TESTS: passkey: force 'root' service user
Passkey tests still don't work when SSSD runs under 'sssd' user.
Configure SSSD to run under 'root' explicitly instead of skipping tests.
alexey-tikhonov committed Aug 8, 2024
1 parent ee3f436 commit 730c5c5
Showing 1 changed file with 12 additions and 32 deletions.
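--- a/src/tests/system/tests/test_passkey.py
+++ b/src/tests/system/tests/test_passkey.py
@@ -77,14 +77,6 @@
 from sssd_test_framework.topology import KnownTopology, KnownTopologyGroup
 
 
-def passkey_requires_root(client: Client) -> tuple[bool, str] | bool:
-user = client.svc.get_property("sssd", "User")
-if user and user != "root":
-return False, "Passkey tests don't work if SSSD runs under non-root"
-
-return True
-
-
 @mh_fixture()
 def umockdev_ipaotpd_update(ipa: IPA, request: pytest.FixtureRequest):
 """
@@ -159,7 +151,6 @@ def test_passkey__register_ipa(ipa: IPA, moduledatadir: str, testdatadir: str):
 @pytest.mark.importance("critical")
 @pytest.mark.topology(KnownTopologyGroup.AnyProvider)
 @pytest.mark.builtwith(client="passkey", provider="passkey")
-@pytest.mark.require.with_args(passkey_requires_root)
 def test_passkey__su_user(client: Client, provider: GenericProvider, moduledatadir: str, testdatadir: str):
 """
 :title: Check su authentication of user with LDAP, IPA, AD and Samba
@@ -179,7 +170,7 @@ def test_passkey__su_user(client: Client, provider: GenericProvider, moduledatad
 with open(f"{testdatadir}/passkey-mapping.{suffix}") as f:
 provider.user("user1").add().passkey_add(f.read().strip())
 
-client.sssd.start()
+client.sssd.start(service_user="root")
 
 assert client.auth.su.passkey(
 username="user1",
@@ -193,7 +184,6 @@ def test_passkey__su_user(client: Client, provider: GenericProvider, moduledatad
 @pytest.mark.importance("high")
 @pytest.mark.topology(KnownTopologyGroup.AnyProvider)
 @pytest.mark.builtwith(client="passkey", provider="passkey")
-@pytest.mark.require.with_args(passkey_requires_root)
 def test_passkey__su_user_with_failed_pin(
 client: Client, provider: GenericProvider, moduledatadir: str, testdatadir: str
 ):
@@ -215,7 +205,7 @@ def test_passkey__su_user_with_failed_pin(
 with open(f"{testdatadir}/passkey-mapping.{suffix}") as f:
 provider.user("user1").add().passkey_add(f.read().strip())
 
-client.sssd.start()
+client.sssd.start(service_user="root")
 
 assert not client.auth.su.passkey(
 username="user1",
@@ -229,7 +219,6 @@ def test_passkey__su_user_with_failed_pin(
 @pytest.mark.importance("critical")
 @pytest.mark.topology(KnownTopologyGroup.AnyProvider)
 @pytest.mark.builtwith(client="passkey", provider="passkey")
-@pytest.mark.require.with_args(passkey_requires_root)
 def test_passkey__su_user_with_incorrect_mapping(
 client: Client, provider: GenericProvider, moduledatadir: str, testdatadir: str
 ):
@@ -253,7 +242,7 @@ def test_passkey__su_user_with_incorrect_mapping(
 with open(f"{testdatadir}/passkey-mapping.{suffix}") as f:
 provider.user("user1").add().passkey_add(f.read().strip())
 
-client.sssd.start()
+client.sssd.start(service_user="root")
 
 assert not client.auth.su.passkey(
 username="user1",
@@ -267,7 +256,6 @@ def test_passkey__su_user_with_incorrect_mapping(
 @pytest.mark.importance("high")
 @pytest.mark.topology(KnownTopologyGroup.AnyProvider)
 @pytest.mark.builtwith(client="passkey", provider="passkey")
-@pytest.mark.require.with_args(passkey_requires_root)
 def test_passkey__su_user_when_server_is_not_resolvable(
 client: Client, provider: GenericProvider, moduledatadir: str, testdatadir: str
 ):
@@ -301,7 +289,7 @@ def test_passkey__su_user_when_server_is_not_resolvable(
 with open(f"{testdatadir}/passkey-mapping.{suffix}") as f:
 provider.user("user1").add().passkey_add(f.read().strip())
 
-client.sssd.start()
+client.sssd.start(service_user="root")
 
 # First time check authentication to cache the user
 assert client.auth.su.passkey(
@@ -329,7 +317,6 @@ def test_passkey__su_user_when_server_is_not_resolvable(
 @pytest.mark.importance("high")
 @pytest.mark.topology(KnownTopologyGroup.AnyProvider)
 @pytest.mark.builtwith(client="passkey", provider="passkey")
-@pytest.mark.require.with_args(passkey_requires_root)
 def test_passkey__su_user_when_offline(
 client: Client, provider: GenericProvider, moduledatadir: str, testdatadir: str
 ):
@@ -357,7 +344,7 @@ def test_passkey__su_user_when_offline(
 
 client.sssd.domain["local_auth_policy"] = "only"
 
-client.sssd.start()
+client.sssd.start(service_user="root")
 
 # First time check authentication to cache the user
 assert client.auth.su.passkey(
@@ -424,7 +411,6 @@ def test_passkey__lookup_user_from_cache(
 @pytest.mark.importance("high")
 @pytest.mark.topology(KnownTopologyGroup.AnyProvider)
 @pytest.mark.builtwith(client="passkey", provider="passkey")
-@pytest.mark.require.with_args(passkey_requires_root)
 def test_passkey__su_user_with_multiple_keys(
 client: Client, provider: GenericProvider, moduledatadir: str, testdatadir: str
 ):
@@ -449,7 +435,7 @@ def test_passkey__su_user_with_multiple_keys(
 with open(f"{testdatadir}/passkey-mapping.{suffix}{n}") as f:
 user_add.passkey_add(f.read().strip())
 
-client.sssd.start()
+client.sssd.start(service_user="root")
 
 assert client.auth.su.passkey(
 username="user1",
@@ -463,7 +449,6 @@ def test_passkey__su_user_with_multiple_keys(
 @pytest.mark.importance("high")
 @pytest.mark.topology(KnownTopologyGroup.AnyProvider)
 @pytest.mark.builtwith(client="passkey", provider="passkey")
-@pytest.mark.require.with_args(passkey_requires_root)
 def test_passkey__su_user_same_key_for_other_users(
 client: Client, provider: GenericProvider, moduledatadir: str, testdatadir: str
 ):
@@ -482,7 +467,7 @@ def test_passkey__su_user_same_key_for_other_users(
 
 client.sssd.domain["local_auth_policy"] = "only"
 
-client.sssd.start()
+client.sssd.start(service_user="root")
 
 for user in ["user1", "user2", "user3"]:
 user_add = provider.user(user).add()
@@ -539,7 +524,6 @@ def test_passkey__check_passkey_mapping_token_as_ssh_key_only(
 @pytest.mark.topology(KnownTopologyGroup.AnyAD)
 @pytest.mark.topology(KnownTopology.LDAP)
 @pytest.mark.builtwith(client="passkey", provider="passkey")
-@pytest.mark.require.with_args(passkey_requires_root)
 def test_passkey__su_user_when_add_with_ssh_key_and_mapping(
 client: Client, provider: GenericProvider, moduledatadir: str, testdatadir: str
 ):
@@ -565,7 +549,7 @@ def test_passkey__su_user_when_add_with_ssh_key_and_mapping(
 with open(f"{testdatadir}/{mapping}") as f:
 user_add.passkey_add(f.read().strip())
 
-client.sssd.start()
+client.sssd.start(service_user="root")
 
 assert client.auth.su.passkey(
 username="user1",
@@ -582,7 +566,6 @@ def test_passkey__su_user_when_add_with_ssh_key_and_mapping(
 @pytest.mark.importance("critical")
 @pytest.mark.topology(KnownTopologyGroup.AnyProvider)
 @pytest.mark.builtwith(client="passkey", provider="passkey")
-@pytest.mark.require.with_args(passkey_requires_root)
 def test_passkey__su_fips_fido_key(client: Client, provider: GenericProvider, moduledatadir: str, testdatadir: str):
 """
 :title: Check su authentication of user with LDAP, IPA, AD and Samba with FIPS Fido key
@@ -605,7 +588,7 @@ def test_passkey__su_fips_fido_key(client: Client, provider: GenericProvider, mo
 with open(f"{testdatadir}/passkey-mapping.{suffix}") as f:
 provider.user("user1").add().passkey_add(f.read().strip())
 
-client.sssd.start()
+client.sssd.start(service_user="root")
 
 assert client.auth.su.passkey(
 username="user1",
@@ -619,7 +602,6 @@ def test_passkey__su_fips_fido_key(client: Client, provider: GenericProvider, mo
 @pytest.mark.importance("critical")
 @pytest.mark.topology(KnownTopology.IPA)
 @pytest.mark.builtwith(client="passkey", ipa="passkey")
-@pytest.mark.require.with_args(passkey_requires_root)
 def test_passkey__check_tgt(client: Client, ipa: IPA, moduledatadir: str, testdatadir: str, umockdev_ipaotpd_update):
 """
 :title: Check the TGT of user after authentication.
@@ -637,7 +619,7 @@ def test_passkey__check_tgt(client: Client, ipa: IPA, moduledatadir: str, testda
 with open(f"{testdatadir}/passkey-mapping.ipa") as f:
 ipa.user("user1").add(user_auth_type="passkey").passkey_add(f.read().strip())
 
-client.sssd.start()
+client.sssd.start(service_user="root")
 
 rc, _, output, _ = client.auth.su.passkey_with_output(
 username="user1",
@@ -655,7 +637,6 @@ def test_passkey__check_tgt(client: Client, ipa: IPA, moduledatadir: str, testda
 @pytest.mark.importance("critical")
 @pytest.mark.topology(KnownTopology.IPA)
 @pytest.mark.builtwith(client="passkey", ipa="passkey")
-@pytest.mark.require.with_args(passkey_requires_root)
 def test_passkey__ipa_server_offline(
 client: Client, ipa: IPA, moduledatadir: str, testdatadir: str, umockdev_ipaotpd_update
 ):
@@ -679,7 +660,7 @@ def test_passkey__ipa_server_offline(
 with open(f"{testdatadir}/passkey-mapping.ipa") as f:
 ipa.user("user1").add(user_auth_type="passkey").passkey_add(f.read().strip())
 
-client.sssd.start()
+client.sssd.start(service_user="root")
 
 rc, _, output, _ = client.auth.su.passkey_with_output(
 username="user1",
@@ -715,7 +696,6 @@ def test_passkey__ipa_server_offline(
 @pytest.mark.topology(KnownTopology.IPA)
 @pytest.mark.builtwith(client="passkey", ipa="passkey")
 @pytest.mark.ticket(gh=6931)
-@pytest.mark.require.with_args(passkey_requires_root)
 def test_passkey__su_with_12_mappings(
 client: Client, ipa: IPA, moduledatadir: str, testdatadir: str, umockdev_ipaotpd_update
 ):
@@ -740,7 +720,7 @@ def test_passkey__su_with_12_mappings(
 with open(f"{testdatadir}/passkey-mapping.ipa{n}") as f:
 user_add.passkey_add(f.read().strip())
 
-client.sssd.start()
+client.sssd.start(service_user="root")
 
 rc, _, output, _ = client.auth.su.passkey_with_output(
 username="user1",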
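Review bot: The twelve `client.sssd.start(service_user="root")` calls hard-code the privileged user with no comment saying why, and with `passkey_requires_root` removed nothing in the file records that passkey authentication still fails when SSSD runs as the unprivileged `sssd` user. Because these tests now run and pass as root on every configuration, the non-root (least-privilege) path has neither coverage nor a visible skip reason, so a later fix or regression there would go unnoticed. I would define one module-level constant, `PASSKEY_SERVICE_USER = "root"  # passkey auth fails under the 'sssd' service user; drop once fixed (tracking issue: <ISSUE-ID>)`, and pass `service_user=PASSKEY_SERVICE_USER` at each call site. The test function bodies continue outside the displayed hunks.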
