Extend Sub CA replication test

Test more scenarios like replication replica -> master. Verify that master and replica have all expected certs with correct trust flags and all keys. See: https://pagure.io/freeipa/issue/7590 See: https://pagure.io/freeipa/issue/7589 Fixes: https://pagure.io/freeipa/issue/7611 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2025-02-25 18:55:28 -06:00 · 2018-06-20 11:09:35 +02:00
parent dcaa62f6a4
commit 6896c90eb2
3 changed files with 175 additions and 41 deletions
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -205,6 +205,17 @@ def verify_kdc_cert_validity(kdc_cert, ca_certs, realm):
            raise ValueError("invalid for realm %s" % realm)


+CERT_RE = re.compile(
+    r'^(?P<nick>.+?)\s+(?P<flags>\w*,\w*,\w*)\s*$'
+)
+KEY_RE = re.compile(
+    r'^<\s*(?P<slot>\d+)>'
+    r'\s+(?P<algo>\w+)'
+    r'\s+(?P<keyid>[0-9a-z]+)'
+    r'\s+(?P<nick>.*?)\s*$'
+)
+
+
 class NSSDatabase(object):
    """A general-purpose wrapper around a NSS cert database

@@ -465,10 +476,10 @@ class NSSDatabase(object):
        # FIXME, this relies on NSS never changing the formatting of certutil
        certlist = []
        for cert in certs:
-            match = re.match(r'^(.+?)\s+(\w*,\w*,\w*)\s*$', cert)
+            match = CERT_RE.match(cert)
            if match:
-                nickname = match.group(1)
-                trust_flags = parse_trust_flags(match.group(2))
+                nickname = match.group('nick')
+                trust_flags = parse_trust_flags(match.group('flags'))
                certlist.append((nickname, trust_flags))

        return tuple(certlist)
@@ -481,10 +492,14 @@ class NSSDatabase(object):
            return ()
        keylist = []
        for line in result.output.splitlines():
-            mo = re.match(r'^<\s*(\d+)>\s+(\w+)\s+([0-9a-z]+)\s+(.*)$', line)
+            mo = KEY_RE.match(line)
            if mo is not None:
-                slot, algo, keyid, nick = mo.groups()
-                keylist.append((int(slot), algo, keyid, nick.strip()))
+                keylist.append((
+                    int(mo.group('slot')),
+                    mo.group('algo'),
+                    mo.group('keyid'),
+                    mo.group('nick'),
+                ))
        return tuple(keylist)

    def find_server_certs(self):