def setup_ipa_client(session_multihost, request):
    """ Setup ipa client

    Installs the common packages on client and server, points the client
    resolver at the IPA server and enrols the client with
    ``ipa-client-install``.  A session finalizer unenrols the client again.
    """
    client_node = session_multihost.client[0]
    server_node = session_multihost.master[0]
    sssd_client = sssdTools(client_node)
    ipa_client = ipaTools(client_node)
    ipa_server = ipaTools(server_node)
    for node_tools in (ipa_client, ipa_server):
        node_tools.install_common_pkgs()
    # address of the default network interface on each node
    client_ip = ipa_client.get_interface_ip(ipa_client.get_default_nw_uuid())
    server_ip = ipa_server.get_interface_ip(ipa_server.get_default_nw_uuid())
    # enrolment resolves the server by name, so the client must use it as DNS
    sssd_client.update_resolv_conf(server_ip)
    options = ("--ip-address=%s --hostname %s "
               "--server %s --domain %s "
               "--realm %s -w %s -p %s -U --mkhomedir"
               % (client_ip, client_node.sys_hostname, server_node.sys_hostname,
                  "testrealm.test", "TESTREALM.TEST", "Secret123", "admin"))
    client_install_cmd = "ipa-client-install %s" % options
    try:
        client_node.run_command(client_install_cmd)
    except subprocess.CalledProcessError:
        pytest.fail("ipa client install failed")

    def teardown_session():
        """ Uninstall ipa client from server """
        client_node.run_command('ipa-client-install --uninstall -U')

    request.addfinalizer(teardown_session)
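def test_hbac_refresh_time(self, multihost):
    """
    :title: hbac: Verify cached hbac rule is applied for the refresh
     time period
    :id: c839fd33-65da-4252-82cf-5ba88ad02f55

    Steps:
      1. set ``ipa_hbac_refresh`` to 60 s and start sssd with an empty cache
      2. login for foobar1 must succeed while rule ``test1`` allows it
      3. remove foobar1 from the rule; the cached rule must still allow the
         login inside the refresh period
      4. after the refresh period has passed the login must be denied

    Every step is recorded and the test passes only when all of them hold.
    The previous version only ever set ``status = 'PASS'`` (and left it
    unbound when the first login failed), so a wrong outcome of any single
    step could not fail the test.
    """
    ipa_server = ipaTools(multihost.master[0])
    ipa_client = ipaTools(multihost.client[0])
    sssd_client = sssdTools(multihost.client[0])
    domain_name = '%s/%s' % ('domain', sssd_client.get_domain_section_name())
    client_host = multihost.client[0].sys_hostname
    hbac_params = {'ipa_hbac_refresh': '60'}
    ipa_server.add_hbac_rule('test1', 'foobar1', client_host, 'sshd')
    multihost.client[0].service_sssd('stop')
    sssd_client.remove_sss_cache('/var/lib/sss/db')
    sssd_client.sssd_conf(domain_name, hbac_params)
    multihost.client[0].service_sssd('start')
    checks = []
    try:
        # rule present: login allowed
        login_status = ipa_client.ssh_login('foobar1', 'Secret123',
                                            client_host, command='id')
        checks.append(bool(login_status))
        # update the rule after 20 s; the cached rule must still apply
        time.sleep(20)
        update_rule = "ipa hbacrule-remove-user --users='foobar1' test1"
        multihost.master[0].run_command(update_rule)
        login_status = ipa_client.ssh_login('foobar1', 'Secret123',
                                            client_host, command='id')
        checks.append(bool(login_status))
        # past the refresh period the updated rule must deny the login
        time.sleep(45)
        login_status = ipa_client.ssh_login('foobar1', 'Secret123',
                                            client_host)
        checks.append(not login_status)
    finally:
        # always restore the client config and remove the rule, even when a
        # login attempt raised, so later tests start from a clean state
        sssd_client.sssd_conf(domain_name, hbac_params, action='delete')
        multihost.client[0].service_sssd('restart')
        ipa_server.del_hbac_rule('test1')
    status = 'PASS' if all(checks) else 'FAIL'
    assert status == 'PASS'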
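def test_multiple_ad_groups(self, multihost):
    """
    :title: Verify hbac evaluation when user is member of multiple
     AD Groups and with different hbac rules
    :id: eb78448d-8a4d-4800-9334-8d8cdb8b0af2

    For i in 3..4 builds the chain
    ``idm_group<i>@AD -> idm_ext_group<i> (external) -> idm_posix_group<i>``,
    adds an sshd rule for idm_posix_group3 and a sudo rule for
    idm_posix_group4, and expects ``sssctl user-checks -s sshd`` to report
    ``pam_acct_mgmt: Success`` for the AD user.

    A failure while creating the groups fails the test; previously the
    ``status = 'FAIL'`` set in the setup ``except`` branches was overwritten
    by the later PASS/FAIL assignment and therefore ignored.
    """
    ipa_server_tools = ipaTools(multihost.master[0])
    sssd_client = sssdTools(multihost.client[0])
    sssd_server = sssdTools(multihost.master[0])
    client_host = multihost.client[0].sys_hostname
    ad_domain_name = multihost.ad[0].domainname.lower()
    # NOTE(review): the literal below is redacted in this copy of the file;
    # confirm the original AD user format string before running.
    aduser = '******' % ad_domain_name

    def attempt(step, *args, **kwargs):
        """Run one setup step; return False when it raises SSSDException."""
        try:
            step(*args, **kwargs)
        except SSSDException:
            return False
        return True

    setup_ok = True
    ext_groups = []
    posix_groups = []
    for i in range(3, 5):
        ext_group = 'idm_ext_group%d' % i
        adgroup = 'idm_group%d@%s' % (i, ad_domain_name)
        posix_group = 'idm_posix_group%d' % i
        ext_groups.append(ext_group)
        posix_groups.append(posix_group)
        # every step is attempted even after an earlier one failed, so that
        # the cleanup below sees the same objects as before
        setup_ok &= attempt(ipa_server_tools.create_group, ext_group,
                            external=True)
        setup_ok &= attempt(ipa_server_tools.group_add_member, adgroup,
                            ext_group, external=True)
        setup_ok &= attempt(ipa_server_tools.create_group, posix_group)
        setup_ok &= attempt(ipa_server_tools.group_add_member, ext_group,
                            posix_group)
    pam_ok = False
    try:
        ipa_server_tools.add_hbac_rule('ad_test3', 'idm_posix_group3',
                                       client_host, 'sshd', group=True)
        ipa_server_tools.add_hbac_rule('ad_test4', 'idm_posix_group4',
                                       client_host, 'sudo', group=True)
        sssctl_cmd = 'sssctl user-checks -s sshd %s' % aduser
        cmd = multihost.client[0].run_command(sssctl_cmd, raiseonerr=False)
        # sssctl prints the PAM result on stderr
        pam_ok = re.search(r'pam_acct_mgmt: Success',
                           cmd.stderr_text) is not None
    finally:
        for grp in ext_groups + posix_groups:
            multihost.master[0].run_command('ipa group-del %s' % grp,
                                            raiseonerr=False)
        ipa_server_tools.del_hbac_rule('ad_test3')
        ipa_server_tools.del_hbac_rule('ad_test4')
        sssd_client.clear_sssd_cache()
        sssd_server.clear_sssd_cache()
    status = 'PASS' if (setup_ok and pam_ok) else 'FAIL'
    assert status == 'PASS'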
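def test_disallowed_ad_group(self, multihost, create_aduser_group):
    """
    :title: Verify Member of denied AD Group through hbac is not able
     to login
    :id: 7092f403-ca58-4683-89b8-400c64dd0a1d

    Chains ``idm_group1@AD -> idm_ext_group2 (external) -> idm_posix_group2``
    and adds an sshd rule for idm_posix_group2 only.  The user from the
    ``create_aduser_group`` fixture is not a member of that chain, so
    ``sssctl user-checks -s sshd`` must report ``pam_acct_mgmt: Permission
    denied`` for it.

    A failure while creating the groups fails the test; previously the
    ``status = 'FAIL'`` set in the setup ``except`` branches was overwritten
    by the later PASS/FAIL assignment and therefore ignored.
    """
    (aduser, adgroup) = create_aduser_group
    ipa_server_tools = ipaTools(multihost.master[0])
    sssd_client = sssdTools(multihost.client[0])
    sssd_server = sssdTools(multihost.master[0])
    client_host = multihost.client[0].sys_hostname
    ad_domain_name = multihost.ad[0].domainname.lower()
    allow_adgroup = 'idm_group1@%s' % ad_domain_name

    def attempt(step, *args, **kwargs):
        """Run one setup step; return False when it raises SSSDException."""
        try:
            step(*args, **kwargs)
        except SSSDException:
            return False
        return True

    # every step is attempted even after an earlier one failed, so that the
    # cleanup below sees the same objects as before
    setup_ok = attempt(ipa_server_tools.create_group, 'idm_ext_group2',
                       external=True)
    setup_ok &= attempt(ipa_server_tools.group_add_member, allow_adgroup,
                        'idm_ext_group2', external=True)
    setup_ok &= attempt(ipa_server_tools.create_group, 'idm_posix_group2')
    setup_ok &= attempt(ipa_server_tools.group_add_member, 'idm_ext_group2',
                        'idm_posix_group2')
    pam_denied = False
    try:
        ipa_server_tools.add_hbac_rule('ad_test2', 'idm_posix_group2',
                                       client_host, 'sshd', group=True)
        # NOTE(review): the literal below is redacted in this copy of the
        # file; confirm the original user@domain format string before running.
        disallowed_user = '******' % (aduser, ad_domain_name)
        sssctl_cmd = 'sssctl user-checks -s sshd %s' % disallowed_user
        cmd = multihost.client[0].run_command(sssctl_cmd, raiseonerr=False)
        # sssctl prints the PAM result on stderr; the pattern is a prefix of
        # "Permission denied" and matches it with re.search
        pam_denied = re.search(r'pam_acct_mgmt: Permission denie',
                               cmd.stderr_text) is not None
    finally:
        for grp in ['idm_ext_group2', 'idm_posix_group2']:
            multihost.master[0].run_command('ipa group-del %s' % grp,
                                            raiseonerr=False)
        ipa_server_tools.del_hbac_rule('ad_test2')
        sssd_client.clear_sssd_cache()
        sssd_server.clear_sssd_cache()
    status = 'PASS' if (setup_ok and pam_denied) else 'FAIL'
    assert status == 'PASS'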
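def test_allowed_ad_group(self, multihost):
    """
    :title: Verify Member of allowed AD Group through hbac is able to
     login
    :id: 401fb710-b876-4693-92d0-86a75b94973f

    Chains ``idm_group1@AD -> idm_ext_group1 (external) -> idm_posix_group1``,
    adds an sshd rule for idm_posix_group1 and expects
    ``sssctl user-checks -s sshd`` to report ``pam_acct_mgmt: Success``
    for the AD user.

    A failure while creating the groups fails the test; previously the
    ``status = 'FAIL'`` set in the setup ``except`` branches was overwritten
    by the later PASS/FAIL assignment and therefore ignored.
    """
    ipa_server_tools = ipaTools(multihost.master[0])
    sssd_client = sssdTools(multihost.client[0])
    sssd_server = sssdTools(multihost.master[0])
    client_host = multihost.client[0].sys_hostname
    ad_domain_name = multihost.ad[0].domainname.lower()
    # NOTE(review): the literal below is redacted in this copy of the file;
    # confirm the original AD user format string before running.
    aduser = '******' % ad_domain_name
    adgroup = 'idm_group1@%s' % ad_domain_name

    def attempt(step, *args, **kwargs):
        """Run one setup step; return False when it raises SSSDException."""
        try:
            step(*args, **kwargs)
        except SSSDException:
            return False
        return True

    # every step is attempted even after an earlier one failed, so that the
    # cleanup below sees the same objects as before
    setup_ok = attempt(ipa_server_tools.create_group, 'idm_ext_group1',
                       external=True)
    setup_ok &= attempt(ipa_server_tools.group_add_member, adgroup,
                        'idm_ext_group1', external=True)
    setup_ok &= attempt(ipa_server_tools.create_group, 'idm_posix_group1')
    setup_ok &= attempt(ipa_server_tools.group_add_member, 'idm_ext_group1',
                        'idm_posix_group1')
    pam_ok = False
    try:
        ipa_server_tools.add_hbac_rule('ad_test1', 'idm_posix_group1',
                                       client_host, 'sshd', group=True)
        sssctl_cmd = 'sssctl user-checks -s sshd %s' % aduser
        cmd = multihost.client[0].run_command(sssctl_cmd, raiseonerr=False)
        # sssctl prints the PAM result on stderr
        pam_ok = re.search(r'pam_acct_mgmt: Success',
                           cmd.stderr_text) is not None
    finally:
        for grp in ['idm_ext_group1', 'idm_posix_group1']:
            multihost.master[0].run_command('ipa group-del %s' % grp,
                                            raiseonerr=False)
        ipa_server_tools.del_hbac_rule('ad_test1')
        sssd_client.clear_sssd_cache()
        sssd_server.clear_sssd_cache()
    status = 'PASS' if (setup_ok and pam_ok) else 'FAIL'
    assert status == 'PASS'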
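def test_hbac_nested_group(self, multihost):
    """
    :title: Verify hbac evaluation of AD Nested Groups
    :id: f7fc6349-daba-43c2-be4e-e13923e201f9

    Chains ``nested_group1@AD -> idm_ext_group5 (external) ->
    idm_posix_group5``, adds an sshd rule for idm_posix_group5 and expects
    ``sssctl user-checks -s sshd`` to report ``pam_acct_mgmt: Success``
    for the AD user, who is only a member of the AD group through nesting.

    A failure while creating the groups fails the test; previously the
    ``status = 'FAIL'`` set in the setup ``except`` branches was overwritten
    by the later PASS/FAIL assignment and therefore ignored.
    """
    ipa_server_tools = ipaTools(multihost.master[0])
    sssd_client = sssdTools(multihost.client[0])
    sssd_server = sssdTools(multihost.master[0])
    client_host = multihost.client[0].sys_hostname
    ad_domain_name = multihost.ad[0].domainname.lower()
    # NOTE(review): the literal below is redacted in this copy of the file;
    # confirm the original AD user format string before running.
    aduser = '******' % ad_domain_name
    adgroup = 'nested_group1@%s' % ad_domain_name

    def attempt(step, *args, **kwargs):
        """Run one setup step; return False when it raises SSSDException."""
        try:
            step(*args, **kwargs)
        except SSSDException:
            return False
        return True

    # every step is attempted even after an earlier one failed, so that the
    # cleanup below sees the same objects as before
    setup_ok = attempt(ipa_server_tools.create_group, 'idm_ext_group5',
                       external=True)
    setup_ok &= attempt(ipa_server_tools.group_add_member, adgroup,
                        'idm_ext_group5', external=True)
    setup_ok &= attempt(ipa_server_tools.create_group, 'idm_posix_group5')
    setup_ok &= attempt(ipa_server_tools.group_add_member, 'idm_ext_group5',
                        'idm_posix_group5')
    pam_ok = False
    try:
        ipa_server_tools.add_hbac_rule('ad_test5', 'idm_posix_group5',
                                       client_host, 'sshd', group=True)
        sssctl_cmd = 'sssctl user-checks -s sshd %s' % aduser
        cmd = multihost.client[0].run_command(sssctl_cmd, raiseonerr=False)
        # sssctl prints the PAM result on stderr
        pam_ok = re.search(r'pam_acct_mgmt: Success',
                           cmd.stderr_text) is not None
    finally:
        for grp in ['idm_ext_group5', 'idm_posix_group5']:
            multihost.master[0].run_command('ipa group-del %s' % grp,
                                            raiseonerr=False)
        ipa_server_tools.del_hbac_rule('ad_test5')
        sssd_client.clear_sssd_cache()
        sssd_server.clear_sssd_cache()
    status = 'PASS' if (setup_ok and pam_ok) else 'FAIL'
    assert status == 'PASS'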
def hbac_sshd_rule(session_multihost, request):
    """ Setup hbac rule for service sshd which allows user foobar1
    to ssh from client host.

    The rule is named ``test1`` and is removed again by a finalizer.
    """
    server_tools = ipaTools(session_multihost.master[0])
    client_fqdn = session_multihost.client[0].sys_hostname
    rule_name = 'test1'
    server_tools.add_hbac_rule(rule_name, 'foobar1', client_fqdn, 'sshd')

    def delete_hbac_rule():
        """ Delete hbac rule """
        server_tools.del_hbac_rule(rule_name)

    request.addfinalizer(delete_hbac_rule)
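def test_nested_groups(self, multihost):
    """
    :title: hbac: Verify hbac evaluation works as expected with
     nested group evaluation
    :id: fb2fd287-b217-487c-a59a-d827c426b0bb

    foobar1 is a direct member of std_group, foobar2 of admin_group, and
    admin_group is nested into std_group.  With an sshd rule for std_group
    and a sudo rule for admin_group, ``sssctl user-checks -s sshd`` must
    report ``pam_acct_mgmt: Success`` for *both* users.

    Previously the status was overwritten on every loop iteration, so only
    the result for the last user (foobar2) decided the test, and a failing
    sssctl call skipped the rule and group cleanup.
    """
    ipa_server = ipaTools(multihost.master[0])
    client_host = multihost.client[0].sys_hostname
    groups = ['std_group', 'admin_group']
    users = ['foobar1', 'foobar2']
    pam_success = re.compile(r'pam_acct_mgmt: Success')
    for grp in groups:
        multihost.master[0].run_command('ipa group-add %s' % grp)
    results = []
    try:
        # Add members
        multihost.master[0].run_command(
            'ipa group-add-member --users=foobar1 std_group', raiseonerr=False)
        multihost.master[0].run_command(
            'ipa group-add-member --users=foobar2 admin_group', raiseonerr=False)
        # make admin_group member of std_group
        multihost.master[0].run_command(
            'ipa group-add-member --groups=admin_group std_group',
            raiseonerr=False)
        # add rules
        ipa_server.add_hbac_rule('allow_ssh_access', 'std_group',
                                 client_host, 'sshd', group=True)
        ipa_server.add_hbac_rule('allow_sudo_access', 'admin_group',
                                 client_host, 'sudo', group=True)
        for user in users:
            sssctl_cmd = 'sssctl user-checks -s sshd %s' % user
            cmd = multihost.client[0].run_command(sssctl_cmd, raiseonerr=False)
            # sssctl prints the PAM result on stderr
            results.append(pam_success.search(cmd.stderr_text) is not None)
    finally:
        ipa_server.del_hbac_rule('allow_ssh_access')
        ipa_server.del_hbac_rule('allow_sudo_access')
        for grp in groups:
            multihost.master[0].run_command('ipa group-del %s' % grp)
    status = 'PASS' if (results and all(results)) else 'FAIL'
    assert status == 'PASS'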
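def test_auto_private_group(self, multihost):
    """
    :title: hbac: Verify hbac rule associated with User private Groups
    :id: 99904ccd-bf2f-4c09-9636-92e036e19a0e

    Enables ``auto_private_groups`` in the client domain section, makes
    foobar1 a member of std_group, adds an sshd rule for std_group and
    expects ``sssctl user-checks -s sshd foobar1`` to report
    ``pam_acct_mgmt: Success``.

    The rule, the group and the config change are removed in a ``finally``
    so a failing sssctl call no longer leaves them behind for later tests.
    """
    ipa_server = ipaTools(multihost.master[0])
    sssd_client = sssdTools(multihost.client[0])
    domain_name = '%s/%s' % ('domain', sssd_client.get_domain_section_name())
    client_host = multihost.client[0].sys_hostname
    enable_pvtgroups = {'auto_private_groups': 'True'}
    multihost.client[0].service_sssd('stop')
    sssd_client.remove_sss_cache('/var/lib/sss/db')
    sssd_client.sssd_conf(domain_name, enable_pvtgroups)
    multihost.client[0].service_sssd('start')
    multihost.master[0].run_command('ipa group-add std_group')
    pam_ok = False
    try:
        # Add members
        multihost.master[0].run_command(
            'ipa group-add-member --users=foobar1 std_group', raiseonerr=False)
        # add rule
        ipa_server.add_hbac_rule('allow_ssh_access', 'std_group',
                                 client_host, 'sshd', group=True)
        sssctl_cmd = 'sssctl user-checks -s sshd foobar1'
        cmd = multihost.client[0].run_command(sssctl_cmd, raiseonerr=False)
        # sssctl prints the PAM result on stderr
        pam_ok = re.search(r'pam_acct_mgmt: Success',
                           cmd.stderr_text) is not None
    finally:
        ipa_server.del_hbac_rule('allow_ssh_access')
        multihost.master[0].run_command('ipa group-del std_group')
        sssd_client.sssd_conf(domain_name, enable_pvtgroups, action='delete')
        multihost.client[0].service_sssd('restart')
    status = 'PASS' if pam_ok else 'FAIL'
    assert status == 'PASS'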
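def test_multiple_hbac_rules(self, multihost):
    """
    :title: hbac: Verify HBAC Evaluation happens per service when user
     is associated with multiple hbac rules

    Adds an sshd rule ``test1`` and a sudo rule ``test2`` for foobar1 and
    expects ``sssctl user-checks -s sshd foobar1`` to report
    ``pam_acct_mgmt: Success``.

    The rule name ``test1`` is also used by the ``hbac_sshd_rule`` fixture
    and by ``test_hbac_refresh_time``, so both rules are deleted in a
    ``finally`` to avoid leaving a stale rule behind when the check raises.
    """
    ipa_server = ipaTools(multihost.master[0])
    client_host = multihost.client[0].sys_hostname
    ipa_server.add_hbac_rule('test1', 'foobar1', client_host, 'sshd')
    pam_ok = False
    try:
        ipa_server.add_hbac_rule('test2', 'foobar1', client_host, 'sudo')
        sssctl_cmd = 'sssctl user-checks -s sshd foobar1'
        cmd = multihost.client[0].run_command(sssctl_cmd, raiseonerr=False)
        # sssctl prints the PAM result on stderr
        pam_ok = re.search(r'pam_acct_mgmt: Success',
                           cmd.stderr_text) is not None
    finally:
        ipa_server.del_hbac_rule('test1')
        ipa_server.del_hbac_rule('test2')
    status = 'PASS' if pam_ok else 'FAIL'
    assert status == 'PASS'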