On 09/10/2015 06:41 PM, Milan Kubík wrote:
On 09/10/2015 06:36 PM, Alexander Bokovoy wrote:
On Thu, 10 Sep 2015, Milan Kubík wrote:
Hi list,

before my PTO, I was trying to write a functional test for CA ACLs
with the tracker along all other acceptance/functional tests.

I wasn't successful; the approach doesn't seem to work for CA ACLs as
they have specific requirements for Kerberos credentials
that none of my attempts were able to meet. I have tried several
approaches and the memo I got out of this is that currently, there
seems to be no way to conveniently run a test that changes the
user identity during the functional test (xmlrpc tests).

I haven't had much time to write an integration test that should
solve these problems with changing identity.

The approaches I have tried include, in no particular order:

* switch the default ccache to the identity desired, before calls
made on an API object
   - in case of FILE ccache, moving it back and forth
   - in case of kernel keyring, using kswitch

* instantiating another API instance in the process running the test,
while the other ccache is active
   - the API object internals seem to prevent this as there is still
a lot of shared state between the API instances

* running the command supposed to have different identity as a
subprocess after switching the identity
   - this attempt seemed to have inherited the opened connection to
the backend from the parent python process,
     creating a conflict during the client bootstrap

* injecting the KRB5CCNAME environment variable with second identity
into the python process
   - the API instance doesn't seem to be affected by this value half
of the times.
   - randomly, the new credentials are used, breaking all the things.

Unable to change the user during the test, the code I wrote for this
wasn't doing what I intended it to do
because the admin user used in the tests overrides all CA ACLs.

One way to do it is to use keyctl to create subsessions for different
authenticated users and switch between subsessions for the separate
calls.

See the keyctl manual page and the 'keyctl session <name>' part.

Thanks, I'll take a look at this next week.


Maybe you can also try to wrap the user auth, connection and API calls
in 'ipapython.ipautil.private_ccache' context manager like this:

"""
from ipalib import api
from ipapython.ipautil import private_ccache, kinit_password, run

api.bootstrap()
api.finalize()

tmp_ccache='krb5cc_jdoe'

run(['klist']) # should list admin as default principal

with private_ccache(tmp_ccache):
    kinit_password(u'jdoe', u'jdoepasswd', tmp_ccache)
    run(['klist']) # lists jdoe as default principal
    api.Backend.rpcclient.connect(ccache=tmp_ccache)
    api.Command.ping()
    api.backend.rpcclient.disconnect()

run(['klist']) # KRB5CCNAME should be reset back to admin ccache        
"""

I have tested it and it seems to work. I haven't played with it very extensively, though.

--
Martin^3 Babinsky
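The pattern behind the snippet above, as an added stand-alone example (not FreeIPA's own code and not part of the thread): a context manager that scopes a second identity's credential cache to one block, restores the previous KRB5CCNAME afterwards and removes the temporary cache so the second identity cannot leak into later calls. It assumes no IPA server or Kerberos library is available, so `fake_kinit` and `current_principal` are constructed stand-ins that write and read a principal name from the cache file instead of calling kinit/klist; the realm and principal names are made up.

```python
import os
import tempfile
from contextlib import contextmanager


@contextmanager
def private_ccache(path=None):
    """Point KRB5CCNAME at a private credential cache for the duration of
    the block, then restore the previous value and delete the cache.
    Re-implementation of the pattern for illustration, not ipautil's code."""
    tmpdir = None
    if path is None:
        tmpdir = tempfile.mkdtemp(prefix="krbcc")
        path = os.path.join(tmpdir, "ccache")
    previous = os.environ.get("KRB5CCNAME")
    os.environ["KRB5CCNAME"] = path
    try:
        yield path
    finally:
        # restore exactly the prior state: unset if it was unset before
        if previous is None:
            os.environ.pop("KRB5CCNAME", None)
        else:
            os.environ["KRB5CCNAME"] = previous
        # never leave the second identity's credentials on disk
        if os.path.exists(path):
            os.remove(path)
        if tmpdir is not None:
            try:
                os.rmdir(tmpdir)
            except OSError:
                pass


def fake_kinit(principal, ccache_path):
    """Constructed stand-in for kinit_password: records the principal in
    the cache file instead of obtaining a real TGT."""
    with open(ccache_path, "w") as f:
        f.write(principal)


def current_principal():
    """Constructed stand-in for 'klist': reports the principal held by the
    cache that KRB5CCNAME currently points at."""
    path = os.environ.get("KRB5CCNAME")
    if not path or not os.path.exists(path):
        return None
    with open(path) as f:
        return f.read().strip()


def run_as(principal, func):
    """Run func() with `principal` as the default identity, inside a private
    ccache, and hand back its result. Any error still restores the caller's
    identity because the context manager cleans up in `finally`."""
    with private_ccache() as cc:
        fake_kinit(principal, cc)
        return func()


def demo():
    """Scenario from the thread: admin is the default identity, one call is
    made as jdoe, and admin must be the default again afterwards.
    Returns (before, inside, after, jdoe_cache_left_on_disk)."""
    admin_dir = tempfile.mkdtemp(prefix="krbcc_admin")
    admin_cc = os.path.join(admin_dir, "ccache")
    saved = os.environ.get("KRB5CCNAME")
    try:
        fake_kinit("admin@EXAMPLE.TEST", admin_cc)  # constructed principal
        os.environ["KRB5CCNAME"] = admin_cc
        before = current_principal()
        seen = {}

        def call():
            seen["path"] = os.environ["KRB5CCNAME"]
            return current_principal()

        inside = run_as("jdoe@EXAMPLE.TEST", call)  # constructed principal
        after = current_principal()
        leaked = os.path.exists(seen["path"])
        return before, inside, after, leaked
    finally:
        if saved is None:
            os.environ.pop("KRB5CCNAME", None)
        else:
            os.environ["KRB5CCNAME"] = saved
        if os.path.exists(admin_cc):
            os.remove(admin_cc)
        os.rmdir(admin_dir)


if __name__ == "__main__":
    print(demo())
```

Two points the example makes explicit. First, the restore happens in `finally`, so a failing assertion inside the block does not leave the test process pointing at the wrong identity for the remaining tests, which is the "randomly, the new credentials are used" symptom described earlier in the thread. Second, swapping KRB5CCNAME only affects credentials resolved after the swap; a connection that was already opened keeps the credentials it was opened with, which is why the snippet above reconnects the rpcclient with the new ccache inside the block.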

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
