ipa/0081-ipatests-Tests-to-check-data-in-journal-log.patch
Florence Blanc-Renaud 518fbd80d0 ipa-4.12.2-16
- Resolves: RHEL-84648 ipa-cacert-manage install fails with CAs having the same subject DN (subject key mismatch info)
- Resolves: RHEL-84279 IPU 9 -> 10: ipa-server breaks the in-place upgrade due to failed scriptlet
- Resolves: RHEL-84275 Search size limit tooltip has Search time limit tooltip text
- Resolves: RHEL-81200 Ipa client --raw --structured throws internal error
- Resolves: RHEL-68803 ipa-migrate with LDIF file from backup of remote server, fails with error 'change collided with another change'
- Resolves: RHEL-67686 [RFE] IDM support UIDs up to 4,294,967,293
- Resolves: RHEL-67633 ipa-healthcheck has tests which call fips-mode-setup
- Resolves: RHEL-4845 Protect *all* IPA service principals
2025-03-24 11:56:22 +01:00


From 47770b8626c353b95d4ae89a0fb7e23b3791d3ea Mon Sep 17 00:00:00 2001
From: Sudhir Menon <sumenon@redhat.com>
Date: Wed, 22 Jan 2025 16:03:37 +0530
Subject: [PATCH] ipatests: Tests to check data in journal log
This testcase checks that ipa administrative user
password is not displayed in journal log.
Related: https://issues.redhat.com/browse/RHEL-67190
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipatests/pytest_ipa/integration/tasks.py | 10 ++
ipatests/test_integration/test_commands.py | 116 +++++++++++++++++----
2 files changed, 104 insertions(+), 22 deletions(-)
diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
index 4ce33bb47cbc52641088f73cdb75d7bb184c274b..dccfaf30e708f18c81d3f1662d6df7b116ed36ac 100755
--- a/ipatests/pytest_ipa/integration/tasks.py
+++ b/ipatests/pytest_ipa/integration/tasks.py
@@ -3004,3 +3004,13 @@ def copy_files(source_host, dest_host, filelist):
dest_host.transport.mkdir_recursive(os.path.dirname(file))
data = source_host.get_file_contents(file)
dest_host.transport.put_file_contents(file, data)
+
+
+def check_journal_does_not_contain_secret(host, cmd):
+ """
+ Helper to check journal logs doesnt reveal secrets
+ """
+ journalctl_cmd = ['journalctl', '-t', cmd, '-n1', '-o', 'json-pretty']
+ result = host.run_command(journalctl_cmd, raiseonerr=False)
+ assert (host.config.admin_password not in result.stdout_text)
+ assert (host.config.dirman_password not in result.stdout_text)
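Review bot: The new helper can pass without inspecting anything: `-n1` looks only at the single most recent entry for the identifier, and because the command runs with `raiseonerr=False` and neither the return code nor non-empty output is asserted, a journalctl failure or a `-t` value that matches no entries yields empty stdout and both `not in` checks succeed vacuously, while a secret logged in an earlier entry of the same invocation is never examined. I would drop `-n1` (or bound the window with `--since` at the invocation time instead) and add `assert result.returncode == 0` and `assert result.stdout_text.strip(), f"no journal entries for {cmd}"` before the substring checks. Also note that `-o json-pretty` JSON-escapes field values, so a password containing `"`, `\` or non-ASCII characters would not match a plain substring compare; if the CI passwords are restricted to plain ASCII this is fine, but a one-line comment saying so would help. The docstring typo `doesnt` should read `does not`.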
diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
index 9c65b7c6bbf4c6378bdf0fa9da0242805ddd17aa..47ef232563d67f86040e2c5944805e430ab2e26c 100644
--- a/ipatests/test_integration/test_commands.py
+++ b/ipatests/test_integration/test_commands.py
@@ -39,6 +39,7 @@ from ipaplatform.tasks import tasks as platform_tasks
from ipatests.create_external_ca import ExternalCA
from ipatests.test_ipalib.test_x509 import good_pkcs7, badcert
from ipapython.ipautil import realm_to_suffix, ipa_generate_password
+from ipatests.test_integration.test_topology import find_segment
from ipaserver.install.installutils import realm_to_serverid
from pkg_resources import parse_version
@@ -1662,28 +1663,77 @@ class TestIPACommand(IntegrationTest):
assert result.returncode == 1
assert 'cannot be deleted or disabled' in result.stderr_text
- def test_ipa_cacert_manage_prune(self):
- """Test for ipa-cacert-manage prune"""
-
- certfile = os.path.join(self.master.config.test_dir, 'cert.pem')
- self.master.put_file_contents(certfile, isrgrootx1)
- result = self.master.run_command(
- [paths.IPA_CACERT_MANAGE, 'install', certfile])
-
- certs_before_prune = self.master.run_command(
- [paths.IPA_CACERT_MANAGE, 'list'], raiseonerr=False
- ).stdout_text
+ def test_ipa_systemd_journal(self):
+ """
+ This testcase checks that administrative user credentials
+ is not leaked to journald log
+ """
+ tasks.kinit_admin(self.master)
+ tasks.kinit_admin(self.replicas[0])
+ tasks.kinit_admin(self.clients[0])
+ cmds = [
+ ['/usr/sbin/ipa-adtrust-install', '-a',
+ self.master.config.admin_password, '-U'],
+ ['/usr/sbin/ipa-replica-manage', 'del',
+ f"dummyhost.{self.master.domain.name}", '-p',
+ self.master.config.dirman_password],
+ ['/usr/sbin/ipa-csreplica-manage', 'del',
+ f"dummyhost.{self.master.domain.name}", '-p',
+ self.master.config.dirman_password],
+ ['/usr/sbin/ipa-kra-install', '-p',
+ self.master.config.dirman_password, '-U'],
+ ['/usr/sbin/ipa-server-certinstall', '-k', '--pin',
+ self.master.config.dirman_password, '-p',
+ self.master.config.dirman_password, paths.KDC_CERT,
+ paths.KDC_KEY]
+ ]
+ for cmd in cmds:
+ self.master.run_command(cmd, raiseonerr=False)
+ tasks.check_journal_does_not_contain_secret(
+ self.master, cmd[0]
+ )
+ for cmd in cmds:
+ self.replicas[0].run_command(cmd, raiseonerr=False)
+ tasks.check_journal_does_not_contain_secret(
+ self.replicas[0], cmd[0]
+ )
+ tasks.check_journal_does_not_contain_secret(
+ self.clients[0], 'python3'
+ )
+ # Backup and restore IPA and check secrets are not leaked.
+ backup_path = tasks.get_backup_dir(self.master)
+ restore_cmd = (
+ ['/usr/sbin/ipa-restore', '-p',
+ self.master.config.dirman_password,
+ backup_path, '-U']
+ )
+ self.master.run_command(restore_cmd)
- assert isrgrootx1_nick in certs_before_prune
+ # re-initializing topology after restore
+ for topo_suffix in 'domain', 'ca':
+ topo_name = find_segment(self.master, self.replicas[0], topo_suffix)
+ arg = ['ipa', 'topologysegment-reinitialize',
+ topo_suffix, topo_name]
+ if topo_name.split('-to-', maxsplit=1)[0] != self.master.hostname:
+ arg.append('--left')
+ else:
+ arg.append('--right')
+ self.replicas[0].run_command(arg)
- # Jump in time to make sure the cert is expired
- self.master.run_command(['date', '-s', '+15Years'])
- result = self.master.run_command(
- [paths.IPA_CACERT_MANAGE, 'prune'], raiseonerr=False
- ).stdout_text
- self.master.run_command(['date', '-s', '-15Years'])
+ # wait sometime for re-initialization
+ tasks.wait_for_replication(self.replicas[0].ldap_connect())
- assert isrgrootx1_nick in result
+ tasks.check_journal_does_not_contain_secret(
+ self.master, restore_cmd[0]
+ )
+ # Checking for secrets in IPA server install
+ tasks.check_journal_does_not_contain_secret(
+ self.master, '/usr/sbin/ipa-server-install'
+ )
+ # Checking for secrets in IPA replica install
+ tasks.check_journal_does_not_contain_secret(
+ self.replicas[0], '/usr/sbin/ipa-replica-install'
+ )
class TestIPACommandWithoutReplica(IntegrationTest):
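Review bot: `tasks.check_journal_does_not_contain_secret(self.master, cmd[0])` passes the full path (e.g. `/usr/sbin/ipa-adtrust-install`) as the `journalctl -t` syslog identifier; if these tools log under their basename rather than the full path, the filter matches no entries and the helper's substring assertions pass on empty output, so the test should confirm at least one entry was returned for each identifier (the same applies to the bare `'python3'` identifier used for the client, which is also unrelated to any command run in this test). The loop additionally executes state-changing installers (`ipa-adtrust-install`, `ipa-kra-install`, and later `ipa-restore`) on the master and replica with failures suppressed; unless the class already expects those components to be installed, later tests in `TestIPACommand` inherit that state, which deserves a comment or a dedicated class. The enclosing class continues past this hunk.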
@@ -1719,10 +1769,9 @@ class TestIPACommandWithoutReplica(IntegrationTest):
self.master.run_command(['ipa', 'user-show', 'ipauser1'])
def test_basesearch_compat_tree(self):
- """Test ldapsearch against compat tree is working
-
+ """
+ Test ldapsearch against compat tree is working
This to ensure that ldapsearch with base scope is not failing.
-
related: https://bugzilla.redhat.com/show_bug.cgi?id=1958909
"""
version = self.master.run_command(
@@ -1920,6 +1969,29 @@ class TestIPACommandWithoutReplica(IntegrationTest):
assert old_err_msg not in dirsrv_error_log
assert re.search(new_err_msg, dirsrv_error_log)
+ def test_ipa_cacert_manage_prune(self):
+ """Test for ipa-cacert-manage prune"""
+
+ certfile = os.path.join(self.master.config.test_dir, 'cert.pem')
+ self.master.put_file_contents(certfile, isrgrootx1)
+ result = self.master.run_command(
+ [paths.IPA_CACERT_MANAGE, 'install', certfile])
+
+ certs_before_prune = self.master.run_command(
+ [paths.IPA_CACERT_MANAGE, 'list'], raiseonerr=False
+ ).stdout_text
+
+ assert isrgrootx1_nick in certs_before_prune
+
+ # Jump in time to make sure the cert is expired
+ self.master.run_command(['date', '-s', '+15Years'])
+ result = self.master.run_command(
+ [paths.IPA_CACERT_MANAGE, 'prune'], raiseonerr=False
+ ).stdout_text
+ self.master.run_command(['date', '-s', '-15Years'])
+
+ assert isrgrootx1_nick in result
+
class TestIPAautomount(IntegrationTest):
@classmethod
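Review bot: `result` from the `ipa-cacert-manage install` call is assigned and never checked, so a failed install only surfaces indirectly when the nick is missing from the `list` output; either `assert result.returncode == 0` or drop the binding. The clock jump `date -s +15Years` is not protected by `try/finally`, so a transport error during the `prune` call would leave the master's clock advanced for every following test in `TestIPACommandWithoutReplica`; wrapping the prune call so that `date -s -15Years` always runs would make the test self-cleaning. The enclosing class starts before this hunk.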
--
2.48.1