From 858859187a1353cbaa893642cc7b27f9f644b18b Mon Sep 17 00:00:00 2001
From: François Cami
Date: Nov 23 2018 09:54:46 +0000
Subject: Add a shared-vault-retrieve test

Add a shared-vault-retrieve test when:
* master has KRA installed
* replica has no KRA

This currently fails because of issue#7691

Related-to: https://pagure.io/freeipa/issue/7691
Signed-off-by: François Cami
Reviewed-By: Christian Heimes
---
diff --git a/ipatests/test_integration/test_vault.py b/ipatests/test_integration/test_vault.py
index ea2591b..e5b3ad1 100644
--- a/ipatests/test_integration/test_vault.py
+++ b/ipatests/test_integration/test_vault.py
@@ -20,14 +20,17 @@ class TestInstallKRA(IntegrationTest):
     vault_password = "password"
     vault_data = "SSBsb3ZlIENJIHRlc3RzCg=="
+    vault_user = "vault_user"
+    vault_user_password = "vault_user_password"
     vault_name_master = "ci_test_vault_master"
     vault_name_master2 = "ci_test_vault_master2"
     vault_name_master3 = "ci_test_vault_master3"
     vault_name_replica_without_KRA = "ci_test_vault_replica_without_kra"
+    shared_vault_name_replica_without_KRA = ("ci_test_shared"
+                                             "_vault_replica_without_kra")
     vault_name_replica_with_KRA = "ci_test_vault_replica_with_kra"
     vault_name_replica_KRA_uninstalled = "ci_test_vault_replica_KRA_uninstalled"
-
     @classmethod
     def install(cls, mh):
         tasks.install_master(cls.master, setup_kra=True)
@@ -89,6 +92,66 @@ class TestInstallKRA(IntegrationTest):
         self._retrieve_secret([self.vault_name_replica_without_KRA])
+    def test_create_and_retrieve_shared_vault_replica_without_kra(self):
+        # create vault
+        self.replicas[0].run_command([
+            "ipa", "vault-add",
+            self.shared_vault_name_replica_without_KRA,
+            "--shared",
+            "--type", "standard",
+        ])
+
+        # archive secret
+        self.replicas[0].run_command([
+            "ipa", "vault-archive",
+            self.shared_vault_name_replica_without_KRA,
+            "--shared",
+            "--data", self.vault_data,
+        ])
+        time.sleep(WAIT_AFTER_ARCHIVE)
+
+        # add non-admin user
+        self.replicas[0].run_command([
+            'ipa', 'user-add', self.vault_user,
+            '--first', self.vault_user,
+            '--last', self.vault_user,
+            '--password'],
+            stdin_text=self.vault_user_password)
+
+        # add it to vault
+        self.replicas[0].run_command([
+            "ipa", "vault-add-member",
+            self.shared_vault_name_replica_without_KRA,
+            "--shared",
+            "--users", self.vault_user,
+        ])
+
+        self.replicas[0].run_command([
+            'kdestroy', '-A'])
+
+        user_kinit = "%s\n%s\n%s\n" % (self.vault_user_password,
+                                       self.vault_user_password,
+                                       self.vault_user_password)
+
+        self.replicas[0].run_command([
+            'kinit', self.vault_user],
+            stdin_text=user_kinit)
+
+        # TODO: possibly refactor with:
+        # self._retrieve_secret([self.vault_name_replica_without_KRA])
+
+        self.replicas[0].run_command([
+            "ipa", "vault-retrieve",
+            "--shared",
+            self.shared_vault_name_replica_without_KRA,
+            "--out=test.txt"])
+
+        self.replicas[0].run_command([
+            'kdestroy', '-A'])
+
+        tasks.kinit_admin(self.replicas[0])
+
+
     def test_create_and_retrieve_vault_replica_with_kra(self):
         # install KRA on replica
From d57d97ea7f911e18ac75d532e19833c4efaafa96 Mon Sep 17 00:00:00 2001
From: François Cami
Date: Nov 23 2018 09:54:46 +0000
Subject: Add a "Find enabled services" ACI in 20-aci.update so that all users can find IPA servers and services.
ACI suggested by Christian Heimes.

Fixes: https://pagure.io/freeipa/issue/7691
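Review bot: The credential cleanup at the end of the new test (`kdestroy -A` followed by `tasks.kinit_admin(self.replicas[0])`) only runs when `vault-retrieve` succeeds, yet the commit message says that retrieval currently fails because of issue 7691; on failure the replica's ccache is left holding `vault_user`'s ticket, so the next test (`test_create_and_retrieve_vault_replica_with_kra`, which starts by installing the KRA on the replica) would run as an unprivileged user rather than admin. Wrap the retrieval in `try`/`finally` so the ticket is always restored, as sketched below. The test also never reads `test.txt` back and compares it with `vault_data`, so a retrieval that returns wrong or empty content still passes, unlike the `_retrieve_secret` helper the TODO refers to. Finally, the three-times-repeated password on `kinit` stdin deserves a comment such as `# initial password, new password, confirmation: presumably the forced password change on first login`.
```python
        # … unchanged: vault-add, vault-archive, user-add, vault-add-member, kinit as vault_user …
        try:
            self.replicas[0].run_command([
                "ipa", "vault-retrieve",
                "--shared",
                self.shared_vault_name_replica_without_KRA,
                "--out=test.txt"])
        finally:
            # Always drop the user's ticket and restore admin, even when the
            # retrieval fails, so later tests do not run as vault_user.
            self.replicas[0].run_command(['kdestroy', '-A'])
            tasks.kinit_admin(self.replicas[0])
```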
Signed-off-by: François Cami
Reviewed-By: Christian Heimes
---
diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index 184749d..7650cb4 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -36,6 +36,10 @@ remove:aci:(targetfilter="(objectclass=nsContainer)")(version 3.0; acl "Deny rea
 dn: cn=masters,cn=ipa,cn=etc,$SUFFIX
 add:aci:(targetfilter="(objectclass=nsContainer)")(targetattr="objectclass || cn")(version 3.0; acl "Read access to masters"; allow(read, search, compare) userdn = "ldap:///all";)
+# Allow users to discover enabled services
+dn: cn=masters,cn=ipa,cn=etc,$SUFFIX
+add:aci:(targetfilter = "(ipaConfigString=enabledService)")(targetattrs = "ipaConfigString")(version 3.0; acl "Find enabled services"; allow(read, search, compare) userdn = "ldap:///all";)
+
 # Allow hosts to read masters service configuration
 dn: cn=masters,cn=ipa,cn=etc,$SUFFIX
 add:aci:(targetfilter = "(objectclass=nsContainer)")(targetattr = "ipaConfigString")(version 3.0; acl "Allow hosts to read masters service configuration"; allow(read, search, compare) userdn = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX";)
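Review bot: The new ACI spells the attribute keyword `targetattrs`, while the two neighbouring ACIs in this hunk use the documented `targetattr`; unless the server's ACI parser happens to tolerate the trailing character, the rule is rejected at update time (or never grants anything), so this should read `(targetattr = "ipaConfigString")` and be verified with an `ldapsearch` as a non-admin user, ideally from the integration test added in the sibling commit. Separately, `targetattr` is entry-level: it exposes every value of the multi-valued `ipaConfigString` attribute on each entry matching `(ipaConfigString=enabledService)` to all authenticated users (`ldap:///all`), not only the `enabledService` value, so any other markers stored in that attribute on those service entries become readable too; if that is wider than intended, a value-level `targattrfilters` rule or a narrower target would limit the disclosure. The comment should state the audience and purpose, e.g. `# Allow all authenticated users to read ipaConfigString of enabled services (service discovery from replicas, see issue 7691)`.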