|
|
6d47df |
From 858859187a1353cbaa893642cc7b27f9f644b18b Mon Sep 17 00:00:00 2001
|
|
|
6d47df |
From: François Cami <fcami@redhat.com>
|
|
|
6d47df |
Date: Nov 23 2018 09:54:46 +0000
|
|
|
6d47df |
Subject: Add a shared-vault-retrieve test
|
|
|
6d47df |
|
|
|
6d47df |
|
|
|
6d47df |
Add a shared-vault-retrieve test when:
|
|
|
6d47df |
* master has KRA installed
|
|
|
6d47df |
* replica has no KRA
|
|
|
6d47df |
This currently fails because of issue#7691
|
|
|
6d47df |
|
|
|
6d47df |
Related-to: https://pagure.io/freeipa/issue/7691
|
|
|
6d47df |
Signed-off-by: François Cami <fcami@redhat.com>
|
|
|
6d47df |
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
|
|
6d47df |
|
|
|
6d47df |
---
|
|
|
6d47df |
|
|
|
6d47df |
diff --git a/ipatests/test_integration/test_vault.py b/ipatests/test_integration/test_vault.py
|
|
|
6d47df |
index ea2591b..e5b3ad1 100644
|
|
|
6d47df |
--- a/ipatests/test_integration/test_vault.py
|
|
|
6d47df |
+++ b/ipatests/test_integration/test_vault.py
|
|
|
6d47df |
@@ -20,14 +20,17 @@ class TestInstallKRA(IntegrationTest):
|
|
|
6d47df |
|
|
|
6d47df |
vault_password = "password"
|
|
|
6d47df |
vault_data = "SSBsb3ZlIENJIHRlc3RzCg=="
|
|
|
6d47df |
+ vault_user = "vault_user"
|
|
|
6d47df |
+ vault_user_password = "vault_user_password"
|
|
|
6d47df |
vault_name_master = "ci_test_vault_master"
|
|
|
6d47df |
vault_name_master2 = "ci_test_vault_master2"
|
|
|
6d47df |
vault_name_master3 = "ci_test_vault_master3"
|
|
|
6d47df |
vault_name_replica_without_KRA = "ci_test_vault_replica_without_kra"
|
|
|
6d47df |
+ shared_vault_name_replica_without_KRA = ("ci_test_shared"
|
|
|
6d47df |
+ "_vault_replica_without_kra")
|
|
|
6d47df |
vault_name_replica_with_KRA = "ci_test_vault_replica_with_kra"
|
|
|
6d47df |
vault_name_replica_KRA_uninstalled = "ci_test_vault_replica_KRA_uninstalled"
|
|
|
6d47df |
|
|
|
6d47df |
-
|
|
|
6d47df |
@classmethod
|
|
|
6d47df |
def install(cls, mh):
|
|
|
6d47df |
tasks.install_master(cls.master, setup_kra=True)
|
|
|
6d47df |
@@ -89,6 +92,66 @@ class TestInstallKRA(IntegrationTest):
|
|
|
6d47df |
|
|
|
6d47df |
self._retrieve_secret([self.vault_name_replica_without_KRA])
|
|
|
6d47df |
|
|
|
6d47df |
+ def test_create_and_retrieve_shared_vault_replica_without_kra(self):
|
|
|
6d47df |
+ # create vault
|
|
|
6d47df |
+ self.replicas[0].run_command([
|
|
|
6d47df |
+ "ipa", "vault-add",
|
|
|
6d47df |
+ self.shared_vault_name_replica_without_KRA,
|
|
|
6d47df |
+ "--shared",
|
|
|
6d47df |
+ "--type", "standard",
|
|
|
6d47df |
+ ])
|
|
|
6d47df |
+
|
|
|
6d47df |
+ # archive secret
|
|
|
6d47df |
+ self.replicas[0].run_command([
|
|
|
6d47df |
+ "ipa", "vault-archive",
|
|
|
6d47df |
+ self.shared_vault_name_replica_without_KRA,
|
|
|
6d47df |
+ "--shared",
|
|
|
6d47df |
+ "--data", self.vault_data,
|
|
|
6d47df |
+ ])
|
|
|
6d47df |
+ time.sleep(WAIT_AFTER_ARCHIVE)
|
|
|
6d47df |
+
|
|
|
6d47df |
+ # add non-admin user
|
|
|
6d47df |
+ self.replicas[0].run_command([
|
|
|
6d47df |
+ 'ipa', 'user-add', self.vault_user,
|
|
|
6d47df |
+ '--first', self.vault_user,
|
|
|
6d47df |
+ '--last', self.vault_user,
|
|
|
6d47df |
+ '--password'],
|
|
|
6d47df |
+ stdin_text=self.vault_user_password)
|
|
|
6d47df |
+
|
|
|
6d47df |
+ # add it to vault
|
|
|
6d47df |
+ self.replicas[0].run_command([
|
|
|
6d47df |
+ "ipa", "vault-add-member",
|
|
|
6d47df |
+ self.shared_vault_name_replica_without_KRA,
|
|
|
6d47df |
+ "--shared",
|
|
|
6d47df |
+ "--users", self.vault_user,
|
|
|
6d47df |
+ ])
|
|
|
6d47df |
+
|
|
|
6d47df |
+ self.replicas[0].run_command([
|
|
|
6d47df |
+ 'kdestroy', '-A'])
|
|
|
6d47df |
+
|
|
|
6d47df |
+ user_kinit = "%s\n%s\n%s\n" % (self.vault_user_password,
|
|
|
6d47df |
+ self.vault_user_password,
|
|
|
6d47df |
+ self.vault_user_password)
|
|
|
6d47df |
+
|
|
|
6d47df |
+ self.replicas[0].run_command([
|
|
|
6d47df |
+ 'kinit', self.vault_user],
|
|
|
6d47df |
+ stdin_text=user_kinit)
|
|
|
6d47df |
+
|
|
|
6d47df |
+ # TODO: possibly refactor with:
|
|
|
6d47df |
+ # self._retrieve_secret([self.vault_name_replica_without_KRA])
|
|
|
6d47df |
+
|
|
|
6d47df |
+ self.replicas[0].run_command([
|
|
|
6d47df |
+ "ipa", "vault-retrieve",
|
|
|
6d47df |
+ "--shared",
|
|
|
6d47df |
+ self.shared_vault_name_replica_without_KRA,
|
|
|
6d47df |
+ "--out=test.txt"])
|
|
|
6d47df |
+
|
|
|
6d47df |
+ self.replicas[0].run_command([
|
|
|
6d47df |
+ 'kdestroy', '-A'])
|
|
|
6d47df |
+
|
|
|
6d47df |
+ tasks.kinit_admin(self.replicas[0])
|
|
|
6d47df |
+
|
|
|
6d47df |
+
|
|
|
6d47df |
def test_create_and_retrieve_vault_replica_with_kra(self):
|
|
|
6d47df |
|
|
|
6d47df |
# install KRA on replica
|
|
|
6d47df |
|
|
|
6d47df |
From d57d97ea7f911e18ac75d532e19833c4efaafa96 Mon Sep 17 00:00:00 2001
|
|
|
6d47df |
From: François Cami <fcami@redhat.com>
|
|
|
6d47df |
Date: Nov 23 2018 09:54:46 +0000
|
|
|
6d47df |
Subject: Add a "Find enabled services" ACI in 20-aci.update so that all users can find IPA servers and services. ACI suggested by Christian Heimes.
|
|
|
6d47df |
|
|
|
6d47df |
|
|
|
6d47df |
Fixes: https://pagure.io/freeipa/issue/7691
|
|
|
6d47df |
Signed-off-by: François Cami <fcami@redhat.com>
|
|
|
6d47df |
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
|
|
6d47df |
|
|
|
6d47df |
---
|
|
|
6d47df |
|
|
|
6d47df |
diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
|
|
|
6d47df |
index 184749d..7650cb4 100644
|
|
|
6d47df |
--- a/install/updates/20-aci.update
|
|
|
6d47df |
+++ b/install/updates/20-aci.update
|
|
|
6d47df |
@@ -36,6 +36,10 @@ remove:aci:(targetfilter="(objectclass=nsContainer)")(version 3.0; acl "Deny rea
|
|
|
6d47df |
dn: cn=masters,cn=ipa,cn=etc,$SUFFIX
|
|
|
6d47df |
add:aci:(targetfilter="(objectclass=nsContainer)")(targetattr="objectclass || cn")(version 3.0; acl "Read access to masters"; allow(read, search, compare) userdn = "ldap:///all";)
|
|
|
6d47df |
|
|
|
6d47df |
+# Allow users to discover enabled services
|
|
|
6d47df |
+dn: cn=masters,cn=ipa,cn=etc,$SUFFIX
|
|
|
6d47df |
+add:aci:(targetfilter = "(ipaConfigString=enabledService)")(targetattrs = "ipaConfigString")(version 3.0; acl "Find enabled services"; allow(read, search, compare) userdn = "ldap:///all";)
|
|
|
6d47df |
+
|
|
|
6d47df |
# Allow hosts to read masters service configuration
|
|
|
6d47df |
dn: cn=masters,cn=ipa,cn=etc,$SUFFIX
|
|
|
6d47df |
add:aci:(targetfilter = "(objectclass=nsContainer)")(targetattr = "ipaConfigString")(version 3.0; acl "Allow hosts to read masters service configuration"; allow(read, search, compare) userdn = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX";)
|
|
|
6d47df |
|