URL: https://github.com/SSSD/sssd/pull/658 Author: mrniranjan Title: #658: pytest: Test case for sudo: search with lower cased name for case insensitive domains Action: opened
PR body: """ """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/658/head:pr658 git checkout pr658
From 086de91d192534af72e8b9f77fec2d7b685b21c3 Mon Sep 17 00:00:00 2001 From: "Niranjan M.R" <mrniran...@redhat.com> Date: Thu, 20 Sep 2018 12:22:18 +0530 Subject: [PATCH 1/4] pytest/library: Add function to create organizational Unit Minor fix of removing space in DN when creating self signed CA Signed-off-by: Niranjan M.R <mrniran...@redhat.com> --- src/tests/python/sssd/testlib/common/utils.py | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/src/tests/python/sssd/testlib/common/utils.py b/src/tests/python/sssd/testlib/common/utils.py index 5f3596c68..3d89ad399 100644 --- a/src/tests/python/sssd/testlib/common/utils.py +++ b/src/tests/python/sssd/testlib/common/utils.py @@ -590,6 +590,20 @@ def posix_group(self, org_unit, basedn, group_attr, memberUid=False): if ret != 'Success': raise LdapException('Unable to add group to ldap') + def org_unit(self, org_unit, basedn): + """ Add Organizational Unit + :param str ou: Organizational unit name + :param str basedn: Base dn ('dc=example,dc=test') + :Exception: Raise LdapException if unable to organizational + """ + attr = { + 'objectClass': [b'top', b'organizationalUnit'], + 'ou': org_unit.encode('utf-8')} + org_dn = 'ou=%s,%s' % (org_unit, basedn) + (ret, _) = self.add_entry(attr, org_dn) + if ret != 'Success': + raise LdapException('Unable to add organizational unit to ldap') + def enable_autofs_schema(self, basedn): """ Enable autofs schema @@ -728,7 +742,7 @@ def createselfsignedcerts(self, serverlist, ca_dn=None, passphrase='Secret123', - canickname='Example CA'): + canickname='ExampleCA'): """ Creates a NSS DB in /tmp/nssDirxxxx where self signed Root CA and Server Certs are created 
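Review bot: The docstring of the new `org_unit` method documents a parameter `ou` that does not exist — the parameter is `org_unit` (which also shadows the method's own name inside the body), and the `:Exception:` line is missing its verb. Suggest `:param str org_unit: Organizational unit name` and `:Exception: Raise LdapException if unable to add organizational unit`. The value is interpolated into the DN with `'ou=%s,%s'` unescaped; the one caller in this series passes a fixed literal, but a name containing DN special characters (`,`, `+`, `=`) would yield a malformed DN, so `ldap.dn.escape_dn_chars(org_unit)` is worth applying if the `ldap` module is in scope in this file. The `'Example CA'` → `'ExampleCA'` hunks in the same file are value changes only and need no further comment.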
@@ -737,7 +751,7 @@ def createselfsignedcerts(self, :param str Server_DN: Distinguished Name for Server Cert """ if ca_dn is None: - ca_dn = 'CN=Example CA,O=Example,L=Raleigh,C=US' + ca_dn = 'CN=ExampleCA,O=Example,L=Raleigh,C=US' nss_passphrase = passphrase pin_filename = 'pin.txt' nss_dir = self.create_nssdb() From aba5caf14f10dce7e85e919f34ce837a6e88f693 Mon Sep 17 00:00:00 2001 From: "Niranjan M.R" <mrniran...@redhat.com> Date: Thu, 20 Sep 2018 12:24:26 +0530 Subject: [PATCH 2/4] pytest/testlib: Fix related to removing kerberos database Stop krb5kdc and kadmin services. Earlier we were not stopping kadmin services. The current code use loop to stop the services. Signed-off-by: Niranjan M.R <mrniran...@redhat.com> --- .../python/sssd/testlib/common/libkrb5.py | 23 ++++++++----------- 1 file changed, 9 insertions(+), 14 deletions(-) diff --git a/src/tests/python/sssd/testlib/common/libkrb5.py b/src/tests/python/sssd/testlib/common/libkrb5.py index 2fa833109..4d167efc7 100644 --- a/src/tests/python/sssd/testlib/common/libkrb5.py +++ b/src/tests/python/sssd/testlib/common/libkrb5.py @@ -198,20 +198,15 @@ def destroy_krb5server(self): :Exception: subprocess.CalledProcessError """ # stop the Kerberos server - try: - self.multihost.run_command(['systemctl', 'stop', 'krb5kdc']) - except subprocess.CalledProcessError: - raise - else: - self.multihost.log.info("stopped krb5kdc service") - - # stop kadmin service - try: - self.multihost.run_command(['systemctl', 'stop', 'krb5kdc']) - except subprocess.CalledProcessError: - raise - else: - self.multihost.log.info("stopped kadmin service") + services = ['krb5kdc', 'kadmin'] + for service in services: + stop_cmd = 'systemctl stop %s' % service + try: + self.multihost.run_command(stop_cmd) + except subprocess.CalledProcessError: + raise + else: + self.multihost.log.info("stopped %s service ") # destroy Kerberos database try: From 1269cc768716ff533c72950b075780faac4ee433 Mon Sep 17 00:00:00 2001 
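Review bot: The success message in the new loop of `destroy_krb5server` never receives the service name: `self.multihost.log.info("stopped %s service ")` logs the literal `%s`. Use `self.multihost.log.info("stopped %s service" % service)` (or the logger's lazy-argument form if `log` is a `logging.Logger`). The `try … except subprocess.CalledProcessError: raise … else:` around `run_command` is also a no-op re-raise; the call followed directly by the log line behaves identically and reads better. Note that the command is now a string rather than the list the removed lines passed — fine if `run_command` accepts both, as the string call sites elsewhere in this series suggest. `destroy_krb5server` continues past the end of the hunk.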
From: "Niranjan M.R" <mrniran...@redhat.com> Date: Thu, 20 Sep 2018 12:27:02 +0530 Subject: [PATCH 3/4] pytest/testlib: Remove Spaces in CA DN. Signed-off-by: Niranjan M.R <mrniran...@redhat.com> --- src/tests/python/sssd/testlib/common/libdirsrv.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/tests/python/sssd/testlib/common/libdirsrv.py b/src/tests/python/sssd/testlib/common/libdirsrv.py index 5c3927f7e..43d73d7c1 100644 --- a/src/tests/python/sssd/testlib/common/libdirsrv.py +++ b/src/tests/python/sssd/testlib/common/libdirsrv.py @@ -208,7 +208,7 @@ def setup_certs(self, ssl_dir): for pkcs_file in pkcs12_file: if not self._import_certs(pkcs_file, pwfile): raise DirSrvException("importing certificates failed") - set_trust_cmd = 'certutil -M -d %s -n "Example CA"'\ + set_trust_cmd = 'certutil -M -d %s -n "ExampleCA"'\ ' -t "CTu,u,u" -f %s' % (self.dsinst_path, pwfile) self.multihost.run_command(create_cert_dir) self.multihost.run_command(set_trust_cmd) From 1cf9a950c82566699e69ce910a4e12eb6676e129 Mon Sep 17 00:00:00 2001 From: "Niranjan M.R" <mrniran...@redhat.com> Date: Thu, 20 Sep 2018 15:48:34 +0530 Subject: [PATCH 4/4] pytest: Add test for sudo: search with lower cased name for case insensitive domains 1. Add test case for sudo: search with lower cased name for case insensitive domains 2. Minor fixes to package installation 3. Remove Host kerberos keytab while teardown 4. Add fixtures: disable case_sensitive enable sudo service add suders: sss in nsswitch.conf Signed-off-by: Niranjan M.R <mrniran...@redhat.com> --- src/tests/multihost/basic/conftest.py | 115 +++++++++++++++++++++++- src/tests/multihost/basic/test_basic.py | 26 ++++++ 2 files changed, 140 insertions(+), 1 deletion(-) diff --git a/src/tests/multihost/basic/conftest.py b/src/tests/multihost/basic/conftest.py index 221928848..45a60806b 100644 --- a/src/tests/multihost/basic/conftest.py +++ b/src/tests/multihost/basic/conftest.py 
@@ -42,7 +42,7 @@ def package_install(session_multihost): if 'Fedora' in distro: cmd = 'dnf install -y %s' % (pkg_list) elif '8.' in distro.split()[5]: - cmd = 'dnf module -y install idm:4 389-ds:1.4' + cmd = 'dnf module -y install 389-ds:1.4' session_multihost.master[0].run_command(cmd) @@ -89,6 +89,8 @@ def setup_kerberos(session_multihost, request): def remove_kerberos(): """ Remove kerberos instance """ krb.destroy_krb5server() + remove_keytab = 'rm -f /etc/krb5.keytab' + session_multihost.master[0].run_command(remove_keytab) request.addfinalizer(remove_kerberos) 
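Review bot: In `remove_kerberos`, the keytab removal added after `krb.destroy_krb5server()` runs only when that call returns normally; `destroy_krb5server` re-raises `subprocess.CalledProcessError`, so a failed service stop or database teardown leaves `/etc/krb5.keytab` on the master for the next session, which is exactly the stale-keytab case this finalizer is meant to prevent. Wrapping the call so the removal always runs keeps the teardown idempotent: `try: krb.destroy_krb5server()` / `finally: session_multihost.master[0].run_command(remove_keytab)`. The surrounding `setup_kerberos` fixture starts before the hunk.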
@@ -173,6 +175,117 @@ def disable_kcm(): request.addfinalizer(disable_kcm) +@pytest.fixture +def create_casesensitive_posix_user(session_multihost): + """ Create a case sensitive posix user """ + ldap_uri = 'ldap://%s' % (session_multihost.master[0].sys_hostname) + krb = krb5srv(session_multihost.master[0], 'EXAMPLE.TEST') + ds_rootdn = 'cn=Directory Manager' + ds_rootpw = 'Secret123' + ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw) + username = 'CAPSUSER-1' + user_info = {'cn': username, + 'uid': username, + 'uidNumber': '24583100', + 'gidNumber': '14564100'} + ldap_inst.posix_user("ou=People", "dc=example,dc=test", user_info) + krb.add_principal('CAPSUSER-1', 'user', 'Secret123') + + +@pytest.fixture +def set_case_sensitive_false(session_multihost): + """ Set case_sensitive to false in sssd domain section """ + session_multihost.master[0].transport.get_file('/etc/sssd/sssd.conf', + '/tmp/sssd.conf') + sssdconfig = ConfigParser.SafeConfigParser() + sssdconfig.read('/tmp/sssd.conf') + domain_section = "%s/%s" % ('domain', 'EXAMPLE.TEST') + if domain_section in sssdconfig.sections(): + sssdconfig.set(domain_section, 'case_sensitive', 'false') + with open('/tmp/sssd.conf', "w") as sssconf: + sssdconfig.write(sssconf) + session_multihost.master[0].transport.put_file('/tmp/sssd.conf', + '/etc/sssd/sssd.conf') + session_multihost.master[0].service_sssd('restart') + + +@pytest.fixture +def enable_sudo_service(session_multihost): + """ Enable sudo services in sssd.conf """ + session_multihost.master[0].transport.get_file('/etc/sssd/sssd.conf', + '/tmp/sssd.conf') + sssdconfig = ConfigParser.SafeConfigParser() + sssdconfig.read('/tmp/sssd.conf') + sssdconfig.remove_option('sssd', 'services') + sssdconfig.set('sssd', 'services', 'nss, pam, ifp, sudo') + with open('/tmp/sssd.conf', "w") as sssconf: + sssdconfig.write(sssconf) + session_multihost.master[0].transport.put_file('/tmp/sssd.conf', + '/etc/sssd/sssd.conf') + 
session_multihost.master[0].service_sssd('restart') + + +@pytest.fixture +def create_sudorule(session_multihost, create_casesensitive_posix_user): + """ Create posix user and groups """ + # pylint: disable=unused-argument + _pytest_fixture = [create_casesensitive_posix_user] + ldap_uri = 'ldap://%s' % (session_multihost.master[0].sys_hostname) + ds_rootdn = 'cn=Directory Manager' + ds_rootpw = 'Secret123' + ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw) + ldap_inst.org_unit('sudoers', 'dc=example,dc=test') + capsrule_dn1 = 'cn=lessrule,ou=sudoers,dc=example,dc=test' + capsrule_dn2 = 'cn=morerule,ou=sudoers,dc=example,dc=test' + sudo_attr1 = { + 'objectClass': [b'top', b'sudoRole'], + 'cn': 'lessrule'.encode('utf-8'), + 'sudoHost': 'ALL'.encode('utf-8'), + 'sudoCommand': '/usr/bin/less'.encode('utf-8'), + 'sudoUser': 'capsuser-1'.encode('utf-8'), + 'sudoOption': '!requiretty'.encode('utf-8')} + sudo_attr2 = { + 'objectClass': [b'top', b'sudoRole'], + 'cn': 'morerule'.encode('utf-8'), + 'sudoHost': 'ALL'.encode('utf-8'), + 'sudoCommand': '/usr/bin/more'.encode('utf-8'), + 'sudoUser': 'CAPSUSER-1'.encode('utf-8'), + 'sudoOption': '!requiretty'.encode('utf-8')} + no_passwd = [(ldap.MOD_ADD, 'sudoOption', '!authenticate'.encode('utf-8'))] + try: + (_, _) = ldap_inst.add_entry(sudo_attr1, capsrule_dn1) + except LdapException: + pytest.fail("Failed to add %s rule in ldap" % (capsrule_dn1)) + try: + (_, _) = ldap_inst.add_entry(sudo_attr2, capsrule_dn2) + except LdapException: + pytest.fail("Failed to add %s rule in ldap" % (capsrule_dn2)) + else: + (_, _) = ldap_inst.modify_ldap(capsrule_dn1, no_passwd) + (_, _) = ldap_inst.modify_ldap(capsrule_dn2, no_passwd) + + +@pytest.fixture +def enable_sss_sudo_nsswitch(session_multihost, tmpdir, request): + """Enable sss backend for sudoers in nsswitch.conf """ + conf = '/etc/nsswitch.conf' + local_conf = tmpdir.mkdir("tmpdir").join('nsswitch.conf') + backup_cmd = "cp -f /etc/nsswitch.conf /etc/nsswitch.conf.backup" + 
session_multihost.master[0].run_command(backup_cmd) + content = '\nsudoers: sss\n' + session_multihost.master[0].transport.get_file(conf, str(local_conf)) + + local_conf.write(content, mode='a') + session_multihost.master[0].transport.put_file(str(local_conf), + '/etc/nsswitch.conf') + + def restore_nsswitch(): + """ Restore nsswitch.conf """ + restore_cmd = 'cp -f /etc/nsswitch.conf.backup /etc/nsswitch.conf' + session_multihost.master[0].run_command(restore_cmd) + request.addfinalizer(restore_nsswitch) + + @pytest.fixture(scope='class', autouse=True) def create_posix_usersgroups(session_multihost): """ Create posix user and groups """ diff --git a/src/tests/multihost/basic/test_basic.py b/src/tests/multihost/basic/test_basic.py index 568288d0c..ee6b5f62b 100644 --- a/src/tests/multihost/basic/test_basic.py +++ b/src/tests/multihost/basic/test_basic.py @@ -117,3 +117,29 @@ def test_ssh_login_kcm(self, multihost, enable_kcm): else: assert True ssh.close() + + def test_case_senitivity_sudo_responder(self, multihost, + create_sudorule, + enable_sss_sudo_nsswitch, + set_case_sensitive_false, + enable_sudo_service): + """ Verify case sensitivity in sudo responder """ + # pylint: disable=unused-argument + _pytest_fixtures = [create_sudorule, enable_sss_sudo_nsswitch, + set_case_sensitive_false, enable_sudo_service] + try: + ssh = SSHClient(multihost.master[0].sys_hostname, + username='capsuser-1', password='Secret123') + except paramiko.ssh_exception.AuthenticationException: + pytest.fail("%s failed to login" % 'capsuser-1') + else: + (stdout, _, exit_status) = ssh.execute_cmd('sudo -l') + result = [] + assert exit_status == 0 + for line in stdout.readlines(): + if 'NOPASSWD' in line: + line.strip() + result.append(line.strip('(root) NOPASSWD: ')) + assert '/usr/bin/less\n' in result + assert '/usr/bin/more\n' in result + ssh.close()
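Review bot: `set_case_sensitive_false` and `enable_sudo_service` rewrite `/etc/sssd/sssd.conf` and restart sssd but register no finalizer, unlike `enable_sss_sudo_nsswitch` in the same hunk, so `case_sensitive = false` and the sudo responder persist into every test that runs after `test_case_senitivity_sudo_responder`. Back the file up the same way (`cp -f /etc/sssd/sssd.conf /etc/sssd/sssd.conf.backup`), restore it in `request.addfinalizer` and restart sssd once more. Both fixtures also stage the config at the fixed path `/tmp/sssd.conf` on the test controller, created with the default umask; sssd.conf can carry `ldap_default_authtok`, so prefer the per-test `tmpdir` that `enable_sss_sudo_nsswitch` already uses, and confirm that `put_file` leaves the file with the root-owned 0600 mode sssd expects for its config. `create_sudorule` likewise leaves `ou=sudoers` and its two rules behind; if the directory instance is reused across sessions the `org_unit` call will presumably fail on the second run, so the entries should be removed on teardown as well.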
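Review bot: The result parsing in the new test passes by accident: the bare `line.strip()` discards its return value, and `line.strip('(root) NOPASSWD: ')` strips a *set* of characters from both ends rather than removing the prefix — it only works because the leading `/` and the trailing newline are outside that set, which is also why both asserts have to compare against `'/usr/bin/less\n'` with the newline attached. Splitting on the `NOPASSWD:` marker and comparing the stripped path makes the intent explicit and independent of the character set. The method name carries a typo (`senitivity` → `sensitivity`) that is best fixed before other tests or CI filters reference it. The enclosing test class starts outside the hunk.
```python
            # … unchanged: ssh login, sudo -l and exit-status assert …
            for line in stdout.readlines():
                if 'NOPASSWD' in line:
                    result.append(line.split('NOPASSWD:', 1)[1].strip())
            assert '/usr/bin/less' in result
            assert '/usr/bin/more' in result
            ssh.close()
```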