ipatests: ensure auth indicators can't be added to internal IPA services
Authentication indicators should not be added to internal IPA services, since this can lead to a broken IPA setup. If a client has an auth indicator set in its host principal, promoting it to a replica should fail. Related: https://pagure.io/freeipa/issue/8206 Signed-off-by: Antonio Torres <antorres@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com>
This commit is contained in:
parent
0bdbf11442
commit
da72a57658
@ -101,6 +101,44 @@ class TestReplicaPromotionLevel1(ReplicaPromotionBase):
|
||||
assert result.returncode == 1
|
||||
assert expected_err in result.stderr_text
|
||||
|
||||
@replicas_cleanup
|
||||
def test_install_with_host_auth_ind_set(self):
|
||||
""" A client shouldn't be able to be promoted if it has
|
||||
any auth indicator set in the host principal.
|
||||
https://pagure.io/freeipa/issue/8206
|
||||
"""
|
||||
|
||||
client = self.replicas[0]
|
||||
# Configure firewall first
|
||||
Firewall(client).enable_services(["freeipa-ldap",
|
||||
"freeipa-ldaps"])
|
||||
|
||||
client.run_command(['ipa-client-install', '-U',
|
||||
'--domain', self.master.domain.name,
|
||||
'--realm', self.master.domain.realm,
|
||||
'-p', 'admin',
|
||||
'-w', self.master.config.admin_password,
|
||||
'--server', self.master.hostname,
|
||||
'--force-join'])
|
||||
|
||||
tasks.kinit_admin(client)
|
||||
|
||||
client.run_command(['ipa', 'host-mod', '--auth-ind=otp',
|
||||
client.hostname])
|
||||
|
||||
res = client.run_command(['ipa-replica-install', '-U', '-w',
|
||||
self.master.config.dirman_password],
|
||||
raiseonerr=False)
|
||||
|
||||
client.run_command(['ipa', 'host-mod', '--auth-ind=',
|
||||
client.hostname])
|
||||
|
||||
expected_err = ("Client cannot be promoted to a replica if the host "
|
||||
"principal has an authentication indicator set.")
|
||||
assert res.returncode == 1
|
||||
assert expected_err in res.stderr_text
|
||||
|
||||
|
||||
@replicas_cleanup
|
||||
def test_one_command_installation(self):
|
||||
"""
|
||||
|
@ -605,6 +605,16 @@ class TestProtectedMaster(XMLRPC_test):
|
||||
error=u'An IPA master host cannot be deleted or disabled')):
|
||||
command()
|
||||
|
||||
def test_try_add_auth_ind_master(self, this_host):
|
||||
command = this_host.make_update_command({
|
||||
u'krbprincipalauthind': u'radius'})
|
||||
with raises_exact(errors.ValidationError(
|
||||
name='krbprincipalauthind',
|
||||
error=u'authentication indicators not allowed '
|
||||
'in service "host"'
|
||||
)):
|
||||
command()
|
||||
|
||||
|
||||
@pytest.mark.tier1
|
||||
class TestValidation(XMLRPC_test):
|
||||
|
@ -25,6 +25,7 @@ from ipalib import api, errors
|
||||
from ipatests.test_xmlrpc.xmlrpc_test import Declarative, fuzzy_uuid, fuzzy_hash
|
||||
from ipatests.test_xmlrpc.xmlrpc_test import fuzzy_digits, fuzzy_date, fuzzy_issuer
|
||||
from ipatests.test_xmlrpc.xmlrpc_test import fuzzy_hex, XMLRPC_test
|
||||
from ipatests.test_xmlrpc.xmlrpc_test import raises_exact
|
||||
from ipatests.test_xmlrpc import objectclasses
|
||||
from ipatests.test_xmlrpc.testcert import get_testcert, subject_base
|
||||
from ipatests.test_xmlrpc.test_user_plugin import get_user_result, get_group_dn
|
||||
@ -1552,6 +1553,15 @@ def indicators_host(request):
|
||||
return tracker.make_fixture(request)
|
||||
|
||||
|
||||
@pytest.fixture(scope='function')
|
||||
def this_host(request):
|
||||
"""Fixture for the current master"""
|
||||
tracker = HostTracker(name=api.env.host.partition('.')[0],
|
||||
fqdn=api.env.host)
|
||||
tracker.exists = True
|
||||
return tracker
|
||||
|
||||
|
||||
@pytest.fixture(scope='function')
|
||||
def indicators_service(request):
|
||||
tracker = ServiceTracker(
|
||||
@ -1587,6 +1597,17 @@ class TestAuthenticationIndicators(XMLRPC_test):
|
||||
expected_updates={u'krbprincipalauthind': [u'radius']}
|
||||
)
|
||||
|
||||
def test_update_indicator_internal_service(self, this_host):
|
||||
command = this_host.make_command('service_mod',
|
||||
'ldap/' + this_host.fqdn,
|
||||
**dict(krbprincipalauthind='otp'))
|
||||
with raises_exact(errors.ValidationError(
|
||||
name='krbprincipalauthind',
|
||||
error=u'authentication indicators not allowed '
|
||||
'in service "ldap"'
|
||||
)):
|
||||
command()
|
||||
|
||||
|
||||
@pytest.fixture(scope='function')
|
||||
def managing_host(request):
|
||||
|
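Review bot: The new this_host fixture sets `tracker.exists = True` and returns the tracker directly instead of going through `tracker.make_fixture(request)` like the neighbouring indicators_host and indicators_service fixtures, and nothing in the hunk says why; presumably this keeps the tracker from ever creating or deleting the master's own host entry, which would break the server, but that depends on HostTracker internals not visible here and should be confirmed. A comment above the assignment, such as `# The master's host entry already exists; mark it so the tracker never adds or removes it.`, would make the intent explicit, and the unused request parameter could be mentioned as required only for the fixture signature. In the TestAuthenticationIndicators hunk, `**dict(krbprincipalauthind='otp')` can simply be the keyword argument `krbprincipalauthind='otp'` in the make_command call. Both this_host and test_update_indicator_internal_service are fully contained in their hunks.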