Adjust test to handle revocation reason REMOVE_FROM_CRL

The dogtag REST API has a change of behavior regarding
revocation reason 8, REMOVE_FROM_CRL. The XML interface
accepts it blindly and marks the certificate as revoked.

This is complicated within RFC 5280 but the gist is that
it only affects a certificate on hold and only for delta
CRLs.

So this modifies the behavior of revocation 8 so that
the certificate is put on hold (6) first.

Fixes: https://pagure.io/freeipa/issue/9345

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
This commit is contained in:
Rob Crittenden
2023-08-01 17:06:36 -04:00
parent ed52142c40
commit 317e7061d0

@@ -473,14 +473,23 @@ class test_cert_revocation(BaseCert):
add=True, all=True)['result']
serial_number = res['serial_number']
# REMOVE_FROM_CRL (8) needs to be on hold to revoke per RFC 5280
if reason == 8:
assert 'result' in api.Command['cert_revoke'](
serial_number, revocation_reason=6)
# revoke created certificate
assert 'result' in api.Command['cert_revoke'](
serial_number, revocation_reason=reason)
# verify that certificate is revoked with correct reason
res2 = api.Command['cert_show'](serial_number, all=True)['result']
assert res2['revoked']
assert res2['revocation_reason'] == reason
if reason == 8:
assert res2['revoked'] is False
else:
assert res2['revoked']
assert res2['revocation_reason'] == reason
# remove host
assert 'result' in api.Command['host_del'](self.host_fqdn)
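
Review bot: in the final `if reason == 8:` branch the test checks only `res2['revoked'] is False`, so it would still pass if `cert_show` kept reporting the hold reason (6) after the hold was lifted. Consider also asserting on what `res2` carries for `revocation_reason` in that case, so a leftover reason is caught. The comments `# revoke created certificate` and `# verify that certificate is revoked with correct reason` no longer describe the reason-8 path, where the expected end state is a certificate that is not revoked, and the new comment "needs to be on hold to revoke" reads as if reason 8 revokes the certificate; wording such as "must be on hold before REMOVE_FROM_CRL is applied" would match what the assertions expect.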