def test_root_user_override(ldap_conn, env_root_user_override): """Test entries are not overriden to root""" # Override does not have to happen completly, trying to set uid or gid # to 0 is simply ignored. ent.assert_passwd_by_name( "ov_user1", dict( name="ov_user1", passwd="*", uid=10001, gid=20001, gecos="Overriden User 1", dir="/home/ov/user1", shell="/bin/ov_user1_shell", ), ) # We can create override with name root. This test is just for tracking # that this particular behavior won't change. ent.assert_passwd_by_name( "user2", dict( name="root", passwd="*", uid=10020, gid=20020, gecos="Overriden User 2", dir="/home/ov/user2", shell="/bin/ov_user2_shell", ), ) ent.assert_passwd_by_uid(0, dict(name="root"))
def test_user_update_diff_attrs(ldap_conn, ldb_examine, setup_rfc2307bis): """ Test that a user update with the same modifyTimestamp does not trigger sysdb cache update """ ldb_conn = ldb_examine old_sysdb_attrs, old_ts_attrs = prime_cache_user(ldb_conn, "user1", 2001) # modify an argument we don't save to the cache. This will bump the # modifyTimestamp attribute, but the attributes themselves will be the same # from sssd's point of view ldap_conn.modify_s("uid=user1,ou=Users," + ldap_conn.ds_inst.base_dn, [(ldap.MOD_REPLACE, "loginShell", "/bin/zsh")]) # wait for slapd to change its database time.sleep(1) ent.assert_passwd_by_name("user1", dict(name="user1")) sysdb_attrs, ts_attrs = get_user_attrs(ldb_conn, "user1", SSSD_DOMAIN, TS_ATTRLIST) assert_diff_attrval(sysdb_attrs, old_sysdb_attrs, "dataExpireTimestamp") assert_diff_attrval(sysdb_attrs, old_sysdb_attrs, "originalModifyTimestamp") assert_diff_attrval(ts_attrs, old_ts_attrs, "dataExpireTimestamp") assert_diff_attrval(ts_attrs, old_ts_attrs, "originalModifyTimestamp")
def test_userdel(passwd_ops_setup): passwd_ops_setup.useradd(**USER1) ent.assert_passwd_by_name("user1", USER1) passwd_ops_setup.userdel("user1") with pytest.raises(KeyError): pwd.getpwnam("user1")
def test_extra_attribute_already_exists(ldap_conn, extra_attributes): """Test the effect of the "vetoed_shells" option""" user = '******' extra_attribute = 'givenName' given_name = 'unix_user' user_dn = "uid=" + user + ",ou=Users," + ldap_conn.ds_inst.base_dn old = {'objectClass': ['top', 'inetOrgPerson', 'posixAccount']} new = {'objectClass': ['top', 'inetOrgPerson', 'posixAccount', 'extensibleObject']} ldif = ldap.modlist.modifyModlist(old, new) ldap_conn.modify_s(user_dn, ldif) ldap_conn.modify_s(user_dn, [(ldap.MOD_ADD, extra_attribute, given_name)]) ent.assert_passwd_by_name( user, dict(name="user", uid=2001, gid=2000, shell="/bin/bash"), ) domain = 'LDAP' ldb_conn = sssd_ldb.SssdLdb('LDAP') val = ldb_conn.get_entry_attr(sssd_ldb.CacheType.sysdb, sssd_ldb.TsCacheEntry.user, user, domain, extra_attribute) assert val == given_name
def env_root_user_override(request, ldap_conn, env_two_users_and_group): # Assert entries are not overriden ent.assert_passwd_by_name( 'root', dict(name='root', uid=0, gid=0)) ent.assert_passwd_by_uid(0, dict(name="root")) # Override subprocess.check_call(["sss_override", "user-add", "user1", "-u", "0", "-g", "0", "-n", "ov_user1", "-c", "Overriden User 1", "-h", "/home/ov/user1", "-s", "/bin/ov_user1_shell"]) subprocess.check_call(["sss_override", "user-add", "user2", "-u", "10020", "-g", "20020", "-n", "root", "-c", "Overriden User 2", "-h", "/home/ov/user2", "-s", "/bin/ov_user2_shell"]) # Restart SSSD so the override might take effect restart_sssd()
def test_mc_zero_timeout(ldap_conn, zero_timeout_rfc2307): """ Test that the memory cache is not created at all with memcache_timeout=0 """ # No memory cache files must be created assert len(os.listdir(config.MCACHE_PATH)) == 0 ent.assert_passwd_by_name( 'user1', dict(name='user1', passwd='*', uid=1001, gid=2001, gecos='1001', shell='/bin/bash')) ent.assert_passwd_by_uid( 1001, dict(name='user1', passwd='*', uid=1001, gid=2001, gecos='1001', shell='/bin/bash')) ent.assert_group_by_name("group1", dict(name="group1", gid=2001)) ent.assert_group_by_gid(2001, dict(name="group1", gid=2001)) stop_sssd() # sssd is stopped; so the memory cache should not be used # in long living clients (py.test in this case) with pytest.raises(KeyError): pwd.getpwnam('user1') with pytest.raises(KeyError): pwd.getpwuid(1001) with pytest.raises(KeyError): grp.getgrnam('group1') with pytest.raises(KeyError): grp.getgrgid(2001)
def run_simple_test_with_initgroups(): ent.assert_passwd_by_name( 'user1', dict(name='user1', passwd='*', uid=1001, gid=2001, gecos='1001', shell='/bin/bash')) ent.assert_passwd_by_uid( 1001, dict(name='user1', passwd='*', uid=1001, gid=2001, gecos='1001', shell='/bin/bash')) ent.assert_group_by_name( "group1", dict(mem=ent.contains_only("user1", "user11", "user21"))) ent.assert_group_by_gid( 2001, dict(mem=ent.contains_only("user1", "user11", "user21"))) # unrelated group to user1 ent.assert_group_by_name( "group2", dict(mem=ent.contains_only("user2", "user12", "user22"))) ent.assert_group_by_gid( 2002, dict(mem=ent.contains_only("user2", "user12", "user22"))) assert_initgroups_equal("user1", 2001, [2000, 2001])
def test_removed_mc(ldap_conn, sanity_rfc2307): """ Regression test for ticket: https://fedorahosted.org/sssd/ticket/2726 """ ent.assert_passwd_by_name( 'user1', dict(name='user1', passwd='*', uid=1001, gid=2001, gecos='1001', shell='/bin/bash')) ent.assert_passwd_by_uid( 1001, dict(name='user1', passwd='*', uid=1001, gid=2001, gecos='1001', shell='/bin/bash')) ent.assert_group_by_name("group1", dict(name="group1", gid=2001)) ent.assert_group_by_gid(2001, dict(name="group1", gid=2001)) stop_sssd() # remove cache without invalidation for path in os.listdir(config.MCACHE_PATH): os.unlink(config.MCACHE_PATH + "/" + path) # sssd is stopped; so the memory cache should not be used # in long living clients (py.test in this case) with pytest.raises(KeyError): pwd.getpwnam('user1') with pytest.raises(KeyError): pwd.getpwuid(1001) with pytest.raises(KeyError): grp.getgrnam('group1') with pytest.raises(KeyError): grp.getgrgid(2001)
def test_usermod(passwd_ops_setup): passwd_ops_setup.useradd(**USER1) ent.assert_passwd_by_name("user1", USER1) USER1['shell'] = '/bin/zsh' passwd_ops_setup.usermod(**USER1) ent.assert_passwd_by_name("user1", USER1)
def test_user_show_basic_fqname_insensitive(ldap_conn, fqname_case_insensitive_rfc2307, portable_LC_ALL): # Fill the cache first ent.assert_passwd_by_name( 'user1@LDAP', dict(name='user1@LDAP', passwd='*', uid=1001, gid=2001, gecos='1001', shell='/bin/bash')) ent.assert_passwd_by_name( 'CamelCaseUser1@LDAP', dict(name='camelcaseuser1@LDAP', passwd='*', uid=1002, gid=2002, gecos='1002', shell='/bin/bash')) output = get_call_output(["sssctl", "user-show", "user1@LDAP"]) assert output.find("Name: user1@LDAP") != -1 assert output.find("Initgroups expiration time: Initgroups were not yet " "performed") != -1 assert output.find("Cached in InfoPipe: No") != -1 output = get_call_output(["sssctl", "user-show", "CamelCaseUser1@LDAP"]) assert output.find("Name: camelcaseuser1@LDAP") != -1 assert output.find("Initgroups expiration time: Initgroups were not yet " "performed") != -1 assert output.find("Cached in InfoPipe: No") != -1 output = get_call_output(["sssctl", "user-show", "camelcaseuser1@LDAP"]) assert output.find("Name: camelcaseuser1@LDAP") != -1 assert output.find("Initgroups expiration time: Initgroups were not yet " "performed") != -1 assert output.find("Cached in InfoPipe: No") != -1
def env_replace_user_override(request, ldap_conn): prepare_sssd(request, ldap_conn) # Add entries ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) ent_list.add_user("user1", 10001, 20001, gecos='User Number 1', loginShell='/bin/user1_shell', homeDirectory='/home/user1') create_ldap_fixture(request, ldap_conn, ent_list) # Assert entries are not overriden ent.assert_passwd_by_name( 'user1', dict(name='user1', passwd='*', uid=10001, gid=20001, gecos='User Number 1', dir='/home/user1', shell='/bin/user1_shell')) # Override subprocess.check_call([ "sss_override", "user-add", "user1", "-u", "10010", "-g", "20010", "-n", "ov_user1", "-c", "Overriden User 1", "-h", "/home/ov/user1", "-s", "/bin/ov_user1_shell" ]) # Restart SSSD so the override might take effect restart_sssd() # Assert entries are overriden ent.assert_passwd_by_name( 'user1', dict(name='ov_user1', passwd='*', uid=10010, gid=20010, gecos='Overriden User 1', dir='/home/ov/user1', shell='/bin/ov_user1_shell')) # Override of override subprocess.check_call([ "sss_override", "user-add", "user1", "-u", "10100", "-g", "20100", "-n", "ov2_user1", "-c", "Overriden2 User 1", "-h", "/home/ov2/user1", "-s", "/bin/ov2_user1_shell" ]) # Restart SSSD so the override might take effect restart_sssd()
def test_regr_2757_override(ldap_conn, env_regr_2757_override): # Assert entries are overridden ent.assert_passwd_by_name("user1@LDAP", dict(name="alias1@LDAP", passwd="*", uid=10001, gid=20001)) ent.assert_passwd_by_name("alias1@LDAP", dict(name="alias1@LDAP", passwd="*", uid=10001, gid=20001)) with pytest.raises(KeyError): pwd.getpwnam("user1") with pytest.raises(KeyError): pwd.getpwnam("alias1")
def assert_user_overriden(): # There is an issue in nss_wrapper [0] and nss_wrapper always looks into # the files first before using the NSS module. This lets this check fail # because the user is found in the file and hence will be returned # without overridden values. # In order to work this around while there's no fix for nss_wrapper, let's # use the fully-qualified name when looking up the USER1 # # https://bugzilla.samba.org/show_bug.cgi?id=12883) ent.assert_passwd_by_name(USER1["name"]+"@files", OV_USER1) ent.assert_passwd_by_name(OV_USER1["name"], OV_USER1)
def assert_user_overriden(): # There is an issue in nss_wrapper [0] and nss_wrapper always looks into # the files first before using the NSS module. This lets this check fail # because the user is found in the file and hence will be returned # without overridden values. # In order to work this around while there's no fix for nss_wrapper, let's # use the fully-qualified name when looking up the USER1 # # https://bugzilla.samba.org/show_bug.cgi?id=12883) ent.assert_passwd_by_name(USER1["name"] + "@files", OV_USER1) ent.assert_passwd_by_name(OV_USER1["name"], OV_USER1)
def env_replace_user_override(request, ldap_conn): prepare_sssd(request, ldap_conn) # Add entries ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) ent_list.add_user("user1", 10001, 20001, gecos='User Number 1', loginShell='/bin/user1_shell', homeDirectory='/home/user1') create_ldap_fixture(request, ldap_conn, ent_list) # Assert entries are not overriden ent.assert_passwd_by_name( 'user1', dict(name='user1', passwd='*', uid=10001, gid=20001, gecos='User Number 1', dir='/home/user1', shell='/bin/user1_shell')) # Override subprocess.check_call(["sss_override", "user-add", "user1", "-u", "10010", "-g", "20010", "-n", "ov_user1", "-c", "Overriden User 1", "-h", "/home/ov/user1", "-s", "/bin/ov_user1_shell"]) # Restart SSSD so the override might take effect restart_sssd() # Assert entries are overriden ent.assert_passwd_by_name( 'user1', dict(name='ov_user1', passwd='*', uid=10010, gid=20010, gecos='Overriden User 1', dir='/home/ov/user1', shell='/bin/ov_user1_shell')) # Override of override subprocess.check_call(["sss_override", "user-add", "user1", "-u", "10100", "-g", "20100", "-n", "ov2_user1", "-c", "Overriden2 User 1", "-h", "/home/ov2/user1", "-s", "/bin/ov2_user1_shell"]) # Restart SSSD so the override might take effect restart_sssd()
def test_mix_cased_name_override(ldap_conn, env_mix_cased_name_override): """Test if names with upper and lower case letter are overridden""" # Assert entries are overridden user1 = dict( name="ov_user1@LDAP", passwd="*", uid=10010, gid=20010, gecos="Overriden User 1", dir="/home/ov/user1", shell="/bin/ov_user1_shell", ) user2 = dict( name="ov_user2@LDAP", passwd="*", uid=10020, gid=20020, gecos="Overriden User 2", dir="/home/ov/user2", shell="/bin/ov_user2_shell", ) ent.assert_passwd_by_name("user1@LDAP", user1) ent.assert_passwd_by_name("ov_user1@LDAP", user1) ent.assert_passwd_by_name("user2@LDAP", user2) ent.assert_passwd_by_name("ov_user2@LDAP", user2)
def test_regr_2757_override(ldap_conn, env_regr_2757_override): # Assert entries are overridden ent.assert_passwd_by_name( 'user1@LDAP', dict(name='alias1@LDAP', passwd='*', uid=10001, gid=20001)) ent.assert_passwd_by_name( 'alias1@LDAP', dict(name='alias1@LDAP', passwd='*', uid=10001, gid=20001)) with pytest.raises(KeyError): pwd.getpwnam('user1') with pytest.raises(KeyError): pwd.getpwnam('alias1')
def test_mix_cased_name_override(ldap_conn, env_mix_cased_name_override): """Test if names with upper and lower case letter are overridden""" # Assert entries are overridden user1 = dict(name='ov_user1@LDAP', passwd='*', uid=10010, gid=20010, gecos='Overriden User 1', dir='/home/ov/user1', shell='/bin/ov_user1_shell') user2 = dict(name='ov_user2@LDAP', passwd='*', uid=10020, gid=20020, gecos='Overriden User 2', dir='/home/ov/user2', shell='/bin/ov_user2_shell') ent.assert_passwd_by_name('user1@LDAP', user1) ent.assert_passwd_by_name('ov_user1@LDAP', user1) ent.assert_passwd_by_name('user2@LDAP', user2) ent.assert_passwd_by_name('ov_user2@LDAP', user2)
def test_replace_user_override(ldap_conn, env_replace_user_override): user = dict(name='ov2_user1', passwd='*', uid=10100, gid=20100, gecos='Overriden2 User 1', dir='/home/ov2/user1', shell='/bin/ov2_user1_shell') ent.assert_passwd_by_name('ov2_user1', user) ent.assert_passwd_by_name('ov2_user1@LDAP', user) with pytest.raises(KeyError): pwd.getpwnam('ov_user1') with pytest.raises(KeyError): pwd.getpwnam('ov_user1@LDAP')
def assert_user_default(): # Assert entries are not overriden with pytest.raises(KeyError): pwd.getpwnam('ov_user1') with pytest.raises(KeyError): pwd.getpwnam('ov_user1@LDAP') with pytest.raises(KeyError): pwd.getpwnam('ov_user2') with pytest.raises(KeyError): pwd.getpwnam('ov_user2@LDAP') user1 = dict(name='user1', passwd='*', uid=10001, gid=20001, gecos='User Number 1', dir='/home/user1', shell='/bin/user1_shell') user2 = dict(name='user2', passwd='*', uid=10002, gid=20001, gecos='User Number 2', dir='/home/user2', shell='/bin/user2_shell') ent.assert_passwd_by_name('user1', user1) ent.assert_passwd_by_name('user1@LDAP', user1) ent.assert_passwd_by_name('user2', user2) ent.assert_passwd_by_name('user2@LDAP', user2)
def test_disabled_group_mc(ldap_conn, disable_grp_mc_rfc2307): ent.assert_passwd_by_name( 'user1', dict(name='user1', passwd='*', uid=1001, gid=2001, gecos='1001', shell='/bin/bash')) ent.assert_passwd_by_uid( 1001, dict(name='user1', passwd='*', uid=1001, gid=2001, gecos='1001', shell='/bin/bash')) ent.assert_group_by_name("group1", dict(name="group1", gid=2001)) ent.assert_group_by_gid(2001, dict(name="group1", gid=2001)) assert_user_gids_equal('user1', [2000, 2001]) stop_sssd() # group cache is disabled, other caches should work ent.assert_passwd_by_name( 'user1', dict(name='user1', passwd='*', uid=1001, gid=2001, gecos='1001', shell='/bin/bash')) ent.assert_passwd_by_uid( 1001, dict(name='user1', passwd='*', uid=1001, gid=2001, gecos='1001', shell='/bin/bash')) with pytest.raises(KeyError): grp.getgrnam('group1') with pytest.raises(KeyError): grp.getgrgid(2001) assert_user_gids_equal('user1', [2000, 2001])
def test_assert_passwd_by_name(users_and_groups): ent.assert_passwd_by_name("user1", {}) ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001)) ent.assert_passwd_by_name("user1", USER1) try: ent.assert_passwd_by_name("user3", {}) assert False except AssertionError as e: assert str(e) == "'getpwnam(): name not found: user3'" try: ent.assert_passwd_by_name("user2", dict(name="user1")) assert False except AssertionError as e: assert str(e) == "'name' mismatch: 'user1' != 'user2'"
def test_disabled_initgr_mc(ldap_conn, disable_initgr_mc_rfc2307): ent.assert_passwd_by_name( 'user1', dict(name='user1', passwd='*', uid=1001, gid=2001, gecos='1001', shell='/bin/bash')) ent.assert_passwd_by_uid( 1001, dict(name='user1', passwd='*', uid=1001, gid=2001, gecos='1001', shell='/bin/bash')) ent.assert_group_by_name("group1", dict(name="group1", gid=2001)) ent.assert_group_by_gid(2001, dict(name="group1", gid=2001)) assert_user_gids_equal('user1', [2000, 2001]) stop_sssd() # initgroups is disabled, other caches should work ent.assert_passwd_by_name( 'user1', dict(name='user1', passwd='*', uid=1001, gid=2001, gecos='1001', shell='/bin/bash')) ent.assert_passwd_by_uid( 1001, dict(name='user1', passwd='*', uid=1001, gid=2001, gecos='1001', shell='/bin/bash')) ent.assert_group_by_name("group1", dict(name="group1", gid=2001)) ent.assert_group_by_gid(2001, dict(name="group1", gid=2001)) assert_unsuccessful_initgr('user1')
def test_special_characters_in_names(ldap_conn, sanity_rfc2307): """ Test special characters which could cause malformed filter in ldb_seach. Regression test for ticket: https://fedorahosted.org/sssd/ticket/3121 """ ent.assert_passwd_by_name( "t(u)ser", dict(name="t(u)ser", passwd="*", uid=5000, gid=5001, gecos="5000", shell="/bin/bash")) ent.assert_group_by_name( "group(_u)ser1", dict(name="group(_u)ser1", passwd="*", gid=5001, mem=ent.contains_only("t(u)ser")))
def test_user_update_same_modstamp(ldap_conn, ldb_examine, setup_rfc2307bis): """ Test that a user update with the same modifyTimestamp does not trigger sysdb cache update """ ldb_conn = ldb_examine old_sysdb_attrs, old_ts_attrs = prime_cache_user(ldb_conn, "user1", 2001) ent.assert_passwd_by_name("user1", dict(name="user1")) sysdb_attrs, ts_attrs = get_user_attrs(ldb_conn, "user1", SSSD_DOMAIN, TS_ATTRLIST) assert_same_attrval(sysdb_attrs, old_sysdb_attrs, "dataExpireTimestamp") assert_same_attrval(sysdb_attrs, old_sysdb_attrs, "originalModifyTimestamp") assert_diff_attrval(ts_attrs, old_ts_attrs, "dataExpireTimestamp") assert_same_attrval(ts_attrs, old_ts_attrs, "originalModifyTimestamp")
def test_replace_user_override(ldap_conn, env_replace_user_override): user = dict( name="ov2_user1", passwd="*", uid=10100, gid=20100, gecos="Overriden2 User 1", dir="/home/ov2/user1", shell="/bin/ov2_user1_shell", ) ent.assert_passwd_by_name("ov2_user1", user) ent.assert_passwd_by_name("ov2_user1@LDAP", user) with pytest.raises(KeyError): pwd.getpwnam("ov_user1") with pytest.raises(KeyError): pwd.getpwnam("ov_user1@LDAP")
def test_refresh_after_cleanup_task(ldap_conn, refresh_after_cleanup_task): """ Regression test for ticket: https://fedorahosted.org/sssd/ticket/2676 """ ent.assert_group_by_name( "group2", dict(mem=ent.contains_only("user1"))) ent.assert_passwd_by_name( 'user1', dict(name='user1', passwd='*', uid=1001, gid=2001, gecos='1001', shell='/bin/bash')) time.sleep(15) ent.assert_group_by_name( "group2", dict(mem=ent.contains_only("user1")))
def test_invalidation_of_gids_after_initgroups(ldap_conn, sanity_rfc2307): # the sssd cache was empty and not all user's group were # resolved with getgr{nm,gid}. Therefore there is a change in # group membership => user groups should be invalidated run_simple_test_with_initgroups() assert_initgroups_equal("user1", 2001, [2000, 2001]) stop_sssd() ent.assert_passwd_by_name( 'user1', dict(name='user1', passwd='*', uid=1001, gid=2001, gecos='1001', shell='/bin/bash')) ent.assert_passwd_by_uid( 1001, dict(name='user1', passwd='*', uid=1001, gid=2001, gecos='1001', shell='/bin/bash')) # unrelated group to user1 must be returned ent.assert_group_by_name( "group2", dict(mem=ent.contains_only("user2", "user12", "user22"))) ent.assert_group_by_gid( 2002, dict(mem=ent.contains_only("user2", "user12", "user22"))) assert_initgroups_equal("user1", 2001, [2000, 2001]) # user groups must be invalidated for group in ["group1", "group0x"]: with pytest.raises(KeyError): grp.getgrnam(group) for gid in [2000, 2001]: with pytest.raises(KeyError): grp.getgrgid(gid)
def env_regr_2757_override(request, ldap_conn): prepare_sssd(request, ldap_conn, use_fully_qualified_names=True) # Add entries ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) ent_list.add_user("user1", 10001, 20001) create_ldap_fixture(request, ldap_conn, ent_list) # Assert entries are not overridden ent.assert_passwd_by_name("user1@LDAP", dict(name="user1@LDAP", passwd="*", uid=10001, gid=20001)) with pytest.raises(KeyError): pwd.getpwnam("alias1") with pytest.raises(KeyError): pwd.getpwnam("alias1@LDAP") # Override subprocess.check_call(["sss_override", "user-add", "user1@LDAP", "-n", "alias1"]) restart_sssd()
def test_disabled_initgr_mc(ldap_conn, disable_initgr_mc_rfc2307): # Even if initgroups is disabled, passwd should work ent.assert_passwd_by_name( 'user1', dict(name='user1', passwd='*', uid=1001, gid=2001, gecos='1001', shell='/bin/bash')) ent.assert_passwd_by_uid( 1001, dict(name='user1', passwd='*', uid=1001, gid=2001, gecos='1001', shell='/bin/bash')) stop_sssd() ent.assert_passwd_by_name( 'user1', dict(name='user1', passwd='*', uid=1001, gid=2001, gecos='1001', shell='/bin/bash')) ent.assert_passwd_by_uid( 1001, dict(name='user1', passwd='*', uid=1001, gid=2001, gecos='1001', shell='/bin/bash'))
def test_colliding_hashes(ldap_conn, sanity_rfc2307): """ Regression test for ticket: https://pagure.io/SSSD/sssd/issue/3571 """ first_user = '******' # initialize data in memcache ent.assert_passwd_by_name( first_user, dict(name='user1', passwd='*', uid=1001, gid=2001, gecos='1001', shell='/bin/bash')) mem_cache = MemoryCache(config.MCACHE_PATH + '/passwd') colliding_hash = mem_cache.sss_nss_mc_hash(first_user) while True: # string for colliding hash need to be longer then data for user1 # stored in memory cache (almost equivalent to: # `getent passwd user1 | wc -c` ==> 45 second_user = get_random_string(80) val = mem_cache.sss_nss_mc_hash(second_user) if val == colliding_hash: break # add new user to LDAP ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) ent_list.add_user(second_user, 5001, 5001) ldap_conn.add_s(ent_list[0][0], ent_list[0][1]) ent.assert_passwd_by_name( second_user, dict(name=second_user, passwd='*', uid=5001, gid=5001, gecos='5001', shell='/bin/bash')) stop_sssd() # check that both users are stored in cache ent.assert_passwd_by_name( first_user, dict(name='user1', passwd='*', uid=1001, gid=2001, gecos='1001', shell='/bin/bash')) ent.assert_passwd_by_name( second_user, dict(name=second_user, passwd='*', uid=5001, gid=5001, gecos='5001', shell='/bin/bash'))
def env_root_user_override(request, ldap_conn, env_two_users_and_group): # Assert entries are not overriden ent.assert_passwd_by_name('root', dict(name='root', uid=0, gid=0)) ent.assert_passwd_by_uid(0, dict(name="root")) # Override subprocess.check_call([ "sss_override", "user-add", "user1", "-u", "0", "-g", "0", "-n", "ov_user1", "-c", "Overriden User 1", "-h", "/home/ov/user1", "-s", "/bin/ov_user1_shell" ]) subprocess.check_call([ "sss_override", "user-add", "user2", "-u", "10020", "-g", "20020", "-n", "root", "-c", "Overriden User 2", "-h", "/home/ov/user2", "-s", "/bin/ov_user2_shell" ]) # Restart SSSD so the override might take effect restart_sssd()
def test_disabled_mc(ldap_conn, disable_memcache_rfc2307): ent.assert_passwd_by_name( 'user1', dict(name='user1', passwd='*', uid=1001, gid=2001, gecos='1001', shell='/bin/bash')) ent.assert_passwd_by_uid( 1001, dict(name='user1', passwd='*', uid=1001, gid=2001, gecos='1001', shell='/bin/bash')) ent.assert_group_by_name("group1", dict(name="group1", gid=2001)) ent.assert_group_by_gid(2001, dict(name="group1", gid=2001)) assert_user_gids_equal('user1', [2000, 2001]) stop_sssd() # sssd is stopped and the memory cache is disabled; # so pytest should not be able to find anything with pytest.raises(KeyError): pwd.getpwnam('user1') with pytest.raises(KeyError): pwd.getpwuid(1001) with pytest.raises(KeyError): grp.getgrnam('group1') with pytest.raises(KeyError): grp.getgrgid(2001) with pytest.raises(KeyError): (res, errno, gids) = sssd_id.get_user_gids('user1')
def test_root_user_override(ldap_conn, env_root_user_override): """Test entries are not overriden to root""" # Override does not have to happen completly, trying to set uid or gid # to 0 is simply ignored. ent.assert_passwd_by_name( 'ov_user1', dict(name='ov_user1', passwd='*', uid=10001, gid=20001, gecos='Overriden User 1', dir='/home/ov/user1', shell='/bin/ov_user1_shell')) # We can create override with name root. This test is just for tracking # that this particular behavior won't change. ent.assert_passwd_by_name( 'user2', dict(name='root', passwd='*', uid=10020, gid=20020, gecos='Overriden User 2', dir='/home/ov/user2', shell='/bin/ov_user2_shell')) ent.assert_passwd_by_uid(0, dict(name="root"))
def test_colliding_hashes(ldap_conn, sanity_rfc2307): """ Regression test for ticket: https://github.com/SSSD/sssd/issues/4595 """ first_user = '******' # initialize data in memcache ent.assert_passwd_by_name( first_user, dict(name='user1', passwd='*', uid=1001, gid=2001, gecos='1001', shell='/bin/bash')) mem_cache = MemoryCache(config.MCACHE_PATH + '/passwd') colliding_hash = mem_cache.sss_nss_mc_hash(first_user) while True: # string for colliding hash need to be longer then data for user1 # stored in memory cache (almost equivalent to: # `getent passwd user1 | wc -c` ==> 45 second_user = get_random_string(80) val = mem_cache.sss_nss_mc_hash(second_user) if val == colliding_hash: break # add new user to LDAP ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) ent_list.add_user(second_user, 5001, 5001) ldap_conn.add_s(ent_list[0][0], ent_list[0][1]) ent.assert_passwd_by_name( second_user, dict(name=second_user, passwd='*', uid=5001, gid=5001, gecos='5001', shell='/bin/bash')) stop_sssd() # check that both users are stored in cache ent.assert_passwd_by_name( first_user, dict(name='user1', passwd='*', uid=1001, gid=2001, gecos='1001', shell='/bin/bash')) ent.assert_passwd_by_name( second_user, dict(name=second_user, passwd='*', uid=5001, gid=5001, gecos='5001', shell='/bin/bash'))
def test_user_2307bis_nested_groups(ldap_conn, sanity_rfc2307_bis): """ Test nested groups. Regression test for ticket: https://fedorahosted.org/sssd/ticket/3093 """ primary_gid = 2001 # group1, two_user_group, one_user_group1, group_one_user_group, # group_two_user_group, group_two_one_user_groups expected_gids = [2001, 2012, 2015, 2017, 2018, 2019] ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001, gid=primary_gid)) (res, errno, gids) = sssd_id.call_sssd_initgroups("user1", primary_gid) assert res == sssd_id.NssReturnCode.SUCCESS assert sorted(gids) == sorted(expected_gids), \ "result: %s\n expected %s" % ( ", ".join(["%s" % s for s in sorted(gids)]), ", ".join(["%s" % s for s in sorted(expected_gids)]) )
def env_regr_2757_override(request, ldap_conn): prepare_sssd(request, ldap_conn, use_fully_qualified_names=True) # Add entries ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) ent_list.add_user("user1", 10001, 20001) create_ldap_fixture(request, ldap_conn, ent_list) # Assert entries are not overridden ent.assert_passwd_by_name( 'user1@LDAP', dict(name='user1@LDAP', passwd='*', uid=10001, gid=20001)) with pytest.raises(KeyError): pwd.getpwnam('alias1') with pytest.raises(KeyError): pwd.getpwnam('alias1@LDAP') # Override subprocess.check_call(["sss_override", "user-add", "user1@LDAP", "-n", "alias1"]) restart_sssd()
def assert_mc_records_for_user1(): ent.assert_passwd_by_name( 'user1', dict(name='user1', passwd='*', uid=1001, gid=2001, gecos='1001', shell='/bin/bash')) ent.assert_passwd_by_uid( 1001, dict(name='user1', passwd='*', uid=1001, gid=2001, gecos='1001', shell='/bin/bash')) ent.assert_group_by_name( "group1", dict(mem=ent.contains_only("user1", "user11", "user21"))) ent.assert_group_by_gid( 2001, dict(mem=ent.contains_only("user1", "user11", "user21"))) ent.assert_group_by_name( "group0x", dict(mem=ent.contains_only("user1", "user2", "user3"))) ent.assert_group_by_gid( 2000, dict(mem=ent.contains_only("user1", "user2", "user3"))) assert_initgroups_equal("user1", 2001, [2000, 2001])
def test_disabled_passwd_mc(ldap_conn, disable_pwd_mc_rfc2307): ent.assert_passwd_by_name( 'user1', dict(name='user1', passwd='*', uid=1001, gid=2001, gecos='1001', shell='/bin/bash')) ent.assert_passwd_by_uid( 1001, dict(name='user1', passwd='*', uid=1001, gid=2001, gecos='1001', shell='/bin/bash')) assert_user_gids_equal('user1', [2000, 2001]) stop_sssd() # passwd cache is disabled with pytest.raises(KeyError): pwd.getpwnam('user1') with pytest.raises(KeyError): pwd.getpwuid(1001) # Initgroups looks up the user first, hence KeyError from the # passwd database even if the initgroups cache is active. with pytest.raises(KeyError): (res, errno, gids) = sssd_id.get_user_gids('user1')
def assert_user_default(): # Assert entries are not overriden with pytest.raises(KeyError): pwd.getpwnam("ov_user1") with pytest.raises(KeyError): pwd.getpwnam("ov_user1@LDAP") with pytest.raises(KeyError): pwd.getpwnam("ov_user2") with pytest.raises(KeyError): pwd.getpwnam("ov_user2@LDAP") user1 = dict( name="user1", passwd="*", uid=10001, gid=20001, gecos="User Number 1", dir="/home/user1", shell="/bin/user1_shell", ) user2 = dict( name="user2", passwd="*", uid=10002, gid=20001, gecos="User Number 2", dir="/home/user2", shell="/bin/user2_shell", ) ent.assert_passwd_by_name("user1", user1) ent.assert_passwd_by_name("user1@LDAP", user1) ent.assert_passwd_by_name("user2", user2) ent.assert_passwd_by_name("user2@LDAP", user2)
def test_getpwnam(ldap_conn, sanity_rfc2307): ent.assert_passwd_by_name( 'user1', dict(name='user1', passwd='*', uid=1001, gid=2001, gecos='1001', shell='/bin/bash')) ent.assert_passwd_by_uid( 1001, dict(name='user1', passwd='*', uid=1001, gid=2001, gecos='1001', shell='/bin/bash')) ent.assert_passwd_by_name( 'user2', dict(name='user2', passwd='*', uid=1002, gid=2002, gecos='1002', shell='/bin/bash')) ent.assert_passwd_by_uid( 1002, dict(name='user2', passwd='*', uid=1002, gid=2002, gecos='1002', shell='/bin/bash')) ent.assert_passwd_by_name( 'user3', dict(name='user3', passwd='*', uid=1003, gid=2003, gecos='1003', shell='/bin/bash')) ent.assert_passwd_by_uid( 1003, dict(name='user3', passwd='*', uid=1003, gid=2003, gecos='1003', shell='/bin/bash')) ent.assert_passwd_by_name( 'user11', dict(name='user11', passwd='*', uid=1011, gid=2001, gecos='1011', shell='/bin/bash')) ent.assert_passwd_by_uid( 1011, dict(name='user11', passwd='*', uid=1011, gid=2001, gecos='1011', shell='/bin/bash')) ent.assert_passwd_by_name( 'user12', dict(name='user12', passwd='*', uid=1012, gid=2002, gecos='1012', shell='/bin/bash')) ent.assert_passwd_by_uid( 1012, dict(name='user12', passwd='*', uid=1012, gid=2002, gecos='1012', shell='/bin/bash')) ent.assert_passwd_by_name( 'user13', dict(name='user13', passwd='*', uid=1013, gid=2003, gecos='1013', shell='/bin/bash')) ent.assert_passwd_by_uid( 1013, dict(name='user13', passwd='*', uid=1013, gid=2003, gecos='1013', shell='/bin/bash')) ent.assert_passwd_by_name( 'user21', dict(name='user21', passwd='*', uid=1021, gid=2001, gecos='1021', shell='/bin/bash')) ent.assert_passwd_by_uid( 1021, dict(name='user21', passwd='*', uid=1021, gid=2001, gecos='1021', shell='/bin/bash')) ent.assert_passwd_by_name( 'user22', dict(name='user22', passwd='*', uid=1022, gid=2002, gecos='1022', shell='/bin/bash')) ent.assert_passwd_by_uid( 1022, dict(name='user22', passwd='*', uid=1022, gid=2002, gecos='1022', shell='/bin/bash')) ent.assert_passwd_by_name( 'user23', dict(name='user23', passwd='*', uid=1023, gid=2003, gecos='1023', shell='/bin/bash')) ent.assert_passwd_by_uid( 1023, dict(name='user23', passwd='*', uid=1023, gid=2003, gecos='1023', shell='/bin/bash'))
def setup_pw_with_list(request, user_list): pwd_ops = passwd_ops_setup(request) for user in user_list: pwd_ops.useradd(**user) ent.assert_passwd_by_name(CANARY['name'], CANARY) return pwd_ops
def assert_user_overriden(override_name=True): if override_name: name1 = "ov_user1" name2 = "ov_user2" else: name1 = "user1" name2 = "user2" user1 = dict(name=name1, passwd='*', uid=10010, gid=20010, gecos='Overriden User 1', dir='/home/ov/user1', shell='/bin/ov_user1_shell') user2 = dict(name=name2, passwd='*', uid=10020, gid=20020, gecos='Overriden User 2', dir='/home/ov/user2', shell='/bin/ov_user2_shell') ent.assert_passwd_by_name('user1', user1) ent.assert_passwd_by_name('user1@LDAP', user1) if override_name: ent.assert_passwd_by_name('ov_user1', user1) ent.assert_passwd_by_name('ov_user1@LDAP', user1) ent.assert_passwd_by_name('user2', user2) ent.assert_passwd_by_name('user2@LDAP', user2) if override_name: ent.assert_passwd_by_name('ov_user2', user2) ent.assert_passwd_by_name('ov_user2@LDAP', user2)
def test_override_homedir_option(ldap_conn, env_override_homedir_option): """Test if overrides will overwrite override_homedir option""" # Assert entries are overridden, user1 has no homedir override and # override_homedir option should be used, user2 has a homedir override # which should be used. user1 = dict(name='ov_user1', passwd='*', uid=10010, gid=20010, gecos='Overriden User 1', dir='/home/ov_option/ov_user1', shell='/bin/ov_user1_shell') user2 = dict(name='ov_user2', passwd='*', uid=10020, gid=20020, gecos='Overriden User 2', dir='/home/ov/user2', shell='/bin/ov_user2_shell') ent.assert_passwd_by_name('user1@LDAP', user1) ent.assert_passwd_by_name('ov_user1@LDAP', user1) ent.assert_passwd_by_name('user1', user1) ent.assert_passwd_by_name('ov_user1', user1) ent.assert_passwd_by_name('user2@LDAP', user2) ent.assert_passwd_by_name('ov_user2@LDAP', user2) ent.assert_passwd_by_name('user2', user2) ent.assert_passwd_by_name('ov_user2', user2)
def setup_pw_with_list(pwd_ops, user_list): for user in user_list: pwd_ops.useradd(**user) ent.assert_passwd_by_name(CANARY['name'], CANARY) return pwd_ops