[Freeipa-devel] INFO: CA ACL test and kerberos usage in functional tests

Martin Babinsky mbabinsk at redhat.com
Fri Sep 11 12:40:05 UTC 2015


On 09/10/2015 06:41 PM, Milan Kubík wrote:
> On 09/10/2015 06:36 PM, Alexander Bokovoy wrote:
>> On Thu, 10 Sep 2015, Milan Kubík wrote:
>>> Hi list,
>>>
>>> before my PTO, I was trying to write a functional test for CA ACLs
>>> with the tracker along all other acceptance/functional tests.
>>>
>>> I wasn't successful, the approach doesn't seem to work for CA ACLs as
>>> they have specific requirements for kerberos credentials
>>> that none of my attempts were able to meet. I have tried several
>>> approaches and the memo I got out of this is that currently, there
>>> seems to be no way to conveniently run a test that changes the
>>> user identity during the functional test (xmlrpc tests).
>>>
>>> I haven't had much time to write an integration test that should
>>> solve these problems with changing identity.
>>>
>>> The approaches I have tried include, in no particular order:
>>>
>>> * switch the default ccache to the identity desired, before calls
>>> made on an API object
>>>    - in case of FILE ccache, moving it back and forth
>>>    - in case of kernel keyring, using kswitch
>>>
>>> * instantiating another API instance in the process running the test,
>>> while the other ccache is active
>>>    - the API object internals seem to prevent this as there is still
>>> a lot of shared state between the API instances
>>>
>>> * running the command supposed to have different identity as a
>>> subprocess after switching the identity
>>>    - this attempt seemed to have inherited the opened connection to
>>> the backend from the parent python process,
>>>      creating a conflict during the client bootstrap
>>>
>>> * injecting the KRB5CCNAME environment variable with second identity
>>> into the python process
>>>    - the API instance doesn't seem to be affected by this value half
>>> of the times.
>>>    - randomly, the new credentials are used, breaking all the things.
>>>
>>> Unable to change the user during the test, the code I wrote for this
>>> wasn't doing what I intended it to do
>>> because the admin user used in the tests overrides all CA ACLs.
>> One way to do it is to use keyctl to create subsessions for different
>> authenticated users and switch between subsessions for the separate
>> calls.
>>
>> See keyctl manual page and 'keyctl session <name>' part.
> Thanks, I'll take a look at this next week.
>

Maybe you can also try to wrap the user auth, connection and API calls
in the 'ipapython.ipautil.private_ccache' context manager like this:

"""
from ipalib import api
from ipapython.ipautil import private_ccache, kinit_password, run

api.bootstrap()
api.finalize()

tmp_ccache='krb5cc_jdoe'

run(['klist']) # should list admin as default principal

with private_ccache(tmp_ccache):
     kinit_password(u'jdoe', u'jdoepasswd', tmp_ccache)
     run(['klist']) # lists jdoe as default principal
     api.Backend.rpcclient.connect(ccache=tmp_ccache)
     api.Command.ping()
     api.backend.rpcclient.disconnect()

run(['klist']) # KRB5CCNAME should be reset back to admin ccache	
"""

I have tested it and it seems to work. I haven't played with it very 
extensively, though.

-- 
Martin^3 Babinsky
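The following is an added, stdlib-only illustration of the pattern Martin's snippet relies on; it is not FreeIPA code and not from this thread. `private_ccache` here re-implements the idea behind `ipapython.ipautil.private_ccache` (point KRB5CCNAME at a per-identity cache, restore the old value on exit), `fake_kinit` stands in for `kinit_password`, and `FakeRpcClient` stands in for `api.Backend.rpcclient`. The fake client is an assumption: it binds the credential cache at `connect()` time, which models the symptom Milan reported (changing KRB5CCNAME alone leaving an already-open connection on the old identity) and shows why the snippet reconnects inside the context.

```python
"""Added example: per-identity ccache switching with explicit reconnect.

Not FreeIPA's code. private_ccache/fake_kinit/FakeRpcClient are stand-ins
for ipapython.ipautil.private_ccache, kinit_password and
api.Backend.rpcclient (assumptions, see the lead-in)."""
import os
import tempfile
from contextlib import contextmanager

# constructed: ccache path -> principal that "kinit'd" into it
PRINCIPALS = {}


@contextmanager
def private_ccache(path=None):
    """Point KRB5CCNAME at `path` (a fresh temp file if None) for the block,
    then restore the previous value and remove the file."""
    if path is None:
        fd, path = tempfile.mkstemp(prefix="krb5cc_")
        os.close(fd)
    old = os.environ.get("KRB5CCNAME")
    os.environ["KRB5CCNAME"] = path
    try:
        yield path
    finally:
        if old is None:
            os.environ.pop("KRB5CCNAME", None)
        else:
            os.environ["KRB5CCNAME"] = old
        if os.path.exists(path):
            os.unlink(path)
        PRINCIPALS.pop(path, None)


def fake_kinit(principal, ccache):
    """Stand-in for kinit_password: record which principal owns the ccache
    and create the cache file the way kinit would."""
    PRINCIPALS[ccache] = principal
    with open(ccache, "w") as f:
        f.write(principal)


class FakeRpcClient:
    """Stand-in for api.Backend.rpcclient (assumption): the ccache is
    captured when the connection is opened, so a later change of
    KRB5CCNAME does not move an open connection to another identity."""

    def __init__(self):
        self.ccache = None

    def connect(self, ccache=None):
        self.ccache = ccache or os.environ.get("KRB5CCNAME")

    def disconnect(self):
        self.ccache = None

    def whoami(self):
        return PRINCIPALS.get(self.ccache, "unknown")


def call_as(client, principal, command, ccache=None):
    """Run command(client) as `principal`: kinit into a private ccache,
    reconnect so the client uses it, disconnect before the ccache goes away."""
    with private_ccache(ccache) as path:
        fake_kinit(principal, path)
        client.connect(ccache=path)
        try:
            return command(client)
        finally:
            client.disconnect()


def demo():
    """Contrast env-only switching with the reconnect pattern; returns
    the identity observed in each situation plus whether KRB5CCNAME was
    restored afterwards."""
    previous = os.environ.get("KRB5CCNAME")
    client = FakeRpcClient()
    seen = {}
    with private_ccache() as admin_cc:
        fake_kinit("admin", admin_cc)
        client.connect()  # bound to admin's ccache
        seen["before"] = client.whoami()
        with private_ccache() as jdoe_cc:  # env changed, connection untouched
            fake_kinit("jdoe", jdoe_cc)
            seen["env_only"] = client.whoami()  # still admin
        client.disconnect()
        seen["reconnect"] = call_as(client, "jdoe", lambda c: c.whoami())
        seen["restored_env"] = os.environ.get("KRB5CCNAME") == admin_cc
    seen["outer_restored"] = os.environ.get("KRB5CCNAME") == previous
    return seen


if __name__ == "__main__":
    print(demo())
```

The point to carry over to a real test: every identity switch must be followed by a reconnect of the RPC client, and the context manager must restore KRB5CCNAME on the way out, otherwise later tests in the same process run as whichever principal was last kinit'd.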