From 97e0d55745a125a933a8d4f9dddd31a752977948 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Mon, 6 Aug 2018 18:25:16 +0200
Subject: [PATCH] Tests: add integration test for password changes by dir mgr
Add a test for issue 7601:
- add a user, perform kinit user to modify the password, read krblastpwdchange
and krbpasswordexpiration.
- perform a ldapmodify on the password as dir mgr
- make sure that krblastpwdchange and krbpasswordexpiration have been modified
- perform the same check with ldappasswd
Related to:
https://pagure.io/freeipa/issue/7601
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
---
ipatests/test_integration/test_commands.py | 127 +++++++++++++++++++++
1 file changed, 127 insertions(+)
create mode 100644 ipatests/test_integration/test_commands.py
diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
new file mode 100644
index 0000000000000000000000000000000000000000..e277e4a2fe4089392b08719d46b011e6444e8094
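--- /dev/null
+++ b/ipatests/test_integration/test_commands.py
@@ -0,0 +1,127 @@
+#
+# Copyright (C) 2018 FreeIPA Contributors see COPYING for license
+#
+"""Misc test for 'ipa' CLI regressions
+"""
+from __future__ import print_function
+
+import re
+from tempfile import NamedTemporaryFile
+import textwrap
+import time
+
+from ipaplatform.paths import paths
+
+from ipatests.test_integration.base import IntegrationTest
+from ipatests.pytest_plugins.integration import tasks
+
+
+class TestIPACommand(IntegrationTest):
+ """
+ A lot of commands can be executed against a single IPA installation
+ so provide a generic class to execute one-off commands that need to be
+ tested without having to fire up a full server to run one command.
+ """
+ topology = 'line'
+
+ def test_ldapmodify_password_issue7601(self):
+ user = 'ipauser'
+ original_passwd = 'Secret123'
+ new_passwd = 'userPasswd123'
+ new_passwd2 = 'mynewPwd123'
+ master = self.master
+ base_dn = str(master.domain.basedn) # pylint: disable=no-member
+
+ # Create a user with a password
+ tasks.kinit_admin(master)
+ add_password_stdin_text = "{pwd}\n{pwd}".format(pwd=original_passwd)
+ master.run_command(['ipa', 'user-add', user,
+ '--first', user,
+ '--last', user,
+ '--password'],
+ stdin_text=add_password_stdin_text)
+ # kinit as that user in order to modify the pwd
+ user_kinit_stdin_text = "{old}\n%{new}\n%{new}\n".format(
+ old=original_passwd,
+ new=original_passwd)
+ master.run_command(['kinit', user], stdin_text=user_kinit_stdin_text)
+ # Retrieve krblastpwdchange and krbpasswordexpiration
+ search_cmd = [
+ 'ldapsearch', '-x',
+ '-D', 'cn=directory manager',
+ '-w', master.config.dirman_password,
+ '-s', 'base',
+ '-b', 'uid={user},cn=users,cn=accounts,{base_dn}'.format(
+ user=user, base_dn=base_dn),
+ '-o', 'ldif-wrap=no',
+ '-LLL',
+ 'krblastpwdchange',
+ 'krbpasswordexpiration']
+ output = master.run_command(search_cmd).stdout_text.lower()
+
+ # extract krblastpwdchange and krbpasswordexpiration
+ krbchg_pattern = 'krblastpwdchange: (.+)\n'
+ krbexp_pattern = 'krbpasswordexpiration: (.+)\n'
+ krblastpwdchange = re.findall(krbchg_pattern, output)[0]
+ krbexp = re.findall(krbexp_pattern, output)[0]
+
+ # sleep 1 sec (krblastpwdchange and krbpasswordexpiration have at most
+ # a 1s precision)
+ time.sleep(1)
+ # perform ldapmodify on userpassword as dir mgr
+ mod = NamedTemporaryFile()
+ ldif_file = mod.name
+ entry_ldif = textwrap.dedent("""
+ dn: uid={user},cn=users,cn=accounts,{base_dn}
+ changetype: modify
+ replace: userpassword
+ userpassword: {new_passwd}
+ """).format(
+ user=user,
+ base_dn=base_dn,
+ new_passwd=new_passwd)
+ master.put_file_contents(ldif_file, entry_ldif)
+ arg = ['ldapmodify',
+ '-h', master.hostname,
+ '-p', '389', '-D',
+ str(master.config.dirman_dn), # pylint: disable=no-member
+ '-w', master.config.dirman_password,
+ '-f', ldif_file]
+ master.run_command(arg)
+
+ # Test new password with kinit
+ master.run_command(['kinit', user], stdin_text=new_passwd)
+ # Retrieve krblastpwdchange and krbpasswordexpiration
+ output = master.run_command(search_cmd).stdout_text.lower()
+ # extract krblastpwdchange and krbpasswordexpiration
+ newkrblastpwdchange = re.findall(krbchg_pattern, output)[0]
+ newkrbexp = re.findall(krbexp_pattern, output)[0]
+
+ # both should have changed
+ assert newkrblastpwdchange != krblastpwdchange
+ assert newkrbexp != krbexp
+
+ # Now test passwd modif with ldappasswd
+ time.sleep(1)
+ master.run_command([
+ paths.LDAPPASSWD,
+ '-D', str(master.config.dirman_dn), # pylint: disable=no-member
+ '-w', master.config.dirman_password,
+ '-a', new_passwd,
+ '-s', new_passwd2,
+ '-x', '-ZZ',
+ '-H', 'ldap://{hostname}'.format(hostname=master.hostname),
+ 'uid={user},cn=users,cn=accounts,{base_dn}'.format(
+ user=user, base_dn=base_dn)]
+ )
+ # Test new password with kinit
+ master.run_command(['kinit', user], stdin_text=new_passwd2)
+ # Retrieve krblastpwdchange and krbpasswordexpiration
+ output = master.run_command(search_cmd).stdout_text.lower()
+ # extract krblastpwdchange and krbpasswordexpiration
+ newkrblastpwdchange2 = re.findall(krbchg_pattern, output)[0]
+ newkrbexp2 = re.findall(krbexp_pattern, output)[0]
+
+ # both should have changed
+ assert newkrblastpwdchange != newkrblastpwdchange2
+ assert newkrbexp != newkrbexp2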
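Review bot: The stdin text built for the user's first `kinit` contains stray `%` characters: `"{old}\n%{new}\n%{new}\n".format(...)` submits `%Secret123` as the new password instead of the value in `original_passwd`, presumably a leftover from %-style formatting. The format string should be `"{old}\n{new}\n{new}\n"`; the test passes as written only because the later `ldapmodify` and `ldappasswd` steps set the password as Directory Manager and never rely on that value. Separately, the LDIF with the new `userpassword` is written to the master at a path borrowed from a local `NamedTemporaryFile()` and is not removed from the master afterwards, as far as this hunk shows. The `ldapsearch` and `ldapmodify` calls also bind as Directory Manager with `-w` but without the `-ZZ` that the `ldappasswd` call uses, so the three binds would be more consistent with StartTLS on each and the remote LDIF deleted once `ldapmodify` returns.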
--
2.17.1