Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Tests: sudo defaults rule #7255

Closed
wants to merge 1 commit into from
Closed

Tests: sudo defaults rule #7255

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
65 changes: 65 additions & 0 deletions src/tests/system/tests/test_sudo.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -556,3 +556,68 @@ def test_sudo__local_users_negative_cache(client: Client, provider: LDAP, sssd_s

result = client.tools.tshark(["-r", "/tmp/sssd.pcap", "-V", "-2", "-R", "ldap.filter"])
assert "uid=user-1" not in result.stdout


@pytest.mark.importance("critical")
@pytest.mark.authorization
@pytest.mark.topology(KnownTopologyGroup.AnyProvider)
def test_sudo__defaults_set_no_auth_and_sudorule_has_auth_undefined(client: Client, provider: GenericProvider):
"""
:title: defaults sudo entry set !authentication and a sudo rule with undefined authentication
:setup:
1. Create user "user-1"
2. Create an entry in cn=sudoers container defaults with option '!authenticate'
3. Create a sudorule named allow-user-1 to allow user-1 to run all commands on all hosts, keep
authentication option unset
4. Enable SSSD sudo responder
5. Start SSSD
:steps:
1. List sudo rules for "user-1"
2. Run "sudo /bin/ls root" as user-1
:expectedresults:
1. User is able to run sudo commands on client with password authentication
2. Command is successful without password authentication
:customerscenario: False
"""
provider.user("user-1").add()
provider.sudorule("defaults").add(option="!authenticate")
provider.sudorule("allow-user-1").add(user="user-1", host="ALL", command="ALL")

client.sssd.common.sudo()
client.sssd.start()

assert client.auth.sudo.list("user-1", expected=["(root) ALL"])
assert client.auth.sudo.run("user-1", command="/bin/ls /root")


@pytest.mark.importance("critical")
@pytest.mark.authorization
@pytest.mark.topology(KnownTopologyGroup.AnyProvider)
def test_sudo__defaults_set_no_auth_and_sudo_rule_has_mandatory_auth(client: Client, provider: GenericProvider):
"""
:title: defaults sudo entry set !authentication and a sudorule has mandatory authentication
:setup:
1. Create user "user-1"
2. Create a sudorule named defaults with option '!authenticate'
3. Create a sudorule named allow-user-1 to allow user-1 to run all commands on all hosts with authentication
forced
4. Enable SSSD sudo responder
5. Start SSSD
:steps:
1. List sudo rules for "user-1"
2. Run "sudo /bin/ls root" as user-1
:expectedresults:
1. User should be able to run sudo commands on client with mandatory password authentication
2. Command is successful only with password authentication
:customerscenario: False
"""
provider.user("user-1").add()
provider.sudorule("defaults").add(option="!authenticate")
provider.sudorule("allow-user-1").add(user="user-1", host="ALL", command="ALL", option="authenticate")

client.sssd.common.sudo()
client.sssd.start()

assert client.auth.sudo.list("user-1", expected=["(root) PASSWD: ALL"])
assert not client.auth.sudo.run("user-1", command="/bin/ls /root")
assert client.auth.sudo.run("user-1", "Secret123", command="/bin/ls /root")
Loading