replica: Add tests to ensure the ipaapi user is allowed access to ifp on replicas

https://pagure.io/freeipa/issue/8403 Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2025-02-25 18:55:28 -06:00 · 2020-07-13 13:59:12 -04:00 · 2020-07-13 13:59:12 -04:00 · 2ff1d6b450
commit 2ff1d6b450
parent 12529d7ef1
1 changed files with 41 additions and 0 deletions
--- a/ipatests/test_integration/test_replica_promotion.py
+++ b/ipatests/test_integration/test_replica_promotion.py
@ -47,6 +47,21 @@ class ReplicaPromotionBase(IntegrationTest):
        assert(found > 0), result2.stdout_text


+def sssd_config_allows_ipaapi_access_to_ifp(host):
+    """Checks that the sssd configuration allows the ipaapi user to access
+    ifp
+
+    :param host the machine on which to check that sssd allows ipaapi
+    access to ifp
+    """
+    with tasks.remote_sssd_config(host) as sssd_conf:
+        ifp = sssd_conf.get_service('ifp')
+        uids = [
+            uid.strip() for uid in ifp.get_option('allowed_uids').split(',')
+        ]
+        assert 'ipaapi' in uids
+
+
 class TestReplicaPromotionLevel1(ReplicaPromotionBase):
    """
    TestCase: http://www.freeipa.org/page/V4/Replica_Promotion/Test_plan#
@ -100,6 +115,16 @@ class TestReplicaPromotionLevel1(ReplicaPromotionBase):
        result = self.replicas[0].run_command(['ipa-pkinit-manage', 'status'])
        assert "PKINIT is enabled" in result.stdout_text

+    @replicas_cleanup
+    def test_sssd_config_allows_ipaapi_access_to_ifp(self):
+        """Verify that the sssd configuration allows the ipaapi user to
+        access ifp
+
+        Test for ticket 8403.
+        """
+        for replica in self.replicas:
+            sssd_config_allows_ipaapi_access_to_ifp(replica)
+

 class TestUnprivilegedUserPermissions(IntegrationTest):
    """
@ -171,6 +196,22 @@ class TestUnprivilegedUserPermissions(IntegrationTest):
                                      '-r', self.master.domain.realm,
                                      '-U'])

+    def test_sssd_config_allows_ipaapi_access_to_ifp(self):
+        self.master.run_command(['ipa', 'group-add-member', 'admins',
+                                 '--users=%s' % self.username])
+
+        # Configure firewall first
+        Firewall(self.replicas[0]).enable_services(["freeipa-ldap",
+                                                    "freeipa-ldaps"])
+        self.replicas[0].run_command(['ipa-replica-install',
+                                      '-P', self.username,
+                                      '-p', self.new_password,
+                                      '-n', self.master.domain.name,
+                                      '-r', self.master.domain.realm,
+                                      '-U'])
+
+        sssd_config_allows_ipaapi_access_to_ifp(self.replicas[0])
+

 class TestProhibitReplicaUninstallation(IntegrationTest):
    topology = 'line'