From 785c496dceb76a8f628249ce598e0540b1dfec6e Mon Sep 17 00:00:00 2001

From: Christian Heimes <cheimes@redhat.com>

Date: Tue, 6 Nov 2018 13:57:14 +0100

Subject: [PATCH] Allow ipaapi user to access SSSD's info pipe

For smart card authentication, ipaapi must be able to access to sss-ifp.

During installation and upgrade, the ipaapi user is now added to

[ifp]allowed_uids.

The commit also fixes two related issues:

* The server upgrade code now enables ifp service in sssd.conf. The

  existing code modified sssd.conf but never wrote the changes to disk.

* sssd_enable_service() no longer fails after it has detected an

  unrecognized service.

Fixes: https://pagure.io/freeipa/issue/7751

Signed-off-by: Christian Heimes <cheimes@redhat.com>

Reviewed-By: Rob Crittenden <rcritten@redhat.com>

---

 ipaclient/install/client.py                | 41 ++++++++++++++++++----

 ipaserver/install/server/upgrade.py        | 27 +++++++++-----

 ipatests/test_integration/test_commands.py | 31 ++++++++++++++++

 3 files changed, 83 insertions(+), 16 deletions(-)

diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py

index 05255fe61b..f9b003ef57 100644

--- a/ipaclient/install/client.py

+++ b/ipaclient/install/client.py

@@ -35,6 +35,7 @@

 # pylint: enable=import-error

 from ipalib import api, errors, x509

+from ipalib.constants import IPAAPI_USER

 from ipalib.install import certmonger, certstore, service, sysrestore

 from ipalib.install import hostname as hostname_

 from ipalib.install.kinit import kinit_keytab, kinit_password

@@ -914,7 +915,7 @@ def configure_sssd_conf(

         domain = sssdconfig.new_domain(cli_domain)

     if options.on_master:

-        sssd_enable_service(sssdconfig, 'ifp')

+        sssd_enable_ifp(sssdconfig)

     if (

         (options.conf_ssh and os.path.isfile(paths.SSH_CONFIG)) or

@@ -1018,21 +1019,47 @@ def configure_sssd_conf(

     return 0

-def sssd_enable_service(sssdconfig, service):

+def sssd_enable_service(sssdconfig, name):

     try:

-        sssdconfig.new_service(service)

+        sssdconfig.new_service(name)

     except SSSDConfig.ServiceAlreadyExists:

         pass

     except SSSDConfig.ServiceNotRecognizedError:

         logger.error(

-            "Unable to activate the %s service in SSSD config.", service)

+            "Unable to activate the '%s' service in SSSD config.", name)

         logger.info(

             "Please make sure you have SSSD built with %s support "

-            "installed.", service)

+            "installed.", name)

         logger.info(

-            "Configure %s support manually in /etc/sssd/sssd.conf.", service)

+            "Configure %s support manually in /etc/sssd/sssd.conf.", name)

+        return None

-    sssdconfig.activate_service(service)

+    sssdconfig.activate_service(name)

+    return sssdconfig.get_service(name)

+

+

+def sssd_enable_ifp(sssdconfig):

+    """Enable and configure libsss_simpleifp plugin

+    """

+    service = sssd_enable_service(sssdconfig, 'ifp')

+    if service is None:

+        # unrecognized service

+        return

+

+    try:

+        uids = service.get_option('allowed_uids')

+    except SSSDConfig.NoOptionError:

+        uids = set()

+    else:

+        uids = {s.strip() for s in uids.split(',') if s.strip()}

+    # SSSD supports numeric and string UIDs

+    # ensure that root is allowed to access IFP, might be 0 or root

+    if uids.isdisjoint({'0', 'root'}):

+        uids.add('root')

+    # allow IPA API to access IFP

+    uids.add(IPAAPI_USER)

+    service.set_option('allowed_uids', ', '.join(sorted(uids)))

+    sssdconfig.save_service(service)

 def change_ssh_config(filename, changes, sections):

diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py

index 96c95b7a07..698afd347e 100644

--- a/ipaserver/install/server/upgrade.py

+++ b/ipaserver/install/server/upgrade.py

@@ -23,7 +23,7 @@

 import ipalib.util

 import ipalib.errors

 from ipaclient.install import timeconf

-from ipaclient.install.client import sssd_enable_service

+from ipaclient.install.client import sssd_enable_ifp

 from ipaplatform import services

 from ipaplatform.tasks import tasks

 from ipapython import ipautil, version

@@ -1408,6 +1408,22 @@ def set_sssd_domain_option(option, value):

     sssdconfig.write(paths.SSSD_CONF)

+def sssd_update():

+    sssdconfig = SSSDConfig.SSSDConfig()

+    sssdconfig.import_config()

+    # upgrade domain

+    domain = sssdconfig.get_domain(str(api.env.domain))

+    domain.set_option('ipa_server_mode', 'True')

+    domain.set_option('ipa_server', api.env.host)

+    sssdconfig.save_domain(domain)

+    # enable and configure IFP plugin

+    sssd_enable_ifp(sssdconfig)

+    # write config and restart service

+    sssdconfig.write(paths.SSSD_CONF)

+    sssd = services.service('sssd', api)

+    sssd.restart()

+

+

 def remove_ds_ra_cert(subject_base):

     logger.info('[Removing RA cert from DS NSS database]')

@@ -2017,15 +2033,8 @@ def upgrade_configuration():

         cainstance.ensure_ipa_authority_entry()

     migrate_to_authselect()

-    set_sssd_domain_option('ipa_server_mode', 'True')

-    set_sssd_domain_option('ipa_server', api.env.host)

-    sssdconfig = SSSDConfig.SSSDConfig()

-    sssdconfig.import_config()

-    sssd_enable_service(sssdconfig, 'ifp')

-

-    sssd = services.service('sssd', api)

-    sssd.restart()

+    sssd_update()

     krb = krbinstance.KrbInstance(fstore)

     krb.fqdn = fqdn

diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py

index 640eacfa06..1aa1bb3313 100644

--- a/ipatests/test_integration/test_commands.py

+++ b/ipatests/test_integration/test_commands.py

@@ -20,6 +20,8 @@

 from cryptography.hazmat.backends import default_backend

 from cryptography import x509

+from ipalib.constants import IPAAPI_USER

+

 from ipaplatform.paths import paths

 from ipatests.test_integration.base import IntegrationTest

@@ -28,6 +30,7 @@

 logger = logging.getLogger(__name__)

+

 class TestIPACommand(IntegrationTest):

     """

     A lot of commands can be executed against a single IPA installation

@@ -429,3 +432,31 @@ def test_certificate_out_write_to_file(self):

             x509.load_pem_x509_certificate(data, backend=default_backend())

             self.master.run_command(['rm', '-f', filename])

+

+    def test_sssd_ifp_access_ipaapi(self):

+        # check that ipaapi is allowed to access sssd-ifp for smartcard auth

+        # https://pagure.io/freeipa/issue/7751

+        username = 'admin'

+        # get UID for user

+        result = self.master.run_command(['ipa', 'user-show', username])

+        mo = re.search(r'UID: (\d+)', result.stdout_text)

+        assert mo is not None, result.stdout_text

+        uid = mo.group(1)

+

+        cmd = [

+            'dbus-send',

+            '--print-reply', '--system',

+            '--dest=org.freedesktop.sssd.infopipe',

+            '/org/freedesktop/sssd/infopipe/Users',

+            'org.freedesktop.sssd.infopipe.Users.FindByName',

+            'string:{}'.format(username)

+        ]

+        # test IFP as root

+        result = self.master.run_command(cmd)

+        assert uid in result.stdout_text

+

+        # test IFP as ipaapi

+        result = self.master.run_command(

+            ['sudo', '-u', IPAAPI_USER, '--'] + cmd

+        )

+        assert uid in result.stdout_text

From eb0136ea3438b6fb1145456478f401b9b7467cba Mon Sep 17 00:00:00 2001

From: Christian Heimes <cheimes@redhat.com>

Date: Fri, 16 Nov 2018 14:11:16 +0100

Subject: [PATCH] Remove dead code

set_sssd_domain_option() is no longer used. Changes are handled by

sssd_update().

See: https://pagure.io/freeipa/issue/7751

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

Reviewed-By: Rob Crittenden <rcritten@redhat.com>

---

 ipaserver/install/server/upgrade.py | 9 ---------

 1 file changed, 9 deletions(-)

diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py

index f1e78beb27..71bdd3670c 100644

--- a/ipaserver/install/server/upgrade.py

+++ b/ipaserver/install/server/upgrade.py

@@ -1399,15 +1399,6 @@ def fix_schema_file_syntax():

     sysupgrade.set_upgrade_state('ds', 'fix_schema_syntax', True)

-def set_sssd_domain_option(option, value):

-    sssdconfig = SSSDConfig.SSSDConfig()

-    sssdconfig.import_config()

-    domain = sssdconfig.get_domain(str(api.env.domain))

-    domain.set_option(option, value)

-    sssdconfig.save_domain(domain)

-    sssdconfig.write(paths.SSSD_CONF)

-

-

 def sssd_update():

     sssdconfig = SSSDConfig.SSSDConfig()

     sssdconfig.import_config()

From 415295a6f68f4c797529e19a3f0cf956619d4bed Mon Sep 17 00:00:00 2001

From: Christian Heimes <cheimes@redhat.com>

Date: Fri, 16 Nov 2018 14:51:23 +0100

Subject: [PATCH] Allow HTTPd user to access SSSD IFP

For smart card and certificate authentication, Apache's

mod_lookup_identity module must be able to acess SSSD IFP. The module

accesses IFP as Apache user, not as ipaapi user.

Apache is not allowed to use IFP by default. The update code uses the

service's ok-to-auth-as-delegate flag to detect smart card / cert auth.

See: https://pagure.io/freeipa/issue/7751

Signed-off-by: Christian Heimes <cheimes@redhat.com>

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

Reviewed-By: Rob Crittenden <rcritten@redhat.com>

---

 ipaclient/install/client.py         | 10 +++++++++-

 ipaserver/install/server/upgrade.py | 11 ++++++++++-

 2 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py

index f9b003ef57..6125588802 100644

--- a/ipaclient/install/client.py

+++ b/ipaclient/install/client.py

@@ -47,6 +47,7 @@

     verify_host_resolvable,

 )

 from ipaplatform import services

+from ipaplatform.constants import constants

 from ipaplatform.paths import paths

 from ipaplatform.tasks import tasks

 from ipapython import certdb, kernel_keyring, ipaldap, ipautil

@@ -1038,8 +1039,13 @@ def sssd_enable_service(sssdconfig, name):

     return sssdconfig.get_service(name)

-def sssd_enable_ifp(sssdconfig):

+def sssd_enable_ifp(sssdconfig, allow_httpd=False):

     """Enable and configure libsss_simpleifp plugin

+

+    Allow the ``ipaapi`` user to access IFP. In case allow_httpd is true,

+    the Apache HTTPd user is also allowed to access IFP. For smart card

+    authentication, mod_lookup_identity must be allowed to access user

+    information.

     """

     service = sssd_enable_service(sssdconfig, 'ifp')

     if service is None:

@@ -1058,6 +1064,8 @@ def sssd_enable_ifp(sssdconfig):

         uids.add('root')

     # allow IPA API to access IFP

     uids.add(IPAAPI_USER)

+    if allow_httpd:

+        uids.add(constants.HTTPD_USER)

     service.set_option('allowed_uids', ', '.join(sorted(uids)))

     sssdconfig.save_service(service)

diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py

index 71bdd3670c..4de7fd974d 100644

--- a/ipaserver/install/server/upgrade.py

+++ b/ipaserver/install/server/upgrade.py

@@ -1407,8 +1407,17 @@ def sssd_update():

     domain.set_option('ipa_server_mode', 'True')

     domain.set_option('ipa_server', api.env.host)

     sssdconfig.save_domain(domain)

+    # check if service has ok_to_auth_as_delegate

+    service = 'HTTP/{}'.format(api.env.host)

+    result = api.Command.service_show(service, all=True)

+    flag = result['result'].get('ipakrboktoauthasdelegate', False)

+    if flag:

+        logger.debug(

+            "%s has ok_to_auth_as_delegate, allow Apache to access IFP",

+            services

+        )

     # enable and configure IFP plugin

-    sssd_enable_ifp(sssdconfig)

+    sssd_enable_ifp(sssdconfig, allow_httpd=flag)

     # write config and restart service

     sssdconfig.write(paths.SSSD_CONF)

     sssd = services.service('sssd', api)

From d7d17ece57ae1322c8368b7853f24d56b1d6a150 Mon Sep 17 00:00:00 2001

From: Christian Heimes <cheimes@redhat.com>

Date: Fri, 16 Nov 2018 14:54:32 +0100

Subject: [PATCH] Smart card auth advise: Allow Apache user

Modify the smard card auth advise script to use sssd_enable_ifp() in

order to allow Apache to access SSSD IFP.

See: https://pagure.io/freeipa/issue/7751

Signed-off-by: Christian Heimes <cheimes@redhat.com>

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

Reviewed-By: Rob Crittenden <rcritten@redhat.com>

---

 ipaserver/advise/plugins/smart_card_auth.py | 21 ++++++++++++++++++++-

 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/ipaserver/advise/plugins/smart_card_auth.py b/ipaserver/advise/plugins/smart_card_auth.py

index 97e23303b0..9a7a315ed5 100644

--- a/ipaserver/advise/plugins/smart_card_auth.py

+++ b/ipaserver/advise/plugins/smart_card_auth.py

@@ -105,6 +105,7 @@ class config_server_for_smart_card_auth(common_smart_card_auth_config):

     ssl_conf = paths.HTTPD_SSL_CONF

     ssl_ocsp_directive = OCSP_DIRECTIVE

     kdc_service_name = services.knownservices.krb5kdc.systemd_name

+    httpd_service_name = services.knownservices.httpd.systemd_name

     def get_info(self):

         self.log.exit_on_nonroot_euid()

@@ -117,6 +118,7 @@ def get_info(self):

         self.record_httpd_ocsp_status()

         self.check_and_enable_pkinit()

         self.enable_ok_to_auth_as_delegate_on_http_principal()

+        self.allow_httpd_ifp()

         self.upload_smartcard_ca_certificates_to_systemwide_db()

         self.install_smart_card_signing_ca_certs()

         self.update_ipa_ca_certificate_store()

@@ -183,7 +185,9 @@ def _format_command(self, fmt_line, directive, filename):

     def restart_httpd(self):

         self.log.comment('finally restart apache')

-        self.log.command('systemctl restart httpd')

+        self.log.command(

+            'systemctl restart {}'.format(self.httpd_service_name)

+        )

     def record_httpd_ocsp_status(self):

         self.log.comment('store the OCSP upgrade state')

@@ -214,6 +218,21 @@ def enable_ok_to_auth_as_delegate_on_http_principal(self):

             ["Failed to set OK_AS_AUTH_AS_DELEGATE flag on HTTP principal"]

         )

+    def allow_httpd_ifp(self):

+        self.log.comment('Allow Apache to access SSSD IFP')

+        self.log.exit_on_failed_command(

+            '{} -c "import SSSDConfig; '

+            'from ipaclient.install.client import sssd_enable_ifp; '

+            'from ipaplatform.paths import paths; '

+            'c = SSSDConfig.SSSDConfig(); '

+            'c.import_config(); '

+            'sssd_enable_ifp(c, allow_httpd=True); '

+            'c.write(paths.SSSD_CONF)"'.format(sys.executable),

+            ['Failed to modify SSSD config']

+        )

+        self.log.comment('Restart sssd')

+        self.log.command('systemctl restart sssd')

+

     def restart_kdc(self):

         self.log.exit_on_failed_command(

             'systemctl restart {}'.format(self.kdc_service_name),

From b56db8daa704782c44683412b85a454654eabc19 Mon Sep 17 00:00:00 2001

From: Christian Heimes <cheimes@redhat.com>

Date: Mon, 19 Nov 2018 14:19:16 +0100

Subject: [PATCH] Log stderr in run_command

pytest_multihost's run_command() does not log stderr when a command

fails. Wrap the function call to log stderr so it's easier to debug

failing tests.

Signed-off-by: Christian Heimes <cheimes@redhat.com>

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

Reviewed-By: Rob Crittenden <rcritten@redhat.com>

---

 ipatests/pytest_ipa/integration/host.py | 19 +++++++++++++++++++

 1 file changed, 19 insertions(+)

diff --git a/ipatests/pytest_ipa/integration/host.py b/ipatests/pytest_ipa/integration/host.py

index 28f6e2cd32..6aed58ae96 100644

--- a/ipatests/pytest_ipa/integration/host.py

+++ b/ipatests/pytest_ipa/integration/host.py

@@ -18,6 +18,7 @@

 # along with this program.  If not, see <http://www.gnu.org/licenses/>.

 """Host class for integration testing"""

+import subprocess

 import pytest_multihost.host

@@ -60,6 +61,24 @@ def to_env(self, **kwargs):

         from ipatests.pytest_ipa.integration.env_config import host_to_env

         return host_to_env(self, **kwargs)

+    def run_command(self, argv, set_env=True, stdin_text=None,

+                    log_stdout=True, raiseonerr=True,

+                    cwd=None, bg=False, encoding='utf-8'):

+        # Wrap run_command to log stderr on raiseonerr=True

+        result = super().run_command(

+            argv, set_env=set_env, stdin_text=stdin_text,

+            log_stdout=log_stdout, raiseonerr=False, cwd=cwd, bg=bg,

+            encoding=encoding

+        )

+        if result.returncode and raiseonerr:

+            result.log.error('stderr: %s', result.stderr_text)

+            raise subprocess.CalledProcessError(

+                result.returncode, argv,

+                result.stdout_text, result.stderr_text

+            )

+        else:

+            return result

+

 class WinHost(pytest_multihost.host.WinHost):

     """

From 97776d2c4eed5de73780476bb11a635a2e47ebc5 Mon Sep 17 00:00:00 2001

From: Christian Heimes <cheimes@redhat.com>

Date: Wed, 21 Nov 2018 10:00:20 +0100

Subject: [PATCH] Test smart card advise scripts

Create and execute the server and client smart card advise scripts.

See: See: https://pagure.io/freeipa/issue/7751

Signed-off-by: Christian Heimes <cheimes@redhat.com>

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

Reviewed-By: Rob Crittenden <rcritten@redhat.com>

---

 ipatests/prci_definitions/gating.yaml    |  2 +-

 ipatests/test_integration/test_advise.py | 99 ++++++++++++++++++------

 2 files changed, 75 insertions(+), 26 deletions(-)

diff --git a/ipatests/prci_definitions/gating.yaml b/ipatests/prci_definitions/gating.yaml

index 7a9b612dea..13f8851d02 100644

--- a/ipatests/prci_definitions/gating.yaml

+++ b/ipatests/prci_definitions/gating.yaml

@@ -157,7 +157,7 @@ jobs:

         test_suite: test_integration/test_advise.py

         template: *ci-master-f29

         timeout: 3600

-        topology: *master_1repl

+        topology: *master_1repl_1client

   fedora-29/test_testconfig:

     requires: [fedora-29/build]

diff --git a/ipatests/test_integration/test_advise.py b/ipatests/test_integration/test_advise.py

index 3b821c8797..b548614922 100644

--- a/ipatests/test_integration/test_advise.py

+++ b/ipatests/test_integration/test_advise.py

@@ -21,11 +21,17 @@

 # pylint: disable=no-member

 import re

+

+from ipalib.constants import IPAAPI_USER

+from ipaplatform.paths import paths

+from ipaplatform.constants import constants

+

+from ipatests.create_external_ca import ExternalCA

 from ipatests.pytest_ipa.integration import tasks

 from ipatests.test_integration.base import IntegrationTest

-def run_advice(master, advice_id, advice_regex, raiseerr):

+def run_advice(master, advice_id, advice_regex, raiseerr=True):

     # Obtain the advice from the server

     tasks.kinit_admin(master)

     result = master.run_command(['ipa-advise', advice_id],

@@ -43,28 +49,38 @@ class TestAdvice(IntegrationTest):

     """

     Tests ipa-advise output.

     """

-    advice_id = None

-    raiseerr = None

-    advice_regex = ''

     topology = 'line'

+    num_replicas = 0

+    num_clients = 1

+

+    def execute_advise(self, host, advice_id, *args):

+        # ipa-advise script is only available on a server

+        tasks.kinit_admin(self.master)

+        advice = self.master.run_command(['ipa-advise', advice_id])

+        # execute script on host (client or master)

+        if host is not self.master:

+            tasks.kinit_admin(host)

+        filename = tasks.upload_temp_contents(host, advice.stdout_text)

+        cmd = ['sh', filename]

+        cmd.extend(args)

+        try:

+            result = host.run_command(cmd)

+        finally:

+            host.run_command(['rm', '-f', filename])

+        return advice, result

     def test_invalid_advice(self):

         advice_id = r'invalid-advise-param'

         advice_regex = r"invalid[\s]+\'advice\'.*"

-        raiseerr = False

-

-        run_advice(self.master, advice_id, advice_regex, raiseerr)

-

+        run_advice(self.master, advice_id, advice_regex, raiseerr=False)

     def test_advice_FreeBSDNSSPAM(self):

         advice_id = 'config-freebsd-nss-pam-ldapd'

         advice_regex = r"\#\!\/bin\/sh.*" \

                        r"pkg_add[\s]+\-r[\s]+nss\-pam\-ldapd[\s]+curl.*" \

                        r"\/usr\/local\/etc\/rc\.d\/nslcd[\s]+restart"

-        raiseerr = True

-

-        run_advice(self.master, advice_id, advice_regex, raiseerr)

+        run_advice(self.master, advice_id, advice_regex)

     def test_advice_GenericNSSPAM(self):

         advice_id = 'config-generic-linux-nss-pam-ldapd'

@@ -75,20 +91,16 @@ def test_advice_GenericNSSPAM(self):

             r"service[\s]+nscd[\s]+stop[\s]+\&\&[\s]+service[\s]+"

             r"nslcd[\s]+restart"

         )

-        raiseerr = True

-

-        run_advice(self.master, advice_id, advice_regex, raiseerr)

+        run_advice(self.master, advice_id, advice_regex)

     def test_advice_GenericSSSDBefore19(self):

         advice_id = r'config-generic-linux-sssd-before-1-9'

         advice_regex = r"\#\!\/bin\/sh.*" \

                        r"apt\-get[\s]+\-y[\s]+install sssd curl openssl.*" \

                        r"service[\s]+sssd[\s]+start"

-        raiseerr = True

-

-        run_advice(self.master, advice_id, advice_regex, raiseerr)

+        run_advice(self.master, advice_id, advice_regex)

     def test_advice_RedHatNSS(self):

         advice_id = 'config-redhat-nss-ldap'

@@ -100,10 +112,8 @@ def test_advice_RedHatNSS(self):

             r"[\s]+\-\-enableldapauth[\s]+"

             r"\-\-ldapserver=.*[\s]+\-\-ldapbasedn=.*"

         )

-        raiseerr = True

-

-        run_advice(self.master, advice_id, advice_regex, raiseerr)

+        run_advice(self.master, advice_id, advice_regex)

     def test_advice_RedHatNSSPAM(self):

         advice_id = 'config-redhat-nss-pam-ldapd'

@@ -113,10 +123,8 @@ def test_advice_RedHatNSSPAM(self):

                        r"authconfig[\s]+\-\-updateall[\s]+\-\-enableldap"\

                        r"[\s]+\-\-enableldaptls[\s]+\-\-enableldapauth[\s]+" \

                        r"\-\-ldapserver=.*[\s]+\-\-ldapbasedn=.*"

-        raiseerr = True

-

-        run_advice(self.master, advice_id, advice_regex, raiseerr)

+        run_advice(self.master, advice_id, advice_regex)

     def test_advice_RedHatSSSDBefore19(self):

         advice_id = 'config-redhat-sssd-before-1-9'

@@ -125,6 +133,47 @@ def test_advice_RedHatSSSDBefore19(self):

             r"yum[\s]+install[\s]+\-y[\s]+sssd[\s]+authconfig[\s]+"

             r"curl[\s]+openssl.*service[\s]+sssd[\s]+start"

         )

-        raiseerr = True

-        run_advice(self.master, advice_id, advice_regex, raiseerr)

+        run_advice(self.master, advice_id, advice_regex)

+

+    # trivial checks

+    def test_advice_enable_admins_sudo(self):

+        advice_id = 'enable_admins_sudo'

+        advice_regex = r"\#\!\/bin\/sh.*"

+        run_advice(self.master, advice_id, advice_regex)

+

+    def test_advice_config_server_for_smart_card_auth(self):

+        advice_id = 'config_server_for_smart_card_auth'

+        advice_regex = r"\#\!\/bin\/sh.*"

+        run_advice(self.master, advice_id, advice_regex)

+

+        ca_pem = ExternalCA().create_ca()

+        ca_file = tasks.upload_temp_contents(self.master, ca_pem)

+        try:

+            self.execute_advise(self.master, advice_id, ca_file)

+        except Exception:

+            # debug: sometimes ipa-certupdate times out in

+            # "Resubmitting certmonger request"

+            self.master.run_command(['getcert', 'list'])

+            raise

+        finally:

+            self.master.run_command(['rm', '-f', ca_file])

+        sssd_conf = self.master.get_file_contents(

+            paths.SSSD_CONF, encoding='utf-8'

+        )

+        assert constants.HTTPD_USER in sssd_conf

+        assert IPAAPI_USER in sssd_conf

+

+    def test_advice_config_client_for_smart_card_auth(self):

+        advice_id = 'config_client_for_smart_card_auth'

+        advice_regex = r"\#\!\/bin\/sh.*"

+        run_advice(self.master, advice_id, advice_regex)

+

+        client = self.clients[0]

+

+        ca_pem = ExternalCA().create_ca()

+        ca_file = tasks.upload_temp_contents(client, ca_pem)

+        try:

+            self.execute_advise(client, advice_id, ca_file)

+        finally:

+            client.run_command(['rm', '-f', ca_file])

From 6ed90a2ac08c070e8e5c47a1eb3c52d7d30cabb8 Mon Sep 17 00:00:00 2001

From: Christian Heimes <cheimes@redhat.com>

Date: Wed, 21 Nov 2018 10:44:55 +0100

Subject: [PATCH] Add install/remove package helpers to advise

The smart card advise scripts assume that yum is installed. However

Fedora has dnf and the yum wrapper is not installed by default.

Installation and removal of packages is now provided by two helper

methods that detect the package manager.

Signed-off-by: Christian Heimes <cheimes@redhat.com>

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

Reviewed-By: Rob Crittenden <rcritten@redhat.com>

---

 ipaserver/advise/base.py                    | 36 +++++++++++++++++++++

 ipaserver/advise/plugins/smart_card_auth.py | 24 +++++++-------

 2 files changed, 47 insertions(+), 13 deletions(-)

diff --git a/ipaserver/advise/base.py b/ipaserver/advise/base.py

index 07b1431e84..ec65113e34 100644

--- a/ipaserver/advise/base.py

+++ b/ipaserver/advise/base.py

@@ -227,6 +227,7 @@ def __init__(self):

         self.content = []

         self.prefix = '# '

         self.options = None

+        self.pkgmgr_detected = False

         self._indentation_tracker = _IndentationTracker(

             spaces_per_indent=DEFAULT_INDENTATION_INCREMENT)

@@ -312,6 +313,41 @@ def exit_on_predicate(self, predicate, error_message_lines):

             self.command('exit 1')

+    def detect_pkgmgr(self):

+        self.commands_on_predicate(

+            'which yum >/dev/null',

+            commands_to_run_when_true=['PKGMGR=yum'],

+            commands_to_run_when_false=['PKGMGR=dnf']

+        )

+        self.pkgmgr_detected = True

+

+    def install_packages(self, names, error_message_lines):

+        assert isinstance(names, list)

+        self.detect_pkgmgr()

+        self.command('rpm -qi {} > /dev/null'.format(' '.join(names)))

+        self.commands_on_predicate(

+            '[ "$?" -ne "0" ]',

+            ['$PKGMGR install -y {}'.format(' '.join(names))]

+        )

+        self.exit_on_predicate(

+            '[ "$?" -ne "0" ]',

+            error_message_lines

+        )

+

+    def remove_package(self, name, error_message_lines):

+        # remove only supports one package name

+        assert ' ' not in name

+        self.detect_pkgmgr()

+        self.command('rpm -qi {} > /dev/null'.format(name))

+        self.commands_on_predicate(

+            '[ "$?" -eq "0" ]',

+            ['$PKGMGR remove -y {} || exit 1'.format(name)]

+        )

+        self.exit_on_predicate(

+            '[ "$?" -ne "0" ]',

+            error_message_lines

+        )

+

     @contextmanager

     def unbranched_if(self, predicate):

         with self._compound_statement(UnbranchedIfStatement, predicate):

diff --git a/ipaserver/advise/plugins/smart_card_auth.py b/ipaserver/advise/plugins/smart_card_auth.py

index 9a7a315ed5..411124f935 100644

--- a/ipaserver/advise/plugins/smart_card_auth.py

+++ b/ipaserver/advise/plugins/smart_card_auth.py

@@ -135,9 +135,10 @@ def resolve_ipaca_records(self):