def test_ipa_management_run_as_aduser(self): """Test if adding AD user to a role makes it an administrator""" ipauser = u'tuser' ad_admin = 'Administrator@%s' % self.ad_domain tasks.kdestroy_all(self.master) tasks.kinit_admin(self.master) self.master.run_command( ['ipa', 'idoverrideuser-add', 'Default Trust View', ad_admin]) self.master.run_command([ 'ipa', 'role-add-member', 'User Administrator', '--idoverrideusers', ad_admin ]) tasks.kdestroy_all(self.master) tasks.kinit_as_user(self.master, ad_admin, self.master.config.ad_admin_password) # Create a user in IPA as Active Directory administrator self.test_ipauser_authentication_with_nonposix_trust() tasks.kdestroy_all(self.master) tasks.kinit_as_user(self.master, ad_admin, self.master.config.ad_admin_password) self.master.run_command(['ipa', 'user-del', ipauser], raiseonerr=False) tasks.kdestroy_all(self.master) tasks.kinit_admin(self.master)
def test_add_agent_not_allowed(self): """Check that add-agents can be run only by Admins.""" user = "******" passwd = "Secret123" host = self.replicas[0].hostname data_fmt = '{{"method":"trust_enable_agent","params":[["{}"],{{}}]}}' try: # Create a nonadmin user that will be used by curl tasks.create_active_user(self.master, user, passwd, first=user, last=user) tasks.kinit_as_user(self.master, user, passwd) # curl --negotiate -u : is using GSS-API i.e. nonadmin user cmd_args = [ paths.BIN_CURL, '-H', 'referer:https://{}/ipa'.format(host), '-H', 'Content-Type:application/json', '-H', 'Accept:applicaton/json', '--negotiate', '-u', ':', '--cacert', paths.IPA_CA_CRT, '-d', data_fmt.format(host), '-X', 'POST', 'https://{}/ipa/json'.format(host) ] res = self.master.run_command(cmd_args) expected = 'Insufficient access: not allowed to remotely add agent' assert expected in res.stdout_text finally: tasks.kinit_admin(self.master) self.master.run_command(['ipa', 'user-del', user])
def test_delete_group_by_user_administrator(self): """ Test that a user with sufficient privileges can delete group This is a Automation for issue 6884 """ # Create a new testadmin user with a password testadmin = 'tuser' password = '******' testgroup = 'gtest' try: tasks.create_active_user(self.master, testadmin, password) # Add testadmin user to role "User Administrator" tasks.kinit_admin(self.master) self.master.run_command([ 'ipa', 'role-add-member', '--users', testadmin, 'User Administrator' ]) tasks.kdestroy_all(self.master) # Create a test group tasks.kinit_as_user(self.master, testadmin, password) self.master.run_command(['ipa', 'group-add', testgroup]) # Call ipa-group-del to check if user can delete group self.master.run_command(['ipa', 'group-del', testgroup]) finally: # Cleanup tasks.kinit_admin(self.master) self.master.run_command(['ipa', 'user-del', testadmin]) self.master.run_command( ['ipa', 'group-del', testgroup, '--continue'])
def test_subid_selfservice(self): uid1 = "testuser_selfservice1" uid2 = "testuser_selfservice2" password = "******" role = "Subordinate ID Selfservice User" tasks.create_active_user(self.master, uid1, password=password) tasks.create_active_user(self.master, uid2, password=password) tasks.kinit_user(self.master, uid1, password=password) self.assert_subid(uid1, match=False) result = self.subid_generate(uid1, raiseonerr=False) assert result.returncode > 0 result = self.subid_generate(None, raiseonerr=False) assert result.returncode > 0 tasks.kinit_admin(self.master) self.master.run_command( ["ipa", "role-add-member", role, "--groups=ipausers"]) try: tasks.kinit_user(self.master, uid1, password) self.subid_generate(uid1) self.assert_subid(uid1, match=True) # add subid from whoami tasks.kinit_as_user(self.master, uid2, password=password) self.subid_generate(None) self.assert_subid(uid2, match=True) finally: tasks.kinit_admin(self.master) self.master.run_command( ["ipa", "role-remove-member", role, "--groups=ipausers"])
def test_hostgroup_member_manager_user(self): master = self.master # mmuser: add a host to host group tasks.kinit_as_user(master, USER_MM, PASSWORD) master.run_command([ 'ipa', 'hostgroup-add-member', HOSTGROUP1, '--hosts', master.hostname ]) result = master.run_command(['ipa', 'hostgroup-show', HOSTGROUP1]) assert master.hostname in result.stdout_text master.run_command([ 'ipa', 'hostgroup-remove-member', HOSTGROUP1, '--hosts', master.hostname ]) result = master.run_command(['ipa', 'hostgroup-show', HOSTGROUP1]) assert master.hostname not in result.stdout_text # indirect: tasks.kinit_as_user(master, USER_INDIRECT, PASSWORD) master.run_command([ 'ipa', 'hostgroup-add-member', HOSTGROUP1, '--hosts', master.hostname ]) result = master.run_command(['ipa', 'hostgroup-show', HOSTGROUP1]) assert master.hostname in result.stdout_text
def mount_smb_share(self, user, password, share, mountpoint): tasks.kdestroy_all(self.smbclient) tasks.kinit_as_user(self.smbclient, user, password) self.smbclient.run_command(['mkdir', '-p', mountpoint]) self.smbclient.run_command([ 'mount', '-t', 'cifs', share['unc'], mountpoint, '-o', 'sec=krb5i,multiuser' ]) tasks.kdestroy_all(self.smbclient)
def test_group_member_manager_group(self): master = self.master # mmuser: add group2 to group tasks.kinit_as_user(master, USER_MM, PASSWORD) master.run_command([ 'ipa', 'group-add-member', GROUP1, '--groups', GROUP2 ]) result = master.run_command(['ipa', 'group-show', GROUP1]) assert GROUP2 in result.stdout_text
def test_group_member_manager_nopermission(self): master = self.master tasks.kinit_as_user(master, USER1, PASSWORD) result = master.run_command( [ 'ipa', 'group-add-member-manager', GROUP1, '--users', USER1 ], raiseonerr=False ) assert result.returncode != 0 expected = ( f"member user: {USER1}: Insufficient access: Insufficient " "'write' privilege to the 'memberManager' attribute of entry" ) assert expected in result.stdout_text
def test_group_member_manager_user(self): master = self.master # mmuser: add user1 to group tasks.kinit_as_user(master, USER_MM, PASSWORD) master.run_command([ 'ipa', 'group-add-member', GROUP1, '--users', USER1 ]) result = master.run_command(['ipa', 'group-show', GROUP1]) assert USER1 in result.stdout_text # indirect: add user2 to group tasks.kinit_as_user(master, USER_INDIRECT, PASSWORD) master.run_command([ 'ipa', 'group-add-member', GROUP1, '--users', USER2 ]) # verify master.run_command(['ipa', 'group-show', GROUP1]) result = master.run_command(['ipa', 'group-show', GROUP1]) assert USER2 in result.stdout_text
def test_ipa_commands_run_as_aduser(self): """Test if proper error thrown when AD user tries to run IPA commands Before fix the error used to implies that the ipa setup is broken. Fix is to throw the proper error. This test is to check that the error with 'Invalid credentials' thrown when AD user tries to run IPA commands. related: https://pagure.io/freeipa/issue/8163 """ tasks.kdestroy_all(self.master) ad_admin = 'Administrator@%s' % self.ad_domain tasks.kinit_as_user(self.master, ad_admin, self.master.config.ad_admin_password) err_string = ('ipa: ERROR: Insufficient access: SASL(-14):' ' authorization failure: Invalid credentials') result = self.master.run_command(['ipa', 'ping'], raiseonerr=False) assert err_string in result.stderr_text tasks.kdestroy_all(self.master) tasks.kinit_admin(self.master)
def test_add_agent_not_allowed(self): """Check that add-agents can be run only by Admins.""" user = "******" passwd = "Secret123" host = self.replicas[0].hostname data_fmt = '{{"method":"trust_enable_agent","params":[["{}"],{{}}]}}' try: # Create a nonadmin user that will be used by curl. # First, display SSSD kdcinfo: # https://bugzilla.redhat.com/show_bug.cgi?id=1850445#c1 self.master.run_command([ "cat", "/var/lib/sss/pubconf/kdcinfo.%s" % self.master.domain.realm ], raiseonerr=False) # Set krb5_trace to True: https://pagure.io/freeipa/issue/8353 tasks.create_active_user(self.master, user, passwd, first=user, last=user, krb5_trace=True) tasks.kinit_as_user(self.master, user, passwd, krb5_trace=True) # curl --negotiate -u : is using GSS-API i.e. nonadmin user cmd_args = [ paths.BIN_CURL, '-H', 'referer:https://{}/ipa'.format(host), '-H', 'Content-Type:application/json', '-H', 'Accept:applicaton/json', '--negotiate', '-u', ':', '--cacert', paths.IPA_CA_CRT, '-d', data_fmt.format(host), '-X', 'POST', 'https://{}/ipa/json'.format(host) ] res = self.master.run_command(cmd_args) expected = 'Insufficient access: not allowed to remotely add agent' assert expected in res.stdout_text finally: tasks.kinit_admin(self.master) self.master.run_command(['ipa', 'user-del', user])