From 6dec9f7c7bed1bc3f6d2e7bb1b9ff8da43614285 Mon Sep 17 00:00:00 2001 From: aborah Date: Mon, 8 Jul 2024 10:05:57 +0530 Subject: [PATCH] Tests: Port ipa/test_authentication_indicators to new test framework MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit https://github.com/SSSD/sssd/blob/master/src/tests/multihost/ipa/test_misc.py#L258 Reviewed-by: Dan Lavu Reviewed-by: Jakub Vávra --- src/tests/system/tests/test_ipa.py | 68 ++++++++++++++++++++++++++++++ 1 file changed, 68 insertions(+) diff --git a/src/tests/system/tests/test_ipa.py b/src/tests/system/tests/test_ipa.py index 6da55b7d250..1b5bd2a08fa 100644 --- a/src/tests/system/tests/test_ipa.py +++ b/src/tests/system/tests/test_ipa.py @@ -9,6 +9,8 @@ from __future__ import annotations +import time + import pytest from sssd_test_framework.roles.client import Client from sssd_test_framework.roles.ipa import IPA 
@@ -122,3 +124,69 @@ def test_ipa__hostpublickeys_by_ip(client: Client, ipa: IPA, public_keys: list[s
 assert len(public_keys) == len(result.stdout_lines), "Did not get expected number of public keys!"
 for key in public_keys:
 assert f"{ip} {key}" in result.stdout_lines, "Did not get expected public keys!"
+
+
+@pytest.mark.ticket(bz=1926622)
+@pytest.mark.integration
+@pytest.mark.importance("low")
+@pytest.mark.topology(KnownTopology.IPA)
+def test_ipa__check_gssapi_authentication_indicator(client: Client, ipa: IPA):
+ """
+ :title: Check logs for authentication indicator
+ :description:
+ Checks that logs for the authentication indicator showing that the kerberos ticket was obtained using GSSAPI
+ :setup:
+ 1. Configure SSSD for sudo and gssapi
+ 2. Start SSSD
+ 3. Create sudo configuration that allows user to run SUDO rules
+ :steps:
+ 1. Login as the test user and obtain ticket
+ 2. Try 'sudo -l' as user
+ 3. Check if acquired service ticket has req. indicators: 0 in sssd_pam.log
+ 4. Update config with 'pam_gssapi_service, pam_gssaspi_indicator_map and restart sssd
+ 5. Login as the test user and obtain a new ticket
+ 6. Check if acquired service ticket has req. indicators: 2 in sssd_pam.log
+ :expectedresults:
+ 1. Login successful and ticket obtained
+ 2. "Sudo -l" should run without password
+ 3. "indicators: 0" should be there in the sssd_pam.log
+ 4. Configuration is updated and SSSD is restarted
+ 5. Login successful and new ticket obtained
+ 6. "indicators: 2" should be there in the sssd_pam.log
+ :customerscenario: True
+ """
+ user = ipa.user("user-1").add(password="Secret123")
+ password = "Secret123"
+
+ # In future some other string replacement module may be created, for now generic sed module is used.
+ for path in ["/etc/pam.d/sudo", "/etc/pam.d/sudo-i"]:
+ client.fs.sed(path=path, command="2s/^/auth sufficient pam_sss_gss.so debug\\n/", args=["-i"])
+
+ client.sssd.config["pam"] = {
+ "pam_gssapi_services": "sudo, sudo-i",
+ "pam_gssapi_indicators_map": "hardened, sudo:pkinit, sudo-i:otp",
+ }
+ client.sssd.start()
+
+ with client.ssh(user.name, password) as ssh:
+ ssh.run(f"kinit {user.name}@{ipa.host.realm}", input=password)
+ ssh.run("klist")
+ ssh.disconnect()
+ ipa.sudorule("testrule").add(user=user.name, host="ALL", command="sudo -l")
+ assert not client.auth.sudo.list(user.name), "User found in sudo rule!"
+ time.sleep(3)
+ log1 = client.fs.read(client.sssd.logs.pam)
+ assert "indicators: 0" in log1, "String `indicators: 0` not found in logs!"
+
+ client.sssd.config["pam"] = {"pam_gssapi_services": "sudo, sudo-i", "pam_gssapi_indicators_map": "sudo-i:hardened"}
+ client.sssd.clear(logs=True)
+ client.sssd.restart()
+
+ with client.ssh(user.name, password) as ssh:
+ ssh.run(f"kinit {user.name}@{ipa.host.realm}", input=password)
+ ssh.run("klist")
+ ssh.disconnect()
+ assert not client.auth.sudo.list(user.name), "User found in sudo rule!"
+ time.sleep(3)
+ log2 = client.fs.read(client.sssd.logs.pam)
+ assert "indicators: 2" in log2, "String `indicators: 2` not found in logs!"
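Review bot: The two `assert not client.auth.sudo.list(user.name), "User found in sudo rule!"` checks contradict expected result 2 in the docstring ("Sudo -l should run without password"), and as negative assertions they also pass when `sudo -l` fails for an unrelated reason — for instance if the sudo rule added on the line above has not yet been refreshed on the client, or if the `2s/^/auth sufficient pam_sss_gss.so debug\\n/` insert (which assumes line 2 of `/etc/pam.d/sudo` is the first `auth` entry on this distro) broke the PAM stack. That leaves the `"indicators: 0" in log1` / `"indicators: 2" in log2` substring matches as the only evidence that pam_sss_gss was consulted at all, and a substring match would also accept `indicators: 20`. If a rejected `sudo -l` is the intended outcome — presumably because the password-obtained TGT carries no indicator while `sudo:pkinit` is mapped — the docstring and message should say so: change expected result 2 to `2. "sudo -l" is rejected because the ticket carries no required indicator` and the assertion message to `"sudo -l unexpectedly succeeded without the required authentication indicator!"`; otherwise the assertion itself needs inverting. A comment on the sed line recording the assumed PAM file layout, e.g. `# insert before the first "auth" entry (line 2 in the Fedora/RHEL pam.d/sudo template)`, would also help the next person who sees this fail on another distribution.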