From 845ccfed58f9ed3e9504a1ed11dd8bfc03f9cdb9 Mon Sep 17 00:00:00 2001 
From: Gabriel Nagy Date: Tue, 8 Aug 2023 21:47:38 +0300 Subject: [PATCH] Create directories after checking for binaries In case the binaries needed for certificate autoenrollment are not present on the system, avoid creating the needed directories. Also add a test to illustrate that we will not fail if the directory structure is wonky, if certmonger is not present. --- .../integration_tests/adsysctl_policy_test.go | 30 +++++++++++++++---- .../adsys/machine/nested/usr.bin.baz | 1 + .../apparmor.d/adsys/machine/usr.bin.bar | 1 + .../apparmor.d/adsys/machine/usr.bin.foo | 1 + .../adsys/users/adsystestuser@example.com | 6 ++++ .../dconf/db/gdm.d/adsys | 4 +++ .../dconf/db/gdm.d/locks/adsys | 3 ++ .../dconf/db/machine.d/adsys | 1 + .../dconf/db/machine.d/locks/adsys | 1 + .../dconf/profile/gdm | 3 ++ .../lib/private | 1 + .../lib/samba/cert_gpo_state_HOST.tdb | 1 + .../99-adsys-privilege-enforcement.conf | 6 ++++ .../run/machine/scripts/.ready | 0 .../scripts/scripts/empty-subfolder/.empty | 0 .../scripts/scripts/final-machine-script.sh | 1 + .../scripts/scripts/other-script-user-logon | 1 + .../scripts/otherfolder/script-user-logoff | 1 + .../scripts/scripts/script-machine-shutdown | 1 + .../scripts/scripts/script-machine-startup | 1 + .../machine/scripts/scripts/script-user-logon | 1 + .../scripts/scripts/subfolder/other-script | 1 + .../machine/scripts/scripts/unreferenced-data | 1 + .../scripts/scripts/unreferenced-script | 1 + .../run/machine/scripts/startup | 2 ++ .../run/users/.empty | 0 .../sudoers.d/99-adsys-privilege-enforcement | 10 +++++++ .../systemd/system/.empty | 0 internal/policies/certificate/cert-autoenroll | 24 +++++++-------- .../golden/enroll_with_cepces_not_installed | 1 - .../enroll_with_certmonger_not_installed | 1 - 31 files changed, 86 insertions(+), 20 deletions(-) create mode 100644 
cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/apparmor.d/adsys/machine/nested/usr.bin.baz create mode 100644 cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/apparmor.d/adsys/machine/usr.bin.bar create mode 100644 cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/apparmor.d/adsys/machine/usr.bin.foo create mode 100644 cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/apparmor.d/adsys/users/adsystestuser@example.com create mode 100644 cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/dconf/db/gdm.d/adsys create mode 100644 cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/dconf/db/gdm.d/locks/adsys create mode 100644 cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/dconf/db/machine.d/adsys create mode 100644 cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/dconf/db/machine.d/locks/adsys create mode 100644 cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/dconf/profile/gdm create mode 100644 cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/lib/private create mode 100644 cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/lib/samba/cert_gpo_state_HOST.tdb create mode 100644 
cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf create mode 100644 cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/run/machine/scripts/.ready create mode 100644 cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/run/machine/scripts/scripts/empty-subfolder/.empty create mode 100644 cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/run/machine/scripts/scripts/final-machine-script.sh create mode 100644 cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/run/machine/scripts/scripts/other-script-user-logon create mode 100644 cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/run/machine/scripts/scripts/otherfolder/script-user-logoff create mode 100644 cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/run/machine/scripts/scripts/script-machine-shutdown create mode 100755 cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/run/machine/scripts/scripts/script-machine-startup create mode 100644 cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/run/machine/scripts/scripts/script-user-logon create mode 100755 cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/run/machine/scripts/scripts/subfolder/other-script create mode 100644 
cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/run/machine/scripts/scripts/unreferenced-data create mode 100644 cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/run/machine/scripts/scripts/unreferenced-script create mode 100644 cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/run/machine/scripts/startup create mode 100644 cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/run/users/.empty create mode 100644 cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/sudoers.d/99-adsys-privilege-enforcement create mode 100644 cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/systemd/system/.empty
diff --git a/cmd/adsysd/integration_tests/adsysctl_policy_test.go b/cmd/adsysd/integration_tests/adsysctl_policy_test.go
index f92871a1d..f1492ff3d 100644
--- a/cmd/adsysd/integration_tests/adsysctl_policy_test.go
+++ b/cmd/adsysd/integration_tests/adsysctl_policy_test.go
@@ -216,6 +216,7 @@ func TestPolicyUpdate(t *testing.T) {
 readOnlyDirs []string
 winbindMockBehavior string
 purge bool
+ missingCertmonger bool
 wantErr bool
 }{
@@ -603,6 +604,21 @@ func TestPolicyUpdate(t *testing.T) {
 initState: "localhost-uptodate",
 systemAnswer: "no_proxy_object",
 },
+ "Does not error when certmonger or cepces is not available": {
+ args: []string{"-m"},
+ krb5ccname: "-",
+ krb5ccNamesState: []krb5ccNamesWithState{
+ {
+ src: "ccache_EXAMPLE.COM",
+ machine: true,
+ },
+ },
+ initState: "localhost-uptodate",
+ addPaths: []string{
+ "lib/private", // make parent of private dir a file
+ },
+ missingCertmonger: true,
+ },
 // Purge cases
 "Purge current user policies": {
@@ -966,13 +982,15 @@ func TestPolicyUpdate(t *testing.T) {
 t.Setenv("ADSYS_WBCLIENT_BEHAVIOR", tc.winbindMockBehavior)
 // Create fake certmonger and cepces binaries for the certificate manager
- binDir := t.TempDir()
- for _, executable := range []string{"getcert", "cepces-submit"} {
- // #nosec G306. We want this asset to be executable.
- err := os.WriteFile(filepath.Join(binDir, executable), []byte("#!/bin/sh\necho $@\n"), 0755)
- require.NoError(t, err, "Setup: could not create %q binary", executable)
+ if !tc.missingCertmonger {
+ binDir := t.TempDir()
+ for _, executable := range []string{"getcert", "cepces-submit"} {
+ // #nosec G306. We want this asset to be executable.
+ err := os.WriteFile(filepath.Join(binDir, executable), []byte("#!/bin/sh\necho $@\n"), 0755)
+ require.NoError(t, err, "Setup: could not create %q binary", executable)
+ }
+ t.Setenv("PATH", binDir+":"+os.Getenv("PATH"))
 }
- t.Setenv("PATH", binDir+":"+os.Getenv("PATH"))
 // Some tests will need some initial state assets
 for _, k := range tc.clearDirs {
diff --git a/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/apparmor.d/adsys/machine/nested/usr.bin.baz b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/apparmor.d/adsys/machine/nested/usr.bin.baz
new file mode 100644
index 000000000..c3fdc981e
--- /dev/null
+++ b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/apparmor.d/adsys/machine/nested/usr.bin.baz
@@ -0,0 +1 @@
+/usr/bin/baz {}
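Review bot: When tc.missingCertmonger is set, the new branch leaves PATH exactly as inherited from the host (nothing else in this hunk touches it), so the case only exercises the "binaries absent" path if the machine running the test has neither getcert nor cepces-submit installed; on a developer box with certmonger present it would silently run the enrollment path and compare that against the golden tree. It would be safer to make the precondition explicit in the setup, e.g. `if _, err := exec.LookPath("getcert"); tc.missingCertmonger && err == nil { t.Skip("getcert found on PATH, cannot simulate a missing certmonger") }` (exec from os/exec), or at least to state in a comment beside `if !tc.missingCertmonger {` that the case relies on the host not shipping these binaries. TestPolicyUpdate's body starts and ends outside the hunk.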
diff --git a/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/apparmor.d/adsys/machine/usr.bin.bar b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/apparmor.d/adsys/machine/usr.bin.bar
new file mode 100644
index 000000000..9fc2774f1
--- /dev/null
+++ b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/apparmor.d/adsys/machine/usr.bin.bar
@@ -0,0 +1 @@
+/usr/bin/bar {}
diff --git a/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/apparmor.d/adsys/machine/usr.bin.foo b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/apparmor.d/adsys/machine/usr.bin.foo
new file mode 100644
index 000000000..450648222
--- /dev/null
+++ b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/apparmor.d/adsys/machine/usr.bin.foo
@@ -0,0 +1 @@
+/usr/bin/foo {}
diff --git a/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/apparmor.d/adsys/users/adsystestuser@example.com b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/apparmor.d/adsys/users/adsystestuser@example.com
new file mode 100644
index 000000000..b60fe25fd
--- /dev/null
+++ b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/apparmor.d/adsys/users/adsystestuser@example.com
@@ -0,0 +1,6 @@
+^adsystestuser@example.com {
+/etc/environment r,
+@{HOMEDIRS}/.xauth* w,
+/usr/bin/{,b,d,rb}ash Ux,
+/usr/bin/{c,k,tc}sh Ux,
+}
diff --git a/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/dconf/db/gdm.d/adsys b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/dconf/db/gdm.d/adsys
new file mode 100644
index 000000000..f3b6f3bbe
--- /dev/null
+++ b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/dconf/db/gdm.d/adsys
@@ -0,0 +1,4 @@
+[org/gnome/desktop/interface]
+clock-format='24h'
+clock-show-date=false
+clock-show-weekday=true
diff --git a/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/dconf/db/gdm.d/locks/adsys b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/dconf/db/gdm.d/locks/adsys
new file mode 100644
index 000000000..8228842d9
--- /dev/null
+++ b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/dconf/db/gdm.d/locks/adsys
@@ -0,0 +1,3 @@
+/org/gnome/desktop/interface/clock-format
+/org/gnome/desktop/interface/clock-show-date
+/org/gnome/desktop/interface/clock-show-weekday
diff --git a/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/dconf/db/machine.d/adsys b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/dconf/db/machine.d/adsys
new file mode 100644
index 000000000..8b1378917
--- /dev/null
+++ b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/dconf/db/machine.d/adsys
@@ -0,0 +1 @@
+
diff --git a/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/dconf/db/machine.d/locks/adsys b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/dconf/db/machine.d/locks/adsys
new file mode 100644
index 000000000..8b1378917
--- /dev/null
+++ b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/dconf/db/machine.d/locks/adsys
@@ -0,0 +1 @@
+
diff --git a/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/dconf/profile/gdm b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/dconf/profile/gdm
new file mode 100644
index 000000000..96cbe1408
--- /dev/null
+++ b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/dconf/profile/gdm
@@ -0,0 +1,3 @@
+user-db:user
+system-db:gdm
+system-db:machine
\ No newline at end of file
diff --git a/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/lib/private b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/lib/private
new file mode 100644
index 000000000..47d2739ba
--- /dev/null
+++ b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/lib/private
@@ -0,0 +1 @@
+new content
\ No newline at end of file
diff --git a/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/lib/samba/cert_gpo_state_HOST.tdb b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/lib/samba/cert_gpo_state_HOST.tdb
new file mode 100644
index 000000000..9a69ddcee
--- /dev/null
+++ b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/lib/samba/cert_gpo_state_HOST.tdb
@@ -0,0 +1 @@
+TDB file
diff --git a/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
new file mode 100644
index 000000000..7b2facd62
--- /dev/null
+++ b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
@@ -0,0 +1,6 @@
+# This file is managed by adsys.
+# Do not edit this file manually.
+# Any changes will be overwritten.
+
+[Configuration]
+AdminIdentities=unix-user:bob@example.com;unix-group:mygroup@example2.com
diff --git a/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/run/machine/scripts/.ready b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/run/machine/scripts/.ready
new file mode 100644
index 000000000..e69de29bb
diff --git a/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/run/machine/scripts/scripts/empty-subfolder/.empty b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/run/machine/scripts/scripts/empty-subfolder/.empty
new file mode 100644
index 000000000..e69de29bb
diff --git a/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/run/machine/scripts/scripts/final-machine-script.sh b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/run/machine/scripts/scripts/final-machine-script.sh
new file mode 100644
index 000000000..ae7b4be6c
--- /dev/null
+++ b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/run/machine/scripts/scripts/final-machine-script.sh
@@ -0,0 +1 @@
+final machine script
diff --git a/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/run/machine/scripts/scripts/other-script-user-logon b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/run/machine/scripts/scripts/other-script-user-logon
new file mode 100644
index 000000000..e5a483136
--- /dev/null
+++ b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/run/machine/scripts/scripts/other-script-user-logon
@@ -0,0 +1 @@
+script user logon
diff --git a/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/run/machine/scripts/scripts/otherfolder/script-user-logoff b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/run/machine/scripts/scripts/otherfolder/script-user-logoff
new file mode 100644
index 000000000..4080816a8
--- /dev/null
+++ b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/run/machine/scripts/scripts/otherfolder/script-user-logoff
@@ -0,0 +1 @@
+script user logoff
diff --git a/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/run/machine/scripts/scripts/script-machine-shutdown b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/run/machine/scripts/scripts/script-machine-shutdown
new file mode 100644
index 000000000..4dc4c0713
--- /dev/null
+++ b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/run/machine/scripts/scripts/script-machine-shutdown
@@ -0,0 +1 @@
+script machine shutdown
diff --git a/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/run/machine/scripts/scripts/script-machine-startup b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/run/machine/scripts/scripts/script-machine-startup
new file mode 100755
index 000000000..5adba498f
--- /dev/null
+++ b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/run/machine/scripts/scripts/script-machine-startup
@@ -0,0 +1 @@
+script machine startup
diff --git a/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/run/machine/scripts/scripts/script-user-logon b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/run/machine/scripts/scripts/script-user-logon
new file mode 100644
index 000000000..e5a483136
--- /dev/null
+++ b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/run/machine/scripts/scripts/script-user-logon
@@ -0,0 +1 @@
+script user logon
diff --git a/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/run/machine/scripts/scripts/subfolder/other-script b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/run/machine/scripts/scripts/subfolder/other-script
new file mode 100755
index 000000000..47e740068
--- /dev/null
+++ b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/run/machine/scripts/scripts/subfolder/other-script
@@ -0,0 +1 @@
+subfolder other script
diff --git a/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/run/machine/scripts/scripts/unreferenced-data b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/run/machine/scripts/scripts/unreferenced-data
new file mode 100644
index 000000000..802d880a9
--- /dev/null
+++ b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/run/machine/scripts/scripts/unreferenced-data
@@ -0,0 +1 @@
+unreferenced data
diff --git a/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/run/machine/scripts/scripts/unreferenced-script b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/run/machine/scripts/scripts/unreferenced-script
new file mode 100644
index 000000000..be58cc792
--- /dev/null
+++ b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/run/machine/scripts/scripts/unreferenced-script
@@ -0,0 +1 @@
+unreferenced script
diff --git a/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/run/machine/scripts/startup b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/run/machine/scripts/startup
new file mode 100644
index 000000000..87bec63c0
--- /dev/null
+++ b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/run/machine/scripts/startup
@@ -0,0 +1,2 @@
+scripts/script-machine-startup
+scripts/subfolder/other-script
diff --git a/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/run/users/.empty b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/run/users/.empty
new file mode 100644
index 000000000..e69de29bb
diff --git a/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/sudoers.d/99-adsys-privilege-enforcement b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/sudoers.d/99-adsys-privilege-enforcement
new file mode 100644
index 000000000..770c1f06a
--- /dev/null
+++ b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/sudoers.d/99-adsys-privilege-enforcement
@@ -0,0 +1,10 @@
+# This file is managed by adsys.
+# Do not edit this file manually.
+# Any changes will be overwritten.
+
+%admin ALL=(ALL) !ALL
+%sudo ALL=(ALL:ALL) !ALL
+
+"bob@example.com" ALL=(ALL:ALL) ALL
+"%mygroup@example2.com" ALL=(ALL:ALL) ALL
+
diff --git a/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/systemd/system/.empty b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/systemd/system/.empty
new file mode 100644
index 000000000..e69de29bb
diff --git a/internal/policies/certificate/cert-autoenroll b/internal/policies/certificate/cert-autoenroll
index 53eb10954..4232c6f75 100755
--- a/internal/policies/certificate/cert-autoenroll
+++ b/internal/policies/certificate/cert-autoenroll
@@ -58,23 +58,11 @@ def main():
 private_dir = os.path.join(args.state_dir, 'private', 'certs')
 global_trust_dir = args.global_trust_dir
- # Create needed directories if they don't exist
- for directory in [samba_cache_dir, trust_dir, private_dir, global_trust_dir]:
- if not os.path.exists(directory):
- perms = 0o700 if directory == private_dir else 0o755
- os.makedirs(directory, mode=perms)
-
 with tempfile.NamedTemporaryFile(prefix='smb_conf') as smb_conf:
 smb_conf.write(smb_config(args.realm, args.debug).encode('utf-8'))
 smb_conf.flush()
 lp = param.LoadParm(smb_conf.name)
- c = Credentials()
- c.set_kerberos_state(MUST_USE_KERBEROS)
- c.guess(lp)
- username = c.get_username()
- store = GPOStorage(os.path.join(samba_cache_dir, f'cert_gpo_state_{args.object_name}.tdb'))
-
 # Set up logging
 logger_init('cert-autoenroll', lp.log_level())
@@ -82,6 +70,18 @@ def main():
 log.warning('certmonger and/or cepces not found, skipping certificate enrollment')
 return
+ # Create needed directories if they don't exist
+ for directory in [samba_cache_dir, trust_dir, private_dir, global_trust_dir]:
+ if not os.path.exists(directory):
+ perms = 0o700 if directory == private_dir else 0o755
+ os.makedirs(directory, mode=perms)
+
+ c = Credentials()
+ c.set_kerberos_state(MUST_USE_KERBEROS)
+ c.guess(lp)
+ username = c.get_username()
+ store = GPOStorage(os.path.join(samba_cache_dir, f'cert_gpo_state_{args.object_name}.tdb'))
+
 ext = adsys_cert_auto_enroll(lp, c, username, store)
 guid = f'adsys-cert-autoenroll-{args.object_name}'
 if args.action == 'enroll':
diff --git a/internal/policies/certificate/testdata/TestCertAutoenrollScript/golden/enroll_with_cepces_not_installed b/internal/policies/certificate/testdata/TestCertAutoenrollScript/golden/enroll_with_cepces_not_installed
index fefe24e79..a3bc384bd 100644
--- a/internal/policies/certificate/testdata/TestCertAutoenrollScript/golden/enroll_with_cepces_not_installed
+++ b/internal/policies/certificate/testdata/TestCertAutoenrollScript/golden/enroll_with_cepces_not_installed
@@ -2,5 +2,4 @@ Loading smb.conf
 [global]
 realm = example.com
-Loading state file: #STATEDIR#/samba/cert_gpo_state_keypress.tdb
 WARNING: certmonger and/or cepces not found, skipping certificate enrollment
diff --git a/internal/policies/certificate/testdata/TestCertAutoenrollScript/golden/enroll_with_certmonger_not_installed b/internal/policies/certificate/testdata/TestCertAutoenrollScript/golden/enroll_with_certmonger_not_installed
index fefe24e79..a3bc384bd 100644
--- a/internal/policies/certificate/testdata/TestCertAutoenrollScript/golden/enroll_with_certmonger_not_installed
+++ b/internal/policies/certificate/testdata/TestCertAutoenrollScript/golden/enroll_with_certmonger_not_installed
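Review bot: In the moved directory-creation loop, `os.makedirs(directory, mode=perms)` applies `mode` to the leaf directory only (Python 3.7+), so for `private_dir` the intermediate `private` component is created with the default, umask-derived mode and only `certs` ends up 0o700; if the parent is meant to shield key material as well, it has to be created explicitly with the restrictive mode. The `os.path.exists` pre-check also means a directory that already exists with wider permissions than intended is left as is, and check-then-create is a small race that `os.makedirs(..., exist_ok=True)` avoids while expressing the same intent. Whether `private` itself should be 0o700 cannot be confirmed from the hunk, so the parent handling below is a proposal to verify against what else is stored under it. main() starts and ends outside the hunk.
```python
    # Create needed directories if they don't exist. os.makedirs() applies
    # `mode` to the leaf directory only, so the parent of private_dir is
    # created explicitly with the same restrictive permissions.
    os.makedirs(os.path.dirname(private_dir), mode=0o700, exist_ok=True)
    for directory in [samba_cache_dir, trust_dir, private_dir, global_trust_dir]:
        perms = 0o700 if directory == private_dir else 0o755
        os.makedirs(directory, mode=perms, exist_ok=True)
    # … unchanged: Credentials / GPOStorage setup and enrollment …
```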
@@ -2,5 +2,4 @@ Loading smb.conf
 [global]
 realm = example.com
-Loading state file: #STATEDIR#/samba/cert_gpo_state_keypress.tdb
 WARNING: certmonger and/or cepces not found, skipping certificate enrollment