From 02b17c8560a6aabb4be1109a3a794412f527c83c Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Fri, 24 Nov 2023 13:00:48 +0200 Subject: [PATCH] ipatests: make sure PKINIT enrollment works with a strict policy Previously, for a global policy which does not include 'password', krb5kdc restart was failing. Now it should succeed. We set admin user authentication type to PASSWORD to simplify configuration in the test. What matters here is that global policy does not include PKINIT and that means a code in the ticket policy check will allow PKINIT implicitly rather than explicitly. Related: https://pagure.io/freeipa/issue/9485 Signed-off-by: Alexander Bokovoy Reviewed-By: Francisco Trivino
---
.../test_integration/test_pkinit_install.py | 26 +++++++++++++++++++ 1 file changed, 26 insertions(+)
diff --git a/ipatests/test_integration/test_pkinit_install.py b/ipatests/test_integration/test_pkinit_install.py
index caa0e6a34dc7e50359a41314e419a0d5be0c3aa8..5c2e7af0231677d4653ea2f82fa3dffed711a10d 100644
--- a/ipatests/test_integration/test_pkinit_install.py
+++ b/ipatests/test_integration/test_pkinit_install.py
@@ -23,6 +23,24 @@ class TestPkinitClientInstall(IntegrationTest):
 def install(cls, mh):
 tasks.install_master(cls.master)
 
+ def enforce_password_and_otp(self):
+ """enforce otp by default and password for admin """
+ self.master.run_command(
+ [
+ "ipa",
+ "config-mod",
+ "--user-auth-type=otp",
+ ]
+ )
+ self.master.run_command(
+ [
+ "ipa",
+ "user-mod",
+ "admin",
+ "--user-auth-type=password",
+ ]
+ )
+
 def add_certmaperule(self):
 """add certmap rule to map SAN dNSName to host entry"""
 self.master.run_command(
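Review bot: enforce_password_and_otp switches the global user auth type to otp and nothing in this hunk restores it, so every test that runs after it in TestPkinitClientInstall sees the changed global policy. If that is intended (the description says the later PKINIT enrollment should run under a policy that omits both 'password' and PKINIT), the docstring should state it; I would replace it with `"""Set global user-auth-type to otp and admin's to password (persists for later tests)."""` and drop the stray trailing space. The method name also suggests both types are enforced globally while only the admin entry gets password, so a comment such as `# global policy deliberately omits 'password' and 'pkinit'` above the first run_command would prevent that reading. The enclosing class begins before the hunk.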
@@ -86,6 +104,14 @@ class TestPkinitClientInstall(IntegrationTest):
 cabundle = self.master.get_file_contents(paths.KDC_CA_BUNDLE_PEM)
 client.put_file_contents(self.tmpbundle, cabundle)
 
+ def test_restart_krb5kdc(self):
+ tasks.kinit_admin(self.master)
+ self.enforce_password_and_otp()
+ self.master.run_command(['systemctl', 'stop', 'krb5kdc.service'])
+ self.master.run_command(['systemctl', 'start', 'krb5kdc.service'])
+ self.master.run_command(['systemctl', 'stop', 'kadmin.service'])
+ self.master.run_command(['systemctl', 'start', 'kadmin.service'])
+
 def test_client_install_pkinit(self):
 tasks.kinit_admin(self.master)
 self.add_certmaperule()
-- 2.43.0
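Review bot: test_restart_krb5kdc only checks that the four systemctl calls exit zero; if krb5kdc starts and then exits, or starts but cannot issue tickets under the new policy, the test still passes. After the restarts I would assert the services are really up and the KDC answers, e.g. `self.master.run_command(['systemctl', 'is-active', 'krb5kdc.service'])` (non-zero exit when inactive makes run_command raise) followed by a second `tasks.kinit_admin(self.master)`, which should succeed because admin was just given the password auth type. The stop/start pairs could be a single `['systemctl', 'restart', ...]` per service, which is presumably closer to the failing restart the description mentions, though I cannot see the original failure from here. The enclosing class begins before the hunk.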