ipatests: ensure auth indicators can't be added to internal IPA services

Authentication indicators should not be added to internal IPA services,
since this can lead to a broken IPA setup. If a client has an auth
indicator set in its host principal, promoting it to a replica
should fail.

Related: https://pagure.io/freeipa/issue/8206
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Antonio Torres 2021-03-08 18:20:35 +01:00 committed by Florence Blanc-Renaud
parent 0bdbf11442
commit da72a57658
3 changed files with 69 additions and 0 deletions


@ -101,6 +101,44 @@ class TestReplicaPromotionLevel1(ReplicaPromotionBase):
assert result.returncode == 1
assert expected_err in result.stderr_text
@replicas_cleanup
def test_install_with_host_auth_ind_set(self):
""" A client shouldn't be able to be promoted if it has
any auth indicator set in the host principal.
https://pagure.io/freeipa/issue/8206
"""
client = self.replicas[0]
# Configure firewall first
Firewall(client).enable_services(["freeipa-ldap",
"freeipa-ldaps"])
client.run_command(['ipa-client-install', '-U',
'--domain', self.master.domain.name,
'--realm', self.master.domain.realm,
'-p', 'admin',
'-w', self.master.config.admin_password,
'--server', self.master.hostname,
'--force-join'])
tasks.kinit_admin(client)
client.run_command(['ipa', 'host-mod', '--auth-ind=otp',
client.hostname])
res = client.run_command(['ipa-replica-install', '-U', '-w',
self.master.config.dirman_password],
raiseonerr=False)
client.run_command(['ipa', 'host-mod', '--auth-ind=',
client.hostname])
expected_err = ("Client cannot be promoted to a replica if the host "
"principal has an authentication indicator set.")
assert res.returncode == 1
assert expected_err in res.stderr_text
@replicas_cleanup
def test_one_command_installation(self):
"""


@ -605,6 +605,16 @@ class TestProtectedMaster(XMLRPC_test):
error=u'An IPA master host cannot be deleted or disabled')):
command()
def test_try_add_auth_ind_master(self, this_host):
command = this_host.make_update_command({
u'krbprincipalauthind': u'radius'})
with raises_exact(errors.ValidationError(
name='krbprincipalauthind',
error=u'authentication indicators not allowed '
'in service "host"'
)):
command()
@pytest.mark.tier1
class TestValidation(XMLRPC_test):
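Review bot: If the server-side rejection ever regresses, test_try_add_auth_ind_master leaves a `radius` indicator on the live master's host entry, because this_host is the real master (the fixture in the third file sets `tracker.exists = True` and appears to register no cleanup) and nothing in the test undoes a successful update — exactly the broken setup the commit message describes, which would then leak into the rest of the suite. Consider clearing `krbprincipalauthind` on the entry when raises_exact does not see the ValidationError, for example via a `finally` that issues a second update with an empty value. The test also has no docstring; `"""Auth indicators must be rejected on the IPA master's host entry (issue 8206)."""` would match the neighbouring tests. The same missing-restore concern applies to test_update_indicator_internal_service in the TestAuthenticationIndicators hunk of the third file.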


@ -25,6 +25,7 @@ from ipalib import api, errors
from ipatests.test_xmlrpc.xmlrpc_test import Declarative, fuzzy_uuid, fuzzy_hash
from ipatests.test_xmlrpc.xmlrpc_test import fuzzy_digits, fuzzy_date, fuzzy_issuer
from ipatests.test_xmlrpc.xmlrpc_test import fuzzy_hex, XMLRPC_test
from ipatests.test_xmlrpc.xmlrpc_test import raises_exact
from ipatests.test_xmlrpc import objectclasses
from ipatests.test_xmlrpc.testcert import get_testcert, subject_base
from ipatests.test_xmlrpc.test_user_plugin import get_user_result, get_group_dn
@ -1552,6 +1553,15 @@ def indicators_host(request):
return tracker.make_fixture(request)
@pytest.fixture(scope='function')
def this_host(request):
"""Fixture for the current master"""
tracker = HostTracker(name=api.env.host.partition('.')[0],
fqdn=api.env.host)
tracker.exists = True
return tracker
@pytest.fixture(scope='function')
def indicators_service(request):
tracker = ServiceTracker(
@ -1587,6 +1597,17 @@ class TestAuthenticationIndicators(XMLRPC_test):
expected_updates={u'krbprincipalauthind': [u'radius']}
)
def test_update_indicator_internal_service(self, this_host):
command = this_host.make_command('service_mod',
'ldap/' + this_host.fqdn,
**dict(krbprincipalauthind='otp'))
with raises_exact(errors.ValidationError(
name='krbprincipalauthind',
error=u'authentication indicators not allowed '
'in service "ldap"'
)):
command()
@pytest.fixture(scope='function')
def managing_host(request):
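Review bot: `**dict(krbprincipalauthind='otp')` in the make_command call of test_update_indicator_internal_service is an indirect way to pass a keyword argument; writing `krbprincipalauthind='otp'` directly is identical in effect and reads as the other make_command calls do. The test also lacks a docstring; `"""Auth indicators must be rejected on the master's ldap/ service principal (issue 8206)."""` would document why the ldap/ principal is used. Only that one principal is exercised, while the commit message speaks of internal IPA services in general; if the server check is meant to cover more than ldap/, parametrizing the service prefix over the guarded set would make the coverage explicit — which services are guarded is not visible in this hunk.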