def setup_ipa_client(session_multihost, request):
    """Enrol the first client host into the IPA master for the whole session.

    Installs the common packages on both hosts, points the client's
    resolver at the master's IP, runs ``ipa-client-install`` unattended and
    registers a finalizer on *request* that uninstalls the client again.

    :param session_multihost: multihost fixture exposing ``client`` and
        ``master`` host lists.
    :param request: pytest request object used to register the teardown.
    """
    client_node = session_multihost.client[0]
    master_node = session_multihost.master[0]
    sssd_client = sssdTools(client_node)
    ipa_client = ipaTools(client_node)
    ipa_server = ipaTools(master_node)
    for tools in (ipa_client, ipa_server):
        tools.install_common_pkgs()
    # Address of each host's default network interface.
    client_ip = ipa_client.get_interface_ip(ipa_client.get_default_nw_uuid())
    server_ip = ipa_server.get_interface_ip(ipa_server.get_default_nw_uuid())
    sssd_client.update_resolv_conf(server_ip)
    # NOTE: the admin password is passed on the command line, so it shows up
    # in process listings and in the log of this command on the client.
    options = (
        "--ip-address=%s --hostname %s "
        "--server %s --domain %s "
        "--realm %s -w %s -p %s -U --mkhomedir"
        % (client_ip,
           client_node.sys_hostname,
           master_node.sys_hostname,
           "testrealm.test",
           "TESTREALM.TEST",
           "Secret123",
           "admin")
    )
    client_install_cmd = "ipa-client-install %s" % options
    try:
        client_node.run_command(client_install_cmd)
    except subprocess.CalledProcessError:
        pytest.fail("ipa client install failed")

    def teardown_session():
        """ Uninstall ipa client from server """
        client_node.run_command('ipa-client-install --uninstall -U')

    request.addfinalizer(teardown_session)
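 def test_hbac_refresh_time(self, multihost):
     """
     :title: hbac: Verify cached hbac rule is applied
      for the refresh time period
     :id: c839fd33-65da-4252-82cf-5ba88ad02f55

     Expected sequence with ``ipa_hbac_refresh = 60``:

     1. login succeeds while rule 'test1' allows foobar1;
     2. foobar1 is removed from the rule on the server, but within the
        refresh window the cached rule still allows the login;
     3. after the refresh window the login is denied.

     All three checks must hold for the test to pass.  The sssd.conf change
     and the HBAC rule are reverted even when a step raises.
     """
     ipa_server = ipaTools(multihost.master[0])
     ipa_client = ipaTools(multihost.client[0])
     sssd_client = sssdTools(multihost.client[0])
     domain_name = '%s/%s' % ('domain',
                              sssd_client.get_domain_section_name())
     client_host = multihost.client[0].sys_hostname
     hbac_params = {'ipa_hbac_refresh': '60'}
     ipa_server.add_hbac_rule('test1', 'foobar1', client_host, 'sshd')
     multihost.client[0].service_sssd('stop')
     sssd_client.remove_sss_cache('/var/lib/sss/db')
     sssd_client.sssd_conf(domain_name, hbac_params)
     multihost.client[0].service_sssd('start')
     # Each check is recorded separately: the previous version only ever
     # wrote 'PASS', so an early failure was masked by the last check.
     allowed_initially = False
     allowed_from_cache = False
     denied_after_refresh = False
     try:
         allowed_initially = bool(ipa_client.ssh_login('foobar1',
                                                       'Secret123',
                                                       client_host,
                                                       command='id'))
         # sleep for 20 seconds, then update the rule on the server
         time.sleep(20)
         update_rule = "ipa hbacrule-remove-user --users='foobar1' test1"
         multihost.master[0].run_command(update_rule)
         # still inside the refresh window: the cached rule must apply
         allowed_from_cache = bool(ipa_client.ssh_login('foobar1',
                                                        'Secret123',
                                                        client_host,
                                                        command='id'))
         time.sleep(45)
         # now it should not allow login
         denied_after_refresh = not ipa_client.ssh_login('foobar1',
                                                         'Secret123',
                                                         client_host)
     finally:
         sssd_client.sssd_conf(domain_name, hbac_params, action='delete')
         multihost.client[0].service_sssd('restart')
         ipa_server.del_hbac_rule('test1')
     all_ok = allowed_initially and allowed_from_cache and denied_after_refresh
     status = 'PASS' if all_ok else 'FAIL'
     assert status == 'PASS', (
         'initial login=%s, cached login=%s, denied after refresh=%s'
         % (allowed_initially, allowed_from_cache, denied_after_refresh))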
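    def test_multiple_ad_groups(self, multihost):
        """
        :title: Verify hbac evaluation when user is member
         of multiple AD Groups and with different hbac rules
        :id: eb78448d-8a4d-4800-9334-8d8cdb8b0af2

        For i in 3..4 an external group idm_ext_group<i> wraps the AD group
        idm_group<i>@<ad domain> and is nested into the POSIX group
        idm_posix_group<i>.  Rule ad_test3 grants sshd to idm_posix_group3
        and ad_test4 grants sudo to idm_posix_group4; the AD user must then
        pass ``sssctl user-checks -s sshd``.

        A failed setup step marks the test FAIL (the previous version
        overwrote that status with the sssctl result), and groups, rules
        and caches are cleaned up in ``finally``.
        """
        ipa_server_tools = ipaTools(multihost.master[0])
        ipa_client = sssdTools(multihost.client[0])
        ipa_server = sssdTools(multihost.master[0])
        client_host = multihost.client[0].sys_hostname
        ad_domain_name = multihost.ad[0].domainname.lower()
        # NOTE(review): this literal is redacted in the copy this block was
        # taken from; restore the user name from the repository before use.
        aduser = '******' % ad_domain_name

        def attempt(step, *args, **kwargs):
            """Run one IPA setup step; return False if it raises SSSDException."""
            try:
                step(*args, **kwargs)
            except SSSDException:
                return False
            return True

        setup_ok = True
        for i in range(3, 5):
            ext_group = 'idm_ext_group%d' % i
            adgroup = 'idm_group%d@%s' % (i, ad_domain_name)
            posix_group = 'idm_posix_group%d' % i
            # AD group -> external group -> POSIX group
            setup_ok &= attempt(ipa_server_tools.create_group, ext_group,
                                external=True)
            setup_ok &= attempt(ipa_server_tools.group_add_member, adgroup,
                                ext_group, external=True)
            setup_ok &= attempt(ipa_server_tools.create_group, posix_group)
            setup_ok &= attempt(ipa_server_tools.group_add_member, ext_group,
                                posix_group)

        test_pam = re.compile(r'%s' % 'pam_acct_mgmt: Success')
        result = None
        try:
            ipa_server_tools.add_hbac_rule('ad_test3', 'idm_posix_group3',
                                           client_host, 'sshd', group=True)
            ipa_server_tools.add_hbac_rule('ad_test4', 'idm_posix_group4',
                                           client_host, 'sudo', group=True)
            sssctl_cmd = 'sssctl user-checks -s sshd %s' % aduser
            cmd = multihost.client[0].run_command(sssctl_cmd,
                                                  raiseonerr=False)
            result = test_pam.search(cmd.stderr_text)
        finally:
            for grp in ['idm_ext_group3', 'idm_ext_group4',
                        'idm_posix_group3', 'idm_posix_group4']:
                multihost.master[0].run_command('ipa group-del %s' % grp,
                                                raiseonerr=False)
            ipa_server_tools.del_hbac_rule('ad_test3')
            ipa_server_tools.del_hbac_rule('ad_test4')
            ipa_client.clear_sssd_cache()
            ipa_server.clear_sssd_cache()
        status = 'PASS' if (setup_ok and result) else 'FAIL'
        assert status == 'PASS', 'setup ok=%s, pam_acct_mgmt success=%s' % (
            setup_ok, bool(result))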
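    def test_disallowed_ad_group(self, multihost, create_aduser_group):
        """
        :title: Verify Member of denied AD Group through
         hbac is not able to login
        :id: 7092f403-ca58-4683-89b8-400c64dd0a1d

        External group idm_ext_group2 wraps idm_group1@<ad domain> and is
        nested into idm_posix_group2, which rule ad_test2 allows for sshd.
        The user from the ``create_aduser_group`` fixture is not in that
        group, so ``sssctl user-checks -s sshd`` must report
        ``pam_acct_mgmt: Permission denied``.

        A failed setup step marks the test FAIL (the previous version
        overwrote that status with the sssctl result), and groups, rule
        and caches are cleaned up in ``finally``.
        """
        aduser, _adgroup = create_aduser_group
        ipa_server_tools = ipaTools(multihost.master[0])
        ipa_client = sssdTools(multihost.client[0])
        ipa_server = sssdTools(multihost.master[0])
        client_host = multihost.client[0].sys_hostname
        ad_domain_name = multihost.ad[0].domainname.lower()
        allow_adgroup = 'idm_group1@%s' % ad_domain_name

        def attempt(step, *args, **kwargs):
            """Run one IPA setup step; return False if it raises SSSDException."""
            try:
                step(*args, **kwargs)
            except SSSDException:
                return False
            return True

        setup_ok = True
        # AD group -> external group -> POSIX group
        setup_ok &= attempt(ipa_server_tools.create_group, 'idm_ext_group2',
                            external=True)
        setup_ok &= attempt(ipa_server_tools.group_add_member, allow_adgroup,
                            'idm_ext_group2', external=True)
        setup_ok &= attempt(ipa_server_tools.create_group, 'idm_posix_group2')
        setup_ok &= attempt(ipa_server_tools.group_add_member,
                            'idm_ext_group2', 'idm_posix_group2')

        # NOTE(review): this literal is redacted in the copy this block was
        # taken from; restore the user format from the repository before use.
        disallowed_user = '******' % (aduser, ad_domain_name)
        # 'denie' is a prefix match; search() also accepts 'denied'
        test_pam = re.compile(r'%s' % 'pam_acct_mgmt: Permission denie')
        result = None
        try:
            ipa_server_tools.add_hbac_rule('ad_test2',
                                           'idm_posix_group2',
                                           client_host,
                                           'sshd',
                                           group=True)
            sssctl_cmd = 'sssctl user-checks -s sshd %s' % disallowed_user
            cmd = multihost.client[0].run_command(sssctl_cmd,
                                                  raiseonerr=False)
            result = test_pam.search(cmd.stderr_text)
        finally:
            for grp in ['idm_ext_group2', 'idm_posix_group2']:
                multihost.master[0].run_command('ipa group-del %s' % grp,
                                                raiseonerr=False)
            ipa_server_tools.del_hbac_rule('ad_test2')
            ipa_client.clear_sssd_cache()
            ipa_server.clear_sssd_cache()
        status = 'PASS' if (setup_ok and result) else 'FAIL'
        assert status == 'PASS', 'setup ok=%s, permission denied=%s' % (
            setup_ok, bool(result))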
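    def test_allowed_ad_group(self, multihost):
        """
        :title: Verify Member of allowed AD Group
         through hbac is able to login
        :id: 401fb710-b876-4693-92d0-86a75b94973f

        External group idm_ext_group1 wraps idm_group1@<ad domain> and is
        nested into idm_posix_group1, which rule ad_test1 allows for sshd.
        The AD user must then pass ``sssctl user-checks -s sshd``.

        A failed setup step marks the test FAIL (the previous version
        overwrote that status with the sssctl result), and groups, rule
        and caches are cleaned up in ``finally``.
        """
        ipa_server_tools = ipaTools(multihost.master[0])
        ipa_client = sssdTools(multihost.client[0])
        ipa_server = sssdTools(multihost.master[0])
        client_host = multihost.client[0].sys_hostname
        ad_domain_name = multihost.ad[0].domainname.lower()
        # NOTE(review): this literal is redacted in the copy this block was
        # taken from; restore the user name from the repository before use.
        aduser = '******' % ad_domain_name
        adgroup = 'idm_group1@%s' % ad_domain_name

        def attempt(step, *args, **kwargs):
            """Run one IPA setup step; return False if it raises SSSDException."""
            try:
                step(*args, **kwargs)
            except SSSDException:
                return False
            return True

        setup_ok = True
        # AD group -> external group -> POSIX group
        setup_ok &= attempt(ipa_server_tools.create_group, 'idm_ext_group1',
                            external=True)
        setup_ok &= attempt(ipa_server_tools.group_add_member, adgroup,
                            'idm_ext_group1', external=True)
        setup_ok &= attempt(ipa_server_tools.create_group, 'idm_posix_group1')
        setup_ok &= attempt(ipa_server_tools.group_add_member,
                            'idm_ext_group1', 'idm_posix_group1')

        test_pam = re.compile(r'%s' % 'pam_acct_mgmt: Success')
        result = None
        try:
            ipa_server_tools.add_hbac_rule('ad_test1',
                                           'idm_posix_group1',
                                           client_host,
                                           'sshd',
                                           group=True)
            sssctl_cmd = 'sssctl user-checks -s sshd %s' % aduser
            cmd = multihost.client[0].run_command(sssctl_cmd,
                                                  raiseonerr=False)
            result = test_pam.search(cmd.stderr_text)
        finally:
            for grp in ['idm_ext_group1', 'idm_posix_group1']:
                multihost.master[0].run_command('ipa group-del %s' % grp,
                                                raiseonerr=False)
            ipa_server_tools.del_hbac_rule('ad_test1')
            ipa_client.clear_sssd_cache()
            ipa_server.clear_sssd_cache()
        status = 'PASS' if (setup_ok and result) else 'FAIL'
        assert status == 'PASS', 'setup ok=%s, pam_acct_mgmt success=%s' % (
            setup_ok, bool(result))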
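    def test_hbac_nested_group(self, multihost):
        """
        :title: Verify hbac evaluation of AD Nested Groups
        :id: f7fc6349-daba-43c2-be4e-e13923e201f9

        External group idm_ext_group5 wraps nested_group1@<ad domain> and is
        nested into idm_posix_group5, which rule ad_test5 allows for sshd.
        The AD user, a member through the nested AD group, must then pass
        ``sssctl user-checks -s sshd``.

        A failed setup step marks the test FAIL (the previous version
        overwrote that status with the sssctl result), and groups, rule
        and caches are cleaned up in ``finally``.
        """
        ipa_server_tools = ipaTools(multihost.master[0])
        ipa_client = sssdTools(multihost.client[0])
        ipa_server = sssdTools(multihost.master[0])
        client_host = multihost.client[0].sys_hostname
        ad_domain_name = multihost.ad[0].domainname.lower()
        # NOTE(review): this literal is redacted in the copy this block was
        # taken from; restore the user name from the repository before use.
        aduser = '******' % ad_domain_name
        adgroup = 'nested_group1@%s' % ad_domain_name

        def attempt(step, *args, **kwargs):
            """Run one IPA setup step; return False if it raises SSSDException."""
            try:
                step(*args, **kwargs)
            except SSSDException:
                return False
            return True

        setup_ok = True
        # AD nested group -> external group -> POSIX group
        setup_ok &= attempt(ipa_server_tools.create_group, 'idm_ext_group5',
                            external=True)
        setup_ok &= attempt(ipa_server_tools.group_add_member, adgroup,
                            'idm_ext_group5', external=True)
        setup_ok &= attempt(ipa_server_tools.create_group, 'idm_posix_group5')
        setup_ok &= attempt(ipa_server_tools.group_add_member,
                            'idm_ext_group5', 'idm_posix_group5')

        test_pam = re.compile(r'%s' % 'pam_acct_mgmt: Success')
        result = None
        try:
            ipa_server_tools.add_hbac_rule('ad_test5',
                                           'idm_posix_group5',
                                           client_host,
                                           'sshd',
                                           group=True)
            sssctl_cmd = 'sssctl user-checks -s sshd %s' % aduser
            cmd = multihost.client[0].run_command(sssctl_cmd,
                                                  raiseonerr=False)
            result = test_pam.search(cmd.stderr_text)
        finally:
            for grp in ['idm_ext_group5', 'idm_posix_group5']:
                multihost.master[0].run_command('ipa group-del %s' % grp,
                                                raiseonerr=False)
            ipa_server_tools.del_hbac_rule('ad_test5')
            ipa_client.clear_sssd_cache()
            ipa_server.clear_sssd_cache()
        status = 'PASS' if (setup_ok and result) else 'FAIL'
        assert status == 'PASS', 'setup ok=%s, pam_acct_mgmt success=%s' % (
            setup_ok, bool(result))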
def hbac_sshd_rule(session_multihost, request):
    """
    Setup hbac rule for service sshd which allows
    user foobar1 to ssh from client host.

    Creates HBAC rule 'test1' on the IPA master for user foobar1, the
    first client host and service sshd, and registers a finalizer on
    *request* that deletes the rule again.
    """
    ipa_server_tools = ipaTools(session_multihost.master[0])
    rule_name = 'test1'
    target_host = session_multihost.client[0].sys_hostname

    def delete_hbac_rule():
        """ Delete hbac rule """
        ipa_server_tools.del_hbac_rule(rule_name)

    ipa_server_tools.add_hbac_rule(rule_name, 'foobar1', target_host, 'sshd')
    request.addfinalizer(delete_hbac_rule)
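 def test_nested_groups(self, multihost):
     """
     :title: hbac: Verify hbac evaluation works as expected
      with nested group evaluation
     :id: fb2fd287-b217-487c-a59a-d827c426b0bb

     foobar1 is a direct member of std_group and foobar2 a member of
     admin_group, which is nested into std_group.  With an sshd HBAC rule
     on std_group both users must pass ``sssctl user-checks -s sshd``.

     Every user is checked and any denial fails the test (the previous
     loop overwrote the result per user, so only the last user counted).
     Rules and groups are removed in ``finally``.
     """
     ipa_server = ipaTools(multihost.master[0])
     client_host = multihost.client[0].sys_hostname
     groups = ['std_group', 'admin_group']
     for grp in groups:
         cmd = 'ipa group-add %s' % grp
         multihost.master[0].run_command(cmd)
     test_pam = re.compile(r'%s' % 'pam_acct_mgmt: Success')
     denied_users = []
     try:
         # Add members
         cmd1 = 'ipa group-add-member --users=foobar1 std_group'
         cmd2 = 'ipa group-add-member --users=foobar2 admin_group'
         multihost.master[0].run_command(cmd1, raiseonerr=False)
         multihost.master[0].run_command(cmd2, raiseonerr=False)
         # make admin_group member of std_group
         nested_group = 'ipa group-add-member --groups=admin_group std_group'
         multihost.master[0].run_command(nested_group, raiseonerr=False)
         # add rule
         ipa_server.add_hbac_rule('allow_ssh_access',
                                  'std_group',
                                  client_host,
                                  'sshd',
                                  group=True)
         ipa_server.add_hbac_rule('allow_sudo_access',
                                  'admin_group',
                                  client_host,
                                  'sudo',
                                  group=True)
         for user in ['foobar1', 'foobar2']:
             sssctl_cmd = 'sssctl user-checks -s sshd %s' % user
             # raiseonerr=False: a denial is a test result, not an error
             cmd1 = multihost.client[0].run_command(sssctl_cmd,
                                                    raiseonerr=False)
             if not test_pam.search(cmd1.stderr_text):
                 denied_users.append(user)
     finally:
         ipa_server.del_hbac_rule('allow_ssh_access')
         ipa_server.del_hbac_rule('allow_sudo_access')
         for grp in groups:
             cmd = 'ipa group-del %s' % grp
             multihost.master[0].run_command(cmd)
     STATUS = 'FAIL' if denied_users else 'PASS'
     assert STATUS == 'PASS', 'sshd access denied for: %s' % denied_users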
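 def test_auto_private_group(self, multihost):
     """
     :title: hbac: Verify hbac rule associated with
      User private Groups
     :id: 99904ccd-bf2f-4c09-9636-92e036e19a0e

     Enables ``auto_private_groups`` in the client's domain section, adds
     foobar1 to std_group with an sshd HBAC rule on that group and checks
     that ``sssctl user-checks -s sshd foobar1`` reports
     ``pam_acct_mgmt: Success``.

     The rule, the group and the sssd.conf change are reverted in
     ``finally`` so a failing step does not leak into later tests.
     """
     ipa_server = ipaTools(multihost.master[0])
     sssd_client = sssdTools(multihost.client[0])
     domain_name = '%s/%s' % ('domain',
                              sssd_client.get_domain_section_name())
     client_host = multihost.client[0].sys_hostname
     enable_pvtgroups = {'auto_private_groups': 'True'}
     multihost.client[0].service_sssd('stop')
     sssd_client.remove_sss_cache('/var/lib/sss/db')
     sssd_client.sssd_conf(domain_name, enable_pvtgroups)
     multihost.client[0].service_sssd('start')
     test_pam = re.compile(r'%s' % 'pam_acct_mgmt: Success')
     STATUS = 'FAIL'
     try:
         cmd = 'ipa group-add std_group'
         multihost.master[0].run_command(cmd)
         # Add members
         cmd1 = 'ipa group-add-member --users=foobar1 std_group'
         multihost.master[0].run_command(cmd1, raiseonerr=False)
         # add rule
         ipa_server.add_hbac_rule('allow_ssh_access',
                                  'std_group',
                                  client_host,
                                  'sshd',
                                  group=True)
         sssctl_cmd = 'sssctl user-checks -s sshd foobar1'
         # raiseonerr=False: a denial is a test result, not an error
         cmd1 = multihost.client[0].run_command(sssctl_cmd, raiseonerr=False)
         if test_pam.search(cmd1.stderr_text):
             STATUS = 'PASS'
     finally:
         ipa_server.del_hbac_rule('allow_ssh_access')
         cmd = 'ipa group-del std_group'
         multihost.master[0].run_command(cmd)
         sssd_client.sssd_conf(domain_name, enable_pvtgroups, action='delete')
         multihost.client[0].service_sssd('restart')
     assert STATUS == 'PASS'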
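 def test_multiple_hbac_rules(self, multihost):
     """
     @Title: hbac: Verify HBAC Evaluation happens per service
     when user is associated  with multiple hbac rules

     Two rules are created for foobar1 on the client host, 'test1' for
     sshd and 'test2' for sudo; ``sssctl user-checks -s sshd foobar1``
     must then report ``pam_acct_mgmt: Success``.  Both rules are deleted
     in ``finally`` so a failure cannot leave them behind for other tests
     that create a rule named 'test1'.
     """
     ipa_server = ipaTools(multihost.master[0])
     client_host = multihost.client[0].sys_hostname
     test_pam = re.compile(r'%s' % 'pam_acct_mgmt: Success')
     STATUS = 'FAIL'
     try:
         ipa_server.add_hbac_rule('test1', 'foobar1', client_host, 'sshd')
         ipa_server.add_hbac_rule('test2', 'foobar1', client_host, 'sudo')
         sssctl_cmd = 'sssctl user-checks -s sshd foobar1'
         # raiseonerr=False: a denial is a test result, not an error
         cmd = multihost.client[0].run_command(sssctl_cmd, raiseonerr=False)
         if test_pam.search(cmd.stderr_text):
             STATUS = 'PASS'
     finally:
         ipa_server.del_hbac_rule('test1')
         ipa_server.del_hbac_rule('test2')
     assert STATUS == 'PASS'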