From 47770b8626c353b95d4ae89a0fb7e23b3791d3ea Mon Sep 17 00:00:00 2001
From: Sudhir Menon
Date: Wed, 22 Jan 2025 16:03:37 +0530
Subject: [PATCH] ipatests: Tests to check data in journal log

This testcase checks that ipa administrative user password is not displayed in journal log.

Related: https://issues.redhat.com/browse/RHEL-67190

Signed-off-by: Sudhir Menon
Reviewed-By: Florence Blanc-Renaud
---
 ipatests/pytest_ipa/integration/tasks.py | 10 ++
 ipatests/test_integration/test_commands.py | 116 +++++++++++++++++----
 2 files changed, 104 insertions(+), 22 deletions(-)

diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
index 4ce33bb47cbc52641088f73cdb75d7bb184c274b..dccfaf30e708f18c81d3f1662d6df7b116ed36ac 100755
--- a/ipatests/pytest_ipa/integration/tasks.py
+++ b/ipatests/pytest_ipa/integration/tasks.py
@@ -3004,3 +3004,13 @@ def copy_files(source_host, dest_host, filelist):
 dest_host.transport.mkdir_recursive(os.path.dirname(file))
 data = source_host.get_file_contents(file)
 dest_host.transport.put_file_contents(file, data)
+
+
+def check_journal_does_not_contain_secret(host, cmd):
+ """
+ Helper to check journal logs doesnt reveal secrets
+ """
+ journalctl_cmd = ['journalctl', '-t', cmd, '-n1', '-o', 'json-pretty']
+ result = host.run_command(journalctl_cmd, raiseonerr=False)
+ assert (host.config.admin_password not in result.stdout_text)
+ assert (host.config.dirman_password not in result.stdout_text)
diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
index 9c65b7c6bbf4c6378bdf0fa9da0242805ddd17aa..47ef232563d67f86040e2c5944805e430ab2e26c 100644
--- a/ipatests/test_integration/test_commands.py
+++ b/ipatests/test_integration/test_commands.py
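Review bot: The two negative assertions in check_journal_does_not_contain_secret pass vacuously whenever journalctl returns no entry — `raiseonerr=False` hides a failing journalctl, and a `-t` identifier that matches nothing (the callers pass full paths such as `/usr/sbin/ipa-adtrust-install`, which only works if journald really records the path as SYSLOG_IDENTIFIER) yields empty stdout in which no password can be found — so the helper should first pin that it inspected a record: `assert result.returncode == 0` followed by `assert result.stdout_text.strip(), f"no journal entry for identifier {cmd}"`. Limiting the query with `-n1` also inspects only the single newest record, so a secret echoed in an earlier record of the same invocation would not be seen; dropping `-n1` and bounding the query with `--since` to the test's start time would cover the whole run. The docstring would be more useful as a contract, e.g. "Assert that the newest journal entry tagged with identifier cmd on host contains neither the admin nor the Directory Manager password; the caller must have run cmd on host beforehand."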
@@ -39,6 +39,7 @@ from ipaplatform.tasks import tasks as platform_tasks
 from ipatests.create_external_ca import ExternalCA
 from ipatests.test_ipalib.test_x509 import good_pkcs7, badcert
 from ipapython.ipautil import realm_to_suffix, ipa_generate_password
+from ipatests.test_integration.test_topology import find_segment
 from ipaserver.install.installutils import realm_to_serverid
 from pkg_resources import parse_version
@@ -1662,28 +1663,77 @@ class TestIPACommand(IntegrationTest):
 assert result.returncode == 1
 assert 'cannot be deleted or disabled' in result.stderr_text
- def test_ipa_cacert_manage_prune(self):
- """Test for ipa-cacert-manage prune"""
-
- certfile = os.path.join(self.master.config.test_dir, 'cert.pem')
- self.master.put_file_contents(certfile, isrgrootx1)
- result = self.master.run_command(
- [paths.IPA_CACERT_MANAGE, 'install', certfile])
-
- certs_before_prune = self.master.run_command(
- [paths.IPA_CACERT_MANAGE, 'list'], raiseonerr=False
- ).stdout_text
+ def test_ipa_systemd_journal(self):
+ """
+ This testcase checks that administrative user credentials
+ is not leaked to journald log
+ """
+ tasks.kinit_admin(self.master)
+ tasks.kinit_admin(self.replicas[0])
+ tasks.kinit_admin(self.clients[0])
+ cmds = [
+ ['/usr/sbin/ipa-adtrust-install', '-a',
+ self.master.config.admin_password, '-U'],
+ ['/usr/sbin/ipa-replica-manage', 'del',
+ f"dummyhost.{self.master.domain.name}", '-p',
+ self.master.config.dirman_password],
+ ['/usr/sbin/ipa-csreplica-manage', 'del',
+ f"dummyhost.{self.master.domain.name}", '-p',
+ self.master.config.dirman_password],
+ ['/usr/sbin/ipa-kra-install', '-p',
+ self.master.config.dirman_password, '-U'],
+ ['/usr/sbin/ipa-server-certinstall', '-k', '--pin',
+ self.master.config.dirman_password, '-p',
+ self.master.config.dirman_password, paths.KDC_CERT,
+ paths.KDC_KEY]
+ ]
+ for cmd in cmds:
+ self.master.run_command(cmd, raiseonerr=False)
+ tasks.check_journal_does_not_contain_secret(
+ self.master, cmd[0]
+ )
+ for cmd in cmds:
+ self.replicas[0].run_command(cmd, raiseonerr=False)
+ tasks.check_journal_does_not_contain_secret(
+ self.replicas[0], cmd[0]
+ )
+ tasks.check_journal_does_not_contain_secret(
+ self.clients[0], 'python3'
+ )
+ # Backup and restore IPA and check secrets are not leaked.
+ backup_path = tasks.get_backup_dir(self.master)
+ restore_cmd = (
+ ['/usr/sbin/ipa-restore', '-p',
+ self.master.config.dirman_password,
+ backup_path, '-U']
+ )
+ self.master.run_command(restore_cmd)
- assert isrgrootx1_nick in certs_before_prune
+ # re-initializing topology after restore
+ for topo_suffix in 'domain', 'ca':
+ topo_name = find_segment(self.master, self.replicas[0], topo_suffix)
+ arg = ['ipa', 'topologysegment-reinitialize',
+ topo_suffix, topo_name]
+ if topo_name.split('-to-', maxsplit=1)[0] != self.master.hostname:
+ arg.append('--left')
+ else:
+ arg.append('--right')
+ self.replicas[0].run_command(arg)
- # Jump in time to make sure the cert is expired
- self.master.run_command(['date', '-s', '+15Years'])
- result = self.master.run_command(
- [paths.IPA_CACERT_MANAGE, 'prune'], raiseonerr=False
- ).stdout_text
- self.master.run_command(['date', '-s', '-15Years'])
+ # wait sometime for re-initialization
+ tasks.wait_for_replication(self.replicas[0].ldap_connect())
- assert isrgrootx1_nick in result
+ tasks.check_journal_does_not_contain_secret(
+ self.master, restore_cmd[0]
+ )
+ # Checking for secrets in IPA server install
+ tasks.check_journal_does_not_contain_secret(
+ self.master, '/usr/sbin/ipa-server-install'
+ )
+ # Checking for secrets in IPA replica install
+ tasks.check_journal_does_not_contain_secret(
+ self.replicas[0], '/usr/sbin/ipa-replica-install'
+ )
 class TestIPACommandWithoutReplica(IntegrationTest):
@@ -1719,10 +1769,9 @@ class TestIPACommandWithoutReplica(IntegrationTest):
 self.master.run_command(['ipa', 'user-show', 'ipauser1'])
 def test_basesearch_compat_tree(self):
- """Test ldapsearch against compat tree is working
-
+ """
+ Test ldapsearch against compat tree is working
 This to ensure that ldapsearch with base scope is not failing.
-
 related: https://bugzilla.redhat.com/show_bug.cgi?id=1958909
 """
 version = self.master.run_command(
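Review bot: The client-side check `tasks.check_journal_does_not_contain_secret(self.clients[0], 'python3')` inspects the newest journal record tagged `python3`, yet the only thing this test ran on the client is `tasks.kinit_admin`, so it is not clear which process is expected to log under that identifier or why its newest record is the one that matters; a comment naming the intended producer, e.g. `# <PROCESS> on the client logs under the python3 identifier; its entry must not echo the admin password` (placeholder to be filled in), would make the assertion deliberate rather than incidental. The docstring should read `administrative user credentials are not leaked to the journald log`. The `cmds` list (`ipa-adtrust-install`, `ipa-kra-install`) and the `ipa-restore` plus topology re-initialisation appear to change the master and replica permanently, so a comment stating that later tests in TestIPACommand run against a KRA/trust-enabled, restored deployment would help anyone reordering tests in this class — this is inferred from the commands, not visible here. The enclosing class TestIPACommand starts outside the hunk.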
@@ -1920,6 +1969,29 @@ class TestIPACommandWithoutReplica(IntegrationTest):
 assert old_err_msg not in dirsrv_error_log
 assert re.search(new_err_msg, dirsrv_error_log)
+ def test_ipa_cacert_manage_prune(self):
+ """Test for ipa-cacert-manage prune"""
+
+ certfile = os.path.join(self.master.config.test_dir, 'cert.pem')
+ self.master.put_file_contents(certfile, isrgrootx1)
+ result = self.master.run_command(
+ [paths.IPA_CACERT_MANAGE, 'install', certfile])
+
+ certs_before_prune = self.master.run_command(
+ [paths.IPA_CACERT_MANAGE, 'list'], raiseonerr=False
+ ).stdout_text
+
+ assert isrgrootx1_nick in certs_before_prune
+
+ # Jump in time to make sure the cert is expired
+ self.master.run_command(['date', '-s', '+15Years'])
+ result = self.master.run_command(
+ [paths.IPA_CACERT_MANAGE, 'prune'], raiseonerr=False
+ ).stdout_text
+ self.master.run_command(['date', '-s', '-15Years'])
+
+ assert isrgrootx1_nick in result
+
 class TestIPAautomount(IntegrationTest):
 @classmethod
--
2.48.1
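Review bot: The clock is moved forward with `date -s +15Years` and only moved back after the prune call, with nothing guarding the reset — `raiseonerr=False` covers a non-zero exit but not an exception raised by `run_command` itself (transport or connection failure), and in that case every later test in TestIPACommandWithoutReplica runs on a master whose clock is 15 years ahead. Wrapping the prune in `try`/`finally` keeps the reset unconditional; the method is moved verbatim from TestIPACommand, so the commit inherits the pattern rather than introducing it. The `result` bound from the `install` command is never read before the prune call rebinds it, so that first assignment can be dropped. The enclosing class starts outside the hunk.
```python
        # Jump in time to make sure the cert is expired
        self.master.run_command(['date', '-s', '+15Years'])
        try:
            result = self.master.run_command(
                [paths.IPA_CACERT_MANAGE, 'prune'], raiseonerr=False
            ).stdout_text
        finally:
            # Always move the clock back, even if run_command raised,
            # so the remaining tests do not run on a skewed host
            self.master.run_command(['date', '-s', '-15Years'])
        # … unchanged: final assert on isrgrootx1_nick …
```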