From 2de1aa27f981060acd6a867c89ef963a18cc27df Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Wed, 18 Apr 2018 13:05:41 +0300 Subject: [PATCH] ACL: Allow hosts to remove services they manage Allow hosts to delete services they own. This is an ACL that complements existing one that allows to create services on the same host. Add a test that creates a host and then attempts to create and delete a service using its own host keytab. Fixes: https://pagure.io/freeipa/issue/7486 Reviewed-By: Rob Crittenden
---
 install/updates/20-aci.update | 3 ++-
 ipatests/test_xmlrpc/test_service_plugin.py | 28 +++++++++++++++++++++
 2 files changed, 30 insertions(+), 1 deletion(-)
diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index b8a172eb5..184749d78 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -124,10 +124,11 @@ add:aci: (targetfilter="(|(objectclass=ipaHost)(objectclass=ipaService))")(targe
 dn: $SUFFIX
 add:aci:(targetattr = "usercertificate")(version 3.0;acl "selfservice:Users can manage their own X.509 certificates";allow (write) userdn = "ldap:///self";)
-# Hosts can add their own services
+# Hosts can add and delete their own services
 dn: cn=services,cn=accounts,$SUFFIX
 remove:aci: (target = "ldap:///krbprincipalname=*/($$dn)@$REALM,cn=services,cn=accounts,$SUFFIX")(targetfilter = "(objectClass=ipaKrbPrincipal)")(version 3.0;acl "Hosts can add own services"; allow(add) userdn="ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)
 add:aci: (target = "ldap:///krbprincipalname=*/($$dn)@$REALM,cn=services,cn=accounts,$SUFFIX")(targetfilter = "(objectClass=ipaService)")(version 3.0;acl "Hosts can add own services"; allow(add) userdn="ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)
+add:aci: (target = "ldap:///krbprincipalname=*/($$dn)@$REALM,cn=services,cn=accounts,$SUFFIX")(targetfilter = "(objectClass=ipaService)")(version 3.0;acl "Hosts can delete own services"; allow(delete) userdn="ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)
 # CIFS service on the master can manage ID ranges
 dn: cn=ranges,cn=etc,$SUFFIX
diff --git a/ipatests/test_xmlrpc/test_service_plugin.py b/ipatests/test_xmlrpc/test_service_plugin.py
index 6985f75ee..c910269df 100644
--- a/ipatests/test_xmlrpc/test_service_plugin.py
+++ b/ipatests/test_xmlrpc/test_service_plugin.py
@@ -31,6 +31,7 @@ from ipatests.test_xmlrpc.test_user_plugin import get_user_result, get_group_dn
 from ipatests.test_xmlrpc.tracker.service_plugin import ServiceTracker
 from ipatests.test_xmlrpc.tracker.host_plugin import HostTracker
+from ipatests.util import change_principal, host_keytab
 import base64
 from ipapython.dn import DN
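Review bot: The added `allow(delete)` ACI defines "own" as a service whose principal host component equals the binding host's fqdn (the `($$dn)` macro shared with the add ACI above it), not as a `managedBy` relationship, so the subject line's "services they manage" promises more than the grant delivers; the comment line should say which it is, e.g. `# Hosts can add and delete services whose principal host part is their own fqdn (managedBy is not consulted)`. Since `delete` removes the whole service entry, anything stored on it (key material, certificates, memberships) goes with it, which is worth stating in the comment so operators understand the grant is bounded only by host credential security. Reusing the exact target and userdn of the add ACI keeps the two scopes identical; if the add ACI's scope is ever changed, the delete one must move with it, so a one-line comment tying them together would help the next editor.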
@@ -1343,3 +1344,30 @@ class TestAuthenticationIndicators(XMLRPC_test):
 updates={u'krbprincipalauthind': u'radius'},
 expected_updates={u'krbprincipalauthind': [u'radius']}
 )
+
+
+@pytest.fixture(scope='function')
+def managing_host(request):
+ tracker = HostTracker(name=u'managinghost2', fqdn=fqdn2)
+ return tracker.make_fixture(request)
+
+
+@pytest.fixture(scope='function')
+def managed_service(request):
+ tracker = ServiceTracker(
+ name=u'managed-service', host_fqdn=fqdn2)
+ return tracker.make_fixture(request)
+
+
+@pytest.mark.tier1
+class TestManagedServices(XMLRPC_test):
+ def test_managed_service(
+ self, managing_host, managed_service):
+ """ Add a host and then add a service as a host
+ Finally, remove the service as a host """
+ managing_host.ensure_exists()
+ with host_keytab(managing_host.name) as keytab_filename:
+ with change_principal(managing_host.attrs['krbcanonicalname'][0],
+ keytab=keytab_filename):
+ managed_service.create()
+ managed_service.delete()
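Review bot: `test_managed_service` only exercises the positive path, so an over-broad delete ACI (one matching service principals of any host) would pass just as well; nothing in the hunk asserts the scope the commit intends. A companion case that binds with a keytab for a host other than `fqdn2` and expects `managed_service.delete()` to be refused would pin that boundary, with the tracker's fixture teardown presumably cleaning up the surviving service (confirm against `ServiceTracker`, which is outside this hunk). `managing_host.attrs['krbcanonicalname'][0]` appears to rely on `ensure_exists()` having populated `attrs`, and `fqdn2` is defined elsewhere in the module; both are inferred, not visible here. The docstring's leading and trailing spaces are unconventional; `"""Add a host, then create and delete a service while bound as that host."""` reads better.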