ipatests/test_integration/test_http_kdc_proxy.py: Use new firewall import
Instead of using ip[6]tables commands, use the new firewall class to deny access to TCP and UDP port 88 on external machines using the OUTPUT chain.

The iptables calls in the install method are replaced by a prepend_passthrough_rules call with the rules defined in the class.

The firewall rules are defined in the class as fw_rules, without --append/-A, --delete/-D, and so on. The first entry of each rule is the chain name; the argument that adds or deletes the rule is supplied by the Firewall method that is called. See firewall.py for more information.

The "iptables -F" call (IPv4 only) in the uninstall method is replaced by a remove_passthrough_rules call with the rules defined in the class.

See: https://pagure.io/freeipa/issue/7755
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
parent
d427e4b2ba
commit
5a740144e0
@ -6,6 +6,7 @@ from __future__ import absolute_import
|
||||
|
||||
import six
|
||||
from ipatests.pytest_ipa.integration import tasks
|
||||
from ipatests.pytest_ipa.integration.firewall import Firewall
|
||||
from ipatests.test_integration.base import IntegrationTest
|
||||
from ipaplatform.paths import paths
|
||||
|
||||
@ -17,23 +18,18 @@ if six.PY3:
|
||||
class TestHttpKdcProxy(IntegrationTest):
|
||||
topology = "line"
|
||||
num_clients = 1
|
||||
# Firewall rules without --append/-A, --delete/-D, .. First entry of
|
||||
# each rule is the chain name, the argument to add or delete the rule
|
||||
# will be added by the used Firewall method. See firewall.py for more
|
||||
# information.
|
||||
fw_rules = [['OUTPUT', '-p', 'tcp', '--dport', '88', '-j', 'DROP'],
|
||||
['OUTPUT', '-p', 'udp', '--dport', '88', '-j', 'DROP']]
|
||||
|
||||
@classmethod
|
||||
def install(cls, mh):
|
||||
super(TestHttpKdcProxy, cls).install(mh)
|
||||
# Block access from client to master's port 88
|
||||
cls.clients[0].run_command([
|
||||
'iptables', '-A', 'OUTPUT', '-p', 'tcp',
|
||||
'--dport', '88', '-j', 'DROP'])
|
||||
cls.clients[0].run_command([
|
||||
'iptables', '-A', 'OUTPUT', '-p', 'udp',
|
||||
'--dport', '88', '-j', 'DROP'])
|
||||
cls.clients[0].run_command([
|
||||
'ip6tables', '-A', 'OUTPUT', '-p', 'tcp',
|
||||
'--dport', '88', '-j', 'DROP'])
|
||||
cls.clients[0].run_command([
|
||||
'ip6tables', '-A', 'OUTPUT', '-p', 'udp',
|
||||
'--dport', '88', '-j', 'DROP'])
|
||||
Firewall(cls.clients[0]).prepend_passthrough_rules(cls.fw_rules)
|
||||
# configure client
|
||||
cls.clients[0].run_command(
|
||||
r"sed -i 's/ kdc = .*$/ kdc = https:\/\/%s\/KdcProxy/' %s" % (
|
||||
@ -51,7 +47,7 @@ class TestHttpKdcProxy(IntegrationTest):
|
||||
@classmethod
|
||||
def uninstall(cls, mh):
|
||||
super(TestHttpKdcProxy, cls).uninstall(mh)
|
||||
cls.clients[0].run_command(['iptables', '-F'])
|
||||
Firewall(cls.clients[0]).remove_passthrough_rules(cls.fw_rules)
|
||||
|
||||
def test_http_kdc_proxy_works(self):
|
||||
result = tasks.kinit_admin(self.clients[0], raiseonerr=False)
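Review bot: In `uninstall`, the `remove_passthrough_rules` call runs only if `super(TestHttpKdcProxy, cls).uninstall(mh)` returns normally, so a failure during teardown leaves the two port-88 `DROP` rules from `fw_rules` in place on the client, where they would presumably keep blocking direct Kerberos traffic for whatever uses that host next. I would wrap the parent call in `try:` and move `Firewall(cls.clients[0]).remove_passthrough_rules(cls.fw_rules)` into the `finally:` branch. The removed code added the rules through both `iptables` and `ip6tables`; whether a passthrough rule covers both address families is decided in firewall.py, which is not visible here, so once confirmed a short comment next to `fw_rules` such as `# Applied for IPv4 and IPv6 by Firewall (see firewall.py)` would help. `install` continues past the end of its hunk, so anything after the `sed` call is not reviewed.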