summaryrefslogtreecommitdiffstats
path: root/ipatests/test_cmdline/test_ipagetkeytab.py
blob: 6a1314f6c83c733b4ee72eaa4844ea32a77742a7 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
# Authors:
#   Rob Crittenden <rcritten@redhat.com>
#
# Copyright (C) 2010  Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
"""
Test `ipa-getkeytab`
"""

import os
import shutil
import tempfile

import gssapi
import pytest

from ipalib import api
from ipalib import errors
from ipapython import ipautil, ipaldap
from ipaserver.plugins.ldap2 import ldap2
from ipatests.test_cmdline.cmdline import cmdline_test

def use_keytab(principal, keytab):
    try:
        tmpdir = tempfile.mkdtemp(prefix = "tmp-")
        ccache_file = 'FILE:%s/ccache' % tmpdir
        name = gssapi.Name(principal, gssapi.NameType.kerberos_principal)
        store = {'ccache': ccache_file,
                 'client_keytab': keytab}
        os.environ['KRB5CCNAME'] = ccache_file
        gssapi.Credentials(name=name, usage='initiate', store=store)
        conn = ldap2(api)
        conn.connect(autobind=ipaldap.AUTOBIND_DISABLED)
        conn.disconnect()
    except gssapi.exceptions.GSSError as e:
        raise Exception('Unable to bind to LDAP. Error initializing principal %s in %s: %s' % (principal, keytab, str(e)))
    finally:
        os.environ.pop('KRB5CCNAME', None)
        if tmpdir:
            shutil.rmtree(tmpdir)


@pytest.mark.tier0
class test_ipagetkeytab(cmdline_test):
    """
    Test `ipa-getkeytab`.
    """
    command = "ipa-getkeytab"
    host_fqdn = u'ipatest.%s' % api.env.domain
    service_princ = u'test/%s@%s' % (host_fqdn, api.env.realm)
    [keytabfd, keytabname] = tempfile.mkstemp()
    os.close(keytabfd)

    def test_0_setup(self):
        """
        Create a host to test against.
        """
        # Create the service
        try:
            api.Command['host_add'](self.host_fqdn, force=True)
        except errors.DuplicateEntry:
            # it already exists, no problem
            pass

    def test_1_run(self):
        """
        Create a keytab with `ipa-getkeytab` for a non-existent service.
        """
        new_args = [self.command,
                    "-s", api.env.host,
                    "-p", "test/notfound.example.com",
                    "-k", self.keytabname,
                   ]
        result = ipautil.run(new_args, stdin=None, raiseonerr=False,
                             capture_error=True)
        err = result.error_output
        assert 'Failed to parse result: PrincipalName not found.\n' in err, err
        rc = result.returncode
        assert rc > 0, rc

    def test_2_run(self):
        """
        Create a keytab with `ipa-getkeytab` for an existing service.
        """
        # Create the service
        try:
            api.Command['service_add'](self.service_princ, force=True)
        except errors.DuplicateEntry:
            # it already exists, no problem
            pass

        os.unlink(self.keytabname)
        new_args = [self.command,
                    "-s", api.env.host,
                    "-p", self.service_princ,
                    "-k", self.keytabname,
                   ]
        try:
            result = ipautil.run(new_args, None, capture_error=True)
            expected = 'Keytab successfully retrieved and stored in: %s\n' % (
                self.keytabname)
            assert expected in result.error_output, (
                'Success message not in output:\n%s' % result.error_output)
        except ipautil.CalledProcessError as e:
            assert (False)

    def test_3_use(self):
        """
        Try to use the service keytab.
        """
        use_keytab(self.service_princ, self.keytabname)

    def test_4_disable(self):
        """
        Disable a kerberos principal
        """
        # Verify that it has a principal key
        entry = api.Command['service_show'](self.service_princ)['result']
        assert(entry['has_keytab'] == True)

        # Disable it
        api.Command['service_disable'](self.service_princ)

        # Verify that it looks disabled
        entry = api.Command['service_show'](self.service_princ)['result']
        assert(entry['has_keytab'] == False)

    def test_5_use_disabled(self):
        """
        Try to use the disabled keytab
        """
        try:
            use_keytab(self.service_princ, self.keytabname)
        except Exception as errmsg:
            assert('Unable to bind to LDAP. Error initializing principal' in str(errmsg))

    def test_9_cleanup(self):
        """
        Clean up test data
        """
        # First create the host that will use this policy
        os.unlink(self.keytabname)
        api.Command['host_del'](self.host_fqdn)