URL: https://github.com/freeipa/freeipa/pull/5171 Author: tiran Title: #5171: [Backport][ipa-4-8] Check ca_wrapped in ipa-custodia-check Action: opened
PR body: """ Manual backport of PR #5112 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5171/head:pr5171 git checkout pr5171
From bf06caa8ace05b1cfc561fce6ca397116728bd4b Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Wed, 16 Sep 2020 17:01:29 +0200
Subject: [PATCH 1/2] Check ca_wrapped in ipa-custodia-check

ca_wrapped uses Dogtag's pki tool (written in Java) to wrap key material. Add checks to custodia to verify that key wrapping works.

Related: https://pagure.io/freeipa/issue/8488

Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 install/tools/ipa-custodia-check.in | 2 ++
 ipaplatform/base/paths.py | 1 +
 ipaplatform/debian/paths.py | 1 +
 ipatests/test_integration/test_installation.py | 6 ++++++
 ipatests/test_integration/test_simple_replication.py | 10 ++++++++++
 5 files changed, 20 insertions(+)

diff --git a/install/tools/ipa-custodia-check.in b/install/tools/ipa-custodia-check.in
index 5143dc4983..66f8f1d723 100644
--- a/install/tools/ipa-custodia-check.in
+++ b/install/tools/ipa-custodia-check.in
@@ -49,6 +49,8 @@ KEYS = [
 'dm/DMHash',
 'ra/ipaCert',
 'ca/auditSigningCert cert-pki-ca',
+ 'ca_wrapped/auditSigningCert cert-pki-ca',
+ 'ca_wrapped/auditSigningCert cert-pki-ca/1.2.840.113549.3.7',
 'ca/caSigningCert cert-pki-ca',
 'ca/ocspSigningCert cert-pki-ca',
 'ca/subsystemCert cert-pki-ca',
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 2528192b4a..a1390fbfd5 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -391,6 +391,7 @@ class BasePathNamespace:
 IPA_CUSTODIA_SOCKET = '/run/httpd/ipa-custodia.sock'
 IPA_CUSTODIA_AUDIT_LOG = '/var/log/ipa-custodia.audit.log'
 IPA_CUSTODIA_HANDLER = "/usr/libexec/ipa/custodia"
+ IPA_CUSTODIA_CHECK = "/usr/libexec/ipa/ipa-custodia-check"
 IPA_GETKEYTAB = '/usr/sbin/ipa-getkeytab'
 EXTERNAL_SCHEMA_DIR = '/usr/share/ipa/schema.d'
 GSSPROXY_CONF = '/etc/gssproxy/10-ipa.conf'
diff --git a/ipaplatform/debian/paths.py b/ipaplatform/debian/paths.py
index ad49afd357..c97007acea 100644
--- a/ipaplatform/debian/paths.py
+++ b/ipaplatform/debian/paths.py
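Review bot: The second new `KEYS` entry ends in a bare OID, `1.2.840.113549.3.7`, and nothing in the file says what it selects, so the list should carry a comment; `1.2.840.113549.3.7` is the PKCS#7 des-ede3-cbc identifier, and given the commit message the trailing path component presumably names the wrap algorithm the pki tool is asked for — `# ca_wrapped/<nick>/<oid>: <oid> selects the key-wrap algorithm; 1.2.840.113549.3.7 = des-ede3-cbc`. Because that pins the check to a legacy cipher, if the handler also accepts an AES OID a second entry for it would make the check cover the algorithm current deployments should be using; whether it does depends on handler code not in this hunk. The `KEYS` list continues beyond the hunk on both sides.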
@@ -117,6 +117,7 @@ class DebianPathNamespace(BasePathNamespace):
 IPA_CUSTODIA_SOCKET = "/run/apache2/ipa-custodia.sock"
 IPA_CUSTODIA_AUDIT_LOG = '/var/log/ipa-custodia.audit.log'
 IPA_CUSTODIA_HANDLER = "/usr/lib/ipa/custodia"
+ IPA_CUSTODIA_CHECK = "/usr/lib/ipa/ipa-custodia-check"
 WSGI_PREFIX_DIR = "/run/apache2/wsgi"
 paths = DebianPathNamespace()
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
index ec826edb73..edb7245a54 100644
--- a/ipatests/test_integration/test_installation.py
+++ b/ipatests/test_integration/test_installation.py
@@ -1005,6 +1005,12 @@ def test_admin_root_alias_CVE_2020_10747(self):
 assert result.returncode != 0
 assert 'user with name "root" already exists' in result.stderr_text
+ def test_ipa_custodia_check(self):
+ # check local key retrieval
+ self.master.run_command(
+ [paths.IPA_CUSTODIA_CHECK, self.master.hostname]
+ )
+
 class TestInstallMasterKRA(IntegrationTest):
diff --git a/ipatests/test_integration/test_simple_replication.py b/ipatests/test_integration/test_simple_replication.py
index 7071e6ee70..8de3851447 100644
--- a/ipatests/test_integration/test_simple_replication.py
+++ b/ipatests/test_integration/test_simple_replication.py
@@ -21,6 +21,7 @@
 import pytest
+ from ipaplatform.paths import paths
 from ipapython.dn import DN
 from ipatests.pytest_ipa.integration import tasks
 from ipatests.test_integration.base import IntegrationTest
@@ -94,6 +95,15 @@ def test_replica_manage(self):
 assert msg1 not in result.stdout_text
 assert msg2 not in result.stdout_text
+ def test_ipa_custodia_check(self):
+ replica = self.replicas[0]
+ self.master.run_command(
+ [paths.IPA_CUSTODIA_CHECK, replica.hostname]
+ )
+ replica.run_command(
+ [paths.IPA_CUSTODIA_CHECK, self.master.hostname]
+ )
+
 def test_replica_removal(self):
 """Test replica removal"""
 result = self.master.run_command(['ipa-replica-manage', 'list'])

From a65cb408a5e9b498e6302af2f596bbdc14314210 Mon Sep 17 00:00:00 2001
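Review bot: The new `test_ipa_custodia_check` in test_installation.py has no docstring, while the neighbouring `test_replica_removal` in test_simple_replication.py documents itself with one; the same applies to the `test_ipa_custodia_check` added to test_simple_replication.py in the last hunk of this patch. Neither test asserts anything about the command's output, so they pass or fail only through `run_command`'s handling of a non-zero exit status, which is worth stating: `"""Check that ipa-custodia-check retrieves every key from the local master (a non-zero exit fails the test)."""` here, and `"""Check custodia key retrieval in both directions between master and replica."""` in the replication test. The replication test also assumes `self.replicas[0]` exists, which presumably holds for that class but is not visible in this hunk.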
From: Christian Heimes <chei...@redhat.com>
Date: Wed, 23 Sep 2020 15:22:00 +0200
Subject: [PATCH 2/2] Verify freeipa-selinux's ipa module is loaded

ipa-custodia tests will fail if the ipa.pp override module from freeipa-selinux is not correctly installed, loaded, and enabled.

Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 ipaplatform/base/paths.py | 1 +
 .../test_integration/test_installation.py | 19 +++++++++++++++++++
 2 files changed, 20 insertions(+)

diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index a1390fbfd5..0c5494612d 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -263,6 +263,7 @@ class BasePathNamespace:
 RESTORECON = "/usr/sbin/restorecon"
 SELINUXENABLED = "/usr/sbin/selinuxenabled"
 SETSEBOOL = "/usr/sbin/setsebool"
+ SEMODULE = "/usr/sbin/semodule"
 SMBD = "/usr/sbin/smbd"
 USERADD = "/usr/sbin/useradd"
 FONTS_DIR = "/usr/share/fonts"
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
index edb7245a54..5cf84385d7 100644
--- a/ipatests/test_integration/test_installation.py
+++ b/ipatests/test_integration/test_installation.py
@@ -1011,6 +1011,25 @@ def test_ipa_custodia_check(self):
 [paths.IPA_CUSTODIA_CHECK, self.master.hostname]
 )
+ @pytest.mark.skipif(
+ paths.SEMODULE is None, reason="test requires semodule command"
+ )
+ def test_ipa_selinux_policy(self):
+ # check that freeipa-selinux's policy module is loaded and
+ # not disabled
+ result = self.master.run_command(
+ [paths.SEMODULE, "-lfull"]
+ )
+ # prio module pp [disabled]
+ # 100: default priority
+ # 200: decentralized SELinux policy priority
+ entries = {
+ tuple(line.split())
+ for line in result.stdout_text.split('\n')
+ if line.strip()
+ }
+ assert ('200', 'ipa', 'pp') in entries
+
 class TestInstallMasterKRA(IntegrationTest):
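Review bot: The `skipif(paths.SEMODULE is None, ...)` guard never fires with the value this same series adds to `BasePathNamespace` (`"/usr/sbin/semodule"`), so unless a platform namespace overrides it to `None` the test errors out inside `run_command` on a host without the binary instead of skipping; either document that platform overrides are the intended skip trigger or check the file's presence on the master at test time. The membership test `('200', 'ipa', 'pp') in entries` handles the disabled case correctly because, per the format comment, a disabled module carries a fourth `[disabled]` column and so never matches, but that is subtle enough to deserve a line: `# a disabled module lists as ('200', 'ipa', 'pp', '[disabled]') and so does not match`. The method also lacks a docstring; `"""Verify freeipa-selinux's ipa policy module is loaded at priority 200 and enabled."""` would do.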