def test_subid_useradmin(self): tasks.kinit_admin(self.master) uid_useradmin = "testuser_usermgr_mgr1" role = "User Administrator" uid = "testuser_usermgr_user1" password = "******" # create user administrator tasks.create_active_user(self.master, uid_useradmin, password=password) # add user to user admin group tasks.kinit_admin(self.master) self.master.run_command( ["ipa", "role-add-member", role, f"--users={uid_useradmin}"], ) # kinit as user admin tasks.kinit_user(self.master, uid_useradmin, password) # create new user as user admin tasks.user_add(self.master, uid) # assign new subid to user (with useradmin credentials) self.subid_generate(uid) # test that user admin can preserve and delete users with subids self.master.run_command(["ipa", "user-del", "--preserve", uid]) # XXX does not work, see subordinate-ids.md # subid should still exist # self.assert_subid(uid, match=True) # final delete should remove the user and subid self.master.run_command(["ipa", "user-del", uid]) self.assert_subid(uid, match=False)
def install(cls, mh): if cls.domain_level is not None: domain_level = cls.domain_level else: domain_level = cls.master.config.domain_level tasks.install_topo(cls.topology, cls.master, cls.replicas, cls.clients, domain_level, clients_extra_args=('--mkhomedir',)) cls.ad = cls.ads[0] cls.smbserver = cls.clients[0] cls.smbclient = cls.clients[1] cls.ad_user = '******'.format(cls.ad_user_login, cls.ad.domain.name) tasks.config_host_resolvconf_with_master_data(cls.master, cls.smbclient) tasks.install_adtrust(cls.master) tasks.configure_dns_for_trust(cls.master, cls.ad) tasks.configure_windows_dns_for_trust(cls.ad, cls.master) tasks.establish_trust_with_ad(cls.master, cls.ad.domain.name, extra_args=['--two-way=true']) tasks.create_active_user(cls.master, cls.ipa_user1, password=cls.ipa_user1_password) tasks.create_active_user(cls.master, cls.ipa_user2, password=cls.ipa_user2_password) # Trigger creation of home directories on the SMB server for user in [cls.ipa_user1, cls.ipa_user2, cls.ad_user]: tasks.run_command_as_user(cls.smbserver, user, ['stat', '.'])
def test_ipa_user_pac(self): """Test that a user can request a service ticket with PAC""" user = '******' user_princ = '@'.join([user, self.master.domain.realm]) passwd = 'Secret123' # Create a user with a password tasks.create_active_user( self.master, user, passwd, extra_args=['--homedir', '/home/{}'.format(user)]) try: # Defaults: host/... principal for service # keytab in /etc/krb5.keytab self.master.run_command(["kinit", '-k']) # Don't use enterprise principal here because it doesn't work # bug in krb5: src/lib/gssapi/krb5/acquire_cred.c:scan_cache() # where enterprise principals aren't taken into account result = self.master.run_command([ os.path.join(paths.LIBEXEC_IPA_DIR, "ipa-print-pac"), "ticket", user_princ ], stdin_text=(passwd + '\n'), raiseonerr=False) assert "PAC_DATA" in result.stdout_text finally: tasks.kinit_admin(self.master) self.master.run_command(['ipa', 'user-del', user])
def test_add_agent_not_allowed(self): """Check that add-agents can be run only by Admins.""" user = "******" passwd = "Secret123" host = self.replicas[0].hostname data_fmt = '{{"method":"trust_enable_agent","params":[["{}"],{{}}]}}' try: # Create a nonadmin user that will be used by curl tasks.create_active_user(self.master, user, passwd, first=user, last=user) tasks.kinit_as_user(self.master, user, passwd) # curl --negotiate -u : is using GSS-API i.e. nonadmin user cmd_args = [ paths.BIN_CURL, '-H', 'referer:https://{}/ipa'.format(host), '-H', 'Content-Type:application/json', '-H', 'Accept:applicaton/json', '--negotiate', '-u', ':', '--cacert', paths.IPA_CA_CRT, '-d', data_fmt.format(host), '-X', 'POST', 'https://{}/ipa/json'.format(host) ] res = self.master.run_command(cmd_args) expected = 'Insufficient access: not allowed to remotely add agent' assert expected in res.stdout_text finally: tasks.kinit_admin(self.master) self.master.run_command(['ipa', 'user-del', user])
def test_subid_selfservice(self): uid1 = "testuser_selfservice1" uid2 = "testuser_selfservice2" password = "******" role = "Subordinate ID Selfservice User" tasks.create_active_user(self.master, uid1, password=password) tasks.create_active_user(self.master, uid2, password=password) tasks.kinit_user(self.master, uid1, password=password) self.assert_subid(uid1, match=False) result = self.subid_generate(uid1, raiseonerr=False) assert result.returncode > 0 result = self.subid_generate(None, raiseonerr=False) assert result.returncode > 0 tasks.kinit_admin(self.master) self.master.run_command( ["ipa", "role-add-member", role, "--groups=ipausers"]) try: tasks.kinit_user(self.master, uid1, password) self.subid_generate(uid1) self.assert_subid(uid1, match=True) # add subid from whoami tasks.kinit_as_user(self.master, uid2, password=password) self.subid_generate(None) self.assert_subid(uid2, match=True) finally: tasks.kinit_admin(self.master) self.master.run_command( ["ipa", "role-remove-member", role, "--groups=ipausers"])
def test_ipa_user_s4u2self_pac(self): """Test that a service can request S4U2Self ticket with PAC""" user = '******' user_princ = '@'.join([user, self.master.domain.realm]) passwd = 'Secret123' # Create a user with a password tasks.create_active_user( self.master, user, passwd, extra_args=["--homedir", "/home/{}".format(user)], krb5_trace=True) try: # Defaults: host/... principal for service # keytab in /etc/krb5.keytab self.master.run_command(["kinit", '-k']) result = self.master.run_command([ os.path.join(paths.LIBEXEC_IPA_DIR, "ipa-print-pac"), "-E", "impersonate", user_princ ], raiseonerr=False) assert "PAC_DATA" in result.stdout_text finally: tasks.kinit_admin(self.master) self.master.run_command(['ipa', 'user-del', user])
def test_selinux_user_optimized(self): """ Check that SELinux login context is set on first login for the user, even if the user is not mapped to a specific SELinux user. Related ticket https://pagure.io/SSSD/sssd/issue/3819. """ # Scenario: add an IPA user with non-default home dir, login through # ssh as this user and check that there is a SELinux user mapping # for the user with `semanage login -l`. test_user = '******' password = '******' tasks.kinit_admin(self.master) tasks.create_active_user( self.master, test_user, password=password, extra_args=['--homedir', '/root/{}'.format(test_user)]) tasks.run_ssh_cmd(to_host=self.master.external_hostname, username=test_user, auth_method="password", password=password) # check if user listed in output cmd = self.master.run_command(['semanage', 'login', '-l']) assert test_user in cmd.stdout_text # call ipa user-del tasks.kinit_admin(self.master) self.master.run_command(['ipa', 'user-del', test_user])
def test_delete_group_by_user_administrator(self): """ Test that a user with sufficient privileges can delete group This is a Automation for issue 6884 """ # Create a new testadmin user with a password testadmin = 'tuser' password = '******' testgroup = 'gtest' try: tasks.create_active_user(self.master, testadmin, password) # Add testadmin user to role "User Administrator" tasks.kinit_admin(self.master) self.master.run_command([ 'ipa', 'role-add-member', '--users', testadmin, 'User Administrator' ]) tasks.kdestroy_all(self.master) # Create a test group tasks.kinit_as_user(self.master, testadmin, password) self.master.run_command(['ipa', 'group-add', testgroup]) # Call ipa-group-del to check if user can delete group self.master.run_command(['ipa', 'group-del', testgroup]) finally: # Cleanup tasks.kinit_admin(self.master) self.master.run_command(['ipa', 'user-del', testadmin]) self.master.run_command( ['ipa', 'group-del', testgroup, '--continue'])
def test_sss_ssh_authorizedkeys(self): """Login via Ssh using private-key for ipa-user should work. Test for : https://pagure.io/SSSD/sssd/issue/3937 Steps: 1) setup user with ssh-key and certificate stored in ipaserver 2) simulate p11_child timeout 3) try to login via ssh using private key. """ user = '******' passwd = 'Secret123' user_key = tasks.create_temp_file(self.master, create_file=False) pem_file = tasks.create_temp_file(self.master) # Create a user with a password tasks.create_active_user( self.master, user, passwd, extra_args=['--homedir', '/home/{}'.format(user)]) tasks.kinit_admin(self.master) tasks.run_command_as_user(self.master, user, ['ssh-keygen', '-N', '', '-f', user_key]) ssh_pub_key = self.master.get_file_contents('{}.pub'.format(user_key), encoding='utf-8') openssl_cmd = [ 'openssl', 'req', '-x509', '-newkey', 'rsa:2048', '-days', '365', '-nodes', '-out', pem_file, '-subj', '/CN=' + user ] self.master.run_command(openssl_cmd) cert_b64 = self.get_cert_base64(self.master, pem_file) sssd_p11_child = '/usr/libexec/sssd/p11_child' backup = tasks.FileBackup(self.master, sssd_p11_child) try: content = '#!/bin/bash\nsleep 999999' # added sleep to simulate the timeout for p11_child self.master.put_file_contents(sssd_p11_child, content) self.master.run_command( ['ipa', 'user-mod', user, '--ssh', ssh_pub_key]) self.master.run_command( ['ipa', 'user-add-cert', user, '--certificate', cert_b64]) # clear cache to avoid SSSD to check the user in old lookup tasks.clear_sssd_cache(self.master) result = self.master.run_command( [paths.SSS_SSH_AUTHORIZEDKEYS, user]) assert ssh_pub_key in result.stdout_text # login to the system self.master.run_command([ 'ssh', '-o', 'PasswordAuthentication=no', '-o', 'IdentitiesOnly=yes', '-o', 'StrictHostKeyChecking=no', '-o', 'ConnectTimeout=10', '-l', user, '-i', user_key, self.master.hostname, 'true' ]) finally: # cleanup self.master.run_command(['ipa', 'user-del', user]) backup.restore() self.master.run_command( ['rm', '-f', pem_file, user_key, '{}.pub'.format(user_key)])
def user_creation_deletion(self): # create user self.testuser = '******' tasks.create_active_user(self.master, self.testuser, 'Secret123') yield # cleanup tasks.kinit_admin(self.master) self.master.run_command(['ipa', 'user-del', self.testuser])
def install(cls, mh): super(TestSSSDAuthCache, cls).install(mh) cls.ad = cls.ads[0] # pylint: disable=no-member tasks.install_adtrust(cls.master) tasks.configure_dns_for_trust(cls.master, cls.ad) tasks.establish_trust_with_ad(cls.master, cls.ad.domain.name) cls.users['ad']['name'] = cls.users['ad']['name_tmpl'].format( domain=cls.ad.domain.name) tasks.user_add(cls.master, cls.intermed_user) tasks.create_active_user(cls.master, cls.ipa_user, cls.ipa_user_password)
def install(cls, mh): super(TestSSSDWithAdTrust, cls).install(mh) cls.ad = cls.ads[0] tasks.install_adtrust(cls.master) tasks.configure_dns_for_trust(cls.master, cls.ad) tasks.establish_trust_with_ad(cls.master, cls.ad.domain.name) cls.users['ad']['name'] = cls.users['ad']['name_tmpl'].format( domain=cls.ad.domain.name) cls.users['ad']['group'] = cls.users['ad']['group_tmpl'].format( domain=cls.ad.domain.name) tasks.user_add(cls.master, cls.intermed_user) tasks.create_active_user(cls.master, cls.ipa_user, cls.ipa_user_password)
def install(cls, mh): super(TestSSSDWithAdTrust, cls).install(mh) cls.ad = cls.ads[0] tasks.install_adtrust(cls.master) tasks.configure_dns_for_trust(cls.master, cls.ad) tasks.establish_trust_with_ad(cls.master, cls.ad.domain.name) cls.users['ad']['name'] = cls.users['ad']['name_tmpl'].format( domain=cls.ad.domain.name) # Regression tests for cached_auth_timeout option # https://bugzilla.redhat.com/show_bug.cgi?id=1685581 tasks.user_add(cls.master, cls.intermed_user) tasks.create_active_user(cls.master, cls.ipa_user, cls.ipa_user_password)
def test_2fa_disable_single_prompt(self): """Test ssh with 2FA when single prompt is disabled. Test for : https://pagure.io/SSSD/sssd/issue/3264 When [prompting/2fa/sshd] with single_prompt = False is set then during ssh it should be prompted with given message for first factor and then for second factor. This requires paramiko until the 2-prompt sshpass RFE is fulfilled: https://sourceforge.net/p/sshpass/feature-requests/5/ """ if self.master.is_fips_mode: pytest.skip("paramiko is not compatible with FIPS mode") master = self.master USER2 = 'sshuser2' sssd_conf_backup = tasks.FileBackup(master, paths.SSSD_CONF) first_prompt = 'Enter first factor:' second_prompt = 'Enter second factor:' add_contents = textwrap.dedent(''' [prompting/2fa/sshd] single_prompt = False first_prompt = {0} second_prompt = {1} ''').format(first_prompt, second_prompt) set_sssd_conf(master, add_contents) tasks.create_active_user(master, USER2, PASSWORD) tasks.kinit_admin(master) master.run_command(['ipa', 'user-mod', USER2, '--user-auth-type=otp']) try: otpuid, totp = add_otptoken(master, USER2, otptype='totp') master.run_command(['ipa', 'otptoken-show', otpuid]) otpvalue = totp.generate(int(time.time())).decode('ascii') answers = { first_prompt: PASSWORD, second_prompt: otpvalue } ssh_2f(master.hostname, USER2, answers) # check if user listed in output cmd = self.master.run_command(['semanage', 'login', '-l']) assert USER2 in cmd.stdout_text finally: master.run_command(['ipa', 'user-del', USER2]) self.master.run_command(['semanage', 'login', '-D']) sssd_conf_backup.restore()
def install(cls, mh): super(TestOTPToken, cls).install(mh) master = cls.master tasks.kinit_admin(master) # create service with OTP auth indicator cls.service_name = f"otponly/{master.hostname}" master.run_command( ["ipa", "service-add", cls.service_name, "--auth-ind=otp"]) # service needs a keytab before user can acquire a ticket for it keytab = "/tmp/otponly.keytab" master.run_command( ["ipa-getkeytab", "-p", cls.service_name, "-k", keytab]) master.run_command(["rm", "-f", keytab]) tasks.create_active_user(master, USER, PASSWORD) tasks.kinit_admin(master) master.run_command(["ipa", "user-mod", USER, "--user-auth-type=otp"])
def nested_group_setup(self, tmpdir): """Setup and Clean up groups and user created""" master = self.master client = self.clients[0] # add a user and set password tasks.create_active_user(master, self.username, self.userpasswd) tasks.kinit_admin(master) privkey, pubkey = tasks.generate_ssh_keypair() with open(os.path.join( tmpdir, 'ssh_priv_key'), 'w') as fp: fp.write(privkey) master.run_command([ 'ipa', 'user-mod', self.username, '--ssh', "{}".format(pubkey) ]) master.put_file_contents('/tmp/user_ssh_priv_key', privkey) master.run_command(['chmod', '600', '/tmp/user_ssh_priv_key']) # add group groupa cmd_output = master.run_command(['ipa', 'group-add', 'groupa']) assert 'Added group "groupa"' in cmd_output.stdout_text # add group groupb cmd_output = master.run_command(['ipa', 'group-add', 'groupb']) assert 'Added group "groupb"' in cmd_output.stdout_text # add group groupc cmd_output = master.run_command(['ipa', 'group-add', 'groupc']) assert 'Added group "groupc"' in cmd_output.stdout_text client.put_file_contents('/tmp/user_ssh_priv_key', privkey) client.run_command(['chmod', '600', '/tmp/user_ssh_priv_key']) yield # test cleanup for group in ['groupa', 'groupb', 'groupc']: self.master.run_command(['ipa', 'group-del', group, '--continue']) self.master.run_command(['ipa', 'user-del', self.username, '--no-preserve', '--continue']) tasks.kdestroy_all(self.master) tasks.kdestroy_all(self.clients[0])
def test_add_agent_not_allowed(self): """Check that add-agents can be run only by Admins.""" user = "******" passwd = "Secret123" host = self.replicas[0].hostname data_fmt = '{{"method":"trust_enable_agent","params":[["{}"],{{}}]}}' try: # Create a nonadmin user that will be used by curl. # First, display SSSD kdcinfo: # https://bugzilla.redhat.com/show_bug.cgi?id=1850445#c1 self.master.run_command([ "cat", "/var/lib/sss/pubconf/kdcinfo.%s" % self.master.domain.realm ], raiseonerr=False) # Set krb5_trace to True: https://pagure.io/freeipa/issue/8353 tasks.create_active_user(self.master, user, passwd, first=user, last=user, krb5_trace=True) tasks.kinit_as_user(self.master, user, passwd, krb5_trace=True) # curl --negotiate -u : is using GSS-API i.e. nonadmin user cmd_args = [ paths.BIN_CURL, '-H', 'referer:https://{}/ipa'.format(host), '-H', 'Content-Type:application/json', '-H', 'Accept:applicaton/json', '--negotiate', '-u', ':', '--cacert', paths.IPA_CA_CRT, '-d', data_fmt.format(host), '-X', 'POST', 'https://{}/ipa/json'.format(host) ] res = self.master.run_command(cmd_args) expected = 'Insufficient access: not allowed to remotely add agent' assert expected in res.stdout_text finally: tasks.kinit_admin(self.master) self.master.run_command(['ipa', 'user-del', user])
def test_2fa_enable_single_prompt(self): """Test ssh with 2FA when single prompt is enabled. Test for : https://pagure.io/SSSD/sssd/issue/3264 When [prompting/2fa/sshd] with single_prompt = True is set then during ssh it should be prompted with given message for first and second factor at once. """ master = self.master USER1 = 'sshuser1' sssd_conf_backup = tasks.FileBackup(master, paths.SSSD_CONF) first_prompt = 'Please enter password + OTP token value:' add_contents = textwrap.dedent(''' [prompting/2fa/sshd] single_prompt = True first_prompt = {0} ''').format(first_prompt) set_sssd_conf(master, add_contents) tasks.create_active_user(master, USER1, PASSWORD) tasks.kinit_admin(master) master.run_command(['ipa', 'user-mod', USER1, '--user-auth-type=otp']) try: otpuid, totp = add_otptoken(master, USER1, otptype='totp') master.run_command(['ipa', 'otptoken-show', otpuid]) otpvalue = totp.generate(int(time.time())).decode('ascii') password = '******'.format(PASSWORD, otpvalue) tasks.run_ssh_cmd(to_host=self.master.external_hostname, username=USER1, auth_method="password", password=password) # check if user listed in output cmd = self.master.run_command(['semanage', 'login', '-l']) assert USER1 in cmd.stdout_text finally: master.run_command(['ipa', 'user-del', USER1]) self.master.run_command(['semanage', 'login', '-D']) sssd_conf_backup.restore()
def test_auto_generate_subid(self): uid = "testuser_auto1" passwd = "Secret123" tasks.create_active_user(self.master, uid, password=passwd) tasks.kinit_admin(self.master) self.assert_subid(uid, match=False) # add subid by name self.subid_generate(uid) info = self.assert_subid(uid, match=True) # second generate fails due to unique index on ipaowner result = self.subid_generate(uid, raiseonerr=False) assert result.returncode > 0 assert f'for user "{uid}" already exists' in result.stderr_text # check matching subuid = info["ipasubuidnumber"] for offset in (0, 1, 65535): result = self.master.run_command( ["ipa", "subid-match", f"--subuid={subuid + offset}", "--raw"]) match = self._parse_result(result) self.assert_subid_info(uid, match)
def install(cls, mh): super(TestMemberManager, cls).install(mh) master = cls.master tasks.create_active_user(master, USER_MM, PASSWORD) tasks.create_active_user(master, USER_INDIRECT, PASSWORD) tasks.create_active_user(master, USER1, PASSWORD) tasks.kinit_admin(master) tasks.group_add(master, GROUP_INDIRECT) master.run_command([ 'ipa', 'group-add-member', GROUP_INDIRECT, '--users', USER_INDIRECT ]) tasks.user_add(master, USER2) tasks.group_add(master, GROUP1) tasks.group_add(master, GROUP2) master.run_command(['ipa', 'hostgroup-add', HOSTGROUP1]) # make mmuser a member manager for group and hostgroup master.run_command([ 'ipa', 'group-add-member-manager', GROUP1, '--users', USER_MM ]) master.run_command([ 'ipa', 'hostgroup-add-member-manager', HOSTGROUP1, '--users', USER_MM ]) # make indirect group member manager for group and hostgroup master.run_command([ 'ipa', 'group-add-member-manager', GROUP1, '--groups', GROUP_INDIRECT ]) master.run_command([ 'ipa', 'hostgroup-add-member-manager', HOSTGROUP1, '--groups', GROUP_INDIRECT ]) tasks.kdestroy_all(master)
def install(cls, mh): tasks.install_master(cls.master) tasks.create_active_user(cls.master, USER1, PASSWORD) tasks.create_active_user(cls.master, USER2, PASSWORD)