From 538a9992fd1394ed24cbcdf2a2a27694ac28da55 Mon Sep 17 00:00:00 2001

From: Antonio Torres <antorres@redhat.com>

Date: Mon, 8 Mar 2021 18:20:35 +0100

Subject: [PATCH] ipatests: ensure auth indicators can't be added to internal

 IPA services

Authentication indicators should not be added to internal IPA services,

since this can lead to a broken IPA setup. In case a client with

an auth indicator set in its host principal, promoting it to a replica

should fail.

Related: https://pagure.io/freeipa/issue/8206

Signed-off-by: Antonio Torres <antorres@redhat.com>

---

 .../test_replica_promotion.py                 | 38 +++++++++++++++++++

 ipatests/test_xmlrpc/test_host_plugin.py      | 10 +++++

 ipatests/test_xmlrpc/test_service_plugin.py   | 21 ++++++++++

 3 files changed, 69 insertions(+)

diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py

index 0a137dbdcb068811899e7ff7914730f14ea651c1..b9c56f775d08885cb6b1226eeb7bcf105f87cdc1 100644

--- a/ipatests/test_integration/test_replica_promotion.py

+++ b/ipatests/test_integration/test_replica_promotion.py

@@ -101,6 +101,44 @@ class TestReplicaPromotionLevel1(ReplicaPromotionBase):

         assert result.returncode == 1

         assert expected_err in result.stderr_text

+    @replicas_cleanup

+    def test_install_with_host_auth_ind_set(self):

+        """ A client shouldn't be able to be promoted if it has

+        any auth indicator set in the host principal.

+        https://pagure.io/freeipa/issue/8206

+        """

+

+        client = self.replicas[0]

+        # Configure firewall first

+        Firewall(client).enable_services(["freeipa-ldap",

+                                          "freeipa-ldaps"])

+

+        client.run_command(['ipa-client-install', '-U',

+                            '--domain', self.master.domain.name,

+                            '--realm', self.master.domain.realm,

+                            '-p', 'admin',

+                            '-w', self.master.config.admin_password,

+                            '--server', self.master.hostname,

+                            '--force-join'])

+

+        tasks.kinit_admin(client)

+

+        client.run_command(['ipa', 'host-mod', '--auth-ind=otp',

+                            client.hostname])

+

+        res = client.run_command(['ipa-replica-install', '-U', '-w',

+                                  self.master.config.dirman_password],

+                                 raiseonerr=False)

+

+        client.run_command(['ipa', 'host-mod', '--auth-ind=',

+                            client.hostname])

+

+        expected_err = ("Client cannot be promoted to a replica if the host "

+                        "principal has an authentication indicator set.")

+        assert res.returncode == 1

+        assert expected_err in res.stderr_text

+

+

     @replicas_cleanup

     def test_one_command_installation(self):

         """

diff --git a/ipatests/test_xmlrpc/test_host_plugin.py b/ipatests/test_xmlrpc/test_host_plugin.py

index c66bbc865cd5e1ee5ee5e1874c177a3ea9b08c93..9cfde3565d48e103a0549e2bfb7579e07668f41b 100644

--- a/ipatests/test_xmlrpc/test_host_plugin.py

+++ b/ipatests/test_xmlrpc/test_host_plugin.py

@@ -605,6 +605,16 @@ class TestProtectedMaster(XMLRPC_test):

                 error=u'An IPA master host cannot be deleted or disabled')):

             command()

+    def test_try_add_auth_ind_master(self, this_host):

+        command = this_host.make_update_command({

+            u'krbprincipalauthind': u'radius'})

+        with raises_exact(errors.ValidationError(

+            name='krbprincipalauthind',

+            error=u'authentication indicators not allowed '

+                'in service "host"'

+        )):

+            command()

+

 @pytest.mark.tier1

 class TestValidation(XMLRPC_test):

diff --git a/ipatests/test_xmlrpc/test_service_plugin.py b/ipatests/test_xmlrpc/test_service_plugin.py

index 4c845938c33e2eca4235d53c4f4644c2fcdeda9c..ed634a0455a41dce367ed638634d1fc6d9e47553 100644

--- a/ipatests/test_xmlrpc/test_service_plugin.py

+++ b/ipatests/test_xmlrpc/test_service_plugin.py

@@ -25,6 +25,7 @@ from ipalib import api, errors

 from ipatests.test_xmlrpc.xmlrpc_test import Declarative, fuzzy_uuid, fuzzy_hash

 from ipatests.test_xmlrpc.xmlrpc_test import fuzzy_digits, fuzzy_date, fuzzy_issuer

 from ipatests.test_xmlrpc.xmlrpc_test import fuzzy_hex, XMLRPC_test

+from ipatests.test_xmlrpc.xmlrpc_test import raises_exact

 from ipatests.test_xmlrpc import objectclasses

 from ipatests.test_xmlrpc.testcert import get_testcert, subject_base

 from ipatests.test_xmlrpc.test_user_plugin import get_user_result, get_group_dn

@@ -1552,6 +1553,15 @@ def indicators_host(request):

     return tracker.make_fixture(request)

+@pytest.fixture(scope='function')

+def this_host(request):

+    """Fixture for the current master"""

+    tracker = HostTracker(name=api.env.host.partition('.')[0],

+                          fqdn=api.env.host)

+    tracker.exists = True

+    return tracker

+

+

 @pytest.fixture(scope='function')

 def indicators_service(request):

     tracker = ServiceTracker(

@@ -1587,6 +1597,17 @@ class TestAuthenticationIndicators(XMLRPC_test):

             expected_updates={u'krbprincipalauthind': [u'radius']}

         )

+    def test_update_indicator_internal_service(self, this_host):

+        command = this_host.make_command('service_mod',

+                                         'ldap/' + this_host.fqdn,

+                                         **dict(krbprincipalauthind='otp'))

+        with raises_exact(errors.ValidationError(

+            name='krbprincipalauthind',

+            error=u'authentication indicators not allowed '

+                 'in service "ldap"'

+        )):

+            command()

+

 @pytest.fixture(scope='function')

 def managing_host(request):

-- 

2.26.3