[Freeipa-devel] [freeipa PR#196][opened] ipatests: unresolvable nested netgroups

[apophys]

   URL: https://github.com/freeipa/freeipa/pull/196
Author: apophys
 Title: #196: ipatests: unresolvable nested netgroups
Action: opened

PR body:
"""
Adds a test case for issue in SSSD that manifested in
an inability to resolve nested membership in netgroups

The test case tests for direct and indirect membership.

https://fedorahosted.org/freeipa/ticket/6439
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/196/head:pr196
git checkout pr196

From 92f114d7b93fe13c4f9f6d06a02916aa8cb00cf5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Milan=20Kub=C3=ADk?= <mku...@redhat.com>
Date: Wed, 26 Oct 2016 13:41:02 +0000
Subject: [PATCH] ipatests: unresolvable nested netgroups

Adds a test case for issue in SSSD that manifested in
an inability to resolve nested membership in netgroups

The test case tests for direct and indirect membership.

https://fedorahosted.org/freeipa/ticket/6439
---
 ipatests/test_xmlrpc/test_netgroup_plugin.py | 113 +++++++++++++++++++++++++++
 1 file changed, 113 insertions(+)

diff --git a/ipatests/test_xmlrpc/test_netgroup_plugin.py b/ipatests/test_xmlrpc/test_netgroup_plugin.py
index b6f004e..42bc579 100644
--- a/ipatests/test_xmlrpc/test_netgroup_plugin.py
+++ b/ipatests/test_xmlrpc/test_netgroup_plugin.py
@@ -26,8 +26,10 @@
 from ipatests.test_xmlrpc.xmlrpc_test import (Declarative, fuzzy_digits,
                                               fuzzy_uuid, fuzzy_netgroupdn)
 from ipatests.test_xmlrpc import objectclasses
+from ipatests.test_xmlrpc.tracker.user_plugin import UserTracker
 from ipapython.dn import DN
 from ipatests.test_xmlrpc.test_user_plugin import get_user_result
+from ipatests.util import run
 import pytest
 
 # Global so we can save the value between tests
@@ -1408,3 +1410,114 @@ class test_netgroup(Declarative):
 #        # and even which user gets into which triple can be random.
 #        assert '(nosuchhost,jexample,example.com)' in triples
 #        assert '(ipatesthost.%s,pexample,example.com)' % api.env.domain in triples
+
+
+@pytest.fixture(scope='function')
+def netgroup_test1(request):
+    name = u'netgroup-test-1'
+
+    def ng_cleanup():
+        api.Command.netgroup_del(name)
+
+    request.addfinalizer(ng_cleanup)
+
+    api.Command.netgroup_add(name)
+    return name
+
+
+@pytest.fixture(scope='function')
+def netgroup_test2(request):
+    name = u'netgroup-test-2'
+
+    def ng_cleanup():
+        api.Command.netgroup_del(name)
+    request.addfinalizer(ng_cleanup)
+
+    api.Command.netgroup_add(name)
+    return name
+
+
+@pytest.fixture(scope='function')
+def netgroup_test3(request):
+    name = u'netgroup-test-3'
+
+    def ng_cleanup():
+        api.Command.netgroup_del(name)
+    request.addfinalizer(ng_cleanup)
+
+    api.Command.netgroup_add(name)
+    return name
+
+
+@pytest.fixture(scope='function')
+def netgroup_user1(request):
+    tr = UserTracker(u'ng_user_1', u'ng', u'user')
+
+    return tr.make_fixture(request)
+
+
+@pytest.fixture(scope='function')
+def netgroup_user2(request):
+    tr = UserTracker(u'ng_user_2', u'ng', u'user')
+
+    return tr.make_fixture(request)
+
+
+@pytest.fixture(scope='function')
+def netgroup_user3(request):
+    tr = UserTracker(u'ng_user_3', u'ng', u'user')
+
+    return tr.make_fixture(request)
+
+
+def test_netgroup_nested_groups(
+        netgroup_test1, netgroup_test2, netgroup_test3,
+        netgroup_user1, netgroup_user2, netgroup_user3):
+    """Test resolution of nested netgroup membership
+
+    The test sets up a chain of netgroups with user members in
+    each of the groups. Then the membership is evaluated on each
+    group, expecting the membership of users in nested groups to be
+    propagated into parent groups.
+    """
+
+    netgroup_user1.create()
+    netgroup_user2.create()
+    netgroup_user3.create()
+
+    # Prepare the nested netgroup hierarchy
+    api.Command.netgroup_add_member(netgroup_test1, netgroup=netgroup_test2)
+    api.Command.netgroup_add_member(netgroup_test2, netgroup=netgroup_test3)
+
+    # Add an user to each group
+    api.Command.netgroup_add_member(netgroup_test1, user=netgroup_user1.name)
+    api.Command.netgroup_add_member(netgroup_test2, user=netgroup_user2.name)
+    api.Command.netgroup_add_member(netgroup_test3, user=netgroup_user3.name)
+
+    # Clean the sssd cache
+    run(['sudo', 'sss_cache', '-E'], raiseonerr=False)
+
+    # Call getent for each group and check if the users are in the right groups
+
+    # Expected results: getent output in form (-,USERNAME,DOMAIN)
+    # where the DOMAIN part is the nisDomainName of the netgroup
+    nisdomain = (
+        api.Command.netgroup_show(netgroup_test1)['result']['nisdomainname'][0]
+    )
+
+    ng_rec_tmpl = '(-,{user},{domain})'
+    ng_rec_u1 = ng_rec_tmpl.format(user=netgroup_user1.name, domain=nisdomain)
+    ng_rec_u2 = ng_rec_tmpl.format(user=netgroup_user2.name, domain=nisdomain)
+    ng_rec_u3 = ng_rec_tmpl.format(user=netgroup_user3.name, domain=nisdomain)
+
+    r1 = run(['getent', 'netgroup', netgroup_test1], capture_output=True)
+    r2 = run(['getent', 'netgroup', netgroup_test2], capture_output=True)
+    r3 = run(['getent', 'netgroup', netgroup_test3], capture_output=True)
+
+    assert ng_rec_u3 in r3.output
+    assert ng_rec_u3 in r2.output and ng_rec_u2 in r2.output
+    assert (
+        ng_rec_u3 in r1.output and
+        ng_rec_u2 in r1.output and
+        ng_rec_u1 in r1.output
+    )

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code