diff --git a/src/tests/system/tests/test_sudo.py b/src/tests/system/tests/test_sudo.py index 3afe86f3f49..df471d75cb8 100644 --- a/src/tests/system/tests/test_sudo.py +++ b/src/tests/system/tests/test_sudo.py @@ -556,3 +556,67 @@ def test_sudo__local_users_negative_cache(client: Client, provider: LDAP, sssd_s result = client.tools.tshark(["-r", "/tmp/sssd.pcap", "-V", "-2", "-R", "ldap.filter"]) assert "uid=user-1" not in result.stdout + + +@pytest.mark.importance("critical") +@pytest.mark.authorization +@pytest.mark.topology(KnownTopologyGroup.AnyProvider) +def test_sudo__defaults_entry_set_no_auth_and_sudorule_auth_undefined(client: Client, provider: GenericProvider): + """ + :title: defaults sudo entry set !authentication and a sudo rule with undefined authentication type + :setup: + 1. Create user "user-1" + 2. Create an entry in cn=sudoers container defaults with option '!authenticate' + 3. Create a sudorule named allow-user-1 to allow user-1 to run all commands on all hosts + 4. Enable SSSD sudo responder + 5. Start SSSD + :steps: + 1. List sudo rules for "user-1" + 2. Run "sudo /bin/ls root" as user-1 + :expectedresults: + 1. User is able to run sudo commands on client with password authentication + 2. Command is successful without password authentication + :customerscenario: False + """ + provider.user("user-1").add() + provider.sudorule("defaults").add(option="!authenticate") + provider.sudorule("allow-user-1").add(user="user-1", host="ALL", command="ALL") + + client.sssd.common.sudo() + client.sssd.start() + + assert client.auth.sudo.list("user-1", expected=["(root) ALL"]) + assert client.auth.sudo.run("user-1", command="/bin/ls /root") + + +@pytest.mark.importance("critical") +@pytest.mark.authorization +@pytest.mark.topology(KnownTopologyGroup.AnyProvider) +def test_sudo__defaults_set_no_auth_and_sudo_rule_has_mandatory_auth(client: Client, provider: GenericProvider): + """ + :title: defaults sudo entry set !authentication and a sudorule has mandatory authentication + :setup: + 1. Create user "user-1" + 2. Create a sudorule named defaults with option '!authenticate' + 3. Create a sudorule named allow-user-1 to allow user-1 to run all commands on all hosts with authentication + forced + 4. Enable SSSD sudo responder + 5. Start SSSD + :steps: + 1. List sudo rules for "user-1" + 2. Run "sudo /bin/ls root" as user-1 + :expectedresults: + 1. User should be able to run sudo commands on client with mandatory password authentication + 2. Command is successful only with password authentication + :customerscenario: False + """ + provider.user("user-1").add() + provider.sudorule("defaults").add(option="!authenticate") + provider.sudorule("allow-user-1").add(user="user-1", host="ALL", command="ALL", option="authenticate") + + client.sssd.common.sudo() + client.sssd.start() + + assert client.auth.sudo.list("user-1", expected=["(root) PASSWD: ALL"]) + assert not client.auth.sudo.run("user-1", command="/bin/ls /root") + assert client.auth.sudo.run("user-1", "Secret123", command="/bin/ls /root")