예제 #1
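 def test_podmanmap_feature(self, multihost):
     """
     :Title: Podman supports subid ranges managed by FreeIPA
     :id: 0e86df9c-50f1-11ec-82f3-845cf3eff344
     :customerscenario: true
     :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1803943
     :steps:
         1. Test podman finds proper uid_map
         2. Test podman finds proper gid_map
     :expectedresults:
         1. Should succeed
         2. Should succeed
     """
     # Populates the module globals uid_start/uid_range/gid_start/gid_range
     # that the expectations below are built from.
     ipa_subid_find(multihost)
     ssh1 = SSHClient(multihost.client[0].ip,
                      username=user,
                      password=test_password)
     try:
         expectations = (
             ("/proc/self/uid_map", uid_start, uid_range),
             ("/proc/self/gid_map", gid_start, gid_range),
         )
         for map_file, start, size in expectations:
             # The second element of the returned triple is the stream the
             # command output is read from.
             (_, stdout, _) = ssh1.exec_command(
                 f"podman unshare cat {map_file}")
             rows = stdout.readlines()
             # Only the second row is checked; fail with the captured output
             # instead of an IndexError when the mapping is missing.
             assert len(rows) > 1, rows
             fields = rows[1].split()
             assert str(start) == fields[1]
             assert str(size) == fields[2]
     finally:
         # Close the session even when an assertion fails, so a failing test
         # does not leave an authenticated connection open.
         ssh1.close()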
예제 #2
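 def test_subid_feature(self, multihost):
     """
     :Title: support subid ranges managed by FreeIPA
     :id: 50bcdc28-00c8-11ec-bef4-845cf3eff344
     :customerscenario: true
     :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1803943
     :steps:
         1. Test newuidmap command
         2. Test newgidmap command
     :expectedresults:
         1. Should succeed
         2. Should succeed
     """
     # Populates the module globals uid_start/gid_start used below.
     ipa_subid_find(multihost)
     ssh1 = SSHClient(multihost.client[0].ip,
                      username=user, password=test_password)
     proces_id = None
     try:
         # Start a long-lived process in a new user namespace and record
         # its PID so the mappings can be written from outside.
         # NOTE(review): /tmp/unshare.pid is a fixed name in a
         # world-writable directory, and the PID read back from it is later
         # passed to `kill -9`; a per-run private path would be safer.
         ssh1.exec_command("unshare -U bash -c "
                           "'echo $$>/tmp/unshare.pid;sleep 1000'")
         # Give the remote shell time to write the PID file.
         time.sleep(2)
         proces_id = int(execute_cmd(multihost,
                                     "cat "
                                     "/tmp/unshare.pid").stdout_text.strip())
         uid = 0
         gid = 1000
         count = 1
         # The third element of the triple is read for the failure message
         # (presumably the error stream - confirm against SSHClient).
         (_, _, map_errors) = ssh1.exec_command(
             f"newuidmap {proces_id} {uid} {uid_start} {count}")
         for line in map_errors.readlines():
             assert "write to uid_map failed" not in line
         (_, _, map_errors) = ssh1.exec_command(
             f"newgidmap {proces_id} {gid} {gid_start} {count}")
         for line in map_errors.readlines():
             assert "write to gid_map failed" not in line
         # Each map is expected to hold a single "<inside> <outside> <count>"
         # row matching what was requested above.
         result = execute_cmd(multihost, f"cat /proc/{proces_id}/uid_map")
         uid_fields = result.stdout_text.split()
         assert str(uid) == uid_fields[0]
         assert str(uid_start) == uid_fields[1]
         assert str(count) == uid_fields[2]
         result = execute_cmd(multihost, f"cat /proc/{proces_id}/gid_map")
         gid_fields = result.stdout_text.split()
         assert str(gid) == gid_fields[0]
         assert str(gid_start) == gid_fields[1]
         assert str(count) == gid_fields[2]
     finally:
         # Always clean up: a failed assertion must not leave the sleeping
         # namespace process, the PID file or the SSH session behind.
         try:
             if proces_id is not None:
                 multihost.client[0].run_command(f'kill -9 {proces_id}')
             multihost.client[0].run_command("rm -vf "
                                             "/tmp/unshare.pid")
         finally:
             ssh1.close()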
예제 #3
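def ipa_subid_find(multihost):
    """Look up the subordinate ID range of ``user`` and publish it as globals.

    Runs ``ipa subid-find --owner <user>`` over SSH on the first client and
    stores the parsed integers in the module globals ``uid_start``,
    ``uid_range``, ``gid_start`` and ``gid_range``.

    The values are taken from fixed line positions (6th to 9th line) of the
    command output, each expected to look like ``<label>: <number>``.
    """
    global uid_start, uid_range, gid_start, gid_range

    def _number(line):
        # Text after the first ': ', cut at the line break.
        return int(line.split(': ')[1].split('\n')[0])

    ssh1 = SSHClient(multihost.client[0].ip,
                     username=user, password=test_password)
    try:
        # The second element of the triple is the stream the output is
        # read from.
        (_, stdout, _) = ssh1.exec_command(
            f"ipa  subid-find  --owner  {user}")
        user_details = stdout.readlines()
    finally:
        # Release the session even if the command or the read fails.
        ssh1.close()
    # Fail with the captured output rather than a bare IndexError when the
    # lookup returned fewer lines than expected (e.g. no range assigned).
    assert len(user_details) > 8, user_details
    uid_start = _number(user_details[5])
    uid_range = _number(user_details[6])
    gid_start = _number(user_details[7])
    gid_range = _number(user_details[8])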
예제 #4
파일: conftest.py 프로젝트: sgoveas/sssd
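def subid_generate(session_multihost, request):
    """
    Generate subid for user admin

    Logs in to the first client over SSH, obtains a Kerberos ticket with
    ``kinit`` and then runs ``ipa subid-generate`` for the same user.
    ``request`` is accepted but not used here.
    """
    # NOTE(review): both values appear masked in this listing; in a real
    # suite they should come from test configuration, not source literals.
    user = "******"
    test_password = "******"
    ssh1 = SSHClient(session_multihost.client[0].ip,
                     username=user, password=test_password)
    try:
        (_, _, exit_status) = ssh1.execute_cmd('kinit',
                                               stdin=test_password)
        assert exit_status == 0
        # NOTE(review): the outcome of subid-generate is never inspected,
        # so a failed generation only surfaces later in dependent tests.
        ssh1.exec_command(f"ipa  subid-generate  --owner={user}")
    finally:
        # Close the session even when kinit fails, so the failed setup does
        # not leak an authenticated connection.
        ssh1.close()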
예제 #5
파일: test_misc.py 프로젝트: rdratlos/sssd
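 def test_authentication_indicators(self, multihost):
     """
     :title: Add support to verify authentication
      indicators in pam_sss_gss
     :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1926622
     :id: 4891ed62-7fc8-11eb-98be-002b677efe14
     :steps:
         1. Add pam_sss_gss configuration to /etc/sssd/sssd.conf
         2. Add pam_sss_gss.so to /etc/pam.d/sudo
         3. Restart SSSD
         4. Enable SSSD debug logs
         5. Switch to 'admin' user
         6. obtain Kerberos ticket and check that it
            was obtained using SPAKE pre-authentication.
         7. Create sudo configuration that allows an admin to
            run SUDO rules
         8. Try 'sudo -l' as admin
         9. As root, check content of sssd_pam.log
        10. Check if acquired service ticket has req. indicators: 0
        11. Add pam_sss_gss configuration to /etc/sssd/sssd.conf
        12. Check if acquired service ticket has req.
            indicators: 2
     :expectedresults:
         1. Should succeed
         2. Should succeed
         3. Should succeed
         4. Should succeed
         5. Should succeed
         6. Should succeed
         7. Should succeed
         8. Should succeed
         9. Should succeed
        10. Should succeed
        11. Should succeed
        12. Should succeed
     """
     host = multihost.client[0]
     # Stop SSSD, wipe its logs and cache, start it again: every phase
     # begins with an empty sssd_pam.log.
     restart_clean = ('systemctl stop sssd ; '
                      'rm -rf /var/log/sssd/* ; '
                      'rm -rf /var/lib/sss/db/* ; '
                      'systemctl start sssd')
     # Last ten gssapi_ lines of the PAM responder log.
     grep_gssapi = ('fgrep gssapi_ '
                    '/var/log/sssd/sssd_pam.log '
                    '|tail -10')

     client = sssdTools(host)
     domain_params = {
         'pam_gssapi_services': 'sudo, sudo-i',
         'pam_gssapi_indicators_map': 'hardened, '
         'sudo:pkinit, '
         'sudo-i:otp'
     }
     client.sssd_conf('pam', domain_params)
     # Back up both PAM stacks before touching them.
     # NOTE(review): the *_indicators copies are never removed from
     # /etc/pam.d afterwards.
     host.run_command('cp -vf '
                      '/etc/pam.d/sudo '
                      '/etc/pam.d/sudo_indicators')
     host.run_command('cp -vf '
                      '/etc/pam.d/sudo-i '
                      '/etc/pam.d/sudo-i_indicators')
     try:
         # Insert "auth sufficient pam_sss_gss.so debug" as line 2 of each
         # stack.
         host.run_command("sed -i "
                          "'2s/^/auth sufficient "
                          "pam_sss_gss.so debug\\n/' "
                          "/etc/pam.d/sudo")
         host.run_command("sed -i "
                          "'2s/^/auth sufficient "
                          "pam_sss_gss.so debug\\n/' "
                          "/etc/pam.d/sudo-i")
         host.run_command(restart_clean)
         host.run_command("sssctl debug-level 9")

         # Phase 1: create the sudo rule and trigger pam_sss_gss once.
         # NOTE(review): the admin password is a literal in the test; the
         # results of the setup commands below are not checked.
         ssh = SSHClient(host.ip,
                         username='******',
                         password='******')
         try:
             ssh.execute_cmd('kinit admin', stdin='Secret123')
             ssh.exec_command('klist')
             ssh.execute_cmd('ipa sudocmd-add ALL2')
             ssh.execute_cmd('ipa sudorule-add testrule2')
             ssh.execute_cmd("ipa sudorule-add-allow-command "
                             "testrule2 "
                             "--sudocmds 'ALL2'")
             ssh.execute_cmd('ipa sudorule-mod testrule2 --hostcat=all')
             ssh.execute_cmd('ipa sudorule-add-user '
                             'testrule2 '
                             '--users admin')
             ssh.execute_cmd('sudo -l')
         finally:
             ssh.close()
         search = host.run_command(grep_gssapi)
         assert 'indicators: 0' in search.stdout_text

         # Phase 2: switch the indicators map and repeat the sudo call.
         client = sssdTools(host)
         domain_params = {
             'pam_gssapi_services': 'sudo, sudo-i',
             'pam_gssapi_indicators_map': 'sudo-i:hardened'
         }
         client.sssd_conf('pam', domain_params)
         host.run_command(restart_clean)
         ssh = SSHClient(host.ip,
                         username='******',
                         password='******')
         try:
             ssh.execute_cmd('kinit admin', stdin='Secret123')
             host.run_command("sssctl debug-level 9")
             ssh.execute_cmd('sudo -l')
             ssh.exec_command('klist')
             # NOTE(review): the IPA objects are removed only on this
             # path; a failure before this point leaves testrule2 and
             # ALL2 defined on the server.
             ssh.execute_cmd('ipa sudocmd-del ALL2')
             ssh.execute_cmd('ipa sudorule-del testrule2')
         finally:
             ssh.close()
         search = host.run_command(grep_gssapi)
         assert 'indicators: 2' in search.stdout_text
     finally:
         # Restore the original PAM stacks on every exit path, so a failed
         # assertion cannot leave "auth sufficient pam_sss_gss.so" active
         # in the host's sudo configuration.
         try:
             host.run_command('cp -vf /etc/pam.d/sudo_indicators '
                              '/etc/pam.d/sudo')
         finally:
             host.run_command('cp -vf /etc/pam.d/sudo-i_indicators '
                              '/etc/pam.d/sudo-i')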