ipatests: make sure PKINIT enrollment works with a strict policy

Previously, for a global policy which does not include 'password', krb5kdc restart was failing. Now it should succeed. We set admin user authentication type to PASSWORD to simplify configuration in the test. What matters here is that global policy does not include PKINIT and that means a code in the ticket policy check will allow PKINIT implicitly rather than explicitly. Related: https://pagure.io/freeipa/issue/9485 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2025-02-25 18:55:28 -06:00 · 2023-11-24 13:00:48 +02:00 · 2023-11-24 13:00:48 +02:00 · c3bc938650
commit c3bc938650
parent 62c44c9e69
1 changed files with 26 additions and 0 deletions
--- a/ipatests/test_integration/test_pkinit_install.py
+++ b/ipatests/test_integration/test_pkinit_install.py
@ -23,6 +23,24 @@ class TestPkinitClientInstall(IntegrationTest):
    def install(cls, mh):
        tasks.install_master(cls.master)

+    def enforce_password_and_otp(self):
+        """enforce otp by default and password for admin """
+        self.master.run_command(
+            [
+                "ipa",
+                "config-mod",
+                "--user-auth-type=otp",
+            ]
+        )
+        self.master.run_command(
+            [
+                "ipa",
+                "user-mod",
+                "admin",
+                "--user-auth-type=password",
+            ]
+        )
+
    def add_certmaperule(self):
        """add certmap rule to map SAN dNSName to host entry"""
        self.master.run_command(
@ -86,6 +104,14 @@ class TestPkinitClientInstall(IntegrationTest):
        cabundle = self.master.get_file_contents(paths.KDC_CA_BUNDLE_PEM)
        client.put_file_contents(self.tmpbundle, cabundle)

+    def test_restart_krb5kdc(self):
+        tasks.kinit_admin(self.master)
+        self.enforce_password_and_otp()
+        self.master.run_command(['systemctl', 'stop', 'krb5kdc.service'])
+        self.master.run_command(['systemctl', 'start', 'krb5kdc.service'])
+        self.master.run_command(['systemctl', 'stop', 'kadmin.service'])
+        self.master.run_command(['systemctl', 'start', 'kadmin.service'])
+
    def test_client_install_pkinit(self):
        tasks.kinit_admin(self.master)
        self.add_certmaperule()