freeipa/ipatests/test_integration/test_user_permissions.py
François Cami 5cc7a2b703 ipatests: test_user_permissions: test_selinux_user_optimized Paramiko=>OpenSSH
Paramiko is not compatible with FIPS.
Migrate test_selinux_user_optimized to the OpenSSH CLI SSH(1).
Rationale: this is exactly what clients use.

Fixes: https://pagure.io/freeipa/issue/8129
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2020-07-29 13:53:52 +02:00

282 lines
11 KiB
Python

#
# Copyright (C) 2018 FreeIPA Contributors see COPYING for license
#
from __future__ import absolute_import
import pytest
from ipaplatform.osinfo import osinfo
from ipaplatform.paths import paths
from ipaplatform.tasks import tasks as platformtasks
from ipatests.test_integration.base import IntegrationTest
from ipatests.pytest_ipa.integration import tasks
class TestUserPermissions(IntegrationTest):
topology = 'star'
altadmin = "altadmin"
@classmethod
def install(cls, mh):
super(TestUserPermissions, cls).install(mh)
tasks.kinit_admin(cls.master)
# Create a new user altadmin
password_confirmation = "%s\n%s\n" % (cls.master.config.admin_password,
cls.master.config.admin_password)
cls.master.run_command(['ipa', 'user-add', cls.altadmin,
'--first', cls.altadmin,
'--last', cls.altadmin,
'--password'],
stdin_text=password_confirmation)
# Add altadmin to the group cn=admins
cls.master.run_command(['ipa', 'group-add-member', 'admins',
'--users', cls.altadmin])
# kinit as altadmin to initialize the password
altadmin_kinit = "%s\n%s\n%s\n" % (cls.master.config.admin_password,
cls.master.config.admin_password,
cls.master.config.admin_password)
cls.master.run_command(['kinit', cls.altadmin],
stdin_text=altadmin_kinit)
cls.master.run_command(['kdestroy', '-A'])
def test_delete_preserve_as_alternate_admin(self):
"""
Test that a user member of admins group can call delete --preserve.
This is a test case for issue 7342
"""
# kinit admin
tasks.kinit_admin(self.master)
# Create a new user 'testuser' with a password
testuser = 'testuser'
password = 'Secret123'
testuser_password_confirmation = "%s\n%s\n" % (password,
password)
self.master.run_command(['ipa', 'user-add', testuser,
'--first', testuser,
'--last', testuser,
'--password'],
stdin_text=testuser_password_confirmation)
# kinit as altadmin
self.master.run_command(['kinit', self.altadmin],
stdin_text=self.master.config.admin_password)
# call ipa user-del --preserve
self.master.run_command(['ipa', 'user-del', '--preserve', testuser])
@pytest.mark.skipif(
not platformtasks.is_selinux_enabled(),
reason="Test needs SELinux enabled")
@pytest.mark.xfail(
osinfo.id == 'fedora' and osinfo.version_number <= (28,),
reason='sssd ticket 3819', strict=True)
def test_selinux_user_optimized(self):
"""
Check that SELinux login context is set on first login for the
user, even if the user is not mapped to a specific SELinux user.
Related ticket https://pagure.io/SSSD/sssd/issue/3819.
"""
# Scenario: add an IPA user with non-default home dir, login through
# ssh as this user and check that there is a SELinux user mapping
# for the user with `semanage login -l`.
test_user = 'testuser_selinux'
password = 'Secret123'
tasks.kinit_admin(self.master)
tasks.create_active_user(
self.master, test_user, password=password,
extra_args=['--homedir', '/root/{}'.format(test_user)]
)
tasks.run_ssh_cmd(
to_host=self.master.external_hostname, username=test_user,
auth_method="password", password=password
)
# check if user listed in output
cmd = self.master.run_command(['semanage', 'login', '-l'])
assert test_user in cmd.stdout_text
# call ipa user-del
tasks.kinit_admin(self.master)
self.master.run_command(['ipa', 'user-del', test_user])
def test_stageuser_show_as_alternate_admin(self):
"""
Test that a user member of admins group can call stageuser-show
and read the 'Kerberos Keys available' information.
This is a test case for issue 7342
"""
# kinit admin
tasks.kinit_admin(self.master)
# Create a new stage user 'stageuser' with a password
stageuser = 'stageuser'
password = 'Secret123'
stageuser_password_confirmation = "%s\n%s\n" % (password,
password)
self.master.run_command(['ipa', 'stageuser-add', stageuser,
'--first', stageuser,
'--last', stageuser,
'--password'],
stdin_text=stageuser_password_confirmation)
# kinit as altadmin
self.master.run_command(['kinit', self.altadmin],
stdin_text=self.master.config.admin_password)
# call ipa stageuser-show
# the field Kerberos Keys available must contain True
result = self.master.run_command(['ipa', 'stageuser-show', stageuser])
assert 'Kerberos keys available: True' in result.stdout_text
def test_user_add_withradius(self):
"""
Test that a user with User Administrator role can call
ipa user-add --radius myradius
to create a user with an assigned Radius Proxy Server.
This is a test case for issue 7570
"""
# kinit admin
tasks.kinit_admin(self.master)
# Create a radius proxy server
radiusproxy = 'myradius'
secret = 'Secret123'
radius_secret_confirmation = "%s\n%s\n" % (secret, secret)
self.master.run_command(
['ipa', 'radiusproxy-add', radiusproxy,
'--server', 'radius.example.com', '--secret'],
stdin_text=radius_secret_confirmation)
# Create a user with 'User Administrator' role
altuser = 'specialuser'
password = 'SpecialUser123'
password_confirmation = "%s\n%s\n" % (password, password)
self.master.run_command(
['ipa', 'user-add', altuser, '--first', altuser, '--last', altuser,
'--password'],
stdin_text=password_confirmation)
self.master.run_command(
['ipa', 'role-add-member', "User Administrator",
'--user', altuser])
# kinit as altuser to initialize the password
altuser_kinit = "%s\n%s\n%s\n" % (password, password, password)
self.master.run_command(['kinit', altuser], stdin_text=altuser_kinit)
# call ipa user-add with --radius=...
# this call requires read access to radius proxy servers
self.master.run_command(
['ipa', 'user-add', '--first', 'test', '--last', 'test',
'--user-auth-type', 'radius', '--radius-username', 'testradius',
'testradius', '--radius', radiusproxy])
def test_delete_group_by_user_administrator(self):
"""
Test that a user with sufficient privileges can delete group
This is a Automation for issue 6884
"""
# Create a new testadmin user with a password
testadmin = 'tuser'
password = 'Secret123'
testgroup = 'gtest'
try:
tasks.create_active_user(self.master, testadmin, password)
# Add testadmin user to role "User Administrator"
tasks.kinit_admin(self.master)
self.master.run_command(['ipa', 'role-add-member',
'--users', testadmin,
'User Administrator'])
tasks.kdestroy_all(self.master)
# Create a test group
tasks.kinit_as_user(self.master, testadmin, password)
self.master.run_command(['ipa', 'group-add', testgroup])
# Call ipa-group-del to check if user can delete group
self.master.run_command(['ipa', 'group-del', testgroup])
finally:
# Cleanup
tasks.kinit_admin(self.master)
self.master.run_command(['ipa', 'user-del', testadmin])
self.master.run_command(['ipa', 'group-del', testgroup,
'--continue'])
class TestInstallClientNoAdmin(IntegrationTest):
num_clients = 1
def test_installclient_as_user_admin(self):
"""ipa-client-install should not use hardcoded admin for principal
In ipaclient-install.log it should use the username that was entered
earlier in the install process at the prompt.
Related to : https://pagure.io/freeipa/issue/5406
"""
client = self.clients[0]
tasks.install_master(self.master)
tasks.kinit_admin(self.master)
username = 'testuser1'
password = 'userSecretPassword123'
password_confirmation = "%s\n%s\n" % (password,
password)
self.master.run_command(['ipa', 'user-add', username,
'--first', username,
'--last', username,
'--password'],
stdin_text=password_confirmation)
role_add = ['ipa', 'role-add', 'useradmin']
self.master.run_command(role_add)
self.master.run_command(['ipa', 'privilege-add', 'Add Hosts'])
self.master.run_command(['ipa', 'privilege-add-permission',
'--permissions', 'System: Add Hosts',
'Add Hosts'])
self.master.run_command(['ipa', 'role-add-privilege', 'useradmin',
'--privileges', 'Host Enrollment'])
self.master.run_command(['ipa', 'role-add-privilege', 'useradmin',
'--privileges', 'Add Hosts'])
role_member_add = ['ipa', 'role-add-member', 'useradmin',
'--users={}'.format(username)]
self.master.run_command(role_member_add)
user_kinit = "%s\n%s\n%s\n" % (password, password, password)
self.master.run_command(['kinit', username],
stdin_text=user_kinit)
tasks.install_client(
self.master, client,
extra_args=['--request-cert'],
user=username, password=password
)
msg = "args=['/usr/bin/getent', 'passwd', '%s@%s']" % \
(username, client.domain.name)
install_log = client.get_file_contents(paths.IPACLIENT_INSTALL_LOG,
encoding='utf-8')
assert msg in install_log
# check that user is able to request a host cert, too
result = tasks.run_certutil(client, ['-L'], paths.IPA_NSSDB_DIR)
assert 'Local IPA host' in result.stdout_text
result = tasks.run_certutil(
client,
['-K', '-f', paths.IPA_NSSDB_PWDFILE_TXT],
paths.IPA_NSSDB_DIR
)
assert 'Local IPA host' in result.stdout_text