From c4e80942fe071781ecda1b2ff24ab75af57af1a8 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov
Date: Mon, 4 Dec 2023 16:45:12 +0100
Subject: [PATCH] SYSTEM TESTS: run core set of tests against SSSD
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
running in two modes: under 'root' and under 'sssd' user (where supported)
Reviewed-by: Alejandro López
Reviewed-by: Dan Lavu
Reviewed-by: Tomáš Halman
---
 src/tests/system/tests/test_authentication.py | 16 +++++++++++--
 src/tests/system/tests/test_autofs.py | 8 ++++++-
 src/tests/system/tests/test_identity.py | 24 ++++++++++++++++---
 src/tests/system/tests/test_ldap.py | 8 ++++++-
 src/tests/system/tests/test_sudo.py | 24 ++++++++++++++++---
 5 files changed, 70 insertions(+), 10 deletions(-)
diff --git a/src/tests/system/tests/test_authentication.py b/src/tests/system/tests/test_authentication.py
index 46341f05173..1b65555505b 100644
--- a/src/tests/system/tests/test_authentication.py
+++ b/src/tests/system/tests/test_authentication.py
@@ -13,7 +13,12 @@
 @pytest.mark.topology(KnownTopologyGroup.AnyProvider)
 @pytest.mark.parametrize("method", ["su", "ssh"])
-def test_authentication__login(client: Client, provider: GenericProvider, method: str):
+@pytest.mark.parametrize("sssd_service_user", ("root", "sssd"))
+@pytest.mark.require(
+ lambda client, sssd_service_user: ((sssd_service_user == "root") or client.features["non-privileged"]),
+ "SSSD was built without support for running under non-root"
+)
+def test_authentication__login(client: Client, provider: GenericProvider, method: str, sssd_service_user: str):
 """
 :title: ssh/su login
 :setup:
@@ -30,6 +35,7 @@ def test_authentication__login(client: Client, provider: GenericProvider, method
 """
 provider.user("user1").add(password="Secret123")
+ client.sssd.set_service_user(sssd_service_user)
 client.sssd.start()
 assert client.auth.parametrize(method).password("user1", "Secret123"), "login with correct password failed"
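Review bot: The `@pytest.mark.require(lambda client, sssd_service_user: ((sssd_service_user == "root") or client.features["non-privileged"]), "SSSD was built without support for running under non-root")` block added above `test_authentication__login` is repeated verbatim on every test this patch touches (test_authentication__offline_login, test_autofs__cache_first, the three test_identity tests, test_ldap__change_password and the three test_sudo tests), so the skip condition and its message will drift the first time one copy is edited. A single shared marker defined once, for example `require_non_privileged = pytest.mark.require(lambda client, sssd_service_user: ..., "SSSD was built without support for running under non-root")` in the tests' common module and applied as `@require_non_privileged`, keeps the eleven copies in step. The condition also indexes `client.features["non-privileged"]` directly; if `features` is a plain mapping and a framework build does not publish that key, the test errors with a KeyError instead of skipping, so `client.features.get("non-privileged", False)` is the safer spelling unless the framework guarantees the key. The decorated function's body continues outside the hunk.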
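Review bot: The new `client.sssd.set_service_user(sssd_service_user)` call before `client.sssd.start()` selects the service user, but nothing in the test confirms that SSSD actually came up as that user, so in the `"sssd"` parametrization a silent fallback to root (for instance the setting being written but ignored by the build under test) would still pass and the non-root path would go unverified. The same pattern appears in every set_service_user hunk of this patch (offline_login, autofs, the identity tests, ldap change_password and the sudo tests). If the framework exposes the owner of the running daemon, an assertion after start that the sssd processes run as `sssd_service_user` would turn the parametrization into a real check of the privilege drop; otherwise a comment at the first such call, noting that only functional behaviour and not the effective uid is verified, would make the limitation explicit. The enclosing test starts before this hunk.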
@@ -38,7 +44,12 @@ def test_authentication__login(client: Client, provider: GenericProvider, method
 @pytest.mark.topology(KnownTopologyGroup.AnyProvider)
 @pytest.mark.parametrize("method", ["su", "ssh"])
-def test_authentication__offline_login(client: Client, provider: GenericProvider, method: str):
+@pytest.mark.parametrize("sssd_service_user", ("root", "sssd"))
+@pytest.mark.require(
+ lambda client, sssd_service_user: ((sssd_service_user == "root") or client.features["non-privileged"]),
+ "SSSD was built without support for running under non-root"
+)
+def test_authentication__offline_login(client: Client, provider: GenericProvider, method: str, sssd_service_user: str):
 """
 :title: Offline ssh/su login
 :setup:
@@ -67,6 +78,7 @@ def test_authentication__offline_login(client: Client, provider: GenericProvider
 wrong = "Wrong123"
 provider.user(user).add(password=correct)
+ client.sssd.set_service_user(sssd_service_user)
 client.sssd.domain["cache_credentials"] = "True"
 client.sssd.domain["krb5_store_password_if_offline"] = "True"
 client.sssd.pam["offline_credentials_expiration"] = "0"
diff --git a/src/tests/system/tests/test_autofs.py b/src/tests/system/tests/test_autofs.py
index dacb0bcfd4c..65dbf784c0d 100644
--- a/src/tests/system/tests/test_autofs.py
+++ b/src/tests/system/tests/test_autofs.py
@@ -17,7 +17,12 @@
 @pytest.mark.ticket(gh=6739)
 @pytest.mark.parametrize("cache_first", [False, True])
 @pytest.mark.topology(KnownTopologyGroup.AnyProvider)
-def test_autofs__cache_first(client: Client, nfs: NFS, provider: GenericProvider, cache_first: bool):
+@pytest.mark.parametrize("sssd_service_user", ("root", "sssd"))
+@pytest.mark.require(
+ lambda client, sssd_service_user: ((sssd_service_user == "root") or client.features["non-privileged"]),
+ "SSSD was built without support for running under non-root"
+)
+def test_autofs__cache_first(client: Client, nfs: NFS, provider: GenericProvider, cache_first: bool, sssd_service_user: str):
 """
 :title: Autofs works correctly with any cache_first value
 :setup:
@@ -45,6 +50,7 @@ def test_autofs__cache_first(client: Client, nfs: NFS, provider: GenericProvider
 key = auto_export.key("export").add(info=nfs_export)
 # Start SSSD
+ client.sssd.set_service_user(sssd_service_user)
 client.sssd.common.autofs()
 client.sssd.autofs["cache_first"] = str(cache_first)
 client.sssd.start()
diff --git a/src/tests/system/tests/test_identity.py b/src/tests/system/tests/test_identity.py
index f09d5bb61fd..607451bd082 100644
--- a/src/tests/system/tests/test_identity.py
+++ b/src/tests/system/tests/test_identity.py
@@ -14,7 +14,12 @@
 @pytest.mark.importance("critical")
 @pytest.mark.topology(KnownTopologyGroup.AnyProvider)
-def test_identity__lookup_username_with_id(client: Client, provider: GenericProvider):
+@pytest.mark.parametrize("sssd_service_user", ("root", "sssd"))
+@pytest.mark.require(
+ lambda client, sssd_service_user: ((sssd_service_user == "root") or client.features["non-privileged"]),
+ "SSSD was built without support for running under non-root"
+)
+def test_identity__lookup_username_with_id(client: Client, provider: GenericProvider, sssd_service_user: str):
 """
 :title: Resolve user by name with id
 :setup:
@@ -35,6 +40,7 @@ def test_identity__lookup_username_with_id(client: Client, provider: GenericProv
 for user, id in ids:
 provider.user(user).add(uid=id, gid=id + 500)
+ client.sssd.set_service_user(sssd_service_user)
 client.sssd.domain["ldap_id_mapping"] = "false"
 client.sssd.start()
@@ -47,7 +53,12 @@ def test_identity__lookup_username_with_id(client: Client, provider: GenericProv
 @pytest.mark.importance("critical")
 @pytest.mark.topology(KnownTopologyGroup.AnyProvider)
-def test_identity__lookup_uid_with_id(client: Client, provider: GenericProvider):
+@pytest.mark.parametrize("sssd_service_user", ("root", "sssd"))
+@pytest.mark.require(
+ lambda client, sssd_service_user: ((sssd_service_user == "root") or client.features["non-privileged"]),
+ "SSSD was built without support for running under non-root"
+)
+def test_identity__lookup_uid_with_id(client: Client, provider: GenericProvider, sssd_service_user: str):
 """
 :title: Resolve user by uid with id
 :setup:
@@ -68,6 +79,7 @@ def test_identity__lookup_uid_with_id(client: Client, provider: GenericProvider)
 for user, id in ids:
 provider.user(user).add(uid=id, gid=id + 500)
+ client.sssd.set_service_user(sssd_service_user)
 client.sssd.domain["ldap_id_mapping"] = "false"
 client.sssd.start()
@@ -228,7 +240,12 @@ def test_identity__lookup_user_by_group_with_getent(client: Client, provider: Ge
 @pytest.mark.importance("critical")
 @pytest.mark.topology(KnownTopologyGroup.AnyProvider)
-def test_identity__lookup_group_membership_by_username_with_id(client: Client, provider: GenericProvider):
+@pytest.mark.parametrize("sssd_service_user", ("root", "sssd"))
+@pytest.mark.require(
+ lambda client, sssd_service_user: ((sssd_service_user == "root") or client.features["non-privileged"]),
+ "SSSD was built without support for running under non-root"
+)
+def test_identity__lookup_group_membership_by_username_with_id(client: Client, provider: GenericProvider, sssd_service_user: str):
 """
 :title: Check membership of user by group name with id
 :setup:
@@ -251,6 +268,7 @@ def test_identity__lookup_group_membership_by_username_with_id(client: Client, p
 provider.group("group1").add().add_members([u1, u2, u3])
+ client.sssd.set_service_user(sssd_service_user)
 client.sssd.start()
 for name, groups in users:
diff --git a/src/tests/system/tests/test_ldap.py b/src/tests/system/tests/test_ldap.py
index fde23d9cf9b..35687f59f6a 100644
--- a/src/tests/system/tests/test_ldap.py
+++ b/src/tests/system/tests/test_ldap.py
@@ -18,7 +18,12 @@
 @pytest.mark.parametrize("modify_mode", ["exop", "ldap_modify"])
 @pytest.mark.parametrize("use_ppolicy", ["true", "false"])
 @pytest.mark.topology(KnownTopology.LDAP)
-def test_ldap__change_password(client: Client, ldap: LDAP, modify_mode: str, use_ppolicy: str):
+@pytest.mark.parametrize("sssd_service_user", ("root", "sssd"))
+@pytest.mark.require(
+ lambda client, sssd_service_user: ((sssd_service_user == "root") or client.features["non-privileged"]),
+ "SSSD was built without support for running under non-root"
+)
+def test_ldap__change_password(client: Client, ldap: LDAP, modify_mode: str, use_ppolicy: str, sssd_service_user: str):
 """
 :title: Change password with "ldap_pwmodify_mode" set to @modify_mode
 :setup:
@@ -45,6 +50,7 @@ def test_ldap__change_password(client: Client, ldap: LDAP, modify_mode: str, use
 ldap.user(user).add(password=old_pass)
 ldap.aci.add('(targetattr="userpassword")(version 3.0; acl "pwp test"; allow (all) userdn="ldap:///self";)')
+ client.sssd.set_service_user(sssd_service_user)
 client.sssd.domain["ldap_pwmodify_mode"] = modify_mode
 client.sssd.domain["ldap_use_ppolicy"] = use_ppolicy
 client.sssd.start()
diff --git a/src/tests/system/tests/test_sudo.py b/src/tests/system/tests/test_sudo.py
index cf53e56f54d..a0210f4e39a 100644
--- a/src/tests/system/tests/test_sudo.py
+++ b/src/tests/system/tests/test_sudo.py
@@ -22,7 +22,12 @@
 @pytest.mark.importance("critical")
 @pytest.mark.authorization
 @pytest.mark.topology(KnownTopologyGroup.AnyProvider)
-def test_sudo__user_allowed(client: Client, provider: GenericProvider):
+@pytest.mark.parametrize("sssd_service_user", ("root", "sssd"))
+@pytest.mark.require(
+ lambda client, sssd_service_user: ((sssd_service_user == "root") or client.features["non-privileged"]),
+ "SSSD was built without support for running under non-root"
+)
+def test_sudo__user_allowed(client: Client, provider: GenericProvider, sssd_service_user: str):
 """
 :title: One user is allowed to run command, other user is not
 :setup:
@@ -47,6 +52,7 @@ def test_sudo__user_allowed(client: Client, provider: GenericProvider):
 provider.user("user-2").add()
 provider.sudorule("test").add(user=u, host="ALL", command="/bin/ls")
+ client.sssd.set_service_user(sssd_service_user)
 client.sssd.common.sudo()
 client.sssd.start()
@@ -155,7 +161,12 @@ def test_sudo__case_sensitive_false(client: Client, provider: GenericProvider):
 @pytest.mark.importance("critical")
 @pytest.mark.authorization
 @pytest.mark.topology(KnownTopologyGroup.AnyProvider)
-def test_sudo__rules_refresh(client: Client, provider: GenericProvider):
+@pytest.mark.parametrize("sssd_service_user", ("root", "sssd"))
+@pytest.mark.require(
+ lambda client, sssd_service_user: ((sssd_service_user == "root") or client.features["non-privileged"]),
+ "SSSD was built without support for running under non-root"
+)
+def test_sudo__rules_refresh(client: Client, provider: GenericProvider, sssd_service_user: str):
 """
 :title: Sudo rules refresh works
 :setup:
@@ -179,6 +190,7 @@ def test_sudo__rules_refresh(client: Client, provider: GenericProvider):
 u = provider.user("user-1").add()
 r = provider.sudorule("test").add(user=u, host="ALL", command="/bin/ls")
+ client.sssd.set_service_user(sssd_service_user)
 client.sssd.common.sudo()
 client.sssd.domain["entry_cache_sudo_timeout"] = "2"
 client.sssd.start()
@@ -495,7 +507,12 @@ def is_smart_skipped(line: str) -> bool:
 @pytest.mark.authorization
 @pytest.mark.ticket(bz=1294670, gh=3969)
 @pytest.mark.topology(KnownTopologyGroup.AnyProvider)
-def test_sudo__local_users_negative_cache(client: Client, provider: LDAP):
+@pytest.mark.parametrize("sssd_service_user", ("root", "sssd"))
+@pytest.mark.require(
+ lambda client, sssd_service_user: ((sssd_service_user == "root") or client.features["non-privileged"]),
+ "SSSD was built without support for running under non-root"
+)
+def test_sudo__local_users_negative_cache(client: Client, provider: LDAP, sssd_service_user: str):
 """
 :title: Sudo responder hits negative cache for local users
 :setup:
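Review bot: The rewritten signature `def test_sudo__local_users_negative_cache(client: Client, provider: LDAP, sssd_service_user: str):` keeps `provider: LDAP` while the test is marked `@pytest.mark.topology(KnownTopologyGroup.AnyProvider)` and the sibling sudo tests in this same patch annotate `provider: GenericProvider`. Since the signature line is being rewritten anyway, changing it to `provider: GenericProvider` would make the annotation agree with the topologies the test actually runs under, assuming the body uses only the generic provider API. The function body continues past the end of the hunk, so that assumption needs checking there.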
@@ -522,6 +539,7 @@ def test_sudo__local_users_negative_cache(client: Client, provider: LDAP):
 client.local.user("user-1").add()
 client.fs.write("/etc/sudoers.d/test", "user-1 ALL=(ALL) NOPASSWD:ALL")
+ client.sssd.set_service_user(sssd_service_user)
 client.sssd.common.sudo()
 client.sssd.nss.update(
 entry_negative_timeout="0", # disable standard negative cache to make sure we hit the local user case