def test_removed_mc(ldap_conn, sanity_rfc2307): """ Regression test for ticket: https://fedorahosted.org/sssd/ticket/2726 """ ent.assert_passwd_by_name( 'user1', dict(name='user1', passwd='*', uid=1001, gid=2001, gecos='1001', shell='/bin/bash')) ent.assert_passwd_by_uid( 1001, dict(name='user1', passwd='*', uid=1001, gid=2001, gecos='1001', shell='/bin/bash')) ent.assert_group_by_name("group1", dict(name="group1", gid=2001)) ent.assert_group_by_gid(2001, dict(name="group1", gid=2001)) stop_sssd() # remove cache without invalidation for path in os.listdir(config.MCACHE_PATH): os.unlink(config.MCACHE_PATH + "/" + path) # sssd is stopped; so the memory cache should not be used # in long living clients (py.test in this case) with pytest.raises(KeyError): pwd.getpwnam('user1') with pytest.raises(KeyError): pwd.getpwuid(1001) with pytest.raises(KeyError): grp.getgrnam('group1') with pytest.raises(KeyError): grp.getgrgid(2001)
def test_disabled_mc(ldap_conn, disable_memcache_rfc2307): ent.assert_passwd_by_name( 'user1', dict(name='user1', passwd='*', uid=1001, gid=2001, gecos='1001', shell='/bin/bash')) ent.assert_passwd_by_uid( 1001, dict(name='user1', passwd='*', uid=1001, gid=2001, gecos='1001', shell='/bin/bash')) ent.assert_group_by_name("group1", dict(name="group1", gid=2001)) ent.assert_group_by_gid(2001, dict(name="group1", gid=2001)) assert_user_gids_equal('user1', [2000, 2001]) stop_sssd() # sssd is stopped and the memory cache is disabled; # so pytest should not be able to find anything with pytest.raises(KeyError): pwd.getpwnam('user1') with pytest.raises(KeyError): pwd.getpwuid(1001) with pytest.raises(KeyError): grp.getgrnam('group1') with pytest.raises(KeyError): grp.getgrgid(2001) with pytest.raises(KeyError): (res, errno, gids) = sssd_id.get_user_gids('user1')
def test_disabled_passwd_mc(ldap_conn, disable_pwd_mc_rfc2307): ent.assert_passwd_by_name( 'user1', dict(name='user1', passwd='*', uid=1001, gid=2001, gecos='1001', shell='/bin/bash')) ent.assert_passwd_by_uid( 1001, dict(name='user1', passwd='*', uid=1001, gid=2001, gecos='1001', shell='/bin/bash')) ent.assert_group_by_name("group1", dict(name="group1", gid=2001)) ent.assert_group_by_gid(2001, dict(name="group1", gid=2001)) assert_user_gids_equal('user1', [2000, 2001]) stop_sssd() # passwd cache is disabled, other caches should work with pytest.raises(KeyError): pwd.getpwnam('user1') with pytest.raises(KeyError): pwd.getpwuid(1001) ent.assert_group_by_name("group1", dict(name="group1", gid=2001)) ent.assert_group_by_gid(2001, dict(name="group1", gid=2001)) assert_user_gids_equal('user1', [2000, 2001])
def assert_mc_records_for_user1(): ent.assert_passwd_by_name( 'user1', dict(name='user1', passwd='*', uid=1001, gid=2001, gecos='1001', shell='/bin/bash')) ent.assert_passwd_by_uid( 1001, dict(name='user1', passwd='*', uid=1001, gid=2001, gecos='1001', shell='/bin/bash')) ent.assert_group_by_name( "group1", dict(mem=ent.contains_only("user1", "user11", "user21"))) ent.assert_group_by_gid( 2001, dict(mem=ent.contains_only("user1", "user11", "user21"))) ent.assert_group_by_name( "group0x", dict(mem=ent.contains_only("user1", "user2", "user3"))) ent.assert_group_by_gid( 2000, dict(mem=ent.contains_only("user1", "user2", "user3"))) assert_initgroups_equal("user1", 2001, [2000, 2001])
def test_mc_zero_timeout(ldap_conn, zero_timeout_rfc2307): """ Test that the memory cache is not created at all with memcache_timeout=0 """ # No memory cache files must be created assert len(os.listdir(config.MCACHE_PATH)) == 0 ent.assert_passwd_by_name( 'user1', dict(name='user1', passwd='*', uid=1001, gid=2001, gecos='1001', shell='/bin/bash')) ent.assert_passwd_by_uid( 1001, dict(name='user1', passwd='*', uid=1001, gid=2001, gecos='1001', shell='/bin/bash')) ent.assert_group_by_name("group1", dict(name="group1", gid=2001)) ent.assert_group_by_gid(2001, dict(name="group1", gid=2001)) stop_sssd() # sssd is stopped; so the memory cache should not be used # in long living clients (py.test in this case) with pytest.raises(KeyError): pwd.getpwnam('user1') with pytest.raises(KeyError): pwd.getpwuid(1001) with pytest.raises(KeyError): grp.getgrnam('group1') with pytest.raises(KeyError): grp.getgrgid(2001)
def run_simple_test_with_initgroups(): ent.assert_passwd_by_name( 'user1', dict(name='user1', passwd='*', uid=1001, gid=2001, gecos='1001', shell='/bin/bash')) ent.assert_passwd_by_uid( 1001, dict(name='user1', passwd='*', uid=1001, gid=2001, gecos='1001', shell='/bin/bash')) ent.assert_group_by_name( "group1", dict(mem=ent.contains_only("user1", "user11", "user21"))) ent.assert_group_by_gid( 2001, dict(mem=ent.contains_only("user1", "user11", "user21"))) # unrelated group to user1 ent.assert_group_by_name( "group2", dict(mem=ent.contains_only("user2", "user12", "user22"))) ent.assert_group_by_gid( 2002, dict(mem=ent.contains_only("user2", "user12", "user22"))) assert_initgroups_equal("user1", 2001, [2000, 2001])
def test_ldap_auto_private_groups_direct_no_gid(ldap_conn, mpg_setup_no_gid): """ Integration test for auto_private_groups - test that even a user with no GID assigned at all can be resolved including their autogenerated primary group. See also ticket https://pagure.io/SSSD/sssd/issue/1872 """ # Make sure the user's GID is taken from their uidNumber ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001, gid=1001)) # Make sure the private group is resolvable by name and by GID ent.assert_group_by_name("user1", dict(gid=1001, mem=ent.contains_only())) ent.assert_group_by_gid(1001, dict(name="user1", mem=ent.contains_only())) # The group referenced in user's gidNumber attribute should be still # visible, but shouldn't have any relation to the user ent.assert_group_by_name("group1", dict(gid=2001, mem=ent.contains_only())) ent.assert_group_by_gid(2001, dict(name="group1", mem=ent.contains_only())) # The user's secondary groups list must be correct as well. This time only # the generated group and the explicit secondary group are added, since # there is no original GID user1_expected_gids = [1001, 2015] (res, errno, gids) = sssd_id.call_sssd_initgroups("user1", 1001) assert res == sssd_id.NssReturnCode.SUCCESS assert sorted(gids) == sorted(user1_expected_gids), \ "result: %s\n expected %s" % ( ", ".join(["%s" % s for s in sorted(gids)]), ", ".join(["%s" % s for s in sorted(user1_expected_gids)]) )
def test_ldap_auto_private_groups_enumerate(ldap_conn, sanity_rfc2307_bis_mpg): """ Test the auto_private_groups together with enumeration """ passwd_pattern = ent.contains_only( dict(name='user1', passwd='*', uid=1001, gid=1001, gecos='1001', dir='/home/user1', shell='/bin/bash'), dict(name='user2', passwd='*', uid=1002, gid=1002, gecos='1002', dir='/home/user2', shell='/bin/bash'), dict(name='user3', passwd='*', uid=1003, gid=1003, gecos='1003', dir='/home/user3', shell='/bin/bash') ) ent.assert_passwd(passwd_pattern) group_pattern = ent.contains_only( dict(name='user1', passwd='*', gid=1001, mem=ent.contains_only()), dict(name='user2', passwd='*', gid=1002, mem=ent.contains_only()), dict(name='user3', passwd='*', gid=1003, mem=ent.contains_only()), dict(name='group1', passwd='*', gid=2001, mem=ent.contains_only()), dict(name='group2', passwd='*', gid=2002, mem=ent.contains_only()), dict(name='group3', passwd='*', gid=2003, mem=ent.contains_only()), dict(name='empty_group1', passwd='*', gid=2010, mem=ent.contains_only()), dict(name='empty_group2', passwd='*', gid=2011, mem=ent.contains_only()), dict(name='two_user_group', passwd='*', gid=2012, mem=ent.contains_only("user1", "user2")), dict(name='group_empty_group', passwd='*', gid=2013, mem=ent.contains_only()), dict(name='group_two_empty_groups', passwd='*', gid=2014, mem=ent.contains_only()), dict(name='one_user_group1', passwd='*', gid=2015, mem=ent.contains_only("user1")), dict(name='one_user_group2', passwd='*', gid=2016, mem=ent.contains_only("user2")), dict(name='group_one_user_group', passwd='*', gid=2017, mem=ent.contains_only("user1")), dict(name='group_two_user_group', passwd='*', gid=2018, mem=ent.contains_only("user1", "user2")), dict(name='group_two_one_user_groups', passwd='*', gid=2019, mem=ent.contains_only("user1", "user2")) ) ent.assert_group(group_pattern) with pytest.raises(KeyError): grp.getgrnam("conflict1") ent.assert_group_by_gid(1002, dict(name="user2", mem=ent.contains_only()))
def test_assert_group_by_gid(users_and_groups): ent.assert_group_by_gid(2001, {}) ent.assert_group_by_gid(2001, dict(name="group1", gid=2001)) ent.assert_group_by_gid(2001, GROUP1) try: ent.assert_group_by_gid(2003, {}) assert False except AssertionError as e: assert str(e) == "'getgrgid(): gid not found: 2003'" try: ent.assert_group_by_gid(2002, dict(name="group1")) assert False except AssertionError as e: assert str(e) == "'name' mismatch: 'group1' != 'group2'"
def test_disabled_initgr_mc(ldap_conn, disable_initgr_mc_rfc2307): ent.assert_passwd_by_name( 'user1', dict(name='user1', passwd='*', uid=1001, gid=2001, gecos='1001', shell='/bin/bash')) ent.assert_passwd_by_uid( 1001, dict(name='user1', passwd='*', uid=1001, gid=2001, gecos='1001', shell='/bin/bash')) ent.assert_group_by_name("group1", dict(name="group1", gid=2001)) ent.assert_group_by_gid(2001, dict(name="group1", gid=2001)) assert_user_gids_equal('user1', [2000, 2001]) stop_sssd() # initgroups is disabled, other caches should work ent.assert_passwd_by_name( 'user1', dict(name='user1', passwd='*', uid=1001, gid=2001, gecos='1001', shell='/bin/bash')) ent.assert_passwd_by_uid( 1001, dict(name='user1', passwd='*', uid=1001, gid=2001, gecos='1001', shell='/bin/bash')) ent.assert_group_by_name("group1", dict(name="group1", gid=2001)) ent.assert_group_by_gid(2001, dict(name="group1", gid=2001)) assert_unsuccessful_initgr('user1')
def test_invalidation_of_gids_after_initgroups(ldap_conn, sanity_rfc2307): # the sssd cache was empty and not all user's group were # resolved with getgr{nm,gid}. Therefore there is a change in # group membership => user groups should be invalidated run_simple_test_with_initgroups() assert_initgroups_equal("user1", 2001, [2000, 2001]) stop_sssd() ent.assert_passwd_by_name( 'user1', dict(name='user1', passwd='*', uid=1001, gid=2001, gecos='1001', shell='/bin/bash')) ent.assert_passwd_by_uid( 1001, dict(name='user1', passwd='*', uid=1001, gid=2001, gecos='1001', shell='/bin/bash')) # unrelated group to user1 must be returned ent.assert_group_by_name( "group2", dict(mem=ent.contains_only("user2", "user12", "user22"))) ent.assert_group_by_gid( 2002, dict(mem=ent.contains_only("user2", "user12", "user22"))) assert_initgroups_equal("user1", 2001, [2000, 2001]) # user groups must be invalidated for group in ["group1", "group0x"]: with pytest.raises(KeyError): grp.getgrnam(group) for gid in [2000, 2001]: with pytest.raises(KeyError): grp.getgrgid(gid)
def test_ldap_auto_private_groups_conflict(ldap_conn, mpg_setup_conflict): """ Make sure that conflicts between groups that are auto-created with the help of the auto_private_groups option and between 'real' LDAP groups are handled in a predictable manner. """ # Make sure the user's GID is taken from their uidNumber ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001, gid=1001)) # Make sure the private group is resolvable by name and by GID ent.assert_group_by_name("user1", dict(gid=1001, mem=ent.contains_only())) ent.assert_group_by_gid(1001, dict(name="user1", mem=ent.contains_only())) # Let's request the group with the same ID as user2's private group # The request should match the 'real' group ent.assert_group_by_gid(1002, dict(name="group2", mem=ent.contains_only())) # But because of the GID conflict, the user cannot be resolved with pytest.raises(KeyError): pwd.getpwnam("user2") # This user's GID is the same as the UID in this entry. The most important # thing here is that the supplementary groups are correct and the GID # resolves to the private group (as long as the user was requested first) user3_expected_gids = [1003, 2015] ent.assert_passwd_by_name("user3", dict(name="user3", uid=1003, gid=1003)) (res, errno, gids) = sssd_id.call_sssd_initgroups("user3", 1003) assert res == sssd_id.NssReturnCode.SUCCESS assert sorted(gids) == sorted(user3_expected_gids), \ "result: %s\n expected %s" % ( ", ".join(["%s" % s for s in sorted(gids)]), ", ".join(["%s" % s for s in sorted(user3_expected_gids)]) ) # Make sure the private group is resolvable by name and by GID ent.assert_group_by_gid(1003, dict(name="user3", mem=ent.contains_only())) ent.assert_group_by_name("user3", dict(gid=1003, mem=ent.contains_only()))
def test_getgrnam_simple(ldap_conn, sanity_rfc2307): ent.assert_group_by_name("group1", dict(name="group1", gid=2001)) ent.assert_group_by_gid(2001, dict(name="group1", gid=2001)) ent.assert_group_by_name("group2", dict(name="group2", gid=2002)) ent.assert_group_by_gid(2002, dict(name="group2", gid=2002)) ent.assert_group_by_name("group3", dict(name="group3", gid=2003)) ent.assert_group_by_gid(2003, dict(name="group3", gid=2003)) ent.assert_group_by_name("group0x", dict(name="group0x", gid=2000)) ent.assert_group_by_gid(2000, dict(name="group0x", gid=2000)) ent.assert_group_by_name("group1x", dict(name="group1x", gid=2010)) ent.assert_group_by_gid(2010, dict(name="group1x", gid=2010)) ent.assert_group_by_name("group2x", dict(name="group2x", gid=2020)) ent.assert_group_by_gid(2020, dict(name="group2x", gid=2020))
def test_ldap_auto_private_groups_direct(ldap_conn, mpg_setup): """ Integration test for auto_private_groups See also ticket https://pagure.io/SSSD/sssd/issue/1872 """ # Make sure the user's GID is taken from their uidNumber ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001, gid=1001)) # Make sure the private group is resolvable by name and by GID ent.assert_group_by_name("user1", dict(gid=1001, mem=ent.contains_only())) ent.assert_group_by_gid(1001, dict(name="user1", mem=ent.contains_only())) # The group referenced in user's gidNumber attribute should be still # visible, but it's fine that it doesn't contain the user as a member # as the group is currently added during the initgroups operation only ent.assert_group_by_name("group1", dict(gid=2001, mem=ent.contains_only())) ent.assert_group_by_gid(2001, dict(name="group1", mem=ent.contains_only())) # The user's secondary groups list must be correct as well # Note that the original GID is listed as well -- this is correct and expected # because we save the original GID in the SYSDB_PRIMARY_GROUP_GIDNUM attribute user1_expected_gids = [1001, 2001, 2012, 2015] (res, errno, gids) = sssd_id.call_sssd_initgroups("user1", 1001) assert res == sssd_id.NssReturnCode.SUCCESS assert sorted(gids) == sorted(user1_expected_gids), \ "result: %s\n expected %s" % ( ", ".join(["%s" % s for s in sorted(gids)]), ", ".join(["%s" % s for s in sorted(user1_expected_gids)]) ) # Request user2's private group by GID without resolving the user first. # This must trigger user resolution through by-GID resolution, since the GID # doesn't exist on its own in LDAP ent.assert_group_by_gid(1002, dict(name="user2", mem=ent.contains_only())) # Test supplementary groups for user2 as well user1_expected_gids = [1002, 2002, 2012, 2016] (res, errno, gids) = sssd_id.call_sssd_initgroups("user2", 1002) assert res == sssd_id.NssReturnCode.SUCCESS assert sorted(gids) == sorted(user1_expected_gids), \ "result: %s\n expected %s" % ( ", ".join(["%s" % s for s in sorted(gids)]), ", ".join(["%s" % s for s in sorted(user1_expected_gids)]) ) # Request user3's private group by name without resolving the user first # This must trigger user resolution through by-name resolution, since the # name doesn't exist on its own in LDAP ent.assert_group_by_name("user3", dict(gid=1003, mem=ent.contains_only())) # Remove entries and request them again to make sure they are not # resolvable anymore cleanup_ldap_entries(ldap_conn, None) if subprocess.call(["sss_cache", "-GU"]) != 0: raise Exception("sssd_cache failed") with pytest.raises(KeyError): pwd.getpwnam("user1") with pytest.raises(KeyError): grp.getgrnam("user1") with pytest.raises(KeyError): grp.getgrgid(1002) with pytest.raises(KeyError): grp.getgrnam("user3")
def test_getgrnam_membership(ldap_conn, sanity_rfc2307): ent.assert_group_by_name( "group1", dict(mem=ent.contains_only("user1", "user11", "user21"))) ent.assert_group_by_gid( 2001, dict(mem=ent.contains_only("user1", "user11", "user21"))) ent.assert_group_by_name( "group2", dict(mem=ent.contains_only("user2", "user12", "user22"))) ent.assert_group_by_gid( 2002, dict(mem=ent.contains_only("user2", "user12", "user22"))) ent.assert_group_by_name( "group3", dict(mem=ent.contains_only("user3", "user13", "user23"))) ent.assert_group_by_gid( 2003, dict(mem=ent.contains_only("user3", "user13", "user23"))) ent.assert_group_by_name( "group0x", dict(mem=ent.contains_only("user1", "user2", "user3"))) ent.assert_group_by_gid( 2000, dict(mem=ent.contains_only("user1", "user2", "user3"))) ent.assert_group_by_name( "group1x", dict(mem=ent.contains_only("user11", "user12", "user13"))) ent.assert_group_by_gid( 2010, dict(mem=ent.contains_only("user11", "user12", "user13"))) ent.assert_group_by_name( "group2x", dict(mem=ent.contains_only("user21", "user22", "user23"))) ent.assert_group_by_gid( 2020, dict(mem=ent.contains_only("user21", "user22", "user23")))
except AssertionError, e: assert str(e) == "'name' mismatch: 'group1' != 'group2'" def test_assert_group_by_gid(users_and_groups): ent.assert_group_by_gid(2001, {}) ent.assert_group_by_gid(2001, dict(name="group1", gid=2001)) ent.assert_group_by_gid(2001, GROUP1) try: ent.assert_group_by_gid(2003, {}) assert False except AssertionError, e: assert str(e) == "'getgrgid(): gid not found: 2003'" try: ent.assert_group_by_gid(2002, dict(name="group1")) assert False except AssertionError, e: assert str(e) == "'name' mismatch: 'group1' != 'group2'" def test_assert_group_list(users_and_groups): ent.assert_group_list(ent.contains()) ent.assert_group_list(ent.contains(GROUP1)) ent.assert_group_list(ent.contains_only(*GROUP_LIST)) try: ent.assert_group_list(ent.contains_only()) assert False except AssertionError, e: assert not re.search("expected groups not found:", str(e)) assert re.search("unexpected groups found:", str(e))
assert str(e) == "'name' mismatch: 'group1' != 'group2'" def test_assert_group_by_gid(users_and_groups): ent.assert_group_by_gid(2001, {}) ent.assert_group_by_gid(2001, dict(name="group1", gid=2001)) ent.assert_group_by_gid(2001, GROUP1) try: ent.assert_group_by_gid(2003, {}) assert False except AssertionError, e: assert str(e) == "'getgrgid(): gid not found: 2003'" try: ent.assert_group_by_gid(2002, dict(name="group1")) assert False except AssertionError, e: assert str(e) == "'name' mismatch: 'group1' != 'group2'" def test_assert_group_list(users_and_groups): ent.assert_group_list(ent.contains()) ent.assert_group_list(ent.contains(GROUP1)) ent.assert_group_list(ent.contains_only(*GROUP_LIST)) try: ent.assert_group_list(ent.contains_only()) assert False except AssertionError, e: assert not re.search("expected groups not found:", str(e)) assert re.search("unexpected groups found:", str(e))