From 899530bd40db6b61aa09a5138f5067e1ca3496e7 Mon Sep 17 00:00:00 2001
From: Scott Poore
Date: Wed, 28 Sep 2022 13:09:03 -0500
Subject: [PATCH] ipatests: add keycloak user login to ipa test
Adding test case to test_sso.py to cover login to IPA client as Keycloak user without relying on external IdP.
create_bridge.py:
- getkeytab in setup_scim_server to allow bridge to use IPA API.
- fix unintstall to remove plugin by version instead of main
test_sso.py:
- add keycloak_add_user function
- add test_ipa_login_with_sso_user
tasks.py:
- add set_user_password to only set password for ipa users
Fixes: https://pagure.io/freeipa/issue/9250
Signed-off-by: Scott Poore
Reviewed-By: Anuja More
Reviewed-By: Rob Crittenden
---
.../pytest_ipa/integration/create_bridge.py | 18 +++++++--
ipatests/pytest_ipa/integration/tasks.py | 11 ++++++
ipatests/test_integration/test_sso.py | 38 +++++++++++++++++++
3 files changed, 64 insertions(+), 3 deletions(-)
diff --git a/ipatests/pytest_ipa/integration/create_bridge.py b/ipatests/pytest_ipa/integration/create_bridge.py
index 538c59c51..c631b45cd 100644
--- a/ipatests/pytest_ipa/integration/create_bridge.py
+++ b/ipatests/pytest_ipa/integration/create_bridge.py
@@ -20,6 +20,17 @@ def setup_scim_server(host, version="main"):
 host.run_command(["python", "./prepare_sssd.py"], cwd=f"{dir}/src/install")
+ # Get keytab for scim bridge service
+ master = host.domain.hosts_by_role("master")[0].hostname
+ princ = f"admin@{host.domain.realm}"
+ ktfile = "/root/scim.keytab"
+ sendpass = f"{password}\n{password}"
+ tasks.kdestroy_all(host)
+ tasks.kinit_admin(host)
+ host.run_command(["ipa-getkeytab", "-s", master, "-p", princ,
+ "-P", "-k", ktfile], stdin_text=sendpass)
+ host.run_command(["kinit", "-k", "-t", ktfile, princ])
+
 # Install django requirements
 django_reqs = f"{dir}/src/install/requirements.txt"
 host.run_command(["pip", "install", "-r", f"{django_reqs}"])
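Review bot: `password` is read on the `sendpass = f"{password}\n{password}"` line but is bound nowhere in this hunk, and the hunk header shows setup_scim_server's parameters as `(host, version="main")`; unless the function assigns it above line 20 (outside the hunk) the new block raises NameError before ipa-getkeytab ever runs, so please confirm where it comes from. The keytab is retrieved for `admin@{realm}`, which means the bridge process on this host authenticates with full IPA admin rights from /root/scim.keytab; a why-comment such as `# NOTE: admin principal so the bridge can use the IPA API; a dedicated, narrowly-roled service principal would be preferable` would document that trade-off for the next reader. The `-P` flag also deserves a comment: as I read ipa-getkeytab, it derives the key from the supplied password instead of generating fresh random keys, which is what keeps the admin password usable afterwards. setup_scim_server begins above the hunk.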
@@ -159,13 +170,14 @@ def uninstall_scim_server(host):
 host.run_command(["rm", "-rf", "/opt/ipa-tuura", "/etc/sysconfig/scim", "/etc/systemd/system/scim.service",
- "/tmp/scim-keycloak-user-storage-spi-main",
- "/tmp/keycloak-scim-plugin.zip"])
+ "/tmp/scim-keycloak-user-storage-spi-0.1",
+ "/tmp/keycloak-scim-plugin.zip",
+ "/root/scim.keytab"])
 host.run_command(["systemctl", "daemon-reload"])
 tasks.restore_files(host)
 def uninstall_scim_plugin(host):
 host.run_command(["rm", "-rf",
- "/tmp/scim-keycloak-user-storage-spi-main",
+ "/tmp/scim-keycloak-user-storage-spi-0.1",
 "/tmp/keycloak-scim-plugin.zip"])
diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
index 81f64f793..5dc20887c 100755
--- a/ipatests/pytest_ipa/integration/tasks.py
+++ b/ipatests/pytest_ipa/integration/tasks.py
@@ -2165,6 +2165,17 @@ def create_active_user(host, login, password, first='test', last='user',
 kdestroy_all(host)
+def set_user_password(host, username, password):
+ temppass = "redhat\nredhat"
+ sendpass = f"redhat\n{password}\n{password}"
+ kdestroy_all(host)
+ kinit_admin(host)
+ host.run_command(["ipa", "passwd", username],stdin_text=temppass)
+ host.run_command(["kinit", username], stdin_text=sendpass)
+ kdestroy_all(host)
+ kinit_admin(host)
+
+
 def kdestroy_all(host):
 return host.run_command(['kdestroy', '-A'])
diff --git a/ipatests/test_integration/test_sso.py b/ipatests/test_integration/test_sso.py
index 5345f987f..e31f8ae8e 100644
--- a/ipatests/test_integration/test_sso.py
+++ b/ipatests/test_integration/test_sso.py
@@ -1,5 +1,6 @@
 from __future__ import absolute_import
+ import textwrap
 from ipatests.test_integration.base import IntegrationTest
 from ipatests.pytest_ipa.integration import tasks, create_keycloak
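Review bot: The plugin version is now a hard-coded literal in two places, `"/tmp/scim-keycloak-user-storage-spi-0.1"` in uninstall_scim_server and again in uninstall_scim_plugin, so the next plugin bump will silently leave the old directory behind on uninstall. Hoist it into one module-level constant, e.g. `SCIM_PLUGIN_VERSION = "0.1"` used as `f"/tmp/scim-keycloak-user-storage-spi-{SCIM_PLUGIN_VERSION}"`, and reuse the same constant wherever the plugin archive is unpacked (that code is outside this hunk, so I cannot confirm the spot). Removing `/root/scim.keytab` on uninstall is a good addition, since that file holds the admin principal's keys.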
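Review bot: set_user_password has no docstring and its contract is not obvious from the code: `ipa passwd` run as admin sets an interim password, and the `kinit` stdin sequence `redhat\n{password}\n{password}` looks like a first login that is forced to change that admin-set (presumably expired) password to the final one — a docstring saying exactly that, and noting that the caller is left holding an admin ticket (unlike create_active_user just above, which ends with `kdestroy_all`), would save the next reader a trace. Style: `host.run_command(["ipa", "passwd", username],stdin_text=temppass)` is missing the space after the comma, and the interim password literal appears twice; `temppass = f"{interim}\n{interim}"` built from one module constant would keep the two in sync. The function is complete within the hunk.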
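Review bot: `import textwrap` is added, but none of the other 37 lines this patch adds to test_sso.py reference textwrap and the file has no deletions, so unless existing code already used the name without importing it this is an unused import that flake8 will flag (F401). The rest of the file is outside the patch, so I cannot rule out an existing use; if there is none, drop the line.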
@@ -53,6 +54,26 @@ def keycloak_login(host, username, password, username_fl=None):
 host.run_command(["rm", "-f", "/tmp/keycloak_login.py"])
+def keycloak_add_user(host, kcadm_pass, username, password=None):
+ domain = host.domain.name
+ kcadmin_sh = "/opt/keycloak/bin/kcadm.sh"
+ kcadmin = [kcadmin_sh, "config", "credentials", "--server",
+ f"https://{host.hostname}:8443/auth/",
+ "--realm", "master", "--user", "admin",
+ "--password", kcadm_pass]
+
+ host.run_command(kcadmin)
+ host.run_command([kcadmin_sh, "create", "users", "-r", "master",
+ "-s", f"username={username}",
+ "-s", f"email={username}@{domain}",
+ "-s", "enabled=true"])
+
+ if password is not None:
+ host.run_command([kcadmin_sh, "set-password", "-r", "master",
+ "--username", "testuser1", "--new-password",
+ password])
+
+
 class TestSsoBridge(IntegrationTest):
 # Replicas used instead of clients due to memory requirements
@@ -98,3 +119,20 @@ class TestSsoBridge(IntegrationTest):
 username_fl = 'test user'
 password = self.keycloak.config.admin_password
 keycloak_login(self.keycloak, username, password, username_fl)
+
+ def test_ipa_login_with_sso_user(self):
+ """
+ Test case to authenticate via ssh to IPA client as Keycloak
+ user with password set in IPA without using external IdP
+
+ related: https://pagure.io/freeipa/issue/9250
+ """
+ username = "kcuser1"
+ password = self.keycloak.config.admin_password
+
+ keycloak_add_user(self.keycloak, password, username)
+ tasks.set_user_password(self.master, username, password)
+
+ tasks.run_ssh_cmd(to_host=self.master.external_hostname,
+ username=username, auth_method="password",
+ password=password)
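Review bot: The set-password call hard-codes the account, `"--username", "testuser1", "--new-password",`, so whenever `password` is given it is set on testuser1 instead of on the user this function just created; it should read `"--username", username, "--new-password",`. The Keycloak admin password is also passed on the command line via `"--password", kcadm_pass`, where it is visible in the process list and in any command logging on the Keycloak host; if kcadm.sh prompts when `--password` is omitted, feeding it through `stdin_text` as the other helpers do for secrets would avoid that exposure. A short docstring stating that the user is created enabled in the `master` realm with `{username}@{domain}` as email and that `password` is optional would also help. keycloak_add_user is complete within the hunk.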
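Review bot: Nothing between `keycloak_add_user(self.keycloak, password, username)` and `tasks.set_user_password(self.master, username, password)` verifies that kcuser1 has actually reached IPA; if propagation from Keycloak to IPA through the bridge is not synchronous, `ipa passwd kcuser1` fails because the user does not exist yet and the test reports a setup failure rather than the login behaviour it is meant to cover. A guard such as `self.master.run_command(["ipa", "user-show", username])` (or a short poll on it) before the password is set would make the failure mode explicit. Whether `tasks.run_ssh_cmd` raises on a rejected login or returns a result that must be asserted on is not visible here; please confirm so the test cannot pass vacuously. The test also leaves kcuser1 behind in both Keycloak and IPA, which is fine if class teardown uninstalls everything but otherwise deserves a `finally` that deletes it.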