Imported Debian patch 4.7.2-3

2019-05-06 08:43:34 +03:00
parent 27edeba051
commit 8bc559c5a1
917 changed files with 1068993 additions and 1184676 deletions
--- a/ipatests/test_cmdline/test_ipagetkeytab.py
+++ b/ipatests/test_cmdline/test_ipagetkeytab.py
@@ -29,38 +29,31 @@ import tempfile
 import gssapi
 import pytest

-from ipapython.ipautil import private_ccache
-from ipalib import api, errors
-from ipalib.request import context
+from ipalib import api
 from ipaplatform.paths import paths
 from ipapython import ipautil, ipaldap
 from ipaserver.plugins.ldap2 import ldap2
 from ipatests.test_cmdline.cmdline import cmdline_test
 from ipatests.test_xmlrpc.tracker import host_plugin, service_plugin
-from ipatests.test_xmlrpc.xmlrpc_test import fuzzy_digits, add_oc
-from contextlib import contextmanager

-
-@contextmanager
 def use_keytab(principal, keytab):
-    with private_ccache() as ccache_file:
-        try:
-            old_principal = getattr(context, 'principal', None)
-            name = gssapi.Name(principal, gssapi.NameType.kerberos_principal)
-            store = {'ccache': ccache_file,
-                     'client_keytab': keytab}
-            gssapi.Credentials(name=name, usage='initiate', store=store)
-            conn = ldap2(api)
-            conn.connect(ccache=ccache_file,
-                         autobind=ipaldap.AUTOBIND_DISABLED)
-            yield conn
-            conn.disconnect()
-        except gssapi.exceptions.GSSError as e:
-            raise Exception('Unable to bind to LDAP. Error initializing '
-                            'principal %s in %s: %s' % (principal, keytab,
-                                                        str(e)))
-        finally:
-            setattr(context, 'principal', old_principal)
+    try:
+        tmpdir = tempfile.mkdtemp(prefix = "tmp-")
+        ccache_file = 'FILE:%s/ccache' % tmpdir
+        name = gssapi.Name(principal, gssapi.NameType.kerberos_principal)
+        store = {'ccache': ccache_file,
+                 'client_keytab': keytab}
+        os.environ['KRB5CCNAME'] = ccache_file
+        gssapi.Credentials(name=name, usage='initiate', store=store)
+        conn = ldap2(api)
+        conn.connect(autobind=ipaldap.AUTOBIND_DISABLED)
+        conn.disconnect()
+    except gssapi.exceptions.GSSError as e:
+        raise Exception('Unable to bind to LDAP. Error initializing principal %s in %s: %s' % (principal, keytab, str(e)))
+    finally:
+        os.environ.pop('KRB5CCNAME', None)
+        if tmpdir:
+            shutil.rmtree(tmpdir)


@pytest.fixture(scope='class')
@@ -70,7 +63,7 @@ def test_host(request):


@pytest.fixture(scope='class')
-def test_service(request, test_host, keytab_retrieval_setup):
+def test_service(request, test_host):
    service_tracker = service_plugin.ServiceTracker(u'srv', test_host.name)
    test_host.ensure_exists()
    return service_tracker.make_fixture(request)
@@ -84,9 +77,10 @@ class KeytabRetrievalTest(cmdline_test):
    command = "ipa-getkeytab"
    keytabname = None

-    @pytest.fixture(autouse=True, scope="class")
-    def keytab_retrieval_setup(self, request, cmdline_setup):
-        cls = request.cls
+    @classmethod
+    def setup_class(cls):
+        super(KeytabRetrievalTest, cls).setup_class()
+
        keytabfd, keytabname = tempfile.mkstemp()

        os.close(keytabfd)
@@ -94,16 +88,17 @@ class KeytabRetrievalTest(cmdline_test):

        cls.keytabname = keytabname

-        def fin():
-            try:
-                os.unlink(cls.keytabname)
-            except OSError:
-                pass
+    @classmethod
+    def teardown_class(cls):
+        super(KeytabRetrievalTest, cls).teardown_class()

-        request.addfinalizer(fin)
+        try:
+            os.unlink(cls.keytabname)
+        except OSError:
+            pass

    def run_ipagetkeytab(self, service_principal, args=tuple(),
-                         raiseonerr=False, stdin=None):
+                         raiseonerr=False):
        new_args = [self.command,
                    "-p", service_principal,
                    "-k", self.keytabname]
@@ -115,7 +110,7 @@ class KeytabRetrievalTest(cmdline_test):

        return ipautil.run(
            new_args,
-            stdin=stdin,
+            stdin=None,
            raiseonerr=raiseonerr,
            capture_error=True)

@@ -167,9 +162,7 @@ class test_ipagetkeytab(KeytabRetrievalTest):
        """
        Try to use the service keytab.
        """
-        with use_keytab(test_service.name, self.keytabname) as conn:
-            assert conn.can_read(test_service.dn, 'objectclass') is True
-            assert getattr(context, 'principal') == test_service.name
+        use_keytab(test_service.name, self.keytabname)

    def test_4_disable(self, test_service):
        """
@@ -193,77 +186,10 @@ class test_ipagetkeytab(KeytabRetrievalTest):
        Try to use the disabled keytab
        """
        try:
-            with use_keytab(test_service.name, self.keytabname) as conn:
-                assert conn.can_read(test_service.dn, 'objectclass') is True
-                assert getattr(context, 'principal') == test_service.name
+            use_keytab(test_service.name, self.keytabname)
        except Exception as errmsg:
            assert('Unable to bind to LDAP. Error initializing principal' in str(errmsg))

-    def test_6_quiet_mode(self, test_service):
-        """
-        Try to use quiet mode
-        """
-        test_service.ensure_exists()
-        # getkeytab without quiet mode option enabled
-        result = self.run_ipagetkeytab(test_service.name)
-        err = result.error_output.split("\n")[0]
-        assert err == f"Keytab successfully retrieved and stored in:" \
-                      f" {self.keytabname}"
-        assert result.returncode == 0
-
-        # getkeytab with quiet mode option enabled
-        result1 = self.run_ipagetkeytab(test_service.name, args=tuple("-q"))
-        assert result1.returncode == 0
-
-    def test_7_server_name_check(self, test_service):
-        """
-        Try to use -s for server name
-        """
-        test_service.ensure_exists()
-        self.assert_success(test_service.name, args=["-s", api.env.host])
-
-    def test_8_keytab_encryption_check(self, test_service):
-        """
-        Try to use -e for different types of encryption check
-        """
-        encryptes_list = [
-            "aes256-cts-hmac-sha1-96",
-            "aes128-cts-hmac-sha256-128",
-        ]
-        self.assert_success(
-            test_service.name, args=["-e", ",".join(encryptes_list)]
-        )
-
-    def test_dangling_symlink(self, test_service):
-        # see https://pagure.io/freeipa/issue/4607
-        test_service.ensure_exists()
-
-        fd, symlink_target = tempfile.mkstemp()
-        os.close(fd)
-        os.unlink(symlink_target)
-        # create dangling symlink
-        os.symlink(self.keytabname, symlink_target)
-
-        try:
-            self.assert_success(test_service.name, raiseonerr=True)
-            assert os.path.isfile(symlink_target)
-            assert os.path.samefile(self.keytabname, symlink_target)
-        finally:
-            os.unlink(symlink_target)
-
-
-def retrieve_dm_password():
-    dmpw_file = os.path.join(api.env.dot_ipa, '.dmpw')
-
-    if not os.path.isfile(dmpw_file):
-        raise errors.NotFound(reason='{} file required '
-                              'for this test'.format(dmpw_file))
-
-    with open(dmpw_file, 'r') as f:
-        dm_password = f.read().strip()
-
-    return dm_password
-

 class TestBindMethods(KeytabRetrievalTest):
    """
@@ -273,13 +199,17 @@ class TestBindMethods(KeytabRetrievalTest):
    dm_password = None
    ca_cert = None

-    @pytest.fixture(autouse=True, scope="class")
-    def bindmethods_setup(self, request, keytab_retrieval_setup):
-        cls = request.cls
-        try:
-            cls.dm_password = retrieve_dm_password()
-        except errors.NotFound as e:
-            pytest.skip(e.args)
+    @classmethod
+    def setup_class(cls):
+        super(TestBindMethods, cls).setup_class()
+
+        dmpw_file = os.path.join(api.env.dot_ipa, '.dmpw')
+
+        if not os.path.isfile(dmpw_file):
+            pytest.skip('{} file required for this test'.format(dmpw_file))
+
+        with open(dmpw_file, 'r') as f:
+            cls.dm_password = f.read().strip()

        tempfd, temp_ca_cert = tempfile.mkstemp()

@@ -289,12 +219,14 @@ class TestBindMethods(KeytabRetrievalTest):

        cls.ca_cert = temp_ca_cert

-        def fin():
-            try:
-                os.unlink(cls.ca_cert)
-            except OSError:
-                pass
-        request.addfinalizer(fin)
+    @classmethod
+    def teardown_class(cls):
+        super(TestBindMethods, cls).teardown_class()
+
+        try:
+            os.unlink(cls.ca_cert)
+        except OSError:
+            pass

    def check_ldapi(self):
        if not api.env.ldap_uri.startswith('ldapi://'):
@@ -393,106 +325,3 @@ class TestBindMethods(KeytabRetrievalTest):
                '-H', 'ldaps://{}'.format(api.env.host),
                '-Y', 'EXTERNAL'],
            raiseonerr=False)
-
-
-class SMBServiceTracker(service_plugin.ServiceTracker):
-    def __init__(self, name, host_fqdn, options=None):
-        super(SMBServiceTracker, self).__init__(name, host_fqdn,
-                                                options=options)
-        # Create SMB service principal that has POSIX attributes to allow
-        # generating SID and adding proper objectclasses
-        self.create_keys |= {u'uidnumber', u'gidnumber'}
-        self.options[u'addattr'] = [
-            u'objectclass=ipaIDObject', u'uidNumber=-1', u'gidNumber=-1']
-
-    def track_create(self, **options):
-        super(SMBServiceTracker, self).track_create(**options)
-        self.attrs[u'uidnumber'] = [fuzzy_digits]
-        self.attrs[u'gidnumber'] = [fuzzy_digits]
-        self.attrs[u'objectclass'].append(u'ipaIDObject')
-
-
-@pytest.fixture(scope='class')
-def test_smb_svc(request, test_host, smb_service_setup):
-    service_tracker = SMBServiceTracker(u'cifs', test_host.name)
-    test_host.ensure_exists()
-    return service_tracker.make_fixture(request)
-
-
-@pytest.mark.tier0
-@pytest.mark.skipif(u'ipantuserattrs' not in add_oc([], u'ipantuserattrs'),
-                    reason="Must have trust support enabled for this test")
-class test_smb_service(KeytabRetrievalTest):
-    """
-    Test `ipa-getkeytab` for retrieving explicit enctypes
-    """
-    command = "ipa-getkeytab"
-    dm_password = None
-    keytabname = None
-
-    @pytest.fixture(autouse=True, scope="class")
-    def smb_service_setup(self, request, keytab_retrieval_setup):
-        cls = request.cls
-        try:
-            cls.dm_password = retrieve_dm_password()
-        except errors.NotFound as e:
-            pytest.skip(e.args)
-
-    def test_create(self, test_smb_svc):
-        """
-        Create a keytab with `ipa-getkeytab` for an existing service.
-        """
-        test_smb_svc.ensure_exists()
-
-        # Request a keytab with explicit encryption types
-        enctypes = ['aes128-cts-hmac-sha1-96',
-                    'aes256-cts-hmac-sha1-96', 'arcfour-hmac']
-        args = ['-e', ','.join(enctypes), '-s', api.env.host]
-        self.assert_success(test_smb_svc.name, args=args, raiseonerr=True)
-
-    def test_use(self, test_smb_svc):
-        """
-        Try to use the service keytab to regenerate ipaNTHash value
-        """
-        # Step 1. Extend objectclass to allow ipaNTHash attribute
-        # We cannot verify write access to objectclass
-        with use_keytab(test_smb_svc.name, self.keytabname) as conn:
-            entry = conn.get_entry(test_smb_svc.dn, ['objectclass'])
-            entry['objectclass'].extend(['ipaNTUserAttrs'])
-            try:
-                conn.update_entry(entry)
-            except errors.ACIError:
-                assert ('No correct ACI to the allow ipaNTUserAttrs '
-                        'for SMB service' in "failure")
-
-        # Step 2. With ipaNTUserAttrs in place, we can ask to regenerate
-        # ipaNTHash value. We can also verify it is possible to write to
-        # ipaNTHash attribute while being an SMB service
-        with use_keytab(test_smb_svc.name, self.keytabname) as conn:
-            assert conn.can_write(test_smb_svc.dn, 'ipaNTHash') is True
-            entry = conn.get_entry(test_smb_svc.dn, ['ipaNTHash'])
-            entry['ipanthash'] = b'MagicRegen'
-            try:
-                conn.update_entry(entry)
-            except errors.ACIError:
-                assert ("No correct ACI to the ipaNTHash for SMB service"
-                        in "failure")
-            except errors.EmptyResult:
-                assert "No arcfour-hmac in Kerberos keys" in "failure"
-            except errors.DatabaseError:
-                # Most likely ipaNTHash already existed -- we either get
-                # OPERATIONS_ERROR or UNWILLING_TO_PERFORM, both map to
-                # the same DatabaseError class.
-                assert "LDAP Entry corruption after generation" in "failure"
-
-        # Update succeeded, now we have either MagicRegen (broken) or
-        # a real NT hash in the entry. However, we can only retrieve it as
-        # a cn=Directory Manager. When bind_dn is None, ldap2.connect() wil
-        # default to cn=Directory Manager.
-        conn = ldap2(api)
-        conn.connect(bind_dn=None, bind_pw=self.dm_password,
-                     autobind=ipaldap.AUTOBIND_DISABLED)
-        entry = conn.retrieve(test_smb_svc.dn, ['ipaNTHash'])
-        ipanthash = entry.single_value.get('ipanthash')
-        conn.disconnect()
-        assert ipanthash != b'MagicRegen', 'LDBM backend entry corruption'