ipatests/test_integration/test_http_kdc_proxy.py: Use new firewall import

Instead of using ip[6]tables commands, use new firewall class to deny
access to TCP and UDP port 88 on external machines using the OUTPUT chain.
The iptables calls in the install method are replaced by a
prepend_passthrough_rules call with the rules defined in the class.

The firewall rules are defined in the class as fw_rules, without
--append/-A, --delete/-D, etc. The first entry of each rule is the chain
name; the argument to add or delete the rule is supplied by the Firewall
method that is used. See firewall.py for more information.

The "iptables -F" call (IPv4 only) in the uninstall method is replaced by
a remove_passthrough_rules call with the rules defined in the class.

See: https://pagure.io/freeipa/issue/7755
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Thomas Woerner 2018-11-09 11:24:59 +01:00
parent d427e4b2ba
commit 5a740144e0


@ -6,6 +6,7 @@ from __future__ import absolute_import
import six
from ipatests.pytest_ipa.integration import tasks
from ipatests.pytest_ipa.integration.firewall import Firewall
from ipatests.test_integration.base import IntegrationTest
from ipaplatform.paths import paths
@ -17,23 +18,18 @@ if six.PY3:
class TestHttpKdcProxy(IntegrationTest):
topology = "line"
num_clients = 1
# Firewall rules without --append/-A, --delete/-D, .. First entry of
# each rule is the chain name, the argument to add or delete the rule
# will be added by the used Firewall method. See firewall.py for more
# information.
fw_rules = [['OUTPUT', '-p', 'tcp', '--dport', '88', '-j', 'DROP'],
['OUTPUT', '-p', 'udp', '--dport', '88', '-j', 'DROP']]
@classmethod
def install(cls, mh):
super(TestHttpKdcProxy, cls).install(mh)
# Block access from client to master's port 88
cls.clients[0].run_command([
'iptables', '-A', 'OUTPUT', '-p', 'tcp',
'--dport', '88', '-j', 'DROP'])
cls.clients[0].run_command([
'iptables', '-A', 'OUTPUT', '-p', 'udp',
'--dport', '88', '-j', 'DROP'])
cls.clients[0].run_command([
'ip6tables', '-A', 'OUTPUT', '-p', 'tcp',
'--dport', '88', '-j', 'DROP'])
cls.clients[0].run_command([
'ip6tables', '-A', 'OUTPUT', '-p', 'udp',
'--dport', '88', '-j', 'DROP'])
Firewall(cls.clients[0]).prepend_passthrough_rules(cls.fw_rules)
# configure client
cls.clients[0].run_command(
r"sed -i 's/ kdc = .*$/ kdc = https:\/\/%s\/KdcProxy/' %s" % (
@ -51,7 +47,7 @@ class TestHttpKdcProxy(IntegrationTest):
@classmethod
def uninstall(cls, mh):
super(TestHttpKdcProxy, cls).uninstall(mh)
cls.clients[0].run_command(['iptables', '-F'])
Firewall(cls.clients[0]).remove_passthrough_rules(cls.fw_rules)
def test_http_kdc_proxy_works(self):
result = tasks.kinit_admin(self.clients[0], raiseonerr=False)
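Review bot: In `uninstall`, the port 88 DROP rules are removed only after `super(TestHttpKdcProxy, cls).uninstall(mh)` returns, so if that call raises, the client host keeps outbound Kerberos blocked for whatever runs on it next. Unless the ordering is intentional, wrap the super call in `try:` and move `Firewall(cls.clients[0]).remove_passthrough_rules(cls.fw_rules)` into a `finally:` clause. The retained comment `# Block access from client to master's port 88` also understates the rules: they have no destination match, so they drop outbound TCP and UDP port 88 to every host. `# Block all outbound Kerberos (TCP/UDP port 88) from the client` would be more accurate. Whether the passthrough rules also cover IPv6, as the removed `ip6tables` calls did, depends on firewall.py, which is not shown here.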