diff --git a/tests/smartcard_server_role/restart_sssd_cleanly.sh b/tests/smartcard_server_role/restart_sssd_cleanly.sh new file mode 100644 index 000000000..429a6ddca --- /dev/null +++ b/tests/smartcard_server_role/restart_sssd_cleanly.sh @@ -0,0 +1,5 @@ +#!/bin/bash -eu + +systemctl stop sssd +rm -rf /var/lib/sss/{db,mc}/* +systemctl start sssd diff --git a/tests/smartcard_server_role/test_smartcard_server_role.yml b/tests/smartcard_server_role/test_smartcard_server_role.yml new file mode 100644 index 000000000..413101cad --- /dev/null +++ b/tests/smartcard_server_role/test_smartcard_server_role.yml @@ -0,0 +1,185 @@ +--- +- name: Test smartcard_server role + hosts: "{{ ipa_test_host | default('ipaserver') }}" + become: true + gather_facts: true + + tasks: + + # STAGE 1: Use role + + - name: Configure IPA server for Smart Card authentication + ansible.builtin.include_role: + name: ipasmartcard_server + vars: + state: present + ipaadmin_password: SomeADMINpassword + ipasmartcard_server_ca_certs: /etc/ipa/ca.crt + + # STAGE 2: Prepare + + - name: Get Domain from server name + ansible.builtin.set_fact: + ipaserver_domain: "{{ ansible_facts['fqdn'].split('.')[1:] | join ('.') }}" + when: ipaserver_domain is not defined + + - name: Set ipaserver_realm. + ansible.builtin.set_fact: + ipaserver_realm: "{{ ipaserver_domain | upper }}" + when: ipaserver_realm is not defined + + - name: Install packages + ansible.builtin.package: + name: + - sssd + - softhsm + - opensc + - gnutls-utils + state: present + + # STAGE 2: Test + + - name: kinit using admin password + ansible.builtin.command: kinit admin + args: + stdin: SomeADMINpassword + + # Create user + + - name: Generate expire date + ansible.builtin.command: date --date="1 year" +"%Y%m%d%H%M%S" + register: result_date + + - name: Create user ipauser1 + ipauser: + ipaadmin_password: SomeADMINpassword + name: ipauser1 + first: ipa + last: user1 + password: SomeUSERpassword + passwordexpiration: "{{ result_date.stdout }}" + + # Setup softhsm for smart card emulation + + - name: Create /etc/sysconfig/sssd + ansible.builtin.copy: + dest: /etc/sysconfig/sssd + content: SOFTHSM2_CONF=/etc/sssd/conf.d/softhsm2_conf + mode: 0700 + + - name: Create /etc/sssd/conf.d/softhsm2_conf + ansible.builtin.copy: + dest: /etc/sssd/conf.d/softhsm2_conf + mode: 0700 + content: | + directories.tokendir = /var/lib/sss/tokens + log.level = DEBUG + slots.removable = true + + - name: Create directory /var/lib/sss/tokens + ansible.builtin.file: + path: /var/lib/sss/tokens + state: directory + mode: 0700 + + - name: Setup softhsm + ansible.builtin.command: softhsm2-util --init-token --slot 0 --label "My token 1" --pin mypin --so-pin mypin + environment: + SOFTHSM2_CONF: /etc/sssd/conf.d/softhsm2_conf + + # Setting up cert for ipauser1 + + - name: Create req_ipauser1.cnf + ansible.builtin.copy: + dest: req_ipauser1.cnf + mode: 0700 + content: | + [ req ] + distinguished_name = req_distinguished_name + prompt = no + + [ req_distinguished_name ] + O = Example + OU = Example Test + CN = ipauser1 + + [ req_exts ] + basicConstraints = CA:FALSE + nsCertType = client, email + nsComment = "ipauser1" + subjectKeyIdentifier = hash + keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment + extendedKeyUsage = clientAuth, emailProtection, msSmartcardLogin + subjectAltName = otherName:msUPN;UTF8:ipauser1@{{ ipaserver_realm }}, email:ipauser1@{{ ipaserver_domain }} + + - name: Generate user key + ansible.builtin.command: openssl genrsa -out ipauser1.key 2048 + + - name: Generate user csr + ansible.builtin.command: openssl req -new -nodes -key ipauser1.key -reqexts req_exts -config req_ipauser1.cnf -out ipauser1.csr + + - name: Submit csr to IPA + ansible.builtin.command: ipa cert-request ipauser1.csr --principal=ipauser1 --certificate-out=ipauser1.crt + + - name: Add user key to PKCS #11 security tokens + ansible.builtin.command: pkcs11-tool --module libsofthsm2.so --slot-index 0 -w ipauser1.key -y privkey --label ipauser1 -p mypin --set-id 0 -d 0 + environment: + SOFTHSM2_CONF: /etc/sssd/conf.d/softhsm2_conf + + - name: Add user crt to PKCS #11 security tokens + ansible.builtin.command: pkcs11-tool --module libsofthsm2.so --slot-index 0 -w ipauser1.crt -y cert --label ipauser1 -p mypin --set-id 0 -d 0 + environment: + SOFTHSM2_CONF: /etc/sssd/conf.d/softhsm2_conf + + # kdestroy + + - name: Destroy all kerberos tickets + ansible.builtin.command: kdestroy -A + + # Setup SSSD for Smart Card authentication + # Might need to add "p11_child_timeout = 60" to [pam] section + # Might need to add "krb5_auth_timeout = 60" to [domain/...] section + + - name: Stat /usr/bin/authselect + ansible.builtin.stat: + path: /usr/bin/authselect + register: result_stat_authselect + + - name: Use authselect to enable Smart Card authentication + ansible.builtin.command: authselect select sssd with-smartcard --force + when: result_stat_authselect.stat.exists + + - name: Use authconfig to enable Smart Card authentication + ansible.builtin.command: authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=sssd --smartcardaction=1 --updateall + when: not result_stat_authselect.stat.exists + + # Restart sssd, remove /var/lib/sss/{db,mc}/* + + - name: Stop sssd, remove /var/lib/sss/{db,mc}/*, start sssd + ansible.builtin.script: restart_sssd_cleanly.sh + + # Enable and start pcscd + + - name: Enable and start pcscd + ansible.builtin.service: + name: pcscd + state: started + + # Test pin with kinit + + - name: Test pin with kinit + ansible.builtin.command: kinit -X X509_user_identity=PKCS11:module_name=/usr/lib64/pkcs11/libsofthsm2.so ipauser1 + args: + stdin: mypin + environment: + SOFTHSM2_CONF: /etc/sssd/conf.d/softhsm2_conf + + # klist + + - name: List all kerberos tickets + ansible.builtin.command: klist + + # kdestroy + + - name: Destroy all kerberos tickets + ansible.builtin.command: kdestroy -A