def test_removed_mc(ldap_conn, sanity_rfc2307):
"""
Regression test for ticket:
https://fedorahosted.org/sssd/ticket/2726
"""
ent.assert_passwd_by_name(
'user1',
dict(name='user1', passwd='*', uid=1001, gid=2001,
gecos='1001', shell='/bin/bash'))
ent.assert_passwd_by_uid(
1001,
dict(name='user1', passwd='*', uid=1001, gid=2001,
gecos='1001', shell='/bin/bash'))
ent.assert_group_by_name("group1", dict(name="group1", gid=2001))
ent.assert_group_by_gid(2001, dict(name="group1", gid=2001))
stop_sssd()
# remove cache without invalidation
for path in os.listdir(config.MCACHE_PATH):
os.unlink(config.MCACHE_PATH + "/" + path)
# sssd is stopped; so the memory cache should not be used
# in long living clients (py.test in this case)
with pytest.raises(KeyError):
pwd.getpwnam('user1')
with pytest.raises(KeyError):
pwd.getpwuid(1001)
with pytest.raises(KeyError):
grp.getgrnam('group1')
with pytest.raises(KeyError):
grp.getgrgid(2001)
def test_disabled_mc(ldap_conn, disable_memcache_rfc2307):
ent.assert_passwd_by_name(
'user1',
dict(name='user1', passwd='*', uid=1001, gid=2001,
gecos='1001', shell='/bin/bash'))
ent.assert_passwd_by_uid(
1001,
dict(name='user1', passwd='*', uid=1001, gid=2001,
gecos='1001', shell='/bin/bash'))
ent.assert_group_by_name("group1", dict(name="group1", gid=2001))
ent.assert_group_by_gid(2001, dict(name="group1", gid=2001))
assert_user_gids_equal('user1', [2000, 2001])
stop_sssd()
# sssd is stopped and the memory cache is disabled;
# so pytest should not be able to find anything
with pytest.raises(KeyError):
pwd.getpwnam('user1')
with pytest.raises(KeyError):
pwd.getpwuid(1001)
with pytest.raises(KeyError):
grp.getgrnam('group1')
with pytest.raises(KeyError):
grp.getgrgid(2001)
with pytest.raises(KeyError):
(res, errno, gids) = sssd_id.get_user_gids('user1')
def test_disabled_passwd_mc(ldap_conn, disable_pwd_mc_rfc2307):
ent.assert_passwd_by_name(
'user1',
dict(name='user1',
passwd='*',
uid=1001,
gid=2001,
gecos='1001',
shell='/bin/bash'))
ent.assert_passwd_by_uid(
1001,
dict(name='user1',
passwd='*',
uid=1001,
gid=2001,
gecos='1001',
shell='/bin/bash'))
ent.assert_group_by_name("group1", dict(name="group1", gid=2001))
ent.assert_group_by_gid(2001, dict(name="group1", gid=2001))
assert_user_gids_equal('user1', [2000, 2001])
stop_sssd()
# passwd cache is disabled, other caches should work
with pytest.raises(KeyError):
pwd.getpwnam('user1')
with pytest.raises(KeyError):
pwd.getpwuid(1001)
ent.assert_group_by_name("group1", dict(name="group1", gid=2001))
ent.assert_group_by_gid(2001, dict(name="group1", gid=2001))
assert_user_gids_equal('user1', [2000, 2001])
def assert_mc_records_for_user1():
ent.assert_passwd_by_name(
'user1',
dict(name='user1',
passwd='*',
uid=1001,
gid=2001,
gecos='1001',
shell='/bin/bash'))
ent.assert_passwd_by_uid(
1001,
dict(name='user1',
passwd='*',
uid=1001,
gid=2001,
gecos='1001',
shell='/bin/bash'))
ent.assert_group_by_name(
"group1", dict(mem=ent.contains_only("user1", "user11", "user21")))
ent.assert_group_by_gid(
2001, dict(mem=ent.contains_only("user1", "user11", "user21")))
ent.assert_group_by_name(
"group0x", dict(mem=ent.contains_only("user1", "user2", "user3")))
ent.assert_group_by_gid(
2000, dict(mem=ent.contains_only("user1", "user2", "user3")))
assert_initgroups_equal("user1", 2001, [2000, 2001])
def test_mc_zero_timeout(ldap_conn, zero_timeout_rfc2307):
"""
Test that the memory cache is not created at all with memcache_timeout=0
"""
# No memory cache files must be created
assert len(os.listdir(config.MCACHE_PATH)) == 0
ent.assert_passwd_by_name(
'user1',
dict(name='user1', passwd='*', uid=1001, gid=2001,
gecos='1001', shell='/bin/bash'))
ent.assert_passwd_by_uid(
1001,
dict(name='user1', passwd='*', uid=1001, gid=2001,
gecos='1001', shell='/bin/bash'))
ent.assert_group_by_name("group1", dict(name="group1", gid=2001))
ent.assert_group_by_gid(2001, dict(name="group1", gid=2001))
stop_sssd()
# sssd is stopped; so the memory cache should not be used
# in long living clients (py.test in this case)
with pytest.raises(KeyError):
pwd.getpwnam('user1')
with pytest.raises(KeyError):
pwd.getpwuid(1001)
with pytest.raises(KeyError):
grp.getgrnam('group1')
with pytest.raises(KeyError):
grp.getgrgid(2001)
def test_removed_mc(ldap_conn, sanity_rfc2307):
"""
Regression test for ticket:
https://fedorahosted.org/sssd/ticket/2726
"""
ent.assert_passwd_by_name(
'user1',
dict(name='user1', passwd='*', uid=1001, gid=2001,
gecos='1001', shell='/bin/bash'))
ent.assert_passwd_by_uid(
1001,
dict(name='user1', passwd='*', uid=1001, gid=2001,
gecos='1001', shell='/bin/bash'))
ent.assert_group_by_name("group1", dict(name="group1", gid=2001))
ent.assert_group_by_gid(2001, dict(name="group1", gid=2001))
stop_sssd()
# remove cache without invalidation
for path in os.listdir(config.MCACHE_PATH):
os.unlink(config.MCACHE_PATH + "/" + path)
# sssd is stopped; so the memory cache should not be used
# in long living clients (py.test in this case)
with pytest.raises(KeyError):
pwd.getpwnam('user1')
with pytest.raises(KeyError):
pwd.getpwuid(1001)
with pytest.raises(KeyError):
grp.getgrnam('group1')
with pytest.raises(KeyError):
grp.getgrgid(2001)
def run_simple_test_with_initgroups():
ent.assert_passwd_by_name(
'user1',
dict(name='user1',
passwd='*',
uid=1001,
gid=2001,
gecos='1001',
shell='/bin/bash'))
ent.assert_passwd_by_uid(
1001,
dict(name='user1',
passwd='*',
uid=1001,
gid=2001,
gecos='1001',
shell='/bin/bash'))
ent.assert_group_by_name(
"group1", dict(mem=ent.contains_only("user1", "user11", "user21")))
ent.assert_group_by_gid(
2001, dict(mem=ent.contains_only("user1", "user11", "user21")))
# unrelated group to user1
ent.assert_group_by_name(
"group2", dict(mem=ent.contains_only("user2", "user12", "user22")))
ent.assert_group_by_gid(
2002, dict(mem=ent.contains_only("user2", "user12", "user22")))
assert_initgroups_equal("user1", 2001, [2000, 2001])
def test_mc_zero_timeout(ldap_conn, zero_timeout_rfc2307):
"""
Test that the memory cache is not created at all with memcache_timeout=0
"""
# No memory cache files must be created
assert len(os.listdir(config.MCACHE_PATH)) == 0
ent.assert_passwd_by_name(
'user1',
dict(name='user1', passwd='*', uid=1001, gid=2001,
gecos='1001', shell='/bin/bash'))
ent.assert_passwd_by_uid(
1001,
dict(name='user1', passwd='*', uid=1001, gid=2001,
gecos='1001', shell='/bin/bash'))
ent.assert_group_by_name("group1", dict(name="group1", gid=2001))
ent.assert_group_by_gid(2001, dict(name="group1", gid=2001))
stop_sssd()
# sssd is stopped; so the memory cache should not be used
# in long living clients (py.test in this case)
with pytest.raises(KeyError):
pwd.getpwnam('user1')
with pytest.raises(KeyError):
pwd.getpwuid(1001)
with pytest.raises(KeyError):
grp.getgrnam('group1')
with pytest.raises(KeyError):
grp.getgrgid(2001)
def test_ldap_auto_private_groups_direct_no_gid(ldap_conn, mpg_setup_no_gid):
"""
Integration test for auto_private_groups - test that even a user with
no GID assigned at all can be resolved including their autogenerated
primary group.
See also ticket https://pagure.io/SSSD/sssd/issue/1872
"""
# Make sure the user's GID is taken from their uidNumber
ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001, gid=1001))
# Make sure the private group is resolvable by name and by GID
ent.assert_group_by_name("user1", dict(gid=1001, mem=ent.contains_only()))
ent.assert_group_by_gid(1001, dict(name="user1", mem=ent.contains_only()))
# The group referenced in user's gidNumber attribute should be still
# visible, but shouldn't have any relation to the user
ent.assert_group_by_name("group1", dict(gid=2001, mem=ent.contains_only()))
ent.assert_group_by_gid(2001, dict(name="group1", mem=ent.contains_only()))
# The user's secondary groups list must be correct as well. This time only
# the generated group and the explicit secondary group are added, since
# there is no original GID
user1_expected_gids = [1001, 2015]
(res, errno, gids) = sssd_id.call_sssd_initgroups("user1", 1001)
assert res == sssd_id.NssReturnCode.SUCCESS
assert sorted(gids) == sorted(user1_expected_gids), \
"result: %s\n expected %s" % (
", ".join(["%s" % s for s in sorted(gids)]),
", ".join(["%s" % s for s in sorted(user1_expected_gids)])
)
def run_simple_test_with_initgroups():
ent.assert_passwd_by_name(
'user1',
dict(name='user1', passwd='*', uid=1001, gid=2001,
gecos='1001', shell='/bin/bash'))
ent.assert_passwd_by_uid(
1001,
dict(name='user1', passwd='*', uid=1001, gid=2001,
gecos='1001', shell='/bin/bash'))
ent.assert_group_by_name(
"group1",
dict(mem=ent.contains_only("user1", "user11", "user21")))
ent.assert_group_by_gid(
2001,
dict(mem=ent.contains_only("user1", "user11", "user21")))
# unrelated group to user1
ent.assert_group_by_name(
"group2",
dict(mem=ent.contains_only("user2", "user12", "user22")))
ent.assert_group_by_gid(
2002,
dict(mem=ent.contains_only("user2", "user12", "user22")))
assert_initgroups_equal("user1", 2001, [2000, 2001])
def test_ldap_auto_private_groups_enumerate(ldap_conn,
sanity_rfc2307_bis_mpg):
"""
Test the auto_private_groups together with enumeration
"""
passwd_pattern = ent.contains_only(
dict(name='user1', passwd='*', uid=1001, gid=1001, gecos='1001',
dir='/home/user1', shell='/bin/bash'),
dict(name='user2', passwd='*', uid=1002, gid=1002, gecos='1002',
dir='/home/user2', shell='/bin/bash'),
dict(name='user3', passwd='*', uid=1003, gid=1003, gecos='1003',
dir='/home/user3', shell='/bin/bash')
)
ent.assert_passwd(passwd_pattern)
group_pattern = ent.contains_only(
dict(name='user1', passwd='*', gid=1001, mem=ent.contains_only()),
dict(name='user2', passwd='*', gid=1002, mem=ent.contains_only()),
dict(name='user3', passwd='*', gid=1003, mem=ent.contains_only()),
dict(name='group1', passwd='*', gid=2001, mem=ent.contains_only()),
dict(name='group2', passwd='*', gid=2002, mem=ent.contains_only()),
dict(name='group3', passwd='*', gid=2003, mem=ent.contains_only()),
dict(name='empty_group1', passwd='*', gid=2010,
mem=ent.contains_only()),
dict(name='empty_group2', passwd='*', gid=2011,
mem=ent.contains_only()),
dict(name='two_user_group', passwd='*', gid=2012,
mem=ent.contains_only("user1", "user2")),
dict(name='group_empty_group', passwd='*', gid=2013,
mem=ent.contains_only()),
dict(name='group_two_empty_groups', passwd='*', gid=2014,
mem=ent.contains_only()),
dict(name='one_user_group1', passwd='*', gid=2015,
mem=ent.contains_only("user1")),
dict(name='one_user_group2', passwd='*', gid=2016,
mem=ent.contains_only("user2")),
dict(name='group_one_user_group', passwd='*', gid=2017,
mem=ent.contains_only("user1")),
dict(name='group_two_user_group', passwd='*', gid=2018,
mem=ent.contains_only("user1", "user2")),
dict(name='group_two_one_user_groups', passwd='*', gid=2019,
mem=ent.contains_only("user1", "user2"))
)
ent.assert_group(group_pattern)
with pytest.raises(KeyError):
grp.getgrnam("conflict1")
ent.assert_group_by_gid(1002, dict(name="user2", mem=ent.contains_only()))
def test_ldap_auto_private_groups_enumerate(ldap_conn,
sanity_rfc2307_bis_mpg):
"""
Test the auto_private_groups together with enumeration
"""
passwd_pattern = ent.contains_only(
dict(name='user1', passwd='*', uid=1001, gid=1001, gecos='1001',
dir='/home/user1', shell='/bin/bash'),
dict(name='user2', passwd='*', uid=1002, gid=1002, gecos='1002',
dir='/home/user2', shell='/bin/bash'),
dict(name='user3', passwd='*', uid=1003, gid=1003, gecos='1003',
dir='/home/user3', shell='/bin/bash')
)
ent.assert_passwd(passwd_pattern)
group_pattern = ent.contains_only(
dict(name='user1', passwd='*', gid=1001, mem=ent.contains_only()),
dict(name='user2', passwd='*', gid=1002, mem=ent.contains_only()),
dict(name='user3', passwd='*', gid=1003, mem=ent.contains_only()),
dict(name='group1', passwd='*', gid=2001, mem=ent.contains_only()),
dict(name='group2', passwd='*', gid=2002, mem=ent.contains_only()),
dict(name='group3', passwd='*', gid=2003, mem=ent.contains_only()),
dict(name='empty_group1', passwd='*', gid=2010,
mem=ent.contains_only()),
dict(name='empty_group2', passwd='*', gid=2011,
mem=ent.contains_only()),
dict(name='two_user_group', passwd='*', gid=2012,
mem=ent.contains_only("user1", "user2")),
dict(name='group_empty_group', passwd='*', gid=2013,
mem=ent.contains_only()),
dict(name='group_two_empty_groups', passwd='*', gid=2014,
mem=ent.contains_only()),
dict(name='one_user_group1', passwd='*', gid=2015,
mem=ent.contains_only("user1")),
dict(name='one_user_group2', passwd='*', gid=2016,
mem=ent.contains_only("user2")),
dict(name='group_one_user_group', passwd='*', gid=2017,
mem=ent.contains_only("user1")),
dict(name='group_two_user_group', passwd='*', gid=2018,
mem=ent.contains_only("user1", "user2")),
dict(name='group_two_one_user_groups', passwd='*', gid=2019,
mem=ent.contains_only("user1", "user2"))
)
ent.assert_group(group_pattern)
with pytest.raises(KeyError):
grp.getgrnam("conflict1")
ent.assert_group_by_gid(1002, dict(name="user2", mem=ent.contains_only()))
def test_assert_group_by_gid(users_and_groups):
ent.assert_group_by_gid(2001, {})
ent.assert_group_by_gid(2001, dict(name="group1", gid=2001))
ent.assert_group_by_gid(2001, GROUP1)
try:
ent.assert_group_by_gid(2003, {})
assert False
except AssertionError as e:
assert str(e) == "'getgrgid(): gid not found: 2003'"
try:
ent.assert_group_by_gid(2002, dict(name="group1"))
assert False
except AssertionError as e:
assert str(e) == "'name' mismatch: 'group1' != 'group2'"
def test_assert_group_by_gid(users_and_groups):
ent.assert_group_by_gid(2001, {})
ent.assert_group_by_gid(2001, dict(name="group1", gid=2001))
ent.assert_group_by_gid(2001, GROUP1)
try:
ent.assert_group_by_gid(2003, {})
assert False
except AssertionError as e:
assert str(e) == "'getgrgid(): gid not found: 2003'"
try:
ent.assert_group_by_gid(2002, dict(name="group1"))
assert False
except AssertionError as e:
assert str(e) == "'name' mismatch: 'group1' != 'group2'"
def test_disabled_initgr_mc(ldap_conn, disable_initgr_mc_rfc2307):
ent.assert_passwd_by_name(
'user1',
dict(name='user1',
passwd='*',
uid=1001,
gid=2001,
gecos='1001',
shell='/bin/bash'))
ent.assert_passwd_by_uid(
1001,
dict(name='user1',
passwd='*',
uid=1001,
gid=2001,
gecos='1001',
shell='/bin/bash'))
ent.assert_group_by_name("group1", dict(name="group1", gid=2001))
ent.assert_group_by_gid(2001, dict(name="group1", gid=2001))
assert_user_gids_equal('user1', [2000, 2001])
stop_sssd()
# initgroups is disabled, other caches should work
ent.assert_passwd_by_name(
'user1',
dict(name='user1',
passwd='*',
uid=1001,
gid=2001,
gecos='1001',
shell='/bin/bash'))
ent.assert_passwd_by_uid(
1001,
dict(name='user1',
passwd='*',
uid=1001,
gid=2001,
gecos='1001',
shell='/bin/bash'))
ent.assert_group_by_name("group1", dict(name="group1", gid=2001))
ent.assert_group_by_gid(2001, dict(name="group1", gid=2001))
assert_unsuccessful_initgr('user1')
def test_invalidation_of_gids_after_initgroups(ldap_conn, sanity_rfc2307):
# the sssd cache was empty and not all user's group were
# resolved with getgr{nm,gid}. Therefore there is a change in
# group membership => user groups should be invalidated
run_simple_test_with_initgroups()
assert_initgroups_equal("user1", 2001, [2000, 2001])
stop_sssd()
ent.assert_passwd_by_name(
'user1',
dict(name='user1',
passwd='*',
uid=1001,
gid=2001,
gecos='1001',
shell='/bin/bash'))
ent.assert_passwd_by_uid(
1001,
dict(name='user1',
passwd='*',
uid=1001,
gid=2001,
gecos='1001',
shell='/bin/bash'))
# unrelated group to user1 must be returned
ent.assert_group_by_name(
"group2", dict(mem=ent.contains_only("user2", "user12", "user22")))
ent.assert_group_by_gid(
2002, dict(mem=ent.contains_only("user2", "user12", "user22")))
assert_initgroups_equal("user1", 2001, [2000, 2001])
# user groups must be invalidated
for group in ["group1", "group0x"]:
with pytest.raises(KeyError):
grp.getgrnam(group)
for gid in [2000, 2001]:
with pytest.raises(KeyError):
grp.getgrgid(gid)
def test_ldap_auto_private_groups_conflict(ldap_conn, mpg_setup_conflict):
"""
Make sure that conflicts between groups that are auto-created with the
help of the auto_private_groups option and between 'real' LDAP groups
are handled in a predictable manner.
"""
# Make sure the user's GID is taken from their uidNumber
ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001, gid=1001))
# Make sure the private group is resolvable by name and by GID
ent.assert_group_by_name("user1", dict(gid=1001, mem=ent.contains_only()))
ent.assert_group_by_gid(1001, dict(name="user1", mem=ent.contains_only()))
# Let's request the group with the same ID as user2's private group
# The request should match the 'real' group
ent.assert_group_by_gid(1002, dict(name="group2", mem=ent.contains_only()))
# But because of the GID conflict, the user cannot be resolved
with pytest.raises(KeyError):
pwd.getpwnam("user2")
# This user's GID is the same as the UID in this entry. The most important
# thing here is that the supplementary groups are correct and the GID
# resolves to the private group (as long as the user was requested first)
user3_expected_gids = [1003, 2015]
ent.assert_passwd_by_name("user3", dict(name="user3", uid=1003, gid=1003))
(res, errno, gids) = sssd_id.call_sssd_initgroups("user3", 1003)
assert res == sssd_id.NssReturnCode.SUCCESS
assert sorted(gids) == sorted(user3_expected_gids), \
"result: %s\n expected %s" % (
", ".join(["%s" % s for s in sorted(gids)]),
", ".join(["%s" % s for s in sorted(user3_expected_gids)])
)
# Make sure the private group is resolvable by name and by GID
ent.assert_group_by_gid(1003, dict(name="user3", mem=ent.contains_only()))
ent.assert_group_by_name("user3", dict(gid=1003, mem=ent.contains_only()))
def test_invalidation_of_gids_after_initgroups(ldap_conn, sanity_rfc2307):
# the sssd cache was empty and not all user's group were
# resolved with getgr{nm,gid}. Therefore there is a change in
# group membership => user groups should be invalidated
run_simple_test_with_initgroups()
assert_initgroups_equal("user1", 2001, [2000, 2001])
stop_sssd()
ent.assert_passwd_by_name(
'user1',
dict(name='user1', passwd='*', uid=1001, gid=2001,
gecos='1001', shell='/bin/bash'))
ent.assert_passwd_by_uid(
1001,
dict(name='user1', passwd='*', uid=1001, gid=2001,
gecos='1001', shell='/bin/bash'))
# unrelated group to user1 must be returned
ent.assert_group_by_name(
"group2",
dict(mem=ent.contains_only("user2", "user12", "user22")))
ent.assert_group_by_gid(
2002,
dict(mem=ent.contains_only("user2", "user12", "user22")))
assert_initgroups_equal("user1", 2001, [2000, 2001])
# user groups must be invalidated
for group in ["group1", "group0x"]:
with pytest.raises(KeyError):
grp.getgrnam(group)
for gid in [2000, 2001]:
with pytest.raises(KeyError):
grp.getgrgid(gid)
def assert_mc_records_for_user1():
ent.assert_passwd_by_name(
'user1',
dict(name='user1', passwd='*', uid=1001, gid=2001,
gecos='1001', shell='/bin/bash'))
ent.assert_passwd_by_uid(
1001,
dict(name='user1', passwd='*', uid=1001, gid=2001,
gecos='1001', shell='/bin/bash'))
ent.assert_group_by_name(
"group1",
dict(mem=ent.contains_only("user1", "user11", "user21")))
ent.assert_group_by_gid(
2001,
dict(mem=ent.contains_only("user1", "user11", "user21")))
ent.assert_group_by_name(
"group0x",
dict(mem=ent.contains_only("user1", "user2", "user3")))
ent.assert_group_by_gid(
2000,
dict(mem=ent.contains_only("user1", "user2", "user3")))
assert_initgroups_equal("user1", 2001, [2000, 2001])
def test_getgrnam_simple(ldap_conn, sanity_rfc2307):
ent.assert_group_by_name("group1", dict(name="group1", gid=2001))
ent.assert_group_by_gid(2001, dict(name="group1", gid=2001))
ent.assert_group_by_name("group2", dict(name="group2", gid=2002))
ent.assert_group_by_gid(2002, dict(name="group2", gid=2002))
ent.assert_group_by_name("group3", dict(name="group3", gid=2003))
ent.assert_group_by_gid(2003, dict(name="group3", gid=2003))
ent.assert_group_by_name("group0x", dict(name="group0x", gid=2000))
ent.assert_group_by_gid(2000, dict(name="group0x", gid=2000))
ent.assert_group_by_name("group1x", dict(name="group1x", gid=2010))
ent.assert_group_by_gid(2010, dict(name="group1x", gid=2010))
ent.assert_group_by_name("group2x", dict(name="group2x", gid=2020))
ent.assert_group_by_gid(2020, dict(name="group2x", gid=2020))
def test_ldap_auto_private_groups_direct(ldap_conn, mpg_setup):
"""
Integration test for auto_private_groups
See also ticket https://pagure.io/SSSD/sssd/issue/1872
"""
# Make sure the user's GID is taken from their uidNumber
ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001, gid=1001))
# Make sure the private group is resolvable by name and by GID
ent.assert_group_by_name("user1", dict(gid=1001, mem=ent.contains_only()))
ent.assert_group_by_gid(1001, dict(name="user1", mem=ent.contains_only()))
# The group referenced in user's gidNumber attribute should be still
# visible, but it's fine that it doesn't contain the user as a member
# as the group is currently added during the initgroups operation only
ent.assert_group_by_name("group1", dict(gid=2001, mem=ent.contains_only()))
ent.assert_group_by_gid(2001, dict(name="group1", mem=ent.contains_only()))
# The user's secondary groups list must be correct as well
# Note that the original GID is listed as well -- this is correct and expected
# because we save the original GID in the SYSDB_PRIMARY_GROUP_GIDNUM attribute
user1_expected_gids = [1001, 2001, 2012, 2015]
(res, errno, gids) = sssd_id.call_sssd_initgroups("user1", 1001)
assert res == sssd_id.NssReturnCode.SUCCESS
assert sorted(gids) == sorted(user1_expected_gids), \
"result: %s\n expected %s" % (
", ".join(["%s" % s for s in sorted(gids)]),
", ".join(["%s" % s for s in sorted(user1_expected_gids)])
)
# Request user2's private group by GID without resolving the user first.
# This must trigger user resolution through by-GID resolution, since the GID
# doesn't exist on its own in LDAP
ent.assert_group_by_gid(1002, dict(name="user2", mem=ent.contains_only()))
# Test supplementary groups for user2 as well
user1_expected_gids = [1002, 2002, 2012, 2016]
(res, errno, gids) = sssd_id.call_sssd_initgroups("user2", 1002)
assert res == sssd_id.NssReturnCode.SUCCESS
assert sorted(gids) == sorted(user1_expected_gids), \
"result: %s\n expected %s" % (
", ".join(["%s" % s for s in sorted(gids)]),
", ".join(["%s" % s for s in sorted(user1_expected_gids)])
)
# Request user3's private group by name without resolving the user first
# This must trigger user resolution through by-name resolution, since the
# name doesn't exist on its own in LDAP
ent.assert_group_by_name("user3", dict(gid=1003, mem=ent.contains_only()))
# Remove entries and request them again to make sure they are not
# resolvable anymore
cleanup_ldap_entries(ldap_conn, None)
if subprocess.call(["sss_cache", "-GU"]) != 0:
raise Exception("sssd_cache failed")
with pytest.raises(KeyError):
pwd.getpwnam("user1")
with pytest.raises(KeyError):
grp.getgrnam("user1")
with pytest.raises(KeyError):
grp.getgrgid(1002)
with pytest.raises(KeyError):
grp.getgrnam("user3")
def test_getgrnam_membership(ldap_conn, sanity_rfc2307):
ent.assert_group_by_name(
"group1",
dict(mem=ent.contains_only("user1", "user11", "user21")))
ent.assert_group_by_gid(
2001,
dict(mem=ent.contains_only("user1", "user11", "user21")))
ent.assert_group_by_name(
"group2",
dict(mem=ent.contains_only("user2", "user12", "user22")))
ent.assert_group_by_gid(
2002,
dict(mem=ent.contains_only("user2", "user12", "user22")))
ent.assert_group_by_name(
"group3",
dict(mem=ent.contains_only("user3", "user13", "user23")))
ent.assert_group_by_gid(
2003,
dict(mem=ent.contains_only("user3", "user13", "user23")))
ent.assert_group_by_name(
"group0x",
dict(mem=ent.contains_only("user1", "user2", "user3")))
ent.assert_group_by_gid(
2000,
dict(mem=ent.contains_only("user1", "user2", "user3")))
ent.assert_group_by_name(
"group1x",
dict(mem=ent.contains_only("user11", "user12", "user13")))
ent.assert_group_by_gid(
2010,
dict(mem=ent.contains_only("user11", "user12", "user13")))
ent.assert_group_by_name(
"group2x",
dict(mem=ent.contains_only("user21", "user22", "user23")))
ent.assert_group_by_gid(
2020,
dict(mem=ent.contains_only("user21", "user22", "user23")))
def test_getgrnam_simple(ldap_conn, sanity_rfc2307):
ent.assert_group_by_name("group1", dict(name="group1", gid=2001))
ent.assert_group_by_gid(2001, dict(name="group1", gid=2001))
ent.assert_group_by_name("group2", dict(name="group2", gid=2002))
ent.assert_group_by_gid(2002, dict(name="group2", gid=2002))
ent.assert_group_by_name("group3", dict(name="group3", gid=2003))
ent.assert_group_by_gid(2003, dict(name="group3", gid=2003))
ent.assert_group_by_name("group0x", dict(name="group0x", gid=2000))
ent.assert_group_by_gid(2000, dict(name="group0x", gid=2000))
ent.assert_group_by_name("group1x", dict(name="group1x", gid=2010))
ent.assert_group_by_gid(2010, dict(name="group1x", gid=2010))
ent.assert_group_by_name("group2x", dict(name="group2x", gid=2020))
ent.assert_group_by_gid(2020, dict(name="group2x", gid=2020))
except AssertionError, e:
assert str(e) == "'name' mismatch: 'group1' != 'group2'"
def test_assert_group_by_gid(users_and_groups):
ent.assert_group_by_gid(2001, {})
ent.assert_group_by_gid(2001, dict(name="group1", gid=2001))
ent.assert_group_by_gid(2001, GROUP1)
try:
ent.assert_group_by_gid(2003, {})
assert False
except AssertionError, e:
assert str(e) == "'getgrgid(): gid not found: 2003'"
try:
ent.assert_group_by_gid(2002, dict(name="group1"))
assert False
except AssertionError, e:
assert str(e) == "'name' mismatch: 'group1' != 'group2'"
def test_assert_group_list(users_and_groups):
ent.assert_group_list(ent.contains())
ent.assert_group_list(ent.contains(GROUP1))
ent.assert_group_list(ent.contains_only(*GROUP_LIST))
try:
ent.assert_group_list(ent.contains_only())
assert False
except AssertionError, e:
assert not re.search("expected groups not found:", str(e))
assert re.search("unexpected groups found:", str(e))
def test_getgrnam_membership(ldap_conn, sanity_rfc2307):
ent.assert_group_by_name(
"group1", dict(mem=ent.contains_only("user1", "user11", "user21")))
ent.assert_group_by_gid(
2001, dict(mem=ent.contains_only("user1", "user11", "user21")))
ent.assert_group_by_name(
"group2", dict(mem=ent.contains_only("user2", "user12", "user22")))
ent.assert_group_by_gid(
2002, dict(mem=ent.contains_only("user2", "user12", "user22")))
ent.assert_group_by_name(
"group3", dict(mem=ent.contains_only("user3", "user13", "user23")))
ent.assert_group_by_gid(
2003, dict(mem=ent.contains_only("user3", "user13", "user23")))
ent.assert_group_by_name(
"group0x", dict(mem=ent.contains_only("user1", "user2", "user3")))
ent.assert_group_by_gid(
2000, dict(mem=ent.contains_only("user1", "user2", "user3")))
ent.assert_group_by_name(
"group1x", dict(mem=ent.contains_only("user11", "user12", "user13")))
ent.assert_group_by_gid(
2010, dict(mem=ent.contains_only("user11", "user12", "user13")))
ent.assert_group_by_name(
"group2x", dict(mem=ent.contains_only("user21", "user22", "user23")))
ent.assert_group_by_gid(
2020, dict(mem=ent.contains_only("user21", "user22", "user23")))
assert str(e) == "'name' mismatch: 'group1' != 'group2'"
def test_assert_group_by_gid(users_and_groups):
ent.assert_group_by_gid(2001, {})
ent.assert_group_by_gid(2001, dict(name="group1", gid=2001))
ent.assert_group_by_gid(2001, GROUP1)
try:
ent.assert_group_by_gid(2003, {})
assert False
except AssertionError, e:
assert str(e) == "'getgrgid(): gid not found: 2003'"
try:
ent.assert_group_by_gid(2002, dict(name="group1"))
assert False
except AssertionError, e:
assert str(e) == "'name' mismatch: 'group1' != 'group2'"
def test_assert_group_list(users_and_groups):
ent.assert_group_list(ent.contains())
ent.assert_group_list(ent.contains(GROUP1))
ent.assert_group_list(ent.contains_only(*GROUP_LIST))
try:
ent.assert_group_list(ent.contains_only())
assert False
except AssertionError, e:
assert not re.search("expected groups not found:", str(e))
assert re.search("unexpected groups found:", str(e))
