ipa/SOURCES/0044-ipatests-refactor-krb-unique-tests_rhel#110061.patch
2025-10-02 11:38:49 +00:00


--- a/ipatests/test_integration/test_commands.py 2025-09-17 10:36:00.180673487 -0300
+++ b/ipatests/test_integration/test_commands.py 2025-09-17 10:37:31.294681273 -0300
@@ -1554,80 +1554,6 @@
assert result.returncode == 1
assert 'cannot be deleted or disabled' in result.stderr_text
- def test_unique_krbcanonicalname(self):
- """Verify that the uniqueness for krbcanonicalname is working"""
- master = self.master
-
- base_dn = str(master.domain.basedn)
- hostname = master.hostname
- realm = master.domain.realm
- principal = f'test/{hostname}@{realm}'
- entry_ldif_template = textwrap.dedent("""
- dn: krbprincipalname={principal},cn=services,cn=accounts,{base_dn}
- changetype: add
- ipakrbprincipalalias: test/{hostname}@{realm}
- krbprincipalname: {principal}
- objectclass: ipakrbprincipal
- objectclass: ipaobject
- objectclass: ipaservice
- objectclass: krbprincipal
- objectclass: krbprincipalaux
- objectclass: top
- krbcanonicalname: {user}@{realm}
- managedby: fqdn={hostname},cn=computers,cn=accounts,{base_dn}
- """)
- entry_ldif = entry_ldif_template.format(
- base_dn=base_dn,
- hostname=hostname,
- principal=principal,
- realm=realm,
- user='admin')
- tasks.kdestroy_all(master)
- master.run_command(
- ['kinit', '-kt', '/etc/krb5.keytab', f'host/{hostname}@{realm}'])
- args = [
- 'ldapmodify',
- '-Y',
- 'GSSAPI'
- ]
- result = master.run_command(args, stdin_text=entry_ldif,
- raiseonerr=False)
- assert "entry with the same attribute value" in result.stderr_text
-
- # Now try with root@realm instead of admin@realm
- entry_ldif = entry_ldif_template.format(
- base_dn=base_dn,
- hostname=hostname,
- principal=principal,
- realm=realm,
- user='root')
- args = [
- 'ldapmodify',
- '-Y',
- 'GSSAPI'
- ]
- result = master.run_command(args, stdin_text=entry_ldif,
- raiseonerr=False)
- assert "entry with the same attribute value" in result.stderr_text
- tasks.kdestroy_all(master)
-
- def test_no_request_pac(self):
- # Try to use a TGT obtained without PAC
- # Should fail as the presence of the PAC when processing TGTs
- # provided by TGS-REQ is now enforced.
- hostname = self.master.hostname
- realm = self.master.domain.realm
- self.master.run_command([
- 'kinit', '-kt', '/etc/krb5.keytab', f'host/{hostname}@{realm}',
- '--no-request-pac'
- ])
- result = self.master.run_command(
- ['kvno', f'ldap/{hostname}@{realm}'],
- raiseonerr=False
- )
- assert result.returncode == 1
- assert "PAC_ENFORCEMENT_TGT_WITHOUT_PAC" in result.stderr_text
-
class TestIPACommandWithoutReplica(IntegrationTest):
"""
@@ -1749,7 +1675,7 @@
api.bootstrap_with_global_options(context='server')
api.finalize()
api.Backend.ldap2.connect()
-
+
api.Command["group_add"]("testgroup1", external=True)
api.Command["group_add"]("testgroup2", external=False)
result1 = api.Command["group_show"]("testgroup1", all=True)["result"] # noqa: E501
@@ -1794,6 +1720,80 @@
'/tmp/reproducer2_code.py'])
assert "missing attribute" not in result.stdout_text
+ def test_unique_krbcanonicalname(self):
+ """Verify that the uniqueness for krbcanonicalname is working"""
+ master = self.master
+
+ base_dn = str(master.domain.basedn)
+ hostname = master.hostname
+ realm = master.domain.realm
+ principal = f'test/{hostname}@{realm}'
+ entry_ldif_template = textwrap.dedent("""
+ dn: krbprincipalname={principal},cn=services,cn=accounts,{base_dn}
+ changetype: add
+ ipakrbprincipalalias: test/{hostname}@{realm}
+ krbprincipalname: {principal}
+ objectclass: ipakrbprincipal
+ objectclass: ipaobject
+ objectclass: ipaservice
+ objectclass: krbprincipal
+ objectclass: krbprincipalaux
+ objectclass: top
+ krbcanonicalname: {user}@{realm}
+ managedby: fqdn={hostname},cn=computers,cn=accounts,{base_dn}
+ """)
+ entry_ldif = entry_ldif_template.format(
+ base_dn=base_dn,
+ hostname=hostname,
+ principal=principal,
+ realm=realm,
+ user='admin')
+ tasks.kdestroy_all(master)
+ master.run_command(
+ ['kinit', '-kt', '/etc/krb5.keytab', f'host/{hostname}@{realm}'])
+ args = [
+ 'ldapmodify',
+ '-Y',
+ 'GSSAPI'
+ ]
+ result = master.run_command(args, stdin_text=entry_ldif,
+ raiseonerr=False)
+ assert "entry with the same attribute value" in result.stderr_text
+
+ # Now try with root@realm instead of admin@realm
+ entry_ldif = entry_ldif_template.format(
+ base_dn=base_dn,
+ hostname=hostname,
+ principal=principal,
+ realm=realm,
+ user='root')
+ args = [
+ 'ldapmodify',
+ '-Y',
+ 'GSSAPI'
+ ]
+ result = master.run_command(args, stdin_text=entry_ldif,
+ raiseonerr=False)
+ assert "entry with the same attribute value" in result.stderr_text
+ tasks.kdestroy_all(master)
+
+ def test_no_request_pac(self):
+ # Try to use a TGT obtained without PAC
+ # Should fail as the presence of the PAC when processing TGTs
+ # provided by TGS-REQ is now enforced.
+ hostname = self.master.hostname
+ realm = self.master.domain.realm
+ self.master.run_command([
+ 'kinit', '-kt', '/etc/krb5.keytab', f'host/{hostname}@{realm}',
+ '--no-request-pac'
+ ])
+ result = self.master.run_command(
+ ['kvno', f'ldap/{hostname}@{realm}'],
+ raiseonerr=False
+ )
+ assert result.returncode == 1
+ assert "PAC_ENFORCEMENT_TGT_WITHOUT_PAC" in result.stderr_text
+
class TestIPAautomount(IntegrationTest):
@classmethod
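Review bot: The relocated `test_no_request_pac` leaves the PAC-less host TGT in the default credential cache — it runs `kinit ... --no-request-pac` but never calls `tasks.kdestroy_all`, and `test_unique_krbcanonicalname` reaches its trailing `tasks.kdestroy_all(master)` only when both `assert` lines pass. Whatever test the class runs next therefore starts with the credentials the previous test left behind, which makes outcomes order-dependent and can hide a real enforcement regression behind a stale ticket. Wrapping the body of each test after the `kinit` in `try:` … `finally: tasks.kdestroy_all(master)` (or `tasks.kdestroy_all(self.master)` in `test_no_request_pac`) keeps the cleanup on the failure path as well. The enclosing class begins before this hunk; from the preceding hunk it appears to be the one holding the `group_add` checks, but the class header is not visible here.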