RBCD: add basic test for RBCD handling

Add a test that uses the IPA API to allow delegation of RBCD configuration
to a host and then uses it to set up an RBCD rule for a service.

Run RBCD check when the rule exists and when the rule is removed.

Since we only provide RBCD support on KDC side with Kerberos 1.20, skip
the test on Fedora versions prior to Fedora 38 and on RHEL versions
prior to RHEL 9.2.

Fixes: https://pagure.io/freeipa/issue/9354

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Alexander Bokovoy 2023-03-24 08:16:16 +02:00 committed by Rob Crittenden
parent f78dc0b163
commit dd5b189a09


@ -22,6 +22,12 @@ import os
from ipatests.test_integration.base import IntegrationTest
from ipatests.pytest_ipa.integration import tasks
from ipaplatform.osinfo import osinfo
import pytest
skip_rbcd_tests = any([
(osinfo.id == 'fedora' and osinfo.version_number < (38,)),
(osinfo.id == 'rhel' and osinfo.version_number < (9,2))])
class TestServicePermissions(IntegrationTest):
topology = 'star'
@ -142,3 +148,47 @@ class TestServicePermissions(IntegrationTest):
service_name3 = "testservice3" + '/' + self.master.hostname
self.master.run_command(['ipa', 'service-add', service_name3])
self.master.run_command(['ipa', 'service-del', service_name3])
@pytest.mark.xfail(
skip_rbcd_tests,
reason='krb5 before 1.20', strict=True)
def test_service_delegation(self):
""" Test that host can handle resource-based constrained delegation of
own services. """
keytab_file = '/etc/krb5.keytab'
keytab_file4 = '/tmp/krb5-testservice4.keytab'
hostservice_name4 = "host" + "/" + self.master.hostname
service_name4 = "testservice4" + '/' + self.master.hostname
self.master.run_command(['kinit', '-kt', keytab_file])
# Add service and configure delegation
self.master.run_command(['ipa', 'service-add', service_name4])
self.master.run_command(['kdestroy'])
tasks.kinit_admin(self.master)
self.master.run_command(['ipa', 'service-add-delegation',
service_name4, hostservice_name4])
self.master.run_command(['kinit', '-kt', keytab_file])
self.master.run_command(['ipa-getkeytab',
'-p', service_name4,
'-k', keytab_file4])
# Verify access to service is granted
result = self.master.run_command(['kvno', '-U', 'admin',
'-k', keytab_file,
'-P', hostservice_name4,
service_name4],
raiseonerr=False)
assert result.returncode == 0
tasks.kinit_admin(self.master)
self.master.run_command(['ipa', 'service-remove-delegation',
service_name4, hostservice_name4])
# Verify access to service is not granted
self.master.run_command(['kinit', '-kt', keytab_file])
result = self.master.run_command(['kvno', '-U', 'admin',
'-k', keytab_file,
'-P', hostservice_name4,
service_name4],
raiseonerr=False)
assert result.returncode > 0
self.master.run_command(['ipa', 'service-del', service_name4])
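Review bot: The cleanup in test_service_delegation (the `service-remove-delegation` call, the final `service-del`, and the keytab written to `/tmp/krb5-testservice4.keytab`) only runs when every preceding assert passes; a failing `assert result.returncode == 0` leaves the RBCD grant on testservice4, the service principal and the keytab on the shared master for the rest of the run, which can mask or alter later results. Moving the body after `service-add` into a try/finally that removes the delegation, the service and the keytab best-effort closes that gap. The negative check `assert result.returncode > 0` is also satisfied by any kvno failure (unreachable KDC, bad keytab), not only a refused S4U2Proxy; asserting on the denial text in `result.stderr_text` would make it meaningful, though the exact wording should be confirmed against a krb5 1.20 KDC first. Note too that the commit message says the test is skipped on older platforms, while the decorator is a strict `xfail`, so the test still runs there and must fail; `pytest.mark.skipif` would match the description if that is the intent. Finally, `keytab_file4` is never read after `ipa-getkeytab`; if the call is only there so the service principal has keys in the KDC, a comment such as `# ipa-getkeytab gives the principal keys in the KDC; the file itself is not used` would save the next reader a guess.
```python
        # Add service and configure delegation
        self.master.run_command(['ipa', 'service-add', service_name4])
        try:
            # … unchanged: add delegation, ipa-getkeytab, positive kvno check,
            # service-remove-delegation, negative kvno check …
        finally:
            # Always drop the RBCD grant, the service and the retrieved keytab,
            # even when an assert above failed, so nothing leaks into later tests
            tasks.kinit_admin(self.master)
            self.master.run_command(
                ['ipa', 'service-remove-delegation',
                 service_name4, hostservice_name4],
                raiseonerr=False)
            self.master.run_command(
                ['ipa', 'service-del', service_name4], raiseonerr=False)
            self.master.run_command(['rm', '-f', keytab_file4])
```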