Skip to content

Commit

Permalink
Tests: sudo defaults rule
Browse files Browse the repository at this point in the history
Added new testcase for defaults set !authentication and sudorule
has mandatory authentication.
Changed doc-strings and steps accordingly
  • Loading branch information
shridhargadekar committed Apr 9, 2024
1 parent 0d5e8f1 commit 6e90832
Showing 1 changed file with 64 additions and 0 deletions.
64 changes: 64 additions & 0 deletions src/tests/system/tests/test_sudo.py
Original file line number Diff line number Diff line change
Expand Up @@ -556,3 +556,67 @@ def test_sudo__local_users_negative_cache(client: Client, provider: LDAP, sssd_s

result = client.tools.tshark(["-r", "/tmp/sssd.pcap", "-V", "-2", "-R", "ldap.filter"])
assert "uid=user-1" not in result.stdout


@pytest.mark.importance("critical")
@pytest.mark.authorization
@pytest.mark.topology(KnownTopologyGroup.AnyProvider)
def test_sudo__defaults_entry_set_no_auth_and_sudorule_auth_undefined(client: Client, provider: GenericProvider):
"""
:title: defaults sudo entry set !authentication and a sudo rule with undefined authentication type
:setup:
1. Create user "user-1"
2. Create an entry in cn=sudoers container defaults with option '!authenticate'
3. Create a sudorule named allow-user-1 to allow user-1 to run all commands on all hosts
4. Enable SSSD sudo responder
5. Start SSSD
:steps:
1. List sudo rules for "user-1"
2. Run "sudo /bin/ls root" as user-1
:expectedresults:
1. User is able to run sudo commands on client with password authentication
2. Command is successful without password authentication
:customerscenario: False
"""
provider.user("user-1").add()
provider.sudorule("defaults").add(option="!authenticate")
provider.sudorule("allow-user-1").add(user="user-1", host="ALL", command="ALL")

client.sssd.common.sudo()
client.sssd.start()

assert client.auth.sudo.list("user-1", expected=["(root) ALL"])
assert client.auth.sudo.run("user-1", command="/bin/ls /root")


@pytest.mark.importance("critical")
@pytest.mark.authorization
@pytest.mark.topology(KnownTopologyGroup.AnyProvider)
def test_sudo__defaults_set_no_auth_and_sudo_rule_has_mandatory_auth(client: Client, provider: GenericProvider):
"""
:title: defaults sudo entry set !authentication and a sudorule has mandatory authentication
:setup:
1. Create user "user-1"
2. Create a sudorule named defaults with option '!authenticate'
3. Create a sudorule named allow-user-1 to allow user-1 to run all commands on all hosts with authentication
forced
4. Enable SSSD sudo responder
5. Start SSSD
:steps:
1. List sudo rules for "user-1"
2. Run "sudo /bin/ls root" as user-1
:expectedresults:
1. User should be able to run sudo commands on client with mandatory password authentication
2. Command is successful only with password authentication
:customerscenario: False
"""
provider.user("user-1").add()
provider.sudorule("defaults").add(option="!authenticate")
provider.sudorule("allow-user-1").add(user="user-1", host="ALL", command="ALL", option="authenticate")

client.sssd.common.sudo()
client.sssd.start()

assert client.auth.sudo.list("user-1", expected=["(root) PASSWD: ALL"])
assert not client.auth.sudo.run("user-1", command="/bin/ls /root")
assert client.auth.sudo.run("user-1", "Secret123", command="/bin/ls /root")

0 comments on commit 6e90832

Please sign in to comment.