def test_rhsso_login_using_hammer(self, enable_external_auth_rhsso,
rhsso_setting_setup,
rh_sso_hammer_auth_setup):
"""verify the hammer auth login using RHSSO auth source
:id: 56c09a1a-d0e5-11ea-9024-d46d6dd3b5b2
:expectedresults: hammer auth login should be suceessful for a rhsso user
:CaseImportance: High
"""
result = AuthLogin.oauth({
'oidc-token-endpoint':
get_oidc_token_endpoint(),
'oidc-client-id':
get_oidc_client_id(),
'username':
settings.rhsso.rhsso_user,
'password':
settings.rhsso.password,
})
assert f"Successfully logged in as '{settings.rhsso.rhsso_user}'." == result[
0]['message']
result = Auth.with_user(username=settings.rhsso.rhsso_user,
password=settings.rhsso.password).status()
assert (
f"Session exists, currently logged in as '{settings.rhsso.rhsso_user}'."
== result[0]['message'])
task_list = Task.with_user(username=settings.rhsso.rhsso_user,
password=settings.rhsso.password).list()
assert len(task_list) >= 0
with pytest.raises(CLIReturnCodeError) as error:
Role.with_user(username=settings.rhsso.rhsso_user,
password=settings.rhsso.password).list()
assert 'Missing one of the required permissions' in error.value.message
def test_positive_refresh_usergroup_with_ad(self, member_group, ad_data, ldap_tear_down):
"""Verify the usergroup-sync functionality in AD Auth Source
:id: 2e913e76-49c3-11eb-b4c6-d46d6dd3b5b2
:customerscenario: true
:CaseImportance: Medium
:bz: 1901392
:parametrized: yes
:expectedresults: external user-group sync works as expected automatically
based on user-sync
"""
ad_data = ad_data()
group_base_dn = ','.join(ad_data['group_base_dn'].split(',')[1:])
LOGEDIN_MSG = "Using configured credentials for user '{0}'."
auth_source = make_ldap_auth_source(
{
'name': gen_string('alpha'),
'onthefly-register': 'true',
'host': ad_data['ldap_hostname'],
'server-type': LDAP_SERVER_TYPE['CLI']['ad'],
'attr-login': LDAP_ATTR['login_ad'],
'attr-firstname': LDAP_ATTR['firstname'],
'attr-lastname': LDAP_ATTR['surname'],
'attr-mail': LDAP_ATTR['mail'],
'account': ad_data['ldap_user_name'],
'account-password': ad_data['ldap_user_passwd'],
'base-dn': ad_data['base_dn'],
'groups-base': group_base_dn,
}
)
# assert auth_source['account']['groups-base'] == group_base_dn
viewer_role = Role.info({'name': 'Viewer'})
user_group = make_usergroup()
make_usergroup_external(
{
'auth-source-id': auth_source['server']['id'],
'user-group-id': user_group['id'],
'name': member_group,
}
)
UserGroup.add_role({'id': user_group['id'], 'role-id': viewer_role['id']})
user_group = UserGroup.info({'id': user_group['id']})
result = Auth.with_user(
username=ad_data['ldap_user_name'], password=ad_data['ldap_user_passwd']
).status()
assert LOGEDIN_MSG.format(ad_data['ldap_user_name']) in result[0]['message']
UserGroupExternal.refresh({'user-group-id': user_group['id'], 'name': member_group})
user_group = UserGroup.info({'id': user_group['id']})
list = Role.with_user(
username=ad_data['ldap_user_name'], password=ad_data['ldap_user_passwd']
).list()
assert len(list) > 1
def test_usergroup_with_usergroup_sync(self, ipa_data):
"""Verify the usergroup-sync functionality in Ldap Auth Source
:id: 2b63e886-2c53-11ea-9da5-db3ae0527554
:expectedresults: external user-group sync works as expected automatically
based on user-sync
:CaseImportance: Medium
"""
self._clean_up_previous_ldap()
self.ldap_ipa_hostname = ipa_data['ldap_ipa_hostname']
self.ldap_ipa_user_passwd = ipa_data['ldap_ipa_user_passwd']
ldap_ipa_user_name = ipa_data['ldap_ipa_user_name']
ipa_group_base_dn = ipa_data['ipa_group_base_dn'].replace(
'foobargroup', 'foreman_group')
member_username = '******'
member_group = 'foreman_group'
LOGEDIN_MSG = "Using configured credentials for user '{0}'."
auth_source_name = gen_string('alpha')
auth_source = make_ldap_auth_source({
'name':
auth_source_name,
'onthefly-register':
'true',
'usergroup-sync':
'true',
'host':
ipa_data['ldap_ipa_hostname'],
'server-type':
LDAP_SERVER_TYPE['CLI']['ipa'],
'attr-login':
LDAP_ATTR['login'],
'attr-firstname':
LDAP_ATTR['firstname'],
'attr-lastname':
LDAP_ATTR['surname'],
'attr-mail':
LDAP_ATTR['mail'],
'account':
ldap_ipa_user_name,
'account-password':
ipa_data['ldap_ipa_user_passwd'],
'base-dn':
ipa_data['ipa_base_dn'],
'groups-base':
ipa_group_base_dn,
})
auth_source = LDAPAuthSource.info({'id': auth_source['server']['id']})
# Adding User in IPA UserGroup
self._add_user_in_IPA_usergroup(member_username, member_group)
viewer_role = Role.info({'name': 'Viewer'})
user_group = make_usergroup()
ext_user_group = make_usergroup_external({
'auth-source-id':
auth_source['server']['id'],
'user-group-id':
user_group['id'],
'name':
member_group,
})
UserGroup.add_role({
'id': user_group['id'],
'role-id': viewer_role['id']
})
assert ext_user_group['auth-source'] == auth_source['server']['name']
user_group = UserGroup.info({'id': user_group['id']})
assert len(user_group['users']) == 0
result = Auth.with_user(username=member_username,
password=self.ldap_ipa_user_passwd).status()
assert LOGEDIN_MSG.format(member_username) in result[0]['message']
list = Role.with_user(username=member_username,
password=self.ldap_ipa_user_passwd).list()
assert len(list) > 1
user_group = UserGroup.info({'id': user_group['id']})
assert len(user_group['users']) == 1
assert user_group['users'][0] == member_username
# Removing User in IPA UserGroup
self._remove_user_in_IPA_usergroup(member_username, member_group)
with pytest.raises(CLIReturnCodeError) as error:
Role.with_user(username=member_username,
password=self.ldap_ipa_user_passwd).list()
assert 'Missing one of the required permissions' in error.value.message
user_group = UserGroup.info({'id': user_group['id']})
assert len(user_group['users']) == 0
def test_system_admin_role_end_to_end(self):
"""Test System admin role with a end to end workflow
:id: da6b3549-d1cf-44fc-869f-08d15d407fa2
:steps:
1. Create a System admin role user1
2. Login with the user1 and change global settings
"Out of sync interval" to 31
3. Create user2 with system admin role
4. Login with user2 to create a Organization
5. Clone a Org-admin role
6. Edit the Architecture Filter and search name = x86_64
7. Create a User with Cloned Org admin
8. Login with user.
:expectedresults:
1. User should be assigned with System Admin role.
2. User with sys admin role should be able to update settings
3. User with sys admin role should be able to create users and
assign Organizations to them.
4. System Admin role should be able to create Organization admins
5. User with sys admin role should be able to edit filters on roles
:CaseLevel: System
"""
org = make_org()
location = make_location()
common_pass = gen_string('alpha')
role = Role.info({'name': 'System admin'})
system_admin_1 = make_user(
{
'password': common_pass,
'organization-ids': org['id'],
'location-ids': location['id'],
}
)
User.add_role({'id': system_admin_1['id'], 'role-id': role['id']})
Settings.with_user(username=system_admin_1['login'], password=common_pass).set(
{'name': "outofsync_interval", 'value': "32"}
)
sync_time = Settings.list({'search': 'name=outofsync_interval'})[0]
# Asserts if the setting was updated successfully
assert '32' == sync_time['value']
# Create another System Admin user using the first one
system_admin = User.with_user(
username=system_admin_1['login'], password=common_pass
).create(
{
'auth-source-id': 1,
'firstname': gen_string('alpha'),
'lastname': gen_string('alpha'),
'login': gen_string('alpha'),
'mail': '{}@example.com'.format(gen_string('alpha')),
'password': common_pass,
'organizations': org['name'],
'role-ids': role['id'],
'locations': location['name'],
}
)
# Create the Org Admin user
org_role = Role.with_user(username=system_admin['login'], password=common_pass).clone(
{
'name': 'Organization admin',
'new-name': gen_string('alpha'),
'organization-ids': org['id'],
'location-ids': location['id'],
}
)
org_admin = User.with_user(username=system_admin['login'], password=common_pass).create(
{
'auth-source-id': 1,
'firstname': gen_string('alpha'),
'lastname': gen_string('alpha'),
'login': gen_string('alpha'),
'mail': '{}@example.com'.format(gen_string('alpha')),
'password': common_pass,
'organizations': org['name'],
'role-ids': org_role['id'],
'location-ids': location['id'],
}
)
# Assert if the cloning was successful
assert org_role['id'] is not None
org_role_filters = Role.filters({'id': org_role['id']})
search_filter = None
for arch_filter in org_role_filters:
if arch_filter['resource-type'] == 'Architecture':
search_filter = arch_filter
break
Filter.with_user(username=system_admin['login'], password=common_pass).update(
{'role-id': org_role['id'], 'id': arch_filter['id'], 'search': 'name=x86_64'}
)
# Asserts if the filter is updated
assert 'name=x86_64' in Filter.info({'id': search_filter['id']}).values()
org_admin = User.with_user(username=system_admin['login'], password=common_pass).info(
{'id': org_admin['id']}
)
# Asserts Created Org Admin
assert org_role['name'] in org_admin['roles']
assert org['name'] in org_admin['organizations']
def test_system_admin_role_end_to_end(self):
"""Test System admin role with a end to end workflow
:id: da6b3549-d1cf-44fc-869f-08d15d407fa2
:steps:
1. Create a System admin role user1
2. Login with the user1 and change global settings
"Out of sync interval" to 31
3. Create user2 with system admin role
4. Login with user2 to create a Organization
5. Clone a Org-admin role
6. Edit the Architecture Filter and search name = x86_64
7. Create a User with Cloned Org admin
8. Login with user.
:expectedresults:
1. User should be assigned with System Admin role.
2. User with sys admin role should be able to update settings
3. User with sys admin role should be able to create users and
assign Organizations to them.
4. System Admin role should be able to create Organization admins
5. User with sys admin role should be able to edit filters on roles
:CaseLevel: System
"""
org = make_org()
location = make_location()
common_pass = gen_string('alpha')
role = Role.info({'name': 'System admin'})
system_admin_1 = make_user({
'password': common_pass,
'organization-ids': org['id'],
'location-ids': location['id']
})
User.add_role({
'id': system_admin_1['id'],
'role-id': role['id']
})
Settings.with_user(
username=system_admin_1['login'],
password=common_pass).set({
'name': "outofsync_interval",
'value': "32"
})
sync_time = Settings.list({
'search': 'name=outofsync_interval'
})[0]
# Asserts if the setting was updated successfully
self.assertEqual('32', sync_time['value'])
# Create another System Admin user using the first one
system_admin = User.with_user(
username=system_admin_1['login'],
password=common_pass).create({
u'auth-source-id': 1,
u'firstname': gen_string('alpha'),
u'lastname': gen_string('alpha'),
u'login': gen_string('alpha'),
u'mail': '{0}@example.com'.format(gen_string('alpha')),
u'password': common_pass,
u'organizations': org['name'],
u'role-ids': role['id'],
u'locations': location['name']
})
# Create the Org Admin user
org_role = Role.with_user(
username=system_admin['login'],
password=common_pass).clone({
'name': 'Organization admin',
'new-name': gen_string('alpha'),
'organization-ids': org['id'],
'location-ids': location['id']
})
org_admin = User.with_user(
username=system_admin['login'],
password=common_pass).create({
u'auth-source-id': 1,
u'firstname': gen_string('alpha'),
u'lastname': gen_string('alpha'),
u'login': gen_string('alpha'),
u'mail': '{0}@example.com'.format(gen_string('alpha')),
u'password': common_pass,
u'organizations': org['name'],
u'role-ids': org_role['id'],
u'location-ids': location['id']
})
# Assert if the cloning was successful
self.assertIsNotNone(org_role['id'])
org_role_filters = Role.filters({'id': org_role['id']})
search_filter = None
for arch_filter in org_role_filters:
if arch_filter['resource-type'] == 'Architecture':
search_filter = arch_filter
break
Filter.with_user(
username=system_admin['login'],
password=common_pass).update({
'role-id': org_role['id'],
'id': arch_filter['id'],
'search': 'name=x86_64'
})
# Asserts if the filter is updated
self.assertIn('name=x86_64',
Filter.info({
'id': search_filter['id']
}).values()
)
org_admin = User.with_user(
username=system_admin['login'],
password=common_pass).info({'id': org_admin['id']})
# Asserts Created Org Admin
self.assertIn(org_role['name'], org_admin['roles'])
self.assertIn(org['name'], org_admin['organizations'])
def test_usergroup_sync_with_refresh(self):
"""Verify the refresh functionality in Ldap Auth Source
:id: c905eb80-2bd0-11ea-abc3-ddb7dbb3c930
:expectedresults: external user-group sync works as expected as on-demand
sync based on refresh works
:CaseImportance: Medium
"""
self._clean_up_previous_ldap()
ldap_ipa_user_name = self.ldap_ipa_user_name
ipa_group_base_dn = self.ipa_group_base_dn.replace(
'foobargroup', 'foreman_group')
member_username = '******'
member_group = 'foreman_group'
LOGEDIN_MSG = "Using configured credentials for user '{0}'."
auth_source_name = gen_string('alpha')
auth_source = make_ldap_auth_source({
'name':
auth_source_name,
'onthefly-register':
'true',
'usergroup-sync':
'false',
'host':
self.ldap_ipa_hostname,
'server-type':
LDAP_SERVER_TYPE['CLI']['ipa'],
'attr-login':
LDAP_ATTR['login'],
'attr-firstname':
LDAP_ATTR['firstname'],
'attr-lastname':
LDAP_ATTR['surname'],
'attr-mail':
LDAP_ATTR['mail'],
'account':
ldap_ipa_user_name,
'account-password':
self.ldap_ipa_user_passwd,
'base-dn':
self.ipa_base_dn,
'groups-base':
ipa_group_base_dn,
})
auth_source = LDAPAuthSource.info({'id': auth_source['server']['id']})
# Adding User in IPA UserGroup
self._add_user_in_IPA_usergroup(member_username, member_group)
viewer_role = Role.info({'name': 'Viewer'})
user_group = make_usergroup()
ext_user_group = make_usergroup_external({
'auth-source-id':
auth_source['server']['id'],
'user-group-id':
user_group['id'],
'name':
member_group,
})
UserGroup.add_role({
'id': user_group['id'],
'role-id': viewer_role['id']
})
assert ext_user_group['auth-source'] == auth_source['server']['name']
user_group = UserGroup.info({'id': user_group['id']})
assert len(user_group['users']) == 0
result = Auth.with_user(username=member_username,
password=self.ldap_ipa_user_passwd).status()
assert LOGEDIN_MSG.format(member_username) in result[0]['message']
with self.assertRaises(CLIReturnCodeError) as error:
Role.with_user(username=member_username,
password=self.ldap_ipa_user_passwd).list()
assert 'Missing one of the required permissions' in error.exception.message
with self.assertNotRaises(CLIReturnCodeError):
UserGroupExternal.refresh({
'user-group-id': user_group['id'],
'name': member_group
})
list = Role.with_user(username=member_username,
password=self.ldap_ipa_user_passwd).list()
assert len(list) > 1
user_group = UserGroup.info({'id': user_group['id']})
assert len(user_group['users']) == 1
assert user_group['users'][0] == member_username
# Removing User in IPA UserGroup
self._remove_user_in_IPA_usergroup(member_username, member_group)
with self.assertNotRaises(CLIReturnCodeError):
UserGroupExternal.refresh({
'user-group-id': user_group['id'],
'name': member_group
})
user_group = UserGroup.info({'id': user_group['id']})
assert len(user_group['users']) == 0
with self.assertRaises(CLIReturnCodeError) as error:
Role.with_user(username=member_username,
password=self.ldap_ipa_user_passwd).list()
assert 'Missing one of the required permissions' in error.exception.message
