author | Florence Blanc-Renaud <flo@redhat.com> | 2018-11-09 17:25:12 +0100 |
---|---|---|
committer | Christian Heimes <cheimes@redhat.com> | 2018-11-13 13:04:19 +0100 |
commit | 8b7e17aa16fa20b2917ee6bb2343b2658306b548 (patch) | |
tree | 30ebf401f10149acb46bcbc69b24d2f7afcf1d42 | |
parent | 1be415cd04a0fcadaa12ecf5dd2c34a7e741a504 (diff) | |
ipatests: update tests for ipa-server-certinstall

The test test_http_intermediate_ca was expecting success when
it should expect a failure. Scenario:
- install IPA ca-less with certs signed by rootCA
- call ipa-server-certinstall with a cert signed by a subCA
  to replace http cert.

In this case, the command should refuse changing the cert
(otherwise the clients won't be able any more to use
ipa * commands as the subca is not installed in /etc/ipa/nssdb
or in /etc/ipa/ca.crt).

The commit fixes the test expectation and marks the test as
xfail (see ticket 7759).

The test test_ds_intermediate_ca was expecting success when
it should expect a failure. Same scenario as above, but for
the ldap server cert.

The commit fixes the test expectation and removes the xfail
(ticket 6959 was closed as invalid).

Note:
The behavior differs for ldap and http cert because LDAP server
is using a NSSDB and http server is using openssl, hence
ipa-server-certinstall follows 2 different code paths when
changing the server cert.

Related to https://pagure.io/freeipa/issue/7759
Related to https://pagure.io/freeipa/issue/6959

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-rw-r--r-- | ipatests/test_integration/test_caless.py | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py index ce56edff4..182488f11 100644 --- a/ipatests/test_integration/test_caless.py +++ b/ipatests/test_integration/test_caless.py @@ -1452,18 +1452,24 @@ class TestCertInstall(CALessBase): assert result.returncode > 0 + @pytest.mark.xfail(reason='freeipa ticket 7759', strict=True) def test_http_intermediate_ca(self): "Install new HTTP certificate issued by intermediate CA" result = self.certinstall('w', 'ca1/subca/server') - assert result.returncode == 0, result.stderr_text + # As the intermediate CA is not trusted, command must fail + assert_error(result, + "Peer's certificate issuer is not trusted") - @pytest.mark.xfail(reason='freeipa ticket 6959', strict=True) def test_ds_intermediate_ca(self): "Install new DS certificate issued by intermediate CA" result = self.certinstall('d', 'ca1/subca/server') - assert result.returncode == 0, result.stderr_text + # As the intermediate CA is not trusted, command must fail + assert_error(result, + "Peer's certificate issuer is not trusted " + "(certutil: certificate is invalid: Peer's Certificate " + "issuer is not recognized.") def test_self_signed(self): "Install new self-signed certificate" |
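Review bot: In test_ds_intermediate_ca the expected string passed to assert_error embeds certutil's full diagnostic ("(certutil: certificate is invalid: Peer's Certificate issuer is not recognized.") and ends before the closing parenthesis, so the check depends on the exact wording and capitalisation of an external tool's output. Matching only the prefix already used in test_http_intermediate_ca, "Peer's certificate issuer is not trusted", would be less brittle; if the longer text is intentional, a short comment stating how assert_error compares the string (substring or pattern) would make that clear. In test_http_intermediate_ca, xfail(strict=True) cannot distinguish a command that wrongly succeeds from one that fails with a different message, and the commit message says the HTTP path uses openssl rather than an NSSDB, so the expected text for that path should be rechecked when the marker is removed for ticket 7759.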