Exemple #1
0
    def test_subid_useradmin(self):
        tasks.kinit_admin(self.master)

        uid_useradmin = "testuser_usermgr_mgr1"
        role = "User Administrator"
        uid = "testuser_usermgr_user1"
        password = "******"

        # create user administrator
        tasks.create_active_user(self.master, uid_useradmin, password=password)
        # add user to user admin group
        tasks.kinit_admin(self.master)
        self.master.run_command(
            ["ipa", "role-add-member", role, f"--users={uid_useradmin}"], )
        # kinit as user admin
        tasks.kinit_user(self.master, uid_useradmin, password)

        # create new user as user admin
        tasks.user_add(self.master, uid)
        # assign new subid to user (with useradmin credentials)
        self.subid_generate(uid)

        # test that user admin can preserve and delete users with subids
        self.master.run_command(["ipa", "user-del", "--preserve", uid])
        # XXX does not work, see subordinate-ids.md
        # subid should still exist
        # self.assert_subid(uid, match=True)
        # final delete should remove the user and subid
        self.master.run_command(["ipa", "user-del", uid])
        self.assert_subid(uid, match=False)
Exemple #2
0
    def install(cls, mh):
        if cls.domain_level is not None:
            domain_level = cls.domain_level
        else:
            domain_level = cls.master.config.domain_level
        tasks.install_topo(cls.topology,
                           cls.master, cls.replicas,
                           cls.clients, domain_level,
                           clients_extra_args=('--mkhomedir',))

        cls.ad = cls.ads[0]
        cls.smbserver = cls.clients[0]
        cls.smbclient = cls.clients[1]
        cls.ad_user = '******'.format(cls.ad_user_login, cls.ad.domain.name)

        tasks.config_host_resolvconf_with_master_data(cls.master,
                                                      cls.smbclient)
        tasks.install_adtrust(cls.master)
        tasks.configure_dns_for_trust(cls.master, cls.ad)
        tasks.configure_windows_dns_for_trust(cls.ad, cls.master)
        tasks.establish_trust_with_ad(cls.master, cls.ad.domain.name,
                                      extra_args=['--two-way=true'])

        tasks.create_active_user(cls.master, cls.ipa_user1,
                                 password=cls.ipa_user1_password)
        tasks.create_active_user(cls.master, cls.ipa_user2,
                                 password=cls.ipa_user2_password)
        # Trigger creation of home directories on the SMB server
        for user in [cls.ipa_user1, cls.ipa_user2, cls.ad_user]:
            tasks.run_command_as_user(cls.smbserver, user, ['stat', '.'])
 def test_ipa_user_pac(self):
     """Test that a user can request a service ticket with PAC"""
     user = '******'
     user_princ = '@'.join([user, self.master.domain.realm])
     passwd = 'Secret123'
     # Create a user with a password
     tasks.create_active_user(
         self.master,
         user,
         passwd,
         extra_args=['--homedir', '/home/{}'.format(user)])
     try:
         # Defaults: host/... principal for service
         # keytab in /etc/krb5.keytab
         self.master.run_command(["kinit", '-k'])
         # Don't use enterprise principal here because it doesn't work
         # bug in krb5: src/lib/gssapi/krb5/acquire_cred.c:scan_cache()
         # where enterprise principals aren't taken into account
         result = self.master.run_command([
             os.path.join(paths.LIBEXEC_IPA_DIR, "ipa-print-pac"), "ticket",
             user_princ
         ],
                                          stdin_text=(passwd + '\n'),
                                          raiseonerr=False)
         assert "PAC_DATA" in result.stdout_text
     finally:
         tasks.kinit_admin(self.master)
         self.master.run_command(['ipa', 'user-del', user])
Exemple #4
0
    def test_add_agent_not_allowed(self):
        """Check that add-agents can be run only by Admins."""
        user = "******"
        passwd = "Secret123"
        host = self.replicas[0].hostname
        data_fmt = '{{"method":"trust_enable_agent","params":[["{}"],{{}}]}}'

        try:
            # Create a nonadmin user that will be used by curl
            tasks.create_active_user(self.master,
                                     user,
                                     passwd,
                                     first=user,
                                     last=user)
            tasks.kinit_as_user(self.master, user, passwd)
            # curl --negotiate -u : is using GSS-API i.e. nonadmin user
            cmd_args = [
                paths.BIN_CURL, '-H', 'referer:https://{}/ipa'.format(host),
                '-H', 'Content-Type:application/json', '-H',
                'Accept:applicaton/json', '--negotiate', '-u', ':', '--cacert',
                paths.IPA_CA_CRT, '-d',
                data_fmt.format(host), '-X', 'POST',
                'https://{}/ipa/json'.format(host)
            ]
            res = self.master.run_command(cmd_args)
            expected = 'Insufficient access: not allowed to remotely add agent'
            assert expected in res.stdout_text
        finally:
            tasks.kinit_admin(self.master)
            self.master.run_command(['ipa', 'user-del', user])
Exemple #5
0
    def test_subid_selfservice(self):
        uid1 = "testuser_selfservice1"
        uid2 = "testuser_selfservice2"
        password = "******"
        role = "Subordinate ID Selfservice User"

        tasks.create_active_user(self.master, uid1, password=password)
        tasks.create_active_user(self.master, uid2, password=password)

        tasks.kinit_user(self.master, uid1, password=password)
        self.assert_subid(uid1, match=False)
        result = self.subid_generate(uid1, raiseonerr=False)
        assert result.returncode > 0
        result = self.subid_generate(None, raiseonerr=False)
        assert result.returncode > 0

        tasks.kinit_admin(self.master)
        self.master.run_command(
            ["ipa", "role-add-member", role, "--groups=ipausers"])

        try:
            tasks.kinit_user(self.master, uid1, password)
            self.subid_generate(uid1)
            self.assert_subid(uid1, match=True)

            # add subid from whoami
            tasks.kinit_as_user(self.master, uid2, password=password)
            self.subid_generate(None)
            self.assert_subid(uid2, match=True)
        finally:
            tasks.kinit_admin(self.master)
            self.master.run_command(
                ["ipa", "role-remove-member", role, "--groups=ipausers"])
 def test_ipa_user_s4u2self_pac(self):
     """Test that a service can request S4U2Self ticket with PAC"""
     user = '******'
     user_princ = '@'.join([user, self.master.domain.realm])
     passwd = 'Secret123'
     # Create a user with a password
     tasks.create_active_user(
         self.master,
         user,
         passwd,
         extra_args=["--homedir", "/home/{}".format(user)],
         krb5_trace=True)
     try:
         # Defaults: host/... principal for service
         # keytab in /etc/krb5.keytab
         self.master.run_command(["kinit", '-k'])
         result = self.master.run_command([
             os.path.join(paths.LIBEXEC_IPA_DIR, "ipa-print-pac"), "-E",
             "impersonate", user_princ
         ],
                                          raiseonerr=False)
         assert "PAC_DATA" in result.stdout_text
     finally:
         tasks.kinit_admin(self.master)
         self.master.run_command(['ipa', 'user-del', user])
    def test_selinux_user_optimized(self):
        """
        Check that SELinux login context is set on first login for the
        user, even if the user is not mapped to a specific SELinux user.

        Related ticket https://pagure.io/SSSD/sssd/issue/3819.
        """

        # Scenario: add an IPA user with non-default home dir, login through
        # ssh as this user and check that there is a SELinux user mapping
        # for the user with `semanage login -l`.

        test_user = '******'
        password = '******'

        tasks.kinit_admin(self.master)
        tasks.create_active_user(
            self.master,
            test_user,
            password=password,
            extra_args=['--homedir', '/root/{}'.format(test_user)])

        tasks.run_ssh_cmd(to_host=self.master.external_hostname,
                          username=test_user,
                          auth_method="password",
                          password=password)

        # check if user listed in output
        cmd = self.master.run_command(['semanage', 'login', '-l'])
        assert test_user in cmd.stdout_text

        # call ipa user-del
        tasks.kinit_admin(self.master)
        self.master.run_command(['ipa', 'user-del', test_user])
    def test_delete_group_by_user_administrator(self):
        """
        Test that a user with sufficient privileges can delete group
        This is a Automation for issue 6884
        """
        # Create a new testadmin user with a password
        testadmin = 'tuser'
        password = '******'
        testgroup = 'gtest'

        try:
            tasks.create_active_user(self.master, testadmin, password)

            # Add testadmin user to role "User Administrator"
            tasks.kinit_admin(self.master)
            self.master.run_command([
                'ipa', 'role-add-member', '--users', testadmin,
                'User Administrator'
            ])
            tasks.kdestroy_all(self.master)

            # Create a test group
            tasks.kinit_as_user(self.master, testadmin, password)
            self.master.run_command(['ipa', 'group-add', testgroup])

            # Call ipa-group-del to check if user can delete group
            self.master.run_command(['ipa', 'group-del', testgroup])
        finally:
            # Cleanup
            tasks.kinit_admin(self.master)
            self.master.run_command(['ipa', 'user-del', testadmin])
            self.master.run_command(
                ['ipa', 'group-del', testgroup, '--continue'])
Exemple #9
0
    def test_sss_ssh_authorizedkeys(self):
        """Login via Ssh using private-key for ipa-user should work.

        Test for : https://pagure.io/SSSD/sssd/issue/3937
        Steps:
        1) setup user with ssh-key and certificate stored in ipaserver
        2) simulate p11_child timeout
        3) try to login via ssh using private key.
        """
        user = '******'
        passwd = 'Secret123'
        user_key = tasks.create_temp_file(self.master, create_file=False)
        pem_file = tasks.create_temp_file(self.master)
        # Create a user with a password
        tasks.create_active_user(
            self.master,
            user,
            passwd,
            extra_args=['--homedir', '/home/{}'.format(user)])
        tasks.kinit_admin(self.master)
        tasks.run_command_as_user(self.master, user,
                                  ['ssh-keygen', '-N', '', '-f', user_key])
        ssh_pub_key = self.master.get_file_contents('{}.pub'.format(user_key),
                                                    encoding='utf-8')
        openssl_cmd = [
            'openssl', 'req', '-x509', '-newkey', 'rsa:2048', '-days', '365',
            '-nodes', '-out', pem_file, '-subj', '/CN=' + user
        ]
        self.master.run_command(openssl_cmd)
        cert_b64 = self.get_cert_base64(self.master, pem_file)
        sssd_p11_child = '/usr/libexec/sssd/p11_child'
        backup = tasks.FileBackup(self.master, sssd_p11_child)
        try:
            content = '#!/bin/bash\nsleep 999999'
            # added sleep to simulate the timeout for p11_child
            self.master.put_file_contents(sssd_p11_child, content)
            self.master.run_command(
                ['ipa', 'user-mod', user, '--ssh', ssh_pub_key])
            self.master.run_command(
                ['ipa', 'user-add-cert', user, '--certificate', cert_b64])
            # clear cache to avoid SSSD to check the user in old lookup
            tasks.clear_sssd_cache(self.master)
            result = self.master.run_command(
                [paths.SSS_SSH_AUTHORIZEDKEYS, user])
            assert ssh_pub_key in result.stdout_text
            # login to the system
            self.master.run_command([
                'ssh', '-o', 'PasswordAuthentication=no', '-o',
                'IdentitiesOnly=yes', '-o', 'StrictHostKeyChecking=no', '-o',
                'ConnectTimeout=10', '-l', user, '-i', user_key,
                self.master.hostname, 'true'
            ])
        finally:
            # cleanup
            self.master.run_command(['ipa', 'user-del', user])
            backup.restore()
            self.master.run_command(
                ['rm', '-f', pem_file, user_key, '{}.pub'.format(user_key)])
Exemple #10
0
    def user_creation_deletion(self):
        # create user
        self.testuser = '******'
        tasks.create_active_user(self.master, self.testuser, 'Secret123')

        yield

        # cleanup
        tasks.kinit_admin(self.master)
        self.master.run_command(['ipa', 'user-del', self.testuser])
Exemple #11
0
    def install(cls, mh):
        super(TestSSSDAuthCache, cls).install(mh)

        cls.ad = cls.ads[0]  # pylint: disable=no-member

        tasks.install_adtrust(cls.master)
        tasks.configure_dns_for_trust(cls.master, cls.ad)
        tasks.establish_trust_with_ad(cls.master, cls.ad.domain.name)

        cls.users['ad']['name'] = cls.users['ad']['name_tmpl'].format(
            domain=cls.ad.domain.name)
        tasks.user_add(cls.master, cls.intermed_user)
        tasks.create_active_user(cls.master, cls.ipa_user,
                                 cls.ipa_user_password)
Exemple #12
0
    def install(cls, mh):
        super(TestSSSDWithAdTrust, cls).install(mh)

        cls.ad = cls.ads[0]

        tasks.install_adtrust(cls.master)
        tasks.configure_dns_for_trust(cls.master, cls.ad)
        tasks.establish_trust_with_ad(cls.master, cls.ad.domain.name)

        cls.users['ad']['name'] = cls.users['ad']['name_tmpl'].format(
            domain=cls.ad.domain.name)
        cls.users['ad']['group'] = cls.users['ad']['group_tmpl'].format(
            domain=cls.ad.domain.name)
        tasks.user_add(cls.master, cls.intermed_user)
        tasks.create_active_user(cls.master, cls.ipa_user,
                                 cls.ipa_user_password)
Exemple #13
0
    def install(cls, mh):
        super(TestSSSDWithAdTrust, cls).install(mh)

        cls.ad = cls.ads[0]

        tasks.install_adtrust(cls.master)
        tasks.configure_dns_for_trust(cls.master, cls.ad)
        tasks.establish_trust_with_ad(cls.master, cls.ad.domain.name)

        cls.users['ad']['name'] = cls.users['ad']['name_tmpl'].format(
            domain=cls.ad.domain.name)

        # Regression tests for cached_auth_timeout option
        # https://bugzilla.redhat.com/show_bug.cgi?id=1685581
        tasks.user_add(cls.master, cls.intermed_user)
        tasks.create_active_user(cls.master, cls.ipa_user,
                                 cls.ipa_user_password)
Exemple #14
0
    def test_2fa_disable_single_prompt(self):
        """Test ssh with 2FA when single prompt is disabled.

        Test for : https://pagure.io/SSSD/sssd/issue/3264

        When [prompting/2fa/sshd] with single_prompt = False is set
        then during ssh it should be prompted with given message
        for first factor and then for second factor.

        This requires paramiko until the 2-prompt sshpass RFE is
        fulfilled: https://sourceforge.net/p/sshpass/feature-requests/5/
        """
        if self.master.is_fips_mode:
            pytest.skip("paramiko is not compatible with FIPS mode")

        master = self.master
        USER2 = 'sshuser2'
        sssd_conf_backup = tasks.FileBackup(master, paths.SSSD_CONF)
        first_prompt = 'Enter first factor:'
        second_prompt = 'Enter second factor:'
        add_contents = textwrap.dedent('''
            [prompting/2fa/sshd]
            single_prompt = False
            first_prompt = {0}
            second_prompt = {1}
            ''').format(first_prompt, second_prompt)
        set_sssd_conf(master, add_contents)
        tasks.create_active_user(master, USER2, PASSWORD)
        tasks.kinit_admin(master)
        master.run_command(['ipa', 'user-mod', USER2, '--user-auth-type=otp'])
        try:
            otpuid, totp = add_otptoken(master, USER2, otptype='totp')
            master.run_command(['ipa', 'otptoken-show', otpuid])
            otpvalue = totp.generate(int(time.time())).decode('ascii')
            answers = {
                first_prompt: PASSWORD,
                second_prompt: otpvalue
            }
            ssh_2f(master.hostname, USER2, answers)
            # check if user listed in output
            cmd = self.master.run_command(['semanage', 'login', '-l'])
            assert USER2 in cmd.stdout_text
        finally:
            master.run_command(['ipa', 'user-del', USER2])
            self.master.run_command(['semanage', 'login', '-D'])
            sssd_conf_backup.restore()
Exemple #15
0
    def install(cls, mh):
        super(TestOTPToken, cls).install(mh)
        master = cls.master

        tasks.kinit_admin(master)
        # create service with OTP auth indicator
        cls.service_name = f"otponly/{master.hostname}"
        master.run_command(
            ["ipa", "service-add", cls.service_name, "--auth-ind=otp"])
        # service needs a keytab before user can acquire a ticket for it
        keytab = "/tmp/otponly.keytab"
        master.run_command(
            ["ipa-getkeytab", "-p", cls.service_name, "-k", keytab])
        master.run_command(["rm", "-f", keytab])

        tasks.create_active_user(master, USER, PASSWORD)
        tasks.kinit_admin(master)
        master.run_command(["ipa", "user-mod", USER, "--user-auth-type=otp"])
Exemple #16
0
    def nested_group_setup(self, tmpdir):
        """Setup and Clean up groups and user created"""
        master = self.master
        client = self.clients[0]

        # add a user and set password
        tasks.create_active_user(master, self.username, self.userpasswd)
        tasks.kinit_admin(master)

        privkey, pubkey = tasks.generate_ssh_keypair()
        with open(os.path.join(
                tmpdir, 'ssh_priv_key'), 'w') as fp:
            fp.write(privkey)

        master.run_command([
            'ipa', 'user-mod', self.username, '--ssh', "{}".format(pubkey)
        ])

        master.put_file_contents('/tmp/user_ssh_priv_key', privkey)
        master.run_command(['chmod', '600', '/tmp/user_ssh_priv_key'])

        # add group groupa
        cmd_output = master.run_command(['ipa', 'group-add', 'groupa'])
        assert 'Added group "groupa"' in cmd_output.stdout_text

        # add group groupb
        cmd_output = master.run_command(['ipa', 'group-add', 'groupb'])
        assert 'Added group "groupb"' in cmd_output.stdout_text

        # add group groupc
        cmd_output = master.run_command(['ipa', 'group-add', 'groupc'])
        assert 'Added group "groupc"' in cmd_output.stdout_text

        client.put_file_contents('/tmp/user_ssh_priv_key',
                                 privkey)
        client.run_command(['chmod', '600', '/tmp/user_ssh_priv_key'])
        yield
        # test cleanup
        for group in ['groupa', 'groupb', 'groupc']:
            self.master.run_command(['ipa', 'group-del', group, '--continue'])
        self.master.run_command(['ipa', 'user-del', self.username,
                                 '--no-preserve', '--continue'])
        tasks.kdestroy_all(self.master)
        tasks.kdestroy_all(self.clients[0])
    def test_add_agent_not_allowed(self):
        """Check that add-agents can be run only by Admins."""
        user = "******"
        passwd = "Secret123"
        host = self.replicas[0].hostname
        data_fmt = '{{"method":"trust_enable_agent","params":[["{}"],{{}}]}}'

        try:
            # Create a nonadmin user that will be used by curl.
            # First, display SSSD kdcinfo:
            # https://bugzilla.redhat.com/show_bug.cgi?id=1850445#c1
            self.master.run_command([
                "cat",
                "/var/lib/sss/pubconf/kdcinfo.%s" % self.master.domain.realm
            ],
                                    raiseonerr=False)
            # Set krb5_trace to True: https://pagure.io/freeipa/issue/8353
            tasks.create_active_user(self.master,
                                     user,
                                     passwd,
                                     first=user,
                                     last=user,
                                     krb5_trace=True)
            tasks.kinit_as_user(self.master, user, passwd, krb5_trace=True)

            # curl --negotiate -u : is using GSS-API i.e. nonadmin user
            cmd_args = [
                paths.BIN_CURL, '-H', 'referer:https://{}/ipa'.format(host),
                '-H', 'Content-Type:application/json', '-H',
                'Accept:applicaton/json', '--negotiate', '-u', ':', '--cacert',
                paths.IPA_CA_CRT, '-d',
                data_fmt.format(host), '-X', 'POST',
                'https://{}/ipa/json'.format(host)
            ]
            res = self.master.run_command(cmd_args)
            expected = 'Insufficient access: not allowed to remotely add agent'
            assert expected in res.stdout_text
        finally:
            tasks.kinit_admin(self.master)
            self.master.run_command(['ipa', 'user-del', user])
Exemple #18
0
    def test_2fa_enable_single_prompt(self):
        """Test ssh with 2FA when single prompt is enabled.

        Test for : https://pagure.io/SSSD/sssd/issue/3264

        When [prompting/2fa/sshd] with single_prompt = True is set
        then during ssh it should be prompted with given message
        for first and second factor at once.
        """

        master = self.master
        USER1 = 'sshuser1'
        sssd_conf_backup = tasks.FileBackup(master, paths.SSSD_CONF)
        first_prompt = 'Please enter password + OTP token value:'
        add_contents = textwrap.dedent('''
            [prompting/2fa/sshd]
            single_prompt = True
            first_prompt = {0}
            ''').format(first_prompt)
        set_sssd_conf(master, add_contents)
        tasks.create_active_user(master, USER1, PASSWORD)
        tasks.kinit_admin(master)
        master.run_command(['ipa', 'user-mod', USER1, '--user-auth-type=otp'])
        try:
            otpuid, totp = add_otptoken(master, USER1, otptype='totp')
            master.run_command(['ipa', 'otptoken-show', otpuid])
            otpvalue = totp.generate(int(time.time())).decode('ascii')
            password = '******'.format(PASSWORD, otpvalue)
            tasks.run_ssh_cmd(to_host=self.master.external_hostname,
                              username=USER1,
                              auth_method="password",
                              password=password)
            # check if user listed in output
            cmd = self.master.run_command(['semanage', 'login', '-l'])
            assert USER1 in cmd.stdout_text
        finally:
            master.run_command(['ipa', 'user-del', USER1])
            self.master.run_command(['semanage', 'login', '-D'])
            sssd_conf_backup.restore()
Exemple #19
0
    def test_auto_generate_subid(self):
        uid = "testuser_auto1"
        passwd = "Secret123"
        tasks.create_active_user(self.master, uid, password=passwd)

        tasks.kinit_admin(self.master)
        self.assert_subid(uid, match=False)

        # add subid by name
        self.subid_generate(uid)
        info = self.assert_subid(uid, match=True)

        # second generate fails due to unique index on ipaowner
        result = self.subid_generate(uid, raiseonerr=False)
        assert result.returncode > 0
        assert f'for user "{uid}" already exists' in result.stderr_text

        # check matching
        subuid = info["ipasubuidnumber"]
        for offset in (0, 1, 65535):
            result = self.master.run_command(
                ["ipa", "subid-match", f"--subuid={subuid + offset}", "--raw"])
            match = self._parse_result(result)
            self.assert_subid_info(uid, match)
Exemple #20
0
    def install(cls, mh):
        super(TestMemberManager, cls).install(mh)
        master = cls.master

        tasks.create_active_user(master, USER_MM, PASSWORD)
        tasks.create_active_user(master, USER_INDIRECT, PASSWORD)
        tasks.create_active_user(master, USER1, PASSWORD)

        tasks.kinit_admin(master)
        tasks.group_add(master, GROUP_INDIRECT)
        master.run_command([
            'ipa', 'group-add-member', GROUP_INDIRECT, '--users', USER_INDIRECT
        ])

        tasks.user_add(master, USER2)
        tasks.group_add(master, GROUP1)
        tasks.group_add(master, GROUP2)
        master.run_command(['ipa', 'hostgroup-add', HOSTGROUP1])

        # make mmuser a member manager for group and hostgroup
        master.run_command([
            'ipa', 'group-add-member-manager', GROUP1,
            '--users', USER_MM
        ])
        master.run_command([
            'ipa', 'hostgroup-add-member-manager', HOSTGROUP1,
            '--users', USER_MM
        ])
        # make indirect group member manager for group and hostgroup
        master.run_command([
            'ipa', 'group-add-member-manager', GROUP1,
            '--groups', GROUP_INDIRECT
        ])
        master.run_command([
            'ipa', 'hostgroup-add-member-manager', HOSTGROUP1,
            '--groups', GROUP_INDIRECT
        ])
        tasks.kdestroy_all(master)
Exemple #21
0
 def install(cls, mh):
     tasks.install_master(cls.master)
     tasks.create_active_user(cls.master, USER1, PASSWORD)
     tasks.create_active_user(cls.master, USER2, PASSWORD)