def test_subid_useradmin(self):
tasks.kinit_admin(self.master)
uid_useradmin = "testuser_usermgr_mgr1"
role = "User Administrator"
uid = "testuser_usermgr_user1"
password = "******"
# create user administrator
tasks.create_active_user(self.master, uid_useradmin, password=password)
# add user to user admin group
tasks.kinit_admin(self.master)
self.master.run_command(
["ipa", "role-add-member", role, f"--users={uid_useradmin}"], )
# kinit as user admin
tasks.kinit_user(self.master, uid_useradmin, password)
# create new user as user admin
tasks.user_add(self.master, uid)
# assign new subid to user (with useradmin credentials)
self.subid_generate(uid)
# test that user admin can preserve and delete users with subids
self.master.run_command(["ipa", "user-del", "--preserve", uid])
# XXX does not work, see subordinate-ids.md
# subid should still exist
# self.assert_subid(uid, match=True)
# final delete should remove the user and subid
self.master.run_command(["ipa", "user-del", uid])
self.assert_subid(uid, match=False)
def install(cls, mh):
if cls.domain_level is not None:
domain_level = cls.domain_level
else:
domain_level = cls.master.config.domain_level
tasks.install_topo(cls.topology,
cls.master, cls.replicas,
cls.clients, domain_level,
clients_extra_args=('--mkhomedir',))
cls.ad = cls.ads[0]
cls.smbserver = cls.clients[0]
cls.smbclient = cls.clients[1]
cls.ad_user = '******'.format(cls.ad_user_login, cls.ad.domain.name)
tasks.config_host_resolvconf_with_master_data(cls.master,
cls.smbclient)
tasks.install_adtrust(cls.master)
tasks.configure_dns_for_trust(cls.master, cls.ad)
tasks.configure_windows_dns_for_trust(cls.ad, cls.master)
tasks.establish_trust_with_ad(cls.master, cls.ad.domain.name,
extra_args=['--two-way=true'])
tasks.create_active_user(cls.master, cls.ipa_user1,
password=cls.ipa_user1_password)
tasks.create_active_user(cls.master, cls.ipa_user2,
password=cls.ipa_user2_password)
# Trigger creation of home directories on the SMB server
for user in [cls.ipa_user1, cls.ipa_user2, cls.ad_user]:
tasks.run_command_as_user(cls.smbserver, user, ['stat', '.'])
def test_ipa_user_pac(self):
"""Test that a user can request a service ticket with PAC"""
user = '******'
user_princ = '@'.join([user, self.master.domain.realm])
passwd = 'Secret123'
# Create a user with a password
tasks.create_active_user(
self.master,
user,
passwd,
extra_args=['--homedir', '/home/{}'.format(user)])
try:
# Defaults: host/... principal for service
# keytab in /etc/krb5.keytab
self.master.run_command(["kinit", '-k'])
# Don't use enterprise principal here because it doesn't work
# bug in krb5: src/lib/gssapi/krb5/acquire_cred.c:scan_cache()
# where enterprise principals aren't taken into account
result = self.master.run_command([
os.path.join(paths.LIBEXEC_IPA_DIR, "ipa-print-pac"), "ticket",
user_princ
],
stdin_text=(passwd + '\n'),
raiseonerr=False)
assert "PAC_DATA" in result.stdout_text
finally:
tasks.kinit_admin(self.master)
self.master.run_command(['ipa', 'user-del', user])
def test_add_agent_not_allowed(self):
"""Check that add-agents can be run only by Admins."""
user = "******"
passwd = "Secret123"
host = self.replicas[0].hostname
data_fmt = '{{"method":"trust_enable_agent","params":[["{}"],{{}}]}}'
try:
# Create a nonadmin user that will be used by curl
tasks.create_active_user(self.master,
user,
passwd,
first=user,
last=user)
tasks.kinit_as_user(self.master, user, passwd)
# curl --negotiate -u : is using GSS-API i.e. nonadmin user
cmd_args = [
paths.BIN_CURL, '-H', 'referer:https://{}/ipa'.format(host),
'-H', 'Content-Type:application/json', '-H',
'Accept:applicaton/json', '--negotiate', '-u', ':', '--cacert',
paths.IPA_CA_CRT, '-d',
data_fmt.format(host), '-X', 'POST',
'https://{}/ipa/json'.format(host)
]
res = self.master.run_command(cmd_args)
expected = 'Insufficient access: not allowed to remotely add agent'
assert expected in res.stdout_text
finally:
tasks.kinit_admin(self.master)
self.master.run_command(['ipa', 'user-del', user])
def test_subid_selfservice(self):
uid1 = "testuser_selfservice1"
uid2 = "testuser_selfservice2"
password = "******"
role = "Subordinate ID Selfservice User"
tasks.create_active_user(self.master, uid1, password=password)
tasks.create_active_user(self.master, uid2, password=password)
tasks.kinit_user(self.master, uid1, password=password)
self.assert_subid(uid1, match=False)
result = self.subid_generate(uid1, raiseonerr=False)
assert result.returncode > 0
result = self.subid_generate(None, raiseonerr=False)
assert result.returncode > 0
tasks.kinit_admin(self.master)
self.master.run_command(
["ipa", "role-add-member", role, "--groups=ipausers"])
try:
tasks.kinit_user(self.master, uid1, password)
self.subid_generate(uid1)
self.assert_subid(uid1, match=True)
# add subid from whoami
tasks.kinit_as_user(self.master, uid2, password=password)
self.subid_generate(None)
self.assert_subid(uid2, match=True)
finally:
tasks.kinit_admin(self.master)
self.master.run_command(
["ipa", "role-remove-member", role, "--groups=ipausers"])
def test_ipa_user_s4u2self_pac(self):
"""Test that a service can request S4U2Self ticket with PAC"""
user = '******'
user_princ = '@'.join([user, self.master.domain.realm])
passwd = 'Secret123'
# Create a user with a password
tasks.create_active_user(
self.master,
user,
passwd,
extra_args=["--homedir", "/home/{}".format(user)],
krb5_trace=True)
try:
# Defaults: host/... principal for service
# keytab in /etc/krb5.keytab
self.master.run_command(["kinit", '-k'])
result = self.master.run_command([
os.path.join(paths.LIBEXEC_IPA_DIR, "ipa-print-pac"), "-E",
"impersonate", user_princ
],
raiseonerr=False)
assert "PAC_DATA" in result.stdout_text
finally:
tasks.kinit_admin(self.master)
self.master.run_command(['ipa', 'user-del', user])
def test_selinux_user_optimized(self):
"""
Check that SELinux login context is set on first login for the
user, even if the user is not mapped to a specific SELinux user.
Related ticket https://pagure.io/SSSD/sssd/issue/3819.
"""
# Scenario: add an IPA user with non-default home dir, login through
# ssh as this user and check that there is a SELinux user mapping
# for the user with `semanage login -l`.
test_user = '******'
password = '******'
tasks.kinit_admin(self.master)
tasks.create_active_user(
self.master,
test_user,
password=password,
extra_args=['--homedir', '/root/{}'.format(test_user)])
tasks.run_ssh_cmd(to_host=self.master.external_hostname,
username=test_user,
auth_method="password",
password=password)
# check if user listed in output
cmd = self.master.run_command(['semanage', 'login', '-l'])
assert test_user in cmd.stdout_text
# call ipa user-del
tasks.kinit_admin(self.master)
self.master.run_command(['ipa', 'user-del', test_user])
def test_delete_group_by_user_administrator(self):
"""
Test that a user with sufficient privileges can delete group
This is a Automation for issue 6884
"""
# Create a new testadmin user with a password
testadmin = 'tuser'
password = '******'
testgroup = 'gtest'
try:
tasks.create_active_user(self.master, testadmin, password)
# Add testadmin user to role "User Administrator"
tasks.kinit_admin(self.master)
self.master.run_command([
'ipa', 'role-add-member', '--users', testadmin,
'User Administrator'
])
tasks.kdestroy_all(self.master)
# Create a test group
tasks.kinit_as_user(self.master, testadmin, password)
self.master.run_command(['ipa', 'group-add', testgroup])
# Call ipa-group-del to check if user can delete group
self.master.run_command(['ipa', 'group-del', testgroup])
finally:
# Cleanup
tasks.kinit_admin(self.master)
self.master.run_command(['ipa', 'user-del', testadmin])
self.master.run_command(
['ipa', 'group-del', testgroup, '--continue'])
def test_sss_ssh_authorizedkeys(self):
"""Login via Ssh using private-key for ipa-user should work.
Test for : https://pagure.io/SSSD/sssd/issue/3937
Steps:
1) setup user with ssh-key and certificate stored in ipaserver
2) simulate p11_child timeout
3) try to login via ssh using private key.
"""
user = '******'
passwd = 'Secret123'
user_key = tasks.create_temp_file(self.master, create_file=False)
pem_file = tasks.create_temp_file(self.master)
# Create a user with a password
tasks.create_active_user(
self.master,
user,
passwd,
extra_args=['--homedir', '/home/{}'.format(user)])
tasks.kinit_admin(self.master)
tasks.run_command_as_user(self.master, user,
['ssh-keygen', '-N', '', '-f', user_key])
ssh_pub_key = self.master.get_file_contents('{}.pub'.format(user_key),
encoding='utf-8')
openssl_cmd = [
'openssl', 'req', '-x509', '-newkey', 'rsa:2048', '-days', '365',
'-nodes', '-out', pem_file, '-subj', '/CN=' + user
]
self.master.run_command(openssl_cmd)
cert_b64 = self.get_cert_base64(self.master, pem_file)
sssd_p11_child = '/usr/libexec/sssd/p11_child'
backup = tasks.FileBackup(self.master, sssd_p11_child)
try:
content = '#!/bin/bash\nsleep 999999'
# added sleep to simulate the timeout for p11_child
self.master.put_file_contents(sssd_p11_child, content)
self.master.run_command(
['ipa', 'user-mod', user, '--ssh', ssh_pub_key])
self.master.run_command(
['ipa', 'user-add-cert', user, '--certificate', cert_b64])
# clear cache to avoid SSSD to check the user in old lookup
tasks.clear_sssd_cache(self.master)
result = self.master.run_command(
[paths.SSS_SSH_AUTHORIZEDKEYS, user])
assert ssh_pub_key in result.stdout_text
# login to the system
self.master.run_command([
'ssh', '-o', 'PasswordAuthentication=no', '-o',
'IdentitiesOnly=yes', '-o', 'StrictHostKeyChecking=no', '-o',
'ConnectTimeout=10', '-l', user, '-i', user_key,
self.master.hostname, 'true'
])
finally:
# cleanup
self.master.run_command(['ipa', 'user-del', user])
backup.restore()
self.master.run_command(
['rm', '-f', pem_file, user_key, '{}.pub'.format(user_key)])
def user_creation_deletion(self):
# create user
self.testuser = '******'
tasks.create_active_user(self.master, self.testuser, 'Secret123')
yield
# cleanup
tasks.kinit_admin(self.master)
self.master.run_command(['ipa', 'user-del', self.testuser])
def install(cls, mh):
super(TestSSSDAuthCache, cls).install(mh)
cls.ad = cls.ads[0] # pylint: disable=no-member
tasks.install_adtrust(cls.master)
tasks.configure_dns_for_trust(cls.master, cls.ad)
tasks.establish_trust_with_ad(cls.master, cls.ad.domain.name)
cls.users['ad']['name'] = cls.users['ad']['name_tmpl'].format(
domain=cls.ad.domain.name)
tasks.user_add(cls.master, cls.intermed_user)
tasks.create_active_user(cls.master, cls.ipa_user,
cls.ipa_user_password)
def install(cls, mh):
super(TestSSSDWithAdTrust, cls).install(mh)
cls.ad = cls.ads[0]
tasks.install_adtrust(cls.master)
tasks.configure_dns_for_trust(cls.master, cls.ad)
tasks.establish_trust_with_ad(cls.master, cls.ad.domain.name)
cls.users['ad']['name'] = cls.users['ad']['name_tmpl'].format(
domain=cls.ad.domain.name)
cls.users['ad']['group'] = cls.users['ad']['group_tmpl'].format(
domain=cls.ad.domain.name)
tasks.user_add(cls.master, cls.intermed_user)
tasks.create_active_user(cls.master, cls.ipa_user,
cls.ipa_user_password)
def install(cls, mh):
super(TestSSSDWithAdTrust, cls).install(mh)
cls.ad = cls.ads[0]
tasks.install_adtrust(cls.master)
tasks.configure_dns_for_trust(cls.master, cls.ad)
tasks.establish_trust_with_ad(cls.master, cls.ad.domain.name)
cls.users['ad']['name'] = cls.users['ad']['name_tmpl'].format(
domain=cls.ad.domain.name)
# Regression tests for cached_auth_timeout option
# https://bugzilla.redhat.com/show_bug.cgi?id=1685581
tasks.user_add(cls.master, cls.intermed_user)
tasks.create_active_user(cls.master, cls.ipa_user,
cls.ipa_user_password)
def test_2fa_disable_single_prompt(self):
"""Test ssh with 2FA when single prompt is disabled.
Test for : https://pagure.io/SSSD/sssd/issue/3264
When [prompting/2fa/sshd] with single_prompt = False is set
then during ssh it should be prompted with given message
for first factor and then for second factor.
This requires paramiko until the 2-prompt sshpass RFE is
fulfilled: https://sourceforge.net/p/sshpass/feature-requests/5/
"""
if self.master.is_fips_mode:
pytest.skip("paramiko is not compatible with FIPS mode")
master = self.master
USER2 = 'sshuser2'
sssd_conf_backup = tasks.FileBackup(master, paths.SSSD_CONF)
first_prompt = 'Enter first factor:'
second_prompt = 'Enter second factor:'
add_contents = textwrap.dedent('''
[prompting/2fa/sshd]
single_prompt = False
first_prompt = {0}
second_prompt = {1}
''').format(first_prompt, second_prompt)
set_sssd_conf(master, add_contents)
tasks.create_active_user(master, USER2, PASSWORD)
tasks.kinit_admin(master)
master.run_command(['ipa', 'user-mod', USER2, '--user-auth-type=otp'])
try:
otpuid, totp = add_otptoken(master, USER2, otptype='totp')
master.run_command(['ipa', 'otptoken-show', otpuid])
otpvalue = totp.generate(int(time.time())).decode('ascii')
answers = {
first_prompt: PASSWORD,
second_prompt: otpvalue
}
ssh_2f(master.hostname, USER2, answers)
# check if user listed in output
cmd = self.master.run_command(['semanage', 'login', '-l'])
assert USER2 in cmd.stdout_text
finally:
master.run_command(['ipa', 'user-del', USER2])
self.master.run_command(['semanage', 'login', '-D'])
sssd_conf_backup.restore()
def install(cls, mh):
super(TestOTPToken, cls).install(mh)
master = cls.master
tasks.kinit_admin(master)
# create service with OTP auth indicator
cls.service_name = f"otponly/{master.hostname}"
master.run_command(
["ipa", "service-add", cls.service_name, "--auth-ind=otp"])
# service needs a keytab before user can acquire a ticket for it
keytab = "/tmp/otponly.keytab"
master.run_command(
["ipa-getkeytab", "-p", cls.service_name, "-k", keytab])
master.run_command(["rm", "-f", keytab])
tasks.create_active_user(master, USER, PASSWORD)
tasks.kinit_admin(master)
master.run_command(["ipa", "user-mod", USER, "--user-auth-type=otp"])
def nested_group_setup(self, tmpdir):
"""Setup and Clean up groups and user created"""
master = self.master
client = self.clients[0]
# add a user and set password
tasks.create_active_user(master, self.username, self.userpasswd)
tasks.kinit_admin(master)
privkey, pubkey = tasks.generate_ssh_keypair()
with open(os.path.join(
tmpdir, 'ssh_priv_key'), 'w') as fp:
fp.write(privkey)
master.run_command([
'ipa', 'user-mod', self.username, '--ssh', "{}".format(pubkey)
])
master.put_file_contents('/tmp/user_ssh_priv_key', privkey)
master.run_command(['chmod', '600', '/tmp/user_ssh_priv_key'])
# add group groupa
cmd_output = master.run_command(['ipa', 'group-add', 'groupa'])
assert 'Added group "groupa"' in cmd_output.stdout_text
# add group groupb
cmd_output = master.run_command(['ipa', 'group-add', 'groupb'])
assert 'Added group "groupb"' in cmd_output.stdout_text
# add group groupc
cmd_output = master.run_command(['ipa', 'group-add', 'groupc'])
assert 'Added group "groupc"' in cmd_output.stdout_text
client.put_file_contents('/tmp/user_ssh_priv_key',
privkey)
client.run_command(['chmod', '600', '/tmp/user_ssh_priv_key'])
yield
# test cleanup
for group in ['groupa', 'groupb', 'groupc']:
self.master.run_command(['ipa', 'group-del', group, '--continue'])
self.master.run_command(['ipa', 'user-del', self.username,
'--no-preserve', '--continue'])
tasks.kdestroy_all(self.master)
tasks.kdestroy_all(self.clients[0])
def test_add_agent_not_allowed(self):
"""Check that add-agents can be run only by Admins."""
user = "******"
passwd = "Secret123"
host = self.replicas[0].hostname
data_fmt = '{{"method":"trust_enable_agent","params":[["{}"],{{}}]}}'
try:
# Create a nonadmin user that will be used by curl.
# First, display SSSD kdcinfo:
# https://bugzilla.redhat.com/show_bug.cgi?id=1850445#c1
self.master.run_command([
"cat",
"/var/lib/sss/pubconf/kdcinfo.%s" % self.master.domain.realm
],
raiseonerr=False)
# Set krb5_trace to True: https://pagure.io/freeipa/issue/8353
tasks.create_active_user(self.master,
user,
passwd,
first=user,
last=user,
krb5_trace=True)
tasks.kinit_as_user(self.master, user, passwd, krb5_trace=True)
# curl --negotiate -u : is using GSS-API i.e. nonadmin user
cmd_args = [
paths.BIN_CURL, '-H', 'referer:https://{}/ipa'.format(host),
'-H', 'Content-Type:application/json', '-H',
'Accept:applicaton/json', '--negotiate', '-u', ':', '--cacert',
paths.IPA_CA_CRT, '-d',
data_fmt.format(host), '-X', 'POST',
'https://{}/ipa/json'.format(host)
]
res = self.master.run_command(cmd_args)
expected = 'Insufficient access: not allowed to remotely add agent'
assert expected in res.stdout_text
finally:
tasks.kinit_admin(self.master)
self.master.run_command(['ipa', 'user-del', user])
def test_2fa_enable_single_prompt(self):
"""Test ssh with 2FA when single prompt is enabled.
Test for : https://pagure.io/SSSD/sssd/issue/3264
When [prompting/2fa/sshd] with single_prompt = True is set
then during ssh it should be prompted with given message
for first and second factor at once.
"""
master = self.master
USER1 = 'sshuser1'
sssd_conf_backup = tasks.FileBackup(master, paths.SSSD_CONF)
first_prompt = 'Please enter password + OTP token value:'
add_contents = textwrap.dedent('''
[prompting/2fa/sshd]
single_prompt = True
first_prompt = {0}
''').format(first_prompt)
set_sssd_conf(master, add_contents)
tasks.create_active_user(master, USER1, PASSWORD)
tasks.kinit_admin(master)
master.run_command(['ipa', 'user-mod', USER1, '--user-auth-type=otp'])
try:
otpuid, totp = add_otptoken(master, USER1, otptype='totp')
master.run_command(['ipa', 'otptoken-show', otpuid])
otpvalue = totp.generate(int(time.time())).decode('ascii')
password = '******'.format(PASSWORD, otpvalue)
tasks.run_ssh_cmd(to_host=self.master.external_hostname,
username=USER1,
auth_method="password",
password=password)
# check if user listed in output
cmd = self.master.run_command(['semanage', 'login', '-l'])
assert USER1 in cmd.stdout_text
finally:
master.run_command(['ipa', 'user-del', USER1])
self.master.run_command(['semanage', 'login', '-D'])
sssd_conf_backup.restore()
def test_auto_generate_subid(self):
uid = "testuser_auto1"
passwd = "Secret123"
tasks.create_active_user(self.master, uid, password=passwd)
tasks.kinit_admin(self.master)
self.assert_subid(uid, match=False)
# add subid by name
self.subid_generate(uid)
info = self.assert_subid(uid, match=True)
# second generate fails due to unique index on ipaowner
result = self.subid_generate(uid, raiseonerr=False)
assert result.returncode > 0
assert f'for user "{uid}" already exists' in result.stderr_text
# check matching
subuid = info["ipasubuidnumber"]
for offset in (0, 1, 65535):
result = self.master.run_command(
["ipa", "subid-match", f"--subuid={subuid + offset}", "--raw"])
match = self._parse_result(result)
self.assert_subid_info(uid, match)
def install(cls, mh):
super(TestMemberManager, cls).install(mh)
master = cls.master
tasks.create_active_user(master, USER_MM, PASSWORD)
tasks.create_active_user(master, USER_INDIRECT, PASSWORD)
tasks.create_active_user(master, USER1, PASSWORD)
tasks.kinit_admin(master)
tasks.group_add(master, GROUP_INDIRECT)
master.run_command([
'ipa', 'group-add-member', GROUP_INDIRECT, '--users', USER_INDIRECT
])
tasks.user_add(master, USER2)
tasks.group_add(master, GROUP1)
tasks.group_add(master, GROUP2)
master.run_command(['ipa', 'hostgroup-add', HOSTGROUP1])
# make mmuser a member manager for group and hostgroup
master.run_command([
'ipa', 'group-add-member-manager', GROUP1,
'--users', USER_MM
])
master.run_command([
'ipa', 'hostgroup-add-member-manager', HOSTGROUP1,
'--users', USER_MM
])
# make indirect group member manager for group and hostgroup
master.run_command([
'ipa', 'group-add-member-manager', GROUP1,
'--groups', GROUP_INDIRECT
])
master.run_command([
'ipa', 'hostgroup-add-member-manager', HOSTGROUP1,
'--groups', GROUP_INDIRECT
])
tasks.kdestroy_all(master)
def install(cls, mh):
tasks.install_master(cls.master)
tasks.create_active_user(cls.master, USER1, PASSWORD)
tasks.create_active_user(cls.master, USER2, PASSWORD)
