Instead of using ip[6]tables commands directly, use the new Firewall class to deny access to TCP and UDP port 88 on external machines via the OUTPUT chain. The iptables calls in the install method are replaced by a prepend_passthrough_rules call with the rules defined in the class. The firewall rules are defined in the class as fw_rules without --append/-A, --delete/-D, etc. The first entry of each rule is the chain name; the argument to add or delete the rule is added by the Firewall method that is used. See firewall.py for more information. The "iptables -F" call (IPv4 only) in the uninstall method is replaced by a remove_passthrough_rules call with the rules defined in the class. See: https://pagure.io/freeipa/issue/7755 Signed-off-by: Thomas Woerner <twoerner@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Armando Neto <abiagion@redhat.com>
#
# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
#
from __future__ import absolute_import
import six
from ipatests.pytest_ipa.integration import tasks
from ipatests.pytest_ipa.integration.firewall import Firewall
from ipatests.test_integration.base import IntegrationTest
from ipaplatform.paths import paths
# Python 2/3 compatibility shim: on Python 3 ``str`` already is the unicode
# text type, so give the Python 2 name ``unicode`` the same meaning there.
if not six.PY2:
    unicode = str
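class TestHttpKdcProxy(IntegrationTest):
    """Check that a client can ``kinit`` through the master's HTTPS KDC proxy.

    During ``install`` the client's own OUTPUT chain gets DROP rules for
    88/tcp and 88/udp, so it can no longer reach a KDC on the Kerberos
    port directly, and ``krb5.conf`` is rewritten so that ``kdc`` and
    ``master_kdc`` point at ``https://<master>/KdcProxy``.  With the direct
    path closed, a successful ``kinit`` in the test method should only be
    possible via the proxy.
    """

    topology = "line"
    num_clients = 1

    # Firewall rules without --append/-A, --delete/-D, .. First entry of
    # each rule is the chain name, the argument to add or delete the rule
    # will be added by the used Firewall method. See firewall.py for more
    # information.
    fw_rules = [['OUTPUT', '-p', 'tcp', '--dport', '88', '-j', 'DROP'],
                ['OUTPUT', '-p', 'udp', '--dport', '88', '-j', 'DROP']]

    @classmethod
    def install(cls, mh):
        """Deploy the topology, block port 88 on the client, point it at KdcProxy.

        :param mh: multihost fixture, passed through to
            ``IntegrationTest.install``.
        """
        super(TestHttpKdcProxy, cls).install(mh)

        # Block access from client to master's port 88 (the rules are
        # prepended so they take precedence over anything already in the
        # OUTPUT chain).
        Firewall(cls.clients[0]).prepend_passthrough_rules(cls.fw_rules)

        # Configure client: rewrite the ``kdc`` and ``master_kdc`` entries
        # of krb5.conf to the master's KdcProxy URL.  The ``\/`` sequences
        # are sed escapes for the slashes inside the replacement URL.
        cls.clients[0].run_command(
            r"sed -i 's/ kdc = .*$/ kdc = https:\/\/%s\/KdcProxy/' %s" % (
                cls.master.hostname, paths.KRB5_CONF)
        )
        cls.clients[0].run_command(
            r"sed -i 's/master_kdc = .*$/master_kdc"
            r" = https:\/\/%s\/KdcProxy/' %s" % (
                cls.master.hostname, paths.KRB5_CONF)
        )

        # Workaround for https://fedorahosted.org/freeipa/ticket/6443
        cls.clients[0].run_command(['systemctl', 'restart', 'sssd.service'])
        # End of workaround

    @classmethod
    def uninstall(cls, mh):
        """Tear down the topology and always drop the port-88 block again.

        The firewall rules are removed in a ``finally`` block so that they do
        not outlive the test on the client host even when the base-class
        uninstall fails part-way.

        :param mh: multihost fixture, passed through to
            ``IntegrationTest.uninstall``.
        """
        try:
            super(TestHttpKdcProxy, cls).uninstall(mh)
        finally:
            Firewall(cls.clients[0]).remove_passthrough_rules(cls.fw_rules)

    def test_http_kdc_proxy_works(self):
        """``kinit`` as admin on the client must succeed with port 88 blocked."""
        # raiseonerr=False so a failure surfaces as a readable assertion
        # message (with stderr) instead of a raw CalledProcessError.
        result = tasks.kinit_admin(self.clients[0], raiseonerr=False)
        assert result.returncode == 0, (
            "Unable to kinit using KdcProxy: %s" % result.stderr_text
        )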