Beispiel #1
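def test_getgrnam_add_remove_ghosts(setup_pw_with_canary,
                                    add_group_nomem_with_canary,
                                    files_domain_only):
    """
    Test that a group stops resolving through SSSD once it lists members
    that SSSD cannot resolve as users, and stays unresolved while any such
    member remains.

    GROUP_NOMEM is first verified with check_group(). It is then modified
    to list user1 and user2, and afterwards only user2. After each change
    the SSSD group lookup must return NOTFOUND. Finally neither user1 nor
    user2 may resolve as a user through SSSD.
    """
    # NOTE(review): setup_pw_with_canary is not used in the body; it is
    # presumably requested only for its fixture setup -- confirm.
    check_group(GROUP_NOMEM)

    modgroup = dict(GROUP_NOMEM)
    for members in (['user1', 'user2'], ['user2']):
        modgroup['mem'] = members
        add_group_nomem_with_canary.groupmod(old_name=modgroup['name'],
                                             **modgroup)
        # Fixed delay before the lookup. If the change has not been picked
        # up within this second the assertion below fails, so this step is
        # timing sensitive.
        time.sleep(1)
        res, _ = call_sssd_getgrnam(modgroup['name'])
        assert res == sssd_id.NssReturnCode.NOTFOUND

    # Neither member was ever created as a user, so SSSD must not answer
    # for them either.
    for username in ('user1', 'user2'):
        res, _ = call_sssd_getpwnam(username)
        assert res == NssReturnCode.NOTFOUND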
Beispiel #2
def test_root_group_does_not_resolve(files_domain_only):
    """
    The root group is resolvable through the system NSS interface, but
    SSSD itself currently answers NOTFOUND for it.
    """
    # grp.getgrnam() raises KeyError for a missing entry, so reaching the
    # assertion already means the system lookup of root succeeded.
    assert grp.getgrnam("root") is not None

    # Asking SSSD directly must not produce an answer for root.
    status, _ = call_sssd_getgrnam("root")
    assert status == NssReturnCode.NOTFOUND
Beispiel #3
def test_root_group_does_not_resolve(files_domain_only):
    """
    The root group is resolvable through the system NSS interface, but
    SSSD itself currently answers NOTFOUND for it.
    """
    # grp.getgrnam() raises KeyError for a missing entry, so reaching the
    # assertion already means the system lookup of root succeeded.
    assert grp.getgrnam("root") is not None

    # Asking SSSD directly must not produce an answer for root.
    status, _ = call_sssd_getgrnam("root")
    assert status == NssReturnCode.NOTFOUND
Beispiel #4
def test_add_remove_add_file_group(setup_gr_with_canary, files_domain_only):
    """
    Test that SSSD follows a group through an add, remove, add cycle.

    GROUP1 must be unknown at the start, resolve after it is added, be
    unknown again after it is deleted, and resolve once more after the
    second add. Repeating the change is meant to exercise that the inotify
    watch is retained for moved and unlinked files.
    """
    group_name = GROUP1["name"]

    # Starting state: the group does not exist yet.
    status, _ = call_sssd_getgrnam(group_name)
    assert status == NssReturnCode.NOTFOUND

    # First add.
    setup_gr_with_canary.groupadd(**GROUP1)
    check_group(GROUP1)

    # Removal: wait a fixed second, then the stale entry must be gone.
    setup_gr_with_canary.groupdel(group_name)
    time.sleep(1)
    status, _ = call_sssd_getgrnam(group_name)
    assert status == NssReturnCode.NOTFOUND

    # Second add must be detected as well.
    setup_gr_with_canary.groupadd(**GROUP1)
    check_group(GROUP1)
Beispiel #5
def test_add_remove_add_file_group(setup_gr_with_canary, files_domain_only):
    """
    Test that SSSD follows a group through an add, remove, add cycle.

    GROUP1 must be unknown at the start, resolve after it is added, be
    unknown again after it is deleted, and resolve once more after the
    second add. Repeating the change is meant to exercise that the inotify
    watch is retained for moved and unlinked files.
    """
    group_name = GROUP1["name"]

    # Starting state: the group does not exist yet.
    status, _ = call_sssd_getgrnam(group_name)
    assert status == NssReturnCode.NOTFOUND

    # First add.
    setup_gr_with_canary.groupadd(**GROUP1)
    check_group(GROUP1)

    # Removal: wait a fixed second, then the stale entry must be gone.
    setup_gr_with_canary.groupdel(group_name)
    time.sleep(1)
    status, _ = call_sssd_getgrnam(group_name)
    assert status == NssReturnCode.NOTFOUND

    # Second add must be detected as well.
    setup_gr_with_canary.groupadd(**GROUP1)
    check_group(GROUP1)
Beispiel #6
def test_nss_filters_cached(ldap_conn, sanity_nss_filter_cached):
    """
    Check that filtered users and groups stay hidden and that root is
    never answered by SSSD.

    user1/user3 and group1/group3 must resolve with the expected fields.
    UID 1002 and GID 2002 must raise KeyError both immediately and again
    after a two-second wait. The root name, UID 0 and GID 0 must return
    NOTFOUND from SSSD for both the passwd and the group map.
    """
    visible_users = [
        {'name': 'user1', 'passwd': '*', 'uid': 1001, 'gid': 2001,
         'gecos': '1001', 'dir': '/home/user1', 'shell': '/bin/bash'},
        {'name': 'user3', 'passwd': '*', 'uid': 1003, 'gid': 2003,
         'gecos': '1003', 'dir': '/home/user3', 'shell': '/bin/bash'},
    ]
    ent.assert_each_passwd_by_name(expected_list_to_name_dict(visible_users))

    # The filtered user must be hidden on the first lookup and still be
    # hidden when asked again after the wait.
    # NOTE(review): the second lookup presumably exercises the cached
    # answer -- confirm against the fixture.
    with pytest.raises(KeyError):
        pwd.getpwuid(1002)
    time.sleep(2)
    with pytest.raises(KeyError):
        pwd.getpwuid(1002)

    visible_groups = [
        {'name': 'group1', 'passwd': '*', 'gid': 2001,
         'mem': ent.contains_only()},
        {'name': 'group3', 'passwd': '*', 'gid': 2003,
         'mem': ent.contains_only()},
    ]
    ent.assert_each_group_by_name(expected_list_to_name_dict(visible_groups))

    # Same double check for the filtered group.
    with pytest.raises(KeyError):
        grp.getgrgid(2002)
    time.sleep(2)
    with pytest.raises(KeyError):
        grp.getgrgid(2002)

    # Regression test for upstream ticket #3460: root must always be
    # filtered, even if filter_users contains other entries. The name and
    # numeric paths are checked for both maps, so a filter that covers
    # only one of them would be caught.
    root_lookups = (
        (call_sssd_getpwnam, "root"),
        (call_sssd_getgrnam, "root"),
        (call_sssd_getpwuid, 0),
        (call_sssd_getgrgid, 0),
    )
    for lookup, key in root_lookups:
        status, _ = lookup(key)
        assert status == NssReturnCode.NOTFOUND
Beispiel #7
def test_getgrnam_ghost(setup_pw_with_canary, setup_gr_with_canary,
                        files_domain_only):
    """
    Test that a group is not found through SSSD (and is left to nss_files)
    when it has ghost members.

    GROUP12 is set up with an empty user list, so none of its members
    exists as a user. Neither the group nor any of its members may resolve
    through SSSD.
    """
    no_users = []
    user_and_group_setup(setup_pw_with_canary, setup_gr_with_canary,
                         no_users, [GROUP12], False)
    time.sleep(1)

    status, _ = call_sssd_getgrnam(GROUP12["name"])
    assert status == NssReturnCode.NOTFOUND

    # Every listed member is only a name in the group entry; none of them
    # may be answered as a user.
    for ghost in GROUP12['mem']:
        status, _ = call_sssd_getpwnam(ghost)
        assert status == NssReturnCode.NOTFOUND
Beispiel #8
def ghost_and_member_test(pw_ops, grp_ops, reverse):
    """
    Set up USER1 and GROUP12, then check how SSSD treats a group that has
    one existing member and one ghost member.

    pw_ops, grp_ops and reverse are handed unchanged to
    user_and_group_setup().
    NOTE(review): reverse presumably selects the creation order -- confirm
    against user_and_group_setup().
    """
    user_and_group_setup(pw_ops, grp_ops, [USER1], [GROUP12], reverse)
    time.sleep(1)

    # The group itself must not be answered by SSSD.
    status, _ = call_sssd_getgrnam(GROUP12["name"])
    assert status == NssReturnCode.NOTFOUND

    # Per the original comment, group12 lists both user1 and user2, but
    # only USER1 was created above. user1 must therefore resolve with two
    # groups, group12 and its own primary GID, while user2 is only a ghost
    # entry.
    status, memberships = sssd_id_sync('user1')
    assert status == sssd_id.NssReturnCode.SUCCESS
    assert len(memberships) == 2
    assert 'group12' in memberships

    # The ghost must not resolve as a user.
    status, _ = call_sssd_getpwnam('user2')
    assert status == NssReturnCode.NOTFOUND
Beispiel #9
def sssd_getgrnam_sync(name):
    """
    Look up group *name* through SSSD after polling for the canary group.

    Returns whatever call_sssd_getgrnam(name) returns, or
    (NssReturnCode.NOTFOUND, None) when poll_canary() reports False.
    """
    canary_seen = poll_canary(call_sssd_getgrnam, CANARY_GR["name"])
    if canary_seen is not False:
        return call_sssd_getgrnam(name)

    # A failed canary poll is reported with the same code as a group that
    # does not exist. Callers asserting NOTFOUND cannot tell the two cases
    # apart from the return value alone.
    return NssReturnCode.NOTFOUND, None
Beispiel #10
def sssd_getgrnam_sync(name):
    """
    Look up group *name* through SSSD after polling for the canary group.

    Returns whatever call_sssd_getgrnam(name) returns, or
    (NssReturnCode.NOTFOUND, None) when poll_canary() reports False.
    """
    canary_seen = poll_canary(call_sssd_getgrnam, CANARY_GR["name"])
    if canary_seen is not False:
        return call_sssd_getgrnam(name)

    # A failed canary poll is reported with the same code as a group that
    # does not exist. Callers asserting NOTFOUND cannot tell the two cases
    # apart from the return value alone.
    return NssReturnCode.NOTFOUND, None