freeipa/ipatests/test_integration/test_http_kdc_proxy.py

#
# Copyright (C) 2016  FreeIPA Contributors see COPYING for license
#

from __future__ import absolute_import

import six
from ipatests.pytest_ipa.integration import tasks
from ipatests.pytest_ipa.integration.firewall import Firewall
from ipatests.test_integration.base import IntegrationTest
from ipaplatform.paths import paths


if six.PY3:
    unicode = str


class TestHttpKdcProxy(IntegrationTest):
    topology = "line"
    num_clients = 1
    # Firewall rules without --append/-A, --delete/-D, .. First entry of
    # each rule is the chain name, the argument to add or delete the rule
    # will be added by the used Firewall method. See firewall.py for more
    # information.
    fw_rules = [['OUTPUT', '-p', 'tcp', '--dport', '88', '-j', 'DROP'],
                ['OUTPUT', '-p', 'udp', '--dport', '88', '-j', 'DROP']]

    @classmethod
    def install(cls, mh):
        super(TestHttpKdcProxy, cls).install(mh)
        # Block access from client to master's port 88
        Firewall(cls.clients[0]).prepend_passthrough_rules(cls.fw_rules)
        # configure client
        cls.clients[0].run_command(
            r"sed -i 's/ kdc = .*$/ kdc = https:\/\/%s\/KdcProxy/' %s" % (
                cls.master.hostname, paths.KRB5_CONF)
            )
        cls.clients[0].run_command(
            r"sed -i 's/master_kdc = .*$/master_kdc"
            r" = https:\/\/%s\/KdcProxy/' %s" % (
                cls.master.hostname, paths.KRB5_CONF)
            )
        # Workaround for https://fedorahosted.org/freeipa/ticket/6443
        cls.clients[0].run_command(['systemctl', 'restart', 'sssd.service'])
        # End of workaround

    @classmethod
    def uninstall(cls, mh):
        super(TestHttpKdcProxy, cls).uninstall(mh)
        Firewall(cls.clients[0]).remove_passthrough_rules(cls.fw_rules)

    def test_http_kdc_proxy_works(self):
        result = tasks.kinit_admin(self.clients[0], raiseonerr=False)
        assert(result.returncode == 0), (
            "Unable to kinit using KdcProxy: %s" % result.stderr_text
            )
Test: basic kerberos over http functionality https://fedorahosted.org/freeipa/ticket/6446 Reviewed-By: Milan Kubik <mkubik@redhat.com> 2016-11-01 03:25:16 -05:00			`#`
			`# Copyright (C) 2016 FreeIPA Contributors see COPYING for license`
			`#`

Add absolute_import future imports Add absolute_import from __future__ so that pylint does not fail and to achieve python3 behavior in python2. Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 2018-04-05 02:21:16 -05:00			`from __future__ import absolute_import`

Test: basic kerberos over http functionality https://fedorahosted.org/freeipa/ticket/6446 Reviewed-By: Milan Kubik <mkubik@redhat.com> 2016-11-01 03:25:16 -05:00			`import six`
Rename pytest_plugins to ipatests.pytest_ipa pytest 3.7.0 doesn't like ipatests.pytest_plugins package. The string "pytest_plugins" is used as marker to load plugins. By populare vote and to avoid future conflicts, we decided to rename the directory to pytest_ipa. Fixes: https://pagure.io/freeipa/issue/7663 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 2018-08-02 06:45:19 -05:00			`from ipatests.pytest_ipa.integration import tasks`
ipatests/test_integration/test_http_kdc_proxy.py: Use new firewall import Instead of using ip[6]tables commands, use new firewall class to deny access to TCP and UDP port 88 on external machines using the OUTPUT chain. The iptables calls in the install method are replaced by a prepend_passthrough_rules call with the rules defined in the class. The firewall rules are defined in the class as fw_rules without --append/-A, --delete/-D, .. First entry of each rule is the chain name, the argument to add or delete the rule will be added by the used Firewall method. See firewall.py for more information. The "iptables -F" call (IPv4 only) in the uninstall method is replaced by a remove_passthrough_rules call with the rules defined in the class. See: https://pagure.io/freeipa/issue/7755 Signed-off-by: Thomas Woerner <twoerner@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Armando Neto <abiagion@redhat.com> 2018-11-09 04:24:59 -06:00			`from ipatests.pytest_ipa.integration.firewall import Firewall`
Test: basic kerberos over http functionality https://fedorahosted.org/freeipa/ticket/6446 Reviewed-By: Milan Kubik <mkubik@redhat.com> 2016-11-01 03:25:16 -05:00			`from ipatests.test_integration.base import IntegrationTest`
			`from ipaplatform.paths import paths`


			`if six.PY3:`
			`unicode = str`


			`class TestHttpKdcProxy(IntegrationTest):`
			`topology = "line"`
			`num_clients = 1`
ipatests/test_integration/test_http_kdc_proxy.py: Use new firewall import Instead of using ip[6]tables commands, use new firewall class to deny access to TCP and UDP port 88 on external machines using the OUTPUT chain. The iptables calls in the install method are replaced by a prepend_passthrough_rules call with the rules defined in the class. The firewall rules are defined in the class as fw_rules without --append/-A, --delete/-D, .. First entry of each rule is the chain name, the argument to add or delete the rule will be added by the used Firewall method. See firewall.py for more information. The "iptables -F" call (IPv4 only) in the uninstall method is replaced by a remove_passthrough_rules call with the rules defined in the class. See: https://pagure.io/freeipa/issue/7755 Signed-off-by: Thomas Woerner <twoerner@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Armando Neto <abiagion@redhat.com> 2018-11-09 04:24:59 -06:00			`# Firewall rules without --append/-A, --delete/-D, .. First entry of`
			`# each rule is the chain name, the argument to add or delete the rule`
			`# will be added by the used Firewall method. See firewall.py for more`
			`# information.`
			`fw_rules = [['OUTPUT', '-p', 'tcp', '--dport', '88', '-j', 'DROP'],`
			`['OUTPUT', '-p', 'udp', '--dport', '88', '-j', 'DROP']]`
Test: basic kerberos over http functionality https://fedorahosted.org/freeipa/ticket/6446 Reviewed-By: Milan Kubik <mkubik@redhat.com> 2016-11-01 03:25:16 -05:00
			`@classmethod`
			`def install(cls, mh):`
			`super(TestHttpKdcProxy, cls).install(mh)`
			`# Block access from client to master's port 88`
ipatests/test_integration/test_http_kdc_proxy.py: Use new firewall import Instead of using ip[6]tables commands, use new firewall class to deny access to TCP and UDP port 88 on external machines using the OUTPUT chain. The iptables calls in the install method are replaced by a prepend_passthrough_rules call with the rules defined in the class. The firewall rules are defined in the class as fw_rules without --append/-A, --delete/-D, .. First entry of each rule is the chain name, the argument to add or delete the rule will be added by the used Firewall method. See firewall.py for more information. The "iptables -F" call (IPv4 only) in the uninstall method is replaced by a remove_passthrough_rules call with the rules defined in the class. See: https://pagure.io/freeipa/issue/7755 Signed-off-by: Thomas Woerner <twoerner@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Armando Neto <abiagion@redhat.com> 2018-11-09 04:24:59 -06:00			`Firewall(cls.clients[0]).prepend_passthrough_rules(cls.fw_rules)`
Test: basic kerberos over http functionality https://fedorahosted.org/freeipa/ticket/6446 Reviewed-By: Milan Kubik <mkubik@redhat.com> 2016-11-01 03:25:16 -05:00			`# configure client`
			`cls.clients[0].run_command(`
Sprinkle raw strings across the code base tox / pytest is complaining about lots and lots of invalid escape sequences in our code base. Sprinkle raw strings or backslash escapes across the code base to fix most occurences of: DeprecationWarning: invalid escape sequence There is still one warning that keeps repeating, though: source:264: DeprecationWarning: invalid escape sequence \d Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com> 2018-09-24 03:49:45 -05:00			`r"sed -i 's/ kdc = .*$/ kdc = https:\/\/%s\/KdcProxy/' %s" % (`
Test: basic kerberos over http functionality https://fedorahosted.org/freeipa/ticket/6446 Reviewed-By: Milan Kubik <mkubik@redhat.com> 2016-11-01 03:25:16 -05:00			`cls.master.hostname, paths.KRB5_CONF)`
			`)`
			`cls.clients[0].run_command(`
Sprinkle raw strings across the code base tox / pytest is complaining about lots and lots of invalid escape sequences in our code base. Sprinkle raw strings or backslash escapes across the code base to fix most occurences of: DeprecationWarning: invalid escape sequence There is still one warning that keeps repeating, though: source:264: DeprecationWarning: invalid escape sequence \d Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com> 2018-09-24 03:49:45 -05:00			`r"sed -i 's/master_kdc = .*$/master_kdc"`
			`r" = https:\/\/%s\/KdcProxy/' %s" % (`
Test: basic kerberos over http functionality https://fedorahosted.org/freeipa/ticket/6446 Reviewed-By: Milan Kubik <mkubik@redhat.com> 2016-11-01 03:25:16 -05:00			`cls.master.hostname, paths.KRB5_CONF)`
			`)`
			`# Workaround for https://fedorahosted.org/freeipa/ticket/6443`
			`cls.clients[0].run_command(['systemctl', 'restart', 'sssd.service'])`
			`# End of workaround`

			`@classmethod`
			`def uninstall(cls, mh):`
			`super(TestHttpKdcProxy, cls).uninstall(mh)`
ipatests/test_integration/test_http_kdc_proxy.py: Use new firewall import Instead of using ip[6]tables commands, use new firewall class to deny access to TCP and UDP port 88 on external machines using the OUTPUT chain. The iptables calls in the install method are replaced by a prepend_passthrough_rules call with the rules defined in the class. The firewall rules are defined in the class as fw_rules without --append/-A, --delete/-D, .. First entry of each rule is the chain name, the argument to add or delete the rule will be added by the used Firewall method. See firewall.py for more information. The "iptables -F" call (IPv4 only) in the uninstall method is replaced by a remove_passthrough_rules call with the rules defined in the class. See: https://pagure.io/freeipa/issue/7755 Signed-off-by: Thomas Woerner <twoerner@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Armando Neto <abiagion@redhat.com> 2018-11-09 04:24:59 -06:00			`Firewall(cls.clients[0]).remove_passthrough_rules(cls.fw_rules)`
Test: basic kerberos over http functionality https://fedorahosted.org/freeipa/ticket/6446 Reviewed-By: Milan Kubik <mkubik@redhat.com> 2016-11-01 03:25:16 -05:00
			`def test_http_kdc_proxy_works(self):`
			`result = tasks.kinit_admin(self.clients[0], raiseonerr=False)`
			`assert(result.returncode == 0), (`
			`"Unable to kinit using KdcProxy: %s" % result.stderr_text`
			`)`