freeipa/ipatests/test_integration/test_user_permissions.py

#
# Copyright (C) 2018  FreeIPA Contributors see COPYING for license
#

from __future__ import absolute_import

import pytest

from ipaplatform.osinfo import osinfo
from ipaplatform.paths import paths
from ipaplatform.tasks import tasks as platformtasks
from ipatests.test_integration.base import IntegrationTest
from ipatests.pytest_ipa.integration import tasks

class TestUserPermissions(IntegrationTest):
    topology = 'star'
    altadmin = "altadmin"

    @classmethod
    def install(cls, mh):
        super(TestUserPermissions, cls).install(mh)
        tasks.kinit_admin(cls.master)

        # Create a new user altadmin
        password_confirmation = "%s\n%s\n" % (cls.master.config.admin_password,
                                              cls.master.config.admin_password)
        cls.master.run_command(['ipa', 'user-add', cls.altadmin,
                                '--first', cls.altadmin,
                                '--last', cls.altadmin,
                                '--password'],
                               stdin_text=password_confirmation)

        # Add altadmin to the group cn=admins
        cls.master.run_command(['ipa', 'group-add-member', 'admins',
                                '--users', cls.altadmin])

        # kinit as altadmin to initialize the password
        altadmin_kinit = "%s\n%s\n%s\n" % (cls.master.config.admin_password,
                                           cls.master.config.admin_password,
                                           cls.master.config.admin_password)
        cls.master.run_command(['kinit', cls.altadmin],
                               stdin_text=altadmin_kinit)
        cls.master.run_command(['kdestroy', '-A'])

    def test_delete_preserve_as_alternate_admin(self):
        """
        Test that a user member of admins group can call delete --preserve.

        This is a test case for issue 7342
        """

        # kinit admin
        tasks.kinit_admin(self.master)

        # Create a new user 'testuser' with a password
        testuser = 'testuser'
        password = 'Secret123'
        testuser_password_confirmation = "%s\n%s\n" % (password,
                                                       password)
        self.master.run_command(['ipa', 'user-add', testuser,
                                 '--first', testuser,
                                 '--last', testuser,
                                 '--password'],
                                stdin_text=testuser_password_confirmation)
        try:
            # kinit as altadmin
            self.master.run_command(
                ['kinit', self.altadmin],
                stdin_text=self.master.config.admin_password
            )
            # call ipa user-del --preserve
            self.master.run_command(['ipa', 'user-del', '--preserve', testuser]
                                    )
        finally:
            self.master.run_command(['ipa', 'user-del', testuser])

    @pytest.mark.skipif(
        not platformtasks.is_selinux_enabled(),
        reason="Test needs SELinux enabled")
    @pytest.mark.xfail(
        osinfo.id == 'fedora' and osinfo.version_number <= (28,),
        reason='sssd ticket 3819', strict=True)
    def test_selinux_user_optimized(self):
        """
        Check that SELinux login context is set on first login for the
        user, even if the user is not mapped to a specific SELinux user.

        Related ticket https://pagure.io/SSSD/sssd/issue/3819.
        """

        # Scenario: add an IPA user with non-default home dir, login through
        # ssh as this user and check that there is a SELinux user mapping
        # for the user with `semanage login -l`.

        test_user = 'testuser_selinux'
        password = 'Secret123'

        tasks.kinit_admin(self.master)
        tasks.create_active_user(
            self.master, test_user, password=password,
            extra_args=['--homedir', '/root/{}'.format(test_user)]
        )

        tasks.run_ssh_cmd(
            to_host=self.master.external_hostname, username=test_user,
            auth_method="password", password=password
        )

        # check if user listed in output
        cmd = self.master.run_command(['semanage', 'login', '-l'])
        assert test_user in cmd.stdout_text

        # call ipa user-del
        tasks.kinit_admin(self.master)
        self.master.run_command(['ipa', 'user-del', test_user])

    def test_stageuser_show_as_alternate_admin(self):
        """
        Test that a user member of admins group can call stageuser-show
        and read the 'Kerberos Keys available' information.

        This is a test case for issue 7342
        """
        # kinit admin
        tasks.kinit_admin(self.master)

        # Create a new stage user 'stageuser' with a password
        stageuser = 'stageuser'
        password = 'Secret123'
        stageuser_password_confirmation = "%s\n%s\n" % (password,
                                                        password)
        self.master.run_command(['ipa', 'stageuser-add', stageuser,
                                 '--first', stageuser,
                                 '--last', stageuser,
                                 '--password'],
                                stdin_text=stageuser_password_confirmation)

        # kinit as altadmin
        self.master.run_command(['kinit', self.altadmin],
                                stdin_text=self.master.config.admin_password)

        # call ipa stageuser-show
        # the field Kerberos Keys available must contain True
        result = self.master.run_command(['ipa', 'stageuser-show', stageuser])
        assert 'Kerberos keys available: True' in result.stdout_text

    def test_user_add_withradius(self):
        """
        Test that a user with User Administrator role can call
        ipa user-add --radius myradius
        to create a user with an assigned Radius Proxy Server.

        This is a test case for issue 7570
        """
        # kinit admin
        tasks.kinit_admin(self.master)

        # Create a radius proxy server
        radiusproxy = 'myradius'
        secret = 'Secret123'
        radius_secret_confirmation = "%s\n%s\n" % (secret, secret)
        self.master.run_command(
            ['ipa', 'radiusproxy-add', radiusproxy,
             '--server', 'radius.example.com', '--secret'],
            stdin_text=radius_secret_confirmation)

        # Create a user with 'User Administrator' role
        altuser = 'specialuser'
        password = 'SpecialUser123'
        password_confirmation = "%s\n%s\n" % (password, password)
        self.master.run_command(
            ['ipa', 'user-add', altuser, '--first', altuser, '--last', altuser,
             '--password'],
            stdin_text=password_confirmation)
        self.master.run_command(
            ['ipa', 'role-add-member', "User Administrator",
             '--user', altuser])

        # kinit as altuser to initialize the password
        altuser_kinit = "%s\n%s\n%s\n" % (password, password, password)
        self.master.run_command(['kinit', altuser], stdin_text=altuser_kinit)
        # call ipa user-add with --radius=...
        # this call requires read access to radius proxy servers
        self.master.run_command(
            ['ipa', 'user-add', '--first', 'test', '--last', 'test',
             '--user-auth-type', 'radius', '--radius-username', 'testradius',
             'testradius', '--radius', radiusproxy])

    def test_delete_group_by_user_administrator(self):
        """
        Test that a user with sufficient privileges can delete group
        This is a Automation for issue 6884
        """
        # Create a new testadmin user with a password
        testadmin = 'tuser'
        password = 'Secret123'
        testgroup = 'gtest'

        try:
            tasks.create_active_user(self.master, testadmin, password)

            # Add testadmin user to role "User Administrator"
            tasks.kinit_admin(self.master)
            self.master.run_command(['ipa', 'role-add-member',
                                     '--users', testadmin,
                                     'User Administrator'])
            tasks.kdestroy_all(self.master)

            # Create a test group
            tasks.kinit_as_user(self.master, testadmin, password)
            self.master.run_command(['ipa', 'group-add', testgroup])

            # Call ipa-group-del to check if user can delete group
            self.master.run_command(['ipa', 'group-del', testgroup])
        finally:
            # Cleanup
            tasks.kinit_admin(self.master)
            self.master.run_command(['ipa', 'user-del', testadmin])
            self.master.run_command(['ipa', 'group-del', testgroup,
                                     '--continue'])

    def test_search_hbacrule_nonadminuser(self):
        """
        Test that non admin user can search hbac rule.

        Related : https://pagure.io/freeipa/issue/5130
        """
        user = 'hbacuser'
        password = 'Secret123'
        hrule = 'rule1'

        try:
            tasks.create_active_user(self.master, user, password)
            tasks.kinit_admin(self.master)
            self.master.run_command(["ipa", "hbacrule-add", hrule])
            tasks.kdestroy_all(self.master)
            tasks.kinit_as_user(self.master, user, password)
            rule = "Rule name: {0}".format(hrule)
            result = self.master.run_command(["ipa", "hbacrule-find", hrule])
            assert rule in result.stdout_text
            result2 = self.master.run_command(["ipa", "hbacrule-find"])
            assert rule in result2.stdout_text
        finally:
            # Cleanup
            tasks.kinit_admin(self.master)
            self.master.run_command(['ipa', 'user-del', user])
            self.master.run_command(["ipa", "hbacrule-del", hrule])


class TestInstallClientNoAdmin(IntegrationTest):
    num_clients = 1

    def test_installclient_as_user_admin(self):
        """ipa-client-install should not use hardcoded admin for principal

        In ipaclient-install.log it should use the username that was entered
        earlier in the install process at the prompt.
        Related to : https://pagure.io/freeipa/issue/5406
        """
        client = self.clients[0]
        tasks.install_master(self.master)
        tasks.kinit_admin(self.master)
        username = 'testuser1'
        password = 'userSecretPassword123'
        password_confirmation = "%s\n%s\n" % (password,
                                              password)

        self.master.run_command(['ipa', 'user-add', username,
                                 '--first', username,
                                 '--last', username,
                                 '--password'],
                                stdin_text=password_confirmation)

        role_add = ['ipa', 'role-add', 'useradmin']
        self.master.run_command(role_add)
        self.master.run_command(['ipa', 'privilege-add', 'Add Hosts'])
        self.master.run_command(['ipa', 'privilege-add-permission',
                                 '--permissions', 'System: Add Hosts',
                                 'Add Hosts'])
        self.master.run_command(['ipa', 'privilege-add-permission',
                                 '--permissions', 'System: Manage Host Keytab',
                                 'Add Hosts'])

        self.master.run_command(['ipa', 'role-add-privilege', 'useradmin',
                                 '--privileges', 'Host Enrollment'])

        self.master.run_command(['ipa', 'role-add-privilege', 'useradmin',
                                 '--privileges', 'Add Hosts'])

        role_member_add = ['ipa', 'role-add-member', 'useradmin',
                           '--users={}'.format(username)]
        self.master.run_command(role_member_add)
        user_kinit = "%s\n%s\n%s\n" % (password, password, password)
        self.master.run_command(['kinit', username],
                                stdin_text=user_kinit)
        tasks.install_client(
            self.master, client,
            extra_args=['--request-cert'],
            user=username, password=password
        )
        msg = "args=['/usr/bin/getent', 'passwd', '%s@%s']" % \
              (username, client.domain.name)
        install_log = client.get_file_contents(paths.IPACLIENT_INSTALL_LOG,
                                               encoding='utf-8')
        assert msg in install_log

        # Make sure we do not fallback to an old keytab retrieval method anymore
        msg = "Retrying with pre-4.0 keytab retrieval method..."
        assert msg not in install_log

        # check that user is able to request a host cert, too
        result = tasks.run_certutil(client, ['-L'], paths.IPA_NSSDB_DIR)
        assert 'Local IPA host' in result.stdout_text
        result = tasks.run_certutil(
            client,
            ['-K', '-f', paths.IPA_NSSDB_PWDFILE_TXT],
            paths.IPA_NSSDB_DIR
        )
        assert 'Local IPA host' in result.stdout_text