def test_getgrnam_add_remove_ghosts(setup_pw_with_canary,
                                    add_group_nomem_with_canary,
                                    files_domain_only):
    """
    Check that ghost group members can be added and removed, and that a
    ghost becomes a real member once the matching user is created.

    The group is given the members user1 and user2, then reduced to
    user2 only, while neither name has a passwd entry. user2 is then
    added and must be reported as a member of group_nomem.
    """
    pwd_ops = setup_pw_with_canary
    grp_ops = add_group_nomem_with_canary
    check_group(GROUP_NOMEM)

    updated_group = dict(GROUP_NOMEM)
    for members in (['user1', 'user2'], ['user2']):
        updated_group['mem'] = members
        grp_ops.groupmod(old_name=updated_group['name'], **updated_group)
        check_group(updated_group)

    # Neither name may resolve as a user yet
    for ghost in ('user1', 'user2'):
        status, _ = call_sssd_getpwnam(ghost)
        assert status == NssReturnCode.NOTFOUND

    # Add this user and verify it's been added as a member
    pwd_ops.useradd(**USER2)

    # The lookup above may have left user2 in the negative cache, so
    # invalidate every cached entry before looking it up again. This is
    # best effort: the exit status of sss_cache is not checked.
    subprocess.call(["sss_cache", "-E"])

    status, memberships = sssd_id_sync('user2')
    assert status == sssd_id.NssReturnCode.SUCCESS
    assert len(memberships) == 2
    assert 'group_nomem' in memberships
def test_getgrnam_add_remove_ghosts(setup_pw_with_canary,
                                    add_group_nomem_with_canary,
                                    files_domain_only):
    """
    Check that ghost group members can be added and removed, and that a
    ghost becomes a real member once the matching user is created.

    This variant does not invalidate any cache between the NOTFOUND
    lookup of user2 and the lookup that follows useradd.
    """
    pwd_ops = setup_pw_with_canary
    grp_ops = add_group_nomem_with_canary
    check_group(GROUP_NOMEM)

    updated_group = dict(GROUP_NOMEM)
    for members in (['user1', 'user2'], ['user2']):
        updated_group['mem'] = members
        grp_ops.groupmod(old_name=updated_group['name'], **updated_group)
        check_group(updated_group)

    # Neither name may resolve as a user yet
    for ghost in ('user1', 'user2'):
        status, _ = call_sssd_getpwnam(ghost)
        assert status == NssReturnCode.NOTFOUND

    # Add this user and verify it's been added as a member
    pwd_ops.useradd(**USER2)

    status, memberships = sssd_id_sync('user2')
    assert status == sssd_id.NssReturnCode.SUCCESS
    assert len(memberships) == 2
    assert 'group_nomem' in memberships
def test_getgrnam_add_remove_ghosts(setup_pw_with_canary,
                                    add_group_nomem_with_canary,
                                    files_domain_only):
    """
    Check that a group whose members have no passwd entry is reported
    as NOTFOUND by the SSSD getgrnam call.

    The lookup is repeated after each membership change (user1 and
    user2, then user2 only); neither user may resolve by name either.
    """
    # Fixture handle; not used any further in this variant
    pwd_ops = setup_pw_with_canary
    grp_ops = add_group_nomem_with_canary
    check_group(GROUP_NOMEM)

    updated_group = dict(GROUP_NOMEM)
    for members in (['user1', 'user2'], ['user2']):
        updated_group['mem'] = members
        grp_ops.groupmod(old_name=updated_group['name'], **updated_group)
        # presumably gives SSSD time to notice the change; TODO confirm
        time.sleep(1)
        status, _ = call_sssd_getgrnam(updated_group['name'])
        assert status == sssd_id.NssReturnCode.NOTFOUND

    for ghost in ('user1', 'user2'):
        status, _ = call_sssd_getpwnam(ghost)
        assert status == NssReturnCode.NOTFOUND
def test_getgrnam_add_remove_ghosts(setup_pw_with_canary,
                                    add_group_nomem_with_canary,
                                    files_domain_only):
    """
    Check that ghost group members can be added and removed, and that a
    ghost becomes a real member once the matching user is created.

    The group is given the members user1 and user2, then reduced to
    user2 only, while neither name has a passwd entry. user2 is then
    added and must be reported as a member of group_nomem.
    """
    pwd_ops = setup_pw_with_canary
    grp_ops = add_group_nomem_with_canary
    check_group(GROUP_NOMEM)

    updated_group = dict(GROUP_NOMEM)
    for members in (['user1', 'user2'], ['user2']):
        updated_group['mem'] = members
        grp_ops.groupmod(old_name=updated_group['name'], **updated_group)
        check_group(updated_group)

    # Neither name may resolve as a user yet
    for ghost in ('user1', 'user2'):
        status, _ = call_sssd_getpwnam(ghost)
        assert status == NssReturnCode.NOTFOUND

    # Add this user and verify it's been added as a member
    pwd_ops.useradd(**USER2)

    # The lookup above may have left user2 in the negative cache, so
    # invalidate every cached entry before looking it up again. This is
    # best effort: the exit status of sss_cache is not checked.
    subprocess.call(["sss_cache", "-E"])

    status, memberships = sssd_id_sync('user2')
    assert status == sssd_id.NssReturnCode.SUCCESS
    assert len(memberships) == 2
    assert 'group_nomem' in memberships
def test_proxy_to_files_domain_only(add_user_with_canary,
                                    proxy_to_files_domain_only):
    """
    Test that the implicit_files domain is not started together with a
    proxy to files: a name qualified with @implicit_files must not
    resolve.
    """
    qualified_name = "{0}@implicit_files".format(USER1["name"])
    status, _ = call_sssd_getpwnam(qualified_name)
    assert status == NssReturnCode.NOTFOUND
def test_proxy_to_files_domain_only(add_user_with_canary,
                                    proxy_to_files_domain_only):
    """
    Test that the implicit_files domain is not started together with a
    proxy to files.

    A user created with sss_useradd must resolve with the UID given
    there, and the same name qualified with @implicit_files must not
    resolve at all.
    """
    expected_user = {
        'name': 'user1',
        'passwd': '*',
        'uid': 10009,
        'gid': 10009,
        'gecos': 'user1',
        'dir': '/home/user1',
        'shell': '/bin/bash',
    }

    # Add a user with a different UID than the one in files.
    # check_call makes the test fail right here if sss_useradd fails.
    useradd_cmd = ["sss_useradd", "-u", "10009", "-M", USER1["name"]]
    subprocess.check_call(useradd_cmd)

    status, resolved = call_sssd_getpwnam(USER1["name"])
    assert status == NssReturnCode.SUCCESS
    assert resolved == expected_user

    qualified_name = "{0}@implicit_files".format(USER1["name"])
    status, _ = call_sssd_getpwnam(qualified_name)
    assert status == NssReturnCode.NOTFOUND
def test_proxy_to_files_domain_only(add_user_with_canary,
                                    proxy_to_files_domain_only):
    """
    Test that the implicit_files domain is not started together with a
    proxy to files.

    A user created with sss_useradd must resolve with the UID given
    there, and the same name qualified with @implicit_files must not
    resolve at all.
    """
    expected_user = {
        'name': 'user1',
        'passwd': '*',
        'uid': 10009,
        'gid': 10009,
        'gecos': 'user1',
        'dir': '/home/user1',
        'shell': '/bin/bash',
    }

    # Add a user with a different UID than the one in files.
    # check_call makes the test fail right here if sss_useradd fails.
    useradd_cmd = ["sss_useradd", "-u", "10009", "-M", USER1["name"]]
    subprocess.check_call(useradd_cmd)

    status, resolved = call_sssd_getpwnam(USER1["name"])
    assert status == NssReturnCode.SUCCESS
    assert resolved == expected_user

    qualified_name = "{0}@implicit_files".format(USER1["name"])
    status, _ = call_sssd_getpwnam(qualified_name)
    assert status == NssReturnCode.NOTFOUND
def test_root_does_not_resolve(files_domain_only):
    """
    SSSD currently does not resolve the root user even though it can
    be resolved through the NSS interface.
    """
    # pwd.getpwnam raises KeyError for a missing entry, so getting as
    # far as the assert already shows that root resolves through NSS.
    root_entry = pwd.getpwnam("root")
    assert root_entry is not None

    # The SSSD lookup itself must not hand out the root account
    status, _ = call_sssd_getpwnam("root")
    assert status == NssReturnCode.NOTFOUND
def test_root_does_not_resolve(files_domain_only):
    """
    SSSD currently does not resolve the root user even though it can
    be resolved through the NSS interface.
    """
    # pwd.getpwnam raises KeyError for a missing entry, so getting as
    # far as the assert already shows that root resolves through NSS.
    root_entry = pwd.getpwnam("root")
    assert root_entry is not None

    # The SSSD lookup itself must not hand out the root account
    status, _ = call_sssd_getpwnam("root")
    assert status == NssReturnCode.NOTFOUND
def test_nss_filters_cached(ldap_conn, sanity_nss_filter_cached):
    """
    Check that filtered users and groups stay hidden on repeated
    lookups and that root / ID 0 is never returned.

    Each filtered ID is looked up twice with a two second pause in
    between; presumably the second lookup is meant to be answered from
    the cache (TODO confirm against the fixture's configuration).
    """
    expected_users = expected_list_to_name_dict([
        {'name': 'user1', 'passwd': '*', 'uid': 1001, 'gid': 2001,
         'gecos': '1001', 'dir': '/home/user1', 'shell': '/bin/bash'},
        {'name': 'user3', 'passwd': '*', 'uid': 1003, 'gid': 2003,
         'gecos': '1003', 'dir': '/home/user3', 'shell': '/bin/bash'},
    ])
    ent.assert_each_passwd_by_name(expected_users)

    # test filtered user
    with pytest.raises(KeyError):
        pwd.getpwuid(1002)
    time.sleep(2)
    with pytest.raises(KeyError):
        pwd.getpwuid(1002)

    expected_groups = expected_list_to_name_dict([
        {'name': 'group1', 'passwd': '*', 'gid': 2001,
         'mem': ent.contains_only()},
        {'name': 'group3', 'passwd': '*', 'gid': 2003,
         'mem': ent.contains_only()},
    ])
    ent.assert_each_group_by_name(expected_groups)

    # test filtered group
    with pytest.raises(KeyError):
        grp.getgrgid(2002)
    time.sleep(2)
    with pytest.raises(KeyError):
        grp.getgrgid(2002)

    # test that root is always filtered even if filter_users contains other
    # entries. This is a regression test for upstream ticket #3460.
    # All four ways of reaching root (user and group, by name and by
    # ID 0) are covered, so a custom filter list cannot re-expose it.
    root_lookups = (
        (call_sssd_getpwnam, "root"),
        (call_sssd_getgrnam, "root"),
        (call_sssd_getpwuid, 0),
        (call_sssd_getgrgid, 0),
    )
    for lookup, key in root_lookups:
        status, _ = lookup(key)
        assert status == NssReturnCode.NOTFOUND
def test_getgrnam_ghost(setup_pw_with_canary,
                        setup_gr_with_canary,
                        files_domain_only):
    """
    Test that group members which have no user entry are added as
    ghosts. This is also what nss_files does, getgrnam would return
    group members that do not exist as well.
    """
    no_users = []
    groups_to_add = [GROUP12]
    user_and_group_setup(setup_pw_with_canary,
                         setup_gr_with_canary,
                         no_users,
                         groups_to_add,
                         False)
    check_group(GROUP12)

    # Being listed in the group must not make a name resolve as a user
    ghost_names = GROUP12['mem']
    for ghost in ghost_names:
        status, _ = call_sssd_getpwnam(ghost)
        assert status == NssReturnCode.NOTFOUND
def ghost_and_member_test(pw_ops, grp_ops, reverse):
    """
    Set up USER1 and GROUP12 and check a group that has one real
    member and one ghost member.

    `reverse` is handed through to user_and_group_setup unchanged;
    presumably it selects the order in which users and groups are
    added (TODO confirm against that helper).
    """
    users_to_add = [USER1]
    groups_to_add = [GROUP12]
    user_and_group_setup(pw_ops, grp_ops, users_to_add, groups_to_add,
                         reverse)
    check_group(GROUP12)

    # check_group verified that the stored group lists the same members
    # as group12, i.e. user1 and user2. user1 must now be in two
    # groups, group12 and its own primary group, whereas user2 does
    # not exist as a user; it is only a ghost entry.
    status, memberships = sssd_id_sync('user1')
    assert status == sssd_id.NssReturnCode.SUCCESS
    assert len(memberships) == 2
    assert 'group12' in memberships

    status, _ = call_sssd_getpwnam('user2')
    assert status == NssReturnCode.NOTFOUND
def test_getgrnam_ghost(setup_pw_with_canary,
                        setup_gr_with_canary,
                        files_domain_only):
    """
    Test that a group is not found (and will be handled by nss_files)
    if it has any ghost members.
    """
    no_users = []
    groups_to_add = [GROUP12]
    user_and_group_setup(setup_pw_with_canary,
                         setup_gr_with_canary,
                         no_users,
                         groups_to_add,
                         False)

    # presumably gives SSSD time to notice the new group; TODO confirm
    time.sleep(1)
    status, _ = call_sssd_getgrnam(GROUP12["name"])
    assert status == NssReturnCode.NOTFOUND

    # The listed members have no user entry and must not resolve either
    ghost_names = GROUP12['mem']
    for ghost in ghost_names:
        status, _ = call_sssd_getpwnam(ghost)
        assert status == NssReturnCode.NOTFOUND
def test_getgrnam_ghost(setup_pw_with_canary,
                        setup_gr_with_canary,
                        files_domain_only):
    """
    Test that group members which have no user entry are added as
    ghosts. This is also what nss_files does, getgrnam would return
    group members that do not exist as well.
    """
    no_users = []
    groups_to_add = [GROUP12]
    user_and_group_setup(setup_pw_with_canary,
                         setup_gr_with_canary,
                         no_users,
                         groups_to_add,
                         False)
    check_group(GROUP12)

    # Being listed in the group must not make a name resolve as a user
    ghost_names = GROUP12['mem']
    for ghost in ghost_names:
        status, _ = call_sssd_getpwnam(ghost)
        assert status == NssReturnCode.NOTFOUND
def ghost_and_member_test(pw_ops, grp_ops, reverse):
    """
    Set up USER1 and GROUP12 and check a group that has one real
    member and one ghost member.

    `reverse` is handed through to user_and_group_setup unchanged;
    presumably it selects the order in which users and groups are
    added (TODO confirm against that helper).
    """
    users_to_add = [USER1]
    groups_to_add = [GROUP12]
    user_and_group_setup(pw_ops, grp_ops, users_to_add, groups_to_add,
                         reverse)
    check_group(GROUP12)

    # check_group verified that the stored group lists the same members
    # as group12, i.e. user1 and user2. user1 must now be in two
    # groups, group12 and its own primary group, whereas user2 does
    # not exist as a user; it is only a ghost entry.
    status, memberships = sssd_id_sync('user1')
    assert status == sssd_id.NssReturnCode.SUCCESS
    assert len(memberships) == 2
    assert 'group12' in memberships

    status, _ = call_sssd_getpwnam('user2')
    assert status == NssReturnCode.NOTFOUND
def test_getgrnam_add_remove_members(setup_pw_with_canary,
                                     add_group_nomem_with_canary,
                                     files_domain_only):
    """
    Test that existing users are linked with a group when they are
    added as members and unlinked again when they are removed.
    """
    pwd_ops = setup_pw_with_canary
    grp_ops = add_group_nomem_with_canary
    check_group(GROUP_NOMEM)

    pwd_ops.useradd(**USER1)
    pwd_ops.useradd(**USER2)

    updated_group = dict(GROUP_NOMEM)
    updated_group['mem'] = ['user1', 'user2']
    grp_ops.groupmod(old_name=updated_group['name'], **updated_group)
    check_group(updated_group)

    status, memberships = sssd_id_sync('user1')
    assert status == sssd_id.NssReturnCode.SUCCESS
    assert len(memberships) == 2
    assert 'group_nomem' in memberships

    status, memberships = sssd_id_sync('user2')
    assert status == sssd_id.NssReturnCode.SUCCESS
    assert 'group_nomem' in memberships

    # Drop user1 from the group again
    updated_group['mem'] = ['user2']
    grp_ops.groupmod(old_name=updated_group['name'], **updated_group)
    check_group(updated_group)

    # User1 exists, but is not a member of any supplementary group anymore
    status, _ = call_sssd_getpwnam('user1')
    assert status == sssd_id.NssReturnCode.SUCCESS
    status, memberships = sssd_id_sync('user1')
    assert status == sssd_id.NssReturnCode.NOTFOUND

    # user2 still is
    status, memberships = sssd_id_sync('user2')
    assert status == sssd_id.NssReturnCode.SUCCESS
    assert len(memberships) == 2
    assert 'group_nomem' in memberships
def test_getgrnam_add_remove_members(setup_pw_with_canary,
                                     add_group_nomem_with_canary,
                                     files_domain_only):
    """
    Test that existing users are linked with a group when they are
    added as members and unlinked again when they are removed.
    """
    pwd_ops = setup_pw_with_canary
    grp_ops = add_group_nomem_with_canary
    check_group(GROUP_NOMEM)

    pwd_ops.useradd(**USER1)
    pwd_ops.useradd(**USER2)

    updated_group = dict(GROUP_NOMEM)
    updated_group['mem'] = ['user1', 'user2']
    grp_ops.groupmod(old_name=updated_group['name'], **updated_group)
    check_group(updated_group)

    status, memberships = sssd_id_sync('user1')
    assert status == sssd_id.NssReturnCode.SUCCESS
    assert len(memberships) == 2
    assert 'group_nomem' in memberships

    status, memberships = sssd_id_sync('user2')
    assert status == sssd_id.NssReturnCode.SUCCESS
    assert 'group_nomem' in memberships

    # Drop user1 from the group again
    updated_group['mem'] = ['user2']
    grp_ops.groupmod(old_name=updated_group['name'], **updated_group)
    check_group(updated_group)

    # User1 exists, but is not a member of any supplementary group anymore
    status, _ = call_sssd_getpwnam('user1')
    assert status == sssd_id.NssReturnCode.SUCCESS
    status, memberships = sssd_id_sync('user1')
    assert status == sssd_id.NssReturnCode.NOTFOUND

    # user2 still is
    status, memberships = sssd_id_sync('user2')
    assert status == sssd_id.NssReturnCode.SUCCESS
    assert len(memberships) == 2
    assert 'group_nomem' in memberships
def test_add_remove_add_file_user(setup_pw_with_canary, files_domain_only):
    """
    Test that removing a user is detected and the user is removed
    from the sssd database. Similarly, an add should be detected.
    Do this several times to test retaining the inotify watch for
    moved and unlinked files.
    """
    pw_ops = setup_pw_with_canary
    user_name = USER1["name"]

    # The user must be unknown before it is added
    status, _ = call_sssd_getpwnam(user_name)
    assert status == NssReturnCode.NOTFOUND

    pw_ops.useradd(**USER1)
    check_user(USER1)

    pw_ops.userdel(user_name)
    # presumably gives SSSD time to notice the removal; TODO confirm
    time.sleep(1.0)
    # A deleted account must not keep resolving
    status, _ = sssd_getpwnam_sync(user_name)
    assert status == NssReturnCode.NOTFOUND

    # Adding the same user again must be picked up as well
    pw_ops.useradd(**USER1)
    check_user(USER1)
def test_add_remove_add_file_user(setup_pw_with_canary, files_domain_only):
    """
    Test that removing a user is detected and the user is removed
    from the sssd database. Similarly, an add should be detected.
    Do this several times to test retaining the inotify watch for
    moved and unlinked files.
    """
    pw_ops = setup_pw_with_canary
    user_name = USER1["name"]

    # The user must be unknown before it is added
    status, _ = call_sssd_getpwnam(user_name)
    assert status == NssReturnCode.NOTFOUND

    pw_ops.useradd(**USER1)
    check_user(USER1)

    pw_ops.userdel(user_name)
    # presumably gives SSSD time to notice the removal; TODO confirm
    time.sleep(1.0)
    # A deleted account must not keep resolving
    status, _ = sssd_getpwnam_sync(user_name)
    assert status == NssReturnCode.NOTFOUND

    # Adding the same user again must be picked up as well
    pw_ops.useradd(**USER1)
    check_user(USER1)
def test_getpwnam_neg(files_domain_only):
    """
    Test that a nonexistent user cannot be resolved by name
    """
    missing_name = "nosuchuser"
    status, _ = call_sssd_getpwnam(missing_name)
    assert status == NssReturnCode.NOTFOUND
def sssd_getpwnam_sync(name):
    """
    Look up `name` with call_sssd_getpwnam after polling for the canary.

    poll_canary is called with call_sssd_getpwnam and the canary's name
    first. If it returns exactly False, `name` is not looked up and
    (NssReturnCode.NOTFOUND, None) is returned; any other result lets
    the real lookup go ahead and its result is returned as is.
    """
    canary_seen = poll_canary(call_sssd_getpwnam, CANARY["name"])
    if canary_seen is not False:
        return call_sssd_getpwnam(name)
    # NOTE(review): a poll that gave up looks the same to the caller as
    # a user that really is absent; confirm callers can accept that.
    return NssReturnCode.NOTFOUND, None
def sssd_getpwnam_sync(name):
    """
    Look up `name` with call_sssd_getpwnam after polling for the canary.

    poll_canary is called with call_sssd_getpwnam and the canary's name
    first. If it returns exactly False, `name` is not looked up and
    (NssReturnCode.NOTFOUND, None) is returned; any other result lets
    the real lookup go ahead and its result is returned as is.
    """
    canary_seen = poll_canary(call_sssd_getpwnam, CANARY["name"])
    if canary_seen is not False:
        return call_sssd_getpwnam(name)
    # NOTE(review): a poll that gave up looks the same to the caller as
    # a user that really is absent; confirm callers can accept that.
    return NssReturnCode.NOTFOUND, None
def test_getpwnam_neg(files_domain_only):
    """
    Test that a nonexistent user cannot be resolved by name
    """
    missing_name = "nosuchuser"
    status, _ = call_sssd_getpwnam(missing_name)
    assert status == NssReturnCode.NOTFOUND