def test_sudo_rule_restricted_to_one_hostmask_setup(self):
# We need to detect the hostmask first
full_ip = get_host_ip_with_hostmask(self.client)
# Make a note for the next test, which needs to be skipped
# if hostmask detection failed
self.__class__.skip_hostmask_based = False
if not full_ip:
self.__class__.skip_hostmask_based = True
raise pytest.skip("Hostmask could not be detected")
self.master.run_command([
'ipa', '-n', 'sudorule-add-host', 'testrule', '--hostmask', full_ip
])
# SSSD >= 1.13.3-3 uses native IPA schema instead of compat entries to
# pull in sudoers. Since native schema does not (yet) support
# hostmasks, we need to point ldap_sudo_search_base to the old schema
domain = self.client.domain
modify_sssd_conf(
self.client,
domain.name,
{'ldap_sudo_search_base': 'ou=sudoers,{}'.format(domain.basedn)},
provider_subtype='sudo')
def test_ssh_from_controller(self):
"""https://pagure.io/SSSD/sssd/issue/3979
Test ssh from test controller after adding
ldap_deref_threshold=0 to sssd.conf on master
Steps:
1. setup a master
2. add ldap_deref_threshold=0 to sssd.conf on master
3. add an ipa user
4. ssh from controller to master using the user created in step 3
"""
sssd_version = ''
cmd_output = self.master.run_command(['sssd', '--version'])
sssd_version = platform_tasks.\
parse_ipa_version(cmd_output.stdout_text.strip())
if sssd_version.version < '2.2.0':
pytest.xfail(reason="sssd 2.2.0 unavailable in F29 nightly")
username = "******" + str(random.randint(200000, 9999999))
# add ldap_deref_threshold=0 to /etc/sssd/sssd.conf
domain = self.master.domain
tasks.modify_sssd_conf(
self.master,
domain.name,
{'ldap_deref_threshold': 0},
)
try:
self.master.run_command(['systemctl', 'restart', 'sssd.service'])
# kinit admin
tasks.kinit_admin(self.master)
# add ipa user
cmd = [
'ipa', 'user-add', '--first', username, '--last', username,
'--password', username
]
input_passwd = 'Secret123\nSecret123\n'
cmd_output = self.master.run_command(cmd, stdin_text=input_passwd)
assert 'Added user "%s"' % username in cmd_output.stdout_text
input_passwd = 'Secret123\nSecret123\nSecret123\n'
self.master.run_command(['kinit', username],
stdin_text=input_passwd)
client = paramiko.SSHClient()
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
client.connect(self.master.hostname,
username=username,
password='******')
client.close()
finally:
# revert back to original ldap config
# remove ldap_deref_threshold=0
tasks.modify_sssd_conf(
self.master,
domain.name,
{'ldap_deref_threshold': None},
)
self.master.run_command(['systemctl', 'restart', 'sssd.service'])
def filter_user_setup(self, user):
sssd_conf_backup = tasks.FileBackup(self.master, paths.SSSD_CONF)
filter_user = {'filter_users': self.users[user]['name']}
try:
tasks.modify_sssd_conf(self.master, self.master.domain.name,
filter_user)
tasks.clear_sssd_cache(self.master)
yield
finally:
sssd_conf_backup.restore()
tasks.clear_sssd_cache(self.master)
def test_extdom_plugin(self):
"""Extdom plugin should not return error (32)/'No such object'
Regression test for https://pagure.io/freeipa/issue/8044
If there is a timeout during a request to SSSD the extdom plugin
should not return error 'No such object' and the existing user should
not be added to negative cache on the client.
"""
extdom_dn = DN(('cn', 'ipa_extdom_extop'), ('cn', 'plugins'),
('cn', 'config'))
client = self.clients[0]
tasks.backup_file(self.master, paths.SSSD_CONF)
log_file = '{0}/sssd_{1}.log'.format(paths.VAR_LOG_SSSD_DIR,
client.domain.name)
logsize = len(client.get_file_contents(log_file))
res = self.master.run_command(['pidof', 'sssd_be'])
pid = res.stdout_text.strip()
test_id = 'id testuser@%s' % self.ad_domain
client.run_command(test_id)
conn = self.master.ldap_connect()
entry = conn.get_entry(extdom_dn) # pylint: disable=no-member
orig_extdom_timeout = entry.single_value.get('ipaextdommaxnsstimeout')
# set the extdom plugin timeout to 1s (1000)
entry.single_value['ipaextdommaxnsstimeout'] = 1000
conn.update_entry(entry) # pylint: disable=no-member
self.master.run_command(['ipactl', 'restart'])
domain = self.master.domain
tasks.modify_sssd_conf(self.master, domain.name, {'timeout': '999999'})
remove_cache = 'sss_cache -E'
self.master.run_command(remove_cache)
client.run_command(remove_cache)
try:
# stop sssd_be, needed to simulate a timeout in the extdom plugin.
stop_sssdbe = self.master.run_command('kill -STOP %s' % pid)
client.run_command(test_id)
error = 'ldap_extended_operation result: No such object(32)'
sssd_log2 = client.get_file_contents(log_file)[logsize:]
assert error.encode() not in sssd_log2
finally:
if stop_sssdbe.returncode == 0:
self.master.run_command('kill -CONT %s' % pid)
# reconnect and set back to default extdom plugin
conn = self.master.ldap_connect()
entry = conn.get_entry(extdom_dn) # pylint: disable=no-member
entry.single_value['ipaextdommaxnsstimeout'] = orig_extdom_timeout
conn.update_entry(entry) # pylint: disable=no-member
tasks.restore_files(self.master)
self.master.run_command(['ipactl', 'restart'])
def test_sudo_rule_restricted_to_one_hostmask_negative_teardown(self):
# Remove the master's hostmask from the rule
ip = self.master.ip
self.master.run_command([
'ipa', '-n', 'sudorule-remove-host', 'testrule', '--hostmask',
'%s/32' % ip
])
# reset ldap_sudo_search_base back to the default value, the old
# schema is not needed for the upcoming tests
domain = self.client.domain
modify_sssd_conf(self.client,
domain.name, {'ldap_sudo_search_base': None},
provider_subtype='sudo')
def test_override_homedir(self):
"""POSIX attributes should not be overwritten or missing.
Regression test for bug https://pagure.io/SSSD/sssd/issue/2474
When there is IPA-AD trust with POSIX attributes,
including the home directory set in the AD LDAP and in sssd.conf
subdomain_homedir = %o is added after initgroup call home directory
should be correct and do not report in logs like,
'get_subdomain_homedir_of_user failed: * [Home directory is NULL]'
"""
tasks.backup_file(self.master, paths.SSSD_CONF)
log_file = '{0}/sssd_{1}.log' .format(paths.VAR_LOG_SSSD_DIR,
self.master.domain.name)
logsize = len(self.master.get_file_contents(log_file))
try:
testuser = '******' % self.ad_domain
domain = self.master.domain
tasks.modify_sssd_conf(
self.master,
domain.name,
{
'subdomain_homedir': '%o'
}
)
tasks.clear_sssd_cache(self.master)
# The initgroups operation now uses the LDAP connection because
# the LDAP AD DS server contains the POSIX attributes
self.master.run_command(['getent', 'initgroups', '-s', 'sss',
testuser])
result = self.master.run_command(['getent', 'passwd', testuser])
assert '/home/testuser' in result.stdout_text
sssd_log2 = self.master.get_file_contents(log_file)[logsize:]
assert b'get_subdomain_homedir_of_user failed' not in sssd_log2
finally:
tasks.restore_files(self.master)
tasks.clear_sssd_cache(self.master)
