From 80ccac79b9d123e158a5ba60f9853611d0854188 Mon Sep 17 00:00:00 2001

From: Sergey Orlov <sorlov@redhat.com>

Date: Wed, 17 Feb 2021 16:48:33 +0100

Subject: [PATCH] ipatests: test Samba mount with NTLM authentication

Related to https://pagure.io/freeipa/issue/8636

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

---

 ipatests/pytest_ipa/integration/__init__.py | 17 ++++++

 ipatests/test_integration/test_smb.py       | 63 +++++++++++++++++++++

 2 files changed, 80 insertions(+)

diff --git a/ipatests/pytest_ipa/integration/__init__.py b/ipatests/pytest_ipa/integration/__init__.py

index 55291ae8b..f62b667bd 100644

--- a/ipatests/pytest_ipa/integration/__init__.py

+++ b/ipatests/pytest_ipa/integration/__init__.py

@@ -28,12 +28,14 @@ import os

 import tempfile

 import shutil

 import re

+import functools

 import pytest

 from pytest_multihost import make_multihost_fixture

 from ipapython import ipautil

 from ipaplatform.paths import paths

+from . import fips

 from .config import Config

 from .env_config import get_global_config

 from . import tasks

@@ -478,3 +480,18 @@ def del_compat_attrs(cls):

         del cls.ad_subdomains

         del cls.ad_treedomains

     del cls.ad_domains

+

+

+def skip_if_fips(reason='Not supported in FIPS mode', host='master'):

+    if callable(reason):

+        raise TypeError('Invalid decorator usage, add "()"')

+

+    def decorator(test_method):

+        @functools.wraps(test_method)

+        def wrapper(instance, *args, **kwargs):

+            if fips.is_fips_enabled(getattr(instance, host)):

+                pytest.skip(reason)

+            else:

+                test_method(instance, *args, **kwargs)

+        return wrapper

+    return decorator

diff --git a/ipatests/test_integration/test_smb.py b/ipatests/test_integration/test_smb.py

index 37725ab15..749a96325 100644

--- a/ipatests/test_integration/test_smb.py

+++ b/ipatests/test_integration/test_smb.py

@@ -19,6 +19,7 @@ from ipatests.test_integration.base import IntegrationTest

 from ipatests.pytest_ipa.integration import tasks

 from ipaplatform.osinfo import osinfo

 from ipaplatform.paths import paths

+from ipatests.pytest_ipa.integration import skip_if_fips

 def wait_smbd_functional(host):

@@ -378,6 +379,68 @@ class TestSMB(IntegrationTest):

         finally:

             self.cleanup_mount(mountpoint)

+    def check_repeated_smb_mount(self, options):

+        mountpoint = '/mnt/smb'

+        unc = '//{}/homes'.format(self.smbserver.hostname)

+        test_file = 'ntlm_test'

+        test_file_server_path = '/home/{}/{}'.format(self.ipa_user1, test_file)

+        test_file_client_path = '{}/{}'.format(mountpoint, test_file)

+

+        self.smbclient.run_command(['mkdir', '-p', mountpoint])

+        self.smbserver.put_file_contents(test_file_server_path, '')

+        try:

+            for i in [1, 2]:

+                res = self.smbclient.run_command([

+                    'mount', '-t', 'cifs', unc, mountpoint, '-o', options],

+                    raiseonerr=False)

+                assert res.returncode == 0, (

+                    'Mount failed at iteration {}. Output: {}'

+                    .format(i, res.stdout_text + res.stderr_text))

+                assert self.smbclient.transport.file_exists(

+                    test_file_client_path)

+                self.smbclient.run_command(['umount', mountpoint])

+        finally:

+            self.cleanup_mount(mountpoint)

+            self.smbserver.run_command(['rm', '-f', test_file_server_path])

+

+    @skip_if_fips()

+    def test_ntlm_authentication_with_auto_domain(self):

+        """Repeatedly try to authenticate with username and password with

+        automatic domain discovery.

+

+        This is a regression test for https://pagure.io/freeipa/issue/8636

+        """

+        tasks.kdestroy_all(self.smbclient)

+

+        mount_options = 'user={user},pass={password},domainauto'.format(

+            user=self.ipa_user1,

+            password=self.ipa_user1_password

+        )

+

+        self.check_repeated_smb_mount(mount_options)

+

+    @skip_if_fips()

+    def test_ntlm_authentication_with_upn_with_lowercase_domain(self):

+        tasks.kdestroy_all(self.smbclient)

+

+        mount_options = 'user={user}@{domain},pass={password}'.format(

+            user=self.ipa_user1,

+            password=self.ipa_user1_password,

+            domain=self.master.domain.name.lower()

+        )

+        self.check_repeated_smb_mount(mount_options)

+

+    @skip_if_fips()

+    def test_ntlm_authentication_with_upn_with_uppercase_domain(self):

+        tasks.kdestroy_all(self.smbclient)

+

+        mount_options = 'user={user}@{domain},pass={password}'.format(

+            user=self.ipa_user1,

+            password=self.ipa_user1_password,

+            domain=self.master.domain.name.upper()

+        )

+        self.check_repeated_smb_mount(mount_options)

+

     def test_uninstall_samba(self):

         self.smbserver.run_command(['ipa-client-samba', '--uninstall', '-U'])

         res = self.smbserver.run_command(

-- 

2.29.2