From 6163cbc16658930f49794ebecd5a6ac14ba8cfd4 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Fri, 17 May 2019 14:25:25 +0300
Subject: [PATCH] test_ipagetkeytab: allow testing LDAP connection beyond bind operation

Convert use_keytab() function into a context manager to allow additional operations to be done as part of the test. Also pass proper credentials cache file to the backend while connecting to LDAP so that right creds are in use. This is required to perform actual tests for use of the retrieved keys.

Related: https://pagure.io/freeipa/issue/7953

Reviewed-By: Christian Heimes
---
 ipatests/test_cmdline/test_ipagetkeytab.py | 54 +++++++++++++---------
 1 file changed, 32 insertions(+), 22 deletions(-)

diff --git a/ipatests/test_cmdline/test_ipagetkeytab.py b/ipatests/test_cmdline/test_ipagetkeytab.py
index 6b86c9dd4..3b1c7e951 100644
--- a/ipatests/test_cmdline/test_ipagetkeytab.py
+++ b/ipatests/test_cmdline/test_ipagetkeytab.py
@@ -29,31 +29,37 @@ import tempfile
 import gssapi
 import pytest
 
-from ipalib import api
+from ipapython.ipautil import private_ccache
+from ipalib import api, errors
+from ipalib.request import context
 from ipaplatform.paths import paths
 from ipapython import ipautil, ipaldap
 from ipaserver.plugins.ldap2 import ldap2
 from ipatests.test_cmdline.cmdline import cmdline_test
 from ipatests.test_xmlrpc.tracker import host_plugin, service_plugin
+from contextlib import contextmanager
 
+
+@contextmanager
 def use_keytab(principal, keytab):
-    try:
-        tmpdir = tempfile.mkdtemp(prefix = "tmp-")
-        ccache_file = 'FILE:%s/ccache' % tmpdir
-        name = gssapi.Name(principal, gssapi.NameType.kerberos_principal)
-        store = {'ccache': ccache_file,
-                 'client_keytab': keytab}
-        os.environ['KRB5CCNAME'] = ccache_file
-        gssapi.Credentials(name=name, usage='initiate', store=store)
-        conn = ldap2(api)
-        conn.connect(autobind=ipaldap.AUTOBIND_DISABLED)
-        conn.disconnect()
-    except gssapi.exceptions.GSSError as e:
-        raise Exception('Unable to bind to LDAP. Error initializing principal %s in %s: %s' % (principal, keytab, str(e)))
-    finally:
-        os.environ.pop('KRB5CCNAME', None)
-        if tmpdir:
-            shutil.rmtree(tmpdir)
+    with private_ccache() as ccache_file:
+        try:
+            old_principal = getattr(context, 'principal', None)
+            name = gssapi.Name(principal, gssapi.NameType.kerberos_principal)
+            store = {'ccache': ccache_file,
+                     'client_keytab': keytab}
+            gssapi.Credentials(name=name, usage='initiate', store=store)
+            conn = ldap2(api)
+            conn.connect(ccache=ccache_file,
+                         autobind=ipaldap.AUTOBIND_DISABLED)
+            yield conn
+            conn.disconnect()
+        except gssapi.exceptions.GSSError as e:
+            raise Exception('Unable to bind to LDAP. Error initializing '
+                            'principal %s in %s: %s' % (principal, keytab,
+                                                        str(e)))
+        finally:
+            setattr(context, 'principal', old_principal)
 
 
 @pytest.fixture(scope='class')
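Review bot: In the new use_keytab body `conn.disconnect()` is only reached when the caller's with-block completes normally; an exception raised after `yield conn` (for example a failing assert in test_3_use) resumes the generator with that exception, skips the disconnect and leaves the LDAP connection open, while the `finally` only restores `context.principal`. Wrap the yield as `try: yield conn` / `finally: conn.disconnect()` so the connection is released on every path. Because the outer `except gssapi.exceptions.GSSError` now also spans the yield, a GSSError raised inside the caller's block would be reported as a principal-initialization failure, so narrowing that try to the credential acquisition and `conn.connect` call keeps the message accurate. `errors` from `from ipalib import api, errors` is referenced by no added line, and `os`, `shutil` and `tempfile` lose their only visible uses with the removed body, so the import block probably needs trimming. A docstring on use_keytab such as `"""Yield an ldap2 connection bound with keytab via a private ccache; restores context.principal on exit."""` would document the new contract.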
@@ -98,7 +104,7 @@ class KeytabRetrievalTest(cmdline_test):
         pass
 
     def run_ipagetkeytab(self, service_principal, args=tuple(),
-                         raiseonerr=False):
+                         raiseonerr=False, stdin=None):
         new_args = [self.command,
                     "-p", service_principal,
                     "-k", self.keytabname]
@@ -110,7 +116,7 @@ class KeytabRetrievalTest(cmdline_test):
 
         return ipautil.run(
             new_args,
-            stdin=None,
+            stdin=stdin,
             raiseonerr=raiseonerr,
             capture_error=True)
 
@@ -162,7 +168,9 @@ class test_ipagetkeytab(KeytabRetrievalTest):
         """
         Try to use the service keytab.
         """
-        use_keytab(test_service.name, self.keytabname)
+        with use_keytab(test_service.name, self.keytabname) as conn:
+            assert conn.can_read(test_service.dn, 'objectclass') is True
+            assert getattr(context, 'principal') == test_service.name
 
     def test_4_disable(self, test_service):
         """
@@ -186,7 +194,9 @@ class test_ipagetkeytab(KeytabRetrievalTest):
         Try to use the disabled keytab
         """
         try:
-            use_keytab(test_service.name, self.keytabname)
+            with use_keytab(test_service.name, self.keytabname) as conn:
+                assert conn.can_read(test_service.dn, 'objectclass') is True
+                assert getattr(context, 'principal') == test_service.name
         except Exception as errmsg:
             assert('Unable to bind to LDAP. Error initializing principal'
                    in str(errmsg))
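Review bot: The new `stdin=None` parameter of run_ipagetkeytab is forwarded unchanged to `ipautil.run` (the `stdin=stdin` line in the following hunk) but nothing in this commit documents it or passes a non-None value, so its purpose is not discoverable from the file. A one-line docstring on the method, e.g. `"""Run ipa-getkeytab for service_principal; stdin is passed through to ipautil.run."""`, would tell the next test author what it is for. The body of run_ipagetkeytab continues outside both hunks.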
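Review bot: `getattr(context, 'principal')` without a default in the new test_3_use body is plain attribute access written the long way; `assert context.principal == test_service.name` reads more directly and raises the same AttributeError when the attribute is unset. The same form appears in the test_5 hunk below. If `can_read` returns a plain bool the `is True` comparison is fine; if it can return another truthy value, `assert conn.can_read(test_service.dn, 'objectclass')` is the safer check — worth confirming against ldap2.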
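Review bot: The disabled-keytab test still passes when the bind unexpectedly succeeds: if use_keytab raises nothing, the new with-block's assertions run against a live connection and the `except` branch, the only place the failure is checked, is never entered. Add `else: pytest.fail('bind with disabled keytab succeeded')` after the `except`, or restructure the block as `with pytest.raises(Exception, match='Unable to bind to LDAP')`. Note also that an AssertionError from the new with-body is swallowed by the broad `except Exception` and then fails the 'Unable to bind' check with a misleading message, which the pytest.raises form avoids.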