Fix assertion for test_katello_certs_check_output_invalid_input #17002
Conversation
jameerpathan111
added
CherryPick
|
trigger: test-robottelo |
|
This looks like a raw OpenSSL error. Did that change in both EL8 and EL9? |
Hmm, it's failing only for EL9 on 6.16 |
Then ACK on |
|
PRT Result |
Satellite-QE
added
the
PRT-Passed
Can I just keep |
jameerpathan111
force-pushed
the
certs_invalid_input
branch
from
1d8f04b to
0abe434
Compare
Satellite-QE
removed
the
PRT-Passed
|
If the assertion can use a substring, sure |
jameerpathan111
force-pushed
the
certs_invalid_input
branch
from
0abe434 to
770e5bf
Compare
maybe let's not, kept the original message. Updating it based on rhel version. |
|
trigger: test-robottelo |
|
PRT Result |
Satellite-QE
added
the
PRT-Passed
| @@ -73,11 +73,12 @@ class TestKatelloCertsCheck: | |||
| CA cert (a.k.a cacert.crt or rootCA.pem) can be used as bundle file. | |||
| """ | |||
|
|
|||
| error_message = f"error 26 at 0 depth lookup: {'unsupported' if settings.repos.rhel_major_version == '8' else 'unsuitable'} certificate purpose" | |||
There was a problem hiding this comment.
This error surprises me a bit. If we don't assert the explicit message we emit ourselves:
https://github.com/theforeman/foreman-installer/blob/7c2b54267a933bcf0261396c0950d51c8d5bec5c/bin/katello-certs-check#L157-L169
Perhaps that's not needed and we can simply assert the right code path is used by checking for exit code 4?
There was a problem hiding this comment.
this is what I see in logs, no exit code 4
Checking CA bundle against the certificate file:
[FAIL]
The /root/cacert.crt does not verify the /root/certs/invalid.crt
CN=foreman.example.com
error 20 at 0 depth lookup: unable to get local issuer certificate
error /root/certs/invalid.crt: verification failed
Checking CA bundle size: 1
[OK]
Checking if CA bundle has trust rules: 0
[OK]
Checking Subject Alt Name on certificate
[FAIL]
The /root/certs/invalid.crt does not contain a Subject Alt Name. Common Name is deprecated, use Subject Alt Name instead. See: https://tools.ietf.org/html/rfc2818#section-3.1
Checking Key Usage extension on certificate for Key Encipherment
[OK]
Checking for use of shortname as CN
stderr:
status: 1
There was a problem hiding this comment.
That signals something is broken. The error function sets the exit code:
https://github.com/theforeman/foreman-installer/blob/7c2b54267a933bcf0261396c0950d51c8d5bec5c/bin/katello-certs-check#L65-L70
Then It's also surprising the command exits unexpectedly, without showing [OK] or [FAIL]. That looks like check-shortname isn't following an expected code path:
https://github.com/theforeman/foreman-installer/blob/7c2b54267a933bcf0261396c0950d51c8d5bec5c/bin/katello-certs-check#L229-L250
Given there was already a warning that it doesn't contain a SAN I think we can conclude it's missing an else statement with success.
There was a problem hiding this comment.
So it's a bug😅. DO you want me to file an issue?
There was a problem hiding this comment.
It would be great to have it covered in our tests: https://github.com/theforeman/foreman-installer/blob/develop/spec/katello_certs_check_spec.rb is what we use in CI.
Do I read it well that these certs are generated using tests/foreman/data/certs.sh? In particular:
robottelo/tests/foreman/data/certs.sh
Lines 48 to 49 in fdad16a
jameerpathan111
force-pushed
the
certs_invalid_input
branch
from
770e5bf to
0ff783f
Compare
Satellite-QE
removed
the
PRT-Passed
jameerpathan111
force-pushed
the
certs_invalid_input
branch
from
0ff783f to
39f990b
Compare
(cherry picked from commit 2908992)
Problem Statement
test_katello_certs_check_output_invalid_input[error0-certs/invalid.crt-certs/invalid.key-certs/ca.crt]is failing with AssertionError because the error message has changed.Solution
Related Issues