URL: https://github.com/freeipa/freeipa/pull/4544 Author: ssidhaye Title: #4544: Test for removing a subgroup Action: opened
PR body: """ Problem description: Removing an IPA sub-group should NOT remove the members from indirect parent that also belong to other subgroups The test: A user and three groups are created a,b,c 'c' should be a child of 'b' so that you have a->b->c user is direct member of 'a' and as a result member of 'b' and 'c'. Now when one adds a direct membership to 'b' nothing will change. If one removes the direct membership to 'b' again, nothing should change as well Pagure Link: https://pagure.io/SSSD/sssd/issue/3636 Signed-off-by: Sumedh Sidhaye <ssidh...@redhat.com> """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/4544/head:pr4544 git checkout pr4544
From 6627f3c98c872106b99a64a0872c72974fc19a6e Mon Sep 17 00:00:00 2001 From: Sumedh Sidhaye <ssidh...@redhat.com> Date: Wed, 15 Apr 2020 22:10:39 +0530 Subject: [PATCH] Test for removing a subgroup Problem description: Removing an IPA sub-group should NOT remove the members from indirect parent that also belong to other subgroups The test: A user and three groups are created a,b,c 'c' should be a child of 'b' so that you have a->b->c user is direct member of 'a' and as a result member of 'b' and 'c'. Now when one adds a direct membership to 'b' nothing will change. If one removes the direct membership to 'b' again, nothing should change as well Pagure Link: https://pagure.io/SSSD/sssd/issue/3636 Signed-off-by: Sumedh Sidhaye <ssidh...@redhat.com> --- ipatests/test_integration/test_sssd.py | 144 +++++++++++++++++++++++++ 1 file changed, 144 insertions(+)
diff --git a/ipatests/test_integration/test_sssd.py b/ipatests/test_integration/test_sssd.py
index f516e169a6..d052359eda 100644
--- a/ipatests/test_integration/test_sssd.py
+++ b/ipatests/test_integration/test_sssd.py
@@ -9,6 +9,7 @@
 import time
 from contextlib import contextmanager
 import re
+import random
 import pytest
 import subprocess
@@ -16,6 +17,7 @@
 from ipatests.test_integration.base import IntegrationTest
 from ipatests.pytest_ipa.integration import tasks
+from ipatests.pytest_ipa.integration.tasks import clear_sssd_cache
 from ipatests.util import xfail_context
 from ipaplatform.tasks import tasks as platform_tasks
 from ipaplatform.osinfo import osinfo
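Review bot: The second import hunk adds `from ipatests.pytest_ipa.integration.tasks import clear_sssd_cache` although `tasks` is already imported on the line above it; calling `tasks.clear_sssd_cache(...)` would match the `tasks.install_master` / `tasks.kinit_admin` calls in the new test and avoid a second name for the same module. `import random` in the first hunk is used only to suffix the test user name, so a fixed name would make a failed run easier to reproduce and would let the import go.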
@@ -403,3 +405,145 @@ def test_trustdomain_disable_disables_subdomain(self):
 assert 'no such user' in res.stderr_text
 # verify the user can be retrieved after re-enabling trustdomain
 self.master.run_command(['id', user])
+
+
+class TestNestedMembers(IntegrationTest):
+ num_clients = 1
+
+ @classmethod
+ def install(cls, mh):
+ tasks.install_master(cls.master)
+ tasks.install_client(cls.master, cls.clients[0])
+
+ def test_nested_group_members(self):
+ """Nested group memberships should be honoured
+
+ "c" should be a child of "b"
+ so that parent child relationship is as follows:
+ "a"->"b"->"c"
+
+ user1 is direct member of "a" and as a result
+ member of "b" and "c"".
+ Now if one adds a direct membership to child1
+ nothing will change.
+
+ Now if one removes the direct membership to "b"
+ nothing should change, the memberships should be honored
+ Linked Issue: https://pagure.io/SSSD/sssd/issue/3636
+ """
+ master = self.master
+ client = self.clients[0]
+ tasks.kinit_admin(master)
+
+ # add hbacrule
+ master.run_command(['ipa', 'hbacrule-add', '--usercat', 'all',
+ '--hostcat', 'all', '--servicecat', 'all',
+ 'any_to_any'])
+ # add a user
+ username = "testuser" + str(random.randint(200000, 9999999))
+ userpasswd = 'Secret123'
+ cmd = ['ipa', 'user-add',
+ '--first', username,
+ '--last', username,
+ '--password', username]
+ input_passwd = '{upasswd}\n{upasswd}\n'.format(upasswd=userpasswd)
+ cmd_output = master.run_command(cmd)
+ assert 'Added user "%s"' % username in cmd_output.stdout_text
+
+ cmd_output = master.run_command(['ipa', 'passwd', username],
+ stdin_text=input_passwd)
+ assert 'Changed password' in cmd_output.stdout_text
+
+ # add group a
+ cmd_output = master.run_command(['ipa', 'group-add', 'a'])
+ assert 'Added group "child1"' in cmd_output.stdout_text
+
+ # add group b
+ cmd_output = master.run_command(['ipa', 'group-add', 'b'])
+ assert 'Added group "child2"' in cmd_output.stdout_text
+
+ # add group parent
+ cmd_output = master.run_command(['ipa', 'group-add', 'c'])
+ assert 'Added group "parent"' in cmd_output.stdout_text
+
+ # add group members
+ cmd_output = master.run_command(['ipa', 'group-add-member',
+ 'b', '--groups', 'a'])
+ assert 'Group name: b' in cmd_output.stdout_text
+ assert 'Member groups: a' in cmd_output.stdout_text
+ assert 'Number of members added 1' in cmd_output.stdout_text
+
+ cmd_output = master.run_command(['ipa', 'group-add-member',
+ 'c', '--groups', 'b'])
+ assert 'Group name: c' in cmd_output.stdout_text
+ assert 'Member groups: b' in cmd_output.stdout_text
+ assert 'Indirect Member groups: a' in cmd_output.stdout_text
+
+ # add user to group 'a'
+ cmd_output = master.run_command(['ipa', 'group-add-member',
+ 'a', '--users', username])
+ assert 'Group name: a' in cmd_output.stdout_text
+ assert 'Member users: {}'.format(username) in cmd_output.stdout_text
+ assert 'Member of groups: b' in cmd_output.stdout_text
+ assert 'Indirect Member of group: c' in cmd_output.stdout_text
+
+ # clear sssd_cache
+ clear_sssd_cache(master)
+
+ # user lookup
+ cmd_output = master.run_command(['ipa', 'user-show', 'u1',
+ '|', 'grep', 'group'])
+ assert_str = 'Member of groups: a, ipausers'
+ assert assert_str in cmd_output.stdout_text
+ assert_str = 'Indirect Member of group: b, c'
+ assert assert_str in cmd_output.stdout_text
+
+ clear_sssd_cache(master)
+
+ # ssh to client using the user created above from master
+ input_passwd = '{upasswd}\n{upasswd}\n{upasswd}\n{upasswd}\n'\
+ .format(upasswd=userpasswd)
+ cmd_output = master.run_command(['ssh', '-q',
+ '%s@%s' %
+ (username, client.hostname),
+ 'groups'], stdin_text=input_passwd)
+ assert_str = '{} a b c'.format(username)
+ assert assert_str in cmd_output.stdout_text
+
+ # add member
+ cmd_output = master.run_command(['ipa', 'group-add-member',
+ 'b', '--users', username])
+ assert 'Group name: b' in cmd_output.stdout_text
+ assert 'Member users: {}'.format(username) in cmd_output.stdout_text
+ assert 'Member groups: a' in cmd_output.stdout_text
+ assert 'Member of groups: c' in cmd_output.stdout_text
+ assert 'Number of members added 1' in cmd_output.stdout_text
+
+ # now check ssh on the client
+ clear_sssd_cache(client)
+ cmd_output = client.run_command(['ssh', '-q',
+ '%s@%s' %
+ (username, client.hostname),
+ 'groups'],
+ stdin_text='{}\n'.format(userpasswd))
+ assert '{} a b c'.format(username) in cmd_output.stdout_text
+
+ # now back to server to remove member
+ cmd_output = master.run_command(['ipa', 'group-remove-member',
+ 'b', '--users', username])
+ assert_str = 'Indirect Member users: {}'.format(username)
+ assert 'Group name: b' in cmd_output.stdout_text
+ assert 'Member groups: a' in cmd_output.stdout_text
+ assert 'Member of groups: c' in cmd_output.stdout_text
+ assert assert_str in cmd_output.stdout_text
+ assert 'Number of members removed 1' in cmd_output.stdout_text
+
+ clear_sssd_cache(master)
+
+ # now check ssh on the client again
+ clear_sssd_cache(client)
+ cmd_output = client.run_command(['ssh', '-q',
+ '%s@%s' % (username, client.hostname),
+ 'groups'],
+ stdin_text='{}\n'.format(userpasswd))
+ assert '{} a b c'.format(username) in cmd_output.stdout_text
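Review bot: The three `group-add` assertions in `test_nested_group_members` check for names the commands never create (`group-add a` is followed by `assert 'Added group "child1"'`, and likewise `"child2"` and `"parent"`), so the test would stop before any nested-membership check runs; they should read `assert 'Added group "a"' in cmd_output.stdout_text` and the same for `b` and `c`. The `# user lookup` step has two further problems: `'u1'` is not the generated `username`, and `'|', 'grep', 'group'` inside an argv list is presumably handed to `ipa` as plain arguments rather than opening a pipe, so `['ipa', 'user-show', username]` with the two assertions applied to the full output is the safer form. `input_passwd` is built before `user-add` but only passed to the later `ipa passwd` call, while `'--password', username` puts the user name after what looks like a prompt flag; which of the two is intended should be made explicit. The `ssh` calls rely on `stdin_text` to answer the password prompt, which may not work if ssh reads the password from the terminal rather than stdin, and since these `groups` checks are the part that exercises how SSSD resolves the memberships that access rules depend on, it is worth confirming they are reached and can fail.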