URL: https://github.com/SSSD/sssd/pull/5548 Author: aborah-sudo Title: #5548: Add support to verify authentication indicators in pam_sss_gss Action: opened
PR body: """ Error code of '[pam_cmd_gssapi_sec_ctx] (0x0400): Check if acquired service ticket has req. indicators:'. '2' is 'not applied' (ENOENT), """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5548/head:pr5548 git checkout pr5548
From dfc2c11a7ca9e179ae8245cefc206f016bac91d8 Mon Sep 17 00:00:00 2001 From: aborah <abo...@anuj.master.com> Date: Tue, 23 Mar 2021 08:10:54 +0530 Subject: [PATCH] Add support to verify authentication indicators in pam_sss_gss Error code of '[pam_cmd_gssapi_sec_ctx] (0x0400): Check if acquired service ticket has req. indicators:'. '2' is 'not applied' (ENOENT), --- src/tests/multihost/ipa/test_rfe.py | 134 ++++++++++++++++++++++++++++ 1 file changed, 134 insertions(+) create mode 100644 src/tests/multihost/ipa/test_rfe.py diff --git a/src/tests/multihost/ipa/test_rfe.py b/src/tests/multihost/ipa/test_rfe.py new file mode 100644 index 0000000000..25bb339875 --- /dev/null +++ b/src/tests/multihost/ipa/test_rfe.py @@ -0,0 +1,134 @@ +""" SSSD IPA RFE Automations """ + +import pytest +import time +from sssd.testlib.common.utils import sssdTools +from sssd.testlib.common.exceptions import SSSDException +from constants import ds_instance_name +from sssd.testlib.common.utils import SSHClient +import re + + +@pytest.mark.tier1_2 +class Testiparfe(object): + """ SSSD IPA RFE Automations """ + def test_authentication_indicators(self, multihost): + """ + :title: IDM-SSSD-TC: Add support to verify authentication + indicators in pam_sss_gss + :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1926622 + :id: 4891ed62-7fc8-11eb-98be-002b677efe14 + :steps: + 1. Add pam_sss_gss configuration to /etc/sssd/sssd.conf + 2. Add pam_sss_gss.so to /etc/pam.d/sudo + 3. Restart SSSD + 4. Enable SSSD debug logs + 5. Switch to 'admin' user + 6. obtain Kerberos ticket and check that it + was obtained using SPAKE pre-authentication. + 7. Create sudo configuration that allows an admin to + run SUDO rules + 8. Try 'sudo -l' as admin + 9. As root, check content of sssd_pam.log + 10. Check if acquired service ticket has + req. indicators: 0 + 11. Add pam_sss_gss configuration to /etc/sssd/sssd.conf + 12. Check if acquired service ticket has req. + indicators: 2 + :expectedresults: + 1. Should succeed + 2. Should succeed + 3. Should succeed + 4. Should succeed + 5. Should succeed + 6. Should succeed + 7. Should succeed + 8. Should succeed + 9. Should succeed + 10. Should succeed + 11. Should succeed + 12. Should succeed + """ + client = sssdTools(multihost.client[0]) + domain_params = {'pam_gssapi_services': 'sudo, sudo-i', + 'pam_gssapi_indicators_map': 'hardened, ' + 'sudo:pkinit, ' + 'sudo-i:otp'} + client.sssd_conf('pam', domain_params) + multihost.client[0].run_command('cp -vf ' + '/etc/pam.d/sudo ' + '/etc/pam.d/sudo_indicators') + multihost.client[0].run_command("sed -i " + "'2s/^/auth sufficient " + "pam_sss_gss.so debug\\n/' " + "/etc/pam.d/sudo") + multihost.client[0].run_command('cp -vf ' + '/etc/pam.d/sudo-i ' + '/etc/pam.d/sudo-i_indicators') + multihost.client[0].run_command("sed -i " + "'2s/^/auth sufficient " + "pam_sss_gss.so debug\\n/' " + "/etc/pam.d/sudo-i") + multihost.client[0].run_command('systemctl stop sssd ; ' + 'rm -rf /var/log/sssd/* ; ' + 'rm -rf /var/lib/sss/db/* ; ' + 'systemctl start sssd') + multihost.client[0].run_command("sssctl debug-level 9") + ssh = SSHClient(multihost.client[0].sys_hostname, + username='admin', password='Secret123') + (_, _, exit_status) = ssh.execute_cmd('kinit admin', + stdin='Secret123') + (result, errors, exit_status) = ssh.exec_command('klist') + (result, errors, exit_status) = ssh.execute_cmd('ipa ' + 'sudocmd-add ALL2') + (result, errors, exit_status) = ssh.execute_cmd('ipa ' + 'sudorule-add ' + 'testrule2') + (result, errors, exit_status) = ssh.execute_cmd("ipa sudorule-add" + "-allow-command " + "testrule2 " + "--sudocmds 'ALL2'") + (result, errors, exit_status) = ssh.execute_cmd('ipa ' + 'sudorule-mod ' + 'testrule2 ' + '--hostcat=all') + (result, errors, exit_status) = ssh.execute_cmd('ipa ' + 'sudorule-add-user ' + 'testrule2 ' + '--users admin') + (result, errors, exit_status) = ssh.execute_cmd('sudo -l') + ssh.close() + search = multihost.client[0].run_command('fgrep ' + 'gssapi_ ' + '/var/log/sssd/sssd_pam.log ' + '|tail -10') + assert 'indicators: 0' in search.stdout_text + client = sssdTools(multihost.client[0]) + domain_params = {'pam_gssapi_services': 'sudo, sudo-i', + 'pam_gssapi_indicators_map': 'sudo-i:hardened'} + client.sssd_conf('pam', domain_params) + multihost.client[0].run_command('systemctl stop sssd ; ' + 'rm -rf /var/log/sssd/* ; ' + 'rm -rf /var/lib/sss/db/* ; ' + 'systemctl start sssd') + ssh = SSHClient(multihost.client[0].sys_hostname, + username='admin', password='Secret123') + (_, _, exit_status) = ssh.execute_cmd('kinit admin', + stdin='Secret123') + multihost.client[0].run_command("sssctl debug-level 9") + (result, errors, exit_status) = ssh.execute_cmd('sudo -l') + (result, errors, exit_status) = ssh.exec_command('klist') + (result, errors, exit_status) = ssh.execute_cmd('ipa ' + 'sudocmd-del ALL2') + (result, errors, exit_status) = ssh.execute_cmd('ipa ' + 'sudorule-del ' + 'testrule2') + multihost.client[0].run_command('cp -vf /etc/pam.d/sudo_indicators ' + '/etc/pam.d/sudo') + multihost.client[0].run_command('cp -vf /etc/pam.d/sudo-i_indicators ' + '/etc/pam.d/sudo-i') + search = multihost.client[0].run_command('fgrep gssapi_ ' + '/var/log/sssd/sssd_pam.log' + ' |tail -10') + ssh.close() + assert 'indicators: 2' in search.stdout_text
_______________________________________________ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
