From d57d11974e05f84c0964ca941a6b507419b02211 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud
Date: Thu, 28 Aug 2025 15:31:39 +0200
Subject: [PATCH] ipatests: extend test for unique krbcanonicalname

Add a test ensuring that root@REALM cannot be added as krbcanonicalname

Add a test for PAC enforcement: try to access a service using a TGT
obtained without PAC. Should fail as PAC is now enforced.

Signed-off-by: Florence Blanc-Renaud
---
 ipatests/test_integration/test_commands.py | 44 ++++++++++++++++++++--
 1 file changed, 40 insertions(+), 4 deletions(-)

diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
index 38202c9a3fbc5e91c03a5953a5d9bec3c07117f4..c982c678aae047d5cb505889729bcb5bccbc3c20 100644
--- a/ipatests/test_integration/test_commands.py
+++ b/ipatests/test_integration/test_commands.py
@@ -1563,7 +1563,7 @@ def test_unique_krbcanonicalname(self):
         hostname = master.hostname
         realm = master.domain.realm
         principal = f'test/{hostname}@{realm}'
-        entry_ldif = textwrap.dedent("""
+        entry_ldif_template = textwrap.dedent("""
             dn: krbprincipalname={principal},cn=services,cn=accounts,{base_dn}
             changetype: add
             ipakrbprincipalalias: test/{hostname}@{realm}
@@ -1573,13 +1573,15 @@ def test_unique_krbcanonicalname(self):
             objectclass: krbprincipal
             objectclass: krbprincipalaux
             objectclass: top
-            krbcanonicalname: admin@{realm}
+            krbcanonicalname: {user}@{realm}
             managedby: fqdn={hostname},cn=computers,cn=accounts,{base_dn}
-            """).format(
+            """)
+        entry_ldif = entry_ldif_template.format(
             base_dn=base_dn,
             hostname=hostname,
             principal=principal,
-            realm=realm)
+            realm=realm,
+            user='admin')
         tasks.kdestroy_all(master)
         master.run_command(
             ['kinit', '-kt', '/etc/krb5.keytab', f'host/{hostname}@{realm}'])
@@ -1592,6 +1594,40 @@ def test_unique_krbcanonicalname(self):
                                     raiseonerr=False)
         assert "entry with the same attribute value" in result.stderr_text
+        # Now try with root@realm instead of admin@realm
+        entry_ldif = entry_ldif_template.format(
+            base_dn=base_dn,
+            hostname=hostname,
+            principal=principal,
+            realm=realm,
+            user='root')
+        args = [
+            'ldapmodify',
+            '-Y',
+            'GSSAPI'
+        ]
+        result = master.run_command(args, stdin_text=entry_ldif,
+                                    raiseonerr=False)
+        assert "entry with the same attribute value" in result.stderr_text
+        tasks.kdestroy_all(master)
+    def test_no_request_pac(self):
+        # Try to use a TGT obtained without PAC
+        # Should fail as the presence of the PAC when processing TGTs
+        # provided by TGS-REQ is now enforced.
+        hostname = self.master.hostname
+        realm = self.master.domain.realm
+        self.master.run_command([
+            'kinit', '-kt', '/etc/krb5.keytab', f'host/{hostname}@{realm}',
+            '--no-request-pac'
+        ])
+        result = self.master.run_command(
+            ['kvno', f'ldap/{hostname}@{realm}'],
+            raiseonerr=False
+        )
+        assert result.returncode == 1
+        assert "PAC_ENFORCEMENT_TGT_WITHOUT_PAC" in result.stderr_text
+
 class TestIPACommandWithoutReplica(IntegrationTest):
     """
-- 
2.51.0
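Review bot: `test_no_request_pac` leaves the PAC-less TGT it obtained with `--no-request-pac` in the master's default credential cache, whereas the test just above it in this hunk ends with `tasks.kdestroy_all(master)`; any later test that runs a GSSAPI-authenticated command on the master without its own kinit would then hit the same PAC enforcement rejection and fail for a misleading reason. Call `tasks.kdestroy_all(self.master)` before the kinit and again after the assertions (or in a `finally:` so it also runs when an assertion fails). `assert result.returncode == 1` pins kvno's exact exit status where `assert result.returncode != 0` is sufficient because the stderr check already pins the cause, and a positive control first (`kinit` without the flag, then the same `kvno` succeeding) would show that the failure really comes from the missing PAC and not from an unrelated KDC or keytab problem. The comment `# Now try with root@realm instead of admin@realm` says what the second attempt does but not why it is a distinct case; presumably root@REALM exists only as a principal alias and not as any entry's krbcanonicalname, so it exercises a different path of the uniqueness check — if that is the reason, say so, e.g. `# root@REALM is only a principal alias, not a canonical name; the uniqueness check must still reject it`. The enclosing `test_unique_krbcanonicalname` starts before this hunk.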