Upstream test for smartcard_server role
This test uses softhsm to emulate a Smart Card on a server with
configured IPA DNS.

The configuration of softhsm in this way might break other tests.
t-woerner committed Sep 6, 2022
1 parent 5d7afb5 commit b1e588a
Showing 2 changed files with 190 additions and 0 deletions.
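--- a/tests/smartcard_server_role/restart_sssd_cleanly.sh
+++ b/tests/smartcard_server_role/restart_sssd_cleanly.sh
@@ -0,0 +1,5 @@
+#!/bin/bash -eu
+
+systemctl stop sssd
+rm -rf /var/lib/sss/{db,mc}/*
+systemctl start sssd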
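Review bot: If the `rm -rf` on the fourth line fails after `systemctl stop sssd` has succeeded, the `-e` in the shebang ends the script with sssd left stopped and no later task in the playbook restarts it. Placing `trap 'systemctl start sssd' EXIT` before the stop, in place of the final start line, restores the service on every exit path, including the error case.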
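--- a/tests/smartcard_server_role/test_smartcard_server_role.yml
+++ b/tests/smartcard_server_role/test_smartcard_server_role.yml
@@ -0,0 +1,185 @@
+---
+- name: Test group
+hosts: "{{ ipa_test_host | default('ipaserver') }}"
+become: true
+gather_facts: true
+
+tasks:
+
+# STAGE 1: Use role
+
+- name: Configure IPA server for Smart Card authentication
+ansible.builtin.include_role:
+name: ipasmartcard_server
+vars:
+state: present
+ipaadmin_password: SomeADMINpassword
+ipasmartcard_server_ca_certs: /etc/ipa/ca.crt
+
+# STAGE 2: Prepare
+
+- name: Get Domain from server name
+set_fact:
+ipaserver_domain: "{{ ansible_facts['fqdn'].split('.')[1:] | join ('.') }}"
+when: ipaserver_domain is not defined
+
+- name: Set ipaserver_realm.
+set_fact:
+ipaserver_realm: "{{ ipaserver_domain | upper }}"
+when: ipaserver_realm is not defined
+
+- name: Install packages
+ansible.builtin.package:
+name:
+- sssd
+- softhsm
+- opensc
+- gnutls-utils
+state: present
+
+# STAGE 2: Test
+
+- name: kinit using admin password
+ansible.builtin.command: kinit admin
+args:
+stdin: SomeADMINpassword
+
+# Create user
+
+- name: Generate expire date
+ansible.builtin.command: date --date="1 year" +"%Y%m%d%H%M%S"
+register: result_date
+
+- name: Create user ipauser1
+ipauser:
+ipaadmin_password: SomeADMINpassword
+name: ipauser1
+first: ipa
+last: user1
+password: SomeUSERpassword
+passwordexpiration: "{{ result_date.stdout }}"
+
+# Setup softhsm for smart card emulation
+
+- name: Create /etc/sysconfig/sssd
+ansible.builtin.copy:
+dest: /etc/sysconfig/sssd
+content: SOFTHSM2_CONF=/etc/sssd/conf.d/softhsm2_conf
+mode: 0700
+
+- name: Create /etc/sssd/conf.d/softhsm2_conf
+ansible.builtin.copy:
+dest: /etc/sssd/conf.d/softhsm2_conf
+mode: 0700
+content: |
+directories.tokendir = /var/lib/sss/tokens
+log.level = DEBUG
+slots.removable = true
+- name: Create directory /var/lib/sss/tokens
+ansible.builtin.file:
+path: /var/lib/sss/tokens
+state: directory
+mode: 0700
+
+- name: Setup softhsm
+command: softhsm2-util --init-token --slot 0 --label "My token 1" --pin mypin --so-pin mypin
+environment:
+SOFTHSM2_CONF: /etc/sssd/conf.d/softhsm2_conf
+
+# Setting up cert for ipauser1
+
+- name: Create req_ipauser1.cnf
+ansible.builtin.copy:
+dest: req_ipauser1.cnf
+mode: 0700
+content: |
+[ req ]
+distinguished_name = req_distinguished_name
+prompt = no
+[ req_distinguished_name ]
+O = Example
+OU = Example Test
+CN = ipauser1
+[ req_exts ]
+basicConstraints = CA:FALSE
+nsCertType = client, email
+nsComment = "ipauser1"
+subjectKeyIdentifier = hash
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection, msSmartcardLogin
+subjectAltName = otherName:msUPN;UTF8:ipauser1@{{ ipaserver_realm }}, email:ipauser1@{{ ipaserver_domain }}
+- name: Generate user key
+ansible.builtin.command: openssl genrsa -out ipauser1.key 2048
+
+- name: Generate user csr
+ansible.builtin.command: openssl req -new -nodes -key ipauser1.key -reqexts req_exts -config req_ipauser1.cnf -out ipauser1.csr
+
+- name: Submit csr to IPA
+ansible.builtin.command: ipa cert-request ipauser1.csr --principal=ipauser1 --certificate-out=ipauser1.crt
+
+- name: Add user key to PKCS #11 security tokens
+ansible.builtin.command: pkcs11-tool --module libsofthsm2.so --slot-index 0 -w ipauser1.key -y privkey --label ipauser1 -p mypin --set-id 0 -d 0
+environment:
+SOFTHSM2_CONF: /etc/sssd/conf.d/softhsm2_conf
+
+- name: Add user crt to PKCS #11 security tokens
+ansible.builtin.command: pkcs11-tool --module libsofthsm2.so --slot-index 0 -w ipauser1.crt -y cert --label ipauser1 -p mypin --set-id 0 -d 0
+environment:
+SOFTHSM2_CONF: /etc/sssd/conf.d/softhsm2_conf
+
+# kdestroy
+
+- name: Destroy all kerberos tickets
+ansible.builtin.command: kdestroy -A
+
+# Setup SSSD for Smart Card authentication
+# Might need to add "p11_child_timeout = 60" to [pam] section
+# Might need to add "krb5_auth_timeout = 60" to [domain/...] section
+
+- name: Stat /usr/bin/authselect
+stat:
+path: /usr/bin/authselect
+register: result_stat_authselect
+
+- name: Use authselect to enable Smart Card authentication
+command: authselect select sssd with-smartcard --force
+when: result_stat_authselect.stat.exists
+
+- name: Use authconfig to enable Smart Card authentication
+ansible.builtin.command: authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=sssd --smartcardaction=1 --updateall
+when: not result_stat_authselect.stat.exists
+
+# Restart sssd, remove /var/lib/sss/{db,mc}/*
+
+- name: Stop sssd, remove /var/lib/sss/{db,mc}/*, start sssd
+ansible.builtin.script: restart_sssd_cleanly.sh
+
+# Enable and start pcscd
+
+- name: Enable and start pcscd
+ansible.builtin.service:
+name: pcscd
+state: started
+
+# Test pin with kinit
+
+- name: Test pin with kinit
+command: kinit -X X509_user_identity=PKCS11:module_name=/usr/lib64/pkcs11/libsofthsm2.so ipauser1
+args:
+stdin: mypin
+environment:
+SOFTHSM2_CONF: /etc/sssd/conf.d/softhsm2_conf
+
+# klist
+
+- name: List all kerberos tickets
+ansible.builtin.command: klist
+
+# kdestroy
+
+- name: Destroy all kerberos tickets
+ansible.builtin.command: kdestroy -A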
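Review bot: The file modes in the copy tasks for /etc/sysconfig/sssd, softhsm2_conf and req_ipauser1.cnf and in the tokens directory task are written as the unquoted scalar `mode: 0700`; Ansible's YAML 1.1 loader reads the leading zero as octal, but a YAML 1.2 parser reads it as decimal 700 and ansible-lint's risky-octal rule rejects it, so each should be `mode: "0700"`. Module names are mixed within the one file — `set_fact`, `stat` and three bare `command` tasks sit next to `ansible.builtin.command` elsewhere — and would read more consistently as FQCNs throughout. The "Test pin with kinit" task hard-codes `/usr/lib64/pkcs11/libsofthsm2.so`, which presumably does not resolve on distributions that install the module under /usr/lib, whereas the two pkcs11-tool tasks above it pass the bare `libsofthsm2.so`; using the same name, or a variable, in the kinit line would make the test portable. The generated `ipauser1.key`, the csr and the initialised token with its PIN remain on the host after the final kdestroy with no cleanup stage, which the commit message already notes may affect other tests.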
