ipatests: add keycloak user login to ipa test

Adding test case to test_sso.py to cover login to IPA client as Keycloak user without relying on external IdP. create_bridge.py: - getkeytab in setup_scim_server to allow bridge to use IPA API. - fix unintstall to remove plugin by version instead of main test_sso.py: - add keycloak_add_user function - add test_ipa_login_with_sso_user tasks.py: - add set_user_password to only set password for ipa users Fixes: https://pagure.io/freeipa/issue/9250 Signed-off-by: Scott Poore <spoore@redhat.com> Reviewed-By: Anuja More <amore@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2025-02-25 18:55:28 -06:00 · 2022-09-28 13:09:03 -05:00 · 2022-09-28 13:09:03 -05:00 · 899530bd40
commit 899530bd40
parent 06780f4d90
3 changed files with 64 additions and 3 deletions
--- a/ipatests/pytest_ipa/integration/create_bridge.py
+++ b/ipatests/pytest_ipa/integration/create_bridge.py
@ -20,6 +20,17 @@ def setup_scim_server(host, version="main"):
    host.run_command(["python", "./prepare_sssd.py"],
                     cwd=f"{dir}/src/install")

+    # Get keytab for scim bridge service
+    master = host.domain.hosts_by_role("master")[0].hostname
+    princ = f"admin@{host.domain.realm}"
+    ktfile = "/root/scim.keytab"
+    sendpass = f"{password}\n{password}"
+    tasks.kdestroy_all(host)
+    tasks.kinit_admin(host)
+    host.run_command(["ipa-getkeytab", "-s", master, "-p", princ,
+                      "-P", "-k", ktfile], stdin_text=sendpass)
+    host.run_command(["kinit", "-k", "-t", ktfile, princ])
+
    # Install django requirements
    django_reqs = f"{dir}/src/install/requirements.txt"
    host.run_command(["pip", "install", "-r", f"{django_reqs}"])
@ -159,13 +170,14 @@ def uninstall_scim_server(host):
    host.run_command(["rm", "-rf", "/opt/ipa-tuura",
                      "/etc/sysconfig/scim",
                      "/etc/systemd/system/scim.service",
-                      "/tmp/scim-keycloak-user-storage-spi-main",
-                      "/tmp/keycloak-scim-plugin.zip"])
+                      "/tmp/scim-keycloak-user-storage-spi-0.1",
+                      "/tmp/keycloak-scim-plugin.zip",
+                      "/root/scim.keytab"])
    host.run_command(["systemctl", "daemon-reload"])
    tasks.restore_files(host)


 def uninstall_scim_plugin(host):
    host.run_command(["rm", "-rf",
-                      "/tmp/scim-keycloak-user-storage-spi-main",
+                      "/tmp/scim-keycloak-user-storage-spi-0.1",
                      "/tmp/keycloak-scim-plugin.zip"])
--- a/ipatests/pytest_ipa/integration/tasks.py
+++ b/ipatests/pytest_ipa/integration/tasks.py
@ -2165,6 +2165,17 @@ def create_active_user(host, login, password, first='test', last='user',
    kdestroy_all(host)


+def set_user_password(host, username, password):
+    temppass = "redhat\nredhat"
+    sendpass = f"redhat\n{password}\n{password}"
+    kdestroy_all(host)
+    kinit_admin(host)
+    host.run_command(["ipa", "passwd", username],stdin_text=temppass)
+    host.run_command(["kinit", username], stdin_text=sendpass)
+    kdestroy_all(host)
+    kinit_admin(host)
+
+
 def kdestroy_all(host):
    return host.run_command(['kdestroy', '-A'])

--- a/ipatests/test_integration/test_sso.py
+++ b/ipatests/test_integration/test_sso.py
@ -1,5 +1,6 @@
 from __future__ import absolute_import

+
 import textwrap
 from ipatests.test_integration.base import IntegrationTest
 from ipatests.pytest_ipa.integration import tasks, create_keycloak
@ -53,6 +54,26 @@ def keycloak_login(host, username, password, username_fl=None):
        host.run_command(["rm", "-f", "/tmp/keycloak_login.py"])


+def keycloak_add_user(host, kcadm_pass, username, password=None):
+    domain = host.domain.name
+    kcadmin_sh = "/opt/keycloak/bin/kcadm.sh"
+    kcadmin = [kcadmin_sh, "config", "credentials", "--server",
+               f"https://{host.hostname}:8443/auth/",
+               "--realm", "master", "--user", "admin",
+               "--password", kcadm_pass]
+
+    host.run_command(kcadmin)
+    host.run_command([kcadmin_sh, "create", "users", "-r", "master",
+                      "-s", f"username={username}",
+                      "-s", f"email={username}@{domain}",
+                      "-s", "enabled=true"])
+
+    if password is not None:
+        host.run_command([kcadmin_sh, "set-password", "-r", "master",
+                          "--username", "testuser1", "--new-password",
+                          password])
+
+
 class TestSsoBridge(IntegrationTest):

    # Replicas used instead of clients due to memory requirements
@ -98,3 +119,20 @@ class TestSsoBridge(IntegrationTest):
        username_fl = 'test user'
        password = self.keycloak.config.admin_password
        keycloak_login(self.keycloak, username, password, username_fl)
+
+    def test_ipa_login_with_sso_user(self):
+        """
+        Test case to authenticate via ssh to IPA client as Keycloak
+        user with password set in IPA without using external IdP
+
+        related: https://pagure.io/freeipa/issue/9250
+        """
+        username = "kcuser1"
+        password = self.keycloak.config.admin_password
+
+        keycloak_add_user(self.keycloak, password, username)
+        tasks.set_user_password(self.master, username, password)
+
+        tasks.run_ssh_cmd(to_host=self.master.external_hostname,
+                          username=username, auth_method="password",
+                          password=password)