From 7d68f4f08361760adab90ad4b44c6da2c4ea664d Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Apr 06 2023 06:53:32 +0000
Subject: RBCD: add basic test for RBCD handling

Add a test that uses IPA API to allow delegation of RBCD configuration to a host and then use it to set up RBCD rule for a service. Run RBCD check when the rule exists and when the rule is removed. Since we only provide RBCD support on KDC side with Kerberos 1.20, skip the test on Fedora versions prior to Fedora 38 and on RHEL versions prior to RHEL 9.2.

Fixes: https://pagure.io/freeipa/issue/9354

Signed-off-by: Alexander Bokovoy
Reviewed-By: Rob Crittenden
---
diff --git a/ipatests/test_integration/test_service_permissions.py b/ipatests/test_integration/test_service_permissions.py
index aab1a94..b855158 100644
--- a/ipatests/test_integration/test_service_permissions.py
+++ b/ipatests/test_integration/test_service_permissions.py
@@ -22,6 +22,12 @@ import os
 from ipatests.test_integration.base import IntegrationTest
 from ipatests.pytest_ipa.integration import tasks
+from ipaplatform.osinfo import osinfo
+import pytest
+skip_rbcd_tests = any([
+    (osinfo.id == 'fedora' and osinfo.version_number < (38,)),
+    (osinfo.id == 'rhel' and osinfo.version_number < (9,2))])
+
 class TestServicePermissions(IntegrationTest):
     topology = 'star'
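Review bot: `skip_rbcd_tests` is named, and described in the commit message, as a skip condition, but the next hunk consumes it through `@pytest.mark.xfail(..., strict=True)`, so on older Fedora/RHEL the test still runs its full kinit/service-add/kvno sequence against the KDC and is merely expected to fail. If the intent is to not exercise the path at all, `@pytest.mark.skipif(skip_rbcd_tests, reason='krb5 before 1.20')` matches both the name and the message; if the xfail is deliberate, a comment above the definition such as `# used as xfail, not skip: an unexpected pass signals RBCD support arrived` would make the mismatch intentional. The condition only covers the `fedora` and `rhel` ids; on any other platform with a pre-1.20 krb5 the test runs and fails outright, so either a comment stating that this is accepted or a gate on the installed krb5 version rather than the distro would make the policy explicit. Stylistically, `any([...])` over two literal terms reads more simply as `a or b`, and `import pytest` belongs with the third-party group rather than after the project imports.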
@@ -142,3 +148,47 @@ class TestServicePermissions(IntegrationTest):
         service_name3 = "testservice3" + '/' + self.master.hostname
         self.master.run_command(['ipa', 'service-add', service_name3])
         self.master.run_command(['ipa', 'service-del', service_name3])
+
+    @pytest.mark.xfail(
+        skip_rbcd_tests,
+        reason='krb5 before 1.20', strict=True)
+    def test_service_delegation(self):
+        """ Test that host can handle resource-based constrained delegation of
+        own services. """
+
+        keytab_file = '/etc/krb5.keytab'
+        keytab_file4 = '/tmp/krb5-testservice4.keytab'
+        hostservice_name4 = "host" + "/" + self.master.hostname
+        service_name4 = "testservice4" + '/' + self.master.hostname
+        self.master.run_command(['kinit', '-kt', keytab_file])
+        # Add service and configure delegation
+        self.master.run_command(['ipa', 'service-add', service_name4])
+        self.master.run_command(['kdestroy'])
+        tasks.kinit_admin(self.master)
+        self.master.run_command(['ipa', 'service-add-delegation',
+                                 service_name4, hostservice_name4])
+        self.master.run_command(['kinit', '-kt', keytab_file])
+        self.master.run_command(['ipa-getkeytab',
+                                 '-p', service_name4,
+                                 '-k', keytab_file4])
+        # Verify access to service is granted
+        result = self.master.run_command(['kvno', '-U', 'admin',
+                                          '-k', keytab_file,
+                                          '-P', hostservice_name4,
+                                          service_name4],
+                                         raiseonerr=False)
+        assert result.returncode == 0
+
+        tasks.kinit_admin(self.master)
+        self.master.run_command(['ipa', 'service-remove-delegation',
+                                 service_name4, hostservice_name4])
+        # Verify access to service is not granted
+        self.master.run_command(['kinit', '-kt', keytab_file])
+        result = self.master.run_command(['kvno', '-U', 'admin',
+                                          '-k', keytab_file,
+                                          '-P', hostservice_name4,
+                                          service_name4],
+                                         raiseonerr=False)
+        assert result.returncode > 0
+
+        self.master.run_command(['ipa', 'service-del', service_name4])
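Review bot: The test leaves state behind whenever an assertion or command fails before the final `service-del`: the `testservice4` principal, its delegation rule and the keytab written to `/tmp/krb5-testservice4.keytab` all remain on the master, and even on success the temporary keytab and the host ticket cache obtained with `kinit -kt /etc/krb5.keytab` are never cleaned up, which can leak into later tests in this class. Wrapping the body in `try`/`finally` with best-effort cleanup (`raiseonerr=False` on `service-del`, removal of the temporary keytab, re-acquiring the admin cache) keeps a single failure from cascading. The negative check `assert result.returncode > 0` accepts any kvno failure, including one unrelated to the removed delegation rule (wrong ccache, KDC unreachable); additionally asserting on the error text in `result.stderr_text` would tie the assertion to the RBCD decision, though I have not verified the exact message the KDC emits here. The enclosing class starts outside the hunk.
```python
    def test_service_delegation(self):
        # … unchanged: docstring, keytab_file/keytab_file4/hostservice_name4/service_name4 …
        try:
            # … unchanged: service-add, add-delegation, ipa-getkeytab, both kvno checks …
            assert result.returncode > 0
        finally:
            # best-effort cleanup so a failed run does not leave the rule,
            # the service or the temporary keytab on the master
            tasks.kinit_admin(self.master)
            self.master.run_command(['ipa', 'service-del', service_name4],
                                    raiseonerr=False)
            self.master.run_command(['rm', '-f', keytab_file4],
                                    raiseonerr=False)
```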