From 67d4a673d504a6fb921d3b0c061083559a9249d7 Mon Sep 17 00:00:00 2001 From: aborah Date: Tue, 23 Mar 2021 08:10:54 +0530 Subject: [PATCH] Add support to verify authentication indicators in pam_sss_gss Error code of '[pam_cmd_gssapi_sec_ctx] (0x0400): Check if acquired service ticket has req. indicators:'. '2' is 'not applied' (ENOENT), Verifies: https://github.com/SSSD/sssd/issues/5482 Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1926622 --- src/tests/multihost/ipa/test_misc.py | 217 ++++++++++++++++++++++++--- 1 file changed, 199 insertions(+), 18 deletions(-) diff --git a/src/tests/multihost/ipa/test_misc.py b/src/tests/multihost/ipa/test_misc.py index a3ec7cd100..2e76d0b0cf 100644 --- a/src/tests/multihost/ipa/test_misc.py +++ b/src/tests/multihost/ipa/test_misc.py @@ -1,22 +1,31 @@ -""" Miscellaneous IPA Bug Automations """ +""" Miscellaneous IPA Bug Automations + +:requirement: IDM-SSSD-REQ: Testing SSSD in IPA Provider +:casecomponent: sssd +:subsystemteam: sst_idm_sssd +:upstream: yes +""" import pytest import time -from sssd.testlib.common.utils import sssdTools +from sssd.testlib.common.utils import sssdTools, SSHClient from sssd.testlib.common.exceptions import SSSDException import re -@pytest.mark.tier1 +@pytest.mark.usefixtures('default_ipa_users') +@pytest.mark.tier2 class Testipabz(object): """ IPA BZ Automations """ def test_blank_kinit(self, multihost): - """@Title: verify sssd fails to start with - invalid default keytab file - - BZ:1748292 - systemctl status sssd says No such file or directory - about "default" when keytab exists but is empty file + """ + :title: verify sssd fails to start with + invalid default keytab file + :id: 525cbe28-f835-4d2e-9583-d3f614b8486e + :requirement: IDM-SSSD-REQ : KRB5 Provider + :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1748292 + :description: systemctl status sssd says No such file or + directory about "default" when keytab exists but is empty file """ tools = sssdTools(multihost.client[0]) # stop sssd @@ -49,15 +58,14 @@ def test_blank_kinit(self, multihost): def test_sssdConfig_remove_Domains(self, multihost): """ - @Title: Verify SSSDConfig.save_domain API removes - all autofs entries from sssd.conf - - @Description: - SSSDConfig.save_domain(domain) does not always - remove all entries removed from domain - - @Bugzilla: - https://bugzilla.redhat.com/show_bug.cgi?id=1796989 + :title: Verify SSSDConfig.save_domain API removes + all autofs entries from sssd.conf + :id: 3efaf0af-58a7-4631-8555-da8a7bbcf351 + :description: + SSSDConfig.save_domain(domain) does not always + remove all entries removed from domain + :bugzilla: + https://bugzilla.redhat.com/show_bug.cgi?id=1796989 """ tools = sssdTools(multihost.client[0]) setup_automount = "ipa-client-automount --location default -U " \ @@ -72,3 +80,176 @@ def test_sssdConfig_remove_Domains(self, multihost): raiseonerr=False) assert cmd1.returncode == 0 assert cmd2.returncode == 0 + + def test_filter_groups(self, multihost, default_ipa_groups, + add_group_member, backupsssdconf): + """ + :title: filter_groups option partially filters the group from id + output of the user because gidNumber still appears in id output + :id: 8babb6ee-7141-4723-a79d-c5cf7879a9b4 + :description: + filter_groups option partially filters the group from 'id' output + of the user because gidNumber still appears in 'id' output + :steps: + 1. Create IPA users, groups and add users in groups. + 2. Add filter_groups in sssd.conf. + 3. Check filter_groups option filters the group from 'id' output. + :expectedresults: + 1. Successfully add users, groups and users added in groups. + 2. Successfully added filter_groups in sssd.conf. + 3. Successfully filter out the groups. + :bugzilla: + https://bugzilla.redhat.com/show_bug.cgi?id=1876658 + """ + gid_start = default_ipa_groups + sssd_client = sssdTools(multihost.client[0]) + domain_name = '%s/%s' % ('domain', + sssd_client.get_domain_section_name()) + enable_filtergroups1 = {'filter_groups': 'ipa-group1, ipa-group2'} + sssd_client.sssd_conf(domain_name, enable_filtergroups1) + sssd_client.clear_sssd_cache() + lk_cmd1 = 'id foobar1' + cmd1 = multihost.client[0].run_command(lk_cmd1, raiseonerr=False) + assert cmd1.returncode == 0 + assert all(x not in cmd1.stdout_text for x in ["ipa-group1", + "ipa-group2"]), \ + "The unexpected group name found in the id output!" + assert all(x not in cmd1.stdout_text for x in [str(gid_start+1), + str(gid_start+2)]), \ + "The unexpected gid found in the id output!" + enable_filtergroups2 = {'filter_groups': 'ipa-group3, ipa-group4, ' + 'ipa-group5'} + sssd_client.sssd_conf(domain_name, enable_filtergroups2) + sssd_client.clear_sssd_cache() + lk_cmd2 = 'id foobar2' + cmd2 = multihost.client[0].run_command(lk_cmd2, raiseonerr=False) + assert cmd2.returncode == 0 + assert all(x not in cmd2.stdout_text for x in ["ipa-group3", + "ipa-group4", + "ipa-group5"]), \ + "The unexpected group name found in the id output!" + assert all(x not in cmd2.stdout_text for x in [str(gid_start+3), + str(gid_start+4), + str(gid_start+5)]), \ + "The unexpected gid found in the id output!" + + def test_authentication_indicators(self, multihost): + """ + :title: Add support to verify authentication + indicators in pam_sss_gss + :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1926622 + :id: 4891ed62-7fc8-11eb-98be-002b677efe14 + :steps: + 1. Add pam_sss_gss configuration to /etc/sssd/sssd.conf + 2. Add pam_sss_gss.so to /etc/pam.d/sudo + 3. Restart SSSD + 4. Enable SSSD debug logs + 5. Switch to 'admin' user + 6. obtain Kerberos ticket and check that it + was obtained using SPAKE pre-authentication. + 7. Create sudo configuration that allows an admin to + run SUDO rules + 8. Try 'sudo -l' as admin + 9. As root, check content of sssd_pam.log + 10. Check if acquired service ticket has + req. indicators: 0 + 11. Add pam_sss_gss configuration to /etc/sssd/sssd.conf + 12. Check if acquired service ticket has req. + indicators: 2 + :expectedresults: + 1. Should succeed + 2. Should succeed + 3. Should succeed + 4. Should succeed + 5. Should succeed + 6. Should succeed + 7. Should succeed + 8. Should succeed + 9. Should succeed + 10. Should succeed + 11. Should succeed + 12. Should succeed + """ + client = sssdTools(multihost.client[0]) + domain_params = {'pam_gssapi_services': 'sudo, sudo-i', + 'pam_gssapi_indicators_map': 'hardened, ' + 'sudo:pkinit, ' + 'sudo-i:otp'} + client.sssd_conf('pam', domain_params) + multihost.client[0].run_command('cp -vf ' + '/etc/pam.d/sudo ' + '/etc/pam.d/sudo_indicators') + multihost.client[0].run_command("sed -i " + "'2s/^/auth sufficient " + "pam_sss_gss.so debug\\n/' " + "/etc/pam.d/sudo") + multihost.client[0].run_command('cp -vf ' + '/etc/pam.d/sudo-i ' + '/etc/pam.d/sudo-i_indicators') + multihost.client[0].run_command("sed -i " + "'2s/^/auth sufficient " + "pam_sss_gss.so debug\\n/' " + "/etc/pam.d/sudo-i") + multihost.client[0].run_command('systemctl stop sssd ; ' + 'rm -rf /var/log/sssd/* ; ' + 'rm -rf /var/lib/sss/db/* ; ' + 'systemctl start sssd') + multihost.client[0].run_command("sssctl debug-level 9") + ssh = SSHClient(multihost.client[0].sys_hostname, + username='admin', password='Secret123') + (_, _, exit_status) = ssh.execute_cmd('kinit admin', + stdin='Secret123') + (result, errors, exit_status) = ssh.exec_command('klist') + (result, errors, exit_status) = ssh.execute_cmd('ipa ' + 'sudocmd-add ALL2') + (result, errors, exit_status) = ssh.execute_cmd('ipa ' + 'sudorule-add ' + 'testrule2') + (result, errors, exit_status) = ssh.execute_cmd("ipa sudorule-add" + "-allow-command " + "testrule2 " + "--sudocmds 'ALL2'") + (result, errors, exit_status) = ssh.execute_cmd('ipa ' + 'sudorule-mod ' + 'testrule2 ' + '--hostcat=all') + (result, errors, exit_status) = ssh.execute_cmd('ipa ' + 'sudorule-add-user ' + 'testrule2 ' + '--users admin') + (result, errors, exit_status) = ssh.execute_cmd('sudo -l') + ssh.close() + search = multihost.client[0].run_command('fgrep ' + 'gssapi_ ' + '/var/log/sssd/sssd_pam.log ' + '|tail -10') + assert 'indicators: 0' in search.stdout_text + client = sssdTools(multihost.client[0]) + domain_params = {'pam_gssapi_services': 'sudo, sudo-i', + 'pam_gssapi_indicators_map': 'sudo-i:hardened'} + client.sssd_conf('pam', domain_params) + multihost.client[0].run_command('systemctl stop sssd ; ' + 'rm -rf /var/log/sssd/* ; ' + 'rm -rf /var/lib/sss/db/* ; ' + 'systemctl start sssd') + ssh = SSHClient(multihost.client[0].sys_hostname, + username='admin', password='Secret123') + (_, _, exit_status) = ssh.execute_cmd('kinit admin', + stdin='Secret123') + multihost.client[0].run_command("sssctl debug-level 9") + (result, errors, exit_status) = ssh.execute_cmd('sudo -l') + (result, errors, exit_status) = ssh.exec_command('klist') + (result, errors, exit_status) = ssh.execute_cmd('ipa ' + 'sudocmd-del ALL2') + (result, errors, exit_status) = ssh.execute_cmd('ipa ' + 'sudorule-del ' + 'testrule2') + multihost.client[0].run_command('cp -vf /etc/pam.d/sudo_indicators ' + '/etc/pam.d/sudo') + multihost.client[0].run_command('cp -vf /etc/pam.d/sudo-i_indicators ' + '/etc/pam.d/sudo-i') + search = multihost.client[0].run_command('fgrep gssapi_ ' + '/var/log/sssd/sssd_pam.log' + ' |tail -10') + ssh.close() + assert 'indicators: 2' in search.stdout_text