authorLenka Doudova <ldoudova@redhat.com>2016-06-15 13:45:59 +0200
committerPetr Vobornik <pvoborni@redhat.com>2016-07-15 13:57:18 +0200
commitaab861142d3aec503ebae4779fbfa1858e20f451 (patch)
treede9b9616165b67dde25f375f4ceed75ac0271bfe
parentdcdbbb975927a24ec05f7addefd59c71823a57c2 (diff)
Tests: Authentication indicators integration tests
https://fedorahosted.org/freeipa/ticket/433 Reviewed-By: Milan Kubik <mkubik@redhat.com>
-rw-r--r--ipatests/test_integration/test_service_permissions.py56
1 files changed, 56 insertions, 0 deletions
diff --git a/ipatests/test_integration/test_service_permissions.py b/ipatests/test_integration/test_service_permissions.py
index 3d4a50d32..59f469713 100644
--- a/ipatests/test_integration/test_service_permissions.py
+++ b/ipatests/test_integration/test_service_permissions.py
@@ -80,3 +80,59 @@ class TestServicePermissions(IntegrationTest):
self.master.run_command(['ipa', 'service-del', service_name])
self.master.run_command(['ipa', 'user-del', 'tuser'])
+
+
+class TestServiceAuthenticationIndicators(IntegrationTest):
+ topology = 'star'
+
+ def test_service_access(self):
+ """ Test that user is granted access when authenticated using
+ credentials that are sufficient for a service, and denied access
+ when using insufficient credentials"""
+
+ service_name = 'testservice/%s@%s' % (self.master.hostname,
+ self.master.domain.realm)
+
+ keytab_file = os.path.join(self.master.config.test_dir,
+ 'testservice_keytab')
+
+ # Prepare a service without authentication indicator
+ self.master.run_command(['ipa', 'service-add', service_name])
+
+ self.master.run_command(['ipa-getkeytab',
+ '-p', service_name,
+ '-k', keytab_file])
+
+ # Set authentication-type for admin user
+ self.master.run_command(['ipa', 'user-mod', 'admin',
+ '--user-auth-type=password',
+ '--user-auth-type=otp'])
+
+ # Authenticate
+ self.master.run_command(['kinit', '-k', service_name,
+ '-t', keytab_file])
+
+ # Verify access to service is granted
+ result = self.master.run_command(['kvno', service_name],
+ raiseonerr=False)
+ assert result.returncode == 0
+
+ # Obtain admin ticket to be able to update service
+ tasks.kinit_admin(self.master)
+
+ # Modify service to have authentication indicator
+ self.master.run_command(['ipa', 'service-mod', service_name,
+ '--auth-ind=otp'])
+
+ self.master.run_command(['ipa-getkeytab',
+ '-p', service_name,
+ '-k', keytab_file])
+
+ # Authenticate
+ self.master.run_command(['kinit', '-k', service_name,
+ '-t', keytab_file])
+
+ # Verify access to service is rejected
+ result = self.master.run_command(['kvno', service_name],
+ raiseonerr=False)
+ assert result.returncode > 0
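Review bot: The denial check that closes test_service_access, `assert result.returncode > 0`, passes on any kvno failure, so a missing credential cache or an unreachable KDC would be counted as a correct rejection by the `otp` indicator. Pin the reason as well, for example `assert EXPECTED_KDC_POLICY_ERROR in result.stderr_text` (placeholder: the exact message is not shown on this page). The test also leaves state behind: the service, the keytab file under `test_dir`, and the `password`/`otp` auth types set on `admin` are never reverted, unlike the `service-del`/`user-del` calls that close the previous test, so a failed assert or a later test in the same run inherits a modified admin account. Finally, the docstring promises a grant with sufficient credentials, but the only positive case runs before `--auth-ind=otp` is set, so nothing here shows that an OTP-authenticated ticket is accepted once the indicator is required.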