
VOMS Admin test plan

1 Version information

Server version: 2.7.0

Client version: 2.0.17

2 Unit tests

3 Deployment tests

3.1 MySQL Backend

yum install emi-voms-mysql

installs cleanly on an SL5 x86_64 and SL x86_64 machine configured as described in the EMI 1 and EMI2 Generic Installation and Configuration guide.

3.2 Oracle Backend

yum install emi-voms-oracle

installs cleanly on an SL5 x86_64 and SL x86_64 machine configured as described in the EMI 1 and EMI2 Generic Installation and Configuration guide.

3.3 System tests

3.3.1 Basic functionality tests

N.B.: All these tests are performed automatically by the VOMS Admin test suite.

Administrative registration of a VO member

Normal workflow

Use "create-user" to register a new VO member by

  • using a certificate file (PEM format)
  • specifying the user DN, issuer DN, email and name on the command line (--nousercert option)

Pass/Fail Criteria

voms-admin create-user exits with code 0 and list-users returns its DN as a registered member.

Erroneous workflow

  • Wrong location of the certificate file or not a valid PEM file.
  • Missing parameter when --nousercert is used (userDN/issuerDN/email/name).
  • Issuer not trusted by the VOMS server
  • User already registered

Pass/Fail Criteria

Test succeeds if an appropriate error message is printed and the exit code is 1.

Groups and role creation

Normal workflow

Use create-group and create-role to register new VO groups/roles.

Pass/Fail Criteria

voms-admin should exit with code 0. list-groups/list-subgroups and list-roles should display the newly created entities.

Erroneous workflow

Try to create a role/group that already exists, or a subgroup whose full name does not start with "/vo_name/".

Pass/Fail Criteria

An error should be displayed to the user and voms-admin should exit with code 1.

Attribute class registration

Normal workflow and Pass/Fail Criteria

Use create-attribute-class to register a new attribute class. Verify the creation of classes both with and without UNIQUE enforcement. The test succeeds if voms-admin exits with code 0 and list-attribute-classes contains the new ones.

Erroneous workflow and Pass/Fail Criteria

If the class already exists or the name contains illegal characters, voms-admin should print an error and exit with code 1.

Users/groups/roles/classes deletion

Use delete-user, delete-group, delete-role, delete-attribute-class to test deletion of VOMS entities. The test succeeds if voms-admin exits with code 0 and subsequent calls to the list command do not show the erased objects.

Group membership operations

Tests for adding/removing/listing of group members using add-member, remove-member, list-members.

Normal workflow and Pass/Fail Criteria

  • the add operation exits with code 0, and list-members shows the newly added member for the context in question. The user should become a member of all of the group's predecessors as well (if not already). This has to be verified with list-members as well.
  • the delete operation exits with code 0 and the user is no longer a member of the context in question. Group membership removal is not propagated back to the predecessors.

Erroneous workflow and Pass/Fail Criteria

voms-admin should print an error message and exit with code 1 if any of the following events occur:

  • the location of the user certificate file is not valid or the file is not in PEM format
  • adding a member that already exists
  • removing a non-existent member

Role assignments/dismissals

Normal workflow and Pass/Fail Criteria

Use the assign-role and dismiss-role commands to verify the role management operations. assign-role should be tested with multiple roles for a single context.

Erroneous workflow and Pass/Fail Criteria

  • assigning a role which is already granted
  • dismissing a non-assigned role
  • assigning a role for a context the user is not a member of

In these cases voms-admin should exit with code 1 and print an error message.

Setting/Deleting attribute class values for users, groups, role/group

Test of the voms-admin commands

  • set-user-attribute, delete-user-attribute
  • set-group-attribute, delete-group-attribute
  • set-role-attribute, delete-role-attribute

After the execution of the action, the corresponding list command should be used to verify that the value was actually stored in or removed from the database, in which case the test is considered successful.

Erroneous workflow and Pass/Fail Criteria

voms-admin should exit with code 1 and print an error message if:

  • the command is called with the wrong number of arguments
  • the user is not a VO member
  • the group/role does not exist
  • a duplicate value is given for an attribute with the unique constraint enabled
  • the attribute is not set for the specified entity

Managing VOMS-ADMIN access control lists

The commands add-ACL-entry and remove-ACL-entry should be tested to modify the ACL for the top VO group and group hierarchy. The test passes if a subsequent call to get-ACL for that context lists the new ACE.

Access control entries for the following subjects should be checked:

  • registered vo user
  • user which is not a VO member
  • user possessing a role in a context
  • all members of a group
  • any authenticated user (anyone who has a valid certificate issued by the authorities the VOMS-ADMIN server trusts)

The propagation functionality should be checked for adding an ACE down the group hierarchy.

Managing VOMS-ADMIN default access control lists

Normal workflow and Pass/Fail Criteria

Access control entries are added to the default ACL for a context. Then a subgroup is created and the contents of its ACL are inspected with the get-ACL command. They should correspond to the contents of the default ACL of the parent. In this case the test is considered successful.
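
The group membership criteria in 3.3.1 (upward propagation on add, no propagation on remove, exit code 1 plus an error message on failure) can be written as shell checks. The following is an added example, not code from the VOMS Admin test suite: voms_admin_stub, its state file and its argument order (COMMAND GROUP DN) are constructed stand-ins so that the checks run offline.

```shell
#!/bin/sh
# Added example, not part of the VOMS Admin test suite.
# VOMS_ADMIN is the command under test. The default is a constructed stub that
# models only the membership semantics stated in this plan; its argument order
# (COMMAND GROUP DN) is an assumption of this example.
VOMS_ADMIN=${VOMS_ADMIN:-voms_admin_stub}
STATE=${TMPDIR:-/tmp}/voms-stub.$$   # constructed state, one "group|dn" per line
: > "$STATE"

# Print every predecessor of a group, nearest first: /vo/a/b -> /vo/a, /vo
predecessors() {
    g=${1%/}
    while p=${g%/*}; [ -n "$p" ] && [ "$p" != "$g" ]; do
        printf '%s\n' "$p"; g=$p
    done
}

voms_admin_stub() {
    cmd=$1 grp=$2 dn=$3
    case "$cmd" in
    add-member)      # adding propagates up to every predecessor
        grep -qxF -- "$grp|$dn" "$STATE" &&
            { echo "error: already a member" >&2; return 1; }
        { printf '%s\n' "$grp"; predecessors "$grp"; } | while IFS= read -r a; do
            grep -qxF -- "$a|$dn" "$STATE" || printf '%s|%s\n' "$a" "$dn" >> "$STATE"
        done ;;
    remove-member)   # removal affects the named group only
        grep -qxF -- "$grp|$dn" "$STATE" ||
            { echo "error: not a member" >&2; return 1; }
        grep -vxF -- "$grp|$dn" "$STATE" > "$STATE.new" || :
        mv "$STATE.new" "$STATE" ;;
    list-members) awk -F'|' -v g="$grp" '$1 == g { print $2 }' "$STATE" ;;
    *) echo "error: unknown command" >&2; return 1 ;;
    esac
}

# Erroneous workflow: exit code is exactly 1 and an error message is printed.
expect_error() {            # usage: expect_error COMMAND ARGS...
    rc=0; out=$($VOMS_ADMIN "$@" 2>&1) || rc=$?
    [ "$rc" -eq 1 ] && [ -n "$out" ]
}

# Normal workflow: the DN is listed in the group and in every predecessor.
listed_up_the_tree() {      # usage: listed_up_the_tree GROUP DN
    { printf '%s\n' "$1"; predecessors "$1"; } | while IFS= read -r a; do
        $VOMS_ADMIN list-members "$a" </dev/null | grep -qF -- "$2" || exit 1
    done
}
```

expect_error and listed_up_the_tree only depend on exit codes and on the output of list-members, so they can be pointed at a test server by setting VOMS_ADMIN, provided the arguments passed match the real client's syntax.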

3.3.2 Web interface VO registration service

Testing the VOMS-ADMIN web interface as a regular user.

Normal workflow and Pass/Fail Criteria

  • VO registration request
  • Confirmation email verification
  • Request timeout
  • VO information page

The test passes if the VOMS server accepts the registration requests and sends the confirmation email containing the valid activation link, and subsequent approval of the user makes it a regular VO member.

Activation should be tested also after the request expiration time. The VOMS server should display a proper error message.

3.3.3 Regression tests

[VOMS Admin] VOMS Admin CA update functionality fails with EGI-trustanchors CA 1.38

Check that VOMS Admin installation and configuration works as expected with EGI trust anchors >= 1.38.

[VOMS Admin] VOMS-admin AUP signing request behaviour broken for user with no AUP acceptance record

Create two users without AUP record, have one user sign the AUP and check that the other still receives a Sign AUP email.

[VOMS Admin] "Add to group" dialog broken

Create 2 groups in the VO. Create a user. Check that the add to group dialog in the user page allows the administrator to select any of the newly created groups.

[VOMS Admin] "more info" link in group search users tab broken

Create a user in the VO. Search the VO root group and check that the "more info" link referring to the created user is not broken.

[YAIM VOMS] Adaptive setting of MaxPermSize according to the number of configured VOs

Configure a large number of VOs with YAIM (> 10) and check that the MaxPermSize Java VM parameter is set in a way that is proportional to the number of VOs.

[VOMS Admin] Database upgrade fails when usr table contains duplicated entry

Starting from a VOMS Admin 2.0.x database, insert a duplicated entry in the usr table and try the upgrade of the database. The upgrade script should warn of the presence of a duplicated entry and succeed.

[VOMS Admin] Confirmed pending VO membership requests are incorrectly deleted from database

Configure the expired request purger thread to execute every 10 sec. Request membership to the VO. As a VO admin accept the membership request. Check that the expired request purger does not delete the just confirmed request from the database.

[VOMS Admin] Uncaught exception shown in group membership search pane

Using the voms-admin CLI create two users with the same certificate subject and different CAs. Check that the root VO group membership search pane shows the two users as expected and no exception is thrown.

[VOMS Admin] VOMS Admin does not resolve correctly email addresses for role and group administrators

Create a user, assign him the VO-Admin role. Check that the user receives VOMS Admin notifications for incoming user requests.

[VOMS Admin] VOMS Admin SIGN AUP default grace period is too short

  1. Create a user in the VO (via voms-admin cli or the web interface).
  2. Trigger AUP reacceptance for the user from web interface.
  3. Ensure the web interface shows that 14 days (the current default) are given to the user to sign the AUP.

[VOMS Admin] VOMS Admin does not send warning message before suspending users due to membership expiration

  1. Create 10 users in a test VO (via voms-admin cli or the web interface).
  2. Change the expiration date for 5 of these users to be in the next 10 days.
  3. Check that administrator receives a mail that informs of the 5 expiring users.

[VOMS Admin] voms-admin-configure ignores dbhost and dbport parameters for voms core configuration

  1. Create a test vo using voms-admin-configure specifying the --dbhost and --dbport options
  2. Ensure that the values provided appear in /etc/voms//voms.conf

[VOMS Admin] Trim spaces from DN when entered in the web interface

  1. Add a certificate for an existing user in the VO from the web interface and enter a fake DN surrounded by spaces.
  2. Check that spaces are trimmed in the certificate listed in the user certificate list panel.

[VOMS Admin] Use single separator in the output of voms-admin list-users command

  1. Populate the VO with at least one user
  2. Run voms-admin --vo list-users and check that a single separator is used for dn, ca and email.

[VOMS Admin] Small improvements to VOMS Admin WEB UI

  1. Check that the add certificate page shows the "Certificate subject (DN)" label instead of "Subject".
  2. Check that the registration page displays the "Given name", "Family name" labels instead of "Name", "Surname".

[VOMS Admin] voms-admin-ping looking in wrong place to determine list of VOs.

  1. Configure three different VOs with YAIM
  2. After YAIM configuration is over, stop two of them with service voms-admin stop vo1 vo2
  3. Run voms-admin-ping (as root) and check that one VO is shown as active, while the other two are reported as stopped.

[VOMS Admin] AUP URL for active AUP should be editable from the Web interface

  1. Check that the VOMS Admin web interface provides the ability for administrators to edit the URL of AUPs

[VOMS Admin] Provide access to membership statistics

  1. Check that the voms-admin list-user-stats command shows correct information about membership in a VO

[VOMS Admin] The voms-admin-configure --read-access-to-authenticated-clients options produces no effect

  1. Configure a VO using the --read-access-to-authenticated-clients.
  2. Check that groups are shown in the VO group list page.

3.3.4 Performance and scalability tests


3.3.5 Standard compliance and conformance tests


3.3.6 Inter-component tests

MkGridmap

Check that the mkgridmap script works as expected against the VOMS Admin service.

-- AndreaCeccanti - 2012-04-27

Topic revision: r2 - 2012-04-27 - AndreaCeccanti