From c3bc938650b19a51706d8ccd98cdf8deaa26dc28 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Dec 22 2023 09:34:19 +0000 Subject: ipatests: make sure PKINIT enrollment works with a strict policy Previously, for a global policy which does not include 'password', krb5kdc restart was failing. Now it should succeed. We set admin user authentication type to PASSWORD to simplify configuration in the test. What matters here is that global policy does not include PKINIT and that means a code in the ticket policy check will allow PKINIT implicitly rather than explicitly. Related: https://pagure.io/freeipa/issue/9485 Signed-off-by: Alexander Bokovoy Reviewed-By: Francisco Trivino --- diff --git a/ipatests/test_integration/test_pkinit_install.py b/ipatests/test_integration/test_pkinit_install.py index caa0e6a..5c2e7af 100644 --- a/ipatests/test_integration/test_pkinit_install.py +++ b/ipatests/test_integration/test_pkinit_install.py @@ -23,6 +23,24 @@ class TestPkinitClientInstall(IntegrationTest): def install(cls, mh): tasks.install_master(cls.master) + def enforce_password_and_otp(self): + """enforce otp by default and password for admin """ + self.master.run_command( + [ + "ipa", + "config-mod", + "--user-auth-type=otp", + ] + ) + self.master.run_command( + [ + "ipa", + "user-mod", + "admin", + "--user-auth-type=password", + ] + ) + def add_certmaperule(self): """add certmap rule to map SAN dNSName to host entry""" self.master.run_command( @@ -86,6 +104,14 @@ class TestPkinitClientInstall(IntegrationTest): cabundle = self.master.get_file_contents(paths.KDC_CA_BUNDLE_PEM) client.put_file_contents(self.tmpbundle, cabundle) + def test_restart_krb5kdc(self): + tasks.kinit_admin(self.master) + self.enforce_password_and_otp() + self.master.run_command(['systemctl', 'stop', 'krb5kdc.service']) + self.master.run_command(['systemctl', 'start', 'krb5kdc.service']) + self.master.run_command(['systemctl', 'stop', 'kadmin.service']) + self.master.run_command(['systemctl', 'start', 'kadmin.service']) + def test_client_install_pkinit(self): tasks.kinit_admin(self.master) self.add_certmaperule()