On Sun, Feb 28, 2016 at 08:19:57PM -0500, Dan Lavu wrote:
> I've made most of the suggested changes but I'm going to take some time
> and get the test running on Debian as well (mostly to find out if /etc/pki
> is a Red Hat thing or not). Fedora and Debian are the only distros we are
> testing/supporting against, correct?

Yes, we support RHEL >= 6, Fedora (all supported versions) and Debian
Testing.

> Also wondering if the CI setup issue I'm
> seeing applies to apt.
> 
> Dan
> 
> 
> On 2/26/16 5:53 AM, Jakub Hrozek wrote:
> >On Thu, Feb 25, 2016 at 05:18:09PM -0500, Dan Lavu wrote:
> >>Here is a patch for https://fedorahosted.org/sssd/ticket/2820
> >>
> >>First real patch... criticisms for what I need to improve on are welcome,
> >>including concepts that I should learn. Thanks.
> >Thanks a lot for the patch!
> >
> >See my comments inline:
> >
> >> From 529adb3e0d763a8ee9ba9b4c5b13f933d723e8de Mon Sep 17 00:00:00 2001
> >>From: Dan Lavu <dl...@redhat.com>
> >>Date: Fri, 5 Feb 2016 08:51:07 -0500
> >>Subject: [PATCH] Adding SSL encryption to integration tests.
> >>
> >>---
> >>  src/tests/intg/ca.py          | 166 
> >> ++++++++++++++++++++++++++++++++++++++++++
> >>  src/tests/intg/ds_openldap.py |  14 ++++
> >>  2 files changed, 180 insertions(+)
> >>  create mode 100644 src/tests/intg/ca.py
> >>
> >>diff --git a/src/tests/intg/ca.py b/src/tests/intg/ca.py
> >>new file mode 100644
> >>index 
> >>0000000000000000000000000000000000000000..a44a92e5d5053338dabd7d8d82d2b1d50ec7594e
> >>--- /dev/null
> >>+++ b/src/tests/intg/ca.py
> >>@@ -0,0 +1,166 @@
> >>+#
> >>+# SSSD LOCAL domain tests
> >>+#
> >>+# Copyright (c) 2016 Red Hat, Inc.
> >>+# Author: Dan Lavu <d...@redhat.com>
> >>+#
> >>+# This is free software; you can redistribute it and/or modify it
> >>+# under the terms of the GNU General Public License as published by
> >>+# the Free Software Foundation; version 2 only
> >>+#
> >>+# This program is distributed in the hope that it will be useful, but
> >>+# WITHOUT ANY WARRANTY; without even the implied warranty of
> >>+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> >>+# General Public License for more details.
> >>+#
> >>+# You should have received a copy of the GNU General Public License
> >>+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
> >>+#
> >>+
> >>+from OpenSSL import crypto
> >>+from os.path import exists, join
> >>+
> >>+import socket
> >>+import os
> >>+import fnmatch
> >>+
> >>+
> >>+class CA:
> >It would be nice to use the new-style classes, so class CA(object)
> >
> >>+    """CA Class"""
> >>+
> >>+    def __init__(self, subject=None, country=None, state=None,
> >>+                 city=None, organization=None, unit=None, config_dir=None):
> >>+        if subject is None:
> >>+            self.subject = socket.gethostname()
> >>+        if country is None:
> >>+            self.country = 'US'
> >>+        if state is None:
> >>+            self.state = 'NC'
> >>+        if city is None:
> >>+            self.city = 'Raleigh'
> >>+        if organization is None:
> >>+            self.organization = 'Red Hat'
> >>+        if unit is None:
> >>+            self.unit = 'SSSD'
> >>+        if config_dir is None:
> >>+            self.config_dir = '/etc/pki'
> >/etc/pki is not writable unless you're root. We should store the certs
> >in another directory writable by any user. Maybe this is something
> >Nikolai (CC) could help us with, I know we use fakeroot to set up the
> >directory structure, but I'm fuzzy on the details, so I don't know
> >myself which part of the tests we should exactly touch.
> >
> >Also, does the /etc/pki path exists on Debian and other distributions or
> >is it Red Hat-centric?
> >
> >When we have this done, hopefully we can remove the use of
> >'ldap_auth_disable_tls_never_use_in_production' from our tests?
> >
> >
> >>+
> >>+        self.hostname = socket.gethostname()
> >This is maybe something to fix in a later iteration of the patch, but I
> >wonder if it was useful to override the hostname to something else than
> >what gethostname() reports. Not sure at the moment.
> >
> >>+        self.csr_dir = self.config_dir + '/CA/newcerts'
> >>+        self.key_dir = self.config_dir + '/tls/private'
> >>+        self.cert_dir = self.config_dir + '/tls/certs'
> >>+
> >>+        self.index = int(1000)
> >>+
> >>+
> >>+    def setup(self):
> >>+        """Setup CA using OpenSSL"""
> >>+        cacert = socket.gethostname() + '-ca.crt'
> >>+        cakey = socket.gethostname() + '-ca.key'
> >Instead of using socket.gethostname(), maybe using self.hostname would
> >be better here (and elsewhere) ?
> >
> >>+
> >>+        if not exists(join(self.cert_dir, cacert)) or not 
> >>exists(join(self.key_dir, cakey)):
> >>+            key = crypto.PKey()
> >>+            key.generate_key(crypto.TYPE_RSA, 2048)
> >>+
> >>+            ca = crypto.X509()
> >>+            ca.get_subject().C = self.country
> >>+            ca.get_subject().ST = self.state
> >>+            ca.get_subject().L = self.city
> >>+            ca.get_subject().O = self.organization
> >>+            ca.get_subject().OU = self.unit
> >>+            ca.get_subject().CN = self.subject
> >>+            ca.set_serial_number(self.index)
> >>+            ca.gmtime_adj_notBefore(0)
> >>+            ca.gmtime_adj_notAfter(10 * 365 * 24 * 60 * 60)
> >>+            ca.set_issuer(ca.get_subject())
> >>+            ca.set_pubkey(key)
> >>+            ca.sign(key, 'sha1')
> 
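Review bot: In `__init__`, each attribute is assigned only inside its `if ... is None` branch, so a caller that passes an explicit `subject`, `country`, ..., or `config_dir` ends up with that attribute never set; with `config_dir` given, `self.csr_dir = self.config_dir + '/CA/newcerts'` raises AttributeError right in the constructor, and with `subject` given, `setup()` fails at `ca.get_subject().CN = self.subject`. Assign unconditionally, e.g. `self.subject = subject if subject is not None else socket.gethostname()`, and likewise for the others. Two further points in `setup()`: `ca.sign(key, 'sha1')` signs the CA certificate with SHA-1, which current OpenSSL releases and distribution crypto policies reject for certificate signatures, so use `'sha256'`; and no extensions are added before `ca.sign()`, so the CA certificate carries neither `basicConstraints CA:TRUE` nor `keyUsage keyCertSign`, which strict verifiers require of an issuer. Call `ca.set_version(2)` and `ca.add_extensions([...])` with those two before signing. Minor: `self.index` starts at 1000 but nothing visible increments it, so later certificates would reuse the serial number; `int(1000)` can be `1000`; and the header comment "SSSD LOCAL domain tests" looks copied from another test file and should describe this module.
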
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org
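A worked version of the user-writable test CA the review asks for, added here as an illustration and not code from the submitted patch or from the SSSD tree. It keeps everything under a `tempfile.mkdtemp()` directory instead of `/etc/pki`, makes the hostname an overridable attribute, signs with SHA-256, adds the CA and server extensions before signing, and checks the issued host certificate against the CA with pyOpenSSL's `X509Store`. The class name `TestCA`, the `certs/` and `private/` layout, the subject fields and the serial counter are assumptions of this example.

```python
"""Throwaway CA for integration tests (example code for this thread, not
part of the SSSD tree): user-writable, SHA-256, with proper extensions."""
import os
import socket
import tempfile

from OpenSSL import crypto

ONE_YEAR = 365 * 24 * 60 * 60


class TestCA(object):
    """Self-signed CA plus host certificates, all kept under base_dir."""

    def __init__(self, base_dir=None, hostname=None, subject="SSSD Test CA"):
        # Fresh mkdtemp() by default, so no root-owned /etc/pki is touched
        # and the layout does not depend on the distribution.
        self.base_dir = base_dir or tempfile.mkdtemp(prefix="sssd-test-ca-")
        self.hostname = hostname or socket.gethostname()  # overridable
        self.subject = subject
        self.cert_dir = os.path.join(self.base_dir, "certs")
        self.key_dir = os.path.join(self.base_dir, "private")
        os.makedirs(self.cert_dir, exist_ok=True)
        os.makedirs(self.key_dir, mode=0o700, exist_ok=True)
        self.serial = 1000  # incremented per certificate, never reused
        self.ca_key = None
        self.ca_cert = None

    def _next_serial(self):
        self.serial += 1
        return self.serial

    def _new_cert(self, cn, lifetime):
        cert = crypto.X509()
        cert.set_version(2)  # X.509 v3, required for the extensions
        cert.get_subject().C = "US"
        cert.get_subject().O = "Red Hat"
        cert.get_subject().OU = "SSSD"
        cert.get_subject().CN = cn
        cert.set_serial_number(self._next_serial())
        cert.gmtime_adj_notBefore(0)
        cert.gmtime_adj_notAfter(lifetime)
        return cert

    def _write(self, name, key, cert):
        key_path = os.path.join(self.key_dir, name + ".key")
        with open(key_path, "wb") as f:
            f.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, key))
        os.chmod(key_path, 0o600)  # private key readable by the test user only
        with open(os.path.join(self.cert_dir, name + ".crt"), "wb") as f:
            f.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))

    def setup(self):
        """Create the self-signed CA as private/ca.key and certs/ca.crt."""
        key = crypto.PKey()
        key.generate_key(crypto.TYPE_RSA, 2048)
        ca = self._new_cert(self.subject, 10 * ONE_YEAR)
        ca.set_issuer(ca.get_subject())
        ca.set_pubkey(key)  # before subjectKeyIdentifier, which hashes it
        ca.add_extensions([
            crypto.X509Extension(b"basicConstraints", True, b"CA:TRUE"),
            crypto.X509Extension(b"keyUsage", True, b"keyCertSign, cRLSign"),
            crypto.X509Extension(b"subjectKeyIdentifier", False, b"hash",
                                 subject=ca),
        ])
        ca.sign(key, "sha256")  # SHA-256, not the SHA-1 of the patch
        self.ca_key, self.ca_cert = key, ca
        self._write("ca", key, ca)
        return ca

    def issue_host_cert(self, hostname=None):
        """Issue a TLS server certificate for hostname, signed by the CA."""
        hostname = hostname or self.hostname
        key = crypto.PKey()
        key.generate_key(crypto.TYPE_RSA, 2048)
        cert = self._new_cert(hostname, ONE_YEAR)
        cert.set_issuer(self.ca_cert.get_subject())
        cert.set_pubkey(key)
        cert.add_extensions([
            crypto.X509Extension(b"basicConstraints", True, b"CA:FALSE"),
            crypto.X509Extension(b"keyUsage", True,
                                 b"digitalSignature, keyEncipherment"),
            crypto.X509Extension(b"extendedKeyUsage", False, b"serverAuth"),
            # TLS clients match the SAN, not only the CN
            crypto.X509Extension(b"subjectAltName", False,
                                 ("DNS:" + hostname).encode("ascii")),
        ])
        cert.sign(self.ca_key, "sha256")
        self._write(hostname, key, cert)
        return cert

    def verify(self, cert):
        """True if cert chains to this CA, False otherwise."""
        store = crypto.X509Store()
        store.add_cert(self.ca_cert)
        try:
            crypto.X509StoreContext(store, cert).verify_certificate()
            return True
        except crypto.X509StoreContextError:
            return False

    def ca_files_exist(self):
        return (os.path.exists(os.path.join(self.cert_dir, "ca.crt")) and
                os.path.exists(os.path.join(self.key_dir, "ca.key")))
```

`base_dir` can be pointed at whatever per-test directory the integration harness already creates, so nothing is written under `/etc` and the same code runs unprivileged on Fedora, RHEL and Debian alike; a certificate issued by a different `TestCA` instance fails `verify()`, which is the check a TLS-enabled test LDAP server should rely on instead of `ldap_auth_disable_tls_never_use_in_production`.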
