5 +30,6 @@ DNS = machine.example.com
 subjectAltName = @sec1
 ' > "$CONFIG"
 
-openssl req -new -config "$CONFIG" -out "$CSR" -key $1
+openssl req -new -config "$CONFIG" -out "$CSR" -key "$KEYFILE" "$@"
 rm "$CONFIG"
+
diff --git a/ipatests/test_ipaclient/data/test_csrgen/scripts/userCert_openssl.sh b/ipatests/test_ipaclient/data/test_csrgen/scripts/userCert_openssl.sh
index cdbe8a1..2edf067 100644
--- a/ipatests/test_ipaclient/data/test_csrgen/scripts/userCert_openssl.sh
+++ b/ipatests/test_ipaclient/data/test_csrgen/scripts/userCert_openssl.sh
@@ -1,14 +1,15 @@
 #!/bin/bash -e
 
-if [[ $# -ne 2 ]]; then
-echo "Usage: $0  "
+if [[ $# -lt 2 ]]; then
+echo "Usage: $0   "
 echo "Called as: $0 $@"
 exit 1
 fi
 
 CONFIG="$(mktemp)"
 CSR="$1"
-shift
+KEYFILE="$2"
+shift; shift
 
 echo \
 '[ req ]
@@ -29,5 +30,5 @@ email = testu...@example.com
 subjectAltName = @sec1
 ' > "$CONFIG"
 
-openssl req -new -config "$CONFIG" -out "$CSR" -key $1
+openssl req -new -config "$CONFIG" -out "$CSR" -key "$KEYFILE" "$@"
 rm "$CONFIG"