From 0dadcbb4ac9f6142b5130f025f64d918d6f208a9 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Tue, 8 Oct 2024 10:25:08 +0300
Subject: [PATCH] Minimal test for Cockpit integration on IPA master

Add a test to share HTTP service keytab on IPA master between IPA and
Cockpit. The test configures Cockpit with IPA CA-issued certificate and
allows Cockpit to access IPA HTTP service keytab for authentication.

The test then attempts to authenticate with GSSAPI as admin user. A
successful result is when we receive CSRF token from the Cockpit as
the result of this authentication. This means we have logged in
successfully with Kerberos.

Fixes: https://pagure.io/freeipa/issue/9675

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
 ipatests/test_integration/test_cockpit.py | 61 +++++++++++++++++++++++
 1 file changed, 61 insertions(+)
 create mode 100644 ipatests/test_integration/test_cockpit.py

diff --git a/ipatests/test_integration/test_cockpit.py b/ipatests/test_integration/test_cockpit.py
new file mode 100644
index 0000000000000000000000000000000000000000..cdc96170a116536c7aa00be78cc4e0225804e21c
--- /dev/null
+++ b/ipatests/test_integration/test_cockpit.py
@@ -0,0 +1,61 @@
+#
+# Copyright (C) 2024  FreeIPA Contributors see COPYING for license
+#
+
+from __future__ import absolute_import
+
+import time
+from ipatests.pytest_ipa.integration import tasks
+from ipatests.test_integration.base import IntegrationTest
+from ipaplatform.paths import paths
+
+
+class TestCockpitIntegration(IntegrationTest):
+    topology = "line"
+    reqcert = '/etc/cockpit/ws-certs.d/99-cockpit.cert'
+    reqkey = '/etc/cockpit/ws-certs.d/99-cockpit.key'
+    symlink = '/etc/cockpit/krb5.keytab'
+
+    @classmethod
+    def uninstall(cls, mh):
+        cls.master.run_command(['ipa-getcert', 'stop-tracking', '-f',
+                                cls.reqcert], raiseonerr=False)
+        cls.master.run_command(['rm', '-f', cls.symlink], raiseonerr=False)
+        cls.master.run_command(['systemctl', 'disable', '--now',
+                                'cockpit.socket'])
+        super(TestCockpitIntegration, cls).uninstall(mh)
+
+    @classmethod
+    def install(cls, mh):
+        master = cls.master
+
+        # Install Cockpit and configure it to use IPA certificate and keytab
+        master.run_command(['dnf', 'install', '-y', 'cockpit', 'curl'],
+                           raiseonerr=False)
+
+        super(TestCockpitIntegration, cls).install(mh)
+
+        master.run_command(['ipa-getcert', 'request', '-f', cls.reqcert, '-k',
+                            cls.reqkey, '-D', cls.master.hostname, '-K',
+                            'host/' + cls.master.hostname, '-m', '0640', '-o',
+                            'root:cockpit-ws', '-O', 'root:root', '-M',
+                            '0644'], raiseonerr=False)
+
+        master.run_command(['ln', '-s', paths.HTTP_KEYTAB, cls.symlink],
+                           raiseonerr=False)
+
+        time.sleep(5)
+        master.run_command(['systemctl', 'enable', '--now', 'cockpit.socket'])
+
+    def test_login_with_kerberos(self):
+        """
+        Login to Cockpit using GSSAPI authentication
+        """
+        master = self.master
+        tasks.kinit_admin(master)
+
+        cockpit_login = f'https://{master.hostname}:9090/cockpit/login'
+        result = master.run_command([paths.BIN_CURL, '-u:', '--negotiate',
+                                     '--cacert', paths.IPA_CA_CRT,
+                                     cockpit_login])
+        assert ("csrf-token" in result.stdout_text)
-- 
2.47.0