ipa/SOURCES/0003-ipatests-ensure-auth-indicators-can-t-be-added-to-in.patch

From 538a9992fd1394ed24cbcdf2a2a27694ac28da55 Mon Sep 17 00:00:00 2001
From: Antonio Torres <antorres@redhat.com>
Date: Mon, 8 Mar 2021 18:20:35 +0100
Subject: [PATCH] ipatests: ensure auth indicators can't be added to internal
 IPA services

Authentication indicators should not be added to internal IPA services,
since this can lead to a broken IPA setup. In case a client with
an auth indicator set in its host principal, promoting it to a replica
should fail.

Related: https://pagure.io/freeipa/issue/8206
Signed-off-by: Antonio Torres <antorres@redhat.com>
---
 .../test_replica_promotion.py                 | 38 +++++++++++++++++++
 ipatests/test_xmlrpc/test_host_plugin.py      | 10 +++++
 ipatests/test_xmlrpc/test_service_plugin.py   | 21 ++++++++++
 3 files changed, 69 insertions(+)

diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
index 0a137dbdcb068811899e7ff7914730f14ea651c1..b9c56f775d08885cb6b1226eeb7bcf105f87cdc1 100644
--- a/ipatests/test_integration/test_replica_promotion.py
+++ b/ipatests/test_integration/test_replica_promotion.py
@@ -101,6 +101,44 @@ class TestReplicaPromotionLevel1(ReplicaPromotionBase):
         assert result.returncode == 1
         assert expected_err in result.stderr_text
 
+    @replicas_cleanup
+    def test_install_with_host_auth_ind_set(self):
+        """ A client shouldn't be able to be promoted if it has
+        any auth indicator set in the host principal.
+        https://pagure.io/freeipa/issue/8206
+        """
+
+        client = self.replicas[0]
+        # Configure firewall first
+        Firewall(client).enable_services(["freeipa-ldap",
+                                          "freeipa-ldaps"])
+
+        client.run_command(['ipa-client-install', '-U',
+                            '--domain', self.master.domain.name,
+                            '--realm', self.master.domain.realm,
+                            '-p', 'admin',
+                            '-w', self.master.config.admin_password,
+                            '--server', self.master.hostname,
+                            '--force-join'])
+
+        tasks.kinit_admin(client)
+
+        client.run_command(['ipa', 'host-mod', '--auth-ind=otp',
+                            client.hostname])
+
+        res = client.run_command(['ipa-replica-install', '-U', '-w',
+                                  self.master.config.dirman_password],
+                                 raiseonerr=False)
+
+        client.run_command(['ipa', 'host-mod', '--auth-ind=',
+                            client.hostname])
+
+        expected_err = ("Client cannot be promoted to a replica if the host "
+                        "principal has an authentication indicator set.")
+        assert res.returncode == 1
+        assert expected_err in res.stderr_text
+
+
     @replicas_cleanup
     def test_one_command_installation(self):
         """
diff --git a/ipatests/test_xmlrpc/test_host_plugin.py b/ipatests/test_xmlrpc/test_host_plugin.py
index c66bbc865cd5e1ee5ee5e1874c177a3ea9b08c93..9cfde3565d48e103a0549e2bfb7579e07668f41b 100644
--- a/ipatests/test_xmlrpc/test_host_plugin.py
+++ b/ipatests/test_xmlrpc/test_host_plugin.py
@@ -605,6 +605,16 @@ class TestProtectedMaster(XMLRPC_test):
                 error=u'An IPA master host cannot be deleted or disabled')):
             command()
 
+    def test_try_add_auth_ind_master(self, this_host):
+        command = this_host.make_update_command({
+            u'krbprincipalauthind': u'radius'})
+        with raises_exact(errors.ValidationError(
+            name='krbprincipalauthind',
+            error=u'authentication indicators not allowed '
+                'in service "host"'
+        )):
+            command()
+
 
 @pytest.mark.tier1
 class TestValidation(XMLRPC_test):
diff --git a/ipatests/test_xmlrpc/test_service_plugin.py b/ipatests/test_xmlrpc/test_service_plugin.py
index 4c845938c33e2eca4235d53c4f4644c2fcdeda9c..ed634a0455a41dce367ed638634d1fc6d9e47553 100644
--- a/ipatests/test_xmlrpc/test_service_plugin.py
+++ b/ipatests/test_xmlrpc/test_service_plugin.py
@@ -25,6 +25,7 @@ from ipalib import api, errors
 from ipatests.test_xmlrpc.xmlrpc_test import Declarative, fuzzy_uuid, fuzzy_hash
 from ipatests.test_xmlrpc.xmlrpc_test import fuzzy_digits, fuzzy_date, fuzzy_issuer
 from ipatests.test_xmlrpc.xmlrpc_test import fuzzy_hex, XMLRPC_test
+from ipatests.test_xmlrpc.xmlrpc_test import raises_exact
 from ipatests.test_xmlrpc import objectclasses
 from ipatests.test_xmlrpc.testcert import get_testcert, subject_base
 from ipatests.test_xmlrpc.test_user_plugin import get_user_result, get_group_dn
@@ -1552,6 +1553,15 @@ def indicators_host(request):
     return tracker.make_fixture(request)
 
 
+@pytest.fixture(scope='function')
+def this_host(request):
+    """Fixture for the current master"""
+    tracker = HostTracker(name=api.env.host.partition('.')[0],
+                          fqdn=api.env.host)
+    tracker.exists = True
+    return tracker
+
+
 @pytest.fixture(scope='function')
 def indicators_service(request):
     tracker = ServiceTracker(
@@ -1587,6 +1597,17 @@ class TestAuthenticationIndicators(XMLRPC_test):
             expected_updates={u'krbprincipalauthind': [u'radius']}
         )
 
+    def test_update_indicator_internal_service(self, this_host):
+        command = this_host.make_command('service_mod',
+                                         'ldap/' + this_host.fqdn,
+                                         **dict(krbprincipalauthind='otp'))
+        with raises_exact(errors.ValidationError(
+            name='krbprincipalauthind',
+            error=u'authentication indicators not allowed '
+                 'in service "ldap"'
+        )):
+            command()
+
 
 @pytest.fixture(scope='function')
 def managing_host(request):
-- 
2.26.3