From b016683552a58f9cc2a05cf628cc467234eaf599 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Mon, 28 Feb 2022 11:10:49 +0200
Subject: [PATCH] tests: ensure AD-SUPPORT subpolicy is active

Use AD-SUPPORT subpolicy when testing trust to Active Directory in FIPS
mode. This is required in FIPS mode due to AD not supporting Kerberos
AES-bases encryption types using FIPS-compliant PBKDF2 and KDF, as
defined in RFC 8009.

Fixes: https://pagure.io/freeipa/issue/9119

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Julien Rische <jrische@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
---
 ipatests/pytest_ipa/integration/fips.py  | 6 ++++++
 ipatests/pytest_ipa/integration/tasks.py | 3 +++
 2 files changed, 9 insertions(+)

diff --git a/ipatests/pytest_ipa/integration/fips.py b/ipatests/pytest_ipa/integration/fips.py
index 694ec8a9927da917fe99482094f68540a1032c14..b33aa91b14552d6f47191c913db4f974a5a5948c 100644
--- a/ipatests/pytest_ipa/integration/fips.py
+++ b/ipatests/pytest_ipa/integration/fips.py
@@ -68,3 +68,9 @@ def disable_userspace_fips(host):
     # sanity check
     assert not is_fips_enabled(host)
     host.run_command(["openssl", "md5", "/dev/null"])
+
+
+def enable_crypto_subpolicy(host, subpolicy):
+    result = host.run_command(["update-crypto-policies", "--show"])
+    policy = result.stdin_text.strip() + ":" + subpolicy
+    host.run_command(["update-crypto-policies", "--set", policy])
diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
index 7e1b7c24dab00986ff6e75430bf55e55dd1a6b8e..13d84e23fa7dc8a5e562e8498c9142e2bcad696a 100755
--- a/ipatests/pytest_ipa/integration/tasks.py
+++ b/ipatests/pytest_ipa/integration/tasks.py
@@ -66,6 +66,7 @@ from .env_config import env_to_script
 from .host import Host
 from .firewall import Firewall
 from .resolver import ResolvedResolver
+from .fips import is_fips_enabled, enable_crypto_subpolicy
 
 logger = logging.getLogger(__name__)
 
@@ -362,6 +363,8 @@ def install_master(host, setup_dns=True, setup_kra=False, setup_adtrust=False,
     if setup_adtrust:
         args.append('--setup-adtrust')
         fw_services.append("freeipa-trust")
+        if is_fips_enabled(host):
+            enable_crypto_subpolicy(host, "AD-SUPPORT")
     if external_ca:
         args.append('--external-ca')
 
-- 
2.34.1