From 67d4a673d504a6fb921d3b0c061083559a9249d7 Mon Sep 17 00:00:00 2001
From: aborah <aborah@anuj.master.com>
Date: Tue, 23 Mar 2021 08:10:54 +0530
Subject: [PATCH] Add support to verify authentication indicators in
 pam_sss_gss

Error code in the log line '[pam_cmd_gssapi_sec_ctx] (0x0400): Check if
acquired service ticket has req. indicators:':
'2' means 'not applied' (ENOENT).

Verifies: https://github.com/SSSD/sssd/issues/5482

Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1926622
---
 src/tests/multihost/ipa/test_misc.py | 217 ++++++++++++++++++++++++---
 1 file changed, 199 insertions(+), 18 deletions(-)

diff --git a/src/tests/multihost/ipa/test_misc.py b/src/tests/multihost/ipa/test_misc.py
index a3ec7cd100..2e76d0b0cf 100644
--- a/src/tests/multihost/ipa/test_misc.py
+++ b/src/tests/multihost/ipa/test_misc.py
@@ -1,22 +1,31 @@
-""" Miscellaneous IPA Bug Automations """
+""" Miscellaneous IPA Bug Automations
+
+:requirement: IDM-SSSD-REQ: Testing SSSD in IPA Provider
+:casecomponent: sssd
+:subsystemteam: sst_idm_sssd
+:upstream: yes
+"""
 
 import pytest
 import time
-from sssd.testlib.common.utils import sssdTools
+from sssd.testlib.common.utils import sssdTools, SSHClient
 from sssd.testlib.common.exceptions import SSSDException
 import re
 
 
-@pytest.mark.tier1
+@pytest.mark.usefixtures('default_ipa_users')
+@pytest.mark.tier2
 class Testipabz(object):
     """ IPA BZ Automations """
     def test_blank_kinit(self, multihost):
-        """@Title: verify sssd fails to start with
-        invalid default keytab file
-
-        BZ:1748292
-        systemctl status sssd says No such file or directory
-        about "default" when keytab exists but is empty file
+        """
+        :title: verify sssd fails to start with
+         invalid default keytab file
+        :id: 525cbe28-f835-4d2e-9583-d3f614b8486e
+        :requirement: IDM-SSSD-REQ : KRB5 Provider
+        :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1748292
+        :description: systemctl status sssd says No such file or
+         directory about "default" when keytab exists but is empty file
         """
         tools = sssdTools(multihost.client[0])
         # stop sssd
@@ -49,15 +58,14 @@ def test_blank_kinit(self, multihost):
 
     def test_sssdConfig_remove_Domains(self, multihost):
         """
-        @Title: Verify SSSDConfig.save_domain API removes
-        all autofs entries from sssd.conf
-
-        @Description:
-        SSSDConfig.save_domain(domain) does not always
-        remove all entries removed from domain
-
-        @Bugzilla:
-        https://bugzilla.redhat.com/show_bug.cgi?id=1796989
+        :title: Verify SSSDConfig.save_domain API removes
+         all autofs entries from sssd.conf
+        :id: 3efaf0af-58a7-4631-8555-da8a7bbcf351
+        :description:
+         SSSDConfig.save_domain(domain) does not always
+         remove all entries removed from domain
+        :bugzilla:
+         https://bugzilla.redhat.com/show_bug.cgi?id=1796989
         """
         tools = sssdTools(multihost.client[0])
         setup_automount = "ipa-client-automount --location default -U " \
@@ -72,3 +80,176 @@ def test_sssdConfig_remove_Domains(self, multihost):
                                                    raiseonerr=False)
             assert cmd1.returncode == 0
             assert cmd2.returncode == 0
+
+    def test_filter_groups(self, multihost, default_ipa_groups,
+                           add_group_member, backupsssdconf):
+        """
+        :title:  filter_groups option partially filters the group from id
+        output of the user because gidNumber still appears in id output
+        :id: 8babb6ee-7141-4723-a79d-c5cf7879a9b4
+        :description:
+         filter_groups option partially filters the group from 'id' output
+         of the user because gidNumber still appears in 'id' output
+        :steps:
+          1. Create IPA users, groups and add users in groups.
+          2. Add filter_groups in sssd.conf.
+          3. Check filter_groups option filters the group from 'id' output.
+        :expectedresults:
+          1. Successfully add users, groups and users added in groups.
+          2. Successfully added filter_groups in sssd.conf.
+          3. Successfully filter out the groups.
+        :bugzilla:
+         https://bugzilla.redhat.com/show_bug.cgi?id=1876658
+        """
+        gid_start = default_ipa_groups
+        sssd_client = sssdTools(multihost.client[0])
+        domain_name = '%s/%s' % ('domain',
+                                 sssd_client.get_domain_section_name())
+        enable_filtergroups1 = {'filter_groups': 'ipa-group1, ipa-group2'}
+        sssd_client.sssd_conf(domain_name, enable_filtergroups1)
+        sssd_client.clear_sssd_cache()
+        lk_cmd1 = 'id foobar1'
+        cmd1 = multihost.client[0].run_command(lk_cmd1, raiseonerr=False)
+        assert cmd1.returncode == 0
+        assert all(x not in cmd1.stdout_text for x in ["ipa-group1",
+                                                       "ipa-group2"]), \
+            "The unexpected group name found in the id output!"
+        assert all(x not in cmd1.stdout_text for x in [str(gid_start+1),
+                                                       str(gid_start+2)]), \
+            "The unexpected gid found in the id output!"
+        enable_filtergroups2 = {'filter_groups': 'ipa-group3, ipa-group4, '
+                                                 'ipa-group5'}
+        sssd_client.sssd_conf(domain_name, enable_filtergroups2)
+        sssd_client.clear_sssd_cache()
+        lk_cmd2 = 'id foobar2'
+        cmd2 = multihost.client[0].run_command(lk_cmd2, raiseonerr=False)
+        assert cmd2.returncode == 0
+        assert all(x not in cmd2.stdout_text for x in ["ipa-group3",
+                                                       "ipa-group4",
+                                                       "ipa-group5"]), \
+            "The unexpected group name found in the id output!"
+        assert all(x not in cmd2.stdout_text for x in [str(gid_start+3),
+                                                       str(gid_start+4),
+                                                       str(gid_start+5)]), \
+            "The unexpected gid found in the id output!"
+
+    def test_authentication_indicators(self, multihost):
+        """
+        :title: Add support to verify authentication
+         indicators in pam_sss_gss
+        :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1926622
+        :id: 4891ed62-7fc8-11eb-98be-002b677efe14
+        :steps:
+            1. Add pam_sss_gss configuration to /etc/sssd/sssd.conf
+            2. Add pam_sss_gss.so to /etc/pam.d/sudo
+            3. Restart SSSD
+            4. Enable SSSD debug logs
+            5. Switch to 'admin' user
+            6. obtain Kerberos ticket and check that it
+             was obtained using SPAKE pre-authentication.
+            7. Create sudo configuration that allows an admin to
+             run SUDO rules
+            8. Try 'sudo -l' as admin
+            9. As root, check content of sssd_pam.log
+            10. Check if acquired service ticket has
+             req. indicators: 0
+            11. Add pam_sss_gss configuration to /etc/sssd/sssd.conf
+            12. Check if acquired service ticket has req.
+             indicators: 2
+        :expectedresults:
+            1. Should succeed
+            2. Should succeed
+            3. Should succeed
+            4. Should succeed
+            5. Should succeed
+            6. Should succeed
+            7. Should succeed
+            8. Should succeed
+            9. Should succeed
+            10. Should succeed
+            11. Should succeed
+            12. Should succeed
+        """
+        client = sssdTools(multihost.client[0])
+        domain_params = {'pam_gssapi_services': 'sudo, sudo-i',
+                         'pam_gssapi_indicators_map': 'hardened, '
+                                                      'sudo:pkinit, '
+                                                      'sudo-i:otp'}
+        client.sssd_conf('pam', domain_params)
+        multihost.client[0].run_command('cp -vf '
+                                        '/etc/pam.d/sudo '
+                                        '/etc/pam.d/sudo_indicators')
+        multihost.client[0].run_command("sed -i "
+                                        "'2s/^/auth sufficient "
+                                        "pam_sss_gss.so debug\\n/' "
+                                        "/etc/pam.d/sudo")
+        multihost.client[0].run_command('cp -vf '
+                                        '/etc/pam.d/sudo-i '
+                                        '/etc/pam.d/sudo-i_indicators')
+        multihost.client[0].run_command("sed -i "
+                                        "'2s/^/auth sufficient "
+                                        "pam_sss_gss.so debug\\n/' "
+                                        "/etc/pam.d/sudo-i")
+        multihost.client[0].run_command('systemctl stop sssd ; '
+                                        'rm -rf /var/log/sssd/* ; '
+                                        'rm -rf /var/lib/sss/db/* ; '
+                                        'systemctl start sssd')
+        multihost.client[0].run_command("sssctl debug-level 9")
+        ssh = SSHClient(multihost.client[0].sys_hostname,
+                        username='admin', password='Secret123')
+        (_, _, exit_status) = ssh.execute_cmd('kinit admin',
+                                              stdin='Secret123')
+        (result, errors, exit_status) = ssh.exec_command('klist')
+        (result, errors, exit_status) = ssh.execute_cmd('ipa '
+                                                        'sudocmd-add ALL2')
+        (result, errors, exit_status) = ssh.execute_cmd('ipa '
+                                                        'sudorule-add '
+                                                        'testrule2')
+        (result, errors, exit_status) = ssh.execute_cmd("ipa sudorule-add"
+                                                        "-allow-command "
+                                                        "testrule2 "
+                                                        "--sudocmds 'ALL2'")
+        (result, errors, exit_status) = ssh.execute_cmd('ipa '
+                                                        'sudorule-mod '
+                                                        'testrule2 '
+                                                        '--hostcat=all')
+        (result, errors, exit_status) = ssh.execute_cmd('ipa '
+                                                        'sudorule-add-user '
+                                                        'testrule2 '
+                                                        '--users admin')
+        (result, errors, exit_status) = ssh.execute_cmd('sudo -l')
+        ssh.close()
+        search = multihost.client[0].run_command('fgrep '
+                                                 'gssapi_ '
+                                                 '/var/log/sssd/sssd_pam.log '
+                                                 '|tail -10')
+        assert 'indicators: 0' in search.stdout_text
+        client = sssdTools(multihost.client[0])
+        domain_params = {'pam_gssapi_services': 'sudo, sudo-i',
+                         'pam_gssapi_indicators_map': 'sudo-i:hardened'}
+        client.sssd_conf('pam', domain_params)
+        multihost.client[0].run_command('systemctl stop sssd ; '
+                                        'rm -rf /var/log/sssd/* ; '
+                                        'rm -rf /var/lib/sss/db/* ; '
+                                        'systemctl start sssd')
+        ssh = SSHClient(multihost.client[0].sys_hostname,
+                        username='admin', password='Secret123')
+        (_, _, exit_status) = ssh.execute_cmd('kinit admin',
+                                              stdin='Secret123')
+        multihost.client[0].run_command("sssctl debug-level 9")
+        (result, errors, exit_status) = ssh.execute_cmd('sudo -l')
+        (result, errors, exit_status) = ssh.exec_command('klist')
+        (result, errors, exit_status) = ssh.execute_cmd('ipa '
+                                                        'sudocmd-del ALL2')
+        (result, errors, exit_status) = ssh.execute_cmd('ipa '
+                                                        'sudorule-del '
+                                                        'testrule2')
+        multihost.client[0].run_command('cp -vf /etc/pam.d/sudo_indicators '
+                                        '/etc/pam.d/sudo')
+        multihost.client[0].run_command('cp -vf /etc/pam.d/sudo-i_indicators '
+                                        '/etc/pam.d/sudo-i')
+        search = multihost.client[0].run_command('fgrep gssapi_ '
+                                                 '/var/log/sssd/sssd_pam.log'
+                                                 ' |tail -10')
+        ssh.close()
+        assert 'indicators: 2' in search.stdout_text
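Review bot: The cleanup at the end of test_authentication_indicators — `ipa sudocmd-del ALL2`, `ipa sudorule-del testrule2` and the `cp -vf /etc/pam.d/sudo_indicators /etc/pam.d/sudo` / `sudo-i` restores — only runs when the first `assert 'indicators: 0' in search.stdout_text` passes, so a failure leaves `pam_sss_gss.so` inserted in the client's sudo and sudo-i PAM stacks and a sudo rule granting admin `ALL2` with `--hostcat=all` on the IPA server for every later test. Take the two backup copies of /etc/pam.d/sudo and sudo-i before a `try:` and move the rule deletion and restores into its `finally:` (or into a fixture teardown), as sketched below; the `[pam]` section written by the two `client.sssd_conf('pam', domain_params)` calls is also never restored — test_filter_groups uses the `backupsssdconf` fixture for this, which presumably would cover it here too. Separately, the `exit_status` of each `ipa sudocmd-add` / `sudorule-add*` setup command is captured and discarded, so a failed setup only surfaces later as the opaque log-grep assertion; an `assert exit_status == 0` after each would point at the real cause. The two `ssh.exec_command('klist')` calls are unpacked into `(result, errors, exit_status)` like `execute_cmd`; if SSHClient.exec_command does not return that triple they will raise — worth confirming against the helper.
```python
        client = sssdTools(multihost.client[0])
        # … unchanged: domain_params …
        multihost.client[0].run_command('cp -vf /etc/pam.d/sudo '
                                        '/etc/pam.d/sudo_indicators')
        multihost.client[0].run_command('cp -vf /etc/pam.d/sudo-i '
                                        '/etc/pam.d/sudo-i_indicators')
        try:
            # … unchanged: sssd_conf, sed edits of /etc/pam.d/sudo{,-i}, sssd restart,
            #   kinit, sudo rule setup, 'indicators: 0' check, second sssd_conf/restart,
            #   'sudo -l', second log grep …
            assert 'indicators: 2' in search.stdout_text
        finally:
            ssh = SSHClient(multihost.client[0].sys_hostname,
                            username='admin', password='Secret123')
            ssh.execute_cmd('kinit admin', stdin='Secret123')
            ssh.execute_cmd('ipa sudorule-del testrule2')
            ssh.execute_cmd('ipa sudocmd-del ALL2')
            ssh.close()
            multihost.client[0].run_command('cp -vf /etc/pam.d/sudo_indicators '
                                            '/etc/pam.d/sudo')
            multihost.client[0].run_command('cp -vf /etc/pam.d/sudo-i_indicators '
                                            '/etc/pam.d/sudo-i')
```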
