ipatests: make sure PKINIT enrollment works with a strict policy

Previously, for a global policy which does not include
'password', krb5kdc restart was failing. Now it should succeed.

We set admin user authentication type to PASSWORD to simplify
configuration in the test.

What matters here is that the global policy does not include PKINIT, which
means the code in the ticket policy check will allow PKINIT implicitly
rather than explicitly.

Related: https://pagure.io/freeipa/issue/9485

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Alexander Bokovoy 2023-11-24 13:00:48 +02:00 committed by Antonio Torres
parent 62c44c9e69
commit c3bc938650


@ -23,6 +23,24 @@ class TestPkinitClientInstall(IntegrationTest):
def install(cls, mh): def install(cls, mh):
tasks.install_master(cls.master) tasks.install_master(cls.master)
def enforce_password_and_otp(self):
"""enforce otp by default and password for admin """
self.master.run_command(
[
"ipa",
"config-mod",
"--user-auth-type=otp",
]
)
self.master.run_command(
[
"ipa",
"user-mod",
"admin",
"--user-auth-type=password",
]
)
def add_certmaperule(self): def add_certmaperule(self):
"""add certmap rule to map SAN dNSName to host entry""" """add certmap rule to map SAN dNSName to host entry"""
self.master.run_command( self.master.run_command(
@ -86,6 +104,14 @@ class TestPkinitClientInstall(IntegrationTest):
cabundle = self.master.get_file_contents(paths.KDC_CA_BUNDLE_PEM) cabundle = self.master.get_file_contents(paths.KDC_CA_BUNDLE_PEM)
client.put_file_contents(self.tmpbundle, cabundle) client.put_file_contents(self.tmpbundle, cabundle)
def test_restart_krb5kdc(self):
tasks.kinit_admin(self.master)
self.enforce_password_and_otp()
self.master.run_command(['systemctl', 'stop', 'krb5kdc.service'])
self.master.run_command(['systemctl', 'start', 'krb5kdc.service'])
self.master.run_command(['systemctl', 'stop', 'kadmin.service'])
self.master.run_command(['systemctl', 'start', 'kadmin.service'])
def test_client_install_pkinit(self): def test_client_install_pkinit(self):
tasks.kinit_admin(self.master) tasks.kinit_admin(self.master)
self.add_certmaperule() self.add_certmaperule()