def test_delete_group_by_user_administrator(self): """ Test that a user with sufficient privileges can delete group This is a Automation for issue 6884 """ # Create a new testadmin user with a password testadmin = 'tuser' password = '******' testgroup = 'gtest' try: tasks.create_active_user(self.master, testadmin, password) # Add testadmin user to role "User Administrator" tasks.kinit_admin(self.master) self.master.run_command([ 'ipa', 'role-add-member', '--users', testadmin, 'User Administrator' ]) tasks.kdestroy_all(self.master) # Create a test group tasks.kinit_as_user(self.master, testadmin, password) self.master.run_command(['ipa', 'group-add', testgroup]) # Call ipa-group-del to check if user can delete group self.master.run_command(['ipa', 'group-del', testgroup]) finally: # Cleanup tasks.kinit_admin(self.master) self.master.run_command(['ipa', 'user-del', testadmin]) self.master.run_command( ['ipa', 'group-del', testgroup, '--continue'])
def test_smb_service_s4u2self(self, enable_smb_client_dns_lookup_kdc): """Test S4U2Self operation by IPA service against both AD and IPA users """ script = textwrap.dedent("""export KRB5_TRACE=/dev/stderr kdestroy -A kinit -kt /etc/samba/samba.keytab {principal} klist -f {print_pac} -k /etc/samba/samba.keytab -E impersonate {user_princ} klist -f """) with enable_smb_client_dns_lookup_kdc(self.smbserver): principal = 'cifs/{hostname}'.format( hostname=self.smbserver.hostname) # Copy ipa-print-pac to SMB server # We can do so because Samba and GSSAPI libraries # are present there print_pac = self.master.get_file_contents( os.path.join(paths.LIBEXEC_IPA_DIR, "ipa-print-pac")) result = self.smbserver.run_command(['mktemp']) tmpname = result.stdout_text.strip() self.smbserver.put_file_contents(tmpname, print_pac) self.smbserver.run_command(['chmod', 'a+x', tmpname]) for user in ( self.ad_user, self.ipa_user1, ): shell_script = script.format(principal=principal, user_princ=user, print_pac=tmpname) self.smbserver.run_command(['/bin/bash', '-s', '-e'], stdin_text=shell_script) self.smbserver.run_command(['rm', '-f', tmpname]) tasks.kdestroy_all(self.smbserver)
def test_krbtpolicy_hardended(self): """Test a hardened kerberos ticket policy with 10 min tickets""" master = self.master master.run_command([ 'ipa', 'user-mod', USER1, '--user-auth-type', 'password', '--user-auth-type', 'hardened' ]) master.run_command([ 'ipa', 'config-mod', '--user-auth-type', 'password', '--user-auth-type', 'hardened' ]) master.run_command( ['ipa', 'krbtpolicy-mod', USER1, '--hardened-maxlife', '600']) tasks.kdestroy_all(master) master.run_command(['kinit', USER1], stdin_text=PASSWORD + '\n') result = master.run_command('klist | grep krbtgt') assert maxlife_within_policy(result.stdout_text, 600, slush=600) is True tasks.kdestroy_all(master) # Verify that the short policy only applies to USER1 master.run_command(['kinit', USER2], stdin_text=PASSWORD + '\n') result = master.run_command('klist | grep krbtgt') assert maxlife_within_policy(result.stdout_text, MAXLIFE) is True
def test_krbtpolicy_hardended(self): """Test a hardened kerberos ticket policy with 30min tickets""" if self.master.is_fips_mode: pytest.skip("SPAKE pre-auth is not compatible with FIPS mode") master = self.master master.run_command( ['ipa', 'user-mod', USER1, '--user-auth-type', 'hardened']) master.run_command( ['ipa', 'config-mod', '--user-auth-type', 'hardened']) master.run_command( ['ipa', 'krbtpolicy-mod', USER1, '--hardened-maxlife', '1800']) tasks.kdestroy_all(master) master.run_command(['kinit', USER1], stdin_text=PASSWORD + '\n') result = master.run_command('klist | grep krbtgt') assert maxlife_within_policy(result.stdout_text, 1800, slush=1800) is True tasks.kdestroy_all(master) # Verify that the short policy only applies to USER1 master.run_command(['kinit', USER2], stdin_text=PASSWORD + '\n') result = master.run_command('klist | grep krbtgt') assert maxlife_within_policy(result.stdout_text, MAXLIFE) is True
def test_ccache_sweep_valid(self): """Test that the ccache sweeper doesn't remove valid ccaches - Force wipe all existing ccaches - Run the sweeper - Verify that all valid ccaches weren't removed Note: assumed that ccache expiration doesn't happen during test """ tasks.kdestroy_all(self.master) self.master.run_command( ["find", paths.IPA_CCACHES, "-type", "f", "-delete"] ) for _i in range(5): tasks.kinit_admin(self.master) self.master.run_command(["ipa", "user-show", "admin"]) tasks.kdestroy_all(self.master) result = self.master.run_command( "ls -1 {0} | wc -l".format(paths.IPA_CCACHES) ) assert int(result.stdout_text.strip()) == 5 ccache_sweep_cmd = ["/usr/libexec/ipa/ipa-ccache-sweeper", "-m", "0"] # should be run as ipaapi for GSSProxy self.master.run_command( ["runuser", "-u", IPAAPI_USER, "--"] + ccache_sweep_cmd ) result = self.master.run_command( "ls -1 {0} | wc -l".format(paths.IPA_CCACHES) ) assert int(result.stdout_text.strip()) == 5
def test_ntlm_authentication_with_upn_with_uppercase_domain(self): tasks.kdestroy_all(self.smbclient) mount_options = 'user={user}@{domain},pass={password}'.format( user=self.ipa_user1, password=self.ipa_user1_password, domain=self.master.domain.name.upper()) self.check_repeated_smb_mount(mount_options)
def kinit_otp(host, user, *, password, otp, success=True): tasks.kdestroy_all(host) # create armor for FAST host.run_command(["kinit", "-n", "-c", ARMOR]) host.run_command( ["kinit", "-T", ARMOR, user], stdin_text=f"{password}{otp}\n", ok_returncode=0 if success else 1, )
def test_subordinate_suffix(self): """Test subordinate UPN suffixes routing. Given an AD domain ad.test with additional UPN suffix suffix.ad.test check that requests from IPA for suffix.ad.test are properly routed to ad.test. This is a regression test for https://pagure.io/freeipa/issue/8554 """ # Create subordinate UPN suffix subordinate_suffix = 'test_subdomain.' + self.ad_domain self.ad.run_command([ 'powershell', '-c', 'Set-ADForest -Identity {} -UPNSuffixes @{{add="{}"}}'.format( self.ad_domain, subordinate_suffix) ]) try: # Verify UPN suffix is created cmd = ('Get-ADForest -Identity {} ' '| Select-Object -Property UPNSuffixes'.format( self.ad_domain)) res = self.ad.run_command(['powershell', '-c', cmd]) assert subordinate_suffix in res.stdout_text # Verify IPA does not receive subordinate suffix from AD self.master.run_command( ['ipa', 'trust-fetch-domains', self.ad_domain], ok_returncode=1) res = self.master.run_command( ['ipa', 'trust-show', self.ad_domain]) assert subordinate_suffix not in res.stdout_text # Set UPN for the AD user upn = 'testuser@' + subordinate_suffix cmd = 'Set-Aduser -UserPrincipalName {} -Identity testuser'.format( upn) self.ad.run_command(['powershell', '-c', cmd]) # Check user resolution res = self.master.run_command(['getent', 'passwd', upn]) expected_regex = ( r'^testuser@{domain}:\*:(\d+):(\d+):' r'Test User:/home/{domain}/testuser:{shell}$'.format( domain=re.escape(self.ad_domain), shell=self.default_shell)) assert re.search(expected_regex, res.stdout_text) # Check user authentication self.master.run_command(['kinit', '-E', upn], stdin_text='Secret123') finally: # cleanup tasks.kdestroy_all(self.master) cmd = ('Set-ADForest -Identity {} -UPNSuffixes @{{Remove="{}"}}'. format(self.ad_domain, subordinate_suffix)) self.ad.run_command(['powershell', '-c', cmd])
def mount_smb_share(self, user, password, share, mountpoint): tasks.kdestroy_all(self.smbclient) tasks.kinit_as_user(self.smbclient, user, password) self.smbclient.run_command(['mkdir', '-p', mountpoint]) self.smbclient.run_command([ 'mount', '-t', 'cifs', share['unc'], mountpoint, '-o', 'sec=krb5i,multiuser' ]) tasks.kdestroy_all(self.smbclient)
def test_krbtpolicy_default(self): """Test the default kerberos ticket policy 24-hr tickets""" master = self.master master.run_command( ['ipa', 'krbtpolicy-mod', USER1, '--maxlife', str(MAXLIFE)]) tasks.kdestroy_all(master) master.run_command(['kinit', USER1], stdin_text=PASSWORD + '\n') result = master.run_command('klist | grep krbtgt') assert maxlife_within_policy(result.stdout_text, MAXLIFE) is True
def test_krbtpolicy_reset(self): """Test a hardened kerberos ticket policy reset""" master = self.master tasks.kinit_admin(master) master.run_command(['ipa', 'krbtpolicy-reset', USER2]) master.run_command(['kinit', USER2], stdin_text=PASSWORD + '\n') result = master.run_command('klist | grep krbtgt') assert maxlife_within_policy(result.stdout_text, MAXLIFE) is True tasks.kdestroy_all(master)
def test_sudorules_ad_users(self): """Verify trusted domain users can be added to sudorules""" tasks.kdestroy_all(self.master) tasks.kinit_admin(self.master) testuser = '******' % (self.master.config.ad_admin_name, self.ad_domain) expected = "(root) NOPASSWD: ALL" with self.check_sudorules_for("user", testuser, testuser, expected): # no additional configuration pass
def test_smb_mount_fails_without_kerberos_ticket(self, samba_share_public): mountpoint = '/mnt/smb' try: tasks.kdestroy_all(self.smbclient) self.smbclient.run_command(['mkdir', '-p', mountpoint]) res = self.smbclient.run_command([ 'mount', '-t', 'cifs', samba_share_public['unc'], mountpoint, '-o', 'sec=krb5i,multiuser' ], raiseonerr=False) assert res.returncode == 32 finally: self.cleanup_mount(mountpoint)
def test_krbtpolicy_jitter(self): """Test jitter lifetime with no authentication indicators """ master = self.master tasks.kinit_admin(self.master) master.run_command(['kinit', USER1], stdin_text=PASSWORD + '\n') result = master.run_command('klist | grep krbtgt') assert maxlife_within_policy(result.stdout_text, MAXLIFE, slush=60) is True tasks.kdestroy_all(master)
def test_krbtpolicy_password(self): """Test the kerberos ticket policy which issues 20 min tickets""" master = self.master master.run_command( ['ipa', 'krbtpolicy-mod', USER2, '--maxlife', '1200']) tasks.kdestroy_all(master) master.run_command(['kinit', USER2], stdin_text=PASSWORD + '\n') result = master.run_command('klist | grep krbtgt') assert maxlife_within_policy(result.stdout_text, 1200, slush=1200) is True
def test_ntlm_authentication_with_auto_domain(self): """Repeatedly try to authenticate with username and password with automatic domain discovery. This is a regression test for https://pagure.io/freeipa/issue/8636 """ tasks.kdestroy_all(self.smbclient) mount_options = 'user={user},pass={password},domainauto'.format( user=self.ipa_user1, password=self.ipa_user1_password) self.check_repeated_smb_mount(mount_options)
def test_ipa_getcert_san_aci(self): """Test for DNS and IP SAN extensions + ACIs """ hostname = self.clients[0].hostname certfile = os.path.join(paths.OPENSSL_CERTS_DIR, "test2.pem") tasks.kinit_admin(self.master) zone = tasks.prepare_reverse_zone(self.master, self.clients[0].ip)[0] # add PTR dns record for cert request with SAN extention rec = str(self.clients[0].ip).split('.')[3] result = self.master.run_command( ['ipa', 'dnsrecord-add', zone, rec, '--ptr-rec', hostname]) assert 'Record name: {}'.format(rec) in result.stdout_text assert 'PTR record: {}'.format(hostname) in result.stdout_text name, zone = hostname.split('.', 1) self.master.run_command(['ipa', 'dnsrecord-show', zone, name]) tasks.kdestroy_all(self.master) cmd_arg = [ 'ipa-getcert', 'request', '-v', '-w', '-f', certfile, '-k', os.path.join(paths.OPENSSL_PRIVATE_DIR, "test2.key"), '-K', f'test/{hostname}', '-D', hostname, '-A', self.clients[0].ip, ] result = self.clients[0].run_command(cmd_arg) request_id = re.findall(r'\d+', result.stdout_text) # check if certificate is in MONITORING state status = tasks.wait_for_request(self.clients[0], request_id[0], 50) assert status == "MONITORING" certdata = self.clients[0].get_file_contents(certfile) cert = x509.load_pem_x509_certificate(certdata, default_backend()) ext = cert.extensions.get_extension_for_oid( ExtensionOID.SUBJECT_ALTERNATIVE_NAME) dnsnames = ext.value.get_values_for_type(x509.DNSName) assert dnsnames == [self.clients[0].hostname] ipaddrs = ext.value.get_values_for_type(x509.IPAddress) assert ipaddrs == [ipaddress.ip_address(self.clients[0].ip)]
def test_ipa_management_run_as_aduser(self): """Test if adding AD user to a role makes it an administrator""" ipauser = u'tuser' ad_admin = 'Administrator@%s' % self.ad_domain tasks.kdestroy_all(self.master) tasks.kinit_admin(self.master) self.master.run_command( ['ipa', 'idoverrideuser-add', 'Default Trust View', ad_admin]) self.master.run_command([ 'ipa', 'role-add-member', 'User Administrator', '--idoverrideusers', ad_admin ]) tasks.kdestroy_all(self.master) tasks.kinit_as_user(self.master, ad_admin, self.master.config.ad_admin_password) # Create a user in IPA as Active Directory administrator self.test_ipauser_authentication_with_nonposix_trust() tasks.kdestroy_all(self.master) tasks.kinit_as_user(self.master, ad_admin, self.master.config.ad_admin_password) self.master.run_command(['ipa', 'user-del', ipauser], raiseonerr=False) tasks.kdestroy_all(self.master) tasks.kinit_admin(self.master)
def test_sudorules_ad_runasuser(self): """Verify trusted domain users can be added to runAsUser""" tasks.kdestroy_all(self.master) tasks.kinit_admin(self.master) testuser = '******' % (self.master.config.ad_admin_name, self.ad_domain) expected = "(%s) NOPASSWD: ALL" % (testuser.lower()) with self.check_sudorules_for("user", testuser, testuser, expected) as sudorule: # Add runAsUser with the same user self.master.run_command(['ipa', 'sudorule-add-runasuser', sudorule.name, '--users', sudorule.subject])
def test_show_member_manager(self): master = self.master tasks.kinit_admin(master) result = master.run_command(['ipa', 'group-show', GROUP1]) out = result.stdout_text assert f"Membership managed by groups: {GROUP_INDIRECT}" in out assert f"Membership managed by users: {USER_MM}" in out result = master.run_command(['ipa', 'hostgroup-show', HOSTGROUP1]) out = result.stdout_text assert f"Membership managed by groups: {GROUP_INDIRECT}" in out assert f"Membership managed by users: {USER_MM}" in out tasks.kdestroy_all(master)
def kinit_idp(host, user, keycloak_server): ARMOR = "/tmp/armor" tasks.kdestroy_all(host) # create armor for FAST host.run_command(["kinit", "-n", "-c", ARMOR]) since = time.strftime('%Y-%m-%d %H:%M:%S') cmd = ["kinit", "-T", ARMOR, user] with host.spawn_expect(cmd, default_timeout=100) as e: e.expect('Authenticate at .+: ') uri = get_verification_uri(host, since, keycloak_server.hostname) if uri: add_user_code(keycloak_server, uri) e.sendline('\n') e.expect_exit() test_idp = host.run_command(["klist", "-C"]) assert "152" in test_idp.stdout_text
def test_sudorules_ad_runasgroup(self): """Verify trusted domain groups can be added to runAsGroup""" tasks.kdestroy_all(self.master) tasks.kinit_admin(self.master) testuser = '******' % (self.master.config.ad_admin_name, self.ad_domain) testgroup = 'Enterprise Admins@%s' % self.ad_domain expected = '(%s : "%%%s") NOPASSWD: ALL' % (testuser.lower(), testgroup.lower()) with self.check_sudorules_for("group", testuser, testuser, expected) as sudorule: # Add runAsGroup with the same user self.master.run_command(['ipa', 'sudorule-add-runasgroup', sudorule.name, '--groups', testgroup])
def test_sudorules_ad_groups(self): """Verify trusted domain groups can be added to sudorules""" tasks.kdestroy_all(self.master) tasks.kinit_admin(self.master) testuser = '******' % (self.master.config.ad_admin_name, self.ad_domain) testgroup = 'Enterprise Admins@%s' % self.ad_domain expected = "(root) NOPASSWD: ALL" with self.check_sudorules_for("group", testuser, testuser, expected) as sudorule: # Remove the user and instead add a group self.master.run_command(['ipa', 'sudorule-remove-user', sudorule.name, '--users', sudorule.user]) self.master.run_command(['ipa', 'sudorule-add-user', sudorule.name, '--groups', testgroup])
def test_password_login_as_aduser(self): """Test if AD user can login with password to Web UI""" ad_admin = 'Administrator@%s' % self.ad_domain tasks.kdestroy_all(self.master) user_and_password = ('user=%s&password=%s' % (ad_admin, self.master.config.ad_admin_password)) host = self.master.hostname cmd_args = [ paths.BIN_CURL, '-v', '-H', 'referer:https://{}/ipa'.format(host), '-H', 'Content-Type:application/x-www-form-urlencoded', '-H', 'Accept:text/plain', '--cacert', paths.IPA_CA_CRT, '--data', user_and_password, 'https://{}/ipa/session/login_password'.format(host) ] result = self.master.run_command(cmd_args) assert "Set-Cookie: ipa_session=MagBearerToken" in result.stderr_text tasks.kinit_admin(self.master)
def test_subordinate_suffix(self): """Test subordinate UPN Suffixes""" tasks.configure_dns_for_trust(self.master, self.ad) tasks.establish_trust_with_ad( self.master, self.ad_domain, extra_args=['--range-type', 'ipa-ad-trust']) # Clear all UPN Suffixes ps_cmd = "Get-ADForest | Set-ADForest -UPNSuffixes $null" self.ad.run_command(["powershell", "-c", ps_cmd]) result = self.master.run_command(["ipa", "trust-show", self.ad_domain]) assert ( "ipantadditionalsuffixes: {}".format(self.upn_suffix) not in result.stdout_text ) # Run Get-ADForest ps_cmd1 = "Get-ADForest" self.ad.run_command(["powershell", "-c", ps_cmd1]) # Add new UPN for AD ps_cmd2 = ( 'Get-ADForest | Set-ADForest -UPNSuffixes ' '@{add="new.ad.test", "upn.dom"}' ) self.ad.run_command(["powershell", "-c", ps_cmd2]) self.ad.run_command(["powershell", "-c", ps_cmd1]) self.master.run_command( ["ipa", "trust-fetch-domains", self.ad_domain], raiseonerr=False) self.master.run_command(["ipa", "trust-show", self.ad_domain]) # Set UPN for the aduser ps_cmd3 = ( 'set-aduser -UserPrincipalName ' '[email protected] -Identity Administrator' ) self.ad.run_command(["powershell", "-c", ps_cmd3]) # kinit to IPA using AD user [email protected] result = self.master.run_command( ["getent", "passwd", "*****@*****.**"] ) assert result.returncode == 0 self.master.run_command( ["kinit", "-E", "*****@*****.**"], stdin_text="Secret123", ) tasks.kdestroy_all(self.master)
def nested_group_setup(self, tmpdir): """Setup and Clean up groups and user created""" master = self.master client = self.clients[0] # add a user and set password tasks.create_active_user(master, self.username, self.userpasswd) tasks.kinit_admin(master) privkey, pubkey = tasks.generate_ssh_keypair() with open(os.path.join( tmpdir, 'ssh_priv_key'), 'w') as fp: fp.write(privkey) master.run_command([ 'ipa', 'user-mod', self.username, '--ssh', "{}".format(pubkey) ]) master.put_file_contents('/tmp/user_ssh_priv_key', privkey) master.run_command(['chmod', '600', '/tmp/user_ssh_priv_key']) # add group groupa cmd_output = master.run_command(['ipa', 'group-add', 'groupa']) assert 'Added group "groupa"' in cmd_output.stdout_text # add group groupb cmd_output = master.run_command(['ipa', 'group-add', 'groupb']) assert 'Added group "groupb"' in cmd_output.stdout_text # add group groupc cmd_output = master.run_command(['ipa', 'group-add', 'groupc']) assert 'Added group "groupc"' in cmd_output.stdout_text client.put_file_contents('/tmp/user_ssh_priv_key', privkey) client.run_command(['chmod', '600', '/tmp/user_ssh_priv_key']) yield # test cleanup for group in ['groupa', 'groupb', 'groupc']: self.master.run_command(['ipa', 'group-del', group, '--continue']) self.master.run_command(['ipa', 'user-del', self.username, '--no-preserve', '--continue']) tasks.kdestroy_all(self.master) tasks.kdestroy_all(self.clients[0])
def test_ccache_sweep_expired(self, reset_to_default_policy): """Test that the ccache sweeper works on expired ccaches - Force wipe all existing ccaches - Set the ticket policy to a short value, 20 seconds. - Do a series of kinit, ipa command, kdestroy to generate ccaches - sleep() for expiration - Run the sweeper - Verify that all expired ccaches are gone """ MAXLIFE = 20 reset_to_default_policy(self.master) # this will reset at END of test tasks.kinit_admin(self.master) self.master.run_command( ['ipa', 'krbtpolicy-mod', '--maxlife', str(MAXLIFE)] ) tasks.kdestroy_all(self.master) self.master.run_command( ['find', paths.IPA_CCACHES, '-type', 'f', '-delete'] ) for _i in range(5): tasks.kinit_admin(self.master) self.master.run_command(['ipa', 'user-show', 'admin']) tasks.kdestroy_all(self.master) result = self.master.run_command( "ls -1 {0} | wc -l".format(paths.IPA_CCACHES) ) assert int(result.stdout_text.strip()) == 5 # let ccache expire time.sleep(MAXLIFE) ccache_sweep_cmd = ["/usr/libexec/ipa/ipa-ccache-sweeper", "-m", "0"] # should be run as ipaapi for GSSProxy self.master.run_command( ["runuser", "-u", IPAAPI_USER, "--"] + ccache_sweep_cmd ) result = self.master.run_command( "ls -1 {0} | wc -l".format(paths.IPA_CCACHES) ) assert int(result.stdout_text.strip()) == 0
def test_auth_sudo_idp(self): """ Test case to check that sudorule is working as expected for user configured with external idp. """ tasks.kdestroy_all(self.master) tasks.kinit_admin(self.master) # rule: keycloakuser are allowed to execute yum on # the client machine as root. cmdlist = [ ["ipa", "sudocmd-add", "/usr/bin/yum"], ["ipa", "sudorule-add", "sudorule"], ['ipa', 'sudorule-add-user', '--users=keycloakuser', 'sudorule'], ['ipa', 'sudorule-add-host', '--hosts', self.client.hostname, 'sudorule'], ['ipa', 'sudorule-add-runasuser', '--users=root', 'sudorule'], ['ipa', 'sudorule-add-allow-command', '--sudocmds=/usr/bin/yum', 'sudorule'], ['ipa', 'sudorule-show', 'sudorule', '--all'], ['ipa', 'sudorule-add-option', 'sudorule', '--sudooption', "!authenticate"] ] for cmd in cmdlist: self.master.run_command(cmd) tasks.clear_sssd_cache(self.master) tasks.clear_sssd_cache(self.client) try: cmd = 'sudo -ll -U keycloakuser' test = self.client.run_command(cmd).stdout_text assert "User keycloakuser may run the following commands" in test assert "/usr/bin/yum" in test kinit_idp(self.client, 'keycloakuser', self.client) test_sudo = 'su -c "sudo yum list wget" keycloakuser' self.client.run_command(test_sudo) list_fail = self.master.run_command(cmd).stdout_text assert "User keycloakuser is not allowed to run sudo" in list_fail finally: tasks.kinit_admin(self.master) self.master.run_command(['ipa', 'sudorule-del', 'sudorule']) self.master.run_command(["ipa", "sudocmd-del", "/usr/bin/yum"])
def test_idp_backup_restore(self): """ Test case to check that after restore data is retrieved with related idp configuration. """ tasks.kinit_admin(self.master) user = "******" cmd = ["ipa", "idp-add", "testidp", "--provider=keycloak", "--client-id=ipa_oidc_client", "--org=master", "--base-url={0}:8443/auth".format(self.client.hostname)] self.master.run_command(cmd, stdin_text="{0}\n{0}".format( self.client.config.admin_password)) tasks.user_add(self.master, user, extra_args=["--user-auth-type=idp", "[email protected]", "--idp=testidp"] ) backup_path = tasks.get_backup_dir(self.master) # change data after backup self.master.run_command(['ipa', 'user-del', user]) self.master.run_command(['ipa', 'idp-del', 'testidp']) dirman_password = self.master.config.dirman_password self.master.run_command(['ipa-restore', backup_path], stdin_text=dirman_password + '\nyes') try: list_user = self.master.run_command( ['ipa', 'user-show', 'backupuser', '--all'] ).stdout_text assert "External IdP configuration: testidp" in list_user assert "User authentication types: idp" in list_user assert ("External IdP user identifier: " "*****@*****.**") in list_user list_idp = self.master.run_command(['ipa', 'idp-find', 'testidp']) assert "testidp" in list_idp.stdout_text kinit_idp(self.master, user, self.client) finally: tasks.kdestroy_all(self.master) tasks.kinit_admin(self.master) self.master.run_command(["rm", "-rf", backup_path]) self.master.run_command(["ipa", "idp-del", "testidp"])
def test_ipa_getcert_san_aci(self): """Test for DNS and IP SAN extensions + ACIs """ hostname = self.clients[0].hostname certfile = '/etc/pki/tls/certs/test2.pem' tasks.kinit_admin(self.master) name, zone = hostname.split('.', 1) self.master.run_command(['ipa', 'dnsrecord-show', zone, name]) tasks.kdestroy_all(self.master) cmd_arg = [ 'ipa-getcert', 'request', '-v', '-w', '-f', certfile, '-k', '/etc/pki/tls/private/test2.key', '-K', f'test/{hostname}', '-D', hostname, '-A', self.clients[0].ip, ] result = self.clients[0].run_command(cmd_arg) request_id = re.findall(r'\d+', result.stdout_text) # check if certificate is in MONITORING state status = tasks.wait_for_request(self.clients[0], request_id[0], 50) assert status == "MONITORING" certdata = self.clients[0].get_file_contents(certfile) cert = x509.load_pem_x509_certificate(certdata, default_backend()) ext = cert.extensions.get_extension_for_oid( ExtensionOID.SUBJECT_ALTERNATIVE_NAME) dnsnames = ext.value.get_values_for_type(x509.DNSName) assert dnsnames == [self.clients[0].hostname] ipaddrs = ext.value.get_values_for_type(x509.IPAddress) assert ipaddrs == [ipaddress.ip_address(self.clients[0].ip)]