Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

tests: multihost/basic/test_kcm converted #6990

Closed
wants to merge 1 commit into from
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 11 additions & 0 deletions src/tests/multihost/basic/test_kcm.py
Original file line number Diff line number Diff line change
Expand Up @@ -8,14 +8,17 @@
"""
import os
import re

import pytest
from pexpect import pxssh
from utils_config import set_param

from sssd.testlib.common.utils import sssdTools


class TestSanityKCM(object):
""" KCM Sanity Test cases """

def _kcm_service_op(self, multihost, svc_op):
systemd_kcm_op = 'systemctl %s sssd-kcm' % (svc_op)
multihost.master[0].run_command(systemd_kcm_op)
Expand Down Expand Up @@ -51,6 +54,7 @@ def _remove_secret_db(self, multihost):
'rm -f /var/lib/sss/secrets/secrets.ldb')
self._restart_kcm(multihost)

@pytest.mark.converted('test_kcm.py', 'test_kcm__kinit_kcm_krb5ccname')
@pytest.mark.usefixtures("enable_kcm")
def test_kinit_kcm(self, multihost):
"""
Expand All @@ -70,6 +74,7 @@ def test_kinit_kcm(self, multihost):
assert cmd2.returncode == 0, "klist failed!"
assert 'Ticket cache: KCM:14583103' in cmd2.stdout_text

@pytest.mark.converted('test_kcm.py', 'test_kcm_ssh_login_creates_kerberos_ticket')
@staticmethod
@pytest.mark.usefixtures("enable_kcm")
def test_ssh_login_kcm(multihost):
Expand All @@ -85,6 +90,7 @@ def test_ssh_login_kcm(multihost):
'journalctl -u sssd -n 50 --no-pager')
assert ssh0, "Authentication Failed as user foo4"

@pytest.mark.converted('test_kcm.py', 'test_kcm__debug_log_enabled')
@pytest.mark.usefixtures("enable_kcm")
def test_kcm_debug_level_set(self, multihost):
"""
Expand Down Expand Up @@ -133,6 +139,7 @@ def test_kcm_debug_level_set(self, multihost):
log_lines_debug = self._kcm_log_length(multihost)
assert log_lines_debug > log_lines_pre + 100

@pytest.mark.converted('test_kcm.py', 'test_kcm__kdestroy_nocache')
@staticmethod
@pytest.mark.usefixtures("enable_kcm")
def test_kdestroy_retval(multihost):
Expand Down Expand Up @@ -191,6 +198,7 @@ def test_ssh_forward_creds(multihost):
assert 'KCM:14583103' in klist, "kinit did not work!"
assert 'KCM:14583109' in ssh_output, "Ticket not forwarded!"

@pytest.mark.converted('test_kcm.py', 'test_kcm__display_correct_kvno')
@staticmethod
@pytest.mark.usefixtures("enable_kcm")
def test_kvno_display(multihost):
Expand All @@ -216,6 +224,7 @@ def test_kvno_display(multihost):
else:
pytest.fail("kvno display was improper")

@pytest.mark.converted('test_kcm.py', 'test_kcm__configure_max_uid_ccaches_with_different_values')
@pytest.mark.usefixtures("enable_kcm", "create_many_user_principals")
def test_kcm_peruid_quota(self, multihost):
"""
Expand Down Expand Up @@ -268,6 +277,7 @@ def test_kcm_peruid_quota(self, multihost):
multihost.master[0].run_command(
'su -l foo3 -c "kdestroy -A"', raiseonerr=False)

@pytest.mark.converted('test_kcm.py', 'test_kcm__configure_max_uid_ccaches_with_different_values')
@pytest.mark.usefixtures("enable_kcm", "create_many_user_principals")
def test_kcm_peruid_quota_increase(self, multihost):
"""
Expand Down Expand Up @@ -310,6 +320,7 @@ def test_kcm_peruid_quota_increase(self, multihost):
multihost.master[0].run_command(
f'su -l {user} -c "kdestroy -A"', raiseonerr=False)

@pytest.mark.converted('test_kcm.py', 'test_kcm__configure_max_uid_ccaches_with_different_values')
@pytest.mark.usefixtures("enable_kcm")
def test_kcm_payload_low_quota(self, multihost):
"""
Expand Down
183 changes: 183 additions & 0 deletions src/tests/system/tests/test_kcm.py
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@
from pytest_mh.ssh import SSHProcessError
from sssd_test_framework.roles.client import Client
from sssd_test_framework.roles.kdc import KDC
from sssd_test_framework.roles.ldap import LDAP
from sssd_test_framework.topology import KnownTopology


Expand Down Expand Up @@ -413,3 +414,185 @@ def test_kcm__simple_kinit(client: Client, kdc: KDC):
with pytest.raises(SSHProcessError):
krb.kinit(username, password="wrong")
assert krb.klist().rc == 0, "Klist failed"


@pytest.mark.importance("high")
@pytest.mark.topology(KnownTopology.Client)
def test_kcm__debug_log_enabled(client: Client, kdc: KDC):
"""
:title: Kcm debug is enabled after sssd-kcm restart, when
"debug_level" in kcm section is set to 9
:setup:
1. Add Kerberos principal "user1" to KDC
2. Add local user "user1"
3. Remove log files
4. Set "debug_level" in kcm config section to "0"
5. Remove kcm log files
6. Start SSSD
:steps:
1. Try to produce some debug messages e.g. kdestroy
2. Check that kcm debug messages were not generated
3. Set "debug_level" in kcm config section to "9"
4. Restart kcm
5. Try to produce some debug messages e.g. kdestroy
6. Check that kcm debug messages were generated
:expectedresults:
1. No messages were generated
2. Log file did not get bigger
3. Successfully set
4. Successfully restarted
5. Some messages were generated
6. Log file did get bigger
:customerscenario: False
"""

def kcm_log_length() -> int:
try:
output = client.fs.wc(kcm_log_file, lines=True).stdout
return int(output.split()[0])
except SSHProcessError:
return 0

user = "user1"
password = "Secret123"
kcm_log_file = "/var/log/sssd/sssd_kcm.log"

kdc.principal(user).add(password=password)
client.local.user(user).add(password=password)
client.sssd.common.kcm(kdc)

client.sssd.kcm["debug_level"] = "0"
client.sssd.config_apply()

client.ssh(user, password).exec(["rm", "-f", kcm_log_file], raise_on_error=False)
client.sssd.start()

start_log_length = kcm_log_length()

with client.ssh(user, password) as ssh:
with client.auth.kerberos(ssh) as krb:
krb.kdestroy()

end_log_nodebug = kcm_log_length()
assert start_log_length == end_log_nodebug, "Debug messages were generated"

client.sssd.kcm["debug_level"] = "9"
client.sssd.config_apply()
assert client.svc.restart("sssd-kcm").rc == 0, "Restart of kcm failed"

with client.ssh(user, password) as ssh:
with client.auth.kerberos(ssh) as krb:
krb.kdestroy()

end_log_debug = kcm_log_length()
assert start_log_length + 100 < end_log_debug, "Debug messages were not generated"


@pytest.mark.importance("high")
@pytest.mark.topology(KnownTopology.LDAP)
patriki01 marked this conversation as resolved.
Show resolved Hide resolved
def test_kcm_ssh_login_creates_kerberos_ticket(client: Client, ldap: LDAP, kdc: KDC):
"""
:title: kcm: Verify ssh login is successuful with kcm as default
:setup:
1. Add user and principal
2. Set kerberos as default auth provider
3. Start SSSD
:steps:
1. Authenticate as "user1" over SSH using kcm
:expectedresults:
1. Authenticated successfully
:customerscenario: False
"""
ldap.user("user1").add()
kdc.principal("user1").add()

client.sssd.common.krb5_auth(kdc)
client.sssd.start()

with client.ssh("user1", "Secret123") as ssh:
with client.auth.kerberos(ssh) as krb:
res = krb.klist()
assert res.rc == 0, "Klist failed"


@pytest.mark.importance("high")
@pytest.mark.topology(KnownTopology.Client)
def test_kcm__configure_max_uid_ccaches_with_different_values(client: Client, kdc: KDC):
"""
:title: "max_uid_ccaches" are enforced and limit only specific user
:setup:
1. Add local user "user0" and "user1"
2. Add 66 Kerberos principals to KDC
3. Start SSSD
:steps:
1. Authenticate as "user0" over SSH
2. Set "max_uid_ccaches" to "1" and check its enforcement
3. Remove "max_uid_ccaches" so its set to default
4. Check the enforcement of quotas
5. Set "max_uid_ccaches" to "65" and check its enforcement
6. Kinit principal "user65" as "user1"
7. Call kdestroy to destroy all caches as "user0"
8. Kinit principal "user64" as "user0"
:expectedresults:
1. Authenticated successfully
2. "max_uid_ccaches" are properly enforced
3. Removed successfully
4. "max_uid_ccaches" are properly enforced
5. "max_uid_ccaches" are properly enforced
6. Kinit is successful
7. Kdestroy is successful
8. Kinit is successful
:customerscenario: False
"""
user0 = "user0"
user1 = "user1"
password = "Secret123"
client.local.user(user0).add(password=password)
client.local.user(user1).add(password=password)

for i in range(66):
user = f"user{i}"
kdc.principal(user).add(password=password)

client.sssd.common.kcm(kdc)
client.sssd.start()

with client.ssh(user0, password) as ssh:
with client.auth.kerberos(ssh) as krb:

# max_uid_ccaches set to 1
client.sssd.kcm["max_uid_ccaches"] = "1"
client.sssd.config_apply()
client.svc.restart("sssd-kcm")
assert krb.kinit(user0, password=password).rc == 0
with pytest.raises(SSHProcessError):
krb.kinit(user1, password=password)

# max_uid_ccaches set to default (64)
client.sssd.config.remove_option("kcm", "max_uid_ccaches")
client.sssd.config_apply()
client.svc.restart("sssd-kcm")
for i in range(1, 64):
user = f"user{i}"
assert krb.kinit(user, password=password).rc == 0
with pytest.raises(SSHProcessError):
krb.kinit("user64", password=password)

# max_uid_ccaches set to 65
client.sssd.kcm["max_uid_ccaches"] = "65"
client.sssd.config_apply()
client.svc.restart("sssd-kcm")
assert krb.kinit("user64", password=password).rc == 0
with pytest.raises(SSHProcessError):
krb.kinit("user65", password=password)

# kinit as another user
with client.ssh(user1, password) as ssh:
with client.auth.kerberos(ssh) as krb:
assert krb.kinit("user65", password=password).rc == 0

# kdestroy and then kinit
with client.ssh("user0", password) as ssh:
with client.auth.kerberos(ssh) as krb:
assert krb.kdestroy(all=True).rc == 0
assert krb.kinit("user65", password=password).rc == 0
Loading