diff --git a/src/tests/system/tests/test_gpo.py b/src/tests/system/tests/test_gpo.py index a4323bf993d..5b05be4c17b 100644 --- a/src/tests/system/tests/test_gpo.py +++ b/src/tests/system/tests/test_gpo.py @@ -8,11 +8,12 @@ The following code will modify both SeInteractiveActiveLogonRight and SeRemoteInteractiveLogonRight. .. code-block:: - ad.gpo("site policy").add().policy( + provider.gpo("site policy").add().policy( { - "SeInteractiveLogonRight": [user1, group, ad.group("Domain Admins")], + "SeInteractiveLogonRight": [user1, group, provider.group("Domain Admins")], "SeDenyInteractiveLogonRight": [], } + ) An administrative user or group always needs to be specified, to prevent administrative lock outs, for the tests "Domain Admins" group is used. @@ -33,15 +34,15 @@ import pytest from sssd_test_framework.roles.ad import AD -from sssd_test_framework.roles.samba import Samba from sssd_test_framework.roles.client import Client -from sssd_test_framework.topology import KnownTopologyGroup, KnownTopology +from sssd_test_framework.roles.generic import GenericADProvider +from sssd_test_framework.topology import KnownTopology, KnownTopologyGroup @pytest.mark.importance("critical") @pytest.mark.parametrize("method", ["su", "ssh"]) @pytest.mark.topology(KnownTopologyGroup.AnyAD) -def test_gpo__is_set_to_enforcing(client: Client, samba: Samba, method: str): +def test_gpo__is_set_to_enforcing(client: Client, provider: GenericADProvider, method: str): """ :title: Group policy object host base access control is set to enforcing and users are allowed :description: 
@@ -64,22 +65,20 @@ def test_gpo__is_set_to_enforcing(client: Client, samba: Samba, method: str): 3. User authentications are unsuccessful :customerscenario: True """ - samba.user("user").add() - user1 = samba.user("user1").add() - user2 = samba.user("user2").add() - deny_user1 = samba.user("deny_user1").add() - deny_user2 = samba.user("deny_user2").add() - group = samba.group("group").add().add_members([user2]) - deny_group = samba.group("deny_group").add().add_members([deny_user2]) - - gpo = samba.gpo("site policy").add() - - gpo.policy( + provider.user("user").add() + user1 = provider.user("user1").add() + user2 = provider.user("user2").add() + deny_user1 = provider.user("deny_user1").add() + deny_user2 = provider.user("deny_user2").add() + group = provider.group("group").add().add_members([user2]) + deny_group = provider.group("deny_group").add().add_members([deny_user2]) + + provider.gpo("site policy").add().policy( { - "SeInteractiveLogonRight": [user1, group, samba.group("Domain Admins")], + "SeInteractiveLogonRight": [user1, group, provider.group("Domain Admins")], "SeDenyInteractiveLogonRight": [deny_user1, deny_group], } - ) + ).link() client.sssd.domain["ad_gpo_access_control"] = "enforcing" client.sssd.start() @@ -107,8 +106,8 @@ def test_gpo__is_set_to_enforcing(client: Client, samba: Samba, method: str): @pytest.mark.importance("critical") @pytest.mark.parametrize("method", ["su", "ssh"]) -@pytest.mark.topology(KnownTopology.AD) -def test_gpo__is_set_to_enforcing_with_no_policy(client: Client, ad: AD, method: str): +@pytest.mark.topology(KnownTopologyGroup.AnyAD) +def test_gpo__is_set_to_enforcing_with_no_policy(client: Client, provider: GenericADProvider, method: str): """ :title: Group policy object host base access control is set to enforcing with no policy :description: 
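Review bot: `provider.user("user").add()` on the first added line of this hunk creates an account that is in neither `SeInteractiveLogonRight` nor `SeDenyInteractiveLogonRight` and is never bound to a name, so its purpose is only recoverable from the docstring's step 3 ("User authentications are unsuccessful"); a comment such as `# 'user' is in neither logon-right list: presumably expected to be rejected under ad_gpo_access_control = enforcing` would make that explicit next to the setup. The chain now ends in `.link()` where the Samba version never linked the GPO at all; that matches the `.add().policy(...).link()` pattern used by the other tests in this file, but the assertions that depend on the link are past the end of the hunk, so I cannot confirm them here.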
@@ -126,7 +125,7 @@ def test_gpo__is_set_to_enforcing_with_no_policy(client: Client, ad: AD, method: 2. Access check result is granted :customerscenario: True """ - ad.user("user").add() + provider.user("user").add() client.sssd.domain["ad_gpo_access_control"] = "enforcing" client.sssd.start() @@ -136,8 +135,8 @@ def test_gpo__is_set_to_enforcing_with_no_policy(client: Client, ad: AD, method: @pytest.mark.importance("critical") @pytest.mark.parametrize("method", ["su", "ssh"]) -@pytest.mark.topology(KnownTopology.AD) -def test_gpo__is_set_to_permissive_and_users_are_allowed(client: Client, ad: AD, method: str): +@pytest.mark.topology(KnownTopologyGroup.AnyAD) +def test_gpo__is_set_to_permissive_and_users_are_allowed(client: Client, provider: GenericADProvider, method: str): """ :title: Group policy object host base access control is set to permissive :description: @@ -159,11 +158,11 @@ def test_gpo__is_set_to_permissive_and_users_are_allowed(client: Client, ad: AD, 3. Access check result is granted :customerscenario: True """ - user1 = ad.user("user1").add() + user1 = provider.user("user1").add() - ad.gpo("site policy").add().policy( + provider.gpo("site policy").add().policy( { - "SeInteractiveLogonRight": [user1, ad.group("Domain Admins")], + "SeInteractiveLogonRight": [user1, provider.group("Domain Admins")], "SeDenyInteractiveLogonRight": [], } ).link() @@ -185,8 +184,8 @@ def test_gpo__is_set_to_permissive_and_users_are_allowed(client: Client, ad: AD, @pytest.mark.importance("critical") @pytest.mark.parametrize("method", ["su", "ssh"]) -@pytest.mark.topology(KnownTopology.AD) -def test_gpo__is_set_to_permissive_and_users_are_denied(client: Client, ad: AD, method: str): +@pytest.mark.topology(KnownTopologyGroup.AnyAD) +def test_gpo__is_set_to_permissive_and_users_are_denied(client: Client, provider: GenericADProvider, method: str): """ :title: Group policy object host base access control is set to permissive :description: 
@@ -208,11 +207,11 @@ def test_gpo__is_set_to_permissive_and_users_are_denied(client: Client, ad: AD, 3. Access check result is denied :customerscenario: True """ - deny_user1 = ad.user("deny_user1").add() + deny_user1 = provider.user("deny_user1").add() - ad.gpo("site policy").add().policy( + provider.gpo("site policy").add().policy( { - "SeInteractiveLogonRight": [ad.group("Domain Admins")], + "SeInteractiveLogonRight": [provider.group("Domain Admins")], "SeDenyInteractiveLogonRight": [deny_user1], } ).link() @@ -234,8 +233,8 @@ def test_gpo__is_set_to_permissive_and_users_are_denied(client: Client, ad: AD, @pytest.mark.importance("critical") @pytest.mark.parametrize("method", ["su", "ssh"]) -@pytest.mark.topology(KnownTopology.AD) -def test_gpo__is_set_to_disabled_and_all_users_are_allowed(client: Client, ad: AD, method: str): +@pytest.mark.topology(KnownTopologyGroup.AnyAD) +def test_gpo__is_set_to_disabled_and_all_users_are_allowed(client: Client, provider: GenericADProvider, method: str): """ :title: Group policy object host base access control is set to disabled and all users are allowed :description: @@ -255,13 +254,13 @@ def test_gpo__is_set_to_disabled_and_all_users_are_allowed(client: Client, ad: A 2. ad_gpo_access_control is disabled :customerscenario: True """ - ad.user("user").add() - user1 = ad.user("user1").add() - deny_user1 = ad.user("deny_user1").add() + provider.user("user").add() + user1 = provider.user("user1").add() + deny_user1 = provider.user("deny_user1").add() - ad.gpo("site policy").add().policy( + provider.gpo("site policy").add().policy( { - "SeInteractiveLogonRight": [user1, ad.group("Domain Admins")], + "SeInteractiveLogonRight": [user1, provider.group("Domain Admins")], "SeDenyInteractiveLogonRight": [deny_user1], } ).link() 
@@ -289,9 +288,9 @@ def test_gpo__is_set_to_disabled_and_all_users_are_allowed(client: Client, ad: A @pytest.mark.importance("critical") @pytest.mark.parametrize("method", ["ssh", "su"]) -@pytest.mark.topology(KnownTopology.AD) +@pytest.mark.topology(KnownTopologyGroup.AnyAD) @pytest.mark.ticket(bz=1695576) -def test_gpo__implicit_deny_is_set_to_true(client: Client, ad: AD, method: str): +def test_gpo__implicit_deny_is_set_to_true(client: Client, provider: GenericADProvider, method: str): """ :title: Group policy object host base access control is set to enforcing and implicit deny is true :description: @@ -307,7 +306,7 @@ def test_gpo__implicit_deny_is_set_to_true(client: Client, ad: AD, method: str): 1. 'user' authentication is unsuccessful :customerscenario: True """ - ad.user("user").add() + provider.user("user").add() client.sssd.domain["ad_gpo_access_control"] = "enforcing" client.sssd.domain["ad_gpo_implicit_deny"] = "True" @@ -320,8 +319,10 @@ def test_gpo__implicit_deny_is_set_to_true(client: Client, ad: AD, method: str): @pytest.mark.importance("critical") @pytest.mark.parametrize("method", ["ssh", "su"]) -@pytest.mark.topology(KnownTopology.AD) -def test_gpo__domain_and_sites_inheritance_when_site_is_enforcing(client: Client, ad: AD, method: str): +@pytest.mark.topology(KnownTopologyGroup.AnyAD) +def test_gpo__domain_and_sites_inheritance_when_site_is_enforcing( + client: Client, provider: GenericADProvider, method: str +): """ :title: Group policy object host base access control checking inheritance for sites enforced and domains :description: 
@@ -346,29 +347,27 @@ def test_gpo__domain_and_sites_inheritance_when_site_is_enforcing(client: Client 2. 'user2' authentication is unsuccessful :customerscenario: True """ - user1 = ad.user("user1").add() - user2 = ad.user("user2").add() + user1 = provider.user("user1").add() + user2 = provider.user("user2").add() site_policy = ( - ad.gpo("site policy") + provider.gpo("site policy") .add() .policy( { - "SeInteractiveLogonRight": [user1, ad.group("Domain Admins")], + "SeInteractiveLogonRight": [user1, provider.group("Domain Admins")], "SeDenyInteractiveLogonRight": [user2], } ) - .link() + .link(enforced=True) ) - ad.gpo("domain policy").add().policy( + provider.gpo("domain policy").add().policy( { - "SeInteractiveLogonRight": [user2, ad.group("Domain Admins")], + "SeInteractiveLogonRight": [user2, provider.group("Domain Admins")], "SeDenyInteractiveLogonRight": [user1], } - ).link(target=f"{ad.host.naming_context}") - - site_policy.link("Set", args=["-Enforced Yes"]) + ).link(target=f"{provider.host.naming_context}") client.sssd.domain["ad_gpo_access_control"] = "enforcing" client.sssd.start() @@ -540,7 +539,7 @@ def test_gpo__sites_inheritance_using_gpo_link_order(client: Client, ad: AD, met "SeInteractiveLogonRight": [user2, ad.group("Domain Admins")], "SeDenyInteractiveLogonRight": [user1], } - ).link(args=["-Order 1"]) + ).link(order=1) client.sssd.domain["ad_gpo_access_control"] = "enforcing" client.sssd.start() @@ -553,8 +552,8 @@ def test_gpo__sites_inheritance_using_gpo_link_order(client: Client, ad: AD, met @pytest.mark.importance("critical") -@pytest.mark.topology(KnownTopology.AD) -def test_gpo__map_interactive_disabling_login_su_and_su_l(client: Client, ad: AD): +@pytest.mark.topology(KnownTopologyGroup.AnyAD) +def test_gpo__map_interactive_disabling_login_su_and_su_l(client: Client, provider: GenericADProvider): """ :title: Group policy object host based access disabling logon, su, su-l GPO evaluation. :description: 
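Review bot: `site_policy` is still bound on the `site_policy = (` line, but its only visible consumer, `site_policy.link("Set", args=["-Enforced Yes"])`, is removed by this hunk; unless the rest of the function (outside the hunk) reads it, the binding is dead and the expression can be a bare statement like the `provider.gpo("domain policy")` call just below it. If it is kept, a linter will flag it as an unused local. The function body continues past the hunk, so this is inferred from what is visible.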
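Review bot: `test_gpo__sites_inheritance_using_gpo_link_order` keeps the `ad: AD` fixture (see the hunk header) while every sibling touched by this commit moved to `provider: GenericADProvider` with `KnownTopologyGroup.AnyAD`; only its `.link(order=1)` call is changed. If link ordering is deliberately AD-only (for example not exposed by the Samba side of the provider), a short comment on the test's decorator line — `# AD only: GPO link order is not exercised through the generic provider` — would stop the next reader from "fixing" it; otherwise it should be converted like the rest. The decorators and most of the body are outside the hunk, so this is inferred from the header alone.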
@@ -580,12 +579,12 @@ def test_gpo__map_interactive_disabling_login_su_and_su_l(client: Client, ad: AD 4. 'deny_user1' authentication is unsuccessful for ssh :customerscenario: True """ - user1 = ad.user("user1").add() - deny_user1 = ad.user("deny_user1").add() + user1 = provider.user("user1").add() + deny_user1 = provider.user("deny_user1").add() - ad.gpo("site policy").add().policy( + provider.gpo("site policy").add().policy( { - "SeInteractiveLogonRight": [user1, ad.group("Domain Admins")], + "SeInteractiveLogonRight": [user1, provider.group("Domain Admins")], "SeDenyInteractiveLogonRight": [deny_user1], } ).link() @@ -607,8 +606,8 @@ def test_gpo__map_interactive_disabling_login_su_and_su_l(client: Client, ad: AD @pytest.mark.importance("critical") -@pytest.mark.topology(KnownTopology.AD) -def test_gpo__map_remote_interactive_disabling_sshd(client: Client, ad: AD): +@pytest.mark.topology(KnownTopologyGroup.AnyAD) +def test_gpo__map_remote_interactive_disabling_sshd(client: Client, provider: GenericADProvider): """ :title: Group policy object host based access disabling ssh and cockpit GPO evaluation. :description: @@ -633,12 +632,12 @@ def test_gpo__map_remote_interactive_disabling_sshd(client: Client, ad: AD): 4. 'deny_user1' authentication is unsuccessful for ssh :customerscenario: True """ - user1 = ad.user("user1").add() - deny_user1 = ad.user("deny_user1").add() + user1 = provider.user("user1").add() + deny_user1 = provider.user("deny_user1").add() - ad.gpo("site policy").add().policy( + provider.gpo("site policy").add().policy( { - "SeInteractiveLogonRight": [user1, ad.group("Domain Admins")], + "SeInteractiveLogonRight": [user1, provider.group("Domain Admins")], "SeDenyInteractiveLogonRight": [deny_user1], } ).link() 
@@ -661,8 +660,8 @@ def test_gpo__map_remote_interactive_disabling_sshd(client: Client, ad: AD): @pytest.mark.importance("critical") @pytest.mark.parametrize("method", ["ssh", "su"]) -@pytest.mark.topology(KnownTopology.AD) -def test_gpo__works_when_the_server_is_unreachable(client: Client, ad: AD, method: str): +@pytest.mark.topology(KnownTopologyGroup.AnyAD) +def test_gpo__works_when_the_server_is_unreachable(client: Client, provider: GenericADProvider, method: str): """ :title: Group policy object host based works when the server is unreachable. :description: Tests that gpo processing works from the cache when the server is unreachable @@ -687,12 +686,12 @@ def test_gpo__works_when_the_server_is_unreachable(client: Client, ad: AD, metho 5. 'deny_user1' authentication is unsuccessful :customerscenario: True """ - user1 = ad.user("user1").add() - deny_user1 = ad.user("deny_user1").add() + user1 = provider.user("user1").add() + deny_user1 = provider.user("deny_user1").add() - ad.gpo("site policy").add().policy( + provider.gpo("site policy").add().policy( { - "SeInteractiveLogonRight": [user1, ad.group("Domain Admins")], + "SeInteractiveLogonRight": [user1, provider.group("Domain Admins")], "SeDenyInteractiveLogonRight": [deny_user1], } ).link() @@ -711,7 +710,7 @@ def test_gpo__works_when_the_server_is_unreachable(client: Client, ad: AD, metho "deny_user1", password="Secret123" ), "Denied user authenticated successfully!" - client.firewall.outbound.drop_host(ad) + client.firewall.outbound.drop_host(provider) client.sssd.bring_offline() assert client.auth.parametrize(method).password( 
@@ -725,9 +724,9 @@ def test_gpo__works_when_the_server_is_unreachable(client: Client, ad: AD, metho @pytest.mark.importance("critical") @pytest.mark.parametrize("method", ["ssh", "su"]) -@pytest.mark.topology(KnownTopology.AD) +@pytest.mark.topology(KnownTopologyGroup.AnyAD) @pytest.mark.ticket(bz=1547234) -def test_gpo__honors_the_ad_site_parameter(client: Client, ad: AD, method: str): +def test_gpo__honors_the_ad_site_parameter(client: Client, provider: GenericADProvider, method: str): """ :title: Group policy object host based access control honors the ad_site parameter in the configuration. :description: @@ -753,16 +752,16 @@ def test_gpo__honors_the_ad_site_parameter(client: Client, ad: AD, method: str): 2. 'deny_user1' authentication is unsuccessful :customerscenario: True """ - user1 = ad.user("user1").add() - deny_user1 = ad.user("deny_user1").add() - ad.site("New-Site").add() + user1 = provider.user("user1").add() + deny_user1 = provider.user("deny_user1").add() + provider.site("New-Site").add() - ad.gpo("site policy").add().policy( + provider.gpo("site policy").add().policy( { - "SeInteractiveLogonRight": [user1, ad.group("Domain Admins")], + "SeInteractiveLogonRight": [user1, provider.group("Domain Admins")], "SeDenyInteractiveLogonRight": [deny_user1], } - ).link(target=f"cn=New-Site,cn=sites,cn=configuration,{ad.host.naming_context}") + ).link(target=f"cn=New-Site,cn=sites,cn=configuration,{provider.host.naming_context}") client.sssd.domain["ad_gpo_access_control"] = "enforcing" client.sssd.domain["ad_site"] = "New-Site" 
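Review bot: the site name `New-Site` is spelled out three times in the second hunk and its tail — `provider.site("New-Site").add()`, inside the hand-built link target DN, and `client.sssd.domain["ad_site"] = "New-Site"` — so a typo in any one copy would silently link the GPO to a different site than SSSD is told to use and the test would fail for the wrong reason. Binding it once with `site_name = "New-Site"` and using it in `provider.site(site_name).add()`, the f-string target and the `ad_site` setting removes that drift. If the framework's site object exposes its own DN, using it instead of composing `cn=...,cn=sites,cn=configuration,...` by hand would be better still, but that is not visible from this hunk.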
@@ -837,9 +836,11 @@ def test_gpo__only_needs_host_security_filters_and_permissions(client: Client, a @pytest.mark.importance("critical") @pytest.mark.parametrize("method", ["ssh", "su"]) -@pytest.mark.topology(KnownTopology.AD) +@pytest.mark.topology(KnownTopologyGroup.AnyAD) @pytest.mark.ticket(bz=1316164) -def test_gpo__ignores_invalid_and_unnecessary_keys_and_values(client: Client, ad: AD, method: str): +def test_gpo__ignores_invalid_and_unnecessary_keys_and_values( + client: Client, provider: GenericADProvider, method: str +): """ :title: Group policy object host based access control ignores invalid and unnecessary keys and values. :description: @@ -861,12 +862,12 @@ def test_gpo__ignores_invalid_and_unnecessary_keys_and_values(client: Client, ad 2. 'deny_user1' authentication is unsuccessful :customerscenario: True """ - user1 = ad.user("user1").add() - deny_user1 = ad.user("deny_user1").add() + user1 = provider.user("user1").add() + deny_user1 = provider.user("deny_user1").add() - ad.gpo("policy invalid keys and values").add().policy( + provider.gpo("policy invalid keys and values").add().policy( { - "SeInteractiveLogonRight": [user1, ad.group("Domain Admins")], + "SeInteractiveLogonRight": [user1, provider.group("Domain Admins")], "SeDenyInteractiveLogonRight": [deny_user1], }, cfg={"Service General Setting": {"BITS": "2", "wuaserv": "2", "MpsSvc": "2"}}, 
@@ -939,9 +940,11 @@ def test_gpo__skips_unreadable_gpo_policies(client: Client, ad: AD, method: str) @pytest.mark.importance("critical") @pytest.mark.parametrize("method", ["ssh", "su"]) -@pytest.mark.topology(KnownTopology.AD) +@pytest.mark.topology(KnownTopologyGroup.AnyAD) @pytest.mark.ticket(bz=2151450) -def test_gpo__finds_all_groups_when_auto_private_groups_is_set_true(client: Client, ad: AD, method: str): +def test_gpo__finds_all_groups_when_auto_private_groups_is_set_true( + client: Client, provider: GenericADProvider, method: str +): """ :title: Primary group is missing from users when auto_private_groups are enabled :description: @@ -960,11 +963,11 @@ def test_gpo__finds_all_groups_when_auto_private_groups_is_set_true(client: Clie 2. User found and primary group 'Domain Users' is listed :customerscenario: True """ - user1 = ad.user("user1").add() + user1 = provider.user("user1").add() - ad.gpo("site policy").add().policy( + provider.gpo("site policy").add().policy( { - "SeInteractiveLogonRight": [user1, ad.group("Domain Admins")], + "SeInteractiveLogonRight": [user1, provider.group("Domain Admins")], "SeDenyInteractiveLogonRight": [], } ).link() @@ -986,10 +989,10 @@ def test_gpo__finds_all_groups_when_auto_private_groups_is_set_true(client: Clie @pytest.mark.importance("critical") @pytest.mark.parametrize("method", ["ssh", "su"]) @pytest.mark.parametrize("auto_private_groups", ["true", "false", "hybrid"]) -@pytest.mark.topology(KnownTopology.AD) +@pytest.mark.topology(KnownTopologyGroup.AnyAD) @pytest.mark.ticket(gh=7452) def test_gpo__works_when_auto_private_group_is_used_with_posix_accounts( - client: Client, ad: AD, method: str, auto_private_groups: str + client: Client, provider: GenericADProvider, method: str, auto_private_groups: str ): """ :title: GPO evaluation fails when auto_private_groups used with posix accounts 
@@ -1008,12 +1011,12 @@ def test_gpo__works_when_auto_private_group_is_used_with_posix_accounts( 2. Authenticated user is unsuccessful :customerscenario: True """ - user1 = ad.user("user1").add(uid=10000, gid=10000) - deny_user1 = ad.user("deny_user1").add(uid=10001, gid=10001) + user1 = provider.user("user1").add(uid=10000, gid=10000) + deny_user1 = provider.user("deny_user1").add(uid=10001, gid=10001) - ad.gpo("site policy").add().policy( + provider.gpo("site policy").add().policy( { - "SeInteractiveLogonRight": [user1, ad.group("Domain Admins")], + "SeInteractiveLogonRight": [user1, provider.group("Domain Admins")], "SeDenyInteractiveLogonRight": [deny_user1], } ).link()