def test_delete_group_by_user_administrator(self):
"""
Test that a user with sufficient privileges can delete group
This is a Automation for issue 6884
"""
# Create a new testadmin user with a password
testadmin = 'tuser'
password = '******'
testgroup = 'gtest'
try:
tasks.create_active_user(self.master, testadmin, password)
# Add testadmin user to role "User Administrator"
tasks.kinit_admin(self.master)
self.master.run_command([
'ipa', 'role-add-member', '--users', testadmin,
'User Administrator'
])
tasks.kdestroy_all(self.master)
# Create a test group
tasks.kinit_as_user(self.master, testadmin, password)
self.master.run_command(['ipa', 'group-add', testgroup])
# Call ipa-group-del to check if user can delete group
self.master.run_command(['ipa', 'group-del', testgroup])
finally:
# Cleanup
tasks.kinit_admin(self.master)
self.master.run_command(['ipa', 'user-del', testadmin])
self.master.run_command(
['ipa', 'group-del', testgroup, '--continue'])
def test_smb_service_s4u2self(self, enable_smb_client_dns_lookup_kdc):
"""Test S4U2Self operation by IPA service
against both AD and IPA users
"""
script = textwrap.dedent("""export KRB5_TRACE=/dev/stderr
kdestroy -A
kinit -kt /etc/samba/samba.keytab {principal}
klist -f
{print_pac} -k /etc/samba/samba.keytab -E impersonate {user_princ}
klist -f
""")
with enable_smb_client_dns_lookup_kdc(self.smbserver):
principal = 'cifs/{hostname}'.format(
hostname=self.smbserver.hostname)
# Copy ipa-print-pac to SMB server
# We can do so because Samba and GSSAPI libraries
# are present there
print_pac = self.master.get_file_contents(
os.path.join(paths.LIBEXEC_IPA_DIR, "ipa-print-pac"))
result = self.smbserver.run_command(['mktemp'])
tmpname = result.stdout_text.strip()
self.smbserver.put_file_contents(tmpname, print_pac)
self.smbserver.run_command(['chmod', 'a+x', tmpname])
for user in (
self.ad_user,
self.ipa_user1,
):
shell_script = script.format(principal=principal,
user_princ=user,
print_pac=tmpname)
self.smbserver.run_command(['/bin/bash', '-s', '-e'],
stdin_text=shell_script)
self.smbserver.run_command(['rm', '-f', tmpname])
tasks.kdestroy_all(self.smbserver)
def test_krbtpolicy_hardended(self):
"""Test a hardened kerberos ticket policy with 10 min tickets"""
master = self.master
master.run_command([
'ipa', 'user-mod', USER1, '--user-auth-type', 'password',
'--user-auth-type', 'hardened'
])
master.run_command([
'ipa', 'config-mod', '--user-auth-type', 'password',
'--user-auth-type', 'hardened'
])
master.run_command(
['ipa', 'krbtpolicy-mod', USER1, '--hardened-maxlife', '600'])
tasks.kdestroy_all(master)
master.run_command(['kinit', USER1], stdin_text=PASSWORD + '\n')
result = master.run_command('klist | grep krbtgt')
assert maxlife_within_policy(result.stdout_text, 600,
slush=600) is True
tasks.kdestroy_all(master)
# Verify that the short policy only applies to USER1
master.run_command(['kinit', USER2], stdin_text=PASSWORD + '\n')
result = master.run_command('klist | grep krbtgt')
assert maxlife_within_policy(result.stdout_text, MAXLIFE) is True
def test_krbtpolicy_hardended(self):
"""Test a hardened kerberos ticket policy with 30min tickets"""
if self.master.is_fips_mode:
pytest.skip("SPAKE pre-auth is not compatible with FIPS mode")
master = self.master
master.run_command(
['ipa', 'user-mod', USER1, '--user-auth-type', 'hardened'])
master.run_command(
['ipa', 'config-mod', '--user-auth-type', 'hardened'])
master.run_command(
['ipa', 'krbtpolicy-mod', USER1, '--hardened-maxlife', '1800'])
tasks.kdestroy_all(master)
master.run_command(['kinit', USER1], stdin_text=PASSWORD + '\n')
result = master.run_command('klist | grep krbtgt')
assert maxlife_within_policy(result.stdout_text, 1800,
slush=1800) is True
tasks.kdestroy_all(master)
# Verify that the short policy only applies to USER1
master.run_command(['kinit', USER2], stdin_text=PASSWORD + '\n')
result = master.run_command('klist | grep krbtgt')
assert maxlife_within_policy(result.stdout_text, MAXLIFE) is True
def test_ccache_sweep_valid(self):
"""Test that the ccache sweeper doesn't remove valid ccaches
- Force wipe all existing ccaches
- Run the sweeper
- Verify that all valid ccaches weren't removed
Note: assumed that ccache expiration doesn't happen during test
"""
tasks.kdestroy_all(self.master)
self.master.run_command(
["find", paths.IPA_CCACHES, "-type", "f", "-delete"]
)
for _i in range(5):
tasks.kinit_admin(self.master)
self.master.run_command(["ipa", "user-show", "admin"])
tasks.kdestroy_all(self.master)
result = self.master.run_command(
"ls -1 {0} | wc -l".format(paths.IPA_CCACHES)
)
assert int(result.stdout_text.strip()) == 5
ccache_sweep_cmd = ["/usr/libexec/ipa/ipa-ccache-sweeper", "-m", "0"]
# should be run as ipaapi for GSSProxy
self.master.run_command(
["runuser", "-u", IPAAPI_USER, "--"] + ccache_sweep_cmd
)
result = self.master.run_command(
"ls -1 {0} | wc -l".format(paths.IPA_CCACHES)
)
assert int(result.stdout_text.strip()) == 5
def test_ntlm_authentication_with_upn_with_uppercase_domain(self):
tasks.kdestroy_all(self.smbclient)
mount_options = 'user={user}@{domain},pass={password}'.format(
user=self.ipa_user1,
password=self.ipa_user1_password,
domain=self.master.domain.name.upper())
self.check_repeated_smb_mount(mount_options)
def kinit_otp(host, user, *, password, otp, success=True):
tasks.kdestroy_all(host)
# create armor for FAST
host.run_command(["kinit", "-n", "-c", ARMOR])
host.run_command(
["kinit", "-T", ARMOR, user],
stdin_text=f"{password}{otp}\n",
ok_returncode=0 if success else 1,
)
def test_subordinate_suffix(self):
"""Test subordinate UPN suffixes routing.
Given an AD domain ad.test with additional UPN suffix suffix.ad.test
check that requests from IPA for suffix.ad.test
are properly routed to ad.test.
This is a regression test for https://pagure.io/freeipa/issue/8554
"""
# Create subordinate UPN suffix
subordinate_suffix = 'test_subdomain.' + self.ad_domain
self.ad.run_command([
'powershell', '-c',
'Set-ADForest -Identity {} -UPNSuffixes @{{add="{}"}}'.format(
self.ad_domain, subordinate_suffix)
])
try:
# Verify UPN suffix is created
cmd = ('Get-ADForest -Identity {} '
'| Select-Object -Property UPNSuffixes'.format(
self.ad_domain))
res = self.ad.run_command(['powershell', '-c', cmd])
assert subordinate_suffix in res.stdout_text
# Verify IPA does not receive subordinate suffix from AD
self.master.run_command(
['ipa', 'trust-fetch-domains', self.ad_domain],
ok_returncode=1)
res = self.master.run_command(
['ipa', 'trust-show', self.ad_domain])
assert subordinate_suffix not in res.stdout_text
# Set UPN for the AD user
upn = 'testuser@' + subordinate_suffix
cmd = 'Set-Aduser -UserPrincipalName {} -Identity testuser'.format(
upn)
self.ad.run_command(['powershell', '-c', cmd])
# Check user resolution
res = self.master.run_command(['getent', 'passwd', upn])
expected_regex = (
r'^testuser@{domain}:\*:(\d+):(\d+):'
r'Test User:/home/{domain}/testuser:{shell}$'.format(
domain=re.escape(self.ad_domain),
shell=self.default_shell))
assert re.search(expected_regex, res.stdout_text)
# Check user authentication
self.master.run_command(['kinit', '-E', upn],
stdin_text='Secret123')
finally:
# cleanup
tasks.kdestroy_all(self.master)
cmd = ('Set-ADForest -Identity {} -UPNSuffixes @{{Remove="{}"}}'.
format(self.ad_domain, subordinate_suffix))
self.ad.run_command(['powershell', '-c', cmd])
def mount_smb_share(self, user, password, share, mountpoint):
tasks.kdestroy_all(self.smbclient)
tasks.kinit_as_user(self.smbclient, user, password)
self.smbclient.run_command(['mkdir', '-p', mountpoint])
self.smbclient.run_command([
'mount', '-t', 'cifs', share['unc'], mountpoint,
'-o', 'sec=krb5i,multiuser'
])
tasks.kdestroy_all(self.smbclient)
def test_krbtpolicy_default(self):
"""Test the default kerberos ticket policy 24-hr tickets"""
master = self.master
master.run_command(
['ipa', 'krbtpolicy-mod', USER1, '--maxlife',
str(MAXLIFE)])
tasks.kdestroy_all(master)
master.run_command(['kinit', USER1], stdin_text=PASSWORD + '\n')
result = master.run_command('klist | grep krbtgt')
assert maxlife_within_policy(result.stdout_text, MAXLIFE) is True
def test_krbtpolicy_reset(self):
"""Test a hardened kerberos ticket policy reset"""
master = self.master
tasks.kinit_admin(master)
master.run_command(['ipa', 'krbtpolicy-reset', USER2])
master.run_command(['kinit', USER2], stdin_text=PASSWORD + '\n')
result = master.run_command('klist | grep krbtgt')
assert maxlife_within_policy(result.stdout_text, MAXLIFE) is True
tasks.kdestroy_all(master)
def test_sudorules_ad_users(self):
"""Verify trusted domain users can be added to sudorules"""
tasks.kdestroy_all(self.master)
tasks.kinit_admin(self.master)
testuser = '******' % (self.master.config.ad_admin_name, self.ad_domain)
expected = "(root) NOPASSWD: ALL"
with self.check_sudorules_for("user", testuser, testuser, expected):
# no additional configuration
pass
def test_smb_mount_fails_without_kerberos_ticket(self, samba_share_public):
mountpoint = '/mnt/smb'
try:
tasks.kdestroy_all(self.smbclient)
self.smbclient.run_command(['mkdir', '-p', mountpoint])
res = self.smbclient.run_command([
'mount', '-t', 'cifs', samba_share_public['unc'], mountpoint,
'-o', 'sec=krb5i,multiuser'
], raiseonerr=False)
assert res.returncode == 32
finally:
self.cleanup_mount(mountpoint)
def test_krbtpolicy_jitter(self):
"""Test jitter lifetime with no authentication indicators """
master = self.master
tasks.kinit_admin(self.master)
master.run_command(['kinit', USER1], stdin_text=PASSWORD + '\n')
result = master.run_command('klist | grep krbtgt')
assert maxlife_within_policy(result.stdout_text, MAXLIFE,
slush=60) is True
tasks.kdestroy_all(master)
def test_krbtpolicy_password(self):
"""Test the kerberos ticket policy which issues 20 min tickets"""
master = self.master
master.run_command(
['ipa', 'krbtpolicy-mod', USER2, '--maxlife', '1200'])
tasks.kdestroy_all(master)
master.run_command(['kinit', USER2], stdin_text=PASSWORD + '\n')
result = master.run_command('klist | grep krbtgt')
assert maxlife_within_policy(result.stdout_text, 1200,
slush=1200) is True
def test_ntlm_authentication_with_auto_domain(self):
"""Repeatedly try to authenticate with username and password with
automatic domain discovery.
This is a regression test for https://pagure.io/freeipa/issue/8636
"""
tasks.kdestroy_all(self.smbclient)
mount_options = 'user={user},pass={password},domainauto'.format(
user=self.ipa_user1, password=self.ipa_user1_password)
self.check_repeated_smb_mount(mount_options)
def test_ipa_getcert_san_aci(self):
"""Test for DNS and IP SAN extensions + ACIs
"""
hostname = self.clients[0].hostname
certfile = os.path.join(paths.OPENSSL_CERTS_DIR, "test2.pem")
tasks.kinit_admin(self.master)
zone = tasks.prepare_reverse_zone(self.master, self.clients[0].ip)[0]
# add PTR dns record for cert request with SAN extention
rec = str(self.clients[0].ip).split('.')[3]
result = self.master.run_command(
['ipa', 'dnsrecord-add', zone, rec, '--ptr-rec', hostname])
assert 'Record name: {}'.format(rec) in result.stdout_text
assert 'PTR record: {}'.format(hostname) in result.stdout_text
name, zone = hostname.split('.', 1)
self.master.run_command(['ipa', 'dnsrecord-show', zone, name])
tasks.kdestroy_all(self.master)
cmd_arg = [
'ipa-getcert',
'request',
'-v',
'-w',
'-f',
certfile,
'-k',
os.path.join(paths.OPENSSL_PRIVATE_DIR, "test2.key"),
'-K',
f'test/{hostname}',
'-D',
hostname,
'-A',
self.clients[0].ip,
]
result = self.clients[0].run_command(cmd_arg)
request_id = re.findall(r'\d+', result.stdout_text)
# check if certificate is in MONITORING state
status = tasks.wait_for_request(self.clients[0], request_id[0], 50)
assert status == "MONITORING"
certdata = self.clients[0].get_file_contents(certfile)
cert = x509.load_pem_x509_certificate(certdata, default_backend())
ext = cert.extensions.get_extension_for_oid(
ExtensionOID.SUBJECT_ALTERNATIVE_NAME)
dnsnames = ext.value.get_values_for_type(x509.DNSName)
assert dnsnames == [self.clients[0].hostname]
ipaddrs = ext.value.get_values_for_type(x509.IPAddress)
assert ipaddrs == [ipaddress.ip_address(self.clients[0].ip)]
def test_ipa_management_run_as_aduser(self):
"""Test if adding AD user to a role makes it an administrator"""
ipauser = u'tuser'
ad_admin = 'Administrator@%s' % self.ad_domain
tasks.kdestroy_all(self.master)
tasks.kinit_admin(self.master)
self.master.run_command(
['ipa', 'idoverrideuser-add', 'Default Trust View', ad_admin])
self.master.run_command([
'ipa', 'role-add-member', 'User Administrator',
'--idoverrideusers', ad_admin
])
tasks.kdestroy_all(self.master)
tasks.kinit_as_user(self.master, ad_admin,
self.master.config.ad_admin_password)
# Create a user in IPA as Active Directory administrator
self.test_ipauser_authentication_with_nonposix_trust()
tasks.kdestroy_all(self.master)
tasks.kinit_as_user(self.master, ad_admin,
self.master.config.ad_admin_password)
self.master.run_command(['ipa', 'user-del', ipauser], raiseonerr=False)
tasks.kdestroy_all(self.master)
tasks.kinit_admin(self.master)
def test_sudorules_ad_runasuser(self):
"""Verify trusted domain users can be added to runAsUser"""
tasks.kdestroy_all(self.master)
tasks.kinit_admin(self.master)
testuser = '******' % (self.master.config.ad_admin_name, self.ad_domain)
expected = "(%s) NOPASSWD: ALL" % (testuser.lower())
with self.check_sudorules_for("user", testuser, testuser,
expected) as sudorule:
# Add runAsUser with the same user
self.master.run_command(['ipa',
'sudorule-add-runasuser', sudorule.name,
'--users', sudorule.subject])
def test_show_member_manager(self):
master = self.master
tasks.kinit_admin(master)
result = master.run_command(['ipa', 'group-show', GROUP1])
out = result.stdout_text
assert f"Membership managed by groups: {GROUP_INDIRECT}" in out
assert f"Membership managed by users: {USER_MM}" in out
result = master.run_command(['ipa', 'hostgroup-show', HOSTGROUP1])
out = result.stdout_text
assert f"Membership managed by groups: {GROUP_INDIRECT}" in out
assert f"Membership managed by users: {USER_MM}" in out
tasks.kdestroy_all(master)
def kinit_idp(host, user, keycloak_server):
ARMOR = "/tmp/armor"
tasks.kdestroy_all(host)
# create armor for FAST
host.run_command(["kinit", "-n", "-c", ARMOR])
since = time.strftime('%Y-%m-%d %H:%M:%S')
cmd = ["kinit", "-T", ARMOR, user]
with host.spawn_expect(cmd, default_timeout=100) as e:
e.expect('Authenticate at .+: ')
uri = get_verification_uri(host, since, keycloak_server.hostname)
if uri:
add_user_code(keycloak_server, uri)
e.sendline('\n')
e.expect_exit()
test_idp = host.run_command(["klist", "-C"])
assert "152" in test_idp.stdout_text
def test_sudorules_ad_runasgroup(self):
"""Verify trusted domain groups can be added to runAsGroup"""
tasks.kdestroy_all(self.master)
tasks.kinit_admin(self.master)
testuser = '******' % (self.master.config.ad_admin_name, self.ad_domain)
testgroup = 'Enterprise Admins@%s' % self.ad_domain
expected = '(%s : "%%%s") NOPASSWD: ALL' % (testuser.lower(),
testgroup.lower())
with self.check_sudorules_for("group", testuser, testuser,
expected) as sudorule:
# Add runAsGroup with the same user
self.master.run_command(['ipa',
'sudorule-add-runasgroup',
sudorule.name,
'--groups', testgroup])
def test_sudorules_ad_groups(self):
"""Verify trusted domain groups can be added to sudorules"""
tasks.kdestroy_all(self.master)
tasks.kinit_admin(self.master)
testuser = '******' % (self.master.config.ad_admin_name, self.ad_domain)
testgroup = 'Enterprise Admins@%s' % self.ad_domain
expected = "(root) NOPASSWD: ALL"
with self.check_sudorules_for("group", testuser, testuser,
expected) as sudorule:
# Remove the user and instead add a group
self.master.run_command(['ipa',
'sudorule-remove-user', sudorule.name,
'--users', sudorule.user])
self.master.run_command(['ipa', 'sudorule-add-user', sudorule.name,
'--groups', testgroup])
def test_password_login_as_aduser(self):
"""Test if AD user can login with password to Web UI"""
ad_admin = 'Administrator@%s' % self.ad_domain
tasks.kdestroy_all(self.master)
user_and_password = ('user=%s&password=%s' %
(ad_admin, self.master.config.ad_admin_password))
host = self.master.hostname
cmd_args = [
paths.BIN_CURL, '-v', '-H', 'referer:https://{}/ipa'.format(host),
'-H', 'Content-Type:application/x-www-form-urlencoded', '-H',
'Accept:text/plain', '--cacert', paths.IPA_CA_CRT, '--data',
user_and_password,
'https://{}/ipa/session/login_password'.format(host)
]
result = self.master.run_command(cmd_args)
assert "Set-Cookie: ipa_session=MagBearerToken" in result.stderr_text
tasks.kinit_admin(self.master)
def test_subordinate_suffix(self):
"""Test subordinate UPN Suffixes"""
tasks.configure_dns_for_trust(self.master, self.ad)
tasks.establish_trust_with_ad(
self.master, self.ad_domain,
extra_args=['--range-type', 'ipa-ad-trust'])
# Clear all UPN Suffixes
ps_cmd = "Get-ADForest | Set-ADForest -UPNSuffixes $null"
self.ad.run_command(["powershell", "-c", ps_cmd])
result = self.master.run_command(["ipa", "trust-show", self.ad_domain])
assert (
"ipantadditionalsuffixes: {}".format(self.upn_suffix)
not in result.stdout_text
)
# Run Get-ADForest
ps_cmd1 = "Get-ADForest"
self.ad.run_command(["powershell", "-c", ps_cmd1])
# Add new UPN for AD
ps_cmd2 = (
'Get-ADForest | Set-ADForest -UPNSuffixes '
'@{add="new.ad.test", "upn.dom"}'
)
self.ad.run_command(["powershell", "-c", ps_cmd2])
self.ad.run_command(["powershell", "-c", ps_cmd1])
self.master.run_command(
["ipa", "trust-fetch-domains", self.ad_domain],
raiseonerr=False)
self.master.run_command(["ipa", "trust-show", self.ad_domain])
# Set UPN for the aduser
ps_cmd3 = (
'set-aduser -UserPrincipalName '
'[email protected] -Identity Administrator'
)
self.ad.run_command(["powershell", "-c", ps_cmd3])
# kinit to IPA using AD user [email protected]
result = self.master.run_command(
["getent", "passwd", "*****@*****.**"]
)
assert result.returncode == 0
self.master.run_command(
["kinit", "-E", "*****@*****.**"],
stdin_text="Secret123",
)
tasks.kdestroy_all(self.master)
def nested_group_setup(self, tmpdir):
"""Setup and Clean up groups and user created"""
master = self.master
client = self.clients[0]
# add a user and set password
tasks.create_active_user(master, self.username, self.userpasswd)
tasks.kinit_admin(master)
privkey, pubkey = tasks.generate_ssh_keypair()
with open(os.path.join(
tmpdir, 'ssh_priv_key'), 'w') as fp:
fp.write(privkey)
master.run_command([
'ipa', 'user-mod', self.username, '--ssh', "{}".format(pubkey)
])
master.put_file_contents('/tmp/user_ssh_priv_key', privkey)
master.run_command(['chmod', '600', '/tmp/user_ssh_priv_key'])
# add group groupa
cmd_output = master.run_command(['ipa', 'group-add', 'groupa'])
assert 'Added group "groupa"' in cmd_output.stdout_text
# add group groupb
cmd_output = master.run_command(['ipa', 'group-add', 'groupb'])
assert 'Added group "groupb"' in cmd_output.stdout_text
# add group groupc
cmd_output = master.run_command(['ipa', 'group-add', 'groupc'])
assert 'Added group "groupc"' in cmd_output.stdout_text
client.put_file_contents('/tmp/user_ssh_priv_key',
privkey)
client.run_command(['chmod', '600', '/tmp/user_ssh_priv_key'])
yield
# test cleanup
for group in ['groupa', 'groupb', 'groupc']:
self.master.run_command(['ipa', 'group-del', group, '--continue'])
self.master.run_command(['ipa', 'user-del', self.username,
'--no-preserve', '--continue'])
tasks.kdestroy_all(self.master)
tasks.kdestroy_all(self.clients[0])
def test_ccache_sweep_expired(self, reset_to_default_policy):
"""Test that the ccache sweeper works on expired ccaches
- Force wipe all existing ccaches
- Set the ticket policy to a short value, 20 seconds.
- Do a series of kinit, ipa command, kdestroy to generate ccaches
- sleep() for expiration
- Run the sweeper
- Verify that all expired ccaches are gone
"""
MAXLIFE = 20
reset_to_default_policy(self.master) # this will reset at END of test
tasks.kinit_admin(self.master)
self.master.run_command(
['ipa', 'krbtpolicy-mod', '--maxlife', str(MAXLIFE)]
)
tasks.kdestroy_all(self.master)
self.master.run_command(
['find', paths.IPA_CCACHES, '-type', 'f', '-delete']
)
for _i in range(5):
tasks.kinit_admin(self.master)
self.master.run_command(['ipa', 'user-show', 'admin'])
tasks.kdestroy_all(self.master)
result = self.master.run_command(
"ls -1 {0} | wc -l".format(paths.IPA_CCACHES)
)
assert int(result.stdout_text.strip()) == 5
# let ccache expire
time.sleep(MAXLIFE)
ccache_sweep_cmd = ["/usr/libexec/ipa/ipa-ccache-sweeper", "-m", "0"]
# should be run as ipaapi for GSSProxy
self.master.run_command(
["runuser", "-u", IPAAPI_USER, "--"] + ccache_sweep_cmd
)
result = self.master.run_command(
"ls -1 {0} | wc -l".format(paths.IPA_CCACHES)
)
assert int(result.stdout_text.strip()) == 0
def test_auth_sudo_idp(self):
"""
Test case to check that sudorule is working as
expected for user configured with external idp.
"""
tasks.kdestroy_all(self.master)
tasks.kinit_admin(self.master)
# rule: keycloakuser are allowed to execute yum on
# the client machine as root.
cmdlist = [
["ipa", "sudocmd-add", "/usr/bin/yum"],
["ipa", "sudorule-add", "sudorule"],
['ipa', 'sudorule-add-user', '--users=keycloakuser',
'sudorule'],
['ipa', 'sudorule-add-host', '--hosts',
self.client.hostname, 'sudorule'],
['ipa', 'sudorule-add-runasuser',
'--users=root', 'sudorule'],
['ipa', 'sudorule-add-allow-command',
'--sudocmds=/usr/bin/yum', 'sudorule'],
['ipa', 'sudorule-show', 'sudorule', '--all'],
['ipa', 'sudorule-add-option',
'sudorule', '--sudooption', "!authenticate"]
]
for cmd in cmdlist:
self.master.run_command(cmd)
tasks.clear_sssd_cache(self.master)
tasks.clear_sssd_cache(self.client)
try:
cmd = 'sudo -ll -U keycloakuser'
test = self.client.run_command(cmd).stdout_text
assert "User keycloakuser may run the following commands" in test
assert "/usr/bin/yum" in test
kinit_idp(self.client, 'keycloakuser', self.client)
test_sudo = 'su -c "sudo yum list wget" keycloakuser'
self.client.run_command(test_sudo)
list_fail = self.master.run_command(cmd).stdout_text
assert "User keycloakuser is not allowed to run sudo" in list_fail
finally:
tasks.kinit_admin(self.master)
self.master.run_command(['ipa', 'sudorule-del', 'sudorule'])
self.master.run_command(["ipa", "sudocmd-del", "/usr/bin/yum"])
def test_idp_backup_restore(self):
"""
Test case to check that after restore data is retrieved
with related idp configuration.
"""
tasks.kinit_admin(self.master)
user = "******"
cmd = ["ipa", "idp-add", "testidp", "--provider=keycloak",
"--client-id=ipa_oidc_client", "--org=master",
"--base-url={0}:8443/auth".format(self.client.hostname)]
self.master.run_command(cmd, stdin_text="{0}\n{0}".format(
self.client.config.admin_password))
tasks.user_add(self.master, user,
extra_args=["--user-auth-type=idp",
"[email protected]",
"--idp=testidp"]
)
backup_path = tasks.get_backup_dir(self.master)
# change data after backup
self.master.run_command(['ipa', 'user-del', user])
self.master.run_command(['ipa', 'idp-del', 'testidp'])
dirman_password = self.master.config.dirman_password
self.master.run_command(['ipa-restore', backup_path],
stdin_text=dirman_password + '\nyes')
try:
list_user = self.master.run_command(
['ipa', 'user-show', 'backupuser', '--all']
).stdout_text
assert "External IdP configuration: testidp" in list_user
assert "User authentication types: idp" in list_user
assert ("External IdP user identifier: "
"*****@*****.**") in list_user
list_idp = self.master.run_command(['ipa', 'idp-find', 'testidp'])
assert "testidp" in list_idp.stdout_text
kinit_idp(self.master, user, self.client)
finally:
tasks.kdestroy_all(self.master)
tasks.kinit_admin(self.master)
self.master.run_command(["rm", "-rf", backup_path])
self.master.run_command(["ipa", "idp-del", "testidp"])
def test_ipa_getcert_san_aci(self):
"""Test for DNS and IP SAN extensions + ACIs
"""
hostname = self.clients[0].hostname
certfile = '/etc/pki/tls/certs/test2.pem'
tasks.kinit_admin(self.master)
name, zone = hostname.split('.', 1)
self.master.run_command(['ipa', 'dnsrecord-show', zone, name])
tasks.kdestroy_all(self.master)
cmd_arg = [
'ipa-getcert',
'request',
'-v',
'-w',
'-f',
certfile,
'-k',
'/etc/pki/tls/private/test2.key',
'-K',
f'test/{hostname}',
'-D',
hostname,
'-A',
self.clients[0].ip,
]
result = self.clients[0].run_command(cmd_arg)
request_id = re.findall(r'\d+', result.stdout_text)
# check if certificate is in MONITORING state
status = tasks.wait_for_request(self.clients[0], request_id[0], 50)
assert status == "MONITORING"
certdata = self.clients[0].get_file_contents(certfile)
cert = x509.load_pem_x509_certificate(certdata, default_backend())
ext = cert.extensions.get_extension_for_oid(
ExtensionOID.SUBJECT_ALTERNATIVE_NAME)
dnsnames = ext.value.get_values_for_type(x509.DNSName)
assert dnsnames == [self.clients[0].hostname]
ipaddrs = ext.value.get_values_for_type(x509.IPAddress)
assert ipaddrs == [ipaddress.ip_address(self.clients[0].ip)]
