From b016683552a58f9cc2a05cf628cc467234eaf599 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Mon, 28 Feb 2022 11:10:49 +0200
Subject: [PATCH] tests: ensure AD-SUPPORT subpolicy is active
Use AD-SUPPORT subpolicy when testing trust to Active Directory in FIPS
mode. This is required in FIPS mode due to AD not supporting Kerberos
AES-based encryption types using FIPS-compliant PBKDF2 and KDF, as
defined in RFC 8009.
Fixes: https://pagure.io/freeipa/issue/9119
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Julien Rische <jrische@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
---
ipatests/pytest_ipa/integration/fips.py | 6 ++++++
ipatests/pytest_ipa/integration/tasks.py | 3 +++
2 files changed, 9 insertions(+)
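diff --git a/ipatests/pytest_ipa/integration/fips.py b/ipatests/pytest_ipa/integration/fips.py
index 694ec8a9927da917fe99482094f68540a1032c14..b33aa91b14552d6f47191c913db4f974a5a5948c 100644
--- a/ipatests/pytest_ipa/integration/fips.py
+++ b/ipatests/pytest_ipa/integration/fips.py
@@ -68,3 +68,9 @@ def disable_userspace_fips(host):
     # sanity check
     assert not is_fips_enabled(host)
     host.run_command(["openssl", "md5", "/dev/null"])
+
+
+def enable_crypto_subpolicy(host, subpolicy):
+    result = host.run_command(["update-crypto-policies", "--show"])
+    policy = result.stdin_text.strip() + ":" + subpolicy
+    host.run_command(["update-crypto-policies", "--set", policy])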
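diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
index 7e1b7c24dab00986ff6e75430bf55e55dd1a6b8e..13d84e23fa7dc8a5e562e8498c9142e2bcad696a 100755
--- a/ipatests/pytest_ipa/integration/tasks.py
+++ b/ipatests/pytest_ipa/integration/tasks.py
@@ -66,6 +66,7 @@ from .env_config import env_to_script
 from .host import Host
 from .firewall import Firewall
 from .resolver import ResolvedResolver
+from .fips import is_fips_enabled, enable_crypto_subpolicy
 
 logger = logging.getLogger(__name__)
 
@@ -362,6 +363,8 @@ def install_master(host, setup_dns=True, setup_kra=False, setup_adtrust=False,
     if setup_adtrust:
         args.append('--setup-adtrust')
         fw_services.append("freeipa-trust")
+        if is_fips_enabled(host):
+            enable_crypto_subpolicy(host, "AD-SUPPORT")
     if external_ca:
         args.append('--external-ca')
 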
--
2.34.1