
V4/Password Vault/Test Plan


Overview

This page describes test scenarios and test cases for the Password Vault feature. It focuses on the general parts: Installation, Container Management, Vault Management, and Secret Management. You can find more details about this feature in the Design document.

Test Plan

Vault Management

Test case: Creating and removing vaults; NOTE: if a test case does not specify a user, use your standard non-admin account (for example: "testuser")


Setup

Create some user that will run these tests (in this case: testuser - ipa user-add ...)

Actions

1. Remove nonexistent vault
$ ipa vault-del PrivateVault
2. Create a new private vault ("PrivateVault")
$ ipa vault-add PrivateVault --desc="Private vault"
3. Create the same private vault
$ ipa vault-add PrivateVault --desc="Private vault"
4. Create a shared vault ("SharedVault")
$ ipa vault-add SharedVault --desc="Shared vault" --shared
5. Create a shared vault ("SharedVault") as "admin" user (kinit admin)
$ ipa vault-add SharedVault --desc="Shared vault" --shared
6. Create the same shared vault (as "admin" user)
$ ipa vault-add SharedVault --desc="Shared vault" --shared
7. Create a symmetric private vault ("SymmetricVault")
$ ipa vault-add SymmetricVault --desc="Symmetric vault" --type=symmetric
8. Remove a symmetric private vault
$ ipa vault-del SymmetricVault
9. Create a symmetric private vault ("SymmetricVault") by inserting a password via CL
$ ipa vault-add SymmetricVault --desc="Symmetric vault" --type=symmetric --password=mypassword
10. Create a symmetric private vault ("SymmetricVault2") by inserting a password via password file
$ echo "mypassword" >password.txt; ipa vault-add SymmetricVault2 --desc="Symmetric vault 2" --type=symmetric --password-file=password.txt
11. Create an asymmetric vault ("AsymmetricVault")
$ openssl genrsa -out mykey.pem 2048; openssl rsa -in mykey.pem -pubout >mykey.pub; ipa vault-add AsymmetricVault --desc="Asymmetric vault" --type=asymmetric --public-key-file=mykey.pub
12. Create an asymmetric vault ("AsymmetricVault2") using same keys from "AsymmetricVault"
$ ipa vault-add AsymmetricVault2 --desc="Asymmetric vault 2" --type=asymmetric --public-key-file=mykey.pub
13. Create "HTTPNSS" service vault ("SvcHTTPNSSVault") as "admin" user
$ ipa vault-add SvcHTTPNSSVault --service=HTTP/server.example.com
14. Create "HTTPS" service vault ("SvcHTTPSVault") as "admin" user
$ ipa vault-add SvcHTTPSVault --service=HTTP/server.example.com
15. Create a private vault ("PV1")
$ ipa vault-add PV1 --desc="Private vault 1"
16. Create a private vault ("PV2")
$ ipa vault-add PV2 --desc="Private vault 2"
17. Remove several vaults ("PV1" and "PV2")
$ ipa vault-del PV1 PV2
18. Create a private asymmetric vault ("PrivAdmin") as admin user
$ openssl genrsa -out adminkey.pem 2048; openssl rsa -in adminkey.pem -pubout >adminkey.pub; ipa vault-add PrivAdmin --desc="Private Admin's vault" --type=asymmetric --public-key-file adminkey.pub

Expected results

1. Nonexistent vault not removed

ipa: ERROR: PrivateVault: vault not found

2. Private vault created

--------------------------
Added vault "PrivateVault"
--------------------------
  Vault name: PrivateVault
  Description: Private vault
  Type: standard
  Owner users: testuser

3. Private vault not created

ipa: ERROR: vault with name "PrivateVault" already exists

4. Shared vault not created

ipa: ERROR: Insufficient access: Insufficient 'add' privilege to add the entry 'cn=SharedVault,cn=shared,cn=vaults,cn=kra,dc=abc,dc=example,dc=com'.

5. Shared vault created

-------------------------
Added vault "SharedVault"
-------------------------
  Vault name: SharedVault
  Description: Shared vault
  Type: standard
  Owner users: admin

6. Shared vault not created

ipa: ERROR: vault with name "SharedVault" already exists

7. Symmetric private vault, protected by password from stdin, created (note that "Salt" is randomized value)

New password: ********
Verify password: ********
----------------------------
Added vault "SymmetricVault"
----------------------------
  Vault name: SymmetricVault
  Description: Symmetric vault
  Type: symmetric
  Salt: 7XWDD0CG8BLmoKSSOcKZ9g==
  Owner users: testuser

8. Symmetric private vault removed

------------------------------
Deleted vault "SymmetricVault"
------------------------------

9. Symmetric private vault, protected by password from CL, created

----------------------------
Added vault "SymmetricVault"
----------------------------
  Vault name: SymmetricVault
  Description: Symmetric vault
  Type: symmetric
  Salt: /eDKGdqCN+mTwP9mD/zb/Q==
  Owner users: testuser

10. Symmetric private vault, protected by password from password file, created

-----------------------------
Added vault "SymmetricVault2"
-----------------------------
  Vault name: SymmetricVault2
  Description: Symmetric vault 2
  Type: symmetric
  Salt: LI5JFVRMisOB0AoLKEIW5A==
  Owner users: testuser

11. Asymmetric private vault "AsymmetricVault" created ("Public key" is random value)

Generating RSA private key, 2048 bit long modulus
................................................................................................+++
....................................................+++
e is 65537 (0x10001)
writing RSA key
-----------------------------
Added vault "AsymmetricVault"
-----------------------------
  Vault name: AsymmetricVault
  Description: Asymmetric vault
  Type: asymmetric
  Public key: <value removed>
  Owner users: testuser

12. Asymmetric private vault "AsymmetricVault2" created ("Public key" is random value)

------------------------------
Added vault "AsymmetricVault2"
------------------------------
  Vault name: AsymmetricVault2
  Description: Asymmetric vault 2
  Type: asymmetric
  Public key: <value removed>
  Owner users: testuser

13. Symmetric service vault "SvcHTTPNSSVault" created

-----------------------------
Added vault "SvcHTTPNSSVault"
-----------------------------
  Vault name: SvcHTTPNSSVault
  Type: standard
  Owner users: admin

14. Asymmetric service vault "AsymLDAPVault" created

---------------------------
Added vault "SvcHTTPSVault"
---------------------------
  Vault name: SvcHTTPSVault
  Type: standard
  Owner users: admin

15. Private vault "PV1" created

-----------------
Added vault "PV1"
-----------------
  Vault name: PV1
  Description: Private vault 1
  Type: standard
  Owner users: testuser

16. Private vault "PV2" created

-----------------
Added vault "PV2"
-----------------
  Vault name: PV2
  Description: Private vault 2
  Type: standard
  Owner users: testuser

17. Both vaults ("PV1" and "PV2") removed

-----------------------
Deleted vault "PV1,PV2"
-----------------------

18. Asymmetric private vault "PrivAdmin" created ("Public key" is random value)

Generating RSA private key, 2048 bit long modulus
.................+++
............................................+++
e is 65537 (0x10001)
writing RSA key
-----------------------
Added vault "PrivAdmin"
-----------------------
  Vault name: PrivAdmin
  Description: Private Admin's vault
  Type: asymmetric
  Public key: <value removed>
  Owner users: admin

Test case: Modifying and listing vaults; NOTE: if a test case does not specify a user, use your standard non-admin account (for example: "testuser")


Setup

This test case is based on existing vaults, for more info see the test case "Creating and removing vaults"

Actions

1. Find and list private vaults
$ ipa vault-find
2. Find and list shared vaults
$ ipa vault-find --shared
3. Find and list shared vaults as "admin" user (kinit admin)
$ ipa vault-find --shared
4. Find the service vaults according to its name as "admin" user
$ ipa vault-find --service=HTTP/server.example.com
5. *>=FreeIPA-4.2.1* Find all service vaults
$ ipa vault-find --services
6. Display the basic vault info ("SymmetricVault")
$ ipa vault-show SymmetricVault
7. Display the complete vault info ("SymmetricVault")
$ ipa vault-show SymmetricVault --all
8. Change the vault description ("PrivateVault")
$ ipa vault-mod PrivateVault --desc="This is NOT a private vault"
9. Clear the vault description ("PrivateVault")
$ ipa vault-mod PrivateVault --desc=""
10. Change the vault description ("PrivateVault")
$ ipa vault-mod PrivateVault --setattr="Description=This is a private vault"
11. Display the complete vault info ("PrivateVault")
$ ipa vault-show PrivateVault --all

Expected results

1. 5 vaults found

----------------
5 vaults matched
----------------
  Vault name: AsymmetricVault
  Description: Asymmetric vault
  Type: asymmetric

  Vault name: AsymmetricVault2
  Description: Asymmetric vault 2
  Type: asymmetric

  Vault name: PrivateVault
  Description: 'This is a private vault'
  Type: standard

  Vault name: SymmetricVault
  Description: Symmetric vault
  Type: symmetric

  Vault name: SymmetricVault2
  Description: Symmetric vault 2
  Type: symmetric
----------------------------
Number of entries returned 5
----------------------------

2. No vault found

----------------
0 vaults matched
----------------
----------------------------
Number of entries returned 0
----------------------------

3. 1 shared vault found

---------------
1 vault matched
---------------
  Vault name: SharedVault
  Description: Shared vault
  Type: standard
----------------------------
Number of entries returned 1
----------------------------

4. Service vault found

---------------
1 vault matched
---------------
  Vault name: ServiceVault
  Type: standard
----------------------------
Number of entries returned 1
----------------------------

5. *>=FreeIPA-4.2.1* Service vault listed

---------------
1 vault matched
---------------
  Vault name: ServiceVault
  Type: standard
----------------------------
Number of entries returned 1
----------------------------

6. Symmetric vault listed ("Salt" has random value)

  Vault name: SymmetricVault
  Description: Symmetric vault
  Type: symmetric
  Salt: /eDKGdqCN+mTwP9mD/zb/Q==
  Owner users: testuser

7. Symmetric vault listed ("Salt" has random value)

  dn: cn=SymmetricVault,cn=testuser,cn=users,cn=vaults,cn=kra,dc=abc,dc=example,dc=com
  Vault name: SymmetricVault
  Description: Symmetric vault
  Type: symmetric
  Salt: /eDKGdqCN+mTwP9mD/zb/Q==
  Owner users: testuser
  objectclass: top, ipaVault

8. PrivateVault changed its description

-----------------------------
Modified vault "PrivateVault"
-----------------------------
  Vault name: PrivateVault
  Description: This is NOT a private vault
  Type: standard
  Owner users: testuser

9. PrivateVault has no description

-----------------------------
Modified vault "PrivateVault"
-----------------------------
  Vault name: PrivateVault
  Type: standard
  Owner users: testuser

10. PrivateVault changed its description

-----------------------------
Modified vault "PrivateVault"
-----------------------------
  Vault name: PrivateVault
  Description: This is a private vault
  Type: standard
  Owner users: testuser

11. PrivateVault displayed

  dn: cn=PrivateVault,cn=testuser,cn=users,cn=vaults,cn=kra,dc=abc,dc=example,dc=com
  Vault name: PrivateVault
  Description: This is a private vault
  Type: standard
  Owner users: testuser
  objectclass: top, ipaVault

Test case: Adding and removing vault members, owners, and groups; changing vault passwords; NOTE: if a test case does not specify a user, use your standard non-admin account (for example: "testuser")


Setup

Create several test users and groups (under "admin" user)

$ for I in 1 2 3 4; do echo "password" | ipa user-add --first=IPA${I} --last=TestUser --homedir=/home/testuseripa${I} --password testuseripa${I}; mkdir -p /home/testuseripa${I}/.ipa; chown -R testuseripa${I}:testuseripa${I} /home/testuseripa${I}; done
-------------------------
Added user "testuseripa1"
-------------------------
  User login: testuseripa1
  First name: IPA1
  Last name: TestUser
  Full name: IPA1 TestUser
  Display name: IPA1 TestUser
  Initials: IT
  Home directory: /home/testuseripa1
  GECOS: IPA1 TestUser
  Login shell: /bin/sh
  Kerberos principal: testuseripa1@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
  Email address: testuseripa1@abc.idm.lab.eng.brq.redhat.com
  UID: 1025000021
  GID: 1025000021
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
-------------------------
Added user "testuseripa2"
-------------------------
  User login: testuseripa2
  First name: IPA2
  Last name: TestUser
  Full name: IPA2 TestUser
  Display name: IPA2 TestUser
  Initials: IT
  Home directory: /home/testuseripa2
  GECOS: IPA2 TestUser
  Login shell: /bin/sh
  Kerberos principal: testuseripa2@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
  Email address: testuseripa2@abc.idm.lab.eng.brq.redhat.com
  UID: 1025000022
  GID: 1025000022
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
-------------------------
Added user "testuseripa3"
-------------------------
  User login: testuseripa3
  First name: IPA3
  Last name: TestUser
  Full name: IPA3 TestUser
  Display name: IPA3 TestUser
  Initials: IT
  Home directory: /home/testuseripa3
  GECOS: IPA3 TestUser
  Login shell: /bin/sh
  Kerberos principal: testuseripa3@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
  Email address: testuseripa3@abc.idm.lab.eng.brq.redhat.com
  UID: 1025000023
  GID: 1025000023
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
-------------------------
Added user "testuseripa4"
-------------------------
  User login: testuseripa4
  First name: IPA4
  Last name: TestUser
  Full name: IPA4 TestUser
  Display name: IPA4 TestUser
  Initials: IT
  Home directory: /home/testuseripa4
  GECOS: IPA4 TestUser
  Login shell: /bin/sh
  Kerberos principal: testuseripa4@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
  Email address: testuseripa4@abc.idm.lab.eng.brq.redhat.com
  UID: 1025000024
  GID: 1025000024
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

$ ipa group-add U1U2group
-----------------------
Added group "u1u2group"
-----------------------
  Group name: u1u2group
  GID: 1025000014

$ ipa group-add U3group
---------------------
Added group "u3group"
---------------------
  Group name: u3group
  GID: 1025000015

$ ipa group-add-member U1U2group --users=testuseripa1 --users=testuseripa2
  Group name: u1u2group
  GID: 1025000014
  Member users: testuseripa1, testuseripa2
-------------------------
Number of members added 2
-------------------------

$ ipa group-add-member U3group --users=testuseripa3
  Group name: u3group
  GID: 1025000015
  Member users: testuseripa3
-------------------------
Number of members added 1
-------------------------

Actions

1. Remove nonexistent vault member
$ ipa vault-remove-member PrivateVault --users=testmember
2. Remove nonexistent vault group
$ ipa vault-remove-member PrivateVault --groups testgroup
3. Create (as "admin" user) shared vault ("SharedU1U2")
$ ipa vault-add SharedU1U2 --shared --desc="Shared vault for testuseripa1 and testuseripa2"; ipa vault-add-member SharedU1U2 --shared --users=testuseripa1 --users=testuseripa2
4. Create (as "admin" user) shared vault ("SharedU3")
$ ipa vault-add SharedU3 --shared --desc="Shared vault for testuseripa3"; ipa vault-add-member SharedU3 --shared --users=testuseripa3
5. Create (as "admin" user) shared vault ("SharedG1G2")
$ ipa vault-add SharedG1G2 --shared --desc="Shared vault for u1u2group (testuseripa1 and testuseripa2)"; ipa vault-add-member SharedG1G2 --shared --groups=u1u2group
6. Create (as "admin" user) shared vault ("SharedG3")
$ ipa vault-add SharedG3 --shared --desc="Shared vault for u3group (testuseripa3)"; ipa vault-add-member SharedG3 --shared --groups=u3group
7. Create (as "admin" user) shared vault for all users ("ipausers" group)
$ ipa vault-add SharedAll --shared --desc="Shared vault for all users ('ipausers' group)"; ipa vault-add-member SharedAll --shared --groups=ipausers
8. Login as a user "testuseripa1" (change the password if you're asked for it), kinit, and list shared vaults
$ ipa vault-find --shared; ipa vault-show --shared SharedU1U2; ipa vault-show --shared SharedU3; ipa vault-show --shared SharedAll
9. Login as a user "testuseripa2" (change the password if you're asked for it), kinit, and list shared vaults
$ ipa vault-find --shared; ipa vault-show --shared SharedU1U2; ipa vault-show --shared SharedU3; ipa vault-show --shared SharedAll
10. Login as a user "testuseripa3" (change the password if you're asked for it), kinit, and list shared vaults
$ ipa vault-find --shared; ipa vault-show --shared SharedU1U2; ipa vault-show --shared SharedU3; ipa vault-show --shared SharedAll
11. Add group members "ipausers" and "trust admin" to shared vault "SharedAll" (as "testuser")
$ ipa vault-add-member SharedAll --shared --groups=ipausers --groups="trust admins"
12. Add group members "ipausers" and "trust admin" to shared vault "SharedAll" (as "admin" user)
$ ipa vault-add-member SharedAll --shared --groups=ipausers --groups="trust admins"
13. Remove group member "trust admins" from shared vault "SharedAll" (as "testuser")
$ ipa vault-remove-member SharedAll --shared --groups="trust admins"
14. Remove group member "trust admins" from shared vault "SharedAll" (as "admin" user)
$ ipa vault-remove-member SharedAll --shared --groups="trust admins"
15. Remove nonexistent vault owner
$ ipa vault-remove-owner SharedAll --shared --users testowner

16. Add a new owner to vault ("SharedAll")
$ ipa vault-add-owner SharedAll --shared --users testuser

17. As testuser add a new owner to shared ("SharedAll") vault
$ ipa vault-add-owner SharedAll --shared --users=testuseripa1
18. As remove admin and testuser owners from shared ("SharedAll") vault
$ ipa vault-remove-owner SharedAll --shared --users=admin --users=testuser
19. As testuser add a new vault owner ("testuser") to shared vault ("SharedAll")
$ ipa vault-add-owner SharedAll --shared --users=testuser
20. As admin add a new vault owner ("admin") to shared vault ("SharedAll")
$ ipa vault-add-owner SharedAll --shared --users=admin
21. As admin delete all vault owners ("SharedAll")
$ ipa vault-remove-owner SharedAll --shared --users=testuseripa1 --users=admin
22. Remove nonexistent owner group ("SharedG3") from shared vault
$ ipa vault-remove-owner SharedAll --shared --groups=SharedG3
23. Change the password of private vault ("PrivateVault")
$ ipa vault-mod PrivateVault --change-password
24. Change the password of symmetric vault ("SymmetricVault")
$ echo "mypassword2" >password-new.txt; ipa vault-mod SymmetricVault --old-password-file=password.txt --new-password-file=password-new.txt; rm -rf password.txt; mv password-new.txt password.txt
25. *>=FreeIPA-4.2.1* Change the key of asymmetric vault ("AsymmetricVault2")
$ openssl rsa -in mykey.pem -pubout >mykey2.pub; ipa vault-mod AsymmetricVault2 --change-password --private-key-file=mykey.pem --new-public-key-file=mykey2.pub

Expected results

1. Nonexistent member not removed

  Vault name: PrivateVault
  Description: 'This is a private vault'
  Type: standard
  Owner users: testuser
  Failed members: 
    member user: testmember: This entry is not a member
    member group: 
---------------------------
Number of members removed 0
---------------------------

2. Nonexistent group not removed

  Vault name: PrivateVault
  Description: 'This is a private vault'
  Type: standard
  Owner users: testuser
  Failed members: 
    member user: 
    member group: testgroup: This entry is not a member
---------------------------
Number of members removed 0
---------------------------

3. Shared vault created, testuseripa1 and testuseripa2 became the members of this vault

------------------------
Added vault "SharedU1U2"
------------------------
  Vault name: SharedU1U2
  Description: Shared vault for testuseripa1 and testuseripa2
  Type: standard
  Owner users: admin
  Vault name: SharedU1U2
  Description: Shared vault for testuseripa1 and testuseripa2
  Type: standard
  Owner users: admin
  Member users: testuseripa1, testuseripa2
-------------------------
Number of members added 2
-------------------------

4. Shared vault created, testuseripa3 became the members of this vault

----------------------
Added vault "SharedU3"
----------------------
  Vault name: SharedU3
  Description: Shared vault for testuseripa3
  Type: standard
  Owner users: admin
  Vault name: SharedU3
  Description: Shared vault for testuseripa3
  Type: standard
  Owner users: admin
  Member users: testuseripa3
-------------------------
Number of members added 1
-------------------------

5. Shared vault created, u1u2group group (testuseripa1 and testuseripa2) became the members of this vault

------------------------
Added vault "SharedG1G2"
------------------------
  Vault name: SharedG1G2
  Description: Shared vault for u1u2group (testuseripa1 and testuseripa2)
  Type: standard
  Owner users: admin
  Vault name: SharedG1G2
  Description: Shared vault for u1u2group (testuseripa1 and testuseripa2)
  Type: standard
  Owner users: admin
  Member groups: u1u2group
-------------------------
Number of members added 1
-------------------------

6. Shared vault created, u3group group (testuseripa3) became the members of this vault

----------------------
Added vault "SharedG3"
----------------------
  Vault name: SharedG3
  Description: Shared vault for u3group (testuseripa3)
  Type: standard
  Owner users: admin
  Vault name: SharedG3
  Description: Shared vault for u3group (testuseripa3)
  Type: standard
  Owner users: admin
  Member groups: u3group
-------------------------
Number of members added 1
-------------------------

7. Shared vault created, ipausers group (default group for all users) became the members of this vault

-----------------------
Added vault "SharedAll"
-----------------------
  Vault name: SharedAll
  Description: Shared vault for all users ('ipausers' group)
  Type: standard
  Owner users: admin
  Vault name: SharedAll
  Description: Shared vault for all users ('ipausers' group)
  Type: standard
  Owner users: admin
  Member groups: ipausers
-------------------------
Number of members added 1
-------------------------

8. 3 vaults listed, 1 from direct membership, 2 via group memberships; vault called "SharedU3" is not available for "testuseripa1"

----------------
3 vaults matched
----------------
  Vault name: SharedAll
  Description: Shared vault for all users ('ipausers' group)
  Type: standard

  Vault name: SharedG1G2
  Description: Shared vault for u1u2group (testuseripa1 and testuseripa2)
  Type: standard

  Vault name: SharedU1U2
  Description: Shared vault for testuseripa1 and testuseripa2
  Type: standard
----------------------------
Number of entries returned 3
----------------------------
  Vault name: SharedU1U2
  Description: Shared vault for testuseripa1 and testuseripa2
  Type: standard
  Owner users: admin
  Member users: testuseripa1, testuseripa2
ipa: ERROR: SharedU3: vault not found
  Vault name: SharedAll
  Description: Shared vault for all users ('ipausers' group)
  Type: standard
  Owner users: admin
  Member groups: ipausers

9. 3 vaults listed, 1 from direct membership, 2 via group memberships; vault called "SharedU3" is not available for "testuseripa2"

----------------
3 vaults matched
----------------
  Vault name: SharedAll
  Description: Shared vault for all users ('ipausers' group)
  Type: standard

  Vault name: SharedG1G2
  Description: Shared vault for u1u2group (testuseripa1 and testuseripa2)
  Type: standard

  Vault name: SharedU1U2
  Description: Shared vault for testuseripa1 and testuseripa2
  Type: standard
----------------------------
Number of entries returned 3
----------------------------
  Vault name: SharedU1U2
  Description: Shared vault for testuseripa1 and testuseripa2
  Type: standard
  Owner users: admin
  Member users: testuseripa1, testuseripa2
ipa: ERROR: SharedU3: vault not found
  Vault name: SharedAll
  Description: Shared vault for all users ('ipausers' group)
  Type: standard
  Owner users: admin
  Member groups: ipausers

10. 3 vaults listed, 1 from direct membership, 2 via group memberships; vault called "SharedU1U2" is not available for "testuseripa3"

----------------
3 vaults matched
----------------
  Vault name: SharedAll
  Description: Shared vault for all users ('ipausers' group)
  Type: standard

  Vault name: SharedG3
  Description: Shared vault for u3group (testuseripa3)
  Type: standard

  Vault name: SharedU3
  Description: Shared vault for testuseripa3
  Type: standard
----------------------------
Number of entries returned 3
----------------------------
ipa: ERROR: SharedU1U2: vault not found
  Vault name: SharedU3
  Description: Shared vault for testuseripa3
  Type: standard
  Owner users: admin
  Member users: testuseripa3
  Vault name: SharedAll
  Description: Shared vault for all users ('ipausers' group)
  Type: standard
  Owner users: admin
  Member groups: ipausers

11. No member to "SharedAll" vault added

  Vault name: SharedAll
  Description: Shared vault for all users ('ipausers' group)
  Type: standard
  Member groups: ipausers
  Failed members: 
    member user: 
    member group: ipausers: Insufficient access: Insufficient 'write' privilege to the 'member' attribute of entry 'cn=sharedall,cn=shared,cn=vaults,cn=kra,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com'.
    member group: trust admins: Insufficient access: Insufficient 'write' privilege to the 'member' attribute of entry 'cn=sharedall,cn=shared,cn=vaults,cn=kra,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com'.
-------------------------
Number of members added 0
-------------------------

12. "trust admins" group added to "SharedAll" vault, "ipausers" groups is already a member

  Vault name: SharedAll
  Description: Shared vault for all users ('ipausers' group)
  Type: standard
  Member groups: ipausers, trust admins
  Failed members: 
    member user: 
    member group: ipausers: This entry is already a member
-------------------------
Number of members added 1
-------------------------

13. "trust admins" group not removed

  Vault name: SharedAll
  Description: Shared vault for all users ('ipausers' group)
  Type: standard
  Member groups: ipausers, trust admins
  Failed members: 
    member user: 
    member group: trust admins: Insufficient access: Insufficient 'write' privilege to the 'member' attribute of entry 'cn=sharedall,cn=shared,cn=vaults,cn=kra,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com'.
---------------------------
Number of members removed 0
---------------------------

14. "trust admins" group removed

  Vault name: SharedAll
  Description: Shared vault for all users ('ipausers' group)
  Type: standard
  Member groups: ipausers
---------------------------
Number of members removed 1
---------------------------

15. Nonexistent owner not removed

  Vault name: SharedAll
  Description: Shared vault for all users ('ipausers' group)
  Type: standard
  Owner users: admin
  Member groups: ipausers
--------------------------
Number of owners removed 0
--------------------------

16. A new owner "testuser" added

  Vault name: SharedAll
  Description: Shared vault for all users ('ipausers' group)
  Type: standard
  Owner users: admin, testuser
  Member groups: ipausers
------------------------
Number of owners added 1
------------------------

17. A new owner "testuseripa1" added to shared vault

  Vault name: SharedAll
  Description: Shared vault for all users ('ipausers' group)
  Type: standard
  Owner users: admin, testuser, testuseripa1
  Member groups: ipausers
------------------------
Number of owners added 1
------------------------

18. Both owners deleted

  Vault name: SharedAll
  Description: Shared vault for all users ('ipausers' group)
  Type: standard
  Owner users: testuseripa1
  Member groups: ipausers
--------------------------
Number of owners removed 2
--------------------------

19. "testuser" didn't add "testuser" into vault owners

  Vault name: SharedAll
  Description: Shared vault for all users ('ipausers' group)
  Type: standard
  Owner users: testuseripa1, admin
  Member groups: ipausers
------------------------
Number of owners added 0
------------------------

20. "admin" was added into vault owners

  Vault name: SharedAll
  Description: Shared vault for all users ('ipausers' group)
  Type: standard
  Owner users: testuseripa1, admin
  Member groups: ipausers
------------------------
Number of owners added 1
------------------------

21. All owners deleted

  Vault name: SharedAll
  Description: Shared vault for all users ('ipausers' group)
  Type: standard
  Member groups: ipausers
--------------------------
Number of owners removed 2
--------------------------

22. No owner group deleted

  Vault name: SharedAll
  Description: Shared vault for all users ('ipausers' group)
  Type: standard
  Member groups: ipausers
--------------------------
Number of owners removed 0
--------------------------

23. #FreeIPA-4.2.1! Password (stdin) of "PrivateVault" changed.

Password: ****
New password: ******
Verify new password: ******
---------------------
Modified vault "PrivateVault"
---------------------
  Vault name: test
  Type: symmetric

24. #FreeIPA-4.2.1! Password (from file) of "PrivateVault" changed.

---------------------
Modified vault "SymmetricVault"
---------------------
  Vault name: SymmetricVault
  Type: symmetric

25. Key of "PrivateVault" changed.

---------------------
Modified vault "AsymmetricVault"
---------------------
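
The visibility expectations in results 8 to 10 above (each user sees only the shared vaults they belong to, directly or through a group) can be checked mechanically instead of by eye. The script below is an added example, not part of the original test plan or of FreeIPA: the helper names (vault_names, reported_count, check_visibility) are hypothetical, the first sample is expected result 8 copied from this page, and the second sample is constructed to show a failing case.

```shell
#!/bin/sh
# Added example: compare `ipa vault-find --shared` output with the set of
# vaults a user is expected to see. Sample outputs are embedded so the
# script runs without an IPA server.

# Print the vault names found in vault-find output (stdin), sorted.
vault_names() {
    sed -n 's/^[[:space:]]*Vault name:[[:space:]]*//p' | sort
}

# Print N from the "Number of entries returned N" footer (stdin).
reported_count() {
    sed -n 's/^Number of entries returned \([0-9][0-9]*\)$/\1/p'
}

# check_visibility OUTPUT EXPECTED_VAULT...
# Returns 0 only when the listed vaults are exactly the expected set and the
# footer count agrees. An unexpected vault means the user can see a vault
# they are not a member of; a missing one means membership is not honoured.
check_visibility() {
    output=$1
    shift
    expected=$(printf '%s\n' "$@" | sort)
    actual=$(printf '%s\n' "$output" | vault_names)
    count=$(printf '%s\n' "$output" | reported_count)
    status=0

    if [ "$count" != "$#" ]; then
        echo "FAIL: footer reports '$count' entries, expected $#" >&2
        status=1
    fi
    # Names listed but not expected (grep exits 1 on no match, hence || true).
    unexpected=$(printf '%s\n' "$actual" | grep -Fxv -e "$expected" || true)
    if [ -n "$unexpected" ]; then
        echo "FAIL: unexpected vault(s) visible: $unexpected" >&2
        status=1
    fi
    # Names expected but not listed.
    missing=$(printf '%s\n' "$expected" | grep -Fxv -e "$actual" || true)
    if [ -n "$missing" ]; then
        echo "FAIL: expected vault(s) not listed: $missing" >&2
        status=1
    fi
    return $status
}

# Expected result 8 from this page (listing seen by testuseripa1).
sample_testuseripa1() {
cat <<'EOF'
----------------
3 vaults matched
----------------
  Vault name: SharedAll
  Description: Shared vault for all users ('ipausers' group)
  Type: standard

  Vault name: SharedG1G2
  Description: Shared vault for u1u2group (testuseripa1 and testuseripa2)
  Type: standard

  Vault name: SharedU1U2
  Description: Shared vault for testuseripa1 and testuseripa2
  Type: standard
----------------------------
Number of entries returned 3
----------------------------
EOF
}

# Constructed failing sample: SharedU3 must not be visible to testuseripa1.
sample_leak() {
cat <<'EOF'
----------------
4 vaults matched
----------------
  Vault name: SharedAll
  Type: standard

  Vault name: SharedG1G2
  Type: standard

  Vault name: SharedU1U2
  Type: standard

  Vault name: SharedU3
  Type: standard
----------------------------
Number of entries returned 4
----------------------------
EOF
}

# Against a live server the first argument would be "$(ipa vault-find --shared)".
if check_visibility "$(sample_testuseripa1)" SharedAll SharedG1G2 SharedU1U2; then
    echo "testuseripa1: shared vault visibility matches expected result 8"
fi
check_visibility "$(sample_leak)" SharedAll SharedG1G2 SharedU1U2 \
    || echo "constructed sample: rejected because SharedU3 is visible"
```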

Test case: Archiving and retrieving data, copying vaults


Setup

This test case is based on existing vaults; for more info, see the test case "Creating and removing vaults". NOTE: if a test case does not specify a user, use your standard non-admin account (for example: "testuser")

Actions

1. Archive text data (base64) via stdin in standard vault ("PrivateVault")
$ ipa vault-archive PrivateVault --data=$(echo "secret" | base64)
2. Archive text data from file in standard vault ("PrivateVault")
$ echo "hello world" >secret1.in; ipa vault-archive PrivateVault --in=secret1.in
3. Archive text data from file in standard vault ("PrivateVault")
$ echo '$(echo ls)' "'"'!"\$&\0" secret in file"'"'" >secret2.in; ipa vault-archive PrivateVault --in=secret2.in
4. Archive text data from file in symmetric vault ("SymmetricVault")
$ ipa vault-archive SymmetricVault --password-file=password.txt --in secret1.in
5. Archive text data from file in asymmetric vault ("AsymmetricVault")
$ ipa vault-archive AsymmetricVault --in secret1.in
6. Archive text data from file in asymmetric vault ("AsymmetricVault2")
$ ipa vault-archive AsymmetricVault2 --in secret1.in
7. Retrieve data from standard vault and store it in given file
$ ipa vault-retrieve PrivateVault --out secret.out && cat secret.out && echo >secret.out
8. Retrieve data from symmetric vault and store it in given file
$ ipa vault-retrieve SymmetricVault --password-file=password.txt --out secret.out && cat secret.out && echo >secret.out
9. Retrieve data from asymmetric vault and store it in given file
$ ipa vault-retrieve --private-key-file=mykey.pem AsymmetricVault --out secret.out && cat secret.out && echo >secret.out
10. Try to retrieve data from asymmetric vault using incorrect private key and store it in given file
$ openssl genrsa -out newkey.pem 2048; openssl rsa -in newkey.pem -pubout >newkey.pub; ipa vault-retrieve --private-key-file=newkey.pem AsymmetricVault --out secret.out && cat secret.out && echo >secret.out
11. *>=FreeIPA-4.2.1* Archive text data (base64) via stdin in asymmetric vault ("AsymmetricVault2"), then change the private key, and try to retrieve data
$ ipa vault-archive AsymmetricVault2 --data=$(echo "secret" | base64); openssl genrsa -out newkey.pem 2048; openssl rsa -in newkey.pem -pubout >newkey.pub; ipa vault-mod AsymmetricVault2 --change-password --private-key-file=newkey.pem --new-public-key-file=newkey.pub; ipa vault-retrieve PrivateVault --out secret.out && cat secret.out && echo >secret.out; ipa vault-mod AsymmetricVault2 --change-password --private-key-file=mykey.pem --new-public-key-file=mykey2.pub
12. Archive text data via stdin in shared vault ("SharedVault") as admin
$ ipa vault-archive SharedVault --shared --data=$(echo "shared data" | base64)
13. Retrieve data from shared vault ("SharedVault")
$ ipa vault-retrieve SharedVault --shared
14. Archive text data via stdin in shared vault for all ("SharedAll")
$ ipa vault-archive SharedAll --shared --data=$(echo "shared for all" | base64)
15. Retrieve data from shared vault ("SharedAll") as "testuseripa1"
$ ipa vault-retrieve SharedAll --shared | grep 'Data:' | awk '{ print $2; }' | base64 -d
16. Archive empty file in shared vault "SharedG3" as "testuseripa3"
$ touch empty-file; ipa vault-archive SharedG3 --shared --in=empty-file; rm -rf empty-file
17. Archive huge file in shared vault "SharedG3" as "testuseripa3"
$ dd if=/dev/zero of=huge-file bs=1024k count=100; ipa vault-archive SharedG3 --shared --in=huge-file; rm -rf huge-file
18. *>=FreeIPA-4.2.1* Copy private vault to new private vault
$ ipa vault-copy PrivateVault NewPrivateVault
19. *>=FreeIPA-4.2.1* Copy shared vault to new shared vault as admin
$ ipa vault-copy SharedVault NewSharedVault1
20. *>=FreeIPA-4.2.1* Copy private vault to new shared vault
$ ipa vault-copy PrivateVault NewSharedVault2 --source-vault-id PrivateVault
21. *>=FreeIPA-4.2.1* Copy shared vault to new private vault
$ ipa vault-copy SharedVault PrivateVault
22. Archive text file in service vault ("SvcHTTPNSSVault") as "admin" user
$ echo "secret password" >nsspassword; ipa vault-archive SvcHTTPNSSVault --service=HTTP/server.example.com --in=nsspassword
23. Archive data file in service vault ("SvcHTTPSVault") as "admin" user
$ openssl genrsa -out services.pem 2048; openssl rsa -in services.pem -pubout >services.pub; ipa vault-archive SvcHTTPSVault --service=HTTP/server.example.com --in=services.pem
24. Retrieve data from service vault ("SvcHTTPNSSVault") as "admin" user
$ rm -rf nsspassword; ipa vault-retrieve SvcHTTPNSSVault --service=HTTP/server.example.com --out=nsspassword; cat nsspassword; rm -rf nsspassword
25. Retrieve data from service vault ("SvcHTTPSVault") as "admin" user
$ OLDSUM=$(sha512sum services.pem); rm -rf services.pem; ipa vault-retrieve SvcHTTPSVault --service=HTTP/server.example.com --out=services.pem; NEWSUM=$(sha512sum services.pem); [ "${OLDSUM}" == "${NEWSUM}" ] && echo PASS || echo FAIL; rm -rf services.pem

Expected results

1. Data stored in "PrivateVault" successfully

---------------------------------------
Archived data into vault "PrivateVault"
---------------------------------------

2. Data file stored in "PrivateVault" successfully

---------------------------------------
Archived data into vault "PrivateVault"
---------------------------------------

3. Data stored in "PrivateVault" successfully

---------------------------------------
Archived data into vault "PrivateVault"
---------------------------------------

4. Data stored in "SymmetricVault" successfully

-----------------------------------------
Archived data into vault "SymmetricVault"
-----------------------------------------

5. Data stored in "AsymmetricVault" successfully

------------------------------------------
Archived data into vault "AsymmetricVault"
------------------------------------------

6. Data stored in "AsymmetricVault2" successfully

-------------------------------------------
Archived data into vault "AsymmetricVault2"
-------------------------------------------

7. Data from "PrivateVault" retrieved successfully

----------------------------------------
Retrieved data from vault "PrivateVault"
----------------------------------------
$(echo ls) '!"\$&\0" secret in file"'

8. Data from "SymmetricVault" retrieved successfully

------------------------------------------
Retrieved data from vault "SymmetricVault"
------------------------------------------
hello world

9. Data from "AsymmetricVault" retrieved successfully

-------------------------------------------
Retrieved data from vault "AsymmetricVault"
-------------------------------------------
hello world

10. Data from "AsymmetricVault" not retrieved (incorrect private key)

Generating RSA private key, 2048 bit long modulus
..............................+++
....+++
e is 65537 (0x10001)
writing RSA key
ipa: ERROR: Invalid credentials

11. *>=FreeIPA-4.2.1* Archive text data (base64) via stdin in asymmetric vault ("AsymmetricVault2"), then change the private key, and try to retrieve data (IT SHOULDN'T BE POSSIBLE BECAUSE THE DATA IS ENCODED WITH ANOTHER PRIVATE KEY)


12. Data stored in "SharedVault" successfully

--------------------------------------
Archived data into vault "SharedVault"
--------------------------------------

13. Data from "SharedVault" not retrieved

ipa: ERROR: SharedVault: vault not found

14. Data stored in "SharedAll" successfully

------------------------------------
Archived data into vault "SharedAll"
------------------------------------

15. Data from "SharedAll" retrieved successfully (as "testuseripa1")

shared for all

16. Data stored in "SharedG3"

-----------------------------------
Archived data into vault "SharedG3"
-----------------------------------

17. Data stored in "SharedG3"

100+0 records in
100+0 records out
104857600 bytes (105 MB) copied, 0.219098 s, 479 MB/s
-----------------------------------
Archived data into vault "SharedG3"
-----------------------------------

18. *>=FreeIPA-4.2.1* Vault copied...

19. *>=FreeIPA-4.2.1* Vault copied...

20. *>=FreeIPA-4.2.1* Vault copied...

21. *>=FreeIPA-4.2.1* Vault copied...

22. Data stored in "SvcHTTPNSSVault"

------------------------------------------
Archived data into vault "SvcHTTPNSSVault"
------------------------------------------

23. Data stored in "SvcHTTPSVault"

Generating RSA private key, 2048 bit long modulus
.......................+++
........................+++
e is 65537 (0x10001)
writing RSA key
----------------------------------------
Archived data into vault "SvcHTTPSVault"
----------------------------------------

24. Data from "SvcHTTPNSSVault" retrieved successfully

-------------------------------------------
Retrieved data from vault "SvcHTTPNSSVault"
-------------------------------------------
secret password

25. Data from "SvcHTTPSVault" retrieved successfully

-----------------------------------------
Retrieved data from vault "SvcHTTPSVault"
-----------------------------------------
PASS
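
The retrieve steps above are checked by eye (`cat secret.out`) or, in step 25, by comparing `sha512sum` output. The following added example (not part of the original test plan) automates a byte-exact round-trip check for the metacharacter payload of step 3, the empty file of step 16 and a binary payload; the function names are hypothetical, and `vault_archive`/`vault_retrieve` are assumed hooks around the `ipa` commands used above that can be replaced by stand-ins for a dry run.

```shell
#!/bin/sh
# Added example, not part of the FreeIPA test plan; all function names are hypothetical.
# Usage: d=$(mktemp -d); make_payloads "$d"
#        run_roundtrips SymmetricVault "$d" --password-file=password.txt

# Hooks around the ipa commands from the actions above; extra options
# (--shared, --password-file=..., --service=...) are passed through unchanged.
vault_archive()  { va_v=$1; va_f=$2; shift 2; ipa vault-archive  "$va_v" --in="$va_f"  "$@"; }
vault_retrieve() { vr_v=$1; vr_f=$2; shift 2; ipa vault-retrieve "$vr_v" --out="$vr_f" "$@"; }

# Constructed payloads: shell metacharacters (step 3), empty file (step 16),
# and binary data with NUL bytes that a "$(cat file)" comparison would mangle.
make_payloads() {
    mp_dir=$1
    cat >"$mp_dir/meta.in" <<'EOF'
$(echo ls) '!"\$&\0" secret in file"'
EOF
    : >"$mp_dir/empty.in"
    head -c 4096 /dev/urandom >"$mp_dir/binary.in"
}

# Archive a file, retrieve it into a private temp file (mktemp creates it 0600),
# and compare byte for byte. Prints PASS/FAIL and returns 0 only on PASS.
roundtrip_check() {
    rc_vault=$1; rc_in=$2; shift 2
    rc_out=$(mktemp) || return 2
    rc_result=FAIL
    if vault_archive "$rc_vault" "$rc_in" "$@" >/dev/null &&
       vault_retrieve "$rc_vault" "$rc_out" "$@" >/dev/null &&
       cmp -s "$rc_in" "$rc_out"; then
        rc_result=PASS
    fi
    rm -f "$rc_out"   # never leave the retrieved secret on disk
    echo "$rc_result $rc_vault $(basename "$rc_in")"
    [ "$rc_result" = PASS ]
}

# Run every payload against one vault; non-zero if any round trip fails.
run_roundtrips() {
    rr_vault=$1; rr_dir=$2; shift 2
    rr_fail=0
    for rr_f in meta.in empty.in binary.in; do
        roundtrip_check "$rr_vault" "$rr_dir/$rr_f" "$@" || rr_fail=1
    done
    return "$rr_fail"
}
```

A failed retrieval (for example the wrong private key in step 10) is reported as FAIL, so negative tests should assert a non-zero return.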


Escrow Operations, *>=FreeIPA-4.2.1*

Test case: Creating vaults with escrow, escrowing existing vaults, archiving and retrieving secrets

Autotest

{{{autotest}}}

Setup

This test case is based on existing vaults; for more info, see the test case "Creating and removing vaults". NOTE: if a test case does not specify a user, use your standard non-admin account (for example: "testuser")

Actions

1. *>=FreeIPA-4.2.1* Create escrowed symmetric vault ("EscrowedSymmetricVault")
$ openssl genrsa -out escrowed.pem 2048; openssl rsa -in escrowed.pem -pubout >escrowed.pub; ipa vault-add EscrowedSymmetricVault --type=symmetric --escrow-public-key-file=escrowed.pub
2. *>=FreeIPA-4.2.1* Create escrowed asymmetric vault ("EscrowedAsymmetricVault")
$ ipa vault-add EscrowedAsymmetricVault --type=asymmetric --public-key-file=escrowed.pub --escrow-public-key-file=escrowed.pub
3. *>=FreeIPA-4.2.1* Archive some secrets in symmetric vault ("SymmetricVault2") and escrow this vault
$ ipa vault-archive SymmetricVault2 --data=$(echo "Symmetric Vault #2" | base64) --password-file=password.txt; ipa vault-mod SymmetricVault2 --escrow=true --escrow-public-key-file=escrowed.pub
4. *>=FreeIPA-4.2.1* Create a new asymmetric vault ("AsymmetricVault3"), archive some data in there, and escrow the vault
$ ipa vault-add AsymmetricVault3 --type=asymmetric --public-key-file=mykey2.pub; ipa vault-archive AsymmetricVault3 --data=$(echo "Asymmetric Vault #3" | base64); ipa vault-mod AsymmetricVault3 --private-key-file=mykey.pem --escrow=true --escrow-public-key-file=escrowed.pub
5. *>=FreeIPA-4.2.1* Unescrow existing escrowed vault ("SymmetricVault2")
$ ipa vault-mod SymmetricVault2 --escrow-public-key NONE
6. *>=FreeIPA-4.2.1* Retrieve a secret from escrowed vault ("AsymmetricVault3")
$ ipa vault-retrieve AsymmetricVault3 --escrow-private-key-file=escrowed.pem --out=secret-EscrowedV.txt; cat secret-EscrowedV.txt; rm -rf secret-EscrowedV.txt
7. *>=FreeIPA-4.2.1* Change the password of escrowed symmetric vault ("EscrowedSymmetricVault") and archive some secret
$ ipa vault-mod EscrowedSymmetricVault --change-password; ipa vault-archive EscrowedSymmetricVault --data=$(echo "Escrowed Symmetric Vault #1" | base64) --escrow-public-key-file=escrowed.pub
8. *>=FreeIPA-4.2.1* Reset the password of escrowed symmetric vault ("EscrowedSymmetricVault") but reject the request (it can be done by vault officer)
$ ipa vault-password EscrowedSymmetricVault --reset; ipa vault-password EscrowedSymmetricVault --reject; ipa vault-retrieve EscrowedSymmetricVault --password=<new password>
9. *>=FreeIPA-4.2.1* Reset the password of escrowed symmetric vault ("EscrowedSymmetricVault") and approve the request (it can be done by vault officer)
$ ipa vault-password EscrowedSymmetricVault --reset; ipa vault-password EscrowedSymmetricVault --approve --escrow-private-key-file=escrowed.pem; ipa vault-retrieve EscrowedSymmetricVault --password=<new password> | grep 'Data:' | awk '{ print $2; }' | base64 -d

Expected results

1. *>=FreeIPA-4.2.1* Escrowed symmetric vault created successfully

Generating RSA private key, 2048 bit long modulus
............................+++
........................+++
e is 65537 (0x10001)
writing RSA key
New password: ******
Verify password: ******
------------------------------------
Added vault "EscrowedSymmetricVault"
------------------------------------
  Vault name: EscrowedSymmetricVault
  Vault type: symmetric

2. *>=FreeIPA-4.2.1* Escrowed asymmetric vault created successfully

-------------------------------------
Added vault "EscrowedAsymmetricVault"
-------------------------------------
  Vault name: EscrowedAsymmetricVault
  Vault type: asymmetric

3. *>=FreeIPA-4.2.1* Data stored in "SymmetricVault2" and vault escrowed

------------------------------------------
Archived data into vault "SymmetricVault2"
------------------------------------------
-------------------------------
Modified vault "SymmetricVault"
-------------------------------

4. *>=FreeIPA-4.2.1* Asymmetric vault ("AsymmetricVault3") created, data stored, and the vault escrowed successfully

------------------------------
Added vault "AsymmetricVault3"
------------------------------
  Vault name: AsymmetricVault3
  Type: asymmetric
  Public key: ...
  Owner users: testuser
-------------------------------------------
Archived data into vault "AsymmetricVault3"
-------------------------------------------
--------------------------------
Modified vault "AsymmetricVault3"
--------------------------------

5. *>=FreeIPA-4.2.1* Symmetric vault ("SymmetricVault2") unescrowed

--------------------------------
Modified vault "SymmetricVault2"
--------------------------------

6. *>=FreeIPA-4.2.1* Data received from "AsymmetricVault3"

--------------------------------------------
Retrieved data from vault "AsymmetricVault3"
--------------------------------------------
Asymmetric Vault #3

7. *>=FreeIPA-4.2.1* The password of "EscrowedSymmetricVault" changed successfully

Password: *********
New password: *********
Verify password: ********
-------------------------
Password change completed
-------------------------
Password: ********
-------------------------------------------------
Archived data into vault "EscrowedSymmetricVault"
-------------------------------------------------

8. *>=FreeIPA-4.2.1* Password reset of "EscrowedSymmetricVault" requested successfully but disapproved by vault officer

New password: *********
Verify password: ********
-----------------------
Password change pending
-----------------------
------------------------
Password change canceled
------------------------
ipa: ERROR: Invalid credentials

9. *>=FreeIPA-4.2.1* Password reset of "EscrowedSymmetricVault" requested successfully and approved by vault officer, the secret retrieved successfully

New password: *********
Verify password: ********
-----------------------
Password change pending
-----------------------
-------------------------
Password change completed
-------------------------
Escrowed Symmetric Vault #1