replica: Ensure that ipaapi user is allowed to access ifp

ipaserver/install/server/replicainstall.py

@@ -22,7 +22,7 @@
 from pkg_resources import parse_version
 import six
 
-from ipaclient.install.client import check_ldap_conf
+from ipaclient.install.client import check_ldap_conf, sssd_enable_ifp
 import ipaclient.install.timeconf
 from ipalib.install import certstore, sysrestore
 from ipalib.install.kinit import kinit_keytab
@@ -462,6 +462,9 @@ def promote_sssd(host_name):
     domain.set_option('ipa_server', host_name)
     domain.set_option('ipa_server_mode', True)
     sssdconfig.save_domain(domain)
+
+    sssd_enable_ifp(sssdconfig)
+
     sssdconfig.write()
 
     sssd = services.service('sssd', api)

ipatests/test_integration/test_replica_promotion.py

@@ -47,6 +47,21 @@ def test_kra_install_master(self):
         assert(found > 0), result2.stdout_text
 
 
+def sssd_config_allows_ipaapi_access_to_ifp(host):
+    """Checks that the sssd configuration allows the ipaapi user to access
+    ifp
+
+    :param host the machine on which to check that sssd allows ipaapi
+    access to ifp
+    """
+    with tasks.remote_sssd_config(host) as sssd_conf:
+        ifp = sssd_conf.get_service('ifp')
+        uids = [
+            uid.strip() for uid in ifp.get_option('allowed_uids').split(',')
+        ]
+        assert 'ipaapi' in uids
+
+
 class TestReplicaPromotionLevel1(ReplicaPromotionBase):
     """
     TestCase: http://www.freeipa.org/page/V4/Replica_Promotion/Test_plan#
@@ -100,6 +115,16 @@ def test_one_command_installation(self):
         result = self.replicas[0].run_command(['ipa-pkinit-manage', 'status'])
         assert "PKINIT is enabled" in result.stdout_text
 
+    @replicas_cleanup
+    def test_sssd_config_allows_ipaapi_access_to_ifp(self):
+        """Verify that the sssd configuration allows the ipaapi user to
+        access ifp
+
+        Test for ticket 8403.
+        """
+        for replica in self.replicas:
+            sssd_config_allows_ipaapi_access_to_ifp(replica)
+
 
 class TestUnprivilegedUserPermissions(IntegrationTest):
     """
@@ -171,6 +196,22 @@ def test_replica_promotion_after_adding_to_admin_group(self):
                                       '-r', self.master.domain.realm,
                                       '-U'])
 
+    def test_sssd_config_allows_ipaapi_access_to_ifp(self):
+        self.master.run_command(['ipa', 'group-add-member', 'admins',
+                                 '--users=%s' % self.username])
+
+        # Configure firewall first
+        Firewall(self.replicas[0]).enable_services(["freeipa-ldap",
+                                                    "freeipa-ldaps"])
+        self.replicas[0].run_command(['ipa-replica-install',
+                                      '-P', self.username,
+                                      '-p', self.new_password,
+                                      '-n', self.master.domain.name,
+                                      '-r', self.master.domain.realm,
+                                      '-U'])
+
+        sssd_config_allows_ipaapi_access_to_ifp(self.replicas[0])
+
 
 class TestProhibitReplicaUninstallation(IntegrationTest):
     topology = 'line'