def test_installclient_as_user_admin(self):
"""ipa-client-install should not use hardcoded admin for principal
In ipaclient-install.log it should use the username that was entered
earlier in the install process at the prompt.
Related to : https://pagure.io/freeipa/issue/5406
"""
client = self.clients[0]
tasks.install_master(self.master)
tasks.kinit_admin(self.master)
username = '******'
password = '******'
password_confirmation = "%s\n%s\n" % (password,
password)
self.master.run_command(['ipa', 'user-add', username,
'--first', username,
'--last', username,
'--password'],
stdin_text=password_confirmation)
role_add = ['ipa', 'role-add', 'useradmin']
self.master.run_command(role_add)
self.master.run_command(['ipa', 'privilege-add', 'Add Hosts'])
self.master.run_command(['ipa', 'privilege-add-permission',
'--permissions', 'System: Add Hosts',
'Add Hosts'])
self.master.run_command(['ipa', 'role-add-privilege', 'useradmin',
'--privileges', 'Host Enrollment'])
self.master.run_command(['ipa', 'role-add-privilege', 'useradmin',
'--privileges', 'Add Hosts'])
role_member_add = ['ipa', 'role-add-member', 'useradmin',
'--users={}'.format(username)]
self.master.run_command(role_member_add)
user_kinit = "%s\n%s\n%s\n" % (password, password, password)
self.master.run_command(['kinit', username],
stdin_text=user_kinit)
tasks.install_client(
self.master, client,
extra_args=['--request-cert'],
user=username, password=password
)
msg = "args=['/usr/bin/getent', 'passwd', '%s@%s']" % \
(username, client.domain.name)
install_log = client.get_file_contents(paths.IPACLIENT_INSTALL_LOG,
encoding='utf-8')
assert msg in install_log
# check that user is able to request a host cert, too
result = tasks.run_certutil(client, ['-L'], paths.IPA_NSSDB_DIR)
assert 'Local IPA host' in result.stdout_text
result = tasks.run_certutil(
client,
['-K', '-f', paths.IPA_NSSDB_PWDFILE_TXT],
paths.IPA_NSSDB_DIR
)
assert 'Local IPA host' in result.stdout_text
def test_invalid_range_types(self):
invalid_range_types = ['ipa-local',
'ipa-ad-winsync',
'ipa-ipa-trust',
'random-invalid',
're@ll%ybad12!']
self.configure_dns_and_time(self.ad)
try:
for range_type in invalid_range_types:
tasks.kinit_admin(self.master)
result = self.master.run_command(
['ipa', 'trust-add', '--type', 'ad', self.ad_domain,
'--admin', 'Administrator',
'--range-type', range_type, '--password'],
raiseonerr=False,
stdin_text=self.master.config.ad_admin_password)
# The trust-add command is supposed to fail
assert result.returncode == 1
assert "ERROR: invalid 'range_type'" in result.stderr_text
finally:
tasks.unconfigure_dns_for_trust(self.master, self.ad)
def test_list_help_topics(self):
tasks.kinit_admin(self.master)
result = self.master.run_command(
["ipa", "help", "topics"],
raiseonerr=False
)
assert result.returncode == 0
def install(cls, mh):
super(TestRulesWithServicePrincipals, cls).install(mh)
master = cls.master
tasks.kinit_admin(master)
cls.replica = "replica.%s" % master.domain.name
master.run_command(['ipa', 'host-add', cls.replica, '--force'])
cls.service_name = "svc/%s" % master.hostname
cls.replica_service_name = "svc/%s" % cls.replica
master.run_command("ipa service-add %s" % cls.service_name)
master.run_command("ipa service-add %s --force" %
cls.replica_service_name)
master.run_command("ipa service-add-host %s --hosts %s" % (
cls.service_name, cls.replica))
master.run_command("ipa caacl-add %s --desc \"test\"" % cls.caacl)
master.run_command("ipa caacl-add-host %s --hosts %s" % (cls.caacl,
cls.replica))
master.run_command("ipa caacl-add-service %s --services"
" svc/`hostname`" % cls.caacl)
master.run_command("ipa-getkeytab -p host/%s@%s -k %s" % (
cls.replica, master.domain.realm, cls.keytab))
master.run_command("kinit -kt %s host/%s" % (cls.keytab, cls.replica))
# Prepare a CSR
cls.prepare_config()
stdin_text = "qwerty\nqwerty\n%s\n" % cls.replica
master.run_command(['openssl', 'req', '-config', cls.csr_conf, '-new',
'-out', cls.csr], stdin_text=stdin_text)
def test_delete_preserve_as_alternate_admin(self):
"""
Test that a user member of admins group can call delete --preserve.
This is a test case for issue 7342
"""
# kinit admin
tasks.kinit_admin(self.master)
# Create a new user 'testuser' with a password
testuser = '******'
password = '******'
testuser_password_confirmation = "%s\n%s\n" % (password,
password)
self.master.run_command(['ipa', 'user-add', testuser,
'--first', testuser,
'--last', testuser,
'--password'],
stdin_text=testuser_password_confirmation)
# kinit as altadmin
self.master.run_command(['kinit', self.altadmin],
stdin_text=self.master.config.admin_password)
# call ipa user-del --preserve
self.master.run_command(['ipa', 'user-del', '--preserve', testuser])
def test_stageuser_show_as_alternate_admin(self):
"""
Test that a user member of admins group can call stageuser-show
and read the 'Kerberos Keys available' information.
This is a test case for issue 7342
"""
# kinit admin
tasks.kinit_admin(self.master)
# Create a new stage user 'stageuser' with a password
stageuser = '******'
password = '******'
stageuser_password_confirmation = "%s\n%s\n" % (password,
password)
self.master.run_command(['ipa', 'stageuser-add', stageuser,
'--first', stageuser,
'--last', stageuser,
'--password'],
stdin_text=stageuser_password_confirmation)
# kinit as altadmin
self.master.run_command(['kinit', self.altadmin],
stdin_text=self.master.config.admin_password)
# call ipa stageuser-show
# the field Kerberos Keys available must contain True
result = self.master.run_command(['ipa', 'stageuser-show', stageuser])
assert 'Kerberos keys available: True' in result.stdout_text
def test_change_selinuxusermaporder(self):
"""
An update file meant to ensure a more sane default was
overriding any customization done to the order.
"""
maporder = "unconfined_u:s0-s0:c0.c1023"
# set a new default
tasks.kinit_admin(self.master)
result = self.master.run_command(
["ipa", "config-mod",
"--ipaselinuxusermaporder={}".format(maporder)],
raiseonerr=False
)
assert result.returncode == 0
# apply the update
result = self.master.run_command(
["ipa-server-upgrade"],
raiseonerr=False
)
assert result.returncode == 0
# ensure result is the same
result = self.master.run_command(
["ipa", "config-show"],
raiseonerr=False
)
assert result.returncode == 0
assert "SELinux user map order: {}".format(
maporder) in result.stdout_text
def _full_backup_restore_with_DNS_zone(self, reinstall=False):
"""backup, uninstall, restore"""
with restore_checker(self.master):
self.master.run_command([
'ipa', 'dnszone-add',
self.example_test_zone,
])
tasks.resolve_record(self.master.ip, self.example_test_zone)
backup_path = backup(self.master)
self.master.run_command(['ipa-server-install',
'--uninstall',
'-U'])
if reinstall:
tasks.install_master(self.master, setup_dns=True)
dirman_password = self.master.config.dirman_password
self.master.run_command(['ipa-restore', backup_path],
stdin_text=dirman_password + '\nyes')
tasks.resolve_record(self.master.ip, self.example_test_zone)
tasks.kinit_admin(self.master)
self.master.run_command([
'ipa', 'dnszone-add',
self.example2_test_zone,
])
tasks.resolve_record(self.master.ip, self.example2_test_zone)
def test_add_permission_failure_issue5923(self):
# https://pagure.io/freeipa/issue/5923
# error response used to contain bytes instead of text
tasks.kinit_admin(self.master)
# neither privilege nor permission exists
result = self.master.run_command(
["ipa", "privilege-add-permission", "loc",
"--permission='System: Show IPA Locations"],
raiseonerr=False
)
assert result.returncode == 2
err = result.stderr_text.strip() # pylint: disable=no-member
assert err == "ipa: ERROR: loc: privilege not found"
# add privilege
result = self.master.run_command(
["ipa", "privilege-add", "loc"],
)
assert 'Added privilege "loc"' in result.stdout_text
# permission is still missing
result = self.master.run_command(
["ipa", "privilege-add-permission", "loc",
"--permission='System: Show IPA Locations"],
raiseonerr=False
)
assert result.returncode == 1
assert "Number of permissions added 0" in result.stdout_text
def test_create_and_retrieve_shared_vault_replica_without_kra(self):
# create vault
self.replicas[0].run_command([
"ipa", "vault-add",
self.shared_vault_name_replica_without_KRA,
"--shared",
"--type", "standard",
])
# archive secret
self.replicas[0].run_command([
"ipa", "vault-archive",
self.shared_vault_name_replica_without_KRA,
"--shared",
"--data", self.vault_data,
])
time.sleep(WAIT_AFTER_ARCHIVE)
# add non-admin user
self.replicas[0].run_command([
'ipa', 'user-add', self.vault_user,
'--first', self.vault_user,
'--last', self.vault_user,
'--password'],
stdin_text=self.vault_user_password)
# add it to vault
self.replicas[0].run_command([
"ipa", "vault-add-member",
self.shared_vault_name_replica_without_KRA,
"--shared",
"--users", self.vault_user,
])
self.replicas[0].run_command([
'kdestroy', '-A'])
user_kinit = "%s\n%s\n%s\n" % (self.vault_user_password,
self.vault_user_password,
self.vault_user_password)
self.replicas[0].run_command([
'kinit', self.vault_user],
stdin_text=user_kinit)
# TODO: possibly refactor with:
# self._retrieve_secret([self.vault_name_replica_without_KRA])
self.replicas[0].run_command([
"ipa", "vault-retrieve",
"--shared",
self.shared_vault_name_replica_without_KRA,
"--out=test.txt"])
self.replicas[0].run_command([
'kdestroy', '-A'])
tasks.kinit_admin(self.replicas[0])
def test_ssh_key_connection(self, tmpdir):
"""
Integration test for https://pagure.io/SSSD/sssd/issue/3747
"""
test_user = '******'
external_master_hostname = \
self.master.external_hostname # pylint: disable=no-member
pub_keys = []
for i in range(40):
ssh_key_pair = tasks.generate_ssh_keypair()
pub_keys.append(ssh_key_pair[1])
with open(os.path.join(
tmpdir, 'ssh_priv_{}'.format(i)), 'w') as fp:
fp.write(ssh_key_pair[0])
tasks.kinit_admin(self.master)
self.master.run_command(['ipa', 'user-add', test_user,
'--first=tester', '--last=tester'])
keys_opts = ' '.join(['--ssh "{}"'.format(k) for k in pub_keys])
cmd = 'ipa user-mod {} {}'.format(test_user, keys_opts)
self.master.run_command(cmd)
# connect with first SSH key
first_priv_key_path = os.path.join(tmpdir, 'ssh_priv_1')
# change private key permission to comply with SS rules
os.chmod(first_priv_key_path, 0o600)
sshcon = paramiko.SSHClient()
sshcon.set_missing_host_key_policy(paramiko.AutoAddPolicy())
# first connection attempt is a workaround for
# https://pagure.io/SSSD/sssd/issue/3669
try:
sshcon.connect(external_master_hostname, username=test_user,
key_filename=first_priv_key_path, timeout=1)
except (paramiko.AuthenticationException, paramiko.SSHException):
pass
try:
sshcon.connect(external_master_hostname, username=test_user,
key_filename=first_priv_key_path, timeout=1)
except (paramiko.AuthenticationException,
paramiko.SSHException) as e:
pytest.fail('Authentication using SSH key not successful', e)
journal_cmd = ['journalctl', '--since=today', '-u', 'sshd']
result = self.master.run_command(journal_cmd)
output = result.stdout_text
assert not re.search('exited on signal 13', output)
# cleanup
self.master.run_command(['ipa', 'user-del', test_user])
def test_service_as_user_admin(self):
"""Test that a service in User Administrator role can manage users"""
service_name1 = 'testservice1/%s@%s' % (self.master.hostname,
self.master.domain.realm)
keytab_file1 = os.path.join(self.master.config.test_dir,
'testservice_keytab1')
# Prepare a service
self.master.run_command(['ipa', 'service-add', service_name1])
self.master.run_command(['ipa-getkeytab',
'-p', service_name1,
'-k', keytab_file1,
'-s', self.master.hostname])
# Check that the service cannot add a user
self.master.run_command(['kdestroy'])
self.master.run_command(['kinit', '-k', service_name1,
'-t', keytab_file1])
result = self.master.run_command(['ipa', 'role-add-member',
'User Administrator',
'--service', service_name1],
raiseonerr=False)
assert result.returncode > 0
# Add service to User Administrator role
self.master.run_command(['kdestroy'])
tasks.kinit_admin(self.master)
self.master.run_command(['ipa', 'role-add-member',
'User Administrator',
'--service', service_name1])
# Check that the service now can add a user
self.master.run_command(['kdestroy'])
self.master.run_command(['kinit', '-k', service_name1,
'-t', keytab_file1])
self.master.run_command(['ipa', 'user-add', 'tuser',
'--first', 'a', '--last', 'b', '--random'])
# Clean up
self.master.run_command(['kdestroy'])
tasks.kinit_admin(self.master)
self.master.run_command(['ipa', 'service-del', service_name1])
self.master.run_command(['ipa', 'user-del', 'tuser'])
def run_advice(master, advice_id, advice_regex, raiseerr=True):
# Obtain the advice from the server
tasks.kinit_admin(master)
result = master.run_command(['ipa-advise', advice_id],
raiseonerr=raiseerr)
if not result.stdout_text:
advice = result.stderr_text
else:
advice = result.stdout_text
assert re.search(advice_regex, advice, re.S)
def test_service_access(self):
""" Test that user is granted access when authenticated using
credentials that are sufficient for a service, and denied access
when using insufficient credentials"""
service_name2 = 'testservice2/%s@%s' % (self.master.hostname,
self.master.domain.realm)
keytab_file2 = os.path.join(self.master.config.test_dir,
'testservice_keytab2')
# Prepare a service without authentication indicator
self.master.run_command(['ipa', 'service-add', service_name2])
self.master.run_command(['ipa-getkeytab',
'-p', service_name2,
'-k', keytab_file2])
# Set authentication-type for admin user
self.master.run_command(['ipa', 'user-mod', 'admin',
'--user-auth-type=password',
'--user-auth-type=otp'])
# Authenticate
self.master.run_command(['kinit', '-k', service_name2,
'-t', keytab_file2])
# Verify access to service is granted
result = self.master.run_command(['kvno', service_name2],
raiseonerr=False)
assert result.returncode == 0
# Obtain admin ticket to be able to update service
tasks.kinit_admin(self.master)
# Modify service to have authentication indicator
self.master.run_command(['ipa', 'service-mod', service_name2,
'--auth-ind=otp'])
self.master.run_command(['ipa-getkeytab',
'-p', service_name2,
'-k', keytab_file2])
# Authenticate
self.master.run_command(['kinit', '-k', service_name2,
'-t', keytab_file2])
# Verify access to service is rejected
result = self.master.run_command(['kvno', service_name2],
raiseonerr=False)
assert result.returncode > 0
def test_apply_advice(self):
# Obtain the advice from the server
tasks.kinit_admin(self.master)
result = self.master.run_command(['ipa-advise', self.advice_id])
advice = result.stdout_text
# Apply the advice on the legacy client
advice_path = os.path.join(self.legacy_client.config.test_dir,
'advice.sh')
self.legacy_client.put_file_contents(advice_path, advice)
result = self.legacy_client.run_command(['bash', '-x', '-e',
advice_path])
# Restart SSHD to load new PAM configuration
self.legacy_client.run_command([paths.SBIN_SERVICE, 'sshd', 'restart'])
def execute_advise(self, host, advice_id, *args):
# ipa-advise script is only available on a server
tasks.kinit_admin(self.master)
advice = self.master.run_command(['ipa-advise', advice_id])
# execute script on host (client or master)
if host is not self.master:
tasks.kinit_admin(host)
filename = tasks.upload_temp_contents(host, advice.stdout_text)
cmd = ['sh', filename]
cmd.extend(args)
try:
result = host.run_command(cmd)
finally:
host.run_command(['rm', '-f', filename])
return advice, result
def test_ipa_console(self):
tasks.kinit_admin(self.master)
result = self.master.run_command(
["ipa", "console"],
stdin_text="api.env"
)
assert "ipalib.config.Env" in result.stdout_text
filename = tasks.upload_temp_contents(
self.master,
"print(api.env)\n"
)
result = self.master.run_command(
["ipa", "console", filename],
)
assert "ipalib.config.Env" in result.stdout_text
def test_establish_nonexternal_treedomain_trust(self):
self.configure_dns_and_time(self.tree_ad)
try:
tasks.kinit_admin(self.master)
result = self.master.run_command([
'ipa', 'trust-add', '--type', 'ad', self.ad_treedomain,
'--admin',
'Administrator', '--password', '--range-type', 'ipa-ad-trust'
], stdin_text=self.master.config.ad_admin_password,
raiseonerr=False)
assert result != 0
assert ("Domain '{0}' is not a root domain".format(
self.ad_treedomain) in result.stderr_text)
finally:
tasks.unconfigure_dns_for_trust(self.master, self.tree_ad)
def restore_checker(host):
"""Check that the IPA at host works the same at context enter and exit"""
tasks.kinit_admin(host)
results = []
for check, assert_func in CHECKS:
logger.info('Storing result for %s', check.__name__)
results.append(check(host))
yield
tasks.kinit_admin(host)
for (check, assert_func), expected in zip(CHECKS, results):
logger.info('Checking result for %s', check.__name__)
got = check(host)
assert_func(expected, got)
def install(cls, mh):
super(TestIDViews, cls).install(mh)
master = cls.master
client = cls.clients[0]
tasks.kinit_admin(master)
tasks.user_add(
master, cls.user1, first='Test1',
extra_args=[
'--uid', str(cls.user1_uid),
'--gidnumber', str(cls.user1_gid),
]
)
tasks.user_add(
master, cls.user2, first='Test2',
extra_args=[
'--uid', str(cls.user2_uid),
'--gidnumber', str(cls.user2_gid),
]
)
tasks.group_add(
master, cls.group1, extra_args=['--gid', str(cls.group1_gid)]
)
master.run_command(['ipa', 'idview-add', cls.idview])
# add overrides for user1 and its default user group
master.run_command([
'ipa', 'idoverrideuser-add', cls.idview, cls.user1,
'--uid', str(cls.user1_uid_override),
'--gid', str(cls.user1_gid_override),
'--homedir', '/special-home/{}'.format(cls.user1),
'--shell', '/bin/special'
])
master.run_command([
'ipa', 'idoverridegroup-add', cls.idview, cls.group1,
'--gid', str(cls.group1_gid_override),
])
# ID view overrides don't work on IPA masters
master.run_command([
'ipa', 'idview-apply', cls.idview,
'--hosts', client.hostname
])
# finally restart SSSD to materialize idviews
client.run_command(['systemctl', 'restart', 'sssd.service'])
def _full_backup_restore_with_vault(self, reinstall=False):
with restore_checker(self.master):
# create vault
self.master.run_command([
"ipa", "vault-add",
self.vault_name,
"--password", self.vault_password,
"--type", "symmetric",
])
# archive secret
self.master.run_command([
"ipa", "vault-archive",
self.vault_name,
"--password", self.vault_password,
"--data", self.vault_data,
])
# retrieve secret
self.master.run_command([
"ipa", "vault-retrieve",
self.vault_name,
"--password", self.vault_password,
])
backup_path = backup(self.master)
self.master.run_command(['ipa-server-install',
'--uninstall',
'-U'])
if reinstall:
tasks.install_master(self.master, setup_dns=True)
dirman_password = self.master.config.dirman_password
self.master.run_command(['ipa-restore', backup_path],
stdin_text=dirman_password + '\nyes')
tasks.kinit_admin(self.master)
# retrieve secret after restore
self.master.run_command([
"ipa", "vault-retrieve",
self.vault_name,
"--password", self.vault_password,
])
def test_ssh_leak(self):
"""
Integration test for https://pagure.io/SSSD/sssd/issue/3794
"""
def count_pipes():
res = self.master.run_command(['pidof', 'sssd_ssh'])
pid = res.stdout_text.strip()
proc_path = '/proc/{}/fd'.format(pid)
res = self.master.run_command(['ls', '-la', proc_path])
fds_text = res.stdout_text.strip()
return sum((1 for _ in re.finditer(r'pipe', fds_text)))
test_user = '******'
tasks.kinit_admin(self.master)
self.master.run_command(['ipa', 'user-add', test_user,
'--first=tester', '--last=tester'])
certs = []
# we are ok with whatever certificate for this test
external_ca = ExternalCA()
for _dummy in range(3):
cert = external_ca.create_ca()
cert = tasks.strip_cert_header(cert.decode('utf-8'))
certs.append('"{}"'.format(cert))
cert_args = list(
chain.from_iterable(list(zip(repeat('--certificate'), certs))))
cmd = 'ipa user-add-cert {} {}'.format(test_user, ' '.join(cert_args))
self.master.run_command(cmd)
tasks.clear_sssd_cache(self.master)
num_of_pipes = count_pipes()
for _dummy in range(3):
self.master.run_command([paths.SSS_SSH_AUTHORIZEDKEYS, test_user])
current_num_of_pipes = count_pipes()
assert current_num_of_pipes == num_of_pipes
# cleanup
self.master.run_command(['ipa', 'user-del', test_user])
def test_add_remove_segment(self):
"""
Make sure a topology segment can be manually created and deleted
with the influence on the real topology
Testcase http://www.freeipa.org/page/V4/Manage_replication_topology/
Test_plan#Test_case:_Basic_CRUD_test
"""
tasks.kinit_admin(self.master)
# Install the second replica
tasks.install_replica(self.master, self.replicas[1], setup_ca=False,
setup_dns=False)
# turn a star into a ring
segment, err = tasks.create_segment(self.master,
self.replicas[0],
self.replicas[1])
assert err == "", err
# Make sure the new segment is shown by `ipa topologysegment-find`
result1 = self.master.run_command(['ipa', 'topologysegment-find',
DOMAIN_SUFFIX_NAME]).stdout_text
assert(segment['name'] in result1), (
"%s: segment not found" % segment['name'])
# Remove master <-> replica2 segment and make sure that the changes get
# there through replica1
# Since segment name can be one of master-to-replica2 or
# replica2-to-master, we need to determine the segment name dynamically
deleteme = find_segment(self.master, self.replicas[1])
returncode, error = tasks.destroy_segment(self.master, deleteme)
assert returncode == 0, error
# Wait till replication ends and make sure replica1 does not have
# segment that was deleted on master
master_ldap = self.master.ldap_connect()
tasks.wait_for_replication(master_ldap)
result3 = self.replicas[0].run_command(['ipa', 'topologysegment-find',
DOMAIN_SUFFIX_NAME]).stdout_text
assert(deleteme not in result3), "%s: segment still exists" % deleteme
# Create test data on master and make sure it gets all the way down to
# replica2 through replica1
self.master.run_command(['ipa', 'user-add', 'someuser',
'--first', 'test',
'--last', 'user'])
tasks.wait_for_replication(master_ldap)
result4 = self.replicas[1].run_command(['ipa', 'user-find'])
assert('someuser' in result4.stdout_text), 'User not found: someuser'
def test_topology_updated_on_replica_install_remove(self):
"""
Install and remove a replica and make sure topology information is
updated on all other replicas
Testcase: http://www.freeipa.org/page/V4/Manage_replication_topology/
Test_plan#Test_case:
_Replication_topology_should_be_saved_in_the_LDAP_tree
"""
tasks.kinit_admin(self.master)
result1 = self.master.run_command(
['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME]).stdout_text
segment_name = self.segmentnames_re.findall(result1)[0]
assert (self.master.hostname in segment_name), (
"Segment %s does not contain master hostname" % segment_name)
assert (self.replicas[0].hostname in segment_name), (
"Segment %s does not contain replica hostname" % segment_name)
tasks.install_replica(self.master,
self.replicas[1],
setup_ca=False,
setup_dns=False)
# We need to make sure topology information is consistent across all
# replicas
result2 = self.master.run_command(
['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME])
result3 = self.replicas[0].run_command(
['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME])
result4 = self.replicas[1].run_command(
['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME])
segments = self.tokenize_topologies(result2.stdout_text)
assert (len(segments) == 2), "Unexpected number of segments found"
assert_deepequal(result2.stdout_text, result3.stdout_text)
assert_deepequal(result3.stdout_text, result4.stdout_text)
# Now let's check that uninstalling the replica will update the topology
# info on the rest of replicas.
# first step of uninstallation is removal of the replica on other
# master, then it can be uninstalled. Doing it the other way is also
# possible, but not reliable - some data might not be replicated.
tasks.clean_replication_agreement(self.master, self.replicas[1])
tasks.uninstall_master(self.replicas[1])
result5 = self.master.run_command(
['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME])
num_entries = self.noentries_re.search(result5.stdout_text).group(1)
assert (num_entries == "1"), "Incorrect number of entries displayed"
def test_2fa_disable_single_prompt(self):
"""Test ssh with 2FA when single prompt is disabled.
Test for : https://pagure.io/SSSD/sssd/issue/3264
When [prompting/2fa/sshd] with single_prompt = False is set
then during ssh it should be prompted with given message
for first factor and then for second factor.
This requires paramiko until the 2-prompt sshpass RFE is
fulfilled: https://sourceforge.net/p/sshpass/feature-requests/5/
"""
if self.master.is_fips_mode: # pylint: disable=no-member
pytest.skip("paramiko is not compatible with FIPS mode")
master = self.master
USER2 = 'sshuser2'
sssd_conf_backup = tasks.FileBackup(master, paths.SSSD_CONF)
first_prompt = 'Enter first factor:'
second_prompt = 'Enter second factor:'
add_contents = textwrap.dedent('''
[prompting/2fa/sshd]
single_prompt = False
first_prompt = {0}
second_prompt = {1}
''').format(first_prompt, second_prompt)
set_sssd_conf(master, add_contents)
tasks.create_active_user(master, USER2, PASSWORD)
tasks.kinit_admin(master)
master.run_command(['ipa', 'user-mod', USER2, '--user-auth-type=otp'])
try:
otpuid, totp = add_otptoken(master, USER2, otptype='totp')
master.run_command(['ipa', 'otptoken-show', otpuid])
otpvalue = totp.generate(int(time.time())).decode('ascii')
answers = {first_prompt: PASSWORD, second_prompt: otpvalue}
ssh_2f(master.hostname, USER2, answers)
# check if user listed in output
cmd = self.master.run_command(['semanage', 'login', '-l'])
assert USER2 in cmd.stdout_text
finally:
master.run_command(['ipa', 'user-del', USER2])
self.master.run_command(['semanage', 'login', '-D'])
sssd_conf_backup.restore()
def restore_checker(host):
"""Check that the IPA at host works the same at context enter and exit"""
tasks.kinit_admin(host)
results = []
for check, assert_func in CHECKS:
logger.info('Storing result for %s', check.__name__)
results.append(check(host))
yield
# Wait for SSSD to become online before doing any other check
tasks.wait_for_sssd_domain_status_online(host)
tasks.kinit_admin(host)
for (check, assert_func), expected in zip(CHECKS, results):
logger.info('Checking result for %s', check.__name__)
got = check(host)
assert_func(expected, got)
def test_certmap_match_issue7520(self):
# https://pagure.io/freeipa/issue/7520
tasks.kinit_admin(self.master)
result = self.master.run_command(
['ipa', 'certmap-match', paths.IPA_CA_CRT],
raiseonerr=False
)
assert result.returncode == 1
assert not result.stderr_text
assert "0 users matched" in result.stdout_text
cab64 = self.get_cert_base64(self.master, paths.IPA_CA_CRT)
result = self.master.run_command(
['ipa', 'certmap-match', '--certificate', cab64],
raiseonerr=False
)
assert result.returncode == 1
assert not result.stderr_text
assert "0 users matched" in result.stdout_text
def test_prepare_users(self):
users = {"athena": "p", "euripides": "s"}
temp_pass = '******'
for user in users:
self.master.run_command([
"ipa", "user-add",
"%s" % user, "--first",
"%s" % user, "--last",
"%s" % users[user], '--password'
],
stdin_text="%s\n%s\n" %
(temp_pass, temp_pass))
self.master.run_command(["kdestroy", "-A"])
password = "******"
user_kinit = "%s\n%s\n%s\n" % (temp_pass, password, password)
self.master.run_command(['kinit', user], stdin_text=user_kinit)
self.master.run_command(["kdestroy", "-A"])
tasks.kinit_admin(self.master)
def install(cls, mh):
super(BaseTestLegacyClient, cls).install(mh)
tasks.kinit_admin(cls.master)
password_confirmation = (
cls.master.config.admin_password +
'\n' +
cls.master.config.admin_password
)
cls.master.run_command(['ipa', 'user-add', 'disabledipauser',
'--first', 'disabled',
'--last', 'ipauser',
'--password'],
stdin_text=password_confirmation)
cls.master.run_command(['ipa', 'user-disable', 'disabledipauser'])
cls.ad = cls.ad_domains[0].ads[0]
cls.legacy_client = cls.host_by_role(cls.required_extra_roles[0])
# Determine whether the subdomain AD is available
try:
child_ad = cls.host_by_role(cls.optional_extra_roles[0])
cls.ad_subdomain = '.'.join(
child_ad.hostname.split('.')[1:])
except LookupError:
cls.ad_subdomain = None
# Determine whether the tree domain AD is available
try:
cls.tree_ad = cls.host_by_role(cls.optional_extra_roles[1])
cls.ad_treedomain = '.'.join(
cls.tree_ad.hostname.split('.')[1:])
except LookupError:
cls.ad_treedomain = None
tasks.apply_common_fixes(cls.legacy_client)
for f in cls.backup_files:
tasks.backup_file(cls.legacy_client, f)
def install(cls, mh):
super(BaseTestLegacyClient, cls).install(mh)
tasks.kinit_admin(cls.master)
password_confirmation = (
cls.master.config.admin_password +
'\n' +
cls.master.config.admin_password
)
cls.master.run_command(['ipa', 'user-add', 'disabledipauser',
'--first', 'disabled',
'--last', 'ipauser',
'--password'],
stdin_text=password_confirmation)
cls.master.run_command(['ipa', 'user-disable', 'disabledipauser'])
cls.ad = cls.ad_domains[0].ads[0]
cls.legacy_client = cls.host_by_role(cls.required_extra_roles[0])
# Determine whether the subdomain AD is available
try:
child_ad = cls.host_by_role(cls.optional_extra_roles[0])
cls.ad_subdomain = '.'.join(
child_ad.hostname.split('.')[1:])
except LookupError:
cls.ad_subdomain = None
# Determine whether the tree domain AD is available
try:
cls.tree_ad = cls.host_by_role(cls.optional_extra_roles[1])
cls.ad_treedomain = '.'.join(
cls.tree_ad.hostname.split('.')[1:])
except LookupError:
cls.ad_treedomain = None
tasks.apply_common_fixes(cls.legacy_client)
for f in cls.backup_files:
tasks.backup_file(cls.legacy_client, f)
def install(cls, mh):
super(TestACMEwithExternalCA, cls).install(mh)
# install master with external-ca
result = install_server_external_ca_step1(cls.master)
assert result.returncode == 0
root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport(
cls.master, paths.ROOT_IPA_CSR, ROOT_CA, IPA_CA)
install_server_external_ca_step2(cls.master, ipa_ca_fname,
root_ca_fname)
tasks.kinit_admin(cls.master)
tasks.install_client(cls.master, cls.clients[0])
tasks.config_host_resolvconf_with_master_data(cls.master,
cls.clients[0])
tasks.install_replica(cls.master, cls.replicas[0])
tasks.config_host_resolvconf_with_master_data(cls.master,
cls.replicas[0])
def test_ccache_sweep_expired(self, reset_to_default_policy):
"""Test that the ccache sweeper works on expired ccaches
- Force wipe all existing ccaches
- Set the ticket policy to a short value, 20 seconds.
- Do a series of kinit, ipa command, kdestroy to generate ccaches
- sleep() for expiration
- Run the sweeper
- Verify that all expired ccaches are gone
"""
MAXLIFE = 20
reset_to_default_policy(self.master) # this will reset at END of test
tasks.kinit_admin(self.master)
self.master.run_command(
['ipa', 'krbtpolicy-mod', '--maxlife', str(MAXLIFE)]
)
tasks.kdestroy_all(self.master)
self.master.run_command(
['find', paths.IPA_CCACHES, '-type', 'f', '-delete']
)
for _i in range(5):
tasks.kinit_admin(self.master)
self.master.run_command(['ipa', 'user-show', 'admin'])
tasks.kdestroy_all(self.master)
result = self.master.run_command(
"ls -1 {0} | wc -l".format(paths.IPA_CCACHES)
)
assert int(result.stdout_text.strip()) == 5
# let ccache expire
time.sleep(MAXLIFE)
ccache_sweep_cmd = ["/usr/libexec/ipa/ipa-ccache-sweeper", "-m", "0"]
# should be run as ipaapi for GSSProxy
self.master.run_command(
["runuser", "-u", IPAAPI_USER, "--"] + ccache_sweep_cmd
)
result = self.master.run_command(
"ls -1 {0} | wc -l".format(paths.IPA_CCACHES)
)
assert int(result.stdout_text.strip()) == 0
def test_establish_nonexternal_treedomain_trust(self):
tasks.configure_dns_for_trust(self.master, self.ad, self.tree_ad)
try:
tasks.kinit_admin(self.master)
result = self.master.run_command(
[
'ipa', 'trust-add', '--type', 'ad', self.ad_treedomain,
'--admin', 'Administrator', '--password', '--range-type',
'ipa-ad-trust'
],
stdin_text=self.master.config.ad_admin_password,
raiseonerr=False)
assert result != 0
assert ("Domain '{0}' is not a root domain".format(
self.ad_treedomain) in result.stderr_text)
finally:
tasks.unconfigure_dns_for_trust(self.master, self.ad, self.tree_ad)
def test_aes_sha_kerberos_enctypes(self):
"""Test AES SHA 256 and 384 Kerberos enctypes enabled
AES SHA 256 and 384-bit enctypes supported by MIT kerberos but
was not enabled in IPA. This test is to check if these types are
enabled.
related: https://pagure.io/freeipa/issue/8110
"""
tasks.kinit_admin(self.master)
dn = DN(("cn", self.master.domain.realm), ("cn", "kerberos"),
realm_to_suffix(self.master.domain.realm))
result = tasks.ldapsearch_dm(self.master,
str(dn), ["krbSupportedEncSaltTypes"],
scope="base")
assert "aes128-sha2:normal" in result.stdout_text
assert "aes128-sha2:special" in result.stdout_text
assert "aes256-sha2:normal" in result.stdout_text
assert "aes256-sha2:special" in result.stdout_text
def test_certmap_match_issue7520(self):
# https://pagure.io/freeipa/issue/7520
tasks.kinit_admin(self.master)
result = self.master.run_command(
['ipa', 'certmap-match', paths.IPA_CA_CRT],
raiseonerr=False
)
assert result.returncode == 1
assert not result.stderr_text
assert "0 users matched" in result.stdout_text
cab64 = self.get_cert_base64(self.master, paths.IPA_CA_CRT)
result = self.master.run_command(
['ipa', 'certmap-match', '--certificate', cab64],
raiseonerr=False
)
assert result.returncode == 1
assert not result.stderr_text
assert "0 users matched" in result.stdout_text
def test_ext_grp_with_ldap(self):
"""User and group with same name should not break reading AD user data.
Regression test for https://pagure.io/SSSD/sssd/issue/4073
When aduser is added in extrnal group and this group is added
in group with same name of nonprivate ipa user and possix id, then
lookup of aduser and group should be successful when cache is empty.
"""
cmd = self.master.run_command(['sssd', '--version'])
sssd_version = platform_tasks.parse_ipa_version(
cmd.stdout_text.strip())
if sssd_version <= platform_tasks.parse_ipa_version('2.2.2'):
pytest.skip("Fix for https://pagure.io/SSSD/sssd/issue/4073 "
"unavailable with sssd-2.2.2")
client = self.clients[0]
user = '******'
userid = '100996'
ext_group = 'ext-ipatest'
tasks.kinit_admin(self.master)
# add user with same uid and gidnumber
tasks.user_add(
self.master,
user,
extra_args=['--noprivate', '--uid', userid, '--gidnumber', userid])
# add group with same as user_name and user_id.
tasks.group_add(self.master, user, extra_args=['--gid', userid])
tasks.group_add(self.master, ext_group, extra_args=['--external'])
self.master.run_command(
['ipa', 'group-add-member', '--group', ext_group, user])
self.master.run_command([
'ipa', '-n', 'group-add-member', '--external',
self.users['ad']['name'], ext_group
])
tasks.clear_sssd_cache(self.master)
tasks.clear_sssd_cache(client)
try:
result = client.run_command(['id', self.users['ad']['name']])
assert '{uid}({name})'.format(uid=userid,
name=user) in result.stdout_text
finally:
self.master.run_command(['ipa', 'user-del', user])
self.master.run_command(['ipa', 'group-del', user, ext_group])
def _full_backup_and_restore_with_DNSSEC_zone(self, reinstall=False):
with restore_checker(self.master):
self.master.run_command([
'ipa', 'dnszone-add',
self.example_test_zone,
'--dnssec', 'true',
])
assert (
wait_until_record_is_signed(
self.master.ip, self.example_test_zone)
), "Zone is not signed"
backup_path = backup(self.master)
self.master.run_command(['ipa-server-install',
'--uninstall',
'-U'])
if reinstall:
tasks.install_master(self.master, setup_dns=True)
dirman_password = self.master.config.dirman_password
self.master.run_command(['ipa-restore', backup_path],
stdin_text=dirman_password + '\nyes')
assert (
wait_until_record_is_signed(
self.master.ip, self.example_test_zone)
), "Zone is not signed after restore"
tasks.kinit_admin(self.master)
self.master.run_command([
'ipa', 'dnszone-add',
self.example2_test_zone,
'--dnssec', 'true',
])
assert (
wait_until_record_is_signed(
self.master.ip, self.example2_test_zone)
), "A new zone is not signed"
def test_auth_sudo_idp(self):
"""
Test case to check that sudorule is working as
expected for user configured with external idp.
"""
tasks.kdestroy_all(self.master)
tasks.kinit_admin(self.master)
# rule: keycloakuser are allowed to execute yum on
# the client machine as root.
cmdlist = [
["ipa", "sudocmd-add", "/usr/bin/yum"],
["ipa", "sudorule-add", "sudorule"],
['ipa', 'sudorule-add-user', '--users=keycloakuser',
'sudorule'],
['ipa', 'sudorule-add-host', '--hosts',
self.client.hostname, 'sudorule'],
['ipa', 'sudorule-add-runasuser',
'--users=root', 'sudorule'],
['ipa', 'sudorule-add-allow-command',
'--sudocmds=/usr/bin/yum', 'sudorule'],
['ipa', 'sudorule-show', 'sudorule', '--all'],
['ipa', 'sudorule-add-option',
'sudorule', '--sudooption', "!authenticate"]
]
for cmd in cmdlist:
self.master.run_command(cmd)
tasks.clear_sssd_cache(self.master)
tasks.clear_sssd_cache(self.client)
try:
cmd = 'sudo -ll -U keycloakuser'
test = self.client.run_command(cmd).stdout_text
assert "User keycloakuser may run the following commands" in test
assert "/usr/bin/yum" in test
kinit_idp(self.client, 'keycloakuser', self.client)
test_sudo = 'su -c "sudo yum list wget" keycloakuser'
self.client.run_command(test_sudo)
list_fail = self.master.run_command(cmd).stdout_text
assert "User keycloakuser is not allowed to run sudo" in list_fail
finally:
tasks.kinit_admin(self.master)
self.master.run_command(['ipa', 'sudorule-del', 'sudorule'])
self.master.run_command(["ipa", "sudocmd-del", "/usr/bin/yum"])
def test_ipa_getcert_san_aci(self):
"""Test for DNS and IP SAN extensions + ACIs
"""
hostname = self.clients[0].hostname
certfile = '/etc/pki/tls/certs/test2.pem'
tasks.kinit_admin(self.master)
name, zone = hostname.split('.', 1)
self.master.run_command(['ipa', 'dnsrecord-show', zone, name])
tasks.kdestroy_all(self.master)
cmd_arg = [
'ipa-getcert',
'request',
'-v',
'-w',
'-f',
certfile,
'-k',
'/etc/pki/tls/private/test2.key',
'-K',
f'test/{hostname}',
'-D',
hostname,
'-A',
self.clients[0].ip,
]
result = self.clients[0].run_command(cmd_arg)
request_id = re.findall(r'\d+', result.stdout_text)
# check if certificate is in MONITORING state
status = tasks.wait_for_request(self.clients[0], request_id[0], 50)
assert status == "MONITORING"
certdata = self.clients[0].get_file_contents(certfile)
cert = x509.load_pem_x509_certificate(certdata, default_backend())
ext = cert.extensions.get_extension_for_oid(
ExtensionOID.SUBJECT_ALTERNATIVE_NAME)
dnsnames = ext.value.get_values_for_type(x509.DNSName)
assert dnsnames == [self.clients[0].hostname]
ipaddrs = ext.value.get_values_for_type(x509.IPAddress)
assert ipaddrs == [ipaddress.ip_address(self.clients[0].ip)]
def _full_backup_restore_with_DNS_zone(self, reinstall=False):
"""backup, uninstall, restore.
Test for bug https://pagure.io/freeipa/issue/7630.
"""
with restore_checker(self.master):
self.master.run_command([
'ipa', 'dnszone-add',
self.example_test_zone,
])
tasks.resolve_record(self.master.ip, self.example_test_zone)
backup_path = tasks.get_backup_dir(self.master)
self.master.run_command(['ipa-server-install',
'--uninstall',
'-U'])
tasks.uninstall_packages(self.master, ['*ipa-server-dns'])
dirman_password = self.master.config.dirman_password
result = self.master.run_command(
['ipa-restore', backup_path],
stdin_text=dirman_password + '\nyes',
raiseonerr=False)
assert 'Please install the package' in result.stderr_text
tasks.install_packages(self.master, ['*ipa-server-dns'])
if reinstall:
tasks.install_master(self.master, setup_dns=True)
self.master.run_command(['ipa-restore', backup_path],
stdin_text=dirman_password + '\nyes')
tasks.resolve_record(self.master.ip, self.example_test_zone)
tasks.kinit_admin(self.master)
self.master.run_command([
'ipa', 'dnszone-add',
self.example2_test_zone,
])
tasks.resolve_record(self.master.ip, self.example2_test_zone)
def test_idp_backup_restore(self):
"""
Test case to check that after restore data is retrieved
with related idp configuration.
"""
tasks.kinit_admin(self.master)
user = "******"
cmd = ["ipa", "idp-add", "testidp", "--provider=keycloak",
"--client-id=ipa_oidc_client", "--org=master",
"--base-url={0}:8443/auth".format(self.client.hostname)]
self.master.run_command(cmd, stdin_text="{0}\n{0}".format(
self.client.config.admin_password))
tasks.user_add(self.master, user,
extra_args=["--user-auth-type=idp",
"[email protected]",
"--idp=testidp"]
)
backup_path = tasks.get_backup_dir(self.master)
# change data after backup
self.master.run_command(['ipa', 'user-del', user])
self.master.run_command(['ipa', 'idp-del', 'testidp'])
dirman_password = self.master.config.dirman_password
self.master.run_command(['ipa-restore', backup_path],
stdin_text=dirman_password + '\nyes')
try:
list_user = self.master.run_command(
['ipa', 'user-show', 'backupuser', '--all']
).stdout_text
assert "External IdP configuration: testidp" in list_user
assert "User authentication types: idp" in list_user
assert ("External IdP user identifier: "
"*****@*****.**") in list_user
list_idp = self.master.run_command(['ipa', 'idp-find', 'testidp'])
assert "testidp" in list_idp.stdout_text
kinit_idp(self.master, user, self.client)
finally:
tasks.kdestroy_all(self.master)
tasks.kinit_admin(self.master)
self.master.run_command(["rm", "-rf", backup_path])
self.master.run_command(["ipa", "idp-del", "testidp"])
def _full_backup_and_restore_with_DNSSEC_zone(self, reinstall=False):
with restore_checker(self.master):
self.master.run_command([
'ipa', 'dnszone-add',
self.example_test_zone,
'--dnssec', 'true',
])
assert (
wait_until_record_is_signed(
self.master.ip, self.example_test_zone)
), "Zone is not signed"
backup_path = tasks.get_backup_dir(self.master)
self.master.run_command(['ipa-server-install',
'--uninstall',
'-U'])
if reinstall:
tasks.install_master(self.master, setup_dns=True)
dirman_password = self.master.config.dirman_password
self.master.run_command(['ipa-restore', backup_path],
stdin_text=dirman_password + '\nyes')
assert (
wait_until_record_is_signed(
self.master.ip, self.example_test_zone)
), "Zone is not signed after restore"
tasks.kinit_admin(self.master)
self.master.run_command([
'ipa', 'dnszone-add',
self.example2_test_zone,
'--dnssec', 'true',
])
assert (
wait_until_record_is_signed(
self.master.ip, self.example2_test_zone)
), "A new zone is not signed"
def install(cls, mh):
cls.username = '******'
tasks.install_master(cls.master, domain_level=cls.domain_level)
password = cls.master.config.dirman_password
cls.new_password = '******'
adduser_stdin_text = "%s\n%s\n" % (cls.master.config.admin_password,
cls.master.config.admin_password)
user_kinit_stdin_text = "%s\n%s\n%s\n" % (password, cls.new_password,
cls.new_password)
tasks.kinit_admin(cls.master)
cls.master.run_command([
'ipa', 'user-add', cls.username, '--password', '--first', 'John',
'--last', 'Donn'
],
stdin_text=adduser_stdin_text)
# Now we need to change the password for the user
cls.master.run_command(['kinit', cls.username],
stdin_text=user_kinit_stdin_text)
# And again kinit admin
tasks.kinit_admin(cls.master)
def test_hidden_replica_backup_and_restore(self):
"""Exercises backup+restore and hidden replica uninstall
"""
self._check_server_role(self.replicas[0], 'hidden')
# backup
backup_path = tasks.get_backup_dir(self.replicas[0])
# uninstall
tasks.uninstall_master(self.replicas[0])
# restore
dirman_password = self.master.config.dirman_password
self.replicas[0].run_command(['ipa-restore', backup_path],
stdin_text=dirman_password + '\nyes')
tasks.kinit_admin(self.master)
tasks.kinit_admin(self.replicas[0])
# restore turns a hidden replica into an enabled replica
# https://pagure.io/freeipa/issue/7894
self._check_config([self.master, self.replicas[0]])
self._check_server_role(self.replicas[0], 'enabled')
def test_hidden_replica_backup_and_restore(self):
"""Exercises backup+restore and hidden replica uninstall
"""
self._check_server_role(self.replicas[0], 'hidden')
# backup
backup_path = backup(self.replicas[0])
# uninstall
tasks.uninstall_master(self.replicas[0])
# restore
dirman_password = self.master.config.dirman_password
self.replicas[0].run_command(['ipa-restore', backup_path],
stdin_text=dirman_password + '\nyes')
# give replication some time
time.sleep(5)
tasks.kinit_admin(self.replicas[0])
# FIXME: restore turns hidden replica into enabled replica
self._check_config([self.master, self.replicas[0]])
self._check_server_role(self.replicas[0], 'enabled')
def install(cls, mh):
super(TestOTPToken, cls).install(mh)
master = cls.master
tasks.kinit_admin(master)
# create service with OTP auth indicator
cls.service_name = f"otponly/{master.hostname}"
master.run_command(
["ipa", "service-add", cls.service_name, "--auth-ind=otp"]
)
# service needs a keytab before user can acquire a ticket for it
keytab = "/tmp/otponly.keytab"
master.run_command(
["ipa-getkeytab", "-p", cls.service_name, "-k", keytab]
)
master.run_command(["rm", "-f", keytab])
tasks.create_active_user(master, USER, PASSWORD)
tasks.kinit_admin(master)
master.run_command(["ipa", "user-mod", USER, "--user-auth-type=otp"])
def test_establish_trust(self):
""" Tests establishing non-external trust with Active Directory """
self.master.run_command(['kinit', '-kt', paths.HTTP_KEYTAB,
'HTTP/%s' % self.master.hostname])
self.master.run_command(['systemctl', 'restart', 'krb5kdc.service'])
self.master.run_command(['kdestroy', '-A'])
tasks.kinit_admin(self.master)
self.master.run_command(['klist'])
self.master.run_command(['smbcontrol', 'all', 'debug', '100'])
result = self.master.run_command([
'ipa', 'trust-add', '--type', 'ad', self.ad_treedomain, '--admin',
'Administrator', '--password', '--range-type', 'ipa-ad-trust'
], stdin_text=self.master.config.ad_admin_password,
raiseonerr=False)
assert result != 0
assert ("Domain '{0}' is not a root domain".format(
self.ad_treedomain) in result.stderr_text)
def test_password_login_as_aduser(self):
"""Test if AD user can login with password to Web UI"""
ad_admin = 'Administrator@%s' % self.ad_domain
tasks.kdestroy_all(self.master)
user_and_password = ('user=%s&password=%s' %
(ad_admin, self.master.config.ad_admin_password))
host = self.master.hostname
cmd_args = [
paths.BIN_CURL,
'-v',
'-H', 'referer:https://{}/ipa'.format(host),
'-H', 'Content-Type:application/x-www-form-urlencoded',
'-H', 'Accept:text/plain',
'--cacert', paths.IPA_CA_CRT,
'--data', user_and_password,
'https://{}/ipa/session/login_password'.format(host)]
result = self.master.run_command(cmd_args)
assert "Set-Cookie: ipa_session=MagBearerToken" in result.stderr_text
tasks.kinit_admin(self.master)
def test_cert_find_issue7520(self):
# https://pagure.io/freeipa/issue/7520
tasks.kinit_admin(self.master)
subject = 'CN=Certificate Authority,O={}'.format(
self.master.domain.realm)
# by cert file
result = self.master.run_command(
['ipa', 'cert-find', '--file', paths.IPA_CA_CRT]
)
assert subject in result.stdout_text
assert '1 certificate matched' in result.stdout_text
# by base64 cert
cab64 = self.get_cert_base64(self.master, paths.IPA_CA_CRT)
result = self.master.run_command(
['ipa', 'cert-find', '--certificate', cab64]
)
assert subject in result.stdout_text
assert '1 certificate matched' in result.stdout_text
def test_sudorules_ad_groups(self):
"""Verify trusted domain groups can be added to sudorules"""
tasks.kdestroy_all(self.master)
tasks.kinit_admin(self.master)
testuser = '******' % (self.master.config.ad_admin_name, self.ad_domain)
testgroup = 'Enterprise Admins@%s' % self.ad_domain
expected = "(root) NOPASSWD: ALL"
with self.check_sudorules_for("group", testuser, testuser,
expected) as sudorule:
# Remove the user and instead add a group
self.master.run_command([
'ipa', 'sudorule-remove-user', sudorule.name, '--users',
sudorule.user
])
self.master.run_command([
'ipa', 'sudorule-add-user', sudorule.name, '--groups',
testgroup
])
def test_replica_after_domain_upgrade(self):
tasks.kinit_admin(self.master)
tasks.kinit_admin(self.replicas[0])
self.master.run_command([
'ipa', 'user-add', self.username, '--first', 'test', '--last',
'user'
])
tasks.wait_for_replication(self.replicas[0].ldap_connect())
self.master.run_command(
['ipa', 'domainlevel-set',
str(DOMAIN_LEVEL_1)])
result = self.replicas[0].run_command(
['ipa', 'user-show', self.username])
assert ("User login: %s" % self.username in result.stdout_text), (
"A testuser was not found on replica after domain upgrade")
self.replicas[0].run_command(['ipa', 'user-del', self.username])
tasks.wait_for_replication(self.master.ldap_connect())
result1 = self.master.run_command(['ipa', 'user-show', self.username],
raiseonerr=False)
assert_error(result1, "%s: user not found" % self.username, 2)
def test_external_group_member_mismatch(self, user_origin):
"""Prevent adding IPA objects as external group external members
External groups must only allow adding non-IPA objects as external
members in 'ipa group-add-member foo --external bar'.
"""
master = self.master
tasks.clear_sssd_cache(master)
tasks.kinit_admin(master)
master.run_command(['ipa', 'group-add', '--external', 'ext-ipatest'])
try:
master.run_command([
'ipa', '-n', 'group-add-member', 'ext-ipatest', '--external',
self.users[user_origin]['name']
])
except subprocess.CalledProcessError:
# Only 'ipa' origin should throw a validation error
assert user_origin == 'ipa'
finally:
master.run_command(['ipa', 'group-del', 'ext-ipatest'])
def test_cert_find_issue7520(self):
# https://pagure.io/freeipa/issue/7520
tasks.kinit_admin(self.master)
subject = 'CN=Certificate Authority,O={}'.format(
self.master.domain.realm)
# by cert file
result = self.master.run_command(
['ipa', 'cert-find', '--file', paths.IPA_CA_CRT]
)
assert subject in result.stdout_text
assert '1 certificate matched' in result.stdout_text
# by base64 cert
cab64 = self.get_cert_base64(self.master, paths.IPA_CA_CRT)
result = self.master.run_command(
['ipa', 'cert-find', '--certificate', cab64]
)
assert subject in result.stdout_text
assert '1 certificate matched' in result.stdout_text
def test_topology_updated_on_replica_install_remove(self):
"""
Install and remove a replica and make sure topology information is
updated on all other replicas
Testcase: http://www.freeipa.org/page/V4/Manage_replication_topology/
Test_plan#Test_case:
_Replication_topology_should_be_saved_in_the_LDAP_tree
"""
tasks.kinit_admin(self.master)
result1 = self.master.run_command(['ipa', 'topologysegment-find',
DOMAIN_SUFFIX_NAME]).stdout_text
segment_name = self.segmentnames_re.findall(result1)[0]
assert(self.master.hostname in segment_name), (
"Segment %s does not contain master hostname" % segment_name)
assert(self.replicas[0].hostname in segment_name), (
"Segment %s does not contain replica hostname" % segment_name)
tasks.install_replica(self.master, self.replicas[1], setup_ca=False,
setup_dns=False)
# We need to make sure topology information is consistent across all
# replicas
result2 = self.master.run_command(['ipa', 'topologysegment-find',
DOMAIN_SUFFIX_NAME])
result3 = self.replicas[0].run_command(['ipa', 'topologysegment-find',
DOMAIN_SUFFIX_NAME])
result4 = self.replicas[1].run_command(['ipa', 'topologysegment-find',
DOMAIN_SUFFIX_NAME])
segments = self.tokenize_topologies(result2.stdout_text)
assert(len(segments) == 2), "Unexpected number of segments found"
assert_deepequal(result2.stdout_text, result3.stdout_text)
assert_deepequal(result3.stdout_text, result4.stdout_text)
# Now let's check that uninstalling the replica will update the topology
# info on the rest of replicas.
# first step of uninstallation is removal of the replica on other
# master, then it can be uninstalled. Doing it the other way is also
# possible, but not reliable - some data might not be replicated.
tasks.clean_replication_agreement(self.master, self.replicas[1])
tasks.uninstall_master(self.replicas[1])
result5 = self.master.run_command(['ipa', 'topologysegment-find',
DOMAIN_SUFFIX_NAME])
num_entries = self.noentries_re.search(result5.stdout_text).group(1)
assert(num_entries == "1"), "Incorrect number of entries displayed"
def test_krbtpolicy_otp(self):
"""Test otp ticket policy"""
master = self.master
tasks.kinit_admin(self.master)
master.run_command(['ipa', 'user-mod', USER1,
'--user-auth-type', 'otp'])
master.run_command(['ipa', 'config-mod',
'--user-auth-type', 'otp'])
master.run_command(['ipa', 'krbtpolicy-mod', USER1,
'--otp-maxrenew=90', '--otp-maxlife=60'])
armor = tasks.create_temp_file(self.master, create_file=False)
otpuid, totp = add_otptoken(master, USER1, otptype="totp")
otpvalue = totp.generate(int(time.time())).decode("ascii")
try:
tasks.kdestroy_all(master)
# create armor for FAST
master.run_command(['kinit', '-n', '-c', armor])
# expect ticket expire in otp-maxlife=60 seconds
master.run_command(
['kinit', '-T', armor, USER1, '-r', '90'],
stdin_text='{0}{1}\n'.format(PASSWORD, otpvalue))
master.run_command(['ipa', 'user-find', USER1])
time.sleep(30)
# when user kerberos ticket expired but still within renew time,
# kinit -R should give user new life
master.run_command(['kinit', '-R', USER1])
master.run_command(['ipa', 'user-find', USER1])
time.sleep(60)
# when renew time expires, kinit -R should fail
result1 = master.run_command(['kinit', '-R', USER1],
raiseonerr=False)
tasks.assert_error(
result1,
"kinit: Ticket expired while renewing credentials", 1)
master.run_command(['ipa', 'user-find', USER1],
ok_returncode=1)
finally:
del_otptoken(master, otpuid)
reset_to_default_policy(master, USER1)
self.master.run_command(['rm', '-f', armor])
master.run_command(['ipa', 'config-mod', '--user-auth-type='])
def nested_group_setup(self, tmpdir):
"""Setup and Clean up groups and user created"""
master = self.master
client = self.clients[0]
# add a user and set password
tasks.create_active_user(master, self.username, self.userpasswd)
tasks.kinit_admin(master)
privkey, pubkey = tasks.generate_ssh_keypair()
with open(os.path.join(tmpdir, 'ssh_priv_key'), 'w') as fp:
fp.write(privkey)
master.run_command(
['ipa', 'user-mod', self.username, '--ssh', "{}".format(pubkey)])
master.put_file_contents('/tmp/user_ssh_priv_key', privkey)
master.run_command(['chmod', '600', '/tmp/user_ssh_priv_key'])
# add group groupa
cmd_output = master.run_command(['ipa', 'group-add', 'groupa'])
assert 'Added group "groupa"' in cmd_output.stdout_text
# add group groupb
cmd_output = master.run_command(['ipa', 'group-add', 'groupb'])
assert 'Added group "groupb"' in cmd_output.stdout_text
# add group groupc
cmd_output = master.run_command(['ipa', 'group-add', 'groupc'])
assert 'Added group "groupc"' in cmd_output.stdout_text
client.put_file_contents('/tmp/user_ssh_priv_key', privkey)
client.run_command(['chmod', '600', '/tmp/user_ssh_priv_key'])
yield
# test cleanup
for group in ['groupa', 'groupb', 'groupc']:
self.master.run_command(['ipa', 'group-del', group, '--continue'])
self.master.run_command(
['ipa', 'user-del', self.username, '--no-preserve', '--continue'])
tasks.kdestroy_all(self.master)
tasks.kdestroy_all(self.clients[0])
def test_user_add_withradius(self):
"""
Test that a user with User Administrator role can call
ipa user-add --radius myradius
to create a user with an assigned Radius Proxy Server.
This is a test case for issue 7570
"""
# kinit admin
tasks.kinit_admin(self.master)
# Create a radius proxy server
radiusproxy = 'myradius'
secret = 'Secret123'
radius_secret_confirmation = "%s\n%s\n" % (secret, secret)
self.master.run_command(
['ipa', 'radiusproxy-add', radiusproxy,
'--server', 'radius.example.com', '--secret'],
stdin_text=radius_secret_confirmation)
# Create a user with 'User Administrator' role
altuser = '******'
password = '******'
password_confirmation = "%s\n%s\n" % (password, password)
self.master.run_command(
['ipa', 'user-add', altuser, '--first', altuser, '--last', altuser,
'--password'],
stdin_text=password_confirmation)
self.master.run_command(
['ipa', 'role-add-member', "User Administrator",
'--user', altuser])
# kinit as altuser to initialize the password
altuser_kinit = "%s\n%s\n%s\n" % (password, password, password)
self.master.run_command(['kinit', altuser], stdin_text=altuser_kinit)
# call ipa user-add with --radius=...
# this call requires read access to radius proxy servers
self.master.run_command(
['ipa', 'user-add', '--first', 'test', '--last', 'test',
'--user-auth-type', 'radius', '--radius-username', 'testradius',
'testradius', '--radius', radiusproxy])
def test_find_by_member_manager(self):
master = self.master
tasks.kinit_admin(master)
result = master.run_command([
'ipa', 'group-find', '--membermanager-users', USER_MM
])
assert GROUP1 in result.stdout_text
result = master.run_command([
'ipa', 'group-find', '--membermanager-groups', GROUP_INDIRECT
])
assert GROUP1 in result.stdout_text
result = master.run_command(
[
'ipa', 'group-find', '--membermanager-users', USER1
],
raiseonerr=False
)
assert result.returncode == 1
assert "0 groups matched" in result.stdout_text
result = master.run_command([
'ipa', 'hostgroup-find', '--membermanager-users', USER_MM
])
assert HOSTGROUP1 in result.stdout_text
result = master.run_command([
'ipa', 'hostgroup-find', '--membermanager-groups', GROUP_INDIRECT
])
assert HOSTGROUP1 in result.stdout_text
result = master.run_command(
[
'ipa', 'hostgroup-find', '--membermanager-users', USER1
],
raiseonerr=False
)
assert result.returncode == 1
assert "0 hostgroups matched" in result.stdout_text
def test_fake_mname_param(self):
"""Test that fake_mname param is set using dnsserver-mod option.
Test for BZ 1488732 which checks that --soa-mname-override option
from dnsserver-mod sets the fake_mname.
"""
tasks.kinit_admin(self.master)
self.master.run_command(['ipa', 'dnsserver-mod', self.master.hostname,
'--soa-mname-override', 'fake'])
tasks.restart_named(self.master)
cmd = self.master.run_command(['dig', '+short', '-t', 'SOA',
self.master.domain.name])
assert 'fake' in cmd.stdout_text
# reverting the fake_mname change to check it is reverted correctly
self.master.run_command(['ipa', 'dnsserver-mod', self.master.hostname,
'--soa-mname-override', ''])
tasks.restart_named(self.master)
cmd = self.master.run_command(['dig', '+short', '-t', 'SOA',
self.master.domain.name])
assert 'fake' not in cmd.stdout_text
def test_selinux_user_optimized(self):
"""
Check that SELinux login context is set on first login for the
user, even if the user is not mapped to a specific SELinux user.
Related ticket https://pagure.io/SSSD/sssd/issue/3819.
"""
# Scenario: add an IPA user with non-default home dir, login through
# ssh as this user and check that there is a SELinux user mapping
# for the user with `semanage login -l`.
# kinit admin
tasks.kinit_admin(self.master)
testuser = '******'
password = '******'
testuser_password_confirmation = "%s\n%s\n" % (password,
password)
self.master.run_command(['ipa', 'user-add', testuser,
'--first', testuser,
'--last', testuser,
'--password',
'--homedir',
'/root/{}'.format(testuser)],
stdin_text=testuser_password_confirmation)
# login to the system
client = paramiko.SSHClient()
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
client.connect(self.master.hostname,
username=testuser,
password=password)
client.close()
# check if user listed in output
cmd = self.master.run_command(['semanage', 'login', '-l'])
assert testuser in cmd.stdout_text
# call ipa user-del
self.master.run_command(['ipa', 'user-del', testuser])
