URL: https://github.com/freeipa/freeipa/pull/2287 Author: Rezney Title: #2287: Integration test for sssd_ssh leaks Action: opened
PR body: """ Integration test for sssd_ssh leaks https://pagure.io/SSSD/sssd/issue/3794 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/2287/head:pr2287 git checkout pr2287
From 1af32fd29f577abaf6cb02aafabda7b14496ad3f Mon Sep 17 00:00:00 2001
From: Michal Reznik <mrez...@redhat.com>
Date: Thu, 23 Aug 2018 10:34:39 +0200
Subject: [PATCH 1/3] tests: sssd_ssh fd leaks when user cert converted into SSH key
---
 ipatests/pytest_ipa/integration/tasks.py | 1 +
 ipatests/test_integration/test_commands.py | 48 ++++++++++++++++++++++
 2 files changed, 49 insertions(+)
diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
index 23090ebbab..fcfd703b41 100644
--- a/ipatests/pytest_ipa/integration/tasks.py
+++ b/ipatests/pytest_ipa/integration/tasks.py
@@ -1530,3 +1530,4 @@ def generate_ssh_keypair():
 public_key_str = public_key.decode('utf-8')
 return (private_key_str, public_key_str)
+
diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
index e207c7543c..5fc68f7a1f 100644
--- a/ipatests/test_integration/test_commands.py
+++ b/ipatests/test_integration/test_commands.py
@@ -11,6 +11,7 @@
 import logging
 import ssl
 from tempfile import NamedTemporaryFile
+from itertools import chain, repeat
 import textwrap
 import time
 import paramiko
@@ -20,6 +21,7 @@
 from ipatests.test_integration.base import IntegrationTest
 from ipatests.pytest_ipa.integration import tasks
+from ipatests.create_external_ca import ExternalCA
 logger = logging.getLogger(__name__)
@@ -355,3 +357,49 @@ def test_ssh_key_connection(self, tmpdir):
 # cleanup
 self.master.run_command(['ipa', 'user-del', test_user])
+
+ def test_ssh_leak(self):
+ """
+ Integration test for https://pagure.io/SSSD/sssd/issue/3794
+ """
+
+ def count_pipes():
+
+ res = self.master.run_command(['pidof', 'sssd_ssh'])
+ pid = res.stdout_text.strip()
+ proc_path = '/proc/{}/fd'.format(pid)
+ res = self.master.run_command(['ls', '-la', proc_path])
+ fds_text = res.stdout_text.strip()
+ return sum((1 for _ in re.finditer(r'pipe', fds_text)))
+
+ test_user = 'test-ssh'
+
+ tasks.kinit_admin(self.master)
+ self.master.run_command(['ipa', 'user-add', test_user,
+ '--first=tester', '--last=tester'])
+
+ certs = []
+
+ # we are ok with whatever certificate for this test
+ external_ca = ExternalCA()
+ for i in range(3):
+ cert = external_ca.create_ca()
+ cert = tasks.strip_cert_header(cert.decode('utf-8'))
+ certs.append('"{}"'.format(cert))
+
+ cert_args = list(
+ chain.from_iterable(list(zip(repeat('--certificate'), certs))))
+ cmd = 'ipa user-add-cert {} {}'.format(test_user, ' '.join(cert_args))
+ self.master.run_command(cmd)
+
+ tasks.clear_sssd_cache(self.master)
+
+ num_of_pipes = count_pipes()
+
+ for i in range(3):
+ self.master.run_command([paths.SSS_SSH_AUTHORIZEDKEYS, test_user])
+ current_num_of_pipes = count_pipes()
+ assert current_num_of_pipes == num_of_pipes
+
+ # cleanup
+ self.master.run_command(['ipa', 'user-del', test_user])
From 5ee328086d1effbc611472d8fd6741efc8e74eb1 Mon Sep 17 00:00:00 2001
From: Michal Reznik <mrez...@redhat.com>
Date: Thu, 23 Aug 2018 10:42:31 +0200
Subject: [PATCH 2/3] temp_commit
---
 ipatests/prci_definitions/gating.yaml | 207 +-------------------------
 1 file changed, 2 insertions(+), 205 deletions(-)
diff --git a/ipatests/prci_definitions/gating.yaml b/ipatests/prci_definitions/gating.yaml
index ba09d8276c..dd9fbe8ca3 100644
--- a/ipatests/prci_definitions/gating.yaml
+++ b/ipatests/prci_definitions/gating.yaml
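Review bot: `self.master.run_command(cmd)` in the new `test_ssh_leak` hands the host a shell string assembled with `str.format`, while every other command in the test (and in `test_ssh_key_connection` above it) passes an argv list; the `'"{}"'.format(cert)` wrapping exists only to survive that shell round-trip, and the certificate body returned by `strip_cert_header` still contains newlines that then travel through the shell. Pass the list form and drop the quoting: `cert_args = list(chain.from_iterable(zip(repeat('--certificate'), certs)))` followed by `self.master.run_command(['ipa', 'user-add-cert', test_user] + cert_args)`, appending the bare `cert` to `certs`. `count_pipes()` also assumes `pidof sssd_ssh` prints exactly one PID; if the responder is not running after `clear_sssd_cache` restarts sssd, or more than one PID comes back, `'/proc/{}/fd'.format(pid)` names nothing and `ls` fails with an unrelated error, so assert on a single PID (or run the authorized-keys helper once before taking the baseline) and say so in a comment. The closing `user-del` only runs when all three assertions pass, so a real regression leaves `test-ssh` behind for later tests; put the body in `try:` and the cleanup in `finally:`, and the unused loop variable `i` can be `_`. Whether `re` and `paths` are imported in test_commands.py is not visible in these hunks.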
@@ -27,218 +27,15 @@ jobs: timeout: 1800 topology: *build - fedora-28/simple_replication: + fedora-28/test_commands_SSH: requires: [fedora-28/build] priority: 50 job: class: RunPytest args: build_url: '{fedora-28/build_url}' - test_suite: test_integration/test_simple_replication.py + test_suite: test_integration/test_commands.py::TestIPACommand::test_ssh_leak template: *ci-master-f28 timeout: 3600 topology: *master_1repl - fedora-28/caless: - requires: [fedora-28/build] - priority: 50 - job: - class: RunPytest - args: - build_url: '{fedora-28/build_url}' - test_suite: test_integration/test_caless.py::TestServerReplicaCALessToCAFull - template: *ci-master-f28 - timeout: 3600 - topology: *master_1repl - - fedora-28/external_ca_1: - requires: [fedora-28/build] - priority: 50 - job: - class: RunPytest - args: - build_url: '{fedora-28/build_url}' - test_suite: test_integration/test_external_ca.py::TestExternalCA - template: *ci-master-f28 - timeout: 4800 - topology: *master_1repl_1client - - fedora-28/external_ca_2: - requires: [fedora-28/build] - priority: 50 - job: - class: RunPytest - args: - build_url: '{fedora-28/build_url}' - test_suite: test_integration/test_external_ca.py::TestSelfExternalSelf test_integration/test_external_ca.py::TestExternalCAInstall - template: *ci-master-f28 - timeout: 3600 - topology: *master_1repl - - fedora-28/test_topologies: - requires: [fedora-28/build] - priority: 50 - job: - class: RunPytest - args: - build_url: '{fedora-28/build_url}' - test_suite: test_integration/test_topologies.py - template: *ci-master-f28 - timeout: 3600 - topology: *master_1repl - - fedora-28/test_sudo: - requires: [fedora-28/build] - priority: 50 - job: - class: RunPytest - args: - build_url: '{fedora-28/build_url}' - test_suite: test_integration/test_sudo.py - template: *ci-master-f28 - timeout: 4800 - topology: *master_1repl_1client - - fedora-28/test_commands: - requires: [fedora-28/build] - priority: 50 - job: - class: RunPytest - args: - build_url: 
'{fedora-28/build_url}' - test_suite: test_integration/test_commands.py - template: *ci-master-f28 - timeout: 3600 - topology: *master_1repl - - fedora-28/test_kerberos_flags: - requires: [fedora-28/build] - priority: 50 - job: - class: RunPytest - args: - build_url: '{fedora-28/build_url}' - test_suite: test_integration/test_kerberos_flags.py - template: *ci-master-f28 - timeout: 3600 - topology: *master_1repl_1client - - fedora-28/test_http_kdc_proxy: - requires: [fedora-28/build] - priority: 50 - job: - class: RunPytest - args: - build_url: '{fedora-28/build_url}' - test_suite: test_integration/test_http_kdc_proxy.py - template: *ci-master-f28 - timeout: 3600 - topology: *master_1repl_1client - - fedora-28/test_forced_client_enrolment: - requires: [fedora-28/build] - priority: 50 - job: - class: RunPytest - args: - build_url: '{fedora-28/build_url}' - test_suite: test_integration/test_forced_client_reenrollment.py - template: *ci-master-f28 - timeout: 4800 - topology: *master_1repl_1client - - fedora-28/test_advise: - requires: [fedora-28/build] - priority: 50 - job: - class: RunPytest - args: - build_url: '{fedora-28/build_url}' - test_suite: test_integration/test_advise.py - template: *ci-master-f28 - timeout: 3600 - topology: *master_1repl - - fedora-28/test_testconfig: - requires: [fedora-28/build] - priority: 50 - job: - class: RunPytest - args: - build_url: '{fedora-28/build_url}' - test_suite: test_integration/test_testconfig.py - template: *ci-master-f28 - timeout: 3600 - topology: *master_1repl - - fedora-28/test_service_permissions: - requires: [fedora-28/build] - priority: 50 - job: - class: RunPytest - args: - build_url: '{fedora-28/build_url}' - test_suite: test_integration/test_service_permissions.py - template: *ci-master-f28 - timeout: 3600 - topology: *master_1repl - - fedora-28/test_netgroup: - requires: [fedora-28/build] - priority: 50 - job: - class: RunPytest - args: - build_url: '{fedora-28/build_url}' - test_suite: 
test_integration/test_netgroup.py - template: *ci-master-f28 - timeout: 3600 - topology: *master_1repl - - fedora-28/test_vault: - requires: [fedora-28/build] - priority: 50 - job: - class: RunPytest - args: - build_url: '{fedora-28/build_url}' - test_suite: test_integration/test_vault.py - template: *ci-master-f28 - timeout: 6300 - topology: *master_1repl - - fedora-28/test_authconfig: - requires: [fedora-28/build] - priority: 50 - job: - class: RunPytest - args: - build_url: '{fedora-28/build_url}' - test_suite: test_integration/test_authselect.py - template: *ci-master-f28 - timeout: 4800 - topology: *master_1repl_1client - - fedora-28/replica_promotion: - requires: [fedora-28/build] - priority: 50 - job: - class: RunPytest - args: - build_url: '{fedora-28/build_url}' - test_suite: test_integration/test_replica_promotion.py::TestSubCAkeyReplication - template: *ci-master-f28 - timeout: 3600 - topology: *master_1repl - - fedora-28/dnssec: - requires: [fedora-28/build] - priority: 50 - job: - class: RunPytest - args: - build_url: '{fedora-28/build_url}' - test_suite: test_integration/test_dnssec.py::TestInstallDNSSECFirst - template: *ci-master-f28 - timeout: 3600 - topology: *master_1repl From bf9128c937bb6e8b203c9115f34dc2af263eb424 Mon Sep 17 00:00:00 2001 From: Michal Reznik <mrez...@redhat.com> Date: Mon, 27 Aug 2018 15:56:12 +0200 Subject: [PATCH 3/3] add strip_cert_header() to tasks.py --- ipatests/pytest_ipa/integration/tasks.py | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py index fcfd703b41..8f3f809615 100644 --- a/ipatests/pytest_ipa/integration/tasks.py +++ b/ipatests/pytest_ipa/integration/tasks.py 
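Review bot: Nothing in this commit restores the gating jobs it removes (`fedora-28/simple_replication`, `caless`, `external_ca_1`/`_2`, `test_topologies`, `test_sudo`, `test_commands`, … through `dnssec`), so merged as-is it would leave PR gating running the single `fedora-28/test_commands_SSH` job. The subject `temp_commit` suggests it exists only to exercise the new test in PR-CI; it should be squashed out before merge, or the removed jobs restored with `test_commands_SSH` added next to `fedora-28/test_commands` rather than in its place. Note also that the surviving job pins `test_suite` to `test_commands.py::TestIPACommand::test_ssh_leak`, while the dropped `fedora-28/test_commands` ran the whole file.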
@@ -1531,3 +1531,16 @@ def generate_ssh_keypair():
 return (private_key_str, public_key_str)
+
+def strip_cert_header(pem):
+ """
+ Remove the header and footer from a certificate.
+ """
+ regexp = (
+ r"^-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----"
+ )
+ s = re.search(regexp, pem, re.MULTILINE | re.DOTALL)
+ if s is not None:
+ return s.group(1)
+ else:
+ return pem
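Review bot: `s.group(1)` in the new `strip_cert_header` returns the body with the newline after the BEGIN marker and the newline before the END marker still attached, and the non-greedy `(.*?)` picks up only the first certificate when *pem* holds a chain; neither fact, nor the fallthrough that returns *pem* unchanged when no markers are found, is stated in the docstring. Replace it with something like `"""Return the base64 body of the first PEM certificate in *pem* (surrounding newlines included), or *pem* unchanged when no BEGIN/END CERTIFICATE markers are found."""`. If callers are expected to pass the result on as a bare base64 value, `return s.group(1).strip()` would make that explicit, and the `if`/`else` around two returns can collapse to `return s.group(1) if s is not None else pem`. Whether `re` is already imported in tasks.py is outside this hunk.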