def test_ipa_management_run_as_aduser(self):
"""Test if adding AD user to a role makes it an administrator"""
ipauser = u'tuser'
ad_admin = 'Administrator@%s' % self.ad_domain
tasks.kdestroy_all(self.master)
tasks.kinit_admin(self.master)
self.master.run_command(
['ipa', 'idoverrideuser-add', 'Default Trust View', ad_admin])
self.master.run_command([
'ipa', 'role-add-member', 'User Administrator',
'--idoverrideusers', ad_admin
])
tasks.kdestroy_all(self.master)
tasks.kinit_as_user(self.master, ad_admin,
self.master.config.ad_admin_password)
# Create a user in IPA as Active Directory administrator
self.test_ipauser_authentication_with_nonposix_trust()
tasks.kdestroy_all(self.master)
tasks.kinit_as_user(self.master, ad_admin,
self.master.config.ad_admin_password)
self.master.run_command(['ipa', 'user-del', ipauser], raiseonerr=False)
tasks.kdestroy_all(self.master)
tasks.kinit_admin(self.master)
def test_add_agent_not_allowed(self):
"""Check that add-agents can be run only by Admins."""
user = "******"
passwd = "Secret123"
host = self.replicas[0].hostname
data_fmt = '{{"method":"trust_enable_agent","params":[["{}"],{{}}]}}'
try:
# Create a nonadmin user that will be used by curl
tasks.create_active_user(self.master,
user,
passwd,
first=user,
last=user)
tasks.kinit_as_user(self.master, user, passwd)
# curl --negotiate -u : is using GSS-API i.e. nonadmin user
cmd_args = [
paths.BIN_CURL, '-H', 'referer:https://{}/ipa'.format(host),
'-H', 'Content-Type:application/json', '-H',
'Accept:applicaton/json', '--negotiate', '-u', ':', '--cacert',
paths.IPA_CA_CRT, '-d',
data_fmt.format(host), '-X', 'POST',
'https://{}/ipa/json'.format(host)
]
res = self.master.run_command(cmd_args)
expected = 'Insufficient access: not allowed to remotely add agent'
assert expected in res.stdout_text
finally:
tasks.kinit_admin(self.master)
self.master.run_command(['ipa', 'user-del', user])
def test_delete_group_by_user_administrator(self):
"""
Test that a user with sufficient privileges can delete group
This is a Automation for issue 6884
"""
# Create a new testadmin user with a password
testadmin = 'tuser'
password = '******'
testgroup = 'gtest'
try:
tasks.create_active_user(self.master, testadmin, password)
# Add testadmin user to role "User Administrator"
tasks.kinit_admin(self.master)
self.master.run_command([
'ipa', 'role-add-member', '--users', testadmin,
'User Administrator'
])
tasks.kdestroy_all(self.master)
# Create a test group
tasks.kinit_as_user(self.master, testadmin, password)
self.master.run_command(['ipa', 'group-add', testgroup])
# Call ipa-group-del to check if user can delete group
self.master.run_command(['ipa', 'group-del', testgroup])
finally:
# Cleanup
tasks.kinit_admin(self.master)
self.master.run_command(['ipa', 'user-del', testadmin])
self.master.run_command(
['ipa', 'group-del', testgroup, '--continue'])
def test_subid_selfservice(self):
uid1 = "testuser_selfservice1"
uid2 = "testuser_selfservice2"
password = "******"
role = "Subordinate ID Selfservice User"
tasks.create_active_user(self.master, uid1, password=password)
tasks.create_active_user(self.master, uid2, password=password)
tasks.kinit_user(self.master, uid1, password=password)
self.assert_subid(uid1, match=False)
result = self.subid_generate(uid1, raiseonerr=False)
assert result.returncode > 0
result = self.subid_generate(None, raiseonerr=False)
assert result.returncode > 0
tasks.kinit_admin(self.master)
self.master.run_command(
["ipa", "role-add-member", role, "--groups=ipausers"])
try:
tasks.kinit_user(self.master, uid1, password)
self.subid_generate(uid1)
self.assert_subid(uid1, match=True)
# add subid from whoami
tasks.kinit_as_user(self.master, uid2, password=password)
self.subid_generate(None)
self.assert_subid(uid2, match=True)
finally:
tasks.kinit_admin(self.master)
self.master.run_command(
["ipa", "role-remove-member", role, "--groups=ipausers"])
def test_hostgroup_member_manager_user(self):
master = self.master
# mmuser: add a host to host group
tasks.kinit_as_user(master, USER_MM, PASSWORD)
master.run_command([
'ipa', 'hostgroup-add-member', HOSTGROUP1,
'--hosts', master.hostname
])
result = master.run_command(['ipa', 'hostgroup-show', HOSTGROUP1])
assert master.hostname in result.stdout_text
master.run_command([
'ipa', 'hostgroup-remove-member', HOSTGROUP1,
'--hosts', master.hostname
])
result = master.run_command(['ipa', 'hostgroup-show', HOSTGROUP1])
assert master.hostname not in result.stdout_text
# indirect:
tasks.kinit_as_user(master, USER_INDIRECT, PASSWORD)
master.run_command([
'ipa', 'hostgroup-add-member', HOSTGROUP1,
'--hosts', master.hostname
])
result = master.run_command(['ipa', 'hostgroup-show', HOSTGROUP1])
assert master.hostname in result.stdout_text
def mount_smb_share(self, user, password, share, mountpoint):
tasks.kdestroy_all(self.smbclient)
tasks.kinit_as_user(self.smbclient, user, password)
self.smbclient.run_command(['mkdir', '-p', mountpoint])
self.smbclient.run_command([
'mount', '-t', 'cifs', share['unc'], mountpoint,
'-o', 'sec=krb5i,multiuser'
])
tasks.kdestroy_all(self.smbclient)
def test_group_member_manager_group(self):
master = self.master
# mmuser: add group2 to group
tasks.kinit_as_user(master, USER_MM, PASSWORD)
master.run_command([
'ipa', 'group-add-member', GROUP1, '--groups', GROUP2
])
result = master.run_command(['ipa', 'group-show', GROUP1])
assert GROUP2 in result.stdout_text
def test_group_member_manager_nopermission(self):
master = self.master
tasks.kinit_as_user(master, USER1, PASSWORD)
result = master.run_command(
[
'ipa', 'group-add-member-manager', GROUP1, '--users', USER1
],
raiseonerr=False
)
assert result.returncode != 0
expected = (
f"member user: {USER1}: Insufficient access: Insufficient "
"'write' privilege to the 'memberManager' attribute of entry"
)
assert expected in result.stdout_text
def test_group_member_manager_user(self):
master = self.master
# mmuser: add user1 to group
tasks.kinit_as_user(master, USER_MM, PASSWORD)
master.run_command([
'ipa', 'group-add-member', GROUP1, '--users', USER1
])
result = master.run_command(['ipa', 'group-show', GROUP1])
assert USER1 in result.stdout_text
# indirect: add user2 to group
tasks.kinit_as_user(master, USER_INDIRECT, PASSWORD)
master.run_command([
'ipa', 'group-add-member', GROUP1, '--users', USER2
])
# verify
master.run_command(['ipa', 'group-show', GROUP1])
result = master.run_command(['ipa', 'group-show', GROUP1])
assert USER2 in result.stdout_text
def test_ipa_commands_run_as_aduser(self):
"""Test if proper error thrown when AD user tries to run IPA commands
Before fix the error used to implies that the ipa setup is broken.
Fix is to throw the proper error. This test is to check that the
error with 'Invalid credentials' thrown when AD user tries to run
IPA commands.
related: https://pagure.io/freeipa/issue/8163
"""
tasks.kdestroy_all(self.master)
ad_admin = 'Administrator@%s' % self.ad_domain
tasks.kinit_as_user(self.master, ad_admin,
self.master.config.ad_admin_password)
err_string = ('ipa: ERROR: Insufficient access: SASL(-14):'
' authorization failure: Invalid credentials')
result = self.master.run_command(['ipa', 'ping'], raiseonerr=False)
assert err_string in result.stderr_text
tasks.kdestroy_all(self.master)
tasks.kinit_admin(self.master)
def test_add_agent_not_allowed(self):
"""Check that add-agents can be run only by Admins."""
user = "******"
passwd = "Secret123"
host = self.replicas[0].hostname
data_fmt = '{{"method":"trust_enable_agent","params":[["{}"],{{}}]}}'
try:
# Create a nonadmin user that will be used by curl.
# First, display SSSD kdcinfo:
# https://bugzilla.redhat.com/show_bug.cgi?id=1850445#c1
self.master.run_command([
"cat",
"/var/lib/sss/pubconf/kdcinfo.%s" % self.master.domain.realm
],
raiseonerr=False)
# Set krb5_trace to True: https://pagure.io/freeipa/issue/8353
tasks.create_active_user(self.master,
user,
passwd,
first=user,
last=user,
krb5_trace=True)
tasks.kinit_as_user(self.master, user, passwd, krb5_trace=True)
# curl --negotiate -u : is using GSS-API i.e. nonadmin user
cmd_args = [
paths.BIN_CURL, '-H', 'referer:https://{}/ipa'.format(host),
'-H', 'Content-Type:application/json', '-H',
'Accept:applicaton/json', '--negotiate', '-u', ':', '--cacert',
paths.IPA_CA_CRT, '-d',
data_fmt.format(host), '-X', 'POST',
'https://{}/ipa/json'.format(host)
]
res = self.master.run_command(cmd_args)
expected = 'Insufficient access: not allowed to remotely add agent'
assert expected in res.stdout_text
finally:
tasks.kinit_admin(self.master)
self.master.run_command(['ipa', 'user-del', user])
