From da72a576586f40d3378a3cb376ba0af510c74b86 Mon Sep 17 00:00:00 2001 From: Antonio Torres Date: Mon, 8 Mar 2021 18:20:35 +0100 Subject: [PATCH] ipatests: ensure auth indicators can't be added to internal IPA services Authentication indicators should not be added to internal IPA services, since this can lead to a broken IPA setup. In case a client with an auth indicator set in its host principal, promoting it to a replica should fail. Related: https://pagure.io/freeipa/issue/8206 Signed-off-by: Antonio Torres Reviewed-By: Rob Crittenden Reviewed-By: Alexander Bokovoy Reviewed-By: Christian Heimes --- .../test_replica_promotion.py | 38 +++++++++++++++++++ ipatests/test_xmlrpc/test_host_plugin.py | 10 +++++ ipatests/test_xmlrpc/test_service_plugin.py | 21 ++++++++++ 3 files changed, 69 insertions(+) diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py index 0a137dbdc..b9c56f775 100644 --- a/ipatests/test_integration/test_replica_promotion.py +++ b/ipatests/test_integration/test_replica_promotion.py 
@@ -101,6 +101,44 @@ class TestReplicaPromotionLevel1(ReplicaPromotionBase): assert result.returncode == 1 assert expected_err in result.stderr_text + @replicas_cleanup + def test_install_with_host_auth_ind_set(self): + """ A client shouldn't be able to be promoted if it has + any auth indicator set in the host principal. + https://pagure.io/freeipa/issue/8206 + """ + + client = self.replicas[0] + # Configure firewall first + Firewall(client).enable_services(["freeipa-ldap", + "freeipa-ldaps"]) + + client.run_command(['ipa-client-install', '-U', + '--domain', self.master.domain.name, + '--realm', self.master.domain.realm, + '-p', 'admin', + '-w', self.master.config.admin_password, + '--server', self.master.hostname, + '--force-join']) + + tasks.kinit_admin(client) + + client.run_command(['ipa', 'host-mod', '--auth-ind=otp', + client.hostname]) + + res = client.run_command(['ipa-replica-install', '-U', '-w', + self.master.config.dirman_password], + raiseonerr=False) + + client.run_command(['ipa', 'host-mod', '--auth-ind=', + client.hostname]) + + expected_err = ("Client cannot be promoted to a replica if the host " + "principal has an authentication indicator set.") + assert res.returncode == 1 + assert expected_err in res.stderr_text + + @replicas_cleanup def test_one_command_installation(self): """ diff --git a/ipatests/test_xmlrpc/test_host_plugin.py b/ipatests/test_xmlrpc/test_host_plugin.py index c66bbc865..9cfde3565 100644 --- a/ipatests/test_xmlrpc/test_host_plugin.py +++ b/ipatests/test_xmlrpc/test_host_plugin.py 
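Review bot: `test_install_with_host_auth_ind_set` checks only that `ipa-replica-install` exits 1 with the expected message, not that the refused promotion left nothing behind on the master, which is the property a regression in the ordering of that check would break. The error text reads like a pre-flight refusal, but that is inferred; a cheap guard after the existing asserts would be `res = self.master.run_command(['ipa', 'server-show', client.hostname], raiseonerr=False)` followed by `assert res.returncode != 0`. If the install ever got far enough to enroll before failing, the `@replicas_cleanup` decorator (defined outside the hunk) is the only thing that unwinds it, so that extra assertion also documents the expectation. The docstring opens with a leading space and a multi-line summary; a PEP 257 form would be `"""A client with an auth indicator on its host principal cannot be promoted."""` with the issue URL on its own line below.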
@@ -605,6 +605,16 @@ class TestProtectedMaster(XMLRPC_test): error=u'An IPA master host cannot be deleted or disabled')): command() + def test_try_add_auth_ind_master(self, this_host): + command = this_host.make_update_command({ + u'krbprincipalauthind': u'radius'}) + with raises_exact(errors.ValidationError( + name='krbprincipalauthind', + error=u'authentication indicators not allowed ' + 'in service "host"' + )): + command() + @pytest.mark.tier1 class TestValidation(XMLRPC_test): diff --git a/ipatests/test_xmlrpc/test_service_plugin.py b/ipatests/test_xmlrpc/test_service_plugin.py index 4c845938c..ed634a045 100644 --- a/ipatests/test_xmlrpc/test_service_plugin.py +++ b/ipatests/test_xmlrpc/test_service_plugin.py @@ -25,6 +25,7 @@ from ipalib import api, errors from ipatests.test_xmlrpc.xmlrpc_test import Declarative, fuzzy_uuid, fuzzy_hash from ipatests.test_xmlrpc.xmlrpc_test import fuzzy_digits, fuzzy_date, fuzzy_issuer from ipatests.test_xmlrpc.xmlrpc_test import fuzzy_hex, XMLRPC_test +from ipatests.test_xmlrpc.xmlrpc_test import raises_exact from ipatests.test_xmlrpc import objectclasses from ipatests.test_xmlrpc.testcert import get_testcert, subject_base from ipatests.test_xmlrpc.test_user_plugin import get_user_result, get_group_dn @@ -1552,6 +1553,15 @@ def indicators_host(request): return tracker.make_fixture(request) +@pytest.fixture(scope='function') +def this_host(request): + """Fixture for the current master""" + tracker = HostTracker(name=api.env.host.partition('.')[0], + fqdn=api.env.host) + tracker.exists = True + return tracker + + @pytest.fixture(scope='function') def indicators_service(request): tracker = ServiceTracker( 
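Review bot: `test_try_add_auth_ind_master` pins the rejection for the single indicator value `radius`; because this guard is a policy boundary on the master's own host principal, the test should show the refusal does not depend on the value. A three-line change does it: decorate the method with `@pytest.mark.parametrize('indicator', [u'radius', u'otp', u'custom-ind'])`, add `indicator` to the signature, and pass `{u'krbprincipalauthind': indicator}` to `make_update_command`. The `this_host` fixture used here is not defined in this hunk; it presumably already exists in this module, since the surrounding `TestProtectedMaster` tests (class start outside the hunk) use the same name, so a comment pointing at its definition would help a reader who sees the near-identical fixture added in test_service_plugin.py by this same commit.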
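Review bot: The new `this_host` fixture added to test_service_plugin.py at `@@ -1552,6 +1553,15 @@` duplicates, by name and apparent purpose, the fixture the test_host_plugin.py hunk relies on without defining; two copies will drift, and the `tracker.exists = True` line already encodes a subtle contract that only one of them documents. Hoisting a single definition into a shared conftest or the tracker module and importing it in both files keeps them in step. The docstring could also say what `exists = True` buys, e.g. `"""Tracker for the current master, marked as existing so the tracker neither creates nor deletes it."""`; that last clause is inferred from the tracker API and worth confirming against HostTracker before committing to it.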
@@ -1587,6 +1597,17 @@ class TestAuthenticationIndicators(XMLRPC_test): expected_updates={u'krbprincipalauthind': [u'radius']} ) + def test_update_indicator_internal_service(self, this_host): + command = this_host.make_command('service_mod', + 'ldap/' + this_host.fqdn, + **dict(krbprincipalauthind='otp')) + with raises_exact(errors.ValidationError( + name='krbprincipalauthind', + error=u'authentication indicators not allowed ' + 'in service "ldap"' + )): + command() + @pytest.fixture(scope='function') def managing_host(request):
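Review bot: `**dict(krbprincipalauthind='otp')` in `test_update_indicator_internal_service` is an unnecessary indirection for one keyword argument; `this_host.make_command('service_mod', 'ldap/' + this_host.fqdn, krbprincipalauthind='otp')` reads the same and drops the throwaway dict. The test also exercises only the `ldap` principal although the commit's stated goal is every internal IPA service; the error text `in service "ldap"` suggests the server-side check is keyed on the service name, so parametrizing this test over the master's other internal service principals would give the guard coverage proportional to its scope. The enclosing `TestAuthenticationIndicators` class begins outside the hunk.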