diff --git a/src/tests/multihost/basic/test_kcm.py b/src/tests/multihost/basic/test_kcm.py index 8f527f6b81d..a463d087e57 100644 --- a/src/tests/multihost/basic/test_kcm.py +++ b/src/tests/multihost/basic/test_kcm.py @@ -8,9 +8,11 @@ """ import os import re + import pytest from pexpect import pxssh from utils_config import set_param + from sssd.testlib.common.utils import sssdTools @@ -51,6 +53,7 @@ def _remove_secret_db(self, multihost): 'rm -f /var/lib/sss/secrets/secrets.ldb') self._restart_kcm(multihost) + @pytest.mark.converted('test_kcm.py', 'test_kcm__kinit_kcm_krb5ccname') @pytest.mark.usefixtures("enable_kcm") def test_kinit_kcm(self, multihost): """ @@ -70,6 +73,7 @@ def test_kinit_kcm(self, multihost): assert cmd2.returncode == 0, "klist failed!" assert 'Ticket cache: KCM:14583103' in cmd2.stdout_text + @pytest.mark.converted('test_kcm.py', 'test_kcm__ssh_login_with_kcm') @staticmethod @pytest.mark.usefixtures("enable_kcm") def test_ssh_login_kcm(multihost): @@ -85,6 +89,7 @@ def test_ssh_login_kcm(multihost): 'journalctl -u sssd -n 50 --no-pager') assert ssh0, "Authentication Failed as user foo4" + @pytest.mark.converted('test_kcm.py', 'test_kcm__debug_enabled') @pytest.mark.usefixtures("enable_kcm") def test_kcm_debug_level_set(self, multihost): """ @@ -133,6 +138,7 @@ def test_kcm_debug_level_set(self, multihost): log_lines_debug = self._kcm_log_length(multihost) assert log_lines_debug > log_lines_pre + 100 + @pytest.mark.converted('test_kcm.py', 'test_kcm__kdestroy_nocache') @staticmethod @pytest.mark.usefixtures("enable_kcm") def test_kdestroy_retval(multihost): @@ -157,6 +163,7 @@ def test_kdestroy_retval(multihost): f'su -l {user} -c "kdestroy"', raiseonerr=False) assert kd2.returncode == 0, "Second kdestroy failed!" + @pytest.mark.converted('test_kcm.py', 'test_kcm__forward_credentials') @staticmethod @pytest.mark.usefixtures("enable_kcm") def test_ssh_forward_creds(multihost): @@ -191,6 +198,7 @@ def test_ssh_forward_creds(multihost): assert 'KCM:14583103' in klist, "kinit did not work!" assert 'KCM:14583109' in ssh_output, "Ticket not forwarded!" + @pytest.mark.converted('test_kcm.py', 'test_kcm__display_correct_kvno') @staticmethod @pytest.mark.usefixtures("enable_kcm") def test_kvno_display(multihost): @@ -216,6 +224,7 @@ def test_kvno_display(multihost): else: pytest.fail("kvno display was improper") + @pytest.mark.converted('test_kcm.py', 'test_kcm__per_uid_quota') @pytest.mark.usefixtures("enable_kcm", "create_many_user_principals") def test_kcm_peruid_quota(self, multihost): """ @@ -268,6 +277,7 @@ def test_kcm_peruid_quota(self, multihost): multihost.master[0].run_command( 'su -l foo3 -c "kdestroy -A"', raiseonerr=False) + @pytest.mark.converted('test_kcm.py', 'test_kcm__per_uid_quota_increase') @pytest.mark.usefixtures("enable_kcm", "create_many_user_principals") def test_kcm_peruid_quota_increase(self, multihost): """ @@ -310,6 +320,7 @@ def test_kcm_peruid_quota_increase(self, multihost): multihost.master[0].run_command( f'su -l {user} -c "kdestroy -A"', raiseonerr=False) + @pytest.mark.converted('test_kcm.py', 'test_kcm__low_per_uid_quota') @pytest.mark.usefixtures("enable_kcm") def test_kcm_payload_low_quota(self, multihost): """ diff --git a/src/tests/system/tests/test_kcm.py b/src/tests/system/tests/test_kcm.py index 942e8675010..01db0babc56 100644 --- a/src/tests/system/tests/test_kcm.py +++ b/src/tests/system/tests/test_kcm.py @@ -6,12 +6,14 @@ from __future__ import annotations +import re import time import pytest from pytest_mh.ssh import SSHProcessError from sssd_test_framework.roles.client import Client from sssd_test_framework.roles.kdc import KDC +from sssd_test_framework.roles.ldap import LDAP from sssd_test_framework.topology import KnownTopology @@ -413,3 +415,390 @@ def test_kcm__simple_kinit(client: Client, kdc: KDC): with pytest.raises(SSHProcessError): krb.kinit(username, password="wrong") assert krb.klist().rc == 0, "Klist failed" + + +@pytest.mark.topology(KnownTopology.Client) +def test_kcm__kinit_kcm_krb5ccname(client: Client, kdc: KDC): + """ + :title: Kinit with KRB5CCNAME=KCM + :setup: + 1. Add Kerberos principal "user1" to KDC + 2. Add local user "user1" + 3. Start SSSD + :steps: + 1. Authenticate as "user1" over SSH + 2. Kinit as "user1" + 3. Call klist + 4. Check that in stdout is correct + :expectedresults: + 1. User is logged into the host + 2. Kinit was successful + 3. Klist was successfull + 4. In stdout is correct cache name + :customerscenario: False + """ + user = "user1" + password = "Secret123" + + kdc.principal(user).add(password=password) + client.local.user(user).add(password=password, uid=123123) + + client.sssd.common.kcm(kdc) + + client.sssd.start() + with client.ssh(user, password) as ssh: + with client.auth.kerberos(ssh) as krb: + kinit = krb.kinit(user, password=password) + klist = krb.klist() + + assert kinit.rc == 0, "Kinit call was not successful" + assert klist.rc == 0, "Klist call was not successful" + assert "Ticket cache: KCM:123123" in klist.stdout, "Incorrect output of klist" + + +@pytest.mark.topology(KnownTopology.Client) +def test_kcm__debug_enabled(client: Client, kdc: KDC): + """ + :title: Kcm debug is enabled after sssd-kcm restart, when + "debug_level" in kcm section is set to 9 + :setup: + 1. Add Kerberos principal "user1" to KDC + 2. Add local user "user1" + 3. Remove log files + 4. Set "debug_level" in kcm config section to "0" + 5. Remove kcm log files + 6. Start SSSD + :steps: + 1. Try to produce some debug messages e.g. kdestroy + 2. Check that kcm debug messages were not generated + 3. Set "debug_level" in kcm config section to "9" + 4. Restart kcm + 5. Try to produce some debug messages e.g. kdestroy + 6. Check that kcm debug messages were generated + :expectedresults: + 1. No messages were generated + 2. Log file did not get bigger + 3. Successfully set + 4. Successfully restarted + 5. Some messages were generated + 6. Log file did get bigger + :customerscenario: False + """ + + def kcm_log_length() -> int: + try: + output = client.fs.wc(kcm_log_file, lines=True).stdout + return int(output.split()[0]) + except SSHProcessError: + return 0 + + user = "user1" + password = "Secret123" + kcm_log_file = "/var/log/sssd/sssd_kcm.log" + + kdc.principal(user).add(password=password) + client.local.user(user).add(password=password) + client.sssd.common.kcm(kdc) + + client.sssd.kcm["debug_level"] = "0" + client.sssd.config_apply() + + client.ssh(user, password).exec(["rm", "-f", kcm_log_file], raise_on_error=False) + client.sssd.start() + + start_log_length = kcm_log_length() + + with client.ssh(user, password) as ssh: + with client.auth.kerberos(ssh) as krb: + krb.kdestroy() + + end_log_nodebug = kcm_log_length() + assert start_log_length == end_log_nodebug, "Debug messages were generated" + + client.sssd.kcm["debug_level"] = "9" + client.sssd.config_apply() + assert client.svc.restart("sssd-kcm").rc == 0, "Restart of kcm failed" + + with client.ssh(user, password) as ssh: + with client.auth.kerberos(ssh) as krb: + krb.kdestroy() + + end_log_debug = kcm_log_length() + assert start_log_length + 100 < end_log_debug, "Debug messages were not generated" + + +# TODO +@pytest.mark.topology(KnownTopology.LDAP) +def test_kcm__ssh_login_with_kcm(client: Client, ldap: LDAP, kdc: KDC): + """ + :title: kcm: Verify ssh login is successuful with kcm as default + :setup: + 1. Add user and principal + 2. Set kerberos as default auth provider + 3. Start SSSD + :steps: + 1. Authenticate as "user1" over SSH using kcm + :expectedresults: + 1. Authenticated successfully + :customerscenario: False + """ + ldap.user("user1").add() + kdc.principal("user1").add() + + client.sssd.common.krb5_auth(kdc) + client.sssd.start() + + with client.ssh("user1", "Secret123") as ssh: + with client.auth.kerberos(ssh) as krb: + res = krb.klist() + assert res.rc == 0, "Klist failed" + # print(res.stdout) + + +# TODO +@pytest.mark.ticket(gh=4863) +@pytest.mark.topology(KnownTopology.Client) +def test_kcm__forward_credentials(client: Client, kdc: KDC): + """ + :title: SSH can forward credentials with KCM + :setup: + 1. Add Kerberos principals to KDC + 2. Add local users + 3. Start SSSD + :steps: + 1. Authenticate as "user1" over SSH + 2. Call kinit for "user2" + 3. Call klist + 4. Authenticate as "user2" over SSH + 5. Call klist on "user2" + :expectedresults: + 1. Authenticated successfully + 2. Kinit was successful + 3. Klist contained "KCM:99000" + 4. Authenticated successfully + 5. Klist contained "KCM:99001" + :customerscenario: True + """ + foo3 = "user1" + user2 = "user2" + password = "Secret123" + + kdc.principal(foo3).add(password=password) + client.local.user(foo3).add(password=password, uid=99000) + kdc.principal(user2).add(password=password) + client.local.user(user2).add(password=password, uid=99001) + + client.sssd.default_domain = "local" + client.sssd.common.kcm(kdc) + client.sssd.common.krb5_auth(kdc) + + client.sssd.start() + print(client.sssd.config_dumps()) + + with client.ssh(foo3, password) as ssh: + with client.auth.kerberos(ssh) as krb: + # assert krb.kinit(user2, password=password) + assert ssh.run("kinit -f user2",input=password).rc == 0 + + klist1 = krb.klist() + assert "KCM:99000" in klist1.stdout, "Kinit did not work!" + + klist2 = ssh.run(f"ssh -o StrictHostKeyChecking=no -o GssapiDelegateCredentials=yes -K -l user2 {client.host.hostname} klist") + + assert "KCM:99001" in klist2.stdout, "Ticket not forwarded!" + + +@pytest.mark.ticket(gh=4763) +@pytest.mark.topology(KnownTopology.Client) +def test_kcm__display_correct_kvno(client: Client, kdc: KDC): + """ + :title: kvno correctly displays version numbers of principals + :setup: + 1. Add Kerberos principal "user1" to KDC + 1. Add Kerberos service principal "host/client" to KDC + 2. Add local user "user1" + 3. Start SSSD + :steps: + 1. Authenticate as "user1" over SSH + 2. Kinit as "user1" + 3. Call kvno on service principal + 4. Check output of kvno + :expectedresults: + 1. Authenticated successfully + 2. Kinit was successful + 3. Kvno was successful + 4. Output is correct + :customerscenario: True + """ + user = "user1" + password = "Secret123" + + kdc.principal(user).add(password=password) + kdc.principal("host/client").add(password=None) + client.local.user(user).add(password=password, uid=99000) + client.sssd.common.kcm(kdc) + client.sssd.start() + + with client.ssh(user, password) as ssh: + with client.auth.kerberos(ssh) as krb: + krb.kinit(user, password=password) + res = krb.kvno("host/client", realm="TEST") + assert res.rc == 0 + + for line in res.stdout_lines: + kvno_check = re.search(r"host/client@TEST: kvno = (\d+)", line) + assert kvno_check, f"kvno display was not correct, line: {line}" + + +@pytest.mark.topology(KnownTopology.Client) +def test_kcm__per_uid_quota(client: Client, kdc: KDC): + """ + :title: "max_uid_ccaches" limits only specific user, + "max_uid_ccaches" defaults to 64 + :setup: + 1. Add local user "user0" and "user1" + 2. Add 65 Kerberos principals to KDC + 3. Start SSSD + :steps: + 1. Authenticate as "user0" over SSH + 2. Kinit 64 principals as "user0" + 3. Kinit 65th principal as "user0" + 4. Authenticate as "user1" over SSH + 5. Kinit principal "user64" as "user1" + 6. Authenticate as "user0" over SSH + 7. Call kdestroy to destroy all caches + 8. Kinit principal "user64" as "user0" + :expectedresults: + 1. Authenticated successfully + 2. All kinits were successful + 3. Kinit is not successful + 4. Authenticated successfully + 5. Kinit is successful + 6. Authenticated successfully + 7. Kdestroy is successful + 8. Kinit is successful + :customerscenario: False + """ + user0 = "user0" + user1 = "user1" + password = "Secret123" + client.local.user(user0).add(password=password, uid=99000) + client.local.user(user1).add(password=password, uid=99001) + + for i in range(65): + user = f"user{i}" + kdc.principal(user).add(password=password) + + client.sssd.common.kcm(kdc) + client.sssd.start() + + with client.ssh("user0", password) as ssh: + with client.auth.kerberos(ssh) as krb: + for i in range(64): + user = f"user{i}" + assert krb.kinit(user, password=password).rc == 0 + + with pytest.raises(SSHProcessError): + krb.kinit("user64", password=password).rc != 0 + + with client.ssh("user1", password) as ssh: + with client.auth.kerberos(ssh) as krb: + assert krb.kinit("user64", password=password).rc == 0 + + with client.ssh("user0", password) as ssh: + with client.auth.kerberos(ssh) as krb: + assert krb.kdestroy(all=True).rc == 0 + assert krb.kinit("user64", password=password).rc == 0 + + +@pytest.mark.topology(KnownTopology.Client) +def test_kcm__per_uid_quota_increase(client: Client, kdc: KDC): + """ + :title: "max_uid_ccaches" increased to kinit more principals + :setup: + 1. Add local user "user0" + 2. Add 65 Kerberos principals to KDC + 3. Start SSSD + :steps: + 1. Authenticate as "user0" over SSH + 2. Kinit 64 principals as "user0" + 3. Kinit 65th principal as "user0" + 4. Set "max_uid_ccaches" to "65" + 5. Kinit 65th principal as "user0" + :expectedresults: + 1. Authenticated successfully + 2. All kinits were successful + 3. Kinit is not successful + 4. Successfully set + 5. Kinit is successful + :customerscenario: False + """ + user0 = "user0" + password = "Secret123" + client.local.user(user0).add(password=password) + + for i in range(65): + user = f"user{i}" + kdc.principal(user).add(password=password) + + client.sssd.common.kcm(kdc) + client.sssd.start() + + with client.ssh(user0, password) as ssh: + with client.auth.kerberos(ssh) as krb: + for i in range(64): + user = f"user{i}" + assert krb.kinit(user, password=password).rc == 0 + + with pytest.raises(SSHProcessError): + krb.kinit("user64", password=password).rc != 0 + + client.sssd.kcm["max_uid_ccaches"] = "65" + client.sssd.config_apply() + client.svc.restart("sssd-kcm") + + assert krb.kinit("user64", password=password).rc == 0 + + +@pytest.mark.topology(KnownTopology.Client) +def test_kcm__low_per_uid_quota(client: Client, kdc: KDC): + """ + :title: "max_uid_ccaches" decreased and enforced + :setup: + 1. Add local user "user0" and "user1" + 2. Add Kerberos principals to KDC + 3. Start SSSD + :steps: + 1. Authenticate as "user0" over SSH + 2. Set "max_uid_ccaches" to "1" + 3. Kinit principal "user0" as "user0" + 4. Kinit principal "user1" as "user0" + :expectedresults: + 1. Authenticated successfully + 2. Successfully set + 3. Kinit is successful + 4. Kinit is not successful + :customerscenario: False + """ + user0 = "user0" + user1 = "user1" + password = "Secret123" + client.local.user(user0).add(password=password, uid=99000) + kdc.principal(user0).add(password=password) + kdc.principal(user1).add(password=password) + + client.sssd.common.kcm(kdc) + client.sssd.start() + + with client.ssh(user0, password) as ssh: + with client.auth.kerberos(ssh) as krb: + assert krb.kdestroy(all=True).rc == 0 + + client.sssd.kcm["max_uid_ccaches"] = "1" + client.sssd.config_apply() + client.svc.restart("sssd-kcm") + + assert krb.kinit(user0, password=password).rc == 0 + + with pytest.raises(SSHProcessError): + assert krb.kinit(user1, password=password).rc != 0