Example #1
def test_getgrnam_add_remove_ghosts(setup_pw_with_canary,
                                    add_group_nomem_with_canary,
                                    files_domain_only):
    """
    Check group members that have no passwd entry, then add one of them.

    The group is given the members user1 and user2, then only user2, and is
    compared with check_group() after each change. Before either name has
    been added as a user, both lookups must report NOTFOUND. Once user2 is
    added, its group list has to contain group_nomem.
    """
    passwd_ops = setup_pw_with_canary
    group_ops = add_group_nomem_with_canary

    check_group(GROUP_NOMEM)

    changed = dict(GROUP_NOMEM)
    for members in (['user1', 'user2'], ['user2']):
        changed['mem'] = members
        group_ops.groupmod(old_name=changed['name'], **changed)
        check_group(changed)

    # A name that only appears in a group's member list must not turn into
    # a resolvable account; the test has not added either user yet.
    for name in ('user1', 'user2'):
        status, _ = call_sssd_getpwnam(name)
        assert status == NssReturnCode.NOTFOUND

    # Create user2 for real and verify that the membership is picked up.
    passwd_ops.useradd(**USER2)
    # user2 was looked up (and not found) a moment ago, so the negative
    # cache might still hold it. Flush the caches before the positive
    # lookup. The exit status of sss_cache is not checked here.
    subprocess.call(["sss_cache", "-E"])
    status, memberships = sssd_id_sync('user2')
    assert status == sssd_id.NssReturnCode.SUCCESS
    assert len(memberships) == 2
    assert 'group_nomem' in memberships
Example #2
def test_getgrnam_add_remove_ghosts(setup_pw_with_canary,
                                    add_group_nomem_with_canary,
                                    files_domain_only):
    """
    Check group members that have no passwd entry, then add one of them.

    The group is given the members user1 and user2, then only user2, and is
    compared with check_group() after each change. Before either name has
    been added as a user, both lookups must report NOTFOUND. Once user2 is
    added, its group list has to contain group_nomem.
    """
    passwd_ops = setup_pw_with_canary
    group_ops = add_group_nomem_with_canary

    check_group(GROUP_NOMEM)

    changed = dict(GROUP_NOMEM)
    for members in (['user1', 'user2'], ['user2']):
        changed['mem'] = members
        group_ops.groupmod(old_name=changed['name'], **changed)
        check_group(changed)

    # A name that only appears in a group's member list must not turn into
    # a resolvable account; the test has not added either user yet.
    for name in ('user1', 'user2'):
        status, _ = call_sssd_getpwnam(name)
        assert status == NssReturnCode.NOTFOUND

    # Create user2 for real and verify that the membership is picked up.
    # NOTE(review): user2 was looked up and not found just above. If that
    # negative result is cached, the lookup below may still miss the new
    # user; confirm whether a cache flush is needed before it.
    passwd_ops.useradd(**USER2)
    status, memberships = sssd_id_sync('user2')
    assert status == sssd_id.NssReturnCode.SUCCESS
    assert len(memberships) == 2
    assert 'group_nomem' in memberships
Example #3
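def test_getgrnam_add_remove_ghosts(setup_pw_with_canary,
                                    add_group_nomem_with_canary,
                                    files_domain_only):
    """
    Check that a group whose members have no passwd entry is not returned.

    The group is given the members user1 and user2, then only user2. Neither
    name is added as a user by this test, and after each change the group
    lookup must report NOTFOUND. The member names themselves must not
    resolve as users either.

    setup_pw_with_canary is requested for its fixture setup only; the test
    body does not use the object it provides.
    """
    check_group(GROUP_NOMEM)

    modgroup = dict(GROUP_NOMEM)
    for members in (['user1', 'user2'], ['user2']):
        modgroup['mem'] = members
        add_group_nomem_with_canary.groupmod(old_name=modgroup['name'],
                                             **modgroup)
        # Fixed one-second wait before the lookup; presumably this gives
        # SSSD time to notice the modified group file (TODO confirm).
        time.sleep(1)
        res, _ = call_sssd_getgrnam(modgroup['name'])
        assert res == sssd_id.NssReturnCode.NOTFOUND

    # A name that only appears in a member list must not be resolvable.
    for name in ('user1', 'user2'):
        res, _ = call_sssd_getpwnam(name)
        assert res == NssReturnCode.NOTFOUND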
Example #4
def test_getgrnam_add_remove_ghosts(setup_pw_with_canary,
                                    add_group_nomem_with_canary,
                                    files_domain_only):
    """
    Check group members that have no passwd entry, then add one of them.

    The group is given the members user1 and user2, then only user2, and is
    compared with check_group() after each change. Before either name has
    been added as a user, both lookups must report NOTFOUND. Once user2 is
    added, its group list has to contain group_nomem.
    """
    passwd_ops = setup_pw_with_canary
    group_ops = add_group_nomem_with_canary

    check_group(GROUP_NOMEM)

    changed = dict(GROUP_NOMEM)
    for members in (['user1', 'user2'], ['user2']):
        changed['mem'] = members
        group_ops.groupmod(old_name=changed['name'], **changed)
        check_group(changed)

    # A name that only appears in a group's member list must not turn into
    # a resolvable account; the test has not added either user yet.
    for name in ('user1', 'user2'):
        status, _ = call_sssd_getpwnam(name)
        assert status == NssReturnCode.NOTFOUND

    # Create user2 for real and verify that the membership is picked up.
    passwd_ops.useradd(**USER2)
    # user2 was looked up (and not found) a moment ago, so the negative
    # cache might still hold it. Flush the caches before the positive
    # lookup. The exit status of sss_cache is not checked here.
    subprocess.call(["sss_cache", "-E"])
    status, memberships = sssd_id_sync('user2')
    assert status == sssd_id.NssReturnCode.SUCCESS
    assert len(memberships) == 2
    assert 'group_nomem' in memberships
Example #5
def test_proxy_to_files_domain_only(add_user_with_canary,
                                    proxy_to_files_domain_only):
    """
    Test that implicit_files domain is not started together with proxy to files

    The check is a lookup of USER1 qualified with @implicit_files, which
    must report NOTFOUND.
    """
    qualified_name = "{0}@implicit_files".format(USER1["name"])
    status, _ = call_sssd_getpwnam(qualified_name)
    assert status == NssReturnCode.NOTFOUND
Example #6
def test_proxy_to_files_domain_only(add_user_with_canary,
                                    proxy_to_files_domain_only):
    """
    Test that implicit_files domain is not started together with proxy to files

    A second user1 is created with sss_useradd under UID 10009. The
    unqualified lookup must return exactly that entry, and the lookup
    qualified with @implicit_files must report NOTFOUND.
    """
    expected_user = {
        'name': 'user1',
        'passwd': '*',
        'uid': 10009,
        'gid': 10009,
        'gecos': 'user1',
        'dir': '/home/user1',
        'shell': '/bin/bash',
    }

    # Add a user with a different UID than the one in files, so the entry
    # returned below shows which source answered the lookup.
    useradd_cmd = ["sss_useradd", "-u", "10009", "-M", USER1["name"]]
    subprocess.check_call(useradd_cmd)

    status, found = call_sssd_getpwnam(USER1["name"])
    assert status == NssReturnCode.SUCCESS
    assert found == expected_user

    qualified_name = "{0}@implicit_files".format(USER1["name"])
    status, _ = call_sssd_getpwnam(qualified_name)
    assert status == NssReturnCode.NOTFOUND
Example #7
def test_proxy_to_files_domain_only(add_user_with_canary,
                                    proxy_to_files_domain_only):
    """
    Test that implicit_files domain is not started together with proxy to files

    A second user1 is created with sss_useradd under UID 10009. The
    unqualified lookup must return exactly that entry, and the lookup
    qualified with @implicit_files must report NOTFOUND.
    """
    expected_user = {
        'name': 'user1',
        'passwd': '*',
        'uid': 10009,
        'gid': 10009,
        'gecos': 'user1',
        'dir': '/home/user1',
        'shell': '/bin/bash',
    }

    # Add a user with a different UID than the one in files, so the entry
    # returned below shows which source answered the lookup.
    useradd_cmd = ["sss_useradd", "-u", "10009", "-M", USER1["name"]]
    subprocess.check_call(useradd_cmd)

    status, found = call_sssd_getpwnam(USER1["name"])
    assert status == NssReturnCode.SUCCESS
    assert found == expected_user

    qualified_name = "{0}@implicit_files".format(USER1["name"])
    status, _ = call_sssd_getpwnam(qualified_name)
    assert status == NssReturnCode.NOTFOUND
Example #8
def test_root_does_not_resolve(files_domain_only):
    """
    SSSD currently does not resolve the root user even though root can
    be resolved through the NSS interface.
    """
    # pwd.getpwnam() raises KeyError for an unknown name, so reaching the
    # assertion already shows that root resolves through NSS.
    assert pwd.getpwnam("root") is not None

    # The same name asked of SSSD directly must not be answered.
    status, _ = call_sssd_getpwnam("root")
    assert status == NssReturnCode.NOTFOUND
Example #9
def test_root_does_not_resolve(files_domain_only):
    """
    SSSD currently does not resolve the root user even though root can
    be resolved through the NSS interface.
    """
    # pwd.getpwnam() raises KeyError for an unknown name, so reaching the
    # assertion already shows that root resolves through NSS.
    assert pwd.getpwnam("root") is not None

    # The same name asked of SSSD directly must not be answered.
    status, _ = call_sssd_getpwnam("root")
    assert status == NssReturnCode.NOTFOUND
Example #10
def test_nss_filters_cached(ldap_conn, sanity_nss_filter_cached):
    """
    Check that filtered users and groups stay filtered on repeated lookups.

    user1/user3 and group1/group3 must be present. UID 1002 and GID 2002
    must raise KeyError, both on the first lookup and again two seconds
    later. Finally root (by name and by ID 0, as user and as group) must
    report NOTFOUND when SSSD is asked directly.
    """
    expected_users = [
        dict(name='user1', passwd='*', uid=1001, gid=2001, gecos='1001',
             dir='/home/user1', shell='/bin/bash'),
        dict(name='user3', passwd='*', uid=1003, gid=2003, gecos='1003',
             dir='/home/user3', shell='/bin/bash'),
    ]
    ent.assert_each_passwd_by_name(expected_list_to_name_dict(expected_users))

    # test filtered user: the second lookup repeats the first after a pause,
    # so a filtered entry must not appear on the later request either
    with pytest.raises(KeyError):
        pwd.getpwuid(1002)
    time.sleep(2)
    with pytest.raises(KeyError):
        pwd.getpwuid(1002)

    expected_groups = [
        dict(name='group1', passwd='*', gid=2001, mem=ent.contains_only()),
        dict(name='group3', passwd='*', gid=2003, mem=ent.contains_only()),
    ]
    ent.assert_each_group_by_name(expected_list_to_name_dict(expected_groups))

    # test filtered group, same two-step pattern as for the user
    with pytest.raises(KeyError):
        grp.getgrgid(2002)
    time.sleep(2)
    with pytest.raises(KeyError):
        grp.getgrgid(2002)

    # test that root is always filtered even if filter_users contains other
    # entries. This is a regression test for upstream ticket #3460
    root_lookups = (
        (call_sssd_getpwnam, "root"),
        (call_sssd_getgrnam, "root"),
        (call_sssd_getpwuid, 0),
        (call_sssd_getgrgid, 0),
    )
    for lookup, key in root_lookups:
        status, _ = lookup(key)
        assert status == NssReturnCode.NOTFOUND
Example #11
def test_getgrnam_ghost(setup_pw_with_canary,
                        setup_gr_with_canary,
                        files_domain_only):
    """
    Test that a group whose members are not present as users still lists
    them, as ghosts. nss_files behaves the same way: getgrnam returns
    group members that do not exist.
    """
    no_users = []
    user_and_group_setup(setup_pw_with_canary, setup_gr_with_canary,
                         no_users, [GROUP12], False)
    check_group(GROUP12)

    # Being listed as a member must not make the name resolvable as a user.
    for ghost_name in GROUP12['mem']:
        status, _ = call_sssd_getpwnam(ghost_name)
        assert status == NssReturnCode.NOTFOUND
Example #12
def ghost_and_member_test(pw_ops, grp_ops, reverse):
    """
    Check a group that has one existing member and one ghost member.

    Sets up USER1 and GROUP12 through user_and_group_setup(), passing
    ``reverse`` on unchanged, then verifies the group and both member names.
    """
    existing_users = [USER1]
    user_and_group_setup(pw_ops, grp_ops, existing_users, [GROUP12], reverse)
    check_group(GROUP12)

    # check_group() confirmed that the group has the same members as
    # group12, so both user1 and user2. user1 must now be a member of
    # group12 and of its own primary group.
    status, memberships = sssd_id_sync('user1')
    assert status == sssd_id.NssReturnCode.SUCCESS
    assert len(memberships) == 2
    assert 'group12' in memberships

    # user2 doesn't exist, it's just a ghost entry in the member list.
    status, _ = call_sssd_getpwnam('user2')
    assert status == NssReturnCode.NOTFOUND
Example #13
def test_getgrnam_ghost(setup_pw_with_canary,
                        setup_gr_with_canary,
                        files_domain_only):
    """
    Test that a group is not found (and will be handled by nss_files) if it
    has any ghost members.
    """
    no_users = []
    user_and_group_setup(setup_pw_with_canary, setup_gr_with_canary,
                         no_users, [GROUP12], False)

    # Fixed one-second wait before the lookup; presumably this gives SSSD
    # time to pick up the new group file (TODO confirm).
    time.sleep(1)
    status, _group = call_sssd_getgrnam(GROUP12["name"])
    assert status == NssReturnCode.NOTFOUND

    # The member names must not be resolvable as users either.
    for ghost_name in GROUP12['mem']:
        status, _ = call_sssd_getpwnam(ghost_name)
        assert status == NssReturnCode.NOTFOUND
Example #14
def test_getgrnam_ghost(setup_pw_with_canary, setup_gr_with_canary,
                        files_domain_only):
    """
    Test that a group whose members are not present as users still lists
    them, as ghosts. nss_files behaves the same way: getgrnam returns
    group members that do not exist.
    """
    no_users = []
    user_and_group_setup(setup_pw_with_canary, setup_gr_with_canary,
                         no_users, [GROUP12], False)
    check_group(GROUP12)

    # Being listed as a member must not make the name resolvable as a user.
    for ghost_name in GROUP12['mem']:
        status, _ = call_sssd_getpwnam(ghost_name)
        assert status == NssReturnCode.NOTFOUND
Example #15
def ghost_and_member_test(pw_ops, grp_ops, reverse):
    """
    Check a group that has one existing member and one ghost member.

    Sets up USER1 and GROUP12 through user_and_group_setup(), passing
    ``reverse`` on unchanged, then verifies the group and both member names.
    """
    existing_users = [USER1]
    user_and_group_setup(pw_ops, grp_ops, existing_users, [GROUP12], reverse)
    check_group(GROUP12)

    # check_group() confirmed that the group has the same members as
    # group12, so both user1 and user2. user1 must now be a member of
    # group12 and of its own primary group.
    status, memberships = sssd_id_sync('user1')
    assert status == sssd_id.NssReturnCode.SUCCESS
    assert len(memberships) == 2
    assert 'group12' in memberships

    # user2 doesn't exist, it's just a ghost entry in the member list.
    status, _ = call_sssd_getpwnam('user2')
    assert status == NssReturnCode.NOTFOUND
Example #16
def test_getgrnam_add_remove_members(setup_pw_with_canary,
                                     add_group_nomem_with_canary,
                                     files_domain_only):
    """
    Test that adding and removing group members changes the users' groups.

    user1 and user2 are created and put into the group, then user1 is
    dropped from the member list. Each step is followed by a lookup of the
    affected users' group lists.
    """
    passwd_ops = setup_pw_with_canary
    group_ops = add_group_nomem_with_canary

    check_group(GROUP_NOMEM)

    for account in (USER1, USER2):
        passwd_ops.useradd(**account)

    changed = dict(GROUP_NOMEM)
    changed['mem'] = ['user1', 'user2']
    group_ops.groupmod(old_name=changed['name'], **changed)
    check_group(changed)

    status, memberships = sssd_id_sync('user1')
    assert status == sssd_id.NssReturnCode.SUCCESS
    assert len(memberships) == 2
    assert 'group_nomem' in memberships

    status, memberships = sssd_id_sync('user2')
    assert status == sssd_id.NssReturnCode.SUCCESS
    assert 'group_nomem' in memberships

    changed['mem'] = ['user2']
    group_ops.groupmod(old_name=changed['name'], **changed)
    check_group(changed)

    # User1 exists, but is not a member of any supplementary group anymore.
    # The removal has to be visible in lookups, otherwise user1 would keep
    # a membership that was revoked.
    status, _ = call_sssd_getpwnam('user1')
    assert status == sssd_id.NssReturnCode.SUCCESS
    status, memberships = sssd_id_sync('user1')
    assert status == sssd_id.NssReturnCode.NOTFOUND

    # user2 still is
    status, memberships = sssd_id_sync('user2')
    assert status == sssd_id.NssReturnCode.SUCCESS
    assert len(memberships) == 2
    assert 'group_nomem' in memberships
Example #17
def test_getgrnam_add_remove_members(setup_pw_with_canary,
                                     add_group_nomem_with_canary,
                                     files_domain_only):
    """
    Test that adding and removing group members changes the users' groups.

    user1 and user2 are created and put into the group, then user1 is
    dropped from the member list. Each step is followed by a lookup of the
    affected users' group lists.
    """
    passwd_ops = setup_pw_with_canary
    group_ops = add_group_nomem_with_canary

    check_group(GROUP_NOMEM)

    for account in (USER1, USER2):
        passwd_ops.useradd(**account)

    changed = dict(GROUP_NOMEM)
    changed['mem'] = ['user1', 'user2']
    group_ops.groupmod(old_name=changed['name'], **changed)
    check_group(changed)

    status, memberships = sssd_id_sync('user1')
    assert status == sssd_id.NssReturnCode.SUCCESS
    assert len(memberships) == 2
    assert 'group_nomem' in memberships

    status, memberships = sssd_id_sync('user2')
    assert status == sssd_id.NssReturnCode.SUCCESS
    assert 'group_nomem' in memberships

    changed['mem'] = ['user2']
    group_ops.groupmod(old_name=changed['name'], **changed)
    check_group(changed)

    # User1 exists, but is not a member of any supplementary group anymore.
    # The removal has to be visible in lookups, otherwise user1 would keep
    # a membership that was revoked.
    status, _ = call_sssd_getpwnam('user1')
    assert status == sssd_id.NssReturnCode.SUCCESS
    status, memberships = sssd_id_sync('user1')
    assert status == sssd_id.NssReturnCode.NOTFOUND

    # user2 still is
    status, memberships = sssd_id_sync('user2')
    assert status == sssd_id.NssReturnCode.SUCCESS
    assert len(memberships) == 2
    assert 'group_nomem' in memberships
Example #18
def test_add_remove_add_file_user(setup_pw_with_canary, files_domain_only):
    """
    Test that removing a user is detected and the user is removed from the
    sssd database, and that a later add is detected as well. The add is
    done twice, around the removal, to test that the inotify watch is
    retained for moved and unlinked files.
    """
    passwd_ops = setup_pw_with_canary
    user_name = USER1["name"]

    status, _ = call_sssd_getpwnam(user_name)
    assert status == NssReturnCode.NOTFOUND

    passwd_ops.useradd(**USER1)
    check_user(USER1)

    # A deleted account must stop resolving. The fixed wait comes before
    # the synchronised lookup.
    passwd_ops.userdel(user_name)
    time.sleep(1.0)
    status, _ = sssd_getpwnam_sync(user_name)
    assert status == NssReturnCode.NOTFOUND

    passwd_ops.useradd(**USER1)
    check_user(USER1)
Example #19
def test_add_remove_add_file_user(setup_pw_with_canary, files_domain_only):
    """
    Test that removing a user is detected and the user is removed from the
    sssd database, and that a later add is detected as well. The add is
    done twice, around the removal, to test that the inotify watch is
    retained for moved and unlinked files.
    """
    passwd_ops = setup_pw_with_canary
    user_name = USER1["name"]

    status, _ = call_sssd_getpwnam(user_name)
    assert status == NssReturnCode.NOTFOUND

    passwd_ops.useradd(**USER1)
    check_user(USER1)

    # A deleted account must stop resolving. The fixed wait comes before
    # the synchronised lookup.
    passwd_ops.userdel(user_name)
    time.sleep(1.0)
    status, _ = sssd_getpwnam_sync(user_name)
    assert status == NssReturnCode.NOTFOUND

    passwd_ops.useradd(**USER1)
    check_user(USER1)
Example #20
def test_getpwnam_neg(files_domain_only):
    """
    Test that looking up a user name that does not exist reports NOTFOUND.
    """
    missing_name = "nosuchuser"
    status, _ = call_sssd_getpwnam(missing_name)
    assert status == NssReturnCode.NOTFOUND
Example #21
def sssd_getpwnam_sync(name):
    """
    Look up ``name`` after polling for the canary user.

    Returns ``(NssReturnCode.NOTFOUND, None)`` without looking up ``name``
    when poll_canary() returns False, otherwise the result of
    call_sssd_getpwnam(name).

    NOTE(review): a caller that asserts NOTFOUND cannot tell a failed canary
    poll from a user that is really absent, so such an assertion also passes
    when the poll fails.
    """
    canary_seen = poll_canary(call_sssd_getpwnam, CANARY["name"])
    if canary_seen is not False:
        return call_sssd_getpwnam(name)

    return NssReturnCode.NOTFOUND, None
Example #22
def sssd_getpwnam_sync(name):
    """
    Look up ``name`` after polling for the canary user.

    Returns ``(NssReturnCode.NOTFOUND, None)`` without looking up ``name``
    when poll_canary() returns False, otherwise the result of
    call_sssd_getpwnam(name).

    NOTE(review): a caller that asserts NOTFOUND cannot tell a failed canary
    poll from a user that is really absent, so such an assertion also passes
    when the poll fails.
    """
    canary_seen = poll_canary(call_sssd_getpwnam, CANARY["name"])
    if canary_seen is not False:
        return call_sssd_getpwnam(name)

    return NssReturnCode.NOTFOUND, None
Example #23
def test_getpwnam_neg(files_domain_only):
    """
    Test that looking up a user name that does not exist reports NOTFOUND.
    """
    missing_name = "nosuchuser"
    status, _ = call_sssd_getpwnam(missing_name)
    assert status == NssReturnCode.NOTFOUND