From 294ae35a61e6ca8816b261c57508e4be21221864 Mon Sep 17 00:00:00 2001
From: Julien Rische
Date: Tue, 1 Feb 2022 19:38:29 +0100
Subject: [PATCH] ipatests: add case for hardened-only ticket policy

Signed-off-by: Julien Rische
Reviewed-By: Alexander Bokovoy
Reviewed-By: Francisco Trivino
---
 ipatests/test_integration/test_krbtpolicy.py | 30 ++++++++++++++++++--
 1 file changed, 28 insertions(+), 2 deletions(-)

diff --git a/ipatests/test_integration/test_krbtpolicy.py b/ipatests/test_integration/test_krbtpolicy.py
index 63e75ae67f493352b1d3a611e7b079d914a7b253..9489fbc97b7836aecf491b57627f254d4849eb56 100644
--- a/ipatests/test_integration/test_krbtpolicy.py
+++ b/ipatests/test_integration/test_krbtpolicy.py
@@ -103,8 +103,8 @@ class TestPWPolicy(IntegrationTest):
 result = master.run_command('klist | grep krbtgt')
 assert maxlife_within_policy(result.stdout_text, MAXLIFE) is True
 
- def test_krbtpolicy_hardended(self):
- """Test a hardened kerberos ticket policy with 10 min tickets"""
+ def test_krbtpolicy_password_and_hardended(self):
+ """Test a pwd and hardened kerberos ticket policy with 10min tickets"""
 master = self.master
 master.run_command(['ipa', 'user-mod', USER1,
 '--user-auth-type', 'password',
@@ -131,6 +131,32 @@ class TestPWPolicy(IntegrationTest):
 result = master.run_command('klist | grep krbtgt')
 assert maxlife_within_policy(result.stdout_text, MAXLIFE) is True
 
+ def test_krbtpolicy_hardended(self):
+ """Test a hardened kerberos ticket policy with 30min tickets"""
+ master = self.master
+ master.run_command(['ipa', 'user-mod', USER1,
+ '--user-auth-type', 'hardened'])
+ master.run_command(['ipa', 'config-mod',
+ '--user-auth-type', 'hardened'])
+ master.run_command(['ipa', 'krbtpolicy-mod', USER1,
+ '--hardened-maxlife', '1800'])
+
+ tasks.kdestroy_all(master)
+
+ master.run_command(['kinit', USER1],
+ stdin_text=PASSWORD + '\n')
+ result = master.run_command('klist | grep krbtgt')
+ assert maxlife_within_policy(result.stdout_text, 1800,
+ slush=1800) is True
+
+ tasks.kdestroy_all(master)
+
+ # Verify that the short policy only applies to USER1
+ master.run_command(['kinit', USER2],
+ stdin_text=PASSWORD + '\n')
+ result = master.run_command('klist | grep krbtgt')
+ assert maxlife_within_policy(result.stdout_text, MAXLIFE) is True
+
 def test_krbtpolicy_password(self):
 """Test the kerberos ticket policy which issues 20 min tickets"""
 master = self.master
--
2.34.1
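Review bot: The USER1 assertion in the new test_krbtpolicy_hardended passes `slush=1800` for a 1800-second limit, so the tolerance is as large as the value being checked. maxlife_within_policy is defined outside this hunk; if it accepts any lifetime between `maxlife - slush` and `maxlife`, this check would also pass for the 10- and 20-minute tickets the neighbouring tests configure, and so would not show that `--hardened-maxlife` is the policy that was actually applied. A tolerance smaller than the gap to the next shorter policy, for example `slush=300) is True`, would make the test fail when a different ticket policy is in effect. The test also returns with the global `config-mod --user-auth-type hardened` setting still in place, which later tests in the class would inherit unless they reset it themselves.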