From 0a429107a4133760d042586a9ae80ef06ffb96e1 Mon Sep 17 00:00:00 2001
From: Patrik Rosecky
Date: Tue, 25 Jul 2023 14:03:23 +0200
Subject: [PATCH] tests: convert multihost/basic/test_basic to test_kcm and test_authentication
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Alejandro López
Reviewed-by: Jakub Vávra
Reviewed-by: Pavel Březina
(cherry picked from commit 376534022aebf11d23ee2b70ef13d17ca3842aea)
---
 src/tests/multihost/basic/test_basic.py | 4 +
 src/tests/system/tests/test_authentication.py | 86 +++++++++++++++++++
 src/tests/system/tests/test_kcm.py | 38 ++++++++
 3 files changed, 128 insertions(+)
 create mode 100644 src/tests/system/tests/test_authentication.py
diff --git a/src/tests/multihost/basic/test_basic.py b/src/tests/multihost/basic/test_basic.py
index 214cecc48e5..72f092eba2f 100644
--- a/src/tests/multihost/basic/test_basic.py
+++ b/src/tests/multihost/basic/test_basic.py
@@ -6,6 +6,7 @@
 :upstream: yes
 :status: approved
 """
+import pytest
 import time
 import configparser as ConfigParser
 from sssd.testlib.common.utils import sssdTools
@@ -13,6 +14,7 @@ class TestSanitySSSD(object):
 """ Basic Sanity Test cases """
+ @pytest.mark.converted('test_authentication.py', 'test_authentication__login')
 @staticmethod
 def test_ssh_user_login(multihost):
 """
@@ -23,6 +25,7 @@ def test_ssh_user_login(multihost):
 ssh0 = client.auth_from_client("foo1", 'Secret123') == 3
 assert ssh0, "Authentication Failed as user foo1"
+ @pytest.mark.converted('test_kcm.py', 'test_kcm__simple_kinit')
 @staticmethod
 def test_kinit(multihost):
 """
@@ -39,6 +42,7 @@ def test_kinit(multihost):
 f'su - {user} -c "klist"', raiseonerr=False)
 assert cmd2.returncode == 0, "klist failed!"
+ @pytest.mark.converted('test_authentication.py', 'test_authentication__offline_login')
 @staticmethod
 def test_offline_ssh_login(multihost):
 """
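Review bot: The `@pytest.mark.converted(...)` decorators are stacked above `@staticmethod` in all three marker hunks of test_basic.py (test_ssh_user_login, test_kinit, test_offline_ssh_login), so the mark is applied to the staticmethod wrapper rather than to the test function. Older pytest releases are known to silently lose marks placed that way, which would leave the converted tests untracked without any error. Putting the mark directly on the function avoids the dependency on pytest's behaviour: `@staticmethod` first, then `@pytest.mark.converted('test_authentication.py', 'test_authentication__login')` immediately above the `def`. The test bodies continue outside these hunks, and whether `converted` is a registered marker is not visible here.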
diff --git a/src/tests/system/tests/test_authentication.py b/src/tests/system/tests/test_authentication.py
new file mode 100644
index 00000000000..bf30c180f54
--- /dev/null
+++ b/src/tests/system/tests/test_authentication.py
@@ -0,0 +1,86 @@
+"""
+SSSD Sanity Test Cases
+
+:requirement: offline
+"""
+from __future__ import annotations
+
+import pytest
+from sssd_test_framework.roles.client import Client
+from sssd_test_framework.roles.generic import GenericProvider
+from sssd_test_framework.topology import KnownTopologyGroup
+
+
+@pytest.mark.topology(KnownTopologyGroup.AnyProvider)
+@pytest.mark.parametrize("method", ["su", "ssh"])
+def test_authentication__login(client: Client, provider: GenericProvider, method: str):
+ """
+ :title: ssh/su login
+ :setup:
+ 1. Add user to SSSD
+ 2. Set password for user
+ 3. Start SSSD
+ :steps:
+ 1. Authenticate user with correct password
+ 2. Authenticate user with incorrect password
+ :expectedresults:
+ 1. User is authenticated
+ 2. User is not authenticated
+ :customerscenario: False
+ """
+ provider.user("user1").add(password="Secret123")
+
+ client.sssd.start()
+
+ assert client.auth.parametrize(method).password("user1", "Secret123"), "login with correct password failed"
+ assert not client.auth.parametrize(method).password("user1", "NOTSecret123"), "login with wrong password succeeded"
+
+
+@pytest.mark.topology(KnownTopologyGroup.AnyProvider)
+@pytest.mark.parametrize("method", ["su", "ssh"])
+def test_authentication__offline_login(client: Client, provider: GenericProvider, method: str):
+ """
+ :title: Offline ssh/su login
+ :setup:
+ 1. Add user to SSSD and set its password
+ 2. In SSSD domain change "cache_credentials" and "krb5_store_password_if_offline" to "True"
+ 3. In SSSD pam change "offline_credentials_expiration" to "0"
+ 4. Start SSSD
+ :steps:
+ 1. Authenticate user with wrong password
+ 2. Authenticate user with correct password
+ 3. Make server offline (by removing firewall rules for LDAP, KDC and Global Catalog ports)
+ 4. Bring SSSD offline explicitly
+ 5. Offline authentication of user with correct password
+ 6. Offline authentication of user with wrong password
+ :expectedresults:
+ 1. User is not authenticated
+ 2. User is authenticated
+ 3. Firewall rules dropped
+ 4. SSSD is offline
+ 5. Offline authentication is successful
+ 6. Offline authentication is not successful
+ :customerscenario: False
+ """
+ user = "user1"
+ correct = "Secret123"
+ wrong = "Wrong123"
+ provider.user(user).add(password=correct)
+
+ client.sssd.domain["cache_credentials"] = "True"
+ client.sssd.domain["krb5_store_password_if_offline"] = "True"
+ client.sssd.pam["offline_credentials_expiration"] = "0"
+ client.sssd.start()
+
+ assert not client.auth.parametrize(method).password(user, wrong), "login with wrong password succeeded"
+ assert client.auth.parametrize(method).password(user, correct), "login with correct password failed"
+
+ # Block KDC, LDAP and Global Catalog ports.
+ provider.firewall.drop([88, 389, 3268])
+
+ # There might be active connections that are not terminated by creating firewall rule.
+ # We need to terminated it by bringing SSSD to offline state explicitly.
+ client.sssd.bring_offline()
+
+ assert client.auth.parametrize(method).password(user, correct), "offline login with correct password failed"
+ assert not client.auth.parametrize(method).password(user, wrong), "offline login with wrong password succeeded"
diff --git a/src/tests/system/tests/test_kcm.py b/src/tests/system/tests/test_kcm.py
index aa7b61608c5..6a6ed020f5d 100644
--- a/src/tests/system/tests/test_kcm.py
+++ b/src/tests/system/tests/test_kcm.py
@@ -9,6 +9,7 @@ import time
 import pytest
+from pytest_mh.ssh import SSHProcessError
 from sssd_test_framework.roles.client import Client
 from sssd_test_framework.roles.kdc import KDC
 from sssd_test_framework.topology import KnownTopology
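Review bot: In test_authentication__offline_login nothing between `client.sssd.bring_offline()` and the last two assertions checks that the domain is really offline, although the docstring lists "SSSD is offline" as an expected result. Those two assertions have the same outcome when SSSD is still online, so if the backend stays reachable (only ports 88, 389 and 3268 are dropped, and a provider reached over another port would presumably be unaffected) the cached-credential check is never exercised and the test still passes. Add an explicit assertion on the offline state before them, for example that `sssctl domain-status` reports the domain as offline. The comment above the call also has a typo; it should read `# We need to terminate them by bringing SSSD to offline state explicitly.`, and step 3 of the docstring says "removing firewall rules" where the code adds a drop rule.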
@@ -363,3 +364,40 @@ def test_kcm__tgt_renewal(client: Client, kdc: KDC):
 (renew_start, _) = krb.list_tgt_times(kdc.realm)
 assert init_start < renew_start
+
+
+@pytest.mark.topology(KnownTopology.Client)
+def test_kcm__simple_kinit(client: Client, kdc: KDC):
+ """
+ :title: kinit is successfull after user login
+ :setup:
+ 1. Add 'user1' to kdc and set its password
+ 2. Add 'user1' to local and set its password
+ 3. Configure Kerberos to allow KCM tests
+ :steps:
+ 1. Authenticate user with ssh
+ 2. Authenticate to kerberos
+ 3. Call "kinit" with correct password
+ 4. Call "kinit" with wrong password
+ 5. Call "klist"
+ :expectedresults:
+ 1. User is authenticated
+ 2. User is authenticated
+ 3. Call is successful
+ 4. Call is not successful
+ 5. Call is successful
+ :customerscenario: False
+ """
+ username = "user1"
+ password = "Secret123"
+
+ kdc.principal(username).add(password=password)
+ client.local.user(username).add(password=password)
+ client.sssd.common.kcm(kdc)
+
+ with client.ssh(username, password) as ssh:
+ with client.auth.kerberos(ssh) as krb:
+ assert krb.kinit(username, password=password).rc == 0, "Kinit with correct password failed"
+ with pytest.raises(SSHProcessError):
+ krb.kinit(username, password="wrong")
+ assert krb.klist().rc == 0, "Klist failed"
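Review bot: The negative check in test_kcm__simple_kinit, `with pytest.raises(SSHProcessError):` around `krb.kinit(username, password="wrong")`, passes on any failure of the remote command, not only on a rejected password. An unreachable KDC or a broken KCM setup at that point would satisfy it just as well. Capture the exception (`with pytest.raises(SSHProcessError) as excinfo:`) and assert that it reports an authentication failure, so the test pins the behaviour it is named for. The final `assert krb.klist().rc == 0` likewise only shows that some credential cache is listable; checking that the output names `user1`'s principal would tie it to the ticket obtained by the first kinit. The docstring title should read `:title: kinit is successful after user login`.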