Blame SOURCES/0053-Tests-add-integration-test-for-password-changes-by-d.patch

From 97e0d55745a125a933a8d4f9dddd31a752977948 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Mon, 6 Aug 2018 18:25:16 +0200
Subject: [PATCH] Tests: add integration test for password changes by dir mgr
Add a test for issue 7601:
- add a user, perform kinit user to modify the password, read krblastpwdchange
and krbpasswordexpiration.
- perform a ldapmodify on the password as dir mgr
- make sure that krblastpwdchange and krbpasswordexpiration have been modified
- perform the same check with ldappasswd
Related to:
https://pagure.io/freeipa/issue/7601
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
---
 ipatests/test_integration/test_commands.py | 127 +++++++++++++++++++++
 1 file changed, 127 insertions(+)
 create mode 100644 ipatests/test_integration/test_commands.py
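diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
new file mode 100644
index 0000000000000000000000000000000000000000..e277e4a2fe4089392b08719d46b011e6444e8094
--- /dev/null
+++ b/ipatests/test_integration/test_commands.py
@@ -0,0 +1,127 @@
+#
+# Copyright (C) 2018  FreeIPA Contributors see COPYING for license
+#
+"""Misc test for 'ipa' CLI regressions
+"""
+from __future__ import print_function
+
+import re
+from tempfile import NamedTemporaryFile
+import textwrap
+import time
+
+from ipaplatform.paths import paths
+
+from ipatests.test_integration.base import IntegrationTest
+from ipatests.pytest_plugins.integration import tasks
+
+
+class TestIPACommand(IntegrationTest):
+    """
+    A lot of commands can be executed against a single IPA installation
+    so provide a generic class to execute one-off commands that need to be
+    tested without having to fire up a full server to run one command.
+    """
+    topology = 'line'
+
+    def test_ldapmodify_password_issue7601(self):
+        user = 'ipauser'
+        original_passwd = 'Secret123'
+        new_passwd = 'userPasswd123'
+        new_passwd2 = 'mynewPwd123'
+        master = self.master
+        base_dn = str(master.domain.basedn)  # pylint: disable=no-member
+
+        # Create a user with a password
+        tasks.kinit_admin(master)
+        add_password_stdin_text = "{pwd}\n{pwd}".format(pwd=original_passwd)
+        master.run_command(['ipa', 'user-add', user,
+                            '--first', user,
+                            '--last', user,
+                            '--password'],
+                           stdin_text=add_password_stdin_text)
+        # kinit as that user in order to modify the pwd
+        user_kinit_stdin_text = "{old}\n%{new}\n%{new}\n".format(
+            old=original_passwd,
+            new=original_passwd)
+        master.run_command(['kinit', user], stdin_text=user_kinit_stdin_text)
+        # Retrieve krblastpwdchange and krbpasswordexpiration
+        search_cmd = [
+            'ldapsearch', '-x',
+            '-D', 'cn=directory manager',
+            '-w', master.config.dirman_password,
+            '-s', 'base',
+            '-b', 'uid={user},cn=users,cn=accounts,{base_dn}'.format(
+                user=user, base_dn=base_dn),
+            '-o', 'ldif-wrap=no',
+            '-LLL',
+            'krblastpwdchange',
+            'krbpasswordexpiration']
+        output = master.run_command(search_cmd).stdout_text.lower()
+
+        # extract krblastpwdchange and krbpasswordexpiration
+        krbchg_pattern = 'krblastpwdchange: (.+)\n'
+        krbexp_pattern = 'krbpasswordexpiration: (.+)\n'
+        krblastpwdchange = re.findall(krbchg_pattern, output)[0]
+        krbexp = re.findall(krbexp_pattern, output)[0]
+
+        # sleep 1 sec (krblastpwdchange and krbpasswordexpiration have at most
+        # a 1s precision)
+        time.sleep(1)
+        # perform ldapmodify on userpassword as dir mgr
+        mod = NamedTemporaryFile()
+        ldif_file = mod.name
+        entry_ldif = textwrap.dedent("""
+            dn: uid={user},cn=users,cn=accounts,{base_dn}
+            changetype: modify
+            replace: userpassword
+            userpassword: {new_passwd}
+        """).format(
+            user=user,
+            base_dn=base_dn,
+            new_passwd=new_passwd)
+        master.put_file_contents(ldif_file, entry_ldif)
+        arg = ['ldapmodify',
+               '-h', master.hostname,
+               '-p', '389', '-D',
+               str(master.config.dirman_dn),   # pylint: disable=no-member
+               '-w', master.config.dirman_password,
+               '-f', ldif_file]
+        master.run_command(arg)
+
+        # Test new password with kinit
+        master.run_command(['kinit', user], stdin_text=new_passwd)
+        # Retrieve krblastpwdchange and krbpasswordexpiration
+        output = master.run_command(search_cmd).stdout_text.lower()
+        # extract krblastpwdchange and krbpasswordexpiration
+        newkrblastpwdchange = re.findall(krbchg_pattern, output)[0]
+        newkrbexp = re.findall(krbexp_pattern, output)[0]
+
+        # both should have changed
+        assert newkrblastpwdchange != krblastpwdchange
+        assert newkrbexp != krbexp
+
+        # Now test passwd modif with ldappasswd
+        time.sleep(1)
+        master.run_command([
+            paths.LDAPPASSWD,
+            '-D', str(master.config.dirman_dn),   # pylint: disable=no-member
+            '-w', master.config.dirman_password,
+            '-a', new_passwd,
+            '-s', new_passwd2,
+            '-x', '-ZZ',
+            '-H', 'ldap://{hostname}'.format(hostname=master.hostname),
+            'uid={user},cn=users,cn=accounts,{base_dn}'.format(
+                user=user, base_dn=base_dn)]
+        )
+        # Test new password with kinit
+        master.run_command(['kinit', user], stdin_text=new_passwd2)
+        # Retrieve krblastpwdchange and krbpasswordexpiration
+        output = master.run_command(search_cmd).stdout_text.lower()
+        # extract krblastpwdchange and krbpasswordexpiration
+        newkrblastpwdchange2 = re.findall(krbchg_pattern, output)[0]
+        newkrbexp2 = re.findall(krbexp_pattern, output)[0]
+
+        # both should have changed
+        assert newkrblastpwdchange != newkrblastpwdchange2
+        assert newkrbexp != newkrbexp2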
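Review bot: The LDIF that carries the new password in clear text is written on the master at a path whose name comes from a `NamedTemporaryFile()` created by the process running the test (`ldif_file = mod.name`), so nothing reserves that name on the master and, as far as this hunk shows, the file is never removed there. Creating the path on the target host and deleting it after `ldapmodify` would avoid both, e.g. `ldif_file = master.run_command(['mktemp']).stdout_text.strip()` and later `master.run_command(['rm', '-f', ldif_file])`; whether `put_file_contents` keeps a restrictive file mode is not visible here and should be checked. Separately, `user_kinit_stdin_text` mixes `%` with `str.format`, so the text sent to `kinit` has a literal `%` before each copy of the new password; if that is not intended it should read `"{old}\n{new}\n{new}\n"`, or pass a distinct `new=` value if the password has to differ from the old one. The Directory Manager password is also given with `-w` on the command line of `ldapsearch`, `ldapmodify` and `ldappasswd`, where it is visible in the process list on the master; a `-y` password file would keep it out of argv.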
-- 
2.17.1