IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Add integration test for Kerberos ticket policy

Browse Source 
This also exercises the Authentication Indicator Kerberos ticket
policy options by testing a specific indicator type.

Related: https://pagure.io/freeipa/issue/8001

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
This commit is contained in:
Rob Crittenden 2019-11-19 18:33:23 -05:00
parent c5f32165d6
commit c02cc93c14
5 changed files with 163 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
ipatests/prci_definitions/nightly_latest.yaml
View File

@ -1384,3 +1384,15 @@ jobs:
template: *ci-master-latest template: *ci-master-latest
timeout: 1800 timeout: 1800
topology: *master_1repl topology: *master_1repl
fedora-latest/krbtpolicy:
requires: [fedora-latest/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{fedora-latest/build_url}'
test_suite: test_integration/test_krbtpolicy.py
template: *ci-master-latest
timeout: 3600
topology: *ipaserver

13
ipatests/prci_definitions/nightly_latest_testing.yaml
View File

@ -1479,3 +1479,16 @@ jobs:
template: *testing-master-latest template: *testing-master-latest
timeout: 1800 timeout: 1800
topology: *master_1repl topology: *master_1repl
testing-fedora/krbtpolicy:
requires: [testing-fedora/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{testing-fedora/build_url}'
update_packages: True
test_suite: test_integration/test_krbtpolicy.py
template: *testing-master-latest
timeout: 3600
topology: *ipaserver

12
ipatests/prci_definitions/nightly_previous.yaml
View File

@ -1360,3 +1360,15 @@ jobs:
template: *ci-master-previous template: *ci-master-previous
timeout: 1800 timeout: 1800
topology: *master_1repl topology: *master_1repl
fedora-previous/krbtpolicy:
requires: [fedora-previous/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{fedora-previous/build_url}'
test_suite: test_integration/test_krbtpolicy.py
template: *ci-master-previous
timeout: 3600
topology: *ipaserver

12
ipatests/prci_definitions/nightly_rawhide.yaml
View File

@ -1384,3 +1384,15 @@ jobs:
template: *ci-master-frawhide template: *ci-master-frawhide
timeout: 1800 timeout: 1800
topology: *master_1repl topology: *master_1repl
fedora-rawhide/krbtpolicy:
requires: [fedora-rawhide/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{fedora-rawhide/build_url}'
test_suite: test_integration/test_krbtpolicy.py
template: *ci-master-frawhide
timeout: 3600
topology: *ipaserver

114
ipatests/test_integration/test_krbtpolicy.py Normal file
View File

@ -0,0 +1,114 @@
#
# Copyright (C) 2019 FreeIPA Contributors see COPYING for license
#
"""
Module provides tests for Kerberos ticket policy options
"""
from __future__ import absolute_import
from datetime import datetime
from ipatests.test_integration.base import IntegrationTest
from ipatests.pytest_ipa.integration import tasks
PASSWORD = "Secret123"
USER1 = "testuser1"
USER2 = "testuser2"
MAXLIFE = 86400
def maxlife_within_policy(input, maxlife, slush=5):
"""Given klist output of the TGT verify that it is within policy
Ensure that the validity period is somewhere within the
absolute maxlife and a slush value, maxlife - slush.
Returns True if within policy.
Input should be a string like:
11/19/2019 16:37:40 11/20/2019 16:37:39 krbtgt/...
"""
data = input.split()
start = datetime.strptime(data[0] + ' ' + data[1], '%m/%d/%Y %H:%M:%S')
end = datetime.strptime(data[2] + ' ' + data[3], '%m/%d/%Y %H:%M:%S')
diff = int((end - start).total_seconds())
return maxlife >= diff >= maxlife - slush
class TestPWPolicy(IntegrationTest):
"""Tests password custom and default password policies.
"""
num_replicas = 0
@classmethod
def install(cls, mh):
tasks.install_master(cls.master)
tasks.create_active_user(cls.master, USER1, PASSWORD)
tasks.create_active_user(cls.master, USER2, PASSWORD)
def test_krbtpolicy_default(self):
"""Test the default kerberos ticket policy 24-hr tickets"""
master = self.master
tasks.kinit_admin(master)
master.run_command(['ipa', 'krbtpolicy-mod', USER1,
'--maxlife', str(MAXLIFE)])
tasks.kdestroy_all(master)
master.run_command(['kinit', USER1],
stdin_text=PASSWORD + '\n')
result = master.run_command('klist | grep krbtgt')
assert maxlife_within_policy(result.stdout_text, MAXLIFE) is True
tasks.kdestroy_all(master)
def test_krbtpolicy_hardended(self):
"""Test a hardened kerberos ticket policy with 10 min tickets"""
master = self.master
tasks.kinit_admin(master)
master.run_command(['ipa', 'user-mod', USER1,
'--user-auth-type', 'password',
'--user-auth-type', 'hardened'])
master.run_command(['ipa', 'config-mod',
'--user-auth-type', 'password',
'--user-auth-type', 'hardened'])
master.run_command(['ipa', 'krbtpolicy-mod', USER1,
'--hardened-maxlife', '600'])
tasks.kdestroy_all(master)
master.run_command(['kinit', USER1],
stdin_text=PASSWORD + '\n')
result = master.run_command('klist | grep krbtgt')
assert maxlife_within_policy(result.stdout_text, 600) is True
tasks.kdestroy_all(master)
# Verify that the short policy only applies to USER1
master.run_command(['kinit', USER2],
stdin_text=PASSWORD + '\n')
result = master.run_command('klist | grep krbtgt')
assert maxlife_within_policy(result.stdout_text, MAXLIFE) is True
tasks.kdestroy_all(master)
def test_krbtpolicy_password(self):
"""Test the kerberos ticket policy which issues 20 min tickets"""
master = self.master
tasks.kinit_admin(master)
master.run_command(['ipa', 'krbtpolicy-mod', USER2,
'--maxlife', '1200'])
tasks.kdestroy_all(master)
master.run_command(['kinit', USER2],
stdin_text=PASSWORD + '\n')
result = master.run_command('klist | grep krbtgt')
assert maxlife_within_policy(result.stdout_text, 1200) is True
tasks.kdestroy_all(master)