ipatests: add keycloak user login to ipa test

Adding test case to test_sso.py to cover login to IPA client as Keycloak
user without relying on external IdP.

create_bridge.py:
- getkeytab in setup_scim_server to allow bridge to use IPA API.
- fix uninstall to remove plugin by version instead of main

test_sso.py:
- add keycloak_add_user function
- add test_ipa_login_with_sso_user

tasks.py:
- add set_user_password to only set password for ipa users

Fixes: https://pagure.io/freeipa/issue/9250
Signed-off-by: Scott Poore <spoore@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Scott Poore 2022-09-28 13:09:03 -05:00 committed by Rob Crittenden
parent 06780f4d90
commit 899530bd40
3 changed files with 64 additions and 3 deletions


@ -20,6 +20,17 @@ def setup_scim_server(host, version="main"):
host.run_command(["python", "./prepare_sssd.py"], host.run_command(["python", "./prepare_sssd.py"],
cwd=f"{dir}/src/install") cwd=f"{dir}/src/install")
# Get keytab for scim bridge service
master = host.domain.hosts_by_role("master")[0].hostname
princ = f"admin@{host.domain.realm}"
ktfile = "/root/scim.keytab"
sendpass = f"{password}\n{password}"
tasks.kdestroy_all(host)
tasks.kinit_admin(host)
host.run_command(["ipa-getkeytab", "-s", master, "-p", princ,
"-P", "-k", ktfile], stdin_text=sendpass)
host.run_command(["kinit", "-k", "-t", ktfile, princ])
# Install django requirements # Install django requirements
django_reqs = f"{dir}/src/install/requirements.txt" django_reqs = f"{dir}/src/install/requirements.txt"
host.run_command(["pip", "install", "-r", f"{django_reqs}"]) host.run_command(["pip", "install", "-r", f"{django_reqs}"])
@ -159,13 +170,14 @@ def uninstall_scim_server(host):
host.run_command(["rm", "-rf", "/opt/ipa-tuura", host.run_command(["rm", "-rf", "/opt/ipa-tuura",
"/etc/sysconfig/scim", "/etc/sysconfig/scim",
"/etc/systemd/system/scim.service", "/etc/systemd/system/scim.service",
"/tmp/scim-keycloak-user-storage-spi-main", "/tmp/scim-keycloak-user-storage-spi-0.1",
"/tmp/keycloak-scim-plugin.zip"]) "/tmp/keycloak-scim-plugin.zip",
"/root/scim.keytab"])
host.run_command(["systemctl", "daemon-reload"]) host.run_command(["systemctl", "daemon-reload"])
tasks.restore_files(host) tasks.restore_files(host)
def uninstall_scim_plugin(host): def uninstall_scim_plugin(host):
host.run_command(["rm", "-rf", host.run_command(["rm", "-rf",
"/tmp/scim-keycloak-user-storage-spi-main", "/tmp/scim-keycloak-user-storage-spi-0.1",
"/tmp/keycloak-scim-plugin.zip"]) "/tmp/keycloak-scim-plugin.zip"])


@ -2165,6 +2165,17 @@ def create_active_user(host, login, password, first='test', last='user',
kdestroy_all(host) kdestroy_all(host)
def set_user_password(host, username, password):
temppass = "redhat\nredhat"
sendpass = f"redhat\n{password}\n{password}"
kdestroy_all(host)
kinit_admin(host)
host.run_command(["ipa", "passwd", username],stdin_text=temppass)
host.run_command(["kinit", username], stdin_text=sendpass)
kdestroy_all(host)
kinit_admin(host)
def kdestroy_all(host): def kdestroy_all(host):
return host.run_command(['kdestroy', '-A']) return host.run_command(['kdestroy', '-A'])
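Review bot: set_user_password has no docstring, and its two-step flow is easy to misread. The admin `ipa passwd` call sets the fixed temporary password `redhat`, and the following `kinit` as the user sends that value and then the requested password twice, which is presumably the forced change of an admin-set password. A short docstring should state that the temporary password is hard-coded and that the function leaves an admin ticket on `host` after destroying the user's. The `ipa passwd` line is also missing a space after the comma: `host.run_command(["ipa", "passwd", username], stdin_text=temppass)`.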


@ -1,5 +1,6 @@
from __future__ import absolute_import from __future__ import absolute_import
import textwrap import textwrap
from ipatests.test_integration.base import IntegrationTest from ipatests.test_integration.base import IntegrationTest
from ipatests.pytest_ipa.integration import tasks, create_keycloak from ipatests.pytest_ipa.integration import tasks, create_keycloak
@ -53,6 +54,26 @@ def keycloak_login(host, username, password, username_fl=None):
host.run_command(["rm", "-f", "/tmp/keycloak_login.py"]) host.run_command(["rm", "-f", "/tmp/keycloak_login.py"])
def keycloak_add_user(host, kcadm_pass, username, password=None):
domain = host.domain.name
kcadmin_sh = "/opt/keycloak/bin/kcadm.sh"
kcadmin = [kcadmin_sh, "config", "credentials", "--server",
f"https://{host.hostname}:8443/auth/",
"--realm", "master", "--user", "admin",
"--password", kcadm_pass]
host.run_command(kcadmin)
host.run_command([kcadmin_sh, "create", "users", "-r", "master",
"-s", f"username={username}",
"-s", f"email={username}@{domain}",
"-s", "enabled=true"])
if password is not None:
host.run_command([kcadmin_sh, "set-password", "-r", "master",
"--username", "testuser1", "--new-password",
password])
class TestSsoBridge(IntegrationTest): class TestSsoBridge(IntegrationTest):
# Replicas used instead of clients due to memory requirements # Replicas used instead of clients due to memory requirements
@ -98,3 +119,20 @@ class TestSsoBridge(IntegrationTest):
username_fl = 'test user' username_fl = 'test user'
password = self.keycloak.config.admin_password password = self.keycloak.config.admin_password
keycloak_login(self.keycloak, username, password, username_fl) keycloak_login(self.keycloak, username, password, username_fl)
def test_ipa_login_with_sso_user(self):
"""
Test case to authenticate via ssh to IPA client as Keycloak
user with password set in IPA without using external IdP
related: https://pagure.io/freeipa/issue/9250
"""
username = "kcuser1"
password = self.keycloak.config.admin_password
keycloak_add_user(self.keycloak, password, username)
tasks.set_user_password(self.master, username, password)
tasks.run_ssh_cmd(to_host=self.master.external_hostname,
username=username, auth_method="password",
password=password)
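Review bot: In keycloak_add_user the `set-password` call passes the literal `"testuser1"` instead of the `username` argument, so when `password` is given it is set on a different account than the one just created. The line should read `"--username", username, "--new-password",`. The new test calls the helper without `password`, so this branch is not exercised by it. Separately, `kcadm_pass` and `password` are passed as command-line arguments, which exposes them to process listings on the host and probably to the test log; that is worth a comment if it is accepted for test hosts.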