|
|
bb0ded |
From 294ae35a61e6ca8816b261c57508e4be21221864 Mon Sep 17 00:00:00 2001
|
|
|
bb0ded |
From: Julien Rische <jrische@redhat.com>
|
|
|
bb0ded |
Date: Tue, 1 Feb 2022 19:38:29 +0100
|
|
|
bb0ded |
Subject: [PATCH] ipatests: add case for hardened-only ticket policy
|
|
|
bb0ded |
|
|
|
bb0ded |
Signed-off-by: Julien Rische <jrische@redhat.com>
|
|
|
bb0ded |
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
bb0ded |
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
|
|
|
bb0ded |
---
|
|
|
bb0ded |
ipatests/test_integration/test_krbtpolicy.py | 30 ++++++++++++++++++--
|
|
|
bb0ded |
1 file changed, 28 insertions(+), 2 deletions(-)
|
|
|
bb0ded |
|
|
|
bb0ded |
diff --git a/ipatests/test_integration/test_krbtpolicy.py b/ipatests/test_integration/test_krbtpolicy.py
|
|
|
bb0ded |
index 63e75ae67f493352b1d3a611e7b079d914a7b253..9489fbc97b7836aecf491b57627f254d4849eb56 100644
|
|
|
bb0ded |
--- a/ipatests/test_integration/test_krbtpolicy.py
|
|
|
bb0ded |
+++ b/ipatests/test_integration/test_krbtpolicy.py
|
|
|
bb0ded |
@@ -103,8 +103,8 @@ class TestPWPolicy(IntegrationTest):
|
|
|
bb0ded |
result = master.run_command('klist | grep krbtgt')
|
|
|
bb0ded |
assert maxlife_within_policy(result.stdout_text, MAXLIFE) is True
|
|
|
bb0ded |
|
|
|
bb0ded |
- def test_krbtpolicy_hardended(self):
|
|
|
bb0ded |
- """Test a hardened kerberos ticket policy with 10 min tickets"""
|
|
|
bb0ded |
+ def test_krbtpolicy_password_and_hardended(self):
|
|
|
bb0ded |
+ """Test a pwd and hardened kerberos ticket policy with 10min tickets"""
|
|
|
bb0ded |
master = self.master
|
|
|
bb0ded |
master.run_command(['ipa', 'user-mod', USER1,
|
|
|
bb0ded |
'--user-auth-type', 'password',
|
|
|
bb0ded |
@@ -131,6 +131,32 @@ class TestPWPolicy(IntegrationTest):
|
|
|
bb0ded |
result = master.run_command('klist | grep krbtgt')
|
|
|
bb0ded |
assert maxlife_within_policy(result.stdout_text, MAXLIFE) is True
|
|
|
bb0ded |
|
|
|
bb0ded |
+ def test_krbtpolicy_hardended(self):
|
|
|
bb0ded |
+ """Test a hardened kerberos ticket policy with 30min tickets"""
|
|
|
bb0ded |
+ master = self.master
|
|
|
bb0ded |
+ master.run_command(['ipa', 'user-mod', USER1,
|
|
|
bb0ded |
+ '--user-auth-type', 'hardened'])
|
|
|
bb0ded |
+ master.run_command(['ipa', 'config-mod',
|
|
|
bb0ded |
+ '--user-auth-type', 'hardened'])
|
|
|
bb0ded |
+ master.run_command(['ipa', 'krbtpolicy-mod', USER1,
|
|
|
bb0ded |
+ '--hardened-maxlife', '1800'])
|
|
|
bb0ded |
+
|
|
|
bb0ded |
+ tasks.kdestroy_all(master)
|
|
|
bb0ded |
+
|
|
|
bb0ded |
+ master.run_command(['kinit', USER1],
|
|
|
bb0ded |
+ stdin_text=PASSWORD + '\n')
|
|
|
bb0ded |
+ result = master.run_command('klist | grep krbtgt')
|
|
|
bb0ded |
+ assert maxlife_within_policy(result.stdout_text, 1800,
|
|
|
bb0ded |
+ slush=1800) is True
|
|
|
bb0ded |
+
|
|
|
bb0ded |
+ tasks.kdestroy_all(master)
|
|
|
bb0ded |
+
|
|
|
bb0ded |
+ # Verify that the short policy only applies to USER1
|
|
|
bb0ded |
+ master.run_command(['kinit', USER2],
|
|
|
bb0ded |
+ stdin_text=PASSWORD + '\n')
|
|
|
bb0ded |
+ result = master.run_command('klist | grep krbtgt')
|
|
|
bb0ded |
+ assert maxlife_within_policy(result.stdout_text, MAXLIFE) is True
|
|
|
bb0ded |
+
|
|
|
bb0ded |
def test_krbtpolicy_password(self):
|
|
|
bb0ded |
"""Test the kerberos ticket policy which issues 20 min tickets"""
|
|
|
bb0ded |
master = self.master
|
|
|
bb0ded |
--
|
|
|
bb0ded |
2.34.1
|
|
|
bb0ded |
|