-
Notifications
You must be signed in to change notification settings - Fork 251
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
tests: authentication, adding override_homedir tests
* moving ad specific test out of authentication and to it's own file
- Loading branch information
Dan Lavu
committed
Dec 5, 2024
1 parent
58a2fee
commit 23f3645
Showing
2 changed files
with
120 additions
and
60 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,54 @@ | ||
""" | ||
SSSD Active Directory (AD) Test Cases | ||
:requirement: ad | ||
""" | ||
|
||
from __future__ import annotations | ||
|
||
import pytest | ||
from sssd_test_framework.roles.ad import AD | ||
from sssd_test_framework.roles.client import Client | ||
from sssd_test_framework.topology import KnownTopology | ||
|
||
|
||
@pytest.mark.topology(KnownTopology.AD) | ||
@pytest.mark.ticket(gh=7174) | ||
@pytest.mark.parametrize("method", ["su", "ssh"]) | ||
@pytest.mark.parametrize("sssd_service_user", ("root", "sssd")) | ||
@pytest.mark.importance("critical") | ||
@pytest.mark.require( | ||
lambda client, sssd_service_user: ((sssd_service_user == "root") or client.features["non-privileged"]), | ||
"SSSD was built without support for running under non-root", | ||
) | ||
def test_authentication__using_the_users_email_address(client: Client, ad: AD, method: str, sssd_service_user: str): | ||
""" | ||
:title: Login using the user's email address | ||
:description: | ||
Testing the feature to login using an email address instead of the userid. The username used, | ||
must match one of the user's LDAP attribute values, "EmailAddress". The login should be | ||
case-insensitive and permit special characters. | ||
:setup: | ||
1. Add AD users with different email addresses | ||
2. Start SSSD | ||
:steps: | ||
1. Authenticate users using their email address and in different cases | ||
:expectedresults: | ||
1. Authentication is successful using the email address and is case-insensitive | ||
:customerscenario: False | ||
""" | ||
ad.user("user-1").add(password="Secret123", email=f"user-1@{ad.host.domain}") | ||
ad.user("user-2").add(password="Secret123", email="[email protected]") | ||
ad.user("user_3").add(password="Secret123", email="[email protected]") | ||
|
||
client.sssd.start(service_user=sssd_service_user) | ||
|
||
assert client.auth.parametrize(method).password( | ||
f"user-1@{ad.host.domain}", "Secret123" | ||
), f"User user-1@{ad.host.domain} failed login!" | ||
assert client.auth.parametrize(method).password( | ||
"[email protected]", "Secret123" | ||
), "User [email protected] failed login!" | ||
assert client.auth.parametrize(method).password( | ||
"[email protected]", "Secret123" | ||
), "User [email protected] failed login!" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -7,23 +7,16 @@ | |
from __future__ import annotations | ||
|
||
import pytest | ||
from sssd_test_framework.roles.ad import AD | ||
from sssd_test_framework.roles.client import Client | ||
from sssd_test_framework.roles.generic import GenericProvider | ||
from sssd_test_framework.topology import KnownTopology, KnownTopologyGroup | ||
from sssd_test_framework.roles.ldap import LDAP | ||
from sssd_test_framework.topology import KnownTopologyGroup | ||
|
||
|
||
@pytest.mark.topology(KnownTopologyGroup.AnyProvider) | ||
@pytest.mark.parametrize("method", ["su", "ssh"]) | ||
@pytest.mark.parametrize("sssd_service_user", ("root", "sssd")) | ||
@pytest.mark.importance("critical") | ||
@pytest.mark.require( | ||
lambda client, sssd_service_user: ((sssd_service_user == "root") or client.features["non-privileged"]), | ||
"SSSD was built without support for running under non-root", | ||
) | ||
def test_authentication__with_default_settings( | ||
client: Client, provider: GenericProvider, method: str, sssd_service_user: str | ||
): | ||
def test_authentication__with_default_settings(client: Client, provider: GenericProvider, method: str): | ||
""" | ||
:title: Authenticate with default settings | ||
:setup: | ||
|
@@ -39,24 +32,79 @@ def test_authentication__with_default_settings( | |
""" | ||
provider.user("user1").add(password="Secret123") | ||
|
||
client.sssd.start(service_user=sssd_service_user) | ||
client.sssd.start() | ||
|
||
assert client.auth.parametrize(method).password("user1", "Secret123"), "User failed login!" | ||
assert not client.auth.parametrize(method).password( | ||
"user1", "NOTSecret123" | ||
), "User logged in with an invalid password!" | ||
|
||
|
||
@pytest.mark.topology(KnownTopologyGroup.AnyProvider) | ||
@pytest.mark.parametrize( | ||
"home_key", | ||
["user", "uid", "fqn", "domain", "first_char", "upn", "default", "lowercase", "substring", "literal%"], | ||
) | ||
@pytest.mark.importance("medium") | ||
def test_authentication__with_overriding_home_directory(client: Client, provider: GenericProvider, home_key: str): | ||
""" | ||
:title: Override the user's home directory | ||
:description: | ||
For simplicity, the home directory is set to '/home/user1' because some providers homedirs are different. | ||
:setup: | ||
1. Create user and set home directory to '/home/user1' | ||
2. Configure SSSD with 'override_homedir' home_key value and restart SSSD | ||
3. Get entry for 'user1' | ||
:steps: | ||
1. Login as 'user1' and check working directory | ||
:expectedresults: | ||
1. Login is successful and working directory matches the expected value | ||
:customerscenario: False | ||
""" | ||
provider.user("user1").add(password="Secret123", home="/home/user1") | ||
client.sssd.common.mkhomedir() | ||
client.sssd.start() | ||
|
||
user = client.tools.getent.passwd("user1") | ||
assert user is not None | ||
|
||
home_map: dict[str, list[str]] = { | ||
"user": ["/home/%u", f"/home/{user.name}"], | ||
"uid": ["/home/%U", f"/home/{user.uid}"], | ||
"fqn": ["/home/%f", f"/home/{user.name}@{client.sssd.default_domain}"], | ||
"domain": ["/home/%d/%u", f"/home/{client.sssd.default_domain}/{user.name}"], | ||
"first_char": ["/home/%l", f"/home/{str(user.name)[0]}"], | ||
"upn": ["/home/%P", f"/home/{user.name}@{provider.domain.upper()}"], | ||
"default": ["%o", f"{user.home}"], | ||
"lowercase": ["%h", f"{str(user.home).lower()}"], | ||
"substring": ["%H/%u", f"/home/homedir/{user.name}"], | ||
"literal%": ["/home/%%/%u", f"/home/%/{user.name}"], | ||
} | ||
|
||
if home_key == "upn" and isinstance(provider, LDAP): | ||
pytest.skip("Skipping provider, userPrincipal attribute is not set!") | ||
|
||
if home_key == "domain": | ||
client.fs.mkdir_p(f"/home/{client.sssd.default_domain}") | ||
|
||
home_fmt, home_exp = home_map[home_key] | ||
client.sssd.domain["homedir_substring"] = "/home/homedir" | ||
client.sssd.domain["override_homedir"] = home_fmt | ||
client.sssd.restart(clean=True) | ||
|
||
with client.ssh("user1", "Secret123") as ssh: | ||
result = ssh.run("pwd").stdout | ||
assert result is not None, "Getting path failed!" | ||
assert result == home_exp, f"Current path {result} is not {home_exp}!" | ||
|
||
|
||
@pytest.mark.topology(KnownTopologyGroup.AnyProvider) | ||
@pytest.mark.parametrize("method", ["su", "ssh"]) | ||
@pytest.mark.parametrize("sssd_service_user", ("root", "sssd")) | ||
@pytest.mark.importance("critical") | ||
@pytest.mark.require( | ||
lambda client, sssd_service_user: ((sssd_service_user == "root") or client.features["non-privileged"]), | ||
"SSSD was built without support for running under non-root", | ||
) | ||
def test_authentication__default_settings_when_the_provider_is_offline( | ||
client: Client, provider: GenericProvider, method: str, sssd_service_user: str | ||
client: Client, | ||
provider: GenericProvider, | ||
method: str, | ||
): | ||
""" | ||
:title: Authenticate with default settings when the provider is offline | ||
|
@@ -83,7 +131,7 @@ def test_authentication__default_settings_when_the_provider_is_offline( | |
client.sssd.domain["cache_credentials"] = "True" | ||
client.sssd.domain["krb5_store_password_if_offline"] = "True" | ||
client.sssd.pam["offline_credentials_expiration"] = "0" | ||
client.sssd.start(service_user=sssd_service_user) | ||
client.sssd.start() | ||
|
||
assert client.auth.parametrize(method).password(user, correct), "User failed login!" | ||
|
||
|
@@ -95,45 +143,3 @@ def test_authentication__default_settings_when_the_provider_is_offline( | |
|
||
assert client.auth.parametrize(method).password(user, correct), "User failed login!" | ||
assert not client.auth.parametrize(method).password(user, wrong), "User logged in with an incorrect password!" | ||
|
||
|
||
@pytest.mark.topology(KnownTopology.AD) | ||
@pytest.mark.ticket(gh=7174) | ||
@pytest.mark.parametrize("method", ["su", "ssh"]) | ||
@pytest.mark.parametrize("sssd_service_user", ("root", "sssd")) | ||
@pytest.mark.importance("critical") | ||
@pytest.mark.require( | ||
lambda client, sssd_service_user: ((sssd_service_user == "root") or client.features["non-privileged"]), | ||
"SSSD was built without support for running under non-root", | ||
) | ||
def test_authentication__using_the_users_email_address(client: Client, ad: AD, method: str, sssd_service_user: str): | ||
""" | ||
:title: Login using the user's email address | ||
:description: | ||
Testing the feature to login using an email address instead of the userid. The username used, | ||
must match one of the user's LDAP attribute values, "EmailAddress". The login should be | ||
case-insensitive and permit special characters. | ||
:setup: | ||
1. Add AD users with different email addresses | ||
2. Start SSSD | ||
:steps: | ||
1. Authenticate users using their email address and in different cases | ||
:expectedresults: | ||
1. Authentication is successful using the email address and is case-insensitive | ||
:customerscenario: False | ||
""" | ||
ad.user("user-1").add(password="Secret123", email=f"user-1@{ad.host.domain}") | ||
ad.user("user-2").add(password="Secret123", email="[email protected]") | ||
ad.user("user_3").add(password="Secret123", email="[email protected]") | ||
|
||
client.sssd.start(service_user=sssd_service_user) | ||
|
||
assert client.auth.parametrize(method).password( | ||
f"user-1@{ad.host.domain}", "Secret123" | ||
), f"User user-1@{ad.host.domain} failed login!" | ||
assert client.auth.parametrize(method).password( | ||
"[email protected]", "Secret123" | ||
), "User [email protected] failed login!" | ||
assert client.auth.parametrize(method).password( | ||
"[email protected]", "Secret123" | ||
), "User [email protected] failed login!" |