IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

test_ipagetkeytab: allow testing LDAP connection beyond bind operation

Browse Source 
Convert use_keytab() function into a context manager to allow additional
operations to be done as part of the test. Also pass proper credentials
cache file to the backend while connecting to LDAP so that right creds
are in use.

This is required to perform actual tests for use of the retrieved keys.

Related: https://pagure.io/freeipa/issue/7953
Reviewed-By: Christian Heimes <cheimes@redhat.com>
This commit is contained in:
Alexander Bokovoy 2019-05-17 14:25:25 +03:00
parent ef67dece52
commit 6163cbc166
1 changed files with 32 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

54
ipatests/test_cmdline/test_ipagetkeytab.py
View File

@ -29,31 +29,37 @@ import tempfile
import gssapi import gssapi
import pytest import pytest
from ipalib import api from ipapython.ipautil import private_ccache
from ipalib import api, errors
from ipalib.request import context
from ipaplatform.paths import paths from ipaplatform.paths import paths
from ipapython import ipautil, ipaldap from ipapython import ipautil, ipaldap
from ipaserver.plugins.ldap2 import ldap2 from ipaserver.plugins.ldap2 import ldap2
from ipatests.test_cmdline.cmdline import cmdline_test from ipatests.test_cmdline.cmdline import cmdline_test
from ipatests.test_xmlrpc.tracker import host_plugin, service_plugin from ipatests.test_xmlrpc.tracker import host_plugin, service_plugin
from contextlib import contextmanager
@contextmanager
def use_keytab(principal, keytab): def use_keytab(principal, keytab):
try: with private_ccache() as ccache_file:
tmpdir = tempfile.mkdtemp(prefix = "tmp-") try:
ccache_file = 'FILE:%s/ccache' % tmpdir old_principal = getattr(context, 'principal', None)
name = gssapi.Name(principal, gssapi.NameType.kerberos_principal) name = gssapi.Name(principal, gssapi.NameType.kerberos_principal)
store = {'ccache': ccache_file, store = {'ccache': ccache_file,
'client_keytab': keytab} 'client_keytab': keytab}
os.environ['KRB5CCNAME'] = ccache_file gssapi.Credentials(name=name, usage='initiate', store=store)
gssapi.Credentials(name=name, usage='initiate', store=store) conn = ldap2(api)
conn = ldap2(api) conn.connect(ccache=ccache_file,
conn.connect(autobind=ipaldap.AUTOBIND_DISABLED) autobind=ipaldap.AUTOBIND_DISABLED)
conn.disconnect() yield conn
except gssapi.exceptions.GSSError as e: conn.disconnect()
raise Exception('Unable to bind to LDAP. Error initializing principal %s in %s: %s' % (principal, keytab, str(e))) except gssapi.exceptions.GSSError as e:
finally: raise Exception('Unable to bind to LDAP. Error initializing '
os.environ.pop('KRB5CCNAME', None) 'principal %s in %s: %s' % (principal, keytab,
if tmpdir: str(e)))
shutil.rmtree(tmpdir) finally:
setattr(context, 'principal', old_principal)
@pytest.fixture(scope='class') @pytest.fixture(scope='class')
@ -98,7 +104,7 @@ class KeytabRetrievalTest(cmdline_test):
pass pass
def run_ipagetkeytab(self, service_principal, args=tuple(), def run_ipagetkeytab(self, service_principal, args=tuple(),
raiseonerr=False): raiseonerr=False, stdin=None):
new_args = [self.command, new_args = [self.command,
"-p", service_principal, "-p", service_principal,
"-k", self.keytabname] "-k", self.keytabname]
@ -110,7 +116,7 @@ class KeytabRetrievalTest(cmdline_test):
return ipautil.run( return ipautil.run(
new_args, new_args,
stdin=None, stdin=stdin,
raiseonerr=raiseonerr, raiseonerr=raiseonerr,
capture_error=True) capture_error=True)
@ -162,7 +168,9 @@ class test_ipagetkeytab(KeytabRetrievalTest):
""" """
Try to use the service keytab. Try to use the service keytab.
""" """
use_keytab(test_service.name, self.keytabname) with use_keytab(test_service.name, self.keytabname) as conn:
assert conn.can_read(test_service.dn, 'objectclass') is True
assert getattr(context, 'principal') == test_service.name
def test_4_disable(self, test_service): def test_4_disable(self, test_service):
""" """
@ -186,7 +194,9 @@ class test_ipagetkeytab(KeytabRetrievalTest):
Try to use the disabled keytab Try to use the disabled keytab
""" """
try: try:
use_keytab(test_service.name, self.keytabname) with use_keytab(test_service.name, self.keytabname) as conn:
assert conn.can_read(test_service.dn, 'objectclass') is True
assert getattr(context, 'principal') == test_service.name
except Exception as errmsg: except Exception as errmsg:
assert('Unable to bind to LDAP. Error initializing principal' in str(errmsg)) assert('Unable to bind to LDAP. Error initializing principal' in str(errmsg))