Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Integration tests for certificate policy manager #753

Merged
merged 8 commits into from
Aug 2, 2023
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 10 additions & 6 deletions cmd/adsysd/daemon/daemon.go
Original file line number Diff line number Diff line change
Expand Up @@ -40,14 +40,16 @@ type daemonConfig struct {

Socket string
CacheDir string `mapstructure:"cache_dir"`
StateDir string `mapstructure:"state_dir"`
RunDir string `mapstructure:"run_dir"`

DconfDir string `mapstructure:"dconf_dir"`
SudoersDir string `mapstructure:"sudoers_dir"`
PolicyKitDir string `mapstructure:"policykit_dir"`
ApparmorDir string `mapstructure:"apparmor_dir"`
ApparmorFsDir string `mapstructure:"apparmorfs_dir"`
SystemUnitDir string `mapstructure:"systemunit_dir"`
DconfDir string `mapstructure:"dconf_dir"`
SudoersDir string `mapstructure:"sudoers_dir"`
PolicyKitDir string `mapstructure:"policykit_dir"`
ApparmorDir string `mapstructure:"apparmor_dir"`
ApparmorFsDir string `mapstructure:"apparmorfs_dir"`
SystemUnitDir string `mapstructure:"systemunit_dir"`
GlobalTrustDir string `mapstructure:"global_trust_dir"`

AdBackend string `mapstructure:"ad_backend"`
SSSdConfig sss.Config `mapstructure:"sssd"`
Expand Down Expand Up @@ -111,13 +113,15 @@ func New() *App {
RunE: func(cmd *cobra.Command, args []string) error {
adsys, err := adsysservice.New(context.Background(),
adsysservice.WithCacheDir(a.config.CacheDir),
adsysservice.WithStateDir(a.config.StateDir),
adsysservice.WithRunDir(a.config.RunDir),
adsysservice.WithDconfDir(a.config.DconfDir),
adsysservice.WithSudoersDir(a.config.SudoersDir),
adsysservice.WithPolicyKitDir(a.config.PolicyKitDir),
adsysservice.WithApparmorDir(a.config.ApparmorDir),
adsysservice.WithApparmorFsDir(a.config.ApparmorFsDir),
adsysservice.WithSystemUnitDir(a.config.SystemUnitDir),
adsysservice.WithGlobalTrustDir(a.config.GlobalTrustDir),
adsysservice.WithADBackend(a.config.AdBackend),
adsysservice.WithSSSConfig(a.config.SSSdConfig),
adsysservice.WithWinbindConfig(a.config.WinbindConfig),
Expand Down
4 changes: 3 additions & 1 deletion cmd/adsysd/integration_tests/adsys_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -236,6 +236,7 @@ socket: %s/socket

# Service only configuration
cache_dir: %s/cache
state_dir: %s/lib
run_dir: %s/run
service_timeout: 30

Expand All @@ -254,7 +255,8 @@ policykit_dir: %s/polkit-1
apparmor_dir: %s/apparmor.d/adsys
apparmorfs_dir: %s/apparmorfs
systemunit_dir: %s/systemd/system
`, args.adsysDir, args.adsysDir, args.adsysDir, args.backend, args.adsysDir, args.adsysDir, args.adsysDir, args.adsysDir, args.adsysDir, args.adsysDir, args.adsysDir))
global_trust_dir: %s/share/ca-certificates
`, args.adsysDir, args.adsysDir, args.adsysDir, args.adsysDir, args.backend, args.adsysDir, args.adsysDir, args.adsysDir, args.adsysDir, args.adsysDir, args.adsysDir, args.adsysDir, args.adsysDir))

testutils.WriteFile(t, confFile, confData, os.ModePerm)
require.NoError(t, os.MkdirAll(filepath.Join(args.adsysDir, "dconf"), 0750), "Setup: should create dconf dir")
Expand Down
17 changes: 17 additions & 0 deletions cmd/adsysd/integration_tests/adsysctl_policy_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -711,6 +711,22 @@ func TestPolicyUpdate(t *testing.T) {
systemAnswer: "apply_proxy_fail",
wantErr: true,
},
"Error on system certificate autoenroll failing": {
args: []string{"-m"},
krb5ccname: "-",
krb5ccNamesState: []krb5ccNamesWithState{
{
src: "ccache_EXAMPLE.COM",
machine: true,
},
},
initState: "localhost-uptodate",
// this generates an error when parent directories are not writable
readOnlyDirs: []string{
"lib", // state directory
},
wantErr: true,
},
"Error on host is offline, without policies": {
sssdConf: "sssd.conf-offline",
initState: "old-data",
Expand Down Expand Up @@ -1073,6 +1089,7 @@ func TestPolicyUpdate(t *testing.T) {
testutils.CompareTreesWithFiltering(t, filepath.Join(adsysDir, "polkit-1"), filepath.Join(goldenPath, "polkit-1"), update)
testutils.CompareTreesWithFiltering(t, filepath.Join(adsysDir, "apparmor.d", "adsys"), filepath.Join(goldenPath, "apparmor.d", "adsys"), update)
testutils.CompareTreesWithFiltering(t, filepath.Join(adsysDir, "systemd", "system"), filepath.Join(goldenPath, "systemd", "system"), update)
testutils.CompareTreesWithFiltering(t, filepath.Join(adsysDir, "lib"), filepath.Join(goldenPath, "lib"), update)

// Current user can have different UID depending on where it’s running. We can’t mock it as we rely on current uid
// in the process for authorization check. Just make it generic.
Expand Down
Binary file not shown.
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
TDB file
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
TDB file
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
TDB file
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
TDB file
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
TDB file
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
TDB file
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
TDB file
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
TDB file
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
TDB file
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
TDB file
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
TDB file
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
TDB file
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
TDB file
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,9 @@ gpos:
disabled: true
- key: proxy/no-proxy
value: localhost,127.0.0.1,::1
certificate:
- key: autoenroll
value: "1"

- id: '{31B2F340-016D-11D2-945F-00C04FB984F9}'
name: Default Domain Policy
Expand Down
Binary file not shown.
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
TDB file
Original file line number Diff line number Diff line change
Expand Up @@ -54,6 +54,9 @@ gpos:
disabled: true
- key: proxy/no-proxy
value: old-localhost,127.0.0.1,::1
certificate:
- key: autoenroll
value: "32768"

- id: '{31B2F340-016D-11D2-945F-00C04FB984F9}'
name: Default Domain Policy
Expand Down
2 changes: 2 additions & 0 deletions conf.example/adsys.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -5,12 +5,14 @@ socket: /tmp/adsysd/socket
# Service only configuration
service_timeout: 3600
cache_dir: /tmp/adsysd/cache
state_dir: /tmp/adsysd/lib
run_dir: /tmp/adsysd/run
dconf_dir: /etc/dconf
sudoers_dir: /etc/sudoers.d
policykit_dir: /etc/polkit-1
apparmor_dir: /etc/apparmor.d/adsys
apparmorfs_dir: /sys/kernel/security/apparmor
global_trust_dir: /usr/local/share/ca-certificates

# Backend selection: sssd (default) or winbind
#ad_backend: sssd
Expand Down
80 changes: 54 additions & 26 deletions internal/adsysservice/adsysservice.go
Original file line number Diff line number Diff line change
Expand Up @@ -46,28 +46,32 @@ type Service struct {
}

type state struct {
cacheDir string
runDir string
dconfDir string
sudoersDir string
policyKitDir string
apparmorDir string
systemUnitDir string
cacheDir string
stateDir string
runDir string
dconfDir string
sudoersDir string
policyKitDir string
apparmorDir string
systemUnitDir string
globalTrustDir string
}

type options struct {
cacheDir string
runDir string
dconfDir string
sudoersDir string
policyKitDir string
apparmorDir string
apparmorFsDir string
systemUnitDir string
adBackend string
sssConfig sss.Config
winbindConfig winbind.Config
authorizer authorizerer
cacheDir string
stateDir string
runDir string
dconfDir string
sudoersDir string
policyKitDir string
apparmorDir string
apparmorFsDir string
systemUnitDir string
globalTrustDir string
adBackend string
sssConfig sss.Config
winbindConfig winbind.Config
authorizer authorizerer
}
type option func(*options) error

Expand All @@ -83,6 +87,14 @@ func WithCacheDir(p string) func(o *options) error {
}
}

// WithStateDir specifies a personalized daemon state directory.
func WithStateDir(p string) func(o *options) error {
return func(o *options) error {
o.stateDir = p
return nil
}
}

// WithRunDir specifies a personalized /run.
func WithRunDir(p string) func(o *options) error {
return func(o *options) error {
Expand Down Expand Up @@ -141,6 +153,14 @@ func WithSystemUnitDir(p string) func(o *options) error {
}
}

// WithGlobalTrustDir specifies a personalized directory for global trust store.
func WithGlobalTrustDir(p string) func(o *options) error {
return func(o *options) error {
o.globalTrustDir = p
return nil
}
}

// WithADBackend specifies our specific backend to select.
func WithADBackend(backend string) func(o *options) error {
return func(o *options) error {
Expand Down Expand Up @@ -261,6 +281,9 @@ func New(ctx context.Context, opts ...option) (s *Service, err error) {
if args.cacheDir != "" {
policyOptions = append(policyOptions, policies.WithCacheDir(args.cacheDir))
}
if args.stateDir != "" {
policyOptions = append(policyOptions, policies.WithStateDir(args.stateDir))
}
if args.dconfDir != "" {
policyOptions = append(policyOptions, policies.WithDconfDir(args.dconfDir))
}
Expand All @@ -282,6 +305,9 @@ func New(ctx context.Context, opts ...option) (s *Service, err error) {
if args.systemUnitDir != "" {
policyOptions = append(policyOptions, policies.WithSystemUnitDir(args.systemUnitDir))
}
if args.globalTrustDir != "" {
policyOptions = append(policyOptions, policies.WithGlobalTrustDir(args.globalTrustDir))
}
m, err := policies.NewManager(bus, hostname, adBackend, policyOptions...)
if err != nil {
return nil, err
Expand All @@ -295,13 +321,15 @@ func New(ctx context.Context, opts ...option) (s *Service, err error) {
policyManager: m,
authorizer: args.authorizer,
state: state{
cacheDir: args.cacheDir,
dconfDir: args.dconfDir,
sudoersDir: args.sudoersDir,
policyKitDir: args.policyKitDir,
runDir: args.runDir,
apparmorDir: args.apparmorDir,
systemUnitDir: args.systemUnitDir,
cacheDir: args.cacheDir,
stateDir: args.stateDir,
dconfDir: args.dconfDir,
sudoersDir: args.sudoersDir,
policyKitDir: args.policyKitDir,
runDir: args.runDir,
apparmorDir: args.apparmorDir,
systemUnitDir: args.systemUnitDir,
globalTrustDir: args.globalTrustDir,
},
initSystemTime: initSysTime,
bus: bus,
Expand Down
4 changes: 4 additions & 0 deletions internal/adsysservice/adsysservice_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -57,12 +57,14 @@ func TestNew(t *testing.T) {

temp := t.TempDir()
adsysCacheDir := filepath.Join(temp, "parentcache", "cache")
adsysStateDir := filepath.Join(temp, "var", "lib")
adsysRunDir := filepath.Join(temp, "parentrun", "run")
dconfDir := filepath.Join(temp, "dconf")
sudoersDir := filepath.Join(temp, "sudoers.d")
policyKitDir := filepath.Join(temp, "polkit-1")
apparmorDir := filepath.Join(temp, "apparmor.d", "adsys")
apparmorFsDir := filepath.Join(temp, "apparmorfs")
globalTrustDir := filepath.Join(temp, "ca-certificates")
if tc.existingAdsysDirs {
require.NoError(t, os.MkdirAll(adsysCacheDir, 0700), "Setup: could not create adsys cache directory")
require.NoError(t, os.MkdirAll(adsysRunDir, 0700), "Setup: could not create adsys run directory")
Expand All @@ -86,12 +88,14 @@ func TestNew(t *testing.T) {

options := []adsysservice.Option{
adsysservice.WithCacheDir(adsysCacheDir),
adsysservice.WithStateDir(adsysStateDir),
adsysservice.WithRunDir(adsysRunDir),
adsysservice.WithDconfDir(dconfDir),
adsysservice.WithSudoersDir(sudoersDir),
adsysservice.WithPolicyKitDir(policyKitDir),
adsysservice.WithApparmorDir(apparmorDir),
adsysservice.WithApparmorFsDir(apparmorFsDir),
adsysservice.WithGlobalTrustDir(globalTrustDir),
adsysservice.WithSSSConfig(sssdConfig),
adsysservice.WithWinbindConfig(winbindConfig),
}
Expand Down
2 changes: 2 additions & 0 deletions internal/consts/consts.go
Original file line number Diff line number Diff line change
Expand Up @@ -58,6 +58,8 @@ const (
DefaultApparmorDir = "/etc/apparmor.d/adsys"
// DefaultSystemUnitDir is the default directory for systemd unit files.
DefaultSystemUnitDir = "/etc/systemd/system"
// DefaultGlobalTrustDir is the default directory for the global trust store.
DefaultGlobalTrustDir = "/usr/local/share/ca-certificates"
)

// SSSD related properties.
Expand Down
22 changes: 9 additions & 13 deletions internal/policies/certificate/cert-autoenroll
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@ import json
import os
import sys
import tempfile
import shutil

from samba import param
from samba.credentials import MUST_USE_KERBEROS, Credentials
Expand Down Expand Up @@ -40,15 +41,9 @@ def main():
parser.add_argument('--policy_servers_json', type=str,
help='GPO entries for advanced configuration of the policy servers. \
Must be in JSON format.')
parser.add_argument('--samba_cache_dir', type=str,
default='/var/lib/adsys/samba',
help='Directory to store GPO Samba cache in.')
parser.add_argument('--private_dir', type=str,
default='/var/lib/adsys/private/certs',
help='Directory to store private keys in.')
parser.add_argument('--trust_dir', type=str,
default='/var/lib/adsys/certs',
help='Directory to store trusted certificates in.')
parser.add_argument('--state_dir', type=str,
default='/var/lib/adsys',
help='Directory to store all certificate-related files in.')
parser.add_argument('--global_trust_dir', type=str,
default='/usr/local/share/ca-certificates',
help='Directory to symlink root CA certificates to.')
Expand All @@ -57,9 +52,9 @@ def main():

args = parser.parse_args()

samba_cache_dir = args.samba_cache_dir
trust_dir = args.trust_dir
private_dir = args.private_dir
samba_cache_dir = os.path.join(args.state_dir, 'samba')
trust_dir = os.path.join(args.state_dir, 'certs')
private_dir = os.path.join(args.state_dir, 'private', 'certs')
global_trust_dir = args.global_trust_dir

# Create needed directories if they don't exist
Expand All @@ -86,7 +81,8 @@ def main():
ext.enroll(guid, entries, trust_dir, private_dir, global_trust_dir)
else:
ext.unenroll(guid)
os.removedirs(samba_cache_dir)
if os.path.exists(samba_cache_dir):
shutil.rmtree(samba_cache_dir)

def gpo_entries(entries_json):
"""
Expand Down
Loading