644504a963
- Resolves: RHEL-68448 ipa trust-add fails in FIPS mode with an internal error has occurred - Resolves: RHEL-69301 Support GSSAPI in Cockpit on IPA servers Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
From 0dadcbb4ac9f6142b5130f025f64d918d6f208a9 Mon Sep 17 00:00:00 2001
|
|
From: Alexander Bokovoy <abokovoy@redhat.com>
|
|
Date: Tue, 8 Oct 2024 10:25:08 +0300
|
|
Subject: [PATCH] Minimal test for Cockpit integration on IPA master
|
|
|
|
Add a test to share HTTP service keytab on IPA master between IPA and
|
|
Cockpit. The test configures Cockpit with IPA CA-issued certificate and
|
|
allows Cockpit to access IPA HTTP service keytab for authentication.
|
|
|
|
The test then attempts to authenticate with GSSAPI as admin user. A
|
|
successful result is when we receive CSRF token from the Cockpit as
|
|
the result of this authentication. This means we have logged in
|
|
successfully with Kerberos.
|
|
|
|
Fixes: https://pagure.io/freeipa/issue/9675
|
|
|
|
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
|
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
---
|
|
ipatests/test_integration/test_cockpit.py | 61 +++++++++++++++++++++++
|
|
1 file changed, 61 insertions(+)
|
|
create mode 100644 ipatests/test_integration/test_cockpit.py
|
|
|
|
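diff --git a/ipatests/test_integration/test_cockpit.py b/ipatests/test_integration/test_cockpit.py
new file mode 100644
index 0000000000000000000000000000000000000000..cdc96170a116536c7aa00be78cc4e0225804e21c
--- /dev/null
+++ b/ipatests/test_integration/test_cockpit.py
@@ -0,0 +1,61 @@
+#
+# Copyright (C) 2024 FreeIPA Contributors see COPYING for license
+#
+
+from __future__ import absolute_import
+
+import time
+from ipatests.pytest_ipa.integration import tasks
+from ipatests.test_integration.base import IntegrationTest
+from ipaplatform.paths import paths
+
+
+class TestCockpitIntegration(IntegrationTest):
+ topology = "line"
+ reqcert = '/etc/cockpit/ws-certs.d/99-cockpit.cert'
+ reqkey = '/etc/cockpit/ws-certs.d/99-cockpit.key'
+ symlink = '/etc/cockpit/krb5.keytab'
+
+ @classmethod
+ def uninstall(cls, mh):
+ cls.master.run_command(['ipa-getcert', 'stop-tracking', '-f',
+ cls.reqcert], raiseonerr=False)
+ cls.master.run_command(['rm', '-f', cls.symlink], raiseonerr=False)
+ cls.master.run_command(['systemctl', 'disable', '--now',
+ 'cockpit.socket'])
+ super(TestCockpitIntegration, cls).uninstall(mh)
+
+ @classmethod
+ def install(cls, mh):
+ master = cls.master
+
+ # Install Cockpit and configure it to use IPA certificate and keytab
+ master.run_command(['dnf', 'install', '-y', 'cockpit', 'curl'],
+ raiseonerr=False)
+
+ super(TestCockpitIntegration, cls).install(mh)
+
+ master.run_command(['ipa-getcert', 'request', '-f', cls.reqcert, '-k',
+ cls.reqkey, '-D', cls.master.hostname, '-K',
+ 'host/' + cls.master.hostname, '-m', '0640', '-o',
+ 'root:cockpit-ws', '-O', 'root:root', '-M',
+ '0644'], raiseonerr=False)
+
+ master.run_command(['ln', '-s', paths.HTTP_KEYTAB, cls.symlink],
+ raiseonerr=False)
+
+ time.sleep(5)
+ master.run_command(['systemctl', 'enable', '--now', 'cockpit.socket'])
+
+ def test_login_with_kerberos(self):
+ """
+ Login to Cockpit using GSSAPI authentication
+ """
+ master = self.master
+ tasks.kinit_admin(master)
+
+ cockpit_login = f'https://{master.hostname}:9090/cockpit/login'
+ result = master.run_command([paths.BIN_CURL, '-u:', '--negotiate',
+ '--cacert', paths.IPA_CA_CRT,
+ cockpit_login])
+ assert ("csrf-token" in result.stdout_text)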
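Review bot: In `install`, the `ipa-getcert request` and `ln -s` calls pass `raiseonerr=False` and are followed by a fixed `time.sleep(5)`, so a rejected or still-pending certificate request is never detected at setup time. The test only notices later, when curl's `--cacert` check or the GSSAPI login fails for a reason unrelated to what the test is meant to cover. I would let both commands raise and wait on certmonger instead of sleeping, e.g. add `'-w'` to the `ipa-getcert request` arguments and drop `time.sleep(5)`. In `uninstall` the pattern is reversed: `systemctl disable --now cockpit.socket` is the one call that can raise, which would skip `super(TestCockpitIntegration, cls).uninstall(mh)`; `raiseonerr=False` belongs there. Since the setup makes the IPA HTTP service keytab reachable from `/etc/cockpit/krb5.keytab`, a short comment stating that the link must not be accompanied by looser keytab permissions would help anyone copying this configuration.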
|
|
--
|
|
2.47.0
|
|
|