From d0faac88516b1e131560327d598c239813232078 Mon Sep 17 00:00:00 2001 From: aborah Date: Tue, 23 Mar 2021 08:10:54 +0530 Subject: [PATCH] Add support to verify authentication indicators in pam_sss_gss Error code of '[pam_cmd_gssapi_sec_ctx] (0x0400): Check if acquired service ticket has req. indicators:'. '2' is 'not applied' (ENOENT), Verifies: https://github.com/SSSD/sssd/issues/5482 Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1926622 --- src/tests/multihost/ipa/test_misc.py | 125 ++++++++++++++++++++++++++- 1 file changed, 123 insertions(+), 2 deletions(-) diff --git a/src/tests/multihost/ipa/test_misc.py b/src/tests/multihost/ipa/test_misc.py index a3ec7cd100..8403c1310f 100644 --- a/src/tests/multihost/ipa/test_misc.py +++ b/src/tests/multihost/ipa/test_misc.py @@ -2,12 +2,12 @@ import pytest import time -from sssd.testlib.common.utils import sssdTools +from sssd.testlib.common.utils import sssdTools, SSHClient from sssd.testlib.common.exceptions import SSSDException import re -@pytest.mark.tier1 +@pytest.mark.tier2 class Testipabz(object): """ IPA BZ Automations """ def test_blank_kinit(self, multihost): @@ -72,3 +72,124 @@ def test_sssdConfig_remove_Domains(self, multihost): raiseonerr=False) assert cmd1.returncode == 0 assert cmd2.returncode == 0 + + def test_authentication_indicators(self, multihost): + """ + :title: IDM-SSSD-TC: Add support to verify authentication + indicators in pam_sss_gss + :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1926622 + :id: 4891ed62-7fc8-11eb-98be-002b677efe14 + :steps: + 1. Add pam_sss_gss configuration to /etc/sssd/sssd.conf + 2. Add pam_sss_gss.so to /etc/pam.d/sudo + 3. Restart SSSD + 4. Enable SSSD debug logs + 5. Switch to 'admin' user + 6. obtain Kerberos ticket and check that it + was obtained using SPAKE pre-authentication. + 7. Create sudo configuration that allows an admin to + run SUDO rules + 8. Try 'sudo -l' as admin + 9. As root, check content of sssd_pam.log + 10. Check if acquired service ticket has + req. indicators: 0 + 11. Add pam_sss_gss configuration to /etc/sssd/sssd.conf + 12. Check if acquired service ticket has req. + indicators: 2 + :expectedresults: + 1. Should succeed + 2. Should succeed + 3. Should succeed + 4. Should succeed + 5. Should succeed + 6. Should succeed + 7. Should succeed + 8. Should succeed + 9. Should succeed + 10. Should succeed + 11. Should succeed + 12. Should succeed + """ + client = sssdTools(multihost.client[0]) + domain_params = {'pam_gssapi_services': 'sudo, sudo-i', + 'pam_gssapi_indicators_map': 'hardened, ' + 'sudo:pkinit, ' + 'sudo-i:otp'} + client.sssd_conf('pam', domain_params) + multihost.client[0].run_command('cp -vf ' + '/etc/pam.d/sudo ' + '/etc/pam.d/sudo_indicators') + multihost.client[0].run_command("sed -i " + "'2s/^/auth sufficient " + "pam_sss_gss.so debug\\n/' " + "/etc/pam.d/sudo") + multihost.client[0].run_command('cp -vf ' + '/etc/pam.d/sudo-i ' + '/etc/pam.d/sudo-i_indicators') + multihost.client[0].run_command("sed -i " + "'2s/^/auth sufficient " + "pam_sss_gss.so debug\\n/' " + "/etc/pam.d/sudo-i") + multihost.client[0].run_command('systemctl stop sssd ; ' + 'rm -rf /var/log/sssd/* ; ' + 'rm -rf /var/lib/sss/db/* ; ' + 'systemctl start sssd') + multihost.client[0].run_command("sssctl debug-level 9") + ssh = SSHClient(multihost.client[0].sys_hostname, + username='admin', password='Secret123') + (_, _, exit_status) = ssh.execute_cmd('kinit admin', + stdin='Secret123') + (result, errors, exit_status) = ssh.exec_command('klist') + (result, errors, exit_status) = ssh.execute_cmd('ipa ' + 'sudocmd-add ALL2') + (result, errors, exit_status) = ssh.execute_cmd('ipa ' + 'sudorule-add ' + 'testrule2') + (result, errors, exit_status) = ssh.execute_cmd("ipa sudorule-add" + "-allow-command " + "testrule2 " + "--sudocmds 'ALL2'") + (result, errors, exit_status) = ssh.execute_cmd('ipa ' + 'sudorule-mod ' + 'testrule2 ' + '--hostcat=all') + (result, errors, exit_status) = ssh.execute_cmd('ipa ' + 'sudorule-add-user ' + 'testrule2 ' + '--users admin') + (result, errors, exit_status) = ssh.execute_cmd('sudo -l') + ssh.close() + search = multihost.client[0].run_command('fgrep ' + 'gssapi_ ' + '/var/log/sssd/sssd_pam.log ' + '|tail -10') + assert 'indicators: 0' in search.stdout_text + client = sssdTools(multihost.client[0]) + domain_params = {'pam_gssapi_services': 'sudo, sudo-i', + 'pam_gssapi_indicators_map': 'sudo-i:hardened'} + client.sssd_conf('pam', domain_params) + multihost.client[0].run_command('systemctl stop sssd ; ' + 'rm -rf /var/log/sssd/* ; ' + 'rm -rf /var/lib/sss/db/* ; ' + 'systemctl start sssd') + ssh = SSHClient(multihost.client[0].sys_hostname, + username='admin', password='Secret123') + (_, _, exit_status) = ssh.execute_cmd('kinit admin', + stdin='Secret123') + multihost.client[0].run_command("sssctl debug-level 9") + (result, errors, exit_status) = ssh.execute_cmd('sudo -l') + (result, errors, exit_status) = ssh.exec_command('klist') + (result, errors, exit_status) = ssh.execute_cmd('ipa ' + 'sudocmd-del ALL2') + (result, errors, exit_status) = ssh.execute_cmd('ipa ' + 'sudorule-del ' + 'testrule2') + multihost.client[0].run_command('cp -vf /etc/pam.d/sudo_indicators ' + '/etc/pam.d/sudo') + multihost.client[0].run_command('cp -vf /etc/pam.d/sudo-i_indicators ' + '/etc/pam.d/sudo-i') + search = multihost.client[0].run_command('fgrep gssapi_ ' + '/var/log/sssd/sssd_pam.log' + ' |tail -10') + ssh.close() + assert 'indicators: 2' in search.stdout_text