replica: Add tests to ensure the ipaapi user is allowed access to ifp…

… on replicas https://pagure.io/freeipa/issue/8403 Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
freeipa · Jul 14, 2020 · 6de4b0f · 6de4b0f
1 parent 4b8da1b
commit 6de4b0f
Showing 1 changed file with 41 additions and 0 deletions.
diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
@@ -47,6 +47,21 @@ def test_kra_install_master(self):
         assert(found > 0), result2.stdout_text
 
 
+def sssd_config_allows_ipaapi_access_to_ifp(host):
+    """Checks that the sssd configuration allows the ipaapi user to access
+    ifp
+
+    :param host the machine on which to check that sssd allows ipaapi
+    access to ifp
+    """
+    with tasks.remote_sssd_config(host) as sssd_conf:
+        ifp = sssd_conf.get_service('ifp')
+        uids = [
+            uid.strip() for uid in ifp.get_option('allowed_uids').split(',')
+        ]
+        assert 'ipaapi' in uids
+
+
 class TestReplicaPromotionLevel1(ReplicaPromotionBase):
     """
     TestCase: http://www.freeipa.org/page/V4/Replica_Promotion/Test_plan#
@@ -100,6 +115,16 @@ def test_one_command_installation(self):
         result = self.replicas[0].run_command(['ipa-pkinit-manage', 'status'])
         assert "PKINIT is enabled" in result.stdout_text
 
+    @replicas_cleanup
+    def test_sssd_config_allows_ipaapi_access_to_ifp(self):
+        """Verify that the sssd configuration allows the ipaapi user to
+        access ifp
+
+        Test for ticket 8403.
+        """
+        for replica in self.replicas:
+            sssd_config_allows_ipaapi_access_to_ifp(replica)
+
 
 class TestUnprivilegedUserPermissions(IntegrationTest):
     """
@@ -171,6 +196,22 @@ def test_replica_promotion_after_adding_to_admin_group(self):
                                       '-r', self.master.domain.realm,
                                       '-U'])
 
+    def test_sssd_config_allows_ipaapi_access_to_ifp(self):
+        self.master.run_command(['ipa', 'group-add-member', 'admins',
+                                 '--users=%s' % self.username])
+
+        # Configure firewall first
+        Firewall(self.replicas[0]).enable_services(["freeipa-ldap",
+                                                    "freeipa-ldaps"])
+        self.replicas[0].run_command(['ipa-replica-install',
+                                      '-P', self.username,
+                                      '-p', self.new_password,
+                                      '-n', self.master.domain.name,
+                                      '-r', self.master.domain.realm,
+                                      '-U'])
+
+        sssd_config_allows_ipaapi_access_to_ifp(self.replicas[0])
+
 
 class TestProhibitReplicaUninstallation(IntegrationTest):
     topology = 'line'