From 538a9992fd1394ed24cbcdf2a2a27694ac28da55 Mon Sep 17 00:00:00 2001
From: Antonio Torres <antorres@redhat.com>
Date: Mon, 8 Mar 2021 18:20:35 +0100
Subject: [PATCH] ipatests: ensure auth indicators can't be added to internal
 IPA services

Authentication indicators should not be added to internal IPA services,
since this can lead to a broken IPA setup. Likewise, if a client has an
auth indicator set on its host principal, promoting it to a replica
should fail.

Related: https://pagure.io/freeipa/issue/8206
Signed-off-by: Antonio Torres <antorres@redhat.com>
---
 .../test_replica_promotion.py                 | 38 +++++++++++++++++++
 ipatests/test_xmlrpc/test_host_plugin.py      | 10 +++++
 ipatests/test_xmlrpc/test_service_plugin.py   | 21 ++++++++++
 3 files changed, 69 insertions(+)

diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
index 0a137dbdcb068811899e7ff7914730f14ea651c1..b9c56f775d08885cb6b1226eeb7bcf105f87cdc1 100644
--- a/ipatests/test_integration/test_replica_promotion.py
+++ b/ipatests/test_integration/test_replica_promotion.py
@@ -101,6 +101,44 @@ class TestReplicaPromotionLevel1(ReplicaPromotionBase):
         assert result.returncode == 1
         assert expected_err in result.stderr_text
 
+    @replicas_cleanup
+    def test_install_with_host_auth_ind_set(self):
+        """ A client shouldn't be able to be promoted if it has
+        any auth indicator set in the host principal.
+        https://pagure.io/freeipa/issue/8206
+        """
+
+        client = self.replicas[0]
+        # Configure firewall first
+        Firewall(client).enable_services(["freeipa-ldap",
+                                          "freeipa-ldaps"])
+
+        client.run_command(['ipa-client-install', '-U',
+                            '--domain', self.master.domain.name,
+                            '--realm', self.master.domain.realm,
+                            '-p', 'admin',
+                            '-w', self.master.config.admin_password,
+                            '--server', self.master.hostname,
+                            '--force-join'])
+
+        tasks.kinit_admin(client)
+
+        client.run_command(['ipa', 'host-mod', '--auth-ind=otp',
+                            client.hostname])
+
+        res = client.run_command(['ipa-replica-install', '-U', '-w',
+                                  self.master.config.dirman_password],
+                                 raiseonerr=False)
+
+        client.run_command(['ipa', 'host-mod', '--auth-ind=',
+                            client.hostname])
+
+        expected_err = ("Client cannot be promoted to a replica if the host "
+                        "principal has an authentication indicator set.")
+        assert res.returncode == 1
+        assert expected_err in res.stderr_text
+
+
     @replicas_cleanup
     def test_one_command_installation(self):
         """
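Review bot: The docstring says promotion must fail with "any auth indicator set", but the test exercises only `--auth-ind=otp`; parametrizing the value, e.g. over `otp` and `radius` as the XML-RPC hunks of this patch do, would pin that the check triggers on a non-empty `krbprincipalauthind` rather than on one specific indicator. The ordering of the reset `ipa host-mod --auth-ind=` before the asserts is deliberate and worth a comment so nobody "tidies" it into the assert block: `# clear the indicator before asserting so a failed assertion cannot leave the host unusable`. Style nit: the two blank lines added before the next `@replicas_cleanup` method should be one, matching the rest of the class; `test_one_command_installation` itself continues outside the hunk.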
diff --git a/ipatests/test_xmlrpc/test_host_plugin.py b/ipatests/test_xmlrpc/test_host_plugin.py
index c66bbc865cd5e1ee5ee5e1874c177a3ea9b08c93..9cfde3565d48e103a0549e2bfb7579e07668f41b 100644
--- a/ipatests/test_xmlrpc/test_host_plugin.py
+++ b/ipatests/test_xmlrpc/test_host_plugin.py
@@ -605,6 +605,16 @@ class TestProtectedMaster(XMLRPC_test):
                 error=u'An IPA master host cannot be deleted or disabled')):
             command()
 
+    def test_try_add_auth_ind_master(self, this_host):
+        command = this_host.make_update_command({
+            u'krbprincipalauthind': u'radius'})
+        with raises_exact(errors.ValidationError(
+            name='krbprincipalauthind',
+            error=u'authentication indicators not allowed '
+                'in service "host"'
+        )):
+            command()
+
 
 @pytest.mark.tier1
 class TestValidation(XMLRPC_test):
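Review bot: The test asserts only that `host_mod` raises; it does not confirm the master's host entry was left untouched, so a check that fires after a partial write would still pass it. Following the `raises_exact` block, retrieving the entry with the tracker's retrieve command and asserting `krbprincipalauthind` is absent would pin that the rejection happens before the modify. The `this_host` fixture this test takes is not defined in this hunk, so its presence in this module is assumed rather than shown.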
diff --git a/ipatests/test_xmlrpc/test_service_plugin.py b/ipatests/test_xmlrpc/test_service_plugin.py
index 4c845938c33e2eca4235d53c4f4644c2fcdeda9c..ed634a0455a41dce367ed638634d1fc6d9e47553 100644
--- a/ipatests/test_xmlrpc/test_service_plugin.py
+++ b/ipatests/test_xmlrpc/test_service_plugin.py
@@ -25,6 +25,7 @@ from ipalib import api, errors
 from ipatests.test_xmlrpc.xmlrpc_test import Declarative, fuzzy_uuid, fuzzy_hash
 from ipatests.test_xmlrpc.xmlrpc_test import fuzzy_digits, fuzzy_date, fuzzy_issuer
 from ipatests.test_xmlrpc.xmlrpc_test import fuzzy_hex, XMLRPC_test
+from ipatests.test_xmlrpc.xmlrpc_test import raises_exact
 from ipatests.test_xmlrpc import objectclasses
 from ipatests.test_xmlrpc.testcert import get_testcert, subject_base
 from ipatests.test_xmlrpc.test_user_plugin import get_user_result, get_group_dn
@@ -1552,6 +1553,15 @@ def indicators_host(request):
     return tracker.make_fixture(request)
 
 
+@pytest.fixture(scope='function')
+def this_host(request):
+    """Fixture for the current master"""
+    tracker = HostTracker(name=api.env.host.partition('.')[0],
+                          fqdn=api.env.host)
+    tracker.exists = True
+    return tracker
+
+
 @pytest.fixture(scope='function')
 def indicators_service(request):
     tracker = ServiceTracker(
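Review bot: The fixture marks the tracker as existing without registering any teardown, which is correct for the live master but is exactly what a later reader might "fix" by switching to `tracker.make_fixture(request)` like the neighbouring fixtures; a comment should make the intent explicit, `# The master already exists and must never be deleted, so no teardown is registered`. The `request` parameter is then unused and kept only for signature symmetry with the other fixtures, which the same comment can mention. The preceding hunk in test_host_plugin.py appears to use a `this_host` fixture of the same shape; if so, sharing one definition via conftest would avoid the duplicate.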
@@ -1587,6 +1597,17 @@ class TestAuthenticationIndicators(XMLRPC_test):
             expected_updates={u'krbprincipalauthind': [u'radius']}
         )
 
+    def test_update_indicator_internal_service(self, this_host):
+        command = this_host.make_command('service_mod',
+                                         'ldap/' + this_host.fqdn,
+                                         **dict(krbprincipalauthind='otp'))
+        with raises_exact(errors.ValidationError(
+            name='krbprincipalauthind',
+            error=u'authentication indicators not allowed '
+                 'in service "ldap"'
+        )):
+            command()
+
 
 @pytest.fixture(scope='function')
 def managing_host(request):
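Review bot: The test covers only the `ldap/` service; if the server-side restriction is keyed on a list of service names rather than on any service belonging to an IPA master, an omitted entry such as `HTTP/` would go unnoticed, so parametrizing over at least `ldap` and `HTTP` with the message built as `f'authentication indicators not allowed in service "{svc}"'` would be a cheap extension (the implementation is not in this diff, so this is a guess about its shape). Style: `**dict(krbprincipalauthind='otp')` is an indirection for a plain keyword argument, `this_host.make_command('service_mod', 'ldap/' + this_host.fqdn, krbprincipalauthind='otp')`, and the implicit string concatenation in the expected error mixes a `u''` literal with a plain one; under Python 3 the prefix is redundant, so use one form throughout.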
-- 
2.26.3