def test_installclient_as_user_admin(self):
"""ipa-client-install should not use hardcoded admin for principal
In ipaclient-install.log it should use the username that was entered
earlier in the install process at the prompt.
Related to : https://pagure.io/freeipa/issue/5406
"""
client = self.clients[0]
tasks.install_master(self.master)
tasks.kinit_admin(self.master)
username = '******'
password = '******'
password_confirmation = "%s\n%s\n" % (password,
password)
self.master.run_command(['ipa', 'user-add', username,
'--first', username,
'--last', username,
'--password'],
stdin_text=password_confirmation)
role_add = ['ipa', 'role-add', 'useradmin']
self.master.run_command(role_add)
self.master.run_command(['ipa', 'privilege-add', 'Add Hosts'])
self.master.run_command(['ipa', 'privilege-add-permission',
'--permissions', 'System: Add Hosts',
'Add Hosts'])
self.master.run_command(['ipa', 'role-add-privilege', 'useradmin',
'--privileges', 'Host Enrollment'])
self.master.run_command(['ipa', 'role-add-privilege', 'useradmin',
'--privileges', 'Add Hosts'])
role_member_add = ['ipa', 'role-add-member', 'useradmin',
'--users={}'.format(username)]
self.master.run_command(role_member_add)
user_kinit = "%s\n%s\n%s\n" % (password, password, password)
self.master.run_command(['kinit', username],
stdin_text=user_kinit)
tasks.install_client(
self.master, client,
extra_args=['--request-cert'],
user=username, password=password
)
msg = "args=['/usr/bin/getent', 'passwd', '%s@%s']" % \
(username, client.domain.name)
install_log = client.get_file_contents(paths.IPACLIENT_INSTALL_LOG,
encoding='utf-8')
assert msg in install_log
# check that user is able to request a host cert, too
result = tasks.run_certutil(client, ['-L'], paths.IPA_NSSDB_DIR)
assert 'Local IPA host' in result.stdout_text
result = tasks.run_certutil(
client,
['-K', '-f', paths.IPA_NSSDB_PWDFILE_TXT],
paths.IPA_NSSDB_DIR
)
assert 'Local IPA host' in result.stdout_text
def get_certinfo(self, host):
result = tasks.run_certutil(
host, ['-L', '-f', paths.PKI_TOMCAT_ALIAS_PWDFILE_TXT],
paths.PKI_TOMCAT_ALIAS_DIR)
certs = {}
for line in result.stdout_text.splitlines():
mo = certdb.CERT_RE.match(line)
if mo:
certs[mo.group('nick')] = mo.group('flags')
result = tasks.run_certutil(
host, ['-K', '-f', paths.PKI_TOMCAT_ALIAS_PWDFILE_TXT],
paths.PKI_TOMCAT_ALIAS_DIR)
keys = {}
for line in result.stdout_text.splitlines():
mo = certdb.KEY_RE.match(line)
if mo:
keys[mo.group('nick')] = mo.group('keyid')
return certs, keys
def install(cls, mh):
super(TestCertsInIDOverrides, cls).install(mh)
cls.ad = config.ad_domains[0].ads[0]
cls.ad_domain = cls.ad.domain.name
cls.aduser = "******" % cls.ad_domain
master = cls.master
# A setup for test_dbus_user_lookup
master.run_command(['dnf', 'install', '-y', 'sssd-dbus'],
raiseonerr=False)
# The tasks.modify_sssd_conf way did not work because
# sssd_domain.set_option knows nothing about 'services' parameter of
# the sssd config file. Therefore I am using sed approach
master.run_command("sed -i '/^services/ s/$/, ifp/' %s" %
paths.SSSD_CONF)
master.run_command("sed -i 's/= 7/= 0xFFF0/' %s" % paths.SSSD_CONF,
raiseonerr=False)
master.run_command(['systemctl', 'restart', 'sssd.service'])
# End of setup for test_dbus_user_lookup
# AD-related stuff
tasks.install_adtrust(master)
tasks.sync_time(master, cls.ad)
tasks.establish_trust_with_ad(
cls.master,
cls.ad_domain,
extra_args=['--range-type', 'ipa-ad-trust'])
cls.reqdir = os.path.join(master.config.test_dir, "certs")
cls.reqfile1 = os.path.join(cls.reqdir, "test1.csr")
cls.reqfile2 = os.path.join(cls.reqdir, "test2.csr")
cls.pwname = os.path.join(cls.reqdir, "pwd")
# Create a NSS database folder
master.run_command(['mkdir', cls.reqdir], raiseonerr=False)
# Create an empty password file
master.run_command(["touch", cls.pwname], raiseonerr=False)
# Initialize NSS database
tasks.run_certutil(master, ["-N", "-f", cls.pwname], cls.reqdir)
# Now generate self-signed certs for a windows user
stdin_text = string.digits + string.ascii_letters[2:] + '\n'
tasks.run_certutil(master, [
'-S', '-s',
"cn=%s,dc=ad,dc=test" % cls.adcert1, '-n', cls.adcert1, '-x', '-t',
'CT,C,C', '-v', '120', '-m', '1234'
],
cls.reqdir,
stdin=stdin_text)
tasks.run_certutil(master, [
'-S', '-s',
"cn=%s,dc=ad,dc=test" % cls.adcert2, '-n', cls.adcert2, '-x', '-t',
'CT,C,C', '-v', '120', '-m', '1234'
],
cls.reqdir,
stdin=stdin_text)
# Export the previously generated cert
tasks.run_certutil(
master, ['-L', '-n', cls.adcert1, '-a', '>', cls.adcert1_file],
cls.reqdir)
tasks.run_certutil(
master, ['-L', '-n', cls.adcert2, '-a', '>', cls.adcert2_file],
cls.reqdir)
cls.cert1_base64 = cls.master.run_command(
"openssl x509 -outform der -in %s | base64 -w 0" %
cls.adcert1_file).stdout_text
cls.cert2_base64 = cls.master.run_command(
"openssl x509 -outform der -in %s | base64 -w 0" %
cls.adcert2_file).stdout_text
cls.cert1_pem = cls.master.run_command(
"openssl x509 -in %s -outform pem" % cls.adcert1_file).stdout_text
cls.cert2_pem = cls.master.run_command(
"openssl x509 -in %s -outform pem" % cls.adcert2_file).stdout_text
def test_installclient_as_user_admin(self):
"""ipa-client-install should not use hardcoded admin for principal
In ipaclient-install.log it should use the username that was entered
earlier in the install process at the prompt.
Related to : https://pagure.io/freeipa/issue/5406
"""
client = self.clients[0]
tasks.install_master(self.master)
tasks.kinit_admin(self.master)
username = '******'
password = '******'
password_confirmation = "%s\n%s\n" % (password, password)
self.master.run_command([
'ipa', 'user-add', username, '--first', username, '--last',
username, '--password'
],
stdin_text=password_confirmation)
role_add = ['ipa', 'role-add', 'useradmin']
self.master.run_command(role_add)
self.master.run_command(['ipa', 'privilege-add', 'Add Hosts'])
self.master.run_command([
'ipa', 'privilege-add-permission', '--permissions',
'System: Add Hosts', 'Add Hosts'
])
self.master.run_command([
'ipa', 'role-add-privilege', 'useradmin', '--privileges',
'Host Enrollment'
])
self.master.run_command([
'ipa', 'role-add-privilege', 'useradmin', '--privileges',
'Add Hosts'
])
role_member_add = [
'ipa', 'role-add-member', 'useradmin',
'--users={}'.format(username)
]
self.master.run_command(role_member_add)
user_kinit = "%s\n%s\n%s\n" % (password, password, password)
self.master.run_command(['kinit', username], stdin_text=user_kinit)
tasks.install_client(self.master,
client,
extra_args=['--request-cert'],
user=username,
password=password)
msg = "args=['/usr/bin/getent', 'passwd', '%s@%s']" % \
(username, client.domain.name)
install_log = client.get_file_contents(paths.IPACLIENT_INSTALL_LOG,
encoding='utf-8')
assert msg in install_log
# check that user is able to request a host cert, too
result = tasks.run_certutil(client, ['-L'], paths.IPA_NSSDB_DIR)
assert 'Local IPA host' in result.stdout_text
result = tasks.run_certutil(client,
['-K', '-f', paths.IPA_NSSDB_PWDFILE_TXT],
paths.IPA_NSSDB_DIR)
assert 'Local IPA host' in result.stdout_text
def install(cls, mh):
super(TestCertsInIDOverrides, cls).install(mh)
cls.ad = config.ad_domains[0].ads[0]
cls.ad_domain = cls.ad.domain.name
cls.aduser = "******" % cls.ad_domain
master = cls.master
# A setup for test_dbus_user_lookup
master.run_command(['dnf', 'install', '-y', 'sssd-dbus'],
raiseonerr=False)
# The tasks.modify_sssd_conf way did not work because
# sssd_domain.set_option knows nothing about 'services' parameter of
# the sssd config file. Therefore I am using sed approach
master.run_command(
"sed -i '/^services/ s/$/, ifp/' %s" % paths.SSSD_CONF)
master.run_command(
"sed -i 's/= 7/= 0xFFF0/' %s" % paths.SSSD_CONF, raiseonerr=False)
master.run_command(['systemctl', 'restart', 'sssd.service'])
# End of setup for test_dbus_user_lookup
# AD-related stuff
tasks.install_adtrust(master)
tasks.sync_time(master, cls.ad)
tasks.establish_trust_with_ad(cls.master, cls.ad_domain,
extra_args=['--range-type',
'ipa-ad-trust'])
cls.reqdir = os.path.join(master.config.test_dir, "certs")
cls.reqfile1 = os.path.join(cls.reqdir, "test1.csr")
cls.reqfile2 = os.path.join(cls.reqdir, "test2.csr")
cls.pwname = os.path.join(cls.reqdir, "pwd")
# Create a NSS database folder
master.run_command(['mkdir', cls.reqdir], raiseonerr=False)
# Create an empty password file
master.run_command(["touch", cls.pwname], raiseonerr=False)
# Initialize NSS database
tasks.run_certutil(master, ["-N", "-f", cls.pwname], cls.reqdir)
# Now generate self-signed certs for a windows user
stdin_text = string.digits+string.ascii_letters[2:] + '\n'
tasks.run_certutil(master, ['-S', '-s',
"cn=%s,dc=ad,dc=test" % cls.adcert1, '-n',
cls.adcert1, '-x', '-t', 'CT,C,C', '-v',
'120', '-m', '1234'],
cls.reqdir, stdin=stdin_text)
tasks.run_certutil(master, ['-S', '-s',
"cn=%s,dc=ad,dc=test" % cls.adcert2, '-n',
cls.adcert2, '-x', '-t', 'CT,C,C', '-v',
'120', '-m', '1234'],
cls.reqdir, stdin=stdin_text)
# Export the previously generated cert
tasks.run_certutil(master, ['-L', '-n', cls.adcert1, '-a', '>',
cls.adcert1_file], cls.reqdir)
tasks.run_certutil(master, ['-L', '-n', cls.adcert2, '-a', '>',
cls.adcert2_file], cls.reqdir)
cls.cert1_base64 = cls.master.run_command(
"openssl x509 -outform der -in %s | base64 -w 0" % cls.adcert1_file
).stdout_text
cls.cert2_base64 = cls.master.run_command(
"openssl x509 -outform der -in %s | base64 -w 0" % cls.adcert2_file
).stdout_text
cls.cert1_pem = cls.master.run_command(
"openssl x509 -in %s -outform pem" % cls.adcert1_file
).stdout_text
cls.cert2_pem = cls.master.run_command(
"openssl x509 -in %s -outform pem" % cls.adcert2_file
).stdout_text
def install(cls, mh):
super(TestCertsInIDOverrides, cls).install(mh)
cls.ad = config.ad_domains[0].ads[0]
cls.ad_domain = cls.ad.domain.name
cls.aduser = "******" % cls.ad_domain
master = cls.master
# A setup for test_dbus_user_lookup
master.run_command(['dnf', 'install', '-y', 'sssd-dbus'],
raiseonerr=False)
master.run_command("sed -i 's/= 7/= 0xFFF0/' %s" % paths.SSSD_CONF,
raiseonerr=False)
with tasks.remote_sssd_config(master) as sssd_config:
try:
sssd_config.new_service('ifp')
except ServiceAlreadyExists:
pass
sssd_config.activate_service('ifp')
master.run_command(['systemctl', 'restart', 'sssd.service'])
# End of setup for test_dbus_user_lookup
# AD-related stuff
tasks.install_adtrust(master)
tasks.sync_time(master, cls.ad)
tasks.configure_dns_for_trust(master, cls.ad)
tasks.establish_trust_with_ad(
cls.master,
cls.ad_domain,
extra_args=['--range-type', 'ipa-ad-trust'])
cls.reqdir = os.path.join(master.config.test_dir, "certs")
cls.reqfile1 = os.path.join(cls.reqdir, "test1.csr")
cls.reqfile2 = os.path.join(cls.reqdir, "test2.csr")
cls.pwname = os.path.join(cls.reqdir, "pwd")
# Create a NSS database folder
master.run_command(['mkdir', cls.reqdir], raiseonerr=False)
# Create an empty password file
master.run_command(["touch", cls.pwname], raiseonerr=False)
# Initialize NSS database
tasks.run_certutil(master, ["-N", "-f", cls.pwname], cls.reqdir)
# Now generate self-signed certs for a windows user
stdin_text = string.digits + string.ascii_letters[2:] + '\n'
tasks.run_certutil(master, [
'-S', '-s',
"cn=%s,dc=ad,dc=test" % cls.adcert1, '-n', cls.adcert1, '-x', '-t',
'CT,C,C', '-v', '120', '-m', '1234'
],
cls.reqdir,
stdin=stdin_text)
tasks.run_certutil(master, [
'-S', '-s',
"cn=%s,dc=ad,dc=test" % cls.adcert2, '-n', cls.adcert2, '-x', '-t',
'CT,C,C', '-v', '120', '-m', '1234'
],
cls.reqdir,
stdin=stdin_text)
# Export the previously generated cert
res = tasks.run_certutil(master, ['-L', '-n', cls.adcert1, '-a'],
cls.reqdir)
master.put_file_contents(
os.path.join(master.config.test_dir, cls.adcert1_file),
res.stdout_text)
res = tasks.run_certutil(master, ['-L', '-n', cls.adcert2, '-a'],
cls.reqdir)
master.put_file_contents(
os.path.join(master.config.test_dir, cls.adcert2_file),
res.stdout_text)
cls.cert1_base64 = cls.master.run_command(
"openssl x509 -outform der -in %s | base64 -w 0" %
cls.adcert1_file).stdout_text
cls.cert2_base64 = cls.master.run_command(
"openssl x509 -outform der -in %s | base64 -w 0" %
cls.adcert2_file).stdout_text
cls.cert1_pem = cls.master.run_command(
"openssl x509 -in %s -outform pem" % cls.adcert1_file).stdout_text
cls.cert2_pem = cls.master.run_command(
"openssl x509 -in %s -outform pem" % cls.adcert2_file).stdout_text
