diff --git a/src/tests/multihost/alltests/test_autoprivategroup.py b/src/tests/multihost/alltests/test_autoprivategroup.py index e551a145aa1..ba1c70551cc 100644 --- a/src/tests/multihost/alltests/test_autoprivategroup.py +++ b/src/tests/multihost/alltests/test_autoprivategroup.py @@ -18,7 +18,7 @@ 'create_posix_usersgroups_autoprivategroups') @pytest.mark.autoprivategroup class TestAutoPrivateGroups(object): - @pytest.mark.converted('test_auto_private_groups.py', 'test_auto_private_groups__hybrid') + @pytest.mark.converted('test_identity.py', 'test_identity__lookup_when_private_groups_set_to_hybrid') @pytest.mark.tier1 def test_0001_bz1695577(self, multihost, backupsssdconf): """ @@ -42,7 +42,7 @@ def test_0001_bz1695577(self, multihost, backupsssdconf): output = cmd.stdout_text.split(':') assert int(output[2]) == int(output[3]) - @pytest.mark.converted('test_auto_private_groups.py', 'test_auto_private_groups__hybrid') + @pytest.mark.converted('test_identity.py', 'test_identity__lookup_when_private_groups_set_to_hybrid') @pytest.mark.tier1 def test_0002_bz1695577(self, multihost, backupsssdconf): """ diff --git a/src/tests/multihost/alltests/test_default_debug_level.py b/src/tests/multihost/alltests/test_default_debug_level.py index ede9f205f14..b707a3d8972 100644 --- a/src/tests/multihost/alltests/test_default_debug_level.py +++ b/src/tests/multihost/alltests/test_default_debug_level.py @@ -20,7 +20,7 @@ @pytest.mark.defaultdebuglevel class TestDefaultDebugLevel(object): """ Check sssd default debug level """ - @pytest.mark.converted('test_default_debug_level.py', 'test_default_debug_level__check') + @pytest.mark.converted('logging.py', 'test_logging__default_debug_level_check') @pytest.mark.tier1_4 def test_0001_check_default_debug_level(self, multihost, backupsssdconf): """ @@ -63,7 +63,7 @@ def test_0001_check_default_debug_level(self, multihost, backupsssdconf): debug_str1 = pattern2.search(log_single_line) assert debug_str1.group() == '(0x3f7c0)' - @pytest.mark.converted('test_default_debug_level.py', 'test_default_debug_level__check_with_login') + @pytest.mark.converted('logging.py', 'test_logging__default_debug_level_check_with_login') @pytest.mark.tier1_4 def test_0002_check_default_level_with_auth(self, multihost, backupsssdconf): @@ -111,7 +111,7 @@ def test_0002_check_default_level_with_auth(self, multihost, assert ssh, f'{user} is not able to login' assert alog_size.stdout_text == blog_size.stdout_text - @pytest.mark.converted('test_default_debug_level.py', 'test_default_debug_level__fatal_and_critical_failures') + @pytest.mark.converted('logging.py', 'test_logging__default_debug_level_fatal_and_critical_failures') @pytest.mark.tier2 def test_0003_bz1893159(self, multihost, backupsssdconf): """ @@ -152,7 +152,7 @@ def test_0003_bz1893159(self, multihost, backupsssdconf): if not find1.search(log_str) and not find2.search(log_str): assert False - @pytest.mark.converted('test_default_debug_level.py', 'test_default_debug_level__cannot_load_sssd_config') + @pytest.mark.converted('logging.py', 'test_logging__default_debug_level_cannot_load_sssd_config') @pytest.mark.tier1_4 def test_0004_bz1893159(self, multihost, backupsssdconf): """ @@ -181,7 +181,7 @@ def test_0004_bz1893159(self, multihost, backupsssdconf): pattern = re.compile(r'SSSD couldn\'t load the configuration database') assert pattern.search(log_str) - @pytest.mark.converted('test_default_debug_level.py', 'test_default_debug_level__nonexisting_ldap_server') + @pytest.mark.converted('logging.py', 'test_logging__default_debug_level_nonexisting_ldap_server') @pytest.mark.tier1_4 def test_bz1893159(self, multihost, backupsssdconf): """ @@ -209,7 +209,7 @@ def test_bz1893159(self, multihost, backupsssdconf): #check what is logged at default debug_level(2) assert find.search(log_str) - @pytest.mark.converted('test_default_debug_level.py', 'test_default_debug_level__sbus') + @pytest.mark.converted('logging.py', 'test_logging__default_debug_level_sbus') @pytest.mark.tier1_4 def test_0005_bz1915319(self, multihost, backupsssdconf): """ diff --git a/src/tests/multihost/alltests/test_offline.py b/src/tests/multihost/alltests/test_offline.py index 3f003a675a6..a9c3e35ceb2 100644 --- a/src/tests/multihost/alltests/test_offline.py +++ b/src/tests/multihost/alltests/test_offline.py @@ -20,7 +20,7 @@ class TestOffline(object): """ This is test case class for ldap offline suite """ - @pytest.mark.converted('test_offline.py', 'test_offline__ldap_log_to_syslog') + @pytest.mark.converted('test_ldap.py', 'test_ldap__log_to_syslog') @pytest.mark.tier1 def test_0001_bz1416150(self, multihost, backupsssdconf): """ @@ -59,7 +59,7 @@ def test_0001_bz1416150(self, multihost, backupsssdconf): else: pytest.fail("Failed to start sssd") - @pytest.mark.converted('test_offline.py', 'test_offline__ldap_network_timeout_parameters_shown_in_logs') + @pytest.mark.converted('test_ldap.py', 'test_ldap__network_timeout_parameters_shown_in_logs') @pytest.mark.tier1_2 def test_0002_bz1928648(self, multihost, backupsssdconf): """ diff --git a/src/tests/multihost/alltests/test_sssctl_analyzer.py b/src/tests/multihost/alltests/test_sssctl_analyzer.py index 8b1b0dd7716..483b3a10eb8 100644 --- a/src/tests/multihost/alltests/test_sssctl_analyzer.py +++ b/src/tests/multihost/alltests/test_sssctl_analyzer.py @@ -34,7 +34,7 @@ def analyze(multihost, req_arg, op_arg=None): @pytest.mark.tier1_4 class TestSssctlAnalyze(object): """ sssctl analyze test suite """ - @pytest.mark.converted('test_sssctl_analyze.py', 'test_sssctl_analyze__list') + @pytest.mark.converted('test_sssctl.py', 'test_sssctl__analyze_list') def test_analyze_list(self, multihost, backupsssdconf): """ :title: sssctl analyze list to show captured nss related @@ -83,7 +83,7 @@ def test_analyze_list(self, multihost, backupsssdconf): _, stdout = analyze(multihost, act_op) assert all(ptn in stdout for ptn in ['CID #1', 'getent']) - @pytest.mark.converted('test_sssctl_analyze.py', 'test_sssctl_analyze__non_default_log_location') + @pytest.mark.converted('test_sssctl.py', 'test_sssctl__analyze_non_default_log_location') def test_analyze_diff_log_location(self, multihost, backupsssdconf): """ :title: sssctl analyze able to parse sssd logs from non-default @@ -143,7 +143,7 @@ def test_analyze_diff_log_location(self, multihost, backupsssdconf): _, stdout = analyze(multihost, act_op, log_dir) assert 'sshd' in stdout - @pytest.mark.converted('test_sssctl_analyze.py', 'test_sssctl_analyze__pam_logs') + @pytest.mark.converted('test_sssctl.py', 'test_sssctl__analyze_pam_logs') def test_analyze_pam_logs(self, multihost, backupsssdconf): """ :title: sssctl analyze to parse pam requests from logs @@ -182,7 +182,7 @@ def test_analyze_pam_logs(self, multihost, backupsssdconf): for pam_auth in pam_cmds: assert pam_auth in stdout - @pytest.mark.converted('test_sssctl_analyze.py', 'test_sssctl_analyze__tevent_id') + @pytest.mark.converted('test_sssctl.py', 'test_sssctl__analyze_tevent_id') def test_analyze_tevent_id(self, multihost, backupsssdconf): """ :title: sssctl analyze to parse tevent chain IDs from logs @@ -216,7 +216,7 @@ def test_analyze_tevent_id(self, multihost, backupsssdconf): _, stdout = analyze(multihost, 'show 1 --pam') assert all(ptn in stdout for ptn in ['RID#', user]) - @pytest.mark.converted('test_sssctl_analyze.py', 'test_sssctl_analyze__parse_child_logs') + @pytest.mark.converted('test_sssctl.py', 'test_sssctl__analyze_parse_child_logs') def test_analyze_parse_child_logs(self, multihost, backupsssdconf): """ :title: sssctl analyze to parse child logs from logs @@ -264,7 +264,7 @@ def test_analyze_parse_child_logs(self, multihost, backupsssdconf): _, stdout = analyze(multihost, 'show --pam --child 1') assert re.findall(r"RID#[0-9]*] Received error code", stdout) - @pytest.mark.converted('test_sssctl_analyze.py', 'test_sssctl_analyze__root_privileges') + @pytest.mark.converted('test_sssctl.py', 'test_sssctl__analyze_root_privileges') @staticmethod def test_non_root_privileged(multihost, localusers): """ diff --git a/src/tests/system/tests/test_authentication.py b/src/tests/system/tests/test_authentication.py index 83085851a01..1359f6c0ca3 100644 --- a/src/tests/system/tests/test_authentication.py +++ b/src/tests/system/tests/test_authentication.py @@ -1,5 +1,5 @@ """ -SSSD Sanity Test Cases +SSSD Authentication Test Cases :requirement: offline """ @@ -20,9 +20,11 @@ lambda client, sssd_service_user: ((sssd_service_user == "root") or client.features["non-privileged"]), "SSSD was built without support for running under non-root", ) -def test_authentication__login(client: Client, provider: GenericProvider, method: str, sssd_service_user: str): +def test_authentication__using_a_good_then_bad_password( + client: Client, provider: GenericProvider, method: str, sssd_service_user: str +): """ - :title: ssh/su login + :title: SSH and su authentication :setup: 1. Add user to SSSD 2. Set password for user @@ -51,7 +53,9 @@ def test_authentication__login(client: Client, provider: GenericProvider, method lambda client, sssd_service_user: ((sssd_service_user == "root") or client.features["non-privileged"]), "SSSD was built without support for running under non-root", ) -def test_authentication__offline_login(client: Client, provider: GenericProvider, method: str, sssd_service_user: str): +def test_authentication__using_a_good_then_bad_password_when_offline( + client: Client, provider: GenericProvider, method: str, sssd_service_user: str +): """ :title: Offline ssh/su login :setup: @@ -74,6 +78,7 @@ def test_authentication__offline_login(client: Client, provider: GenericProvider 5. Offline authentication is successful 6. Offline authentication is not successful :customerscenario: False + :TODO: Make this a generic test. """ user = "user1" correct = "Secret123" diff --git a/src/tests/system/tests/test_auto_private_groups.py b/src/tests/system/tests/test_auto_private_groups.py deleted file mode 100644 index 643c1dafb56..00000000000 --- a/src/tests/system/tests/test_auto_private_groups.py +++ /dev/null @@ -1,48 +0,0 @@ -""" -Automation of auto private groups - -:requirement: IDM-SSSD-REQ: SSSD can automatically create\ - user private groups for users -""" - -from __future__ import annotations - -import pytest -from sssd_test_framework.roles.client import Client -from sssd_test_framework.roles.generic import GenericProvider -from sssd_test_framework.topology import KnownTopologyGroup - - -@pytest.mark.ticket(bz=1695577) -@pytest.mark.topology(KnownTopologyGroup.AnyProvider) -def test_auto_private_groups__hybrid(client: Client, provider: GenericProvider): - """ - :title: auto_private_groups set to hybrid - :setup: - 1. Add user "user_same" with uid equals to gid - 2. Add user "user_different" with uid not equals to gid - 3. Set auto_private_groups in sssd.conf to hybrid and turn of ldap_id_mapping - 4. Start SSSD - :steps: - 1. getent passwd "user_same" - 2. getent passwd "user_different" - :expectedresults: - 1. Uid equals to gid - 2. Uid does not equal to gid - :customerscenario: True - """ - provider.user("user_same").add(uid=111111, gid=111111) - provider.user("user_different").add(uid=111111, gid=100000) - - client.sssd.domain["auto_private_groups"] = "hybrid" - client.sssd.domain["ldap_id_mapping"] = "false" - - client.sssd.start() - - result = client.tools.getent.passwd("user_same@test") - assert result, "getent passwd failed on user_same" - assert result.uid == result.gid, "gid and uid for user_same are not same" - - result = client.tools.getent.passwd("user_different@test") - assert result, "getent passwd failed on user_different" - assert result.uid != result.gid, "gid and uid for user_different are same" diff --git a/src/tests/system/tests/test_autofs.py b/src/tests/system/tests/test_autofs.py index 9206dc44f5c..9cd0e9ae02e 100644 --- a/src/tests/system/tests/test_autofs.py +++ b/src/tests/system/tests/test_autofs.py @@ -1,7 +1,7 @@ """ -Autofs tests. +Automount Test Cases -:requirement: Ldap Provider - automount +:requirement: autofs """ from __future__ import annotations @@ -22,7 +22,7 @@ lambda client, sssd_service_user: ((sssd_service_user == "root") or client.features["non-privileged"]), "SSSD was built without support for running under non-root", ) -def test_autofs__cache_first( +def test_autofs__cache_first_set_to_true( client: Client, nfs: NFS, provider: GenericProvider, cache_first: bool, sssd_service_user: str ): """ @@ -71,7 +71,7 @@ def test_autofs__cache_first( @pytest.mark.importance("medium") @pytest.mark.topology(KnownTopologyGroup.AnyProvider) -def test_autofs__propagate_offline__single_domain(client: Client, provider: GenericProvider): +def test_autofs__propagate_offline_status_for_a_single_domain(client: Client, provider: GenericProvider): """ :title: Autofs propagates offline status if a domain is offline :setup: @@ -109,7 +109,7 @@ def test_autofs__propagate_offline__single_domain(client: Client, provider: Gene @pytest.mark.importance("critical") @pytest.mark.topology(KnownTopologyGroup.AnyProvider) -def test_autofs__propagate_offline__multi_domain(client: Client): +def test_autofs__propagate_offline_status_for_multiple_domains(client: Client): """ :title: Autofs propagates offline status if a domain is offline in multi domain environment :setup: @@ -157,7 +157,7 @@ def test_autofs__propagate_offline__multi_domain(client: Client): @pytest.mark.importance("critical") @pytest.mark.topology(KnownTopologyGroup.AnyProvider) -def test_autofs__offline_domains(client: Client, nfs: NFS, provider: GenericProvider): +def test_autofs__works_with_some_offline_domains(client: Client, nfs: NFS, provider: GenericProvider): """ :title: Autofs works if some domain is offline in multi domain environment :setup: diff --git a/src/tests/system/tests/test_config.py b/src/tests/system/tests/test_config.py new file mode 100644 index 00000000000..0dd98147ac5 --- /dev/null +++ b/src/tests/system/tests/test_config.py @@ -0,0 +1,175 @@ +""" +SSSD Configuration Test Cases + +:requirement: IDM-SSSD-REQ: Configuration merging +""" + +from __future__ import annotations + +import pytest +from sssd_test_framework.roles.client import Client +from sssd_test_framework.topology import KnownTopologyGroup + + +@pytest.mark.importance("critical") +@pytest.mark.topology(KnownTopologyGroup.AnyProvider) +def test_config__reload_config(client: Client): + """ + :title: Re-generate config while SSSD is running + :setup: + 1. In pam domain set "debug_level" to 9 + 2. Start SSSD + :steps: + 1. Check that "debug_level" in pam domain is 9 + 2. Change "debug_level" in pam to 1 + 3. Apply config changes + 4. Call "sssd --genconf" + 5. Check that "debug_level" in pam is 1 + :expectedresults: + 1. "debug_level" is set to 9 + 2. "debug_level" is changed successfully + 3. Changes are apllied successfully + 4. "sssd --genconf" is called successfully + 5. "debug_level" is set to 1 + :customerscenario: False + """ + client.sssd.pam["debug_level"] = "9" + client.sssd.start() + + result = client.ldb.search("/var/lib/sss/db/config.ldb", "cn=pam,cn=config") + assert result["cn=pam,cn=config"]["debug_level"] == ["9"] + + client.sssd.pam["debug_level"] = "1" + client.sssd.config_apply() + client.sssd.genconf() + + result = client.ldb.search("/var/lib/sss/db/config.ldb", "cn=pam,cn=config") + assert result["cn=pam,cn=config"]["debug_level"] == ["1"] + + +@pytest.mark.importance("critical") +@pytest.mark.config +@pytest.mark.topology(KnownTopologyGroup.AnyProvider) +def test_config__reload_a_section(client: Client): + """ + :title: Re-generate only particular section in config while SSSD is running + :setup: + 1. In pam domain set "debug_level" to 9 + 2. In nss domain set "debug_level" to 9 + 3. Start SSSD + :steps: + 1. Check that "debug_level" in pam domain is 9 + 2. Check that "debug_level" in nss domain is 9 + 3. Change "debug_level" in pam and in nss to 1 + 4. Apply config changes + 5. Call "sssd --genconf-section==pam" + 6. Check that "debug_level" in pam is 1 + 7. Check that "debug_level" in nss remained 9 + :expectedresults: + 1. "debug_level" is set to 9 + 2. "debug_level" is set to 9 + 3. "debug_level" is changed successfully + 4. Changes are apllied successfully + 5. "sssd --genconf-section==pam" is called successfully + 6. "debug_level" in pam is 1 + 7. "debug_level" in nss remains 9 + :customerscenario: False + """ + client.sssd.pam["debug_level"] = "9" + client.sssd.nss["debug_level"] = "9" + client.sssd.start() + + result = client.ldb.search("/var/lib/sss/db/config.ldb") + assert result["cn=pam,cn=config"]["debug_level"] == ["9"] + assert result["cn=nss,cn=config"]["debug_level"] == ["9"] + + client.sssd.pam["debug_level"] = "1" + client.sssd.nss["debug_level"] = "1" + client.sssd.config_apply() + + client.sssd.genconf("pam") + + result = client.ldb.search("/var/lib/sss/db/config.ldb") + assert result["cn=pam,cn=config"]["debug_level"] == ["1"] + assert result["cn=nss,cn=config"]["debug_level"] == ["9"] + + +@pytest.mark.importance("critical") +@pytest.mark.topology(KnownTopologyGroup.AnyProvider) +def test_config__reload_added_and_removed_configuration(client: Client): + """ + :title: Add and remove new section to config file + with --genconf-section while SSSD is running + :setup: + 1. In pam domain set "debug_level" to 9 + 2. In nss domain set "debug_level" to 9 + 3. Start SSSD + :steps: + 1. Check that "debug_level" in pam and nss is 9 + 2. Add new section to config with key, value pair set + 3. Apply config changes + 4. Call "sssd --genconf-section==$newSection" + 5. Check that the new section is properly set + 6. Remove new section + 7. Call "sssd --genconf-section==$newSection" + 8. Check that the new section was deleted + 9. Check that "debug_level" in pam and nss is 9 + :expectedresults: + 1. "debug_level" is set to 9 in both domains + 2. Added successfully + 3. New configuration was written + 4. Changes are applied successfully + 5. "sssd --genconf-section==$newSection" is called successfully + 6. New section is removed successfully + 7. "sssd --genconf-section==$newSection" is called successfully + 8. New section was deleted correctly + 9. "debug_level" in pam and nss remained 9 + :customerscenario: False + """ + client.sssd.pam["debug_level"] = "9" + client.sssd.nss["debug_level"] = "9" + client.sssd.start() + + result = client.ldb.search("/var/lib/sss/db/config.ldb") + assert result["cn=pam,cn=config"]["debug_level"] == ["9"] + assert result["cn=nss,cn=config"]["debug_level"] == ["9"] + + client.sssd.config["new_section"] = {"key": "value"} + client.sssd.config_apply(check_config=False) + client.sssd.genconf("new_section") + + result = client.ldb.search("/var/lib/sss/db/config.ldb", "cn=new_section,cn=config") + assert result["cn=new_section,cn=config"]["key"] == ["value"] + + del client.sssd.config["new_section"] + + client.sssd.config_apply() + client.sssd.genconf("new_section") + + result = client.ldb.search("/var/lib/sss/db/config.ldb") + assert result["cn=pam,cn=config"]["debug_level"] == ["9"] + assert result["cn=nss,cn=config"]["debug_level"] == ["9"] + with pytest.raises(KeyError): + assert result["cn=new_section,cn=config"]["key"] != ["value"] + + +@pytest.mark.skip +@pytest.mark.importance("critical") +@pytest.mark.topology(KnownTopologyGroup.AnyProvider) +def test_config__genconf_no_such_section(client: Client): + """ + :title: genconf-section with nonexisting section did not fail + :setup: + 1. Start SSSD + :steps: + 1. Call 'sssd --genconf-section=$nonexistingSection' + :expectedresults: + 1. Call did not fail + :customerscenario: False + + This feature has been removed in sssd-2.9.x + """ + client.sssd.start() + result = client.sssd.genconf("nonexistingSection") + assert result.rc == 0 + assert not result.stderr diff --git a/src/tests/system/tests/test_files.py b/src/tests/system/tests/test_files.py index 8f44ad41e0c..b691e8a9729 100644 --- a/src/tests/system/tests/test_files.py +++ b/src/tests/system/tests/test_files.py @@ -1,5 +1,5 @@ """ -Files test provider cases +SSSD File Provider Test Case :requirement: IDM-SSSD-REQ :: SSSD is default for local resolution """ @@ -15,7 +15,7 @@ @pytest.mark.builtwith("files-provider") @pytest.mark.topology(KnownTopology.Client) -def test_files__getent_does_not_handle_root(client: Client): +def test_files__lookup_root(client: Client): """ :title: Getent call doesnt work on root, when service specified as "sss" :setup: @@ -36,7 +36,7 @@ def test_files__getent_does_not_handle_root(client: Client): @pytest.mark.builtwith("files-provider") @pytest.mark.topology(KnownTopology.Client) -def test_files__simple_getent(client: Client): +def test_files__lookup_user(client: Client): """ :title: Simple getent call :setup: @@ -62,7 +62,7 @@ def test_files__simple_getent(client: Client): @pytest.mark.builtwith("files-provider") @pytest.mark.topology(KnownTopology.Client) -def test_files__enumeration(client: Client): +def test_files__lookup_should_not_enumerate_users(client: Client): """ :title: Files provider should not enumerate :setup: @@ -83,7 +83,7 @@ def test_files__enumeration(client: Client): @pytest.mark.builtwith("files-provider") @pytest.mark.topology(KnownTopology.Client) -def test_files__user_modify(client: Client): +def test_files__lookup_user_shows_updated_user_info(client: Client): """ :title: User have his homedir updated, after passwd :setup: diff --git a/src/tests/system/tests/test_identity.py b/src/tests/system/tests/test_identity.py index ab6734f2ee1..e9acbbacd19 100644 --- a/src/tests/system/tests/test_identity.py +++ b/src/tests/system/tests/test_identity.py @@ -1,5 +1,5 @@ """ -SSSD Client identity Lookups +SSSD Identity Lookup Test Cases :requirement: IDM-SSSD-REQ: Client side performance improvements """ @@ -544,4 +544,39 @@ def test_identity__lookup_idmapping_of_posix_and_non_posix_user_and_group(client assert client.tools.getent.group("posix_group") is not None, "posix-group is not returned by sssd" assert client.tools.getent.group("nonposix_group") is None, "non-posix group is returned by sssd, it should not be" - assert client.tools.getent.passwd("nonposix_user") is None, "non-posix user is returned by sssd, it should not be" + + +@pytest.mark.ticket(bz=1695577) +@pytest.mark.topology(KnownTopologyGroup.AnyProvider) +def test_identity__lookup_when_private_groups_set_to_hybrid(client: Client, provider: GenericProvider): + """ + :title: auto_private_groups set to hybrid + :setup: + 1. Add user "user_same" with uid equals to gid + 2. Add user "user_different" with uid not equals to gid + 3. Set auto_private_groups in sssd.conf to hybrid and turn of ldap_id_mapping + 4. Start SSSD + :steps: + 1. getent passwd "user_same" + 2. getent passwd "user_different" + :expectedresults: + 1. Uid equals to gid + 2. Uid does not equal to gid + :customerscenario: True + :requirement: IDM-SSSD-REQ: SSSD can automatically create user private groups for users + """ + provider.user("user_same").add(uid=111111, gid=111111) + provider.user("user_different").add(uid=111111, gid=100000) + + client.sssd.domain["auto_private_groups"] = "hybrid" + client.sssd.domain["ldap_id_mapping"] = "false" + + client.sssd.start() + + result = client.tools.getent.passwd("user_same@test") + assert result, "getent passwd failed on user_same" + assert result.uid == result.gid, "gid and uid for user_same are not same" + + result = client.tools.getent.passwd("user_different@test") + assert result, "getent passwd failed on user_different" + assert result.uid != result.gid, "gid and uid for user_different are same" diff --git a/src/tests/system/tests/test_kcm.py b/src/tests/system/tests/test_kcm.py index b17acbd5a6b..40d8371139e 100644 --- a/src/tests/system/tests/test_kcm.py +++ b/src/tests/system/tests/test_kcm.py @@ -20,7 +20,7 @@ @pytest.mark.authentication @pytest.mark.topology(KnownTopology.Client) @pytest.mark.parametrize("ccache_storage", ["memory", "secdb"]) -def test_kcm__kinit_overwrite(client: Client, kdc: KDC, ccache_storage: str): +def test_kcm__kinit_does_not_create_new_ccache(client: Client, kdc: KDC, ccache_storage: str): """ :title: Second call to kinit with the same principal does not create new ccache. :setup: @@ -68,7 +68,7 @@ def test_kcm__kinit_overwrite(client: Client, kdc: KDC, ccache_storage: str): @pytest.mark.authentication @pytest.mark.topology(KnownTopology.Client) @pytest.mark.parametrize("ccache_storage", ["memory", "secdb"]) -def test_kcm__kinit_collection(client: Client, kdc: KDC, ccache_storage: str): +def test_kcm__ccache_holds_multiple_and_all_types_of_principals(client: Client, kdc: KDC, ccache_storage: str): """ :title: Multiple principals and service tickets can be stored in a ccache collection. :setup: @@ -159,7 +159,7 @@ def test_kcm__kinit_collection(client: Client, kdc: KDC, ccache_storage: str): @pytest.mark.authentication @pytest.mark.topology(KnownTopology.Client) @pytest.mark.parametrize("ccache_storage", ["memory", "secdb"]) -def test_kcm__kswitch(client: Client, kdc: KDC, ccache_storage: str): +def test_kcm__kswitch_between_primary_ccaches(client: Client, kdc: KDC, ccache_storage: str): """ :title: Switching between primary ccaches. :setup: @@ -229,7 +229,7 @@ def test_kcm__kswitch(client: Client, kdc: KDC, ccache_storage: str): @pytest.mark.authentication @pytest.mark.topology(KnownTopology.Client) @pytest.mark.parametrize("ccache_storage", ["memory", "secdb"]) -def test_kcm__subsidiaries(client: Client, kdc: KDC, ccache_storage: str): +def test_kcm__subsidiary_ccaches_are_used_by_the_kcm(client: Client, kdc: KDC, ccache_storage: str): """ :title: Subsidiary ccaches are usable and KCM: without UID can identify the collection. :setup: @@ -306,7 +306,7 @@ def test_kcm__subsidiaries(client: Client, kdc: KDC, ccache_storage: str): @pytest.mark.authentication @pytest.mark.topology(KnownTopology.Client) @pytest.mark.parametrize("ccache_storage", ["memory", "secdb"]) -def test_kcm__kdestroy_nocache(client: Client, kdc: KDC, ccache_storage: str): +def test_kcm__kdestroy_nocache_throws_no_error(client: Client, kdc: KDC, ccache_storage: str): """ :title: Destroying non-existing cache must not throw an error. :setup: @@ -341,7 +341,7 @@ def test_kcm__kdestroy_nocache(client: Client, kdc: KDC, ccache_storage: str): @pytest.mark.importance("critical") @pytest.mark.authentication @pytest.mark.topology(KnownTopology.Client) -def test_kcm__tgt_renewal(client: Client, kdc: KDC): +def test_kcm__tgt_renewal_updates_ticket_as_configured(client: Client, kdc: KDC): """ :title: Automatic ticket-granting ticket renewal. :setup: @@ -380,9 +380,9 @@ def test_kcm__tgt_renewal(client: Client, kdc: KDC): @pytest.mark.topology(KnownTopology.Client) -def test_kcm__simple_kinit(client: Client, kdc: KDC): +def test_kcm__kinit_user_after_login(client: Client, kdc: KDC): """ - :title: kinit is successfull after user login + :title: kinit is successful after user login :setup: 1. Add 'user1' to kdc and set its password 2. Add 'user1' to local and set its password diff --git a/src/tests/system/tests/test_ldap.py b/src/tests/system/tests/test_ldap.py index bfef3d055f3..ce73633e751 100644 --- a/src/tests/system/tests/test_ldap.py +++ b/src/tests/system/tests/test_ldap.py @@ -2,10 +2,14 @@ SSSD LDAP provider tests :requirement: IDM-SSSD-REQ : LDAP Provider +:TODO: Every provider has password policy tests. I think the password change (test_ldap__password_change*) + tests should be turned into a generic provider test to consolidate test cases and code. """ from __future__ import annotations +import time + import pytest from sssd_test_framework.roles.client import Client from sssd_test_framework.roles.ldap import LDAP @@ -23,7 +27,7 @@ lambda client, sssd_service_user: ((sssd_service_user == "root") or client.features["non-privileged"]), "SSSD was built without support for running under non-root", ) -def test_ldap__change_password(client: Client, ldap: LDAP, modify_mode: str, use_ppolicy: str, sssd_service_user: str): +def test_ldap__password_change(client: Client, ldap: LDAP, modify_mode: str, use_ppolicy: str, sssd_service_user: str): """ :title: Change password with "ldap_pwmodify_mode" set to @modify_mode :setup: @@ -67,7 +71,9 @@ def test_ldap__change_password(client: Client, ldap: LDAP, modify_mode: str, use @pytest.mark.parametrize("modify_mode", ["exop", "ldap_modify"]) @pytest.mark.parametrize("use_ppolicy", ["true", "false"]) @pytest.mark.topology(KnownTopology.LDAP) -def test_ldap__change_password_new_pass_not_match(client: Client, ldap: LDAP, modify_mode: str, use_ppolicy: str): +def test_ldap__password_change_new_passwords_do_not_match( + client: Client, ldap: LDAP, modify_mode: str, use_ppolicy: str +): """ :title: Change password with "ldap_pwmodify_mode" set to @modify_mode, but retyped password do not match :setup: @@ -97,7 +103,9 @@ def test_ldap__change_password_new_pass_not_match(client: Client, ldap: LDAP, mo @pytest.mark.parametrize("modify_mode", ["exop", "ldap_modify"]) @pytest.mark.parametrize("use_ppolicy", ["true", "false"]) @pytest.mark.topology(KnownTopology.LDAP) -def test_ldap__change_password_lowercase(client: Client, ldap: LDAP, modify_mode: str, use_ppolicy: str): +def test_ldap__password_change_new_password_does_not_meet_complexity_requirements( + client: Client, ldap: LDAP, modify_mode: str, use_ppolicy: str +): """ :title: Change password to lower-case letters, password check fail :setup: @@ -136,7 +144,7 @@ def test_ldap__change_password_lowercase(client: Client, ldap: LDAP, modify_mode @pytest.mark.parametrize("modify_mode", ["exop", "ldap_modify"]) @pytest.mark.parametrize("use_ppolicy", ["true", "false"]) @pytest.mark.topology(KnownTopology.LDAP) -def test_ldap__change_password_wrong_current(client: Client, ldap: LDAP, modify_mode: str, use_ppolicy: str): +def test_ldap__password_change_failed_current_password(client: Client, ldap: LDAP, modify_mode: str, use_ppolicy: str): """ :title: Password change failed because an incorrect password was used :setup: @@ -162,7 +170,7 @@ def test_ldap__change_password_wrong_current(client: Client, ldap: LDAP, modify_ @pytest.mark.ticket(bz=[1067476, 1065534]) @pytest.mark.topology(KnownTopology.LDAP) -def test_ldap__user_with_whitespace(client: Client, ldap: LDAP): +def test_ldap__authenticate_user_with_whitespace_prefix_in_userid(client: Client, ldap: LDAP): """ :title: user with a whitespace at beginning is able to login and "id" :setup: @@ -209,7 +217,7 @@ def test_ldap__user_with_whitespace(client: Client, ldap: LDAP): @pytest.mark.ticket(bz=1507035) @pytest.mark.topology(KnownTopology.LDAP) @pytest.mark.parametrize("method", ["su", "ssh"]) -def test_ldap__password_change(client: Client, ldap: LDAP, method: str): +def test_ldap__change_password_when_ldap_pwd_policy_is_set_shadow(client: Client, ldap: LDAP, method: str): """ :title: Change password with shadow ldap password policy :setup: @@ -219,12 +227,13 @@ def test_ldap__password_change(client: Client, ldap: LDAP, method: str): 4. Set ldap_chpass_update_last_change to "True" 5. Start SSSD :steps: - 1. Autheticate as "tuser" with old password + 1. Authenticate as "tuser" with old password 2. Autheticate as "tuser" with new password :expectedresults: 1. Password was expired and new password was expected and provided 2. Authentication with new password was successful :customerscenario: True + TODO: This can be parameterized with ppolicy_password_change test """ ldap.aci.add('(targetattr="userpassword")(version 3.0; acl "pwp test"; allow (all) userdn="ldap:///self";)') ldap.user("tuser").add( @@ -240,3 +249,271 @@ def test_ldap__password_change(client: Client, ldap: LDAP, method: str): # Authenticate with new password assert client.auth.parametrize(method).password("tuser", "Redhat@321") + + +@pytest.mark.importance("medium") +@pytest.mark.ticket(bz=1928648) +@pytest.mark.topology(KnownTopology.LDAP) +def test_ldap__network_timeout_parameters_shown_in_logs(client: Client, ldap: LDAP): + """ + :title: Each timeout setting is properly logged in logs + :setup: + 1. Add user + 2. Start SSSD + :steps: + 1. Check that "Setting 6 seconds timeout [ldap_network_timeout] for connecting" is in logs + 2. Fetch information about user + 3. Block LDAP traffic + 4. Connect user over SSH + 5. Logs should contain following timeout parameters + - ldap_opt_timeout + - ldap_search_timeout + - ldap_network_timeout + - dns_resolver_timeout + :expectedresults: + 1. Timeout setting is stored in logs + 2. User is found + 3. LDAP traffic is blocked + 4. User is unable to connect + 5. The timeout parameters are in the logs + :customerscenario: True + :TODO: This is a non functional test, we should move it to test_logging_*.py or make it functional. + """ + ldap.user("user1").add(password="Secret123") + client.sssd.start() + + log = client.fs.read(f"/var/log/sssd/sssd_{client.sssd.default_domain}.log") + assert "Setting 6 seconds timeout [ldap_network_timeout] for connecting" in log + + assert client.tools.id("user1") is not None + + client.firewall.outbound.drop_host(ldap) + + with pytest.raises(Exception): + client.ssh("user1", "Secret123").connect() + + log = client.fs.read(f"/var/log/sssd/sssd_{client.sssd.default_domain}.log") + for timeout in ["ldap_opt_timeout", "ldap_search_timeout", "ldap_network_timeout", "dns_resolver_timeout"]: + assert timeout in log, f"Value '{timeout}' not found in logs" + + +@pytest.mark.topology(KnownTopology.LDAP) +def test_ldap__authenticate_user_with_empty_ldap_search_base(client: Client, ldap: LDAP): + """ + :title: Without ldapsearch base specified in sssd conf and rootDSE exists + :setup: + 1. With sssd config set enumerate = True. + 2. Set sssd config nss part with filter_groups and filter_users to root. + 3. Add test user with password and make sure it can authenticate. + :steps: + 1. Without ldap_search_base set when user authenticates certain logs + should appear in sssd domain logs. + 2. Now set ldap_search_base in sssd config try with user authentication , + in sssd domain logs sdap_set_config_options_with_rootdse should not appear. + :expectedresults: + 1. Certain logs should appear in sssd domain logs + 2. In sssd domain logs sdap_set_config_options_with_rootdse should not appear. + :customerscenario: False + """ + base = ldap.ldap.naming_context + + client.sssd.dom("test")["enumerate"] = "true" + client.sssd.config["nss"] = { + "filter_groups": "root", + "filter_users": "root", + } + + ou_users = ldap.ou("users").add() + user = ldap.user("puser1", basedn=ou_users).add(uid=10001, gid=10001, password="Secret123") + + client.sssd.stop() + client.sssd.clear() + client.sssd.start() + + assert client.auth.ssh.password(user.name, "Secret123") + time.sleep(3) + + log = client.fs.read(client.sssd.logs.domain()) + for doc in [ + f"Setting option [ldap_search_base] to [{base}]", + f"Setting option [ldap_user_search_base] to [{base}]", + f"Setting option [ldap_group_search_base] to [{base}]", + f"Setting option [ldap_netgroup_search_base] to [{base}]", + ]: + assert doc in str(log) + client.sssd.dom("test")["ldap_search_base"] = ldap.ldap.naming_context + + client.sssd.stop() + client.sssd.clear() + client.sssd.start() + + assert client.auth.ssh.password("puser1", "Secret123") + time.sleep(3) + + log = client.fs.read(client.sssd.logs.domain()) + assert "sdap_set_config_options_with_rootdse" not in log + + +@pytest.mark.topology(KnownTopology.LDAP) +@pytest.mark.parametrize( + "user_search_base, search_base", + [ + ("ldap_user_search_base", "ou=People,dc=ldap,dc=test"), + ("ldap_group_search_base", "ou=Groups,dc=ldap,dc=test"), + ("ldap_netgroup_search_base", "ou=Netgroup,dc=ldap,dc=test"), + ], +) +def test_ldap__authenticate_user_with_search_base_set(client: Client, ldap: LDAP, user_search_base, search_base): + """ + :title: Without ldapsearch base and with ldap user search base specified + :setup: + 1. With sssd config set enumerate = True. + 2. Set sssd config nss part with filter_groups and filter_users to root. + 3. Add test user with password and make sure it can authenticate. + :steps: + 1. Set user_search_base to sssd config. + 2. Set ldap_group_search_base to sssd config. + 3. Set ldap_netgroup_search_base to sssd config. + 4. With each search base there will be different logs generated in sssd domain logs. + :expectedresults: + 1. User_search_base should be set to sssd config. + 2. Ldap_group_search_base should be set to sssd config. + 3. Ldap_netgroup_search_base should be set to sssd config. + 4. There will be different logs generated in sssd domain logs. + :customerscenario: False + """ + base = ldap.ldap.naming_context + + client.sssd.dom("test")["enumerate"] = "true" + client.sssd.dom("test")[user_search_base] = search_base + client.sssd.config["nss"] = { + "filter_groups": "root", + "filter_users": "root", + } + + ou_users = ldap.ou("People").add() + user = ldap.user("puser1", basedn=ou_users).add(uid=10001, gid=10001, password="Secret123") + + client.sssd.stop() + client.sssd.clear() + client.sssd.start() + + result = client.tools.getent.passwd(user.name) + assert result is not None + assert result.name == user.name + + assert client.auth.ssh.password(user.name, "Secret123") + time.sleep(3) + + log = client.fs.read(client.sssd.logs.domain()) + match user_search_base: + case "ldap_user_search_base": + for doc in [ + "Got rootdse", + f"Setting option [ldap_search_base] to [{base}]", + f"Setting option [ldap_group_search_base] to [{base}]", + f"Setting option [ldap_netgroup_search_base] to [{base}]", + ]: + assert doc in str(log) + case "ldap_group_search_base": + for doc in [ + "Got rootdse", + f"Setting option [ldap_search_base] to [{base}]", + f"Setting option [ldap_user_search_base] to [{base}]", + f"Setting option [ldap_netgroup_search_base] to [{base}]", + ]: + assert doc in str(log) + case "ldap_netgroup_search_base": + for doc in [ + "Got rootdse", + f"Setting option [ldap_search_base] to [{base}]", + f"Setting option [ldap_user_search_base] to [{base}]", + f"Setting option [ldap_group_search_base] to [{base}]", + ]: + assert doc in str(log) + + +@pytest.mark.topology(KnownTopology.LDAP) +def test_ldap__lookup_user_default_naming_context_and_no_search_base(client: Client, ldap: LDAP): + """ + :title: Without ldapsearch base and default namingContexts + :setup: + 1. With sssd config set enumerate = True. + 2. Set sssd config nss part with filter_groups and filter_users to root. + 3. Add test user with password and make sure it can authenticate. + :steps: + 1. Sssd without ldapsearch base and default namingContexts. + 2. Sssd should generate some logs when try to authenticate with users. + :expectedresults: + 1. Sssd should work without ldapsearch base and default namingContexts. + 2. Sssd should generate some logs when try to authenticate with users. + :customerscenario: False + """ + base = ldap.ldap.naming_context + + client.sssd.dom("test")["enumerate"] = "true" + client.sssd.config["nss"] = { + "filter_groups": "root", + "filter_users": "root", + } + + ou_users = ldap.ou("People").add() + user = ldap.user("puser1", basedn=ou_users).add(uid=10001, gid=10001, password="Secret123") + + client.sssd.stop() + client.sssd.clear() + client.sssd.start() + + result = client.tools.getent.passwd(user.name) + assert result is not None + assert result.name == user.name + time.sleep(3) + + log = client.fs.read(client.sssd.logs.domain()) + assert "Got rootdse" in log + assert "Using value from [defaultNamingContext] as naming context" in log + assert f"Setting option [ldap_search_base] to [{base}]" in log + + +@pytest.mark.topology(KnownTopology.LDAP) +@pytest.mark.parametrize("user_search_base", ["dc=ldap,dc=test", "dc=shanks,dc=com"]) +def test_ldap__lookup_user_multiple_naming_contexts_and_no_search_base(client: Client, ldap: LDAP, user_search_base): + """ + :title: Without ldapsearch base and multiple namingContexts + :setup: + 1. With sssd config set enumerate = True. + 2. Set sssd config nss part with filter_groups and filter_users to root. + 3. Add test user with password and make sure it can authenticate. + :steps: + 1. Sssd with user_search_base "dc=ldap,dc=test" + 2. Sssd with user_search_base "dc=shanks,dc=com" + 3. With both the cases sssd authentication should work when we configure it with ldap_search_base, + ldap_user_search_base, ldap_group_search_base. + :expectedresults: + 1. Sssd should be configured user_search_base "dc=ldap,dc=test" + 2. Sssd should be configured user_search_base "dc=shanks,dc=com" + 3. User authentication should be success with both the cases. + :customerscenario: False + """ + base = ldap.ldap.naming_context + + ou_users = ldap.ou("People").add() + user = ldap.user("puser1", basedn=ou_users).add(uid=10001, gid=10001, password="Secret123") + + client.sssd.dom("test")["enumerate"] = "true" + client.sssd.dom("test")["ldap_search_base"] = user_search_base + client.sssd.dom("test")["ldap_user_search_base"] = f"ou=People,{base}" + client.sssd.dom("test")["ldap_group_search_base"] = f"ou=Groups,{base}" + client.sssd.config["nss"] = { + "filter_groups": "root", + "filter_users": "root", + } + + client.sssd.stop() + client.sssd.clear() + client.sssd.start() + + result = client.tools.getent.passwd(user.name) + assert result is not None + assert result.name == user.name + assert client.auth.ssh.password(user.name, "Secret123") diff --git a/src/tests/system/tests/test_default_debug_level.py b/src/tests/system/tests/test_logging.py similarity index 77% rename from src/tests/system/tests/test_default_debug_level.py rename to src/tests/system/tests/test_logging.py index 93de621ab77..ee279679104 100644 --- a/src/tests/system/tests/test_default_debug_level.py +++ b/src/tests/system/tests/test_logging.py @@ -6,13 +6,15 @@ from __future__ import annotations +import time + import pytest from sssd_test_framework.roles.client import Client from sssd_test_framework.topology import KnownTopology @pytest.mark.topology(KnownTopology.Client) -def test_default_debug_level__check(client: Client): +def test_logging__default_debug_level_check(client: Client): """ :title: Check default debug level when sssd started successfully :setup: @@ -40,7 +42,7 @@ def test_default_debug_level__check(client: Client): @pytest.mark.topology(KnownTopology.Client) -def test_default_debug_level__check_with_login(client: Client): +def test_logging__default_debug_level_check_with_login(client: Client): """ :title: Successful login with default debug level doesn't generate any logs :setup: @@ -73,7 +75,7 @@ def test_default_debug_level__check_with_login(client: Client): @pytest.mark.ticket(bz=1893159) @pytest.mark.topology(KnownTopology.Client) -def test_default_debug_level__fatal_and_critical_failures(client: Client): +def test_logging__default_debug_level_fatal_and_critical_failures(client: Client): """ :title: Check that messages with levels 0 and 1 are logged for fatal or critical failures :setup: @@ -97,7 +99,7 @@ def test_default_debug_level__fatal_and_critical_failures(client: Client): @pytest.mark.ticket(bz=1893159) @pytest.mark.topology(KnownTopology.Client) -def test_default_debug_level__cannot_load_sssd_config(client: Client): +def test_logging__default_debug_level_cannot_load_sssd_config(client: Client): """ :title: Check that messages with level 2 are logged when SSSD can't load config :setup: @@ -119,7 +121,7 @@ def test_default_debug_level__cannot_load_sssd_config(client: Client): @pytest.mark.ticket(bz=1893159) @pytest.mark.topology(KnownTopology.LDAP) -def test_default_debug_level__nonexisting_ldap_server(client: Client): +def test_logging__default_debug_level_nonexisting_ldap_server(client: Client): """ :title: Check that messages with level 2 are logged when LDAP server doesn't exist :setup: @@ -148,7 +150,7 @@ def test_default_debug_level__nonexisting_ldap_server(client: Client): @pytest.mark.ticket(bz=1915319) @pytest.mark.topology(KnownTopology.Client) -def test_default_debug_level__sbus(client: Client): +def test_logging__default_debug_level_sbus(client: Client): """ :title: SBUS doesn't trigger failure message at modules startup :setup: @@ -165,3 +167,36 @@ def test_default_debug_level__sbus(client: Client): for file in [client.sssd.logs.monitor, client.sssd.logs.domain(), client.sssd.logs.nss, client.sssd.logs.pam]: assert "Unable to remove key" not in client.fs.read(file), f"'Unable to remove key' was found in file: {file}" + + +@pytest.mark.ticket(bz=1416150) +@pytest.mark.topology(KnownTopology.LDAP) +def test_logging__log_to_syslog_when_backend_goes_offline(client: Client): + """ + :title: Log to syslog when sssd cannot contact servers goes offline + :setup: + 1. Set an invalid hostname uri and disable the offset to refresh sudo rules + 2. Start SSSD + :steps: + 1. Check domain status for default domain + 2. Clear journal and restart SSSD + 3. Check journalctl + :expectedresults: + 1. Domain is offline + 2. Succeed + 3. "Backend is offline" found + :customerscenario: True + """ + client.sssd.domain["ldap_uri"] = "ldaps://typo.invalid" + client.sssd.domain["ldap_sudo_random_offset"] = "0" + client.sssd.start() + assert client.sssd.default_domain is not None, "Failed to load default domain" + status = client.sssctl.domain_status(client.sssd.default_domain) + assert "Offline" in status.stdout or "Unable to get online status" in status.stderr, "Domain is not offline" + + client.journald.clear() + client.sssd.restart() + time.sleep(1) + + log = client.journald.journalctl(grep="Backend is offline", unit="sssd") + assert log.rc == 0, "'Backend is offline' is not logged" diff --git a/src/tests/system/tests/test_memory_cache.py b/src/tests/system/tests/test_memory_cache.py index ad35d1d1876..7c743e35511 100644 --- a/src/tests/system/tests/test_memory_cache.py +++ b/src/tests/system/tests/test_memory_cache.py @@ -16,7 +16,7 @@ @pytest.mark.importance("critical") @pytest.mark.cache @pytest.mark.topology(KnownTopologyGroup.AnyProvider) -def test_memory_cache__getpwnam(client: Client, provider: GenericProvider): +def test_memory_cache__lookup_users(client: Client, provider: GenericProvider): """ :title: Lookup user by name uses memory cache when SSSD is stopped :setup: @@ -57,7 +57,7 @@ def check(users): @pytest.mark.importance("critical") @pytest.mark.cache @pytest.mark.topology(KnownTopologyGroup.AnyProvider) -def test_memory_cache__getgrnam(client: Client, provider: GenericProvider): +def test_memory_cache__lookup_groups(client: Client, provider: GenericProvider): """ :title: Lookup group by groupname uses memory cache when SSSD is stopped :setup: @@ -98,7 +98,7 @@ def check(groups): @pytest.mark.importance("high") @pytest.mark.cache @pytest.mark.topology(KnownTopologyGroup.AnyProvider) -def test_memory_cache__disabled_passwd_getgrnam(client: Client, provider: GenericProvider): +def test_memory_cache__user_cache_is_disabled_and_lookup_groups(client: Client, provider: GenericProvider): """ :title: Lookup group by groupname uses memory cache when SSSD is stopped and 'memcache_size_passwd' = 0 :setup: @@ -141,7 +141,7 @@ def check(groups): @pytest.mark.importance("high") @pytest.mark.cache @pytest.mark.topology(KnownTopologyGroup.AnyProvider) -def test_memory_cache__disabled_passwd_getpwnam(client: Client, provider: GenericProvider): +def test_memory_cache__user_cache_is_disabled_and_lookup_users(client: Client, provider: GenericProvider): """ :title: Lookup user by name when SSSD is stopped and 'memcache_size_passwd' = 0 uses memory cache therefore user is not found @@ -188,7 +188,7 @@ def test_memory_cache__disabled_passwd_getpwnam(client: Client, provider: Generi @pytest.mark.importance("high") @pytest.mark.cache @pytest.mark.topology(KnownTopologyGroup.AnyProvider) -def test_memory_cache__disabled_intitgroups_getgrnam(client: Client, provider: GenericProvider): +def test_memory_cache__initgroup_cache_is_disabled_and_lookup_groups(client: Client, provider: GenericProvider): """ :title: Lookup group by groupname when SSSD is stopped and 'memcache_size_initgroups' = 0 uses memory cache :setup: @@ -231,7 +231,7 @@ def check(groups): @pytest.mark.importance("high") @pytest.mark.cache @pytest.mark.topology(KnownTopologyGroup.AnyProvider) -def test_memory_cache__disabled_intitgroups_getpwnam(client: Client, provider: GenericProvider): +def test_memory_cache__initgroup_cache_is_disabled_and_lookup_users(client: Client, provider: GenericProvider): """ :title: Lookup user by name and id when SSSD is stopped and 'memcache_size_initgroups' = 0 uses memory cache :setup: @@ -286,7 +286,7 @@ def check(ids): @pytest.mark.importance("high") @pytest.mark.cache @pytest.mark.topology(KnownTopologyGroup.AnyProvider) -def test_memory_cache__disabled_group(client: Client, provider: GenericProvider): +def test_memory_cache__group_cache_disabled_and_lookup_groups(client: Client, provider: GenericProvider): """ :title: Lookup user by name and id when SSSD is stopped and 'memcache_size_group' = 0 uses memory cache, but lookup groups is not possible @@ -360,7 +360,7 @@ def check(users): @pytest.mark.importance("high") @pytest.mark.cache @pytest.mark.topology(KnownTopologyGroup.AnyProvider) -def test_memory_cache__disabled_cache(client: Client, provider: GenericProvider): +def test_memory_cache__all_caches_disabled_and_all_lookups_fails(client: Client, provider: GenericProvider): """ :title: Lookup user and group when SSSD is stopped and whole cache disabled uses memory cache and therefore it is not possible @@ -437,7 +437,7 @@ def test_memory_cache__disabled_cache(client: Client, provider: GenericProvider) @pytest.mark.importance("critical") @pytest.mark.cache @pytest.mark.topology(KnownTopologyGroup.AnyProvider) -def test_memory_cache__membership_by_group_name(client: Client, provider: GenericProvider): +def test_memory_cache__lookup_users_check_group_memberships(client: Client, provider: GenericProvider): """ :title: Lookup user by name and test membership by name use memory cache when SSSD is stopped :setup: @@ -490,7 +490,7 @@ def check(): @pytest.mark.importance("critical") @pytest.mark.cache @pytest.mark.topology(KnownTopologyGroup.AnyProvider) -def test_memory_cache__membership_by_group_id(client: Client, provider: GenericProvider): +def test_memory_cache__lookup_users_and_check_membership_by_gid(client: Client, provider: GenericProvider): """ :title: Lookup user by name and test membership by gid use memory cache when SSSD is stopped :setup: @@ -546,7 +546,7 @@ def check(): @pytest.mark.importance("critical") @pytest.mark.cache @pytest.mark.topology(KnownTopologyGroup.AnyProvider) -def test_memory_cache__user_gids(client: Client, provider: GenericProvider): +def test_memory_cache__lookup_uids_and_check_membership_by_gid(client: Client, provider: GenericProvider): """ :title: Lookup user by id and test membership by gid use memory cache when SSSD is stopped :setup: @@ -602,7 +602,7 @@ def check(): @pytest.mark.importance("critical") @pytest.mark.cache @pytest.mark.topology(KnownTopologyGroup.AnyProvider) -def test_memory_cache__getpwnam_fully_qualified_names(client: Client, provider: GenericProvider): +def test_memory_cache__lookup_users_by_fully_qualified_names(client: Client, provider: GenericProvider): """ :title: Lookup user by full name when 'use_fully_qualified_names' is 'true' uses memory cache when sssd is stopped @@ -655,7 +655,7 @@ def check(): @pytest.mark.importance("critical") @pytest.mark.cache @pytest.mark.topology(KnownTopologyGroup.AnyProvider) -def test_memory_cache__case_insensitive(client: Client, provider: GenericProvider): +def test_memory_cache__lookup_users_when_case_insensitive_is_false(client: Client, provider: GenericProvider): """ :title: Lookup user by case insensitive name when 'case_sensitive' is 'false' uses memory cache when SSSD is stopped @@ -718,7 +718,9 @@ def test_memory_cache__case_insensitive(client: Client, provider: GenericProvide @pytest.mark.importance("critical") @pytest.mark.cache @pytest.mark.topology(KnownTopologyGroup.AnyProvider) -def test_memory_cache__fq_names_case_insensitive(client: Client, provider: GenericProvider): +def test_memory_cache__lookup_users_when_fully_qualified_name_is_true_and_case_ins_is_false( + client: Client, provider: GenericProvider +): """ :title: Lookup user by case insensitive fully qualified name when 'case_sensitive' is 'false' and 'use_fully_qualified_names' is 'true' uses memory cache when SSSD is stopped @@ -858,7 +860,7 @@ def check_group(name, gid): @pytest.mark.importance("high") @pytest.mark.cache @pytest.mark.topology(KnownTopologyGroup.AnyProvider) -def test_memory_cache__initgroups_without_change_in_membership(client: Client, provider: GenericProvider): +def test_memory_cache__lookup_initgroups_without_change_in_membership(client: Client, provider: GenericProvider): """ :title: Invalidated cache, after refresh and stopped SSSD, has everything loaded in memory :setup: @@ -947,7 +949,7 @@ def check(): @pytest.mark.importance("critical") @pytest.mark.cache @pytest.mark.topology(KnownTopologyGroup.AnyProvider) -def test_memory_cache__invalidate_user_before_stop(client: Client, provider: GenericProvider): +def test_memory_cache__invalidate_user_cache_before_stop(client: Client, provider: GenericProvider): """ :title: Invalidate user cache before SSSD is stopped :setup: @@ -1003,7 +1005,7 @@ def test_memory_cache__invalidate_user_before_stop(client: Client, provider: Gen @pytest.mark.importance("critical") @pytest.mark.cache @pytest.mark.topology(KnownTopologyGroup.AnyProvider) -def test_memory_cache__invalidate_user_after_stop(client: Client, provider: GenericProvider): +def test_memory_cache__invalidate_user_cache_after_stop(client: Client, provider: GenericProvider): """ :title: Invalidate user cache after SSSD is stopped :setup: @@ -1059,7 +1061,7 @@ def test_memory_cache__invalidate_user_after_stop(client: Client, provider: Gene @pytest.mark.importance("critical") @pytest.mark.cache @pytest.mark.topology(KnownTopologyGroup.AnyProvider) -def test_memory_cache__invalidate_users_before_stop(client: Client, provider: GenericProvider): +def test_memory_cache__invalidate_users_cache_before_stop(client: Client, provider: GenericProvider): """ :title: Invalidate users cache before SSSD is stopped :setup: @@ -1123,7 +1125,7 @@ def test_memory_cache__invalidate_users_before_stop(client: Client, provider: Ge @pytest.mark.importance("critical") @pytest.mark.cache @pytest.mark.topology(KnownTopologyGroup.AnyProvider) -def test_memory_cache__invalidate_users_after_stop(client: Client, provider: GenericProvider): +def test_memory_cache__invalidate_users_cache_after_stop(client: Client, provider: GenericProvider): """ :title: Invalidate users cache after SSSD is stopped :setup: @@ -1187,7 +1189,7 @@ def test_memory_cache__invalidate_users_after_stop(client: Client, provider: Gen @pytest.mark.importance("critical") @pytest.mark.cache @pytest.mark.topology(KnownTopologyGroup.AnyProvider) -def test_memory_cache__invalidate_group_before_stop(client: Client, provider: GenericProvider): +def test_memory_cache__invalidate_group_cache_before_stop(client: Client, provider: GenericProvider): """ :title: Invalidate group cache before SSSD is stopped :setup: @@ -1230,7 +1232,7 @@ def test_memory_cache__invalidate_group_before_stop(client: Client, provider: Ge @pytest.mark.importance("critical") @pytest.mark.cache @pytest.mark.topology(KnownTopologyGroup.AnyProvider) -def test_memory_cache__invalidate_group_after_stop(client: Client, provider: GenericProvider): +def test_memory_cache__invalidate_group_cache_after_stop(client: Client, provider: GenericProvider): """ :title: Invalidate group cache after SSSD is stopped :setup: @@ -1273,7 +1275,7 @@ def test_memory_cache__invalidate_group_after_stop(client: Client, provider: Gen @pytest.mark.importance("high") @pytest.mark.cache @pytest.mark.topology(KnownTopologyGroup.AnyProvider) -def test_memory_cache__invalidate_groups_before_stop(client: Client, provider: GenericProvider): +def test_memory_cache__invalidate_groups_cache_before_stop(client: Client, provider: GenericProvider): """ :title: Invalidate groups cache before SSSD is stopped :setup: @@ -1320,7 +1322,7 @@ def test_memory_cache__invalidate_groups_before_stop(client: Client, provider: G @pytest.mark.importance("high") @pytest.mark.cache @pytest.mark.topology(KnownTopologyGroup.AnyProvider) -def test_memory_cache__invalidate_groups_after_stop(client: Client, provider: GenericProvider): +def test_memory_cache__invalidate_groups_cache_after_stop(client: Client, provider: GenericProvider): """ :title: Invalidate groups cache after SSSD is stopped :setup: @@ -1627,7 +1629,7 @@ def test_memory_cache__removed_cache_without_invalidation(client: Client, provid @pytest.mark.topology(KnownTopology.LDAP) @pytest.mark.ticket(bz=2226021) -def test_memory_cache__truncate__nosigbus(client: Client, ldap: LDAP): +def test_memory_cache__truncate_in_memory_cache_no_sigbus(client: Client, ldap: LDAP): """ :title: Accessing truncated in-memory cache file does not cause SIGBUS :setup: diff --git a/src/tests/system/tests/test_offline.py b/src/tests/system/tests/test_offline.py deleted file mode 100644 index d8ae60b86e2..00000000000 --- a/src/tests/system/tests/test_offline.py +++ /dev/null @@ -1,92 +0,0 @@ -""" -Automation of offline tests - -:requirement: offline -""" - -from __future__ import annotations - -import time - -import pytest -from sssd_test_framework.roles.client import Client -from sssd_test_framework.roles.ldap import LDAP -from sssd_test_framework.topology import KnownTopology - - -@pytest.mark.ticket(bz=1416150) -@pytest.mark.topology(KnownTopology.LDAP) -def test_offline__ldap_log_to_syslog(client: Client): - """ - :title: Log to syslog when sssd cannot contact servers goes offline - :setup: - 1. Set an invalid hostname uri and disable the offset to refresh sudo rules - 2. Start SSSD - :steps: - 1. Check domain status for default domain - 2. Clear journal and restart SSSD - 3. Check journalctl - :expectedresults: - 1. Domain is offline - 2. Succeed - 3. "Backend is offline" found - :customerscenario: True - """ - client.sssd.domain["ldap_uri"] = "ldaps://typo.invalid" - client.sssd.domain["ldap_sudo_random_offset"] = "0" - client.sssd.start() - assert client.sssd.default_domain is not None, "Failed to load default domain" - status = client.sssctl.domain_status(client.sssd.default_domain) - assert "Offline" in status.stdout or "Unable to get online status" in status.stderr, "Domain is not offline" - - client.journald.clear() - client.sssd.restart() - time.sleep(1) - - log = client.journald.journalctl(grep="Backend is offline", unit="sssd") - assert log.rc == 0, "'Backend is offline' is not logged" - - -@pytest.mark.importance("medium") -@pytest.mark.ticket(bz=1928648) -@pytest.mark.topology(KnownTopology.LDAP) -def test_offline__ldap_network_timeout_parameters_shown_in_logs(client: Client, ldap: LDAP): - """ - :title: Each timeout setting is properly logged in logs - :setup: - 1. Add user - 2. Start SSSD - :steps: - 1. Check that "Setting 6 seconds timeout [ldap_network_timeout] for connecting" is in logs - 2. Fetch information about user - 3. Block LDAP traffic - 4. Connect user over SSH - 5. Logs should contain following timeout parameters - - ldap_opt_timeout - - ldap_search_timeout - - ldap_network_timeout - - dns_resolver_timeout - :expectedresults: - 1. Timeout setting is stored in logs - 2. User is found - 3. LDAP traffic is blocked - 4. User is unable to connect - 5. The timeout parameters are in the logs - :customerscenario: True - """ - ldap.user("user1").add(password="Secret123") - client.sssd.start() - - log = client.fs.read(f"/var/log/sssd/sssd_{client.sssd.default_domain}.log") - assert "Setting 6 seconds timeout [ldap_network_timeout] for connecting" in log - - assert client.tools.id("user1") is not None - - client.firewall.outbound.drop_host(ldap) - - with pytest.raises(Exception): - client.ssh("user1", "Secret123").connect() - - log = client.fs.read(f"/var/log/sssd/sssd_{client.sssd.default_domain}.log") - for timeout in ["ldap_opt_timeout", "ldap_search_timeout", "ldap_network_timeout", "dns_resolver_timeout"]: - assert timeout in log, f"Value '{timeout}' not found in logs" diff --git a/src/tests/system/tests/test_passkey.py b/src/tests/system/tests/test_passkey.py index 9f0e9c448a2..ab25090c5e0 100644 --- a/src/tests/system/tests/test_passkey.py +++ b/src/tests/system/tests/test_passkey.py @@ -29,7 +29,7 @@ def passkey_requires_root(client: Client) -> tuple[bool, str] | bool: @pytest.mark.importance("high") @pytest.mark.topology(KnownTopology.Client) @pytest.mark.builtwith(client="passkey") -def test_passkey__register__sssctl(client: Client, moduledatadir: str, testdatadir: str): +def test_passkey__register_sssctl(client: Client, moduledatadir: str, testdatadir: str): """ :title: Register a key with sssctl :setup: @@ -58,7 +58,7 @@ def test_passkey__register__sssctl(client: Client, moduledatadir: str, testdatad @pytest.mark.importance("high") @pytest.mark.topology(KnownTopology.IPA) @pytest.mark.builtwith(client="passkey", ipa="passkey") -def test_passkey__register__ipa(ipa: IPA, moduledatadir: str, testdatadir: str): +def test_passkey__register_ipa(ipa: IPA, moduledatadir: str, testdatadir: str): """ :title: Register a passkey with the IPA command :setup: @@ -90,7 +90,7 @@ def test_passkey__register__ipa(ipa: IPA, moduledatadir: str, testdatadir: str): @pytest.mark.topology(KnownTopologyGroup.AnyProvider) @pytest.mark.builtwith(client="passkey", provider="passkey") @pytest.mark.require.with_args(passkey_requires_root) -def test_passkey__su(client: Client, provider: GenericProvider, moduledatadir: str, testdatadir: str): +def test_passkey__su_user(client: Client, provider: GenericProvider, moduledatadir: str, testdatadir: str): """ :title: Check su authentication of user with LDAP, IPA, AD and Samba :setup: @@ -125,7 +125,9 @@ def test_passkey__su(client: Client, provider: GenericProvider, moduledatadir: s @pytest.mark.topology(KnownTopologyGroup.AnyProvider) @pytest.mark.builtwith(client="passkey", provider="passkey") @pytest.mark.require.with_args(passkey_requires_root) -def test_passkey__su_fail_pin(client: Client, provider: GenericProvider, moduledatadir: str, testdatadir: str): +def test_passkey__su_user_with_failed_pin( + client: Client, provider: GenericProvider, moduledatadir: str, testdatadir: str +): """ :title: Check su authentication deny of user with LDAP, IPA, AD and Samba with incorrect pin :setup: @@ -160,7 +162,9 @@ def test_passkey__su_fail_pin(client: Client, provider: GenericProvider, moduled @pytest.mark.topology(KnownTopologyGroup.AnyProvider) @pytest.mark.builtwith(client="passkey", provider="passkey") @pytest.mark.require.with_args(passkey_requires_root) -def test_passkey__su_fail_mapping(client: Client, provider: GenericProvider, moduledatadir: str, testdatadir: str): +def test_passkey__su_user_with_incorrect_mapping( + client: Client, provider: GenericProvider, moduledatadir: str, testdatadir: str +): """ :title: Check su authentication deny of user with LDAP, IPA, AD and Samba with incorrect mapping :setup: @@ -197,7 +201,7 @@ def test_passkey__su_fail_mapping(client: Client, provider: GenericProvider, mod @pytest.mark.topology(KnownTopologyGroup.AnyProvider) @pytest.mark.builtwith(client="passkey", provider="passkey") @pytest.mark.require.with_args(passkey_requires_root) -def test_passkey__su_srv_not_resolvable( +def test_passkey__su_user_when_server_is_not_resolvable( client: Client, provider: GenericProvider, moduledatadir: str, testdatadir: str ): """ @@ -258,7 +262,9 @@ def test_passkey__su_srv_not_resolvable( @pytest.mark.topology(KnownTopologyGroup.AnyProvider) @pytest.mark.builtwith(client="passkey", provider="passkey") @pytest.mark.require.with_args(passkey_requires_root) -def test_passkey__offline_su(client: Client, provider: GenericProvider, moduledatadir: str, testdatadir: str): +def test_passkey__su_user_when_offline( + client: Client, provider: GenericProvider, moduledatadir: str, testdatadir: str +): """ :title: Check offline su authentication of a user with LDAP, IPA, AD and Samba :setup: @@ -314,7 +320,7 @@ def test_passkey__offline_su(client: Client, provider: GenericProvider, moduleda @pytest.mark.importance("high") @pytest.mark.topology(KnownTopologyGroup.AnyProvider) @pytest.mark.builtwith(client="passkey", provider="passkey") -def test_passkey__user_fetch_from_cache( +def test_passkey__lookup_user_from_cache( client: Client, provider: GenericProvider, moduledatadir: str, testdatadir: str ): """ @@ -352,9 +358,9 @@ def test_passkey__user_fetch_from_cache( @pytest.mark.topology(KnownTopologyGroup.AnyProvider) @pytest.mark.builtwith(client="passkey", provider="passkey") @pytest.mark.require.with_args(passkey_requires_root) -def test_passkey__su_multi_keys_for_same_user( +def test_passkey__su_user_with_multiple_keys( +>>>>>>> ace8a593c (tests: test case audit and house keeping) client: Client, provider: GenericProvider, moduledatadir: str, testdatadir: str -): """ :title: Check su authentication of user when multiple keys added for same user with LDAP, IPA, AD and Samba server. @@ -392,7 +398,7 @@ def test_passkey__su_multi_keys_for_same_user( @pytest.mark.topology(KnownTopologyGroup.AnyProvider) @pytest.mark.builtwith(client="passkey", provider="passkey") @pytest.mark.require.with_args(passkey_requires_root) -def test_passkey__su_same_key_for_multi_user( +def test_passkey__su_user_same_key_for_other_users( client: Client, provider: GenericProvider, moduledatadir: str, testdatadir: str ): """ diff --git a/src/tests/system/tests/test_proxy.py b/src/tests/system/tests/test_proxy.py index 76059a72db6..b4d8e2ef8dd 100644 --- a/src/tests/system/tests/test_proxy.py +++ b/src/tests/system/tests/test_proxy.py @@ -1,7 +1,7 @@ """ Proxy Provider tests. -:requirement: Ldap Provider - nss-pam-ldapd +:requirement: Proxy Provider """ from __future__ import annotations @@ -14,15 +14,14 @@ @pytest.mark.topology(KnownTopology.LDAP) @pytest.mark.ticket(bz=895570) -def test_invalid_attribute_syntax(client: Client, ldap: LDAP): +def test_proxy__nslcd_fast_alias_set_to_true_with_no_ldb_modify_errors(client: Client, ldap: LDAP): """ - :title: Enabling proxy_fast_alias shows "ldb_modify failed: - [Invalid attribute syntax]" for id lookups. + :title: Enabling proxy_fast_alias should not show "ldb_modify failed: [Invalid attribute syntax]" for id lookups. :setup: 1. Setup sssd for proxy provider. 2. Enable proxy_fast_alias. 3. Setup nslcd services. - 4. Add Ou and User. + 4. Add OU and User. :steps: 1. id lookup a user. 2. Check logs for "ldb_modify failed". @@ -30,6 +29,7 @@ def test_invalid_attribute_syntax(client: Client, ldap: LDAP): 1. id look up should success. 2. Errors should not be seen on enabling proxy_fast_alias. :customerscenario: True + :TODO: Review test. """ client.sssd.config["domain/test"] = { "id_provider": "proxy", @@ -56,8 +56,10 @@ def test_invalid_attribute_syntax(client: Client, ldap: LDAP): client.sssd.restart() ou_users = ldap.ou("users").add() user = ldap.user("user-1", basedn=ou_users).add(uid=10001, gid=10001, password="Secret123") + result = client.tools.id(user.name) assert result is not None assert result.user.name == user.name + log = client.fs.read(client.sssd.logs.domain()) assert "ldb_modify failed: [Invalid attribute syntax]" not in log diff --git a/src/tests/system/tests/test_rootdse.py b/src/tests/system/tests/test_rootdse.py deleted file mode 100644 index 5d292eb5dfc..00000000000 --- a/src/tests/system/tests/test_rootdse.py +++ /dev/null @@ -1,236 +0,0 @@ -""" -SSSD Log tests. - -:requirement: Ldap Provider - ldap_id_ldap_auth -""" - -from __future__ import annotations - -import time - -import pytest -from sssd_test_framework.roles.client import Client -from sssd_test_framework.roles.ldap import LDAP -from sssd_test_framework.topology import KnownTopology - - -@pytest.mark.topology(KnownTopology.LDAP) -def test_ldap_search_base(client: Client, ldap: LDAP): - """ - :title: Without ldapsearch base specified in sssd conf and rootDSE exists - :setup: - 1. With sssd config set enumerate = True. - 2. Set sssd config nss part with filter_groups and filter_users to root. - 3. Add test user with password and make sure it can authenticate. - :steps: - 1. Without ldap_search_base set when user authenticates certain logs - should appear in sssd domain logs. - 2. Now set ldap_search_base in sssd config try with user authentication , - in sssd domain logs sdap_set_config_options_with_rootdse should not appear. - :expectedresults: - 1. Certain logs should appear in sssd domain logs - 2. In sssd domain logs sdap_set_config_options_with_rootdse should not appear. - :customerscenario: False - """ - base = ldap.ldap.naming_context - - client.sssd.dom("test")["enumerate"] = "true" - client.sssd.config["nss"] = { - "filter_groups": "root", - "filter_users": "root", - } - - ou_users = ldap.ou("users").add() - user = ldap.user("puser1", basedn=ou_users).add(uid=10001, gid=10001, password="Secret123") - - client.sssd.stop() - client.sssd.clear() - client.sssd.start() - - assert client.auth.ssh.password(user.name, "Secret123") - time.sleep(3) - - log = client.fs.read(client.sssd.logs.domain()) - for doc in [ - f"Setting option [ldap_search_base] to [{base}]", - f"Setting option [ldap_user_search_base] to [{base}]", - f"Setting option [ldap_group_search_base] to [{base}]", - f"Setting option [ldap_netgroup_search_base] to [{base}]", - ]: - assert doc in str(log) - client.sssd.dom("test")["ldap_search_base"] = ldap.ldap.naming_context - - client.sssd.stop() - client.sssd.clear() - client.sssd.start() - - assert client.auth.ssh.password("puser1", "Secret123") - time.sleep(3) - - log = client.fs.read(client.sssd.logs.domain()) - assert "sdap_set_config_options_with_rootdse" not in log - - -@pytest.mark.topology(KnownTopology.LDAP) -@pytest.mark.parametrize( - "user_search_base, search_base", - [ - ("ldap_user_search_base", "ou=People,dc=ldap,dc=test"), - ("ldap_group_search_base", "ou=Groups,dc=ldap,dc=test"), - ("ldap_netgroup_search_base", "ou=Netgroup,dc=ldap,dc=test"), - ], -) -def test_ldap_user_search_base_set(client: Client, ldap: LDAP, user_search_base, search_base): - """ - :title: Without ldapsearch base and with ldap user search base specified - :setup: - 1. With sssd config set enumerate = True. - 2. Set sssd config nss part with filter_groups and filter_users to root. - 3. Add test user with password and make sure it can authenticate. - :steps: - 1. Set user_search_base to sssd config. - 2. Set ldap_group_search_base to sssd config. - 3. Set ldap_netgroup_search_base to sssd config. - 4. With each search base there will be different logs generated in sssd domain logs. - :expectedresults: - 1. User_search_base should be set to sssd config. - 2. Ldap_group_search_base should be set to sssd config. - 3. Ldap_netgroup_search_base should be set to sssd config. - 4. There will be different logs generated in sssd domain logs. - :customerscenario: False - """ - base = ldap.ldap.naming_context - - client.sssd.dom("test")["enumerate"] = "true" - client.sssd.dom("test")[user_search_base] = search_base - client.sssd.config["nss"] = { - "filter_groups": "root", - "filter_users": "root", - } - - ou_users = ldap.ou("People").add() - user = ldap.user("puser1", basedn=ou_users).add(uid=10001, gid=10001, password="Secret123") - - client.sssd.stop() - client.sssd.clear() - client.sssd.start() - - result = client.tools.getent.passwd(user.name) - assert result is not None - assert result.name == user.name - - assert client.auth.ssh.password(user.name, "Secret123") - time.sleep(3) - - log = client.fs.read(client.sssd.logs.domain()) - match user_search_base: - case "ldap_user_search_base": - for doc in [ - "Got rootdse", - f"Setting option [ldap_search_base] to [{base}]", - f"Setting option [ldap_group_search_base] to [{base}]", - f"Setting option [ldap_netgroup_search_base] to [{base}]", - ]: - assert doc in str(log) - case "ldap_group_search_base": - for doc in [ - "Got rootdse", - f"Setting option [ldap_search_base] to [{base}]", - f"Setting option [ldap_user_search_base] to [{base}]", - f"Setting option [ldap_netgroup_search_base] to [{base}]", - ]: - assert doc in str(log) - case "ldap_netgroup_search_base": - for doc in [ - "Got rootdse", - f"Setting option [ldap_search_base] to [{base}]", - f"Setting option [ldap_user_search_base] to [{base}]", - f"Setting option [ldap_group_search_base] to [{base}]", - ]: - assert doc in str(log) - - -@pytest.mark.topology(KnownTopology.LDAP) -def test_default_naming_context(client: Client, ldap: LDAP): - """ - :title: Without ldapsearch base and default namingContexts - :setup: - 1. With sssd config set enumerate = True. - 2. Set sssd config nss part with filter_groups and filter_users to root. - 3. Add test user with password and make sure it can authenticate. - :steps: - 1. Sssd without ldapsearch base and default namingContexts. - 2. Sssd should generate some logs when try to authenticate with users. - :expectedresults: - 1. Sssd should work without ldapsearch base and default namingContexts. - 2. Sssd should generate some logs when try to authenticate with users. - :customerscenario: False - """ - base = ldap.ldap.naming_context - - client.sssd.dom("test")["enumerate"] = "true" - client.sssd.config["nss"] = { - "filter_groups": "root", - "filter_users": "root", - } - - ou_users = ldap.ou("People").add() - user = ldap.user("puser1", basedn=ou_users).add(uid=10001, gid=10001, password="Secret123") - - client.sssd.stop() - client.sssd.clear() - client.sssd.start() - - result = client.tools.getent.passwd(user.name) - assert result is not None - assert result.name == user.name - time.sleep(3) - - log = client.fs.read(client.sssd.logs.domain()) - assert "Got rootdse" in log - assert "Using value from [defaultNamingContext] as naming context" in log - assert f"Setting option [ldap_search_base] to [{base}]" in log - - -@pytest.mark.topology(KnownTopology.LDAP) -@pytest.mark.parametrize("user_search_base", ["dc=ldap,dc=test", "dc=shanks,dc=com"]) -def test_multiple_naming_contexts(client: Client, ldap: LDAP, user_search_base): - """ - :title: Without ldapsearch base and multiple namingContexts - :setup: - 1. With sssd config set enumerate = True. - 2. Set sssd config nss part with filter_groups and filter_users to root. - 3. Add test user with password and make sure it can authenticate. - :steps: - 1. Sssd with user_search_base "dc=ldap,dc=test" - 2. Sssd with user_search_base "dc=shanks,dc=com" - 3. With both the cases sssd authentication should work when we configure it with ldap_search_base, - ldap_user_search_base, ldap_group_search_base. - :expectedresults: - 1. Sssd should be configured user_search_base "dc=ldap,dc=test" - 2. Sssd should be configured user_search_base "dc=shanks,dc=com" - 3. User authentication should be success with both the cases. - :customerscenario: False - """ - base = ldap.ldap.naming_context - - ou_users = ldap.ou("People").add() - user = ldap.user("puser1", basedn=ou_users).add(uid=10001, gid=10001, password="Secret123") - - client.sssd.dom("test")["enumerate"] = "true" - client.sssd.dom("test")["ldap_search_base"] = user_search_base - client.sssd.dom("test")["ldap_user_search_base"] = f"ou=People,{base}" - client.sssd.dom("test")["ldap_group_search_base"] = f"ou=Groups,{base}" - client.sssd.config["nss"] = { - "filter_groups": "root", - "filter_users": "root", - } - - client.sssd.stop() - client.sssd.clear() - client.sssd.start() - - result = client.tools.getent.passwd(user.name) - assert result is not None - assert result.name == user.name - assert client.auth.ssh.password(user.name, "Secret123") diff --git a/src/tests/system/tests/test_schema.py b/src/tests/system/tests/test_schema.py index 4535d4d330e..47d207ebe24 100644 --- a/src/tests/system/tests/test_schema.py +++ b/src/tests/system/tests/test_schema.py @@ -31,6 +31,7 @@ def test_schema__ldap_extra_attrs_filled(client: Client, provider: GenericProvid 1. SSSD starts successfully 2. "tuser" is present in the passwd db :customerscenario: False + """ provider.user("tuser").add() client.sssd.domain["ldap_user_extra_attrs"] = attrs diff --git a/src/tests/system/tests/test_sss_cache.py b/src/tests/system/tests/test_sss_cache.py index f972f3dcba4..ba20fa858a4 100644 --- a/src/tests/system/tests/test_sss_cache.py +++ b/src/tests/system/tests/test_sss_cache.py @@ -51,7 +51,7 @@ def test_sss_cache__cache_expire_message(client: Client): @pytest.mark.importance("critical") @pytest.mark.cache @pytest.mark.topology(KnownTopologyGroup.AnyProvider) -def test_sss_cache__background_refresh(client: Client, provider: GenericProvider): +def test_sss_cache__ldb_database_is_refreshed_as_configured(client: Client, provider: GenericProvider): """ :title: Ensuring ldb cache data is refreshed correctly :setup: diff --git a/src/tests/system/tests/test_sssctl.py b/src/tests/system/tests/test_sssctl.py index 8bb5258f99f..7f6bcd9c6ef 100644 --- a/src/tests/system/tests/test_sssctl.py +++ b/src/tests/system/tests/test_sssctl.py @@ -7,9 +7,10 @@ from __future__ import annotations import re +import time import pytest -from pytest_mh.ssh import SSHProcessError +from pytest_mh.ssh import SSHAuthenticationError, SSHProcessError from sssd_test_framework.roles.client import Client from sssd_test_framework.roles.ldap import LDAP from sssd_test_framework.topology import KnownTopology @@ -19,7 +20,7 @@ @pytest.mark.tools @pytest.mark.ticket(bz=2100789) @pytest.mark.topology(KnownTopology.LDAP) -def test_sssctl__check_id_provider(client: Client): +def test_sssctl__check_missing_id_provider(client: Client): """ :title: Check id_provider in domain section with sssctl config-check command :setup: @@ -94,6 +95,9 @@ def test_sssctl__user_show_cache_expiration_time(client: Client): 1. Called successfully 2. Output is as expected :customerscenario: True + :TODO: To check expiration, should we have the accounts set to expire? + 1. Is this just showing the default cache expiration? If so, rename test + 2. Is this specific only to the files provider? If not can we make this more general? """ client.local.user("local1").add() client.local.user("local2").add() @@ -131,6 +135,11 @@ def test_sssctl__handle_implicit_domain(client: Client): 2. Called successfully 3. Output is correct :customerscenario: True + :TODO: + 1. Is this really checking implicit domain if we set enable_files_domain? + a. If not, rename or merge with above (see #2 below) + 2. Can this be merged with test_sssctl__user_show_cache_expiration_time? + 3. Maybe a generic sssctl user-show test covering expected output? """ client.local.user("local1").add() client.local.user("local2").add() @@ -148,7 +157,7 @@ def test_sssctl__handle_implicit_domain(client: Client): @pytest.mark.ticket(bz=1902280) @pytest.mark.topology(KnownTopology.LDAP) -def test_sssctl__reset_cached_timestamps(client: Client, ldap: LDAP): +def test_sssctl__reset_cached_timestamps_to_reflect_changes(client: Client, ldap: LDAP): """ :title: fix sssctl cache-expire to also reset cached timestamp :setup: @@ -191,7 +200,7 @@ def test_sssctl__reset_cached_timestamps(client: Client, ldap: LDAP): @pytest.mark.importance("high") @pytest.mark.tools @pytest.mark.topology(KnownTopology.Client) -def test_sssctl__check_typo_option_name(client: Client): +def test_sssctl__check_invalid_option_name(client: Client): """ :title: sssctl config-check detects mistyped option name :setup: @@ -204,6 +213,7 @@ def test_sssctl__check_typo_option_name(client: Client): 1. config-check detects an error in config 2. Error message is properly set :customerscenario: False + :TODO: merge with other check-config tests? """ client.sssd.common.local() client.sssd.dom("test")["wrong_option"] = "true" @@ -217,7 +227,7 @@ def test_sssctl__check_typo_option_name(client: Client): @pytest.mark.importance("high") @pytest.mark.tools @pytest.mark.topology(KnownTopology.Client) -def test_sssctl__check_typo_domain_name(client: Client): +def test_sssctl__check_missing_domain_name(client: Client): """ :title: sssctl config-check detects mistyped domain name :setup: @@ -230,6 +240,7 @@ def test_sssctl__check_typo_domain_name(client: Client): 1. config-check detects an error in config 2. Error message is properly set :customerscenario: False + :TODO: merge with other check-config tests? """ client.sssd.dom("")["debug_level"] = "9" @@ -255,6 +266,7 @@ def test_sssctl__check_misplaced_option(client: Client): 1. config-check detects an error in config 2. Error message is properly set :customerscenario: False + :TODO: merge with other check-config tests? """ client.sssd.common.local() client.sssd.dom("test")["services"] = "nss, pam" @@ -282,6 +294,8 @@ def test_sssctl__check_invalid_option_name_in_snippet(client: Client): 1. config-check detects an error in config snippet 2. Error message is properly set :customerscenario: False + :TODO: is this really different from test_sssctl__check_invalid_option_name? + 1. If so, maybe merge with other check-config snippet tests? """ client.sssd.common.local() client.fs.write("/etc/sssd/conf.d/01_snippet.conf", "[domain/local]\ninvalid_option = True", mode="600") @@ -293,7 +307,7 @@ def test_sssctl__check_invalid_option_name_in_snippet(client: Client): @pytest.mark.tools @pytest.mark.topology(KnownTopology.Client) -def test_sssctl__check_invalid_domain_name_in_snippet(client: Client): +def test_sssctl__check_invalid_section_in_name_in_snippet(client: Client): """ :title: sssctl config-check detects invalid domain name in snippet :setup: @@ -305,6 +319,7 @@ def test_sssctl__check_invalid_domain_name_in_snippet(client: Client): 1. config-check detects an error in config snippet 2. Error message is properly set :customerscenario: False + :TODO: maybe merge with other check-config snippet tests? """ client.sssd.common.local() client.fs.write("/etc/sssd/conf.d/01_snippet.conf", "[invalid/local]\ninvalid_option = True", mode="600") @@ -316,11 +331,11 @@ def test_sssctl__check_invalid_domain_name_in_snippet(client: Client): @pytest.mark.tools @pytest.mark.topology(KnownTopology.Client) -def test_sssctl__missing_equal_sign(client: Client): +def test_sssctl__check_missing_equal_sign(client: Client): """ :title: sssctl config-check detects missing equals sign :setup: - 1. Start SSSD, so default config is autimatically created + 1. Start SSSD, so default config is automatically created 2. Edit config file so "=" is missing :steps: 1. Call sssctl config-check @@ -329,6 +344,7 @@ def test_sssctl__missing_equal_sign(client: Client): 1. config-check detects an error 2. Error messages are properly set :customerscenario: False + :TODO: merge with other check-config tests? """ client.sssd.common.local() client.sssd.start() @@ -342,7 +358,7 @@ def test_sssctl__missing_equal_sign(client: Client): @pytest.mark.tools @pytest.mark.topology(KnownTopology.Client) -def test_sssctl__special_character_option_name(client: Client): +def test_sssctl__check_special_character_in_option_name(client: Client): """ :title: option name contains special character :setup: @@ -355,6 +371,8 @@ def test_sssctl__special_character_option_name(client: Client): 1. config-check detects an error 2. Error message is properly set :customerscenario: False + :TODO: Isn't this the same as test_sssctl__check_invalid_option_name? + 1. maybe drop check_invalid_option_name and keep this? """ client.sssd.common.local() client.sssd.start() @@ -368,7 +386,7 @@ def test_sssctl__special_character_option_name(client: Client): @pytest.mark.tools @pytest.mark.topology(KnownTopology.Client) -def test_sssctl__special_character_section_name(client: Client): +def test_sssctl__check_special_character_in_section_name(client: Client): """ :title: section name contains special character :setup: @@ -381,6 +399,7 @@ def test_sssctl__special_character_section_name(client: Client): 1. config-check detects an error 2. Error message is properly set :customerscenario: False + :TODO: Isn't this the same as test_sssctl__check_invalid_section_name_in_snippet? """ client.sssd.common.local() client.sssd.start() @@ -394,7 +413,7 @@ def test_sssctl__special_character_section_name(client: Client): @pytest.mark.tools @pytest.mark.topology(KnownTopology.Client) -def test_sssctl__special_character_domain_name(client: Client): +def test_sssctl__check_special_character_in_domain_name(client: Client): """ :title: domain name contains special character :setup: @@ -407,6 +426,7 @@ def test_sssctl__special_character_domain_name(client: Client): 1. config-check detects an error 2. Error message is properly set :customerscenario: False + :TODO: Is this really different from check_special_character_in_section_name? """ client.sssd.common.local() client.sssd.start() @@ -420,7 +440,7 @@ def test_sssctl__special_character_domain_name(client: Client): @pytest.mark.tools @pytest.mark.topology(KnownTopology.Client) -def test_sssctl__forward_slash_missing(client: Client): +def test_sssctl__check_forward_slash_missing_in_domain_section(client: Client): """ :title: Forward slash is not present between domain name and section name :setup: @@ -433,6 +453,7 @@ def test_sssctl__forward_slash_missing(client: Client): 1. config-check detects an error 2. Error message is properly set :customerscenario: False + :TODO: Is this really different from check_special_character_in_section_name? """ client.sssd.common.local() client.sssd.start() @@ -446,7 +467,7 @@ def test_sssctl__forward_slash_missing(client: Client): @pytest.mark.tools @pytest.mark.topology(KnownTopology.Client) -def test_sssctl__sssd_section_name_typo(client: Client): +def test_sssctl__check_invalid_sssd_section_name(client: Client): """ :title: Typo in sssd section name :setup: @@ -459,6 +480,7 @@ def test_sssctl__sssd_section_name_typo(client: Client): 1. config-check detects an error 2. Error message is properly set :customerscenario: False + :TODO: Is this different than the other section name checks? """ client.sssd.common.local() client.sssd.start() @@ -472,7 +494,7 @@ def test_sssctl__sssd_section_name_typo(client: Client): @pytest.mark.tools @pytest.mark.topology(KnownTopology.Client) -def test_sssctl__pam_section_name_typo(client: Client): +def test_sssctl__check_invalid_pam_section_name(client: Client): """ :title: Typo in pam section name :setup: @@ -485,6 +507,7 @@ def test_sssctl__pam_section_name_typo(client: Client): 1. config-check detects an error 2. Error message is properly set :customerscenario: False + :TODO: Is this different than the other section name checks? """ client.sssd.common.local() client.sssd.start() @@ -498,7 +521,7 @@ def test_sssctl__pam_section_name_typo(client: Client): @pytest.mark.tools @pytest.mark.topology(KnownTopology.Client) -def test_sssctl__nss_section_name_typo(client: Client): +def test_sssctl__check_invalid_nss_section_name(client: Client): """ :title: Typo in nss section name :setup: @@ -511,6 +534,7 @@ def test_sssctl__nss_section_name_typo(client: Client): 1. config-check detects an error 2. Error message is properly set :customerscenario: False + :TODO: Is this different than the other section name checks? """ client.sssd.common.local() client.sssd.start() @@ -524,7 +548,7 @@ def test_sssctl__nss_section_name_typo(client: Client): @pytest.mark.tools @pytest.mark.topology(KnownTopology.Client) -def test_sssctl__verify_permission(client: Client): +def test_sssctl__check_invalid_permission(client: Client): """ :title: Verify the permission of default configuration file :setup: @@ -548,7 +572,34 @@ def test_sssctl__verify_permission(client: Client): @pytest.mark.tools @pytest.mark.topology(KnownTopology.Client) -def test_sssctl__verify_missing_closing_bracket(client: Client): +def test_sssctl__check_invalid_ownership(client: Client): + """ + :title: Verify the ownership of default configuration file + :setup: + 1. Start SSSD, so default config is autimatically created + 2. Change ownership of default config file + :steps: + 1. Call sssctl config-check + 2. Check error message + :expectedresults: + 1. config-check detects an error + 2. Error message is properly set + :customerscenario: False + """ + client.local.user("user1").add() + client.local.group("group1").add() + client.sssd.common.local() + client.sssd.start() + client.fs.chown("/etc/sssd/sssd.conf", "user1", "group1") + result = client.sssctl.config_check() + assert result.rc != 0, "Config-check did not detect misconfigured config" + assert "File ownership and permissions check failed" in result.stdout, "Wrong error message on stdout" + + +@pytest.mark.tools +@pytest.mark.topology(KnownTopology.Client) +def test_sssctl__check_missing_closing_bracket(client: Client): +>>>>>>> ace8a593c (tests: test case audit and house keeping) """ :title: Missing closing bracket in sssd section name :setup: @@ -574,7 +625,7 @@ def test_sssctl__verify_missing_closing_bracket(client: Client): @pytest.mark.tools @pytest.mark.topology(KnownTopology.Client) -def test_sssctl__verify_missing_opening_bracket(client: Client): +def test_sssctl__check_missing_opening_bracket(client: Client): """ :title: Missing opening bracket in domain name :setup: @@ -587,6 +638,8 @@ def test_sssctl__verify_missing_opening_bracket(client: Client): 1. config-check detects an error 2. Error message is properly set :customerscenario: False + :TODO: "Equal sign is missing" seems misleading + 1. Is there no "No opening bracket" error like the closing bracket one? """ client.sssd.common.local() client.sssd.start() @@ -601,7 +654,7 @@ def test_sssctl__verify_missing_opening_bracket(client: Client): @pytest.mark.tools @pytest.mark.topology(KnownTopology.Client) -def test_sssctl__verify_typo_in_config_with_two_domains(client: Client): +def test_sssctl__check_invalid_options_in_two_domains(client: Client): """ :title: Verify typo in option name with multiple domains in default configuration file :setup: @@ -614,6 +667,7 @@ def test_sssctl__verify_typo_in_config_with_two_domains(client: Client): 1. config-check detects an error 2. Error messages are properly set :customerscenario: False + :TODO: can be merged with other invalid option tests? """ client.sssd.common.local() client.sssd.dom("ldap1")["ldap_ri"] = "ldaps://invalid" @@ -632,7 +686,7 @@ def test_sssctl__verify_typo_in_config_with_two_domains(client: Client): @pytest.mark.tools @pytest.mark.topology(KnownTopology.Client) -def test_sssctl__config_does_not_exist(client: Client): +def test_sssctl__check_config_does_not_exist(client: Client): """ :title: sssctl detects missing config :setup: @@ -682,7 +736,7 @@ def test_sssctl__check_ldap_host_object_class_in_domain(client: Client): @pytest.mark.tools @pytest.mark.ticket(bz=1677994) @pytest.mark.topology(KnownTopology.Client) -def test_sssctl__check_ldap_host_object_class_in_sssd(client: Client): +def test_sssctl__check_ldap_host_object_class_not_allowed_in_sssd(client: Client): """ :title: sssctl config-check do not allow ldap_host_object_class in sssd section :setup: @@ -708,7 +762,7 @@ def test_sssctl__check_ldap_host_object_class_in_sssd(client: Client): @pytest.mark.tools @pytest.mark.ticket(bz=1856861) @pytest.mark.topology(KnownTopology.Client) -def test_sssctl__enabling_2FA(client: Client): +def test_sssctl__check_enabling_2fa_prompting(client: Client): """ :title: False warnings are logged in sssd.log file after enabling 2FA prompting :setup: @@ -736,7 +790,7 @@ def test_sssctl__enabling_2FA(client: Client): @pytest.mark.tools @pytest.mark.ticket(bz=1791892) @pytest.mark.topology(KnownTopology.Client) -def test_sssctl__auto_private_groups_in_child_domain(client: Client): +def test_sssctl__check_auto_private_groups_in_child_domains(client: Client): """ :title: sssctl config-check detects false positive when auto_private_groups is enabled or disabled in child domains :setup: @@ -762,7 +816,7 @@ def test_sssctl__auto_private_groups_in_child_domain(client: Client): @pytest.mark.tools @pytest.mark.ticket(bz=1723273) @pytest.mark.topology(KnownTopology.Client) -def test_sssctl__non_default_config_location_snippet_directory(client: Client): +def test_sssctl__check_non_default_config_location_missing_snippet_directory(client: Client): """ :title: sssctl config-check complains about non existing snippet directory when config is non default :setup: @@ -774,6 +828,7 @@ def test_sssctl__non_default_config_location_snippet_directory(client: Client): 1. config-check failed 2. Error message is properly set :customerscenario: True + :TODO: can non-default config checks be merged? """ client.sssd.common.local() client.sssd.config_apply() @@ -788,7 +843,7 @@ def test_sssctl__non_default_config_location_snippet_directory(client: Client): @pytest.mark.tools @pytest.mark.ticket(bz=1723273) @pytest.mark.topology(KnownTopology.Client) -def test_sssctl__non_default_config_location_permission(client: Client): +def test_sssctl__check_non_default_config_location_invalid_permission(client: Client): """ :title: sssctl config-check complains about proper permission when config is non default :setup: @@ -800,6 +855,7 @@ def test_sssctl__non_default_config_location_permission(client: Client): 1. config-check failed 2. Error message is properly set :customerscenario: True + :TODO: can non-default config checks be merged? """ client.sssd.common.local() client.sssd.config_apply() @@ -814,7 +870,36 @@ def test_sssctl__non_default_config_location_permission(client: Client): @pytest.mark.tools @pytest.mark.ticket(bz=1723273) @pytest.mark.topology(KnownTopology.Client) -def test_sssctl__non_default_config_location_option_name_typo(client: Client): +def test_sssctl__check_non_default_config_location_invalid_ownership(client: Client): + """ + :title: sssctl config-check complains about proper ownership when config is non default + :setup: + 1. Copy sssd.conf file to different directory and set it wrong ownership + :steps: + 1. Call sssctl config-check on that different directory + 2. Check error message + :expectedresults: + 1. config-check failed + 2. Error message is properly set + :customerscenario: True + :TODO: can non-default config checks be merged? + """ + client.local.user("user1").add() + client.sssd.common.local() + client.sssd.config_apply() + client.fs.mkdir("/tmp/test/") + client.fs.copy("/etc/sssd/sssd.conf", "/tmp/test/sssd.conf", user="user1") + + result = client.sssctl.config_check(config="/tmp/test/sssd.conf") + assert result.rc != 0, "Config-check successfully finished" + assert "File ownership and permissions check failed" in result.stdout, "Wrong error message on stdout" + + +@pytest.mark.tools +@pytest.mark.ticket(bz=1723273) +@pytest.mark.topology(KnownTopology.Client) +def test_sssctl__check_non_default_config_location_invalid_option_name(client: Client): +>>>>>>> ace8a593c (tests: test case audit and house keeping) """ :title: sssctl config-check detects typo in option name when config is non default :setup: @@ -826,6 +911,7 @@ def test_sssctl__non_default_config_location_option_name_typo(client: Client): 1. config-check failed 2. Error message is properly set :customerscenario: True + :TODO: can non-default config checks be merged? """ client.sssd.common.local() client.sssd.default_domain = "local" @@ -845,7 +931,7 @@ def test_sssctl__non_default_config_location_option_name_typo(client: Client): @pytest.mark.tools @pytest.mark.ticket(bz=1723273) @pytest.mark.topology(KnownTopology.Client) -def test_sssctl__non_default_config_location_snippet_is_present(client: Client): +def test_sssctl__check_non_default_config_location_with_snippet_directory(client: Client): """ :title: sssctl config-check does not complain about missing snippet directory after adding with proper permission :setup: @@ -857,6 +943,7 @@ def test_sssctl__non_default_config_location_snippet_is_present(client: Client): 1. config-check failed 2. Error message is properly set :customerscenario: True + :TODO: can non-default config checks be merged? """ client.sssd.common.local() client.sssd.config_apply(check_config=False) @@ -873,7 +960,7 @@ def test_sssctl__non_default_config_location_snippet_is_present(client: Client): @pytest.mark.tools @pytest.mark.ticket(bz=1723273) @pytest.mark.topology(KnownTopology.Client) -def test_sssctl__non_existing_snippet(client: Client): +def test_sssctl__check_non_existing_snippet(client: Client): """ :title: sssctl config-check detects non existing snippet directory :setup: @@ -885,9 +972,284 @@ def test_sssctl__non_existing_snippet(client: Client): 1. config-check failed 2. Error message is properly set :customerscenario: True + :TODO: can non-default config checks be merged? """ client.sssd.common.local() client.sssd.start() result = client.sssctl.config_check(snippet="/does/not/exist") assert result.rc != 0, "Config-check successfully finished" assert "Directory /does/not/exist does not exist" in result.stdout, "Wrong error message on stdout" + + +@pytest.mark.tools +@pytest.mark.ticket(bz=1294670) +@pytest.mark.topology(KnownTopology.LDAP) +def test_sssctl__analyze_list(client: Client, ldap: LDAP): + """ + :title: "sssctl analyze request list" show captured nss related requests from sssd log + :setup: + 1. Add user and group + 2. Enable debug_level to 9 in the 'nss', 'pam' and domain section + 3. Start SSSD + :steps: + 1. Call id user1 and getent group group1 + 2. Call sssctl analyze request list, also with -v + 3. Find "getent" and " id" in result + 4. Clear cache + 5. Call getent passwd user + 6. Call sssctl analyze request list, also with -v + 7. Find "CID #1" and "getent" in result + :expectedresults: + 1. Called successfully, information is stored in logs + 2. Called successfully + 3. Strings found + 4. Cache cleared + 5. Called successfully + 6. Called successfully + 7. Strings found + :customerscenario: True + :TODO: can the analyze tests be merged? + """ + ldap.user("user1").add() + ldap.group("group1").add() + client.sssd.nss["debug_level"] = "9" + client.sssd.pam["debug_level"] = "9" + client.sssd.domain["debug_level"] = "9" + client.sssd.start() + + assert client.tools.getent.group("group1"), "getent group1 failed" + assert client.tools.id("user1"), "id user1 failed" + + res = client.sssctl.analyze_request("list") + assert res.rc == 0, "sssctl analyze call failed" + assert "getent" in res.stdout, "'getent' not found in analyze list output" + assert " id" in res.stdout or "coreutils" in res.stdout, "' id' or 'coreutils' not found in analyze list output" + res = client.sssctl.analyze_request("list -v") + assert res.rc == 0, "sssctl analyze call failed" + assert "getent" in res.stdout, "'getent' not found in analyze list -v output" + assert " id" in res.stdout or "coreutils" in res.stdout, "' id' or 'coreutils' not found in analyze list -v output" + + client.sssd.stop() + client.sssd.clear(db=True, memcache=True, logs=True) + client.sssd.start() + + assert client.tools.getent.passwd("user1") + res = client.sssctl.analyze_request("list") + assert res.rc == 0, "sssctl analyze call failed" + assert "CID #1" in res.stdout, "CID #1 not found in analyze list -v output" + assert "getent" in res.stdout, "getent not found in analyze list -v output" + res = client.sssctl.analyze_request("list -v") + assert res.rc == 0, "sssctl analyze call failed" + assert "CID #1" in res.stdout, "CID #1 not found in analyze list -v output" + assert "getent" in res.stdout, "getent not found in analyze list -v output" + + +@pytest.mark.tools +@pytest.mark.ticket(bz=1294670, gh=6298) +@pytest.mark.topology(KnownTopology.LDAP) +def test_sssctl__analyze_non_default_log_location(client: Client, ldap: LDAP): + """ + :title: "sssctl analyze" parse sssd logs from non-default location when SSSD is not running + :setup: + 1. Add user + 2. Enable debug_level to 9 in the 'nss', 'pam' and domain section + 3. Start SSSD + :steps: + 1. Call id user1 and login user via ssh + 2. Copy sssd logs to diferent location + 3. Stop sssd and remove config, logs and cache + 4. sssctl analyze --logdir PATH parse logs from PATH location + :expectedresults: + 1. Information is stored in logs + 2. Copied successfully + 3. Stopped and cleared successfully + 4. Output is correct + :customerscenario: True + :TODO: can the analyze tests be merged? + """ + ldap.user("user1").add(password="Secret123") + client.sssd.nss["debug_level"] = "9" + client.sssd.pam["debug_level"] = "9" + client.sssd.domain["debug_level"] = "9" + client.sssd.start() + + assert client.tools.id("user1@test"), "call 'id user1@test' failed" + client.ssh("user1", "Secret123").connect() + + client.fs.copy("/var/log/sssd", "/tmp/copy/") + client.sssd.stop() + client.sssd.clear(config=True, logs=True) + + res = client.sssctl.analyze_request(command="show 1 --pam", logdir="/tmp/copy/") + assert "SSS_PAM_AUTHENTICATE" in res.stdout + assert "SSS_PAM_ACCT_MGMT" in res.stdout + assert "SSS_PAM_SETCRED" in res.stdout + + res = client.sssctl.analyze_request(command="list", logdir="/tmp/copy/") + assert " id" in res.stdout or "coreutils" in res.stdout, "' id' or 'coreutils' not found in analyze list output" + assert "sshd" in res.stdout or "coreutils" in res.stdout, "sshd or coreutils not found in output" + + res = client.sssctl.analyze_request(command="list -v", logdir="/tmp/copy/") + assert " id" in res.stdout or "coreutils" in res.stdout, "' id' or 'coreutils' not found in analyze list -v output" + assert "sshd" in res.stdout or "coreutils" in res.stdout, "sshd or coreutils not found in output" + + +@pytest.mark.tools +@pytest.mark.ticket(bz=1294670) +@pytest.mark.topology(KnownTopology.LDAP) +def test_sssctl__analyze_pam_logs(client: Client, ldap: LDAP): + """ + :title: "sssctl analyze" to parse pam authentication requests from logs + :setup: + 1. Add user + 2. Enable debug_level to 9 in the 'nss', 'pam' and domain section + 3. Start SSSD + 4. Log in as user via ssh + :steps: + 1. sssctl analyze with --pam option + 2. Result of command is login related + :expectedresults: + 1. Called successfully + 2. Output is login related + :customerscenario: True + :TODO: Already tested in analyze_non_default_log_location? + """ + ldap.user("user1").add() + client.sssd.nss["debug_level"] = "9" + client.sssd.pam["debug_level"] = "9" + client.sssd.start() + + client.ssh("user1", "Secret123").connect() + + result = client.sssctl.analyze_request("show 1 --pam") + assert result.rc == 0 + assert "CID #1" in result.stdout + + assert "SSS_PAM_AUTHENTICATE" in result.stdout + assert "SSS_PAM_ACCT_MGMT" in result.stdout + assert "SSS_PAM_SETCRED" in result.stdout + + +@pytest.mark.tools +@pytest.mark.ticket(bz=2013259) +@pytest.mark.topology(KnownTopology.LDAP) +def test_sssctl__analyze_tevent_id(client: Client, ldap: LDAP): + """ + :title: "sssctl analyze" to parse tevent chain IDs from logs + :setup: + 1. Add user + 2. Enable debug_level to 9 in the 'nss', 'pam' and domain section + 3. Start SSSD + 4. Log in as user via ssh + :steps: + 1. Call sssctl analyze request show 1 --pam + 2. Confirm tevent chain IDs(RID) is showing in logs + :expectedresults: + 1. Called successfully + 2. Output is correct + :customerscenario: True + :TODO: can the analyze tests be merged? + """ + ldap.user("user1").add() + client.sssd.nss["debug_level"] = "9" + client.sssd.pam["debug_level"] = "9" + client.sssd.domain["debug_level"] = "9" + client.sssd.start() + + client.ssh("user1", "Secret123").connect() + + result = client.sssctl.analyze_request("show 1 --pam") + assert result.rc == 0 + assert "RID#" in result.stdout, "RID# was not found in the output" + assert "user1@test" in result.stdout, "user1@test was not found in the output" + + +@pytest.mark.tools +@pytest.mark.ticket(bz=2013260) +@pytest.mark.topology(KnownTopology.LDAP) +def test_sssctl__analyze_child_logs(client: Client, ldap: LDAP): + """ + :title: "sssctl analyze" to parse child logs + :setup: + 1. Add user + 2. Enable debug_level to 9 in the 'nss', 'pam' and domain section + 3. Start SSSD + :steps: + 1. Log in as user via ssh + 2. Call sssctl analyze to check logs + 3. Clear cache and restart SSSD + 4. Log in as user via ssh with wrong password + 5. Call sssctl analyze to check logs + :expectedresults: + 1. Logged in successfully + 2. Logs contain login related logs + 3. Succesfully + 4. Failed to login + 5. Logs contain info about failed login + :customerscenario: True + :TODO: can the analyze tests be merged? + 1. Does the authentication failure not show up without --child 1? + """ + ldap.user("user1").add() + client.sssd.nss["debug_level"] = "9" + client.sssd.pam["debug_level"] = "9" + client.sssd.domain["debug_level"] = "9" + client.sssd.start() + + client.ssh("user1", "Secret123").connect() + + result = client.sssctl.analyze_request("show --pam --child 1") + assert result.rc == 0 + assert "user1@test" in result.stdout + assert "SSS_PAM_AUTHENTICATE" in result.stdout + + client.sssd.stop() + client.sssd.clear(db=True, memcache=True, logs=True) + client.sssd.start() + time.sleep(5) + + with pytest.raises(SSHAuthenticationError): + client.ssh("user1", "Wrong").connect() + result = client.sssctl.analyze_request("show --pam --child 1") + assert ( + "Authentication failure to the client" in result.stdout + ), "'Authentication failure to the client' was not found" + + +@pytest.mark.tools +@pytest.mark.ticket(bz=[2142960, 2142794, 2142961]) +@pytest.mark.topology(KnownTopology.LDAP) +def test_sssctl__analyze_without_root_privileges(client: Client, ldap: LDAP): + """ + :title: "sssctl analyze" command does not require "root" privileges + :setup: + 1. Add user with proper password + 2. Start SSSD + 3. Fetch information about user + 4. Copy logs to different location + 5. Change ownership of copied file to user + :steps: + 1. Call "sssctl analyze --logdir /tmp/copy request show 1" as root + 2. Call "sssctl analyze --logdir /tmp/copy request show 1" as user + 3. Check that outputs match + 4. Username is stored in outputs + :expectedresults: + 1. Called successfully + 2. Called successfully + 3. Outputs are the same + 4. Username is stored in outputs + :customerscenario: True + :TODO: can the analyze tests be merged? + """ + ldap.user("user1").add(password="Secret123") + client.sssd.start() + client.tools.id("user1") + client.fs.copy("/var/log/sssd", "/tmp/copy/") + client.fs.chown("/tmp/copy", "user1", args=["--recursive"]) + + result_root = client.sssctl.analyze_request(command="show 1", logdir="/tmp/copy") + result_user = client.ssh("user1", "Secret123").run("sssctl analyze --logdir /tmp/copy request show 1") + assert result_root.rc == 0, "sssctl analyze call failed as root" + assert result_user.rc == 0, "sssctl analyze call failed as user1" + assert result_root.stdout == result_user.stdout, "the outputs are different" + assert "user1" in result_user.stdout, "user1 is not in the outputs" diff --git a/src/tests/system/tests/test_sssctl_analyze.py b/src/tests/system/tests/test_sssctl_analyze.py deleted file mode 100644 index b86cef48993..00000000000 --- a/src/tests/system/tests/test_sssctl_analyze.py +++ /dev/null @@ -1,284 +0,0 @@ -""" -Automation tests for sssctl analyze - -:requirement: sssctl analyze -""" - -from __future__ import annotations - -import time - -import pytest -from pytest_mh.ssh import SSHAuthenticationError -from sssd_test_framework.roles.client import Client -from sssd_test_framework.roles.ldap import LDAP -from sssd_test_framework.topology import KnownTopology - - -@pytest.mark.tools -@pytest.mark.ticket(bz=1294670) -@pytest.mark.topology(KnownTopology.LDAP) -def test_sssctl_analyze__list(client: Client, ldap: LDAP): - """ - :title: "sssctl analyze request list" show captured nss related requests from sssd log - :setup: - 1. Add user and group - 2. Enable debug_level to 9 in the 'nss', 'pam' and domain section - 3. Start SSSD - :steps: - 1. Call id user1 and getent group group1 - 2. Call sssctl analyze request list, also with -v - 3. Find "getent" and " id" in result - 4. Clear cache - 5. Call getent passwd user - 6. Call sssctl analyze request list, also with -v - 7. Find "CID #1" and "getent" in result - :expectedresults: - 1. Called successfully, information is stored in logs - 2. Called successfully - 3. Strings found - 4. Cache cleared - 5. Called successfully - 6. Called successfully - 7. Strings found - :customerscenario: True - """ - ldap.user("user1").add() - ldap.group("group1").add() - client.sssd.nss["debug_level"] = "9" - client.sssd.pam["debug_level"] = "9" - client.sssd.domain["debug_level"] = "9" - client.sssd.start() - - assert client.tools.getent.group("group1"), "getent group1 failed" - assert client.tools.id("user1"), "id user1 failed" - - res = client.sssctl.analyze_request("list") - assert res.rc == 0, "sssctl analyze call failed" - assert "getent" in res.stdout, "'getent' not found in analyze list output" - assert " id" in res.stdout or "coreutils" in res.stdout, "' id' or 'coreutils' not found in analyze list output" - res = client.sssctl.analyze_request("list -v") - assert res.rc == 0, "sssctl analyze call failed" - assert "getent" in res.stdout, "'getent' not found in analyze list -v output" - assert " id" in res.stdout or "coreutils" in res.stdout, "' id' or 'coreutils' not found in analyze list -v output" - - client.sssd.stop() - client.sssd.clear(db=True, memcache=True, logs=True) - client.sssd.start() - - assert client.tools.getent.passwd("user1") - res = client.sssctl.analyze_request("list") - assert res.rc == 0, "sssctl analyze call failed" - assert "CID #1" in res.stdout, "CID #1 not found in analyze list -v output" - assert "getent" in res.stdout, "getent not found in analyze list -v output" - res = client.sssctl.analyze_request("list -v") - assert res.rc == 0, "sssctl analyze call failed" - assert "CID #1" in res.stdout, "CID #1 not found in analyze list -v output" - assert "getent" in res.stdout, "getent not found in analyze list -v output" - - -@pytest.mark.tools -@pytest.mark.ticket(bz=1294670, gh=6298) -@pytest.mark.topology(KnownTopology.LDAP) -def test_sssctl_analyze__non_default_log_location(client: Client, ldap: LDAP): - """ - :title: "sssctl analyze" parse sssd logs from non-default location when SSSD is not running - :setup: - 1. Add user - 2. Enable debug_level to 9 in the 'nss', 'pam' and domain section - 3. Start SSSD - :steps: - 1. Call id user1 and login user via ssh - 2. Copy sssd logs to diferent location - 3. Stop sssd and remove config, logs and cache - 4. sssctl analyze --logdir PATH parse logs from PATH location - :expectedresults: - 1. Information is stored in logs - 2. Copied successfully - 3. Stopped and cleared successfully - 4. Output is correct - :customerscenario: True - """ - ldap.user("user1").add(password="Secret123") - client.sssd.nss["debug_level"] = "9" - client.sssd.pam["debug_level"] = "9" - client.sssd.domain["debug_level"] = "9" - client.sssd.start() - - assert client.tools.id("user1@test"), "call 'id user1@test' failed" - client.ssh("user1", "Secret123").connect() - - client.fs.copy("/var/log/sssd", "/tmp/copy/") - client.sssd.stop() - client.sssd.clear(config=True, logs=True) - - res = client.sssctl.analyze_request(command="show 1 --pam", logdir="/tmp/copy/") - assert "SSS_PAM_AUTHENTICATE" in res.stdout - assert "SSS_PAM_ACCT_MGMT" in res.stdout - assert "SSS_PAM_SETCRED" in res.stdout - - res = client.sssctl.analyze_request(command="list", logdir="/tmp/copy/") - assert " id" in res.stdout or "coreutils" in res.stdout, "' id' or 'coreutils' not found in analyze list output" - res = client.sssctl.analyze_request(command="list --pam", logdir="/tmp/copy/") - assert "sshd" in res.stdout, "sshd not found in list --pam output" - - res = client.sssctl.analyze_request(command="list -v", logdir="/tmp/copy/") - assert " id" in res.stdout or "coreutils" in res.stdout, "' id' or 'coreutils' not found in analyze list -v output" - res = client.sssctl.analyze_request(command="list -v --pam", logdir="/tmp/copy/") - assert "sshd" in res.stdout, "sshd not found in list -v --pam output" - - -@pytest.mark.tools -@pytest.mark.ticket(bz=1294670) -@pytest.mark.topology(KnownTopology.LDAP) -def test_sssctl_analyze__pam_logs(client: Client, ldap: LDAP): - """ - :title: "sssctl analyze" to parse pam authentication requests from logs - :setup: - 1. Add user - 2. Enable debug_level to 9 in the 'nss', 'pam' and domain section - 3. Start SSSD - 4. Log in as user via ssh - :steps: - 1. sssctl analyze with --pam option - 2. Result of command is login related - :expectedresults: - 1. Called successfully - 2. Output is login related - :customerscenario: True - """ - ldap.user("user1").add() - client.sssd.nss["debug_level"] = "9" - client.sssd.pam["debug_level"] = "9" - client.sssd.start() - - client.ssh("user1", "Secret123").connect() - - result = client.sssctl.analyze_request("show 1 --pam") - assert result.rc == 0 - assert "CID #1" in result.stdout - - assert "SSS_PAM_AUTHENTICATE" in result.stdout - assert "SSS_PAM_ACCT_MGMT" in result.stdout - assert "SSS_PAM_SETCRED" in result.stdout - - -@pytest.mark.tools -@pytest.mark.ticket(bz=2013259) -@pytest.mark.topology(KnownTopology.LDAP) -def test_sssctl_analyze__tevent_id(client: Client, ldap: LDAP): - """ - :title: "sssctl analyze" to parse tevent chain IDs from logs - :setup: - 1. Add user - 2. Enable debug_level to 9 in the 'nss', 'pam' and domain section - 3. Start SSSD - 4. Log in as user via ssh - :steps: - 1. Call sssctl analyze request show 1 --pam - 2. Confirm tevent chain IDs(RID) is showing in logs - :expectedresults: - 1. Called successfully - 2. Output is correct - :customerscenario: True - """ - ldap.user("user1").add() - client.sssd.nss["debug_level"] = "9" - client.sssd.pam["debug_level"] = "9" - client.sssd.domain["debug_level"] = "9" - client.sssd.start() - - client.ssh("user1", "Secret123").connect() - - result = client.sssctl.analyze_request("show 1 --pam") - assert result.rc == 0 - assert "RID#" in result.stdout, "RID# was not found in the output" - assert "user1@test" in result.stdout, "user1@test was not found in the output" - - -@pytest.mark.tools -@pytest.mark.ticket(bz=2013260) -@pytest.mark.topology(KnownTopology.LDAP) -def test_sssctl_analyze__parse_child_logs(client: Client, ldap: LDAP): - """ - :title: "sssctl analyze" to parse child logs - :setup: - 1. Add user - 2. Enable debug_level to 9 in the 'nss', 'pam' and domain section - 3. Start SSSD - :steps: - 1. Log in as user via ssh - 2. Call sssctl analyze to check logs - 3. Clear cache and restart SSSD - 4. Log in as user via ssh with wrong password - 5. Call sssctl analyze to check logs - :expectedresults: - 1. Logged in successfully - 2. Logs contain login related logs - 3. Succesfully - 4. Failed to login - 5. Logs contain info about failed login - :customerscenario: True - """ - ldap.user("user1").add() - client.sssd.nss["debug_level"] = "9" - client.sssd.pam["debug_level"] = "9" - client.sssd.domain["debug_level"] = "9" - client.sssd.start() - - client.ssh("user1", "Secret123").connect() - - result = client.sssctl.analyze_request("show --pam --child 1") - assert result.rc == 0 - assert "user1@test" in result.stdout - assert "SSS_PAM_AUTHENTICATE" in result.stdout - - client.sssd.stop() - client.sssd.clear(db=True, memcache=True, logs=True) - client.sssd.start() - time.sleep(5) - - with pytest.raises(SSHAuthenticationError): - client.ssh("user1", "Wrong").connect() - result = client.sssctl.analyze_request("show --pam --child 1") - assert ( - "Authentication failure to the client" in result.stdout - ), "'Authentication failure to the client' was not found" - - -@pytest.mark.tools -@pytest.mark.ticket(bz=[2142960, 2142794, 2142961]) -@pytest.mark.topology(KnownTopology.LDAP) -def test_sssctl_analyze__root_privileges(client: Client, ldap: LDAP): - """ - :title: "sssctl analyze" command does not require "root" privileges - :setup: - 1. Add user with proper password - 2. Start SSSD - 3. Fetch information about user - 4. Copy logs to different location - 5. Change ownership of copied file to user - :steps: - 1. Call "sssctl analyze --logdir /tmp/copy request show 1" as root - 2. Call "sssctl analyze --logdir /tmp/copy request show 1" as user - 3. Check that outputs match - 4. Username is stored in outputs - :expectedresults: - 1. Called successfully - 2. Called successfully - 3. Outputs are the same - 4. Username is stored in outputs - :customerscenario: True - """ - ldap.user("user1").add(password="Secret123") - client.sssd.start() - client.tools.id("user1") - client.fs.copy("/var/log/sssd", "/tmp/copy/") - client.fs.chown("/tmp/copy", "user1", args=["--recursive"]) - - result_root = client.sssctl.analyze_request(command="show 1", logdir="/tmp/copy") - result_user = client.ssh("user1", "Secret123").run("sssctl analyze --logdir /tmp/copy request show 1") - assert result_root.rc == 0, "sssctl analyze call failed as root" - assert result_user.rc == 0, "sssctl analyze call failed as user1" - assert result_root.stdout == result_user.stdout, "the outputs are different" - assert "user1" in result_user.stdout, "user1 is not in the outputs" diff --git a/src/tests/system/tests/test_trust_identity.py b/src/tests/system/tests/test_trusts.py similarity index 96% rename from src/tests/system/tests/test_trust_identity.py rename to src/tests/system/tests/test_trusts.py index 9076b87249d..90b2021fda5 100644 --- a/src/tests/system/tests/test_trust_identity.py +++ b/src/tests/system/tests/test_trusts.py @@ -15,7 +15,7 @@ @pytest.mark.importance("low") @pytest.mark.ticket(jira="RHEL-3925", gh=6942) @pytest.mark.topology(KnownTopologyGroup.IPATrust) -def test_trust_identity__group_without_sid(ipa: IPA, trusted: GenericADProvider): +def test_trusts__lookup_group_without_sid(ipa: IPA, trusted: GenericADProvider): """ :title: Subdomain goes offline if IPA group is missing SID :setup: