From c02cc93c146bca429f69bf5536a3f6c15b02876e Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Tue, 19 Nov 2019 18:33:23 -0500
Subject: [PATCH] Add integration test for Kerberos ticket policy
This also exercises the Authentication Indicator Kerberos ticket policy options by testing a specific indicator type.
Related: https://pagure.io/freeipa/issue/8001
Signed-off-by: Rob Crittenden
Reviewed-By: Alexander Bokovoy
Reviewed-By: Rob Crittenden
Reviewed-By: Florence Blanc-Renaud
---
 ipatests/prci_definitions/nightly_latest.yaml | 12 ++
 .../nightly_latest_testing.yaml | 13 ++
 .../prci_definitions/nightly_previous.yaml | 12 ++
 .../prci_definitions/nightly_rawhide.yaml | 12 ++
 ipatests/test_integration/test_krbtpolicy.py | 114 ++++++++++++++++++
 5 files changed, 163 insertions(+)
 create mode 100644 ipatests/test_integration/test_krbtpolicy.py
diff --git a/ipatests/prci_definitions/nightly_latest.yaml b/ipatests/prci_definitions/nightly_latest.yaml
index 1e492d41d..9e479aba2 100644
--- a/ipatests/prci_definitions/nightly_latest.yaml
+++ b/ipatests/prci_definitions/nightly_latest.yaml
@@ -1384,3 +1384,15 @@ jobs:
 template: *ci-master-latest
 timeout: 1800
 topology: *master_1repl
+
+ fedora-latest/krbtpolicy:
+ requires: [fedora-latest/build]
+ priority: 50
+ job:
+ class: RunPytest
+ args:
+ build_url: '{fedora-latest/build_url}'
+ test_suite: test_integration/test_krbtpolicy.py
+ template: *ci-master-latest
+ timeout: 3600
+ topology: *ipaserver
diff --git a/ipatests/prci_definitions/nightly_latest_testing.yaml b/ipatests/prci_definitions/nightly_latest_testing.yaml
index e27189775..18315ca55 100644
--- a/ipatests/prci_definitions/nightly_latest_testing.yaml
+++ b/ipatests/prci_definitions/nightly_latest_testing.yaml
@@ -1479,3 +1479,16 @@ jobs:
 template: *testing-master-latest
 timeout: 1800
 topology: *master_1repl
+
+ testing-fedora/krbtpolicy:
+ requires: [testing-fedora/build]
+ priority: 50
+ job:
+ class: RunPytest
+ args:
+ build_url: '{testing-fedora/build_url}'
+ update_packages: True
+ test_suite: test_integration/test_krbtpolicy.py
+ template: *testing-master-latest
+ timeout: 3600
+ topology: *ipaserver
diff --git a/ipatests/prci_definitions/nightly_previous.yaml b/ipatests/prci_definitions/nightly_previous.yaml
index 514a1e858..1dd99d1d0 100644
--- a/ipatests/prci_definitions/nightly_previous.yaml
+++ b/ipatests/prci_definitions/nightly_previous.yaml
@@ -1360,3 +1360,15 @@ jobs:
 template: *ci-master-previous
 timeout: 1800
 topology: *master_1repl
+
+ fedora-previous/krbtpolicy:
+ requires: [fedora-previous/build]
+ priority: 50
+ job:
+ class: RunPytest
+ args:
+ build_url: '{fedora-previous/build_url}'
+ test_suite: test_integration/test_krbtpolicy.py
+ template: *ci-master-previous
+ timeout: 3600
+ topology: *ipaserver
diff --git a/ipatests/prci_definitions/nightly_rawhide.yaml b/ipatests/prci_definitions/nightly_rawhide.yaml
index 8d01ad6c8..0b80f4709 100644
--- a/ipatests/prci_definitions/nightly_rawhide.yaml
+++ b/ipatests/prci_definitions/nightly_rawhide.yaml
@@ -1384,3 +1384,15 @@ jobs:
 template: *ci-master-frawhide
 timeout: 1800
 topology: *master_1repl
+
+ fedora-rawhide/krbtpolicy:
+ requires: [fedora-rawhide/build]
+ priority: 50
+ job:
+ class: RunPytest
+ args:
+ build_url: '{fedora-rawhide/build_url}'
+ test_suite: test_integration/test_krbtpolicy.py
+ template: *ci-master-frawhide
+ timeout: 3600
+ topology: *ipaserver
diff --git a/ipatests/test_integration/test_krbtpolicy.py b/ipatests/test_integration/test_krbtpolicy.py
new file mode 100644
index 000000000..b2264de7a
--- /dev/null
+++ b/ipatests/test_integration/test_krbtpolicy.py
@@ -0,0 +1,114 @@
+#
+# Copyright (C) 2019 FreeIPA Contributors see COPYING for license
+#
+
+"""
+Module provides tests for Kerberos ticket policy options
+"""
+
+from __future__ import absolute_import
+
+from datetime import datetime
+
+from ipatests.test_integration.base import IntegrationTest
+from ipatests.pytest_ipa.integration import tasks
+
+PASSWORD = "Secret123"
+USER1 = "testuser1"
+USER2 = "testuser2"
+MAXLIFE = 86400
+
+
+def maxlife_within_policy(input, maxlife, slush=5):
+ """Given klist output of the TGT verify that it is within policy
+
+ Ensure that the validity period is somewhere within the
+ absolute maxlife and a slush value, maxlife - slush.
+
+ Returns True if within policy.
+
+ Input should be a string like:
+ 11/19/2019 16:37:40 11/20/2019 16:37:39 krbtgt/...
+ """
+ data = input.split()
+ start = datetime.strptime(data[0] + ' ' + data[1], '%m/%d/%Y %H:%M:%S')
+ end = datetime.strptime(data[2] + ' ' + data[3], '%m/%d/%Y %H:%M:%S')
+ diff = int((end - start).total_seconds())
+
+ return maxlife >= diff >= maxlife - slush
+
+
+class TestPWPolicy(IntegrationTest):
+ """Tests password custom and default password policies.
+ """
+ num_replicas = 0
+
+ @classmethod
+ def install(cls, mh):
+ tasks.install_master(cls.master)
+ tasks.create_active_user(cls.master, USER1, PASSWORD)
+ tasks.create_active_user(cls.master, USER2, PASSWORD)
+
+ def test_krbtpolicy_default(self):
+ """Test the default kerberos ticket policy 24-hr tickets"""
+ master = self.master
+
+ tasks.kinit_admin(master)
+ master.run_command(['ipa', 'krbtpolicy-mod', USER1,
+ '--maxlife', str(MAXLIFE)])
+ tasks.kdestroy_all(master)
+
+ master.run_command(['kinit', USER1],
+ stdin_text=PASSWORD + '\n')
+ result = master.run_command('klist | grep krbtgt')
+ assert maxlife_within_policy(result.stdout_text, MAXLIFE) is True
+
+ tasks.kdestroy_all(master)
+
+ def test_krbtpolicy_hardended(self):
+ """Test a hardened kerberos ticket policy with 10 min tickets"""
+ master = self.master
+
+ tasks.kinit_admin(master)
+ master.run_command(['ipa', 'user-mod', USER1,
+ '--user-auth-type', 'password',
+ '--user-auth-type', 'hardened'])
+ master.run_command(['ipa', 'config-mod',
+ '--user-auth-type', 'password',
+ '--user-auth-type', 'hardened'])
+ master.run_command(['ipa', 'krbtpolicy-mod', USER1,
+ '--hardened-maxlife', '600'])
+
+ tasks.kdestroy_all(master)
+
+ master.run_command(['kinit', USER1],
+ stdin_text=PASSWORD + '\n')
+ result = master.run_command('klist | grep krbtgt')
+ assert maxlife_within_policy(result.stdout_text, 600) is True
+
+ tasks.kdestroy_all(master)
+
+ # Verify that the short policy only applies to USER1
+ master.run_command(['kinit', USER2],
+ stdin_text=PASSWORD + '\n')
+ result = master.run_command('klist | grep krbtgt')
+ assert maxlife_within_policy(result.stdout_text, MAXLIFE) is True
+
+ tasks.kdestroy_all(master)
+
+ def test_krbtpolicy_password(self):
+ """Test the kerberos ticket policy which issues 20 min tickets"""
+ master = self.master
+
+ tasks.kinit_admin(master)
+ master.run_command(['ipa', 'krbtpolicy-mod', USER2,
+ '--maxlife', '1200'])
+
+ tasks.kdestroy_all(master)
+
+ master.run_command(['kinit', USER2],
+ stdin_text=PASSWORD + '\n')
+ result = master.run_command('klist | grep krbtgt')
+ assert maxlife_within_policy(result.stdout_text, 1200) is True
+
+ tasks.kdestroy_all(master)
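Review bot: `test_krbtpolicy_hardended` changes server-wide state with `ipa config-mod --user-auth-type password --user-auth-type hardened`, plus USER1's own auth types, and nothing in the file restores either. `test_krbtpolicy_password` and anything run later on this master therefore see a configuration that depends on test order. Moving that setup into `install`, or undoing it in a `finally` at the end of the test, would tie each lifetime assertion to the policy that test sets. `test_krbtpolicy_default` has a related gap: it sets `--maxlife` to `MAXLIFE` explicitly before checking, so it does not exercise the shipped default its docstring names. The class name and docstring still describe password policy and the method name is misspelled; `class TestKrbTPolicy(IntegrationTest):` and `test_krbtpolicy_hardened` would match the module.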