From 317e7061d0f68e6fed671c0fe56cf4db61f3e2d9 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Aug 28 2023 14:21:48 +0000 Subject: Adjust test to handle revocation reason REMOVE_FROM_CRL The dogtag REST API has a change of behavior regarding revocation reason 8, REMOVE_FROM_CRL. The XML interface accepts it blindly and marks the certifiate as revoked. This is complicated within RFC 5280 but the jist is that it only affects a certificate on hold and only for delta CRLs. So this modifies the behavior of revocation 8 so that the certificate is put on hold (6) first. Fixes: https://pagure.io/freeipa/issue/9345 Signed-off-by: Rob Crittenden Reviewed-By: Florence Blanc-Renaud
---
diff --git a/ipatests/test_xmlrpc/test_cert_plugin.py b/ipatests/test_xmlrpc/test_cert_plugin.py
index 583c67f..a0bf08d 100644
--- a/ipatests/test_xmlrpc/test_cert_plugin.py
+++ b/ipatests/test_xmlrpc/test_cert_plugin.py
@@ -473,14 +473,23 @@ class test_cert_revocation(BaseCert):
 add=True, all=True)['result']
 serial_number = res['serial_number']
+ # REMOVE_FROM_CRL (8) needs to be on hold to revoke per RFC 5280
+ if reason == 8:
+ assert 'result' in api.Command['cert_revoke'](
+ serial_number, revocation_reason=6)
+ # revoke created certificate
 assert 'result' in api.Command['cert_revoke'](
 serial_number, revocation_reason=reason)
 # verify that certificate is revoked with correct reason
 res2 = api.Command['cert_show'](serial_number, all=True)['result']
- assert res2['revoked']
- assert res2['revocation_reason'] == reason
+
+ if reason == 8:
+ assert res2['revoked'] is False
+ else:
+ assert res2['revoked']
+ assert res2['revocation_reason'] == reason
 # remove host
 assert 'result' in api.Command['host_del'](self.host_fqdn)
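Review bot: For reason 8 the only post-condition checked is `res2['revoked'] is False`, which is also the state of a certificate that was never revoked at all, so the test cannot tell "put on hold, then released" apart from "neither call changed anything". The two `cert_revoke` assertions only check that a `'result'` key is present, so they do not pin the intermediate state either. I would add a `cert_show` straight after the hold call inside the first `if reason == 8:` block, e.g. `held = api.Command['cert_show'](serial_number, all=True)['result']` followed by `assert held['revoked'] and held['revocation_reason'] == 6`, so that a regression in hold handling fails here. The enclosing test method starts outside the hunk, so this assumes `reason` is the parametrised revocation reason used throughout it.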