URL: https://github.com/freeipa/freeipa/pull/2287
Author: Rezney
 Title: #2287: Integration test for sssd_ssh leaks
Action: opened

PR body:
"""
Integration test for sssd_ssh leaks

https://pagure.io/SSSD/sssd/issue/3794
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2287/head:pr2287
git checkout pr2287
From 1af32fd29f577abaf6cb02aafabda7b14496ad3f Mon Sep 17 00:00:00 2001
From: Michal Reznik <mrez...@redhat.com>
Date: Thu, 23 Aug 2018 10:34:39 +0200
Subject: [PATCH 1/3] tests: sssd_ssh fd leaks when user cert converted into
 SSH key

---
 ipatests/pytest_ipa/integration/tasks.py   |  1 +
 ipatests/test_integration/test_commands.py | 48 ++++++++++++++++++++++
 2 files changed, 49 insertions(+)

diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
index 23090ebbab..fcfd703b41 100644
--- a/ipatests/pytest_ipa/integration/tasks.py
+++ b/ipatests/pytest_ipa/integration/tasks.py
@@ -1530,3 +1530,4 @@ def generate_ssh_keypair():
     public_key_str = public_key.decode('utf-8')
 
     return (private_key_str, public_key_str)
+
diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
index e207c7543c..5fc68f7a1f 100644
--- a/ipatests/test_integration/test_commands.py
+++ b/ipatests/test_integration/test_commands.py
@@ -11,6 +11,7 @@
 import logging
 import ssl
 from tempfile import NamedTemporaryFile
+from itertools import chain, repeat
 import textwrap
 import time
 import paramiko
@@ -20,6 +21,7 @@
 
 from ipatests.test_integration.base import IntegrationTest
 from ipatests.pytest_ipa.integration import tasks
+from ipatests.create_external_ca import ExternalCA
 
 logger = logging.getLogger(__name__)
 
@@ -355,3 +357,49 @@ def test_ssh_key_connection(self, tmpdir):
 
         # cleanup
         self.master.run_command(['ipa', 'user-del', test_user])
+
+    def test_ssh_leak(self):
+        """
+        Integration test for https://pagure.io/SSSD/sssd/issue/3794
+        """
+
+        def count_pipes():
+
+            res = self.master.run_command(['pidof', 'sssd_ssh'])
+            pid = res.stdout_text.strip()
+            proc_path = '/proc/{}/fd'.format(pid)
+            res = self.master.run_command(['ls', '-la', proc_path])
+            fds_text = res.stdout_text.strip()
+            return sum((1 for _ in re.finditer(r'pipe', fds_text)))
+
+        test_user = 'test-ssh'
+
+        tasks.kinit_admin(self.master)
+        self.master.run_command(['ipa', 'user-add', test_user,
+                                 '--first=tester', '--last=tester'])
+
+        certs = []
+
+        # we are ok with whatever certificate for this test
+        external_ca = ExternalCA()
+        for i in range(3):
+            cert = external_ca.create_ca()
+            cert = tasks.strip_cert_header(cert.decode('utf-8'))
+            certs.append('"{}"'.format(cert))
+
+        cert_args = list(
+            chain.from_iterable(list(zip(repeat('--certificate'), certs))))
+        cmd = 'ipa user-add-cert {} {}'.format(test_user, ' '.join(cert_args))
+        self.master.run_command(cmd)
+
+        tasks.clear_sssd_cache(self.master)
+
+        num_of_pipes = count_pipes()
+
+        for i in range(3):
+            self.master.run_command([paths.SSS_SSH_AUTHORIZEDKEYS, test_user])
+            current_num_of_pipes = count_pipes()
+            assert current_num_of_pipes == num_of_pipes
+
+        # cleanup
+        self.master.run_command(['ipa', 'user-del', test_user])
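Review bot: The `ipa user-add-cert` call near the end of the certificate setup is assembled as one shell string, with each certificate body hand-wrapped in double quotes, while every other `run_command` call in this method passes an argv list; the value returned by `strip_cert_header` still contains line breaks, so that quoting is the only thing keeping the shell from splitting the PEM body. Passing a list avoids the shell entirely: `certs.append(cert)` and `self.master.run_command(['ipa', 'user-add-cert', test_user] + cert_args)`, with `cert_args` built as before. `count_pipes` uses `re` and the loop uses `paths`, but neither name appears in this patch's import hunks; if `test_commands.py` does not already import them above the shown lines, the test fails with a NameError before its first assertion. The `user-del` cleanup only runs when all three assertions pass, so a detected leak leaves `test-ssh` behind for later tests in the class; a `try`/`finally` around everything after `user-add` would make the cleanup unconditional. `pidof sssd_ssh` may print several space-separated PIDs, in which case `/proc/{}/fd` is built from the whole string; taking the first token or asserting exactly one PID makes the baseline explicit.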

From 5ee328086d1effbc611472d8fd6741efc8e74eb1 Mon Sep 17 00:00:00 2001
From: Michal Reznik <mrez...@redhat.com>
Date: Thu, 23 Aug 2018 10:42:31 +0200
Subject: [PATCH 2/3] temp_commit

---
 ipatests/prci_definitions/gating.yaml | 207 +-------------------------
 1 file changed, 2 insertions(+), 205 deletions(-)

diff --git a/ipatests/prci_definitions/gating.yaml b/ipatests/prci_definitions/gating.yaml
index ba09d8276c..dd9fbe8ca3 100644
--- a/ipatests/prci_definitions/gating.yaml
+++ b/ipatests/prci_definitions/gating.yaml
@@ -27,218 +27,15 @@ jobs:
         timeout: 1800
         topology: *build
 
-  fedora-28/simple_replication:
+  fedora-28/test_commands_SSH:
     requires: [fedora-28/build]
     priority: 50
     job:
       class: RunPytest
       args:
         build_url: '{fedora-28/build_url}'
-        test_suite: test_integration/test_simple_replication.py
+        test_suite: test_integration/test_commands.py::TestIPACommand::test_ssh_leak
         template: *ci-master-f28
         timeout: 3600
         topology: *master_1repl
 
-  fedora-28/caless:
-    requires: [fedora-28/build]
-    priority: 50
-    job:
-      class: RunPytest
-      args:
-        build_url: '{fedora-28/build_url}'
-        test_suite: test_integration/test_caless.py::TestServerReplicaCALessToCAFull
-        template: *ci-master-f28
-        timeout: 3600
-        topology: *master_1repl
-
-  fedora-28/external_ca_1:
-    requires: [fedora-28/build]
-    priority: 50
-    job:
-      class: RunPytest
-      args:
-        build_url: '{fedora-28/build_url}'
-        test_suite: test_integration/test_external_ca.py::TestExternalCA
-        template: *ci-master-f28
-        timeout: 4800
-        topology: *master_1repl_1client
-
-  fedora-28/external_ca_2:
-    requires: [fedora-28/build]
-    priority: 50
-    job:
-      class: RunPytest
-      args:
-        build_url: '{fedora-28/build_url}'
-        test_suite: test_integration/test_external_ca.py::TestSelfExternalSelf test_integration/test_external_ca.py::TestExternalCAInstall
-        template: *ci-master-f28
-        timeout: 3600
-        topology: *master_1repl
-
-  fedora-28/test_topologies:
-    requires: [fedora-28/build]
-    priority: 50
-    job:
-      class: RunPytest
-      args:
-        build_url: '{fedora-28/build_url}'
-        test_suite: test_integration/test_topologies.py
-        template: *ci-master-f28
-        timeout: 3600
-        topology: *master_1repl
-
-  fedora-28/test_sudo:
-    requires: [fedora-28/build]
-    priority: 50
-    job:
-      class: RunPytest
-      args:
-        build_url: '{fedora-28/build_url}'
-        test_suite: test_integration/test_sudo.py
-        template: *ci-master-f28
-        timeout: 4800
-        topology: *master_1repl_1client
-
-  fedora-28/test_commands:
-    requires: [fedora-28/build]
-    priority: 50
-    job:
-      class: RunPytest
-      args:
-        build_url: '{fedora-28/build_url}'
-        test_suite: test_integration/test_commands.py
-        template: *ci-master-f28
-        timeout: 3600
-        topology: *master_1repl
-
-  fedora-28/test_kerberos_flags:
-    requires: [fedora-28/build]
-    priority: 50
-    job:
-      class: RunPytest
-      args:
-        build_url: '{fedora-28/build_url}'
-        test_suite: test_integration/test_kerberos_flags.py
-        template: *ci-master-f28
-        timeout: 3600
-        topology: *master_1repl_1client
-
-  fedora-28/test_http_kdc_proxy:
-    requires: [fedora-28/build]
-    priority: 50
-    job:
-      class: RunPytest
-      args:
-        build_url: '{fedora-28/build_url}'
-        test_suite: test_integration/test_http_kdc_proxy.py
-        template: *ci-master-f28
-        timeout: 3600
-        topology: *master_1repl_1client
-
-  fedora-28/test_forced_client_enrolment:
-    requires: [fedora-28/build]
-    priority: 50
-    job:
-      class: RunPytest
-      args:
-        build_url: '{fedora-28/build_url}'
-        test_suite: test_integration/test_forced_client_reenrollment.py
-        template: *ci-master-f28
-        timeout: 4800
-        topology: *master_1repl_1client
-
-  fedora-28/test_advise:
-    requires: [fedora-28/build]
-    priority: 50
-    job:
-      class: RunPytest
-      args:
-        build_url: '{fedora-28/build_url}'
-        test_suite: test_integration/test_advise.py
-        template: *ci-master-f28
-        timeout: 3600
-        topology: *master_1repl
-
-  fedora-28/test_testconfig:
-    requires: [fedora-28/build]
-    priority: 50
-    job:
-      class: RunPytest
-      args:
-        build_url: '{fedora-28/build_url}'
-        test_suite: test_integration/test_testconfig.py
-        template: *ci-master-f28
-        timeout: 3600
-        topology: *master_1repl
-
-  fedora-28/test_service_permissions:
-    requires: [fedora-28/build]
-    priority: 50
-    job:
-      class: RunPytest
-      args:
-        build_url: '{fedora-28/build_url}'
-        test_suite: test_integration/test_service_permissions.py
-        template: *ci-master-f28
-        timeout: 3600
-        topology: *master_1repl
-
-  fedora-28/test_netgroup:
-    requires: [fedora-28/build]
-    priority: 50
-    job:
-      class: RunPytest
-      args:
-        build_url: '{fedora-28/build_url}'
-        test_suite: test_integration/test_netgroup.py
-        template: *ci-master-f28
-        timeout: 3600
-        topology: *master_1repl
-
-  fedora-28/test_vault:
-    requires: [fedora-28/build]
-    priority: 50
-    job:
-      class: RunPytest
-      args:
-        build_url: '{fedora-28/build_url}'
-        test_suite: test_integration/test_vault.py
-        template: *ci-master-f28
-        timeout: 6300
-        topology: *master_1repl
-
-  fedora-28/test_authconfig:
-    requires: [fedora-28/build]
-    priority: 50
-    job:
-      class: RunPytest
-      args:
-        build_url: '{fedora-28/build_url}'
-        test_suite: test_integration/test_authselect.py
-        template: *ci-master-f28
-        timeout: 4800
-        topology: *master_1repl_1client
-
-  fedora-28/replica_promotion:
-    requires: [fedora-28/build]
-    priority: 50
-    job:
-      class: RunPytest
-      args:
-        build_url: '{fedora-28/build_url}'
-        test_suite: test_integration/test_replica_promotion.py::TestSubCAkeyReplication
-        template: *ci-master-f28
-        timeout: 3600
-        topology: *master_1repl
-
-  fedora-28/dnssec:
-    requires: [fedora-28/build]
-    priority: 50
-    job:
-      class: RunPytest
-      args:
-        build_url: '{fedora-28/build_url}'
-        test_suite: test_integration/test_dnssec.py::TestInstallDNSSECFirst
-        template: *ci-master-f28
-        timeout: 3600
-        topology: *master_1repl
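Review bot: The entire gating job list below the build job is removed in this hunk, leaving only the `fedora-28/simple_replication` entry renamed to `fedora-28/test_commands_SSH` and pointed at `test_ssh_leak`, and the commit subject is `temp_commit`; this must not be merged as-is, since it would drop `caless`, `external_ca_*`, `test_sudo`, `dnssec` and every other gating job. If the intent is only to iterate on the new test in CI, the commit should be reverted before merge. If a permanent gating entry is wanted, note that the deleted `fedora-28/test_commands` job already runs the whole of `test_integration/test_commands.py`, so the new test would be covered there without a dedicated job.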

From bf9128c937bb6e8b203c9115f34dc2af263eb424 Mon Sep 17 00:00:00 2001
From: Michal Reznik <mrez...@redhat.com>
Date: Mon, 27 Aug 2018 15:56:12 +0200
Subject: [PATCH 3/3] add strip_cert_header() to tasks.py

---
 ipatests/pytest_ipa/integration/tasks.py | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
index fcfd703b41..8f3f809615 100644
--- a/ipatests/pytest_ipa/integration/tasks.py
+++ b/ipatests/pytest_ipa/integration/tasks.py
@@ -1531,3 +1531,16 @@ def generate_ssh_keypair():
 
     return (private_key_str, public_key_str)
 
+
+def strip_cert_header(pem):
+    """
+    Remove the header and footer from a certificate.
+    """
+    regexp = (
+        r"^-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----"
+    )
+    s = re.search(regexp, pem, re.MULTILINE | re.DOTALL)
+    if s is not None:
+        return s.group(1)
+    else:
+        return pem
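Review bot: `strip_cert_header` silently returns its input when the PEM markers are absent, so a caller such as `test_ssh_leak` would hand a string still carrying `-----BEGIN CERTIFICATE-----` to `ipa user-add-cert` with no signal that stripping failed; either raise (`raise ValueError('no PEM certificate markers found')`) or document the fall-through explicitly. The docstring should also say that `group(1)` keeps the newlines around and inside the base64 body, since the caller in `test_commands.py` quotes the result for a shell command — e.g. `Return the text between the BEGIN/END CERTIFICATE markers, line breaks included; the input is returned unchanged if no markers are found.` The `else:` after a `return` is redundant; `return s.group(1) if s is not None else pem` reads more naturally. `re` is used but not imported in this hunk; `tasks.py` presumably imports it already, but that is not visible here and is worth confirming.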