mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-25 16:31:08 -06:00
c3bc938650
Previously, for a global policy which does not include 'password', krb5kdc restart was failing. Now it should succeed. We set admin user authentication type to PASSWORD to simplify configuration in the test. What matters here is that global policy does not include PKINIT and that means a code in the ticket policy check will allow PKINIT implicitly rather than explicitly. Related: https://pagure.io/freeipa/issue/9485 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
127 lines
3.7 KiB
Python
127 lines
3.7 KiB
Python
#
|
|
# Copyright (C) 2022 FreeIPA Contributors see COPYING for license
|
|
#
|
|
|
|
"""
|
|
Module provides tests for ipa-client-install with PKINIT
|
|
"""
|
|
import os
|
|
|
|
from ipaplatform.paths import paths
|
|
from ipatests.test_integration.base import IntegrationTest
|
|
from ipatests.pytest_ipa.integration import tasks
|
|
|
|
|
|
class TestPkinitClientInstall(IntegrationTest):
|
|
num_clients = 1
|
|
|
|
certfile = "/etc/pki/tls/certs/client.pem"
|
|
keyfile = "/etc/pki/tls/private/client.key"
|
|
tmpbundle = "/tmp/kdc-ca-bundle.pme"
|
|
|
|
@classmethod
|
|
def install(cls, mh):
|
|
tasks.install_master(cls.master)
|
|
|
|
def enforce_password_and_otp(self):
|
|
"""enforce otp by default and password for admin """
|
|
self.master.run_command(
|
|
[
|
|
"ipa",
|
|
"config-mod",
|
|
"--user-auth-type=otp",
|
|
]
|
|
)
|
|
self.master.run_command(
|
|
[
|
|
"ipa",
|
|
"user-mod",
|
|
"admin",
|
|
"--user-auth-type=password",
|
|
]
|
|
)
|
|
|
|
def add_certmaperule(self):
|
|
"""add certmap rule to map SAN dNSName to host entry"""
|
|
self.master.run_command(
|
|
[
|
|
"ipa",
|
|
"certmaprule-add",
|
|
"pkinit-host",
|
|
"--matchrule=<ISSUER>CN=Certificate Authority,.*",
|
|
"--maprule=(fqdn={subject_dns_name})",
|
|
]
|
|
)
|
|
|
|
def add_host(self):
|
|
"""Add host entry for client
|
|
|
|
Allow master to manage client so it can create a certificate.
|
|
"""
|
|
client = self.clients[0]
|
|
self.master.run_command(
|
|
["ipa", "host-add", "--force", client.hostname]
|
|
)
|
|
self.master.run_command(
|
|
[
|
|
"ipa",
|
|
"host-add-managedby",
|
|
f"--hosts={self.master.hostname}",
|
|
client.hostname,
|
|
]
|
|
)
|
|
|
|
def create_cert(self):
|
|
"""Create and copy certificate for client"""
|
|
client = self.clients[0]
|
|
self.master.run_command(
|
|
[
|
|
"mkdir",
|
|
"-p",
|
|
os.path.dirname(self.certfile),
|
|
os.path.dirname(self.keyfile),
|
|
]
|
|
)
|
|
self.master.run_command(
|
|
[
|
|
"ipa-getcert",
|
|
"request",
|
|
"-w",
|
|
# fmt: off
|
|
"-f", self.certfile,
|
|
"-k", self.keyfile,
|
|
"-N", client.hostname,
|
|
"-D", client.hostname,
|
|
"-K", f"host/{client.hostname}",
|
|
# fmt: on
|
|
]
|
|
)
|
|
# copy cert, key, and bundle to client
|
|
for filename in (self.certfile, self.keyfile):
|
|
data = self.master.get_file_contents(filename)
|
|
client.put_file_contents(filename, data)
|
|
|
|
cabundle = self.master.get_file_contents(paths.KDC_CA_BUNDLE_PEM)
|
|
client.put_file_contents(self.tmpbundle, cabundle)
|
|
|
|
def test_restart_krb5kdc(self):
|
|
tasks.kinit_admin(self.master)
|
|
self.enforce_password_and_otp()
|
|
self.master.run_command(['systemctl', 'stop', 'krb5kdc.service'])
|
|
self.master.run_command(['systemctl', 'start', 'krb5kdc.service'])
|
|
self.master.run_command(['systemctl', 'stop', 'kadmin.service'])
|
|
self.master.run_command(['systemctl', 'start', 'kadmin.service'])
|
|
|
|
def test_client_install_pkinit(self):
|
|
tasks.kinit_admin(self.master)
|
|
self.add_certmaperule()
|
|
self.add_host()
|
|
self.create_cert()
|
|
|
|
tasks.install_client(
|
|
self.master,
|
|
self.clients[0],
|
|
pkinit_identity=f"FILE:{self.certfile},{self.keyfile}",
|
|
extra_args=[f"--pkinit-anchor=FILE:{self.tmpbundle}"],
|
|
)
|