def test_ldap_auto_private_groups_direct_no_gid(ldap_conn, mpg_setup_no_gid):
"""
Integration test for auto_private_groups - test that even a user with
no GID assigned at all can be resolved including their autogenerated
primary group.
See also ticket https://pagure.io/SSSD/sssd/issue/1872
"""
# Make sure the user's GID is taken from their uidNumber
ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001, gid=1001))
# Make sure the private group is resolvable by name and by GID
ent.assert_group_by_name("user1", dict(gid=1001, mem=ent.contains_only()))
ent.assert_group_by_gid(1001, dict(name="user1", mem=ent.contains_only()))
# The group referenced in user's gidNumber attribute should be still
# visible, but shouldn't have any relation to the user
ent.assert_group_by_name("group1", dict(gid=2001, mem=ent.contains_only()))
ent.assert_group_by_gid(2001, dict(name="group1", mem=ent.contains_only()))
# The user's secondary groups list must be correct as well. This time only
# the generated group and the explicit secondary group are added, since
# there is no original GID
user1_expected_gids = [1001, 2015]
(res, errno, gids) = sssd_id.call_sssd_initgroups("user1", 1001)
assert res == sssd_id.NssReturnCode.SUCCESS
assert sorted(gids) == sorted(user1_expected_gids), \
"result: %s\n expected %s" % (
", ".join(["%s" % s for s in sorted(gids)]),
", ".join(["%s" % s for s in sorted(user1_expected_gids)])
)
def test_ldap_auto_private_groups_conflict(ldap_conn, mpg_setup_conflict):
"""
Make sure that conflicts between groups that are auto-created with the
help of the auto_private_groups option and between 'real' LDAP groups
are handled in a predictable manner.
"""
# Make sure the user's GID is taken from their uidNumber
ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001, gid=1001))
# Make sure the private group is resolvable by name and by GID
ent.assert_group_by_name("user1", dict(gid=1001, mem=ent.contains_only()))
ent.assert_group_by_gid(1001, dict(name="user1", mem=ent.contains_only()))
# Let's request the group with the same ID as user2's private group
# The request should match the 'real' group
ent.assert_group_by_gid(1002, dict(name="group2", mem=ent.contains_only()))
# But because of the GID conflict, the user cannot be resolved
with pytest.raises(KeyError):
pwd.getpwnam("user2")
# This user's GID is the same as the UID in this entry. The most important
# thing here is that the supplementary groups are correct and the GID
# resolves to the private group (as long as the user was requested first)
user3_expected_gids = [1003, 2015]
ent.assert_passwd_by_name("user3", dict(name="user3", uid=1003, gid=1003))
(res, errno, gids) = sssd_id.call_sssd_initgroups("user3", 1003)
assert res == sssd_id.NssReturnCode.SUCCESS
assert sorted(gids) == sorted(user3_expected_gids), \
"result: %s\n expected %s" % (
", ".join(["%s" % s for s in sorted(gids)]),
", ".join(["%s" % s for s in sorted(user3_expected_gids)])
)
# Make sure the private group is resolvable by name and by GID
ent.assert_group_by_gid(1003, dict(name="user3", mem=ent.contains_only()))
ent.assert_group_by_name("user3", dict(gid=1003, mem=ent.contains_only()))
def assert_initgroups_equal(user, primary_gid, expected_gids):
(res, errno, gids) = sssd_id.call_sssd_initgroups(user, primary_gid)
assert res == sssd_id.NssReturnCode.SUCCESS, \
"Could not find groups for user %s, %d" % (user, errno)
assert sorted(gids) == sorted(expected_gids), \
"result: %s\n expected %s" % (
", ".join(["%s" % s for s in sorted(gids)]),
", ".join(["%s" % s for s in sorted(expected_gids)])
)
def assert_initgroups_equal(user, primary_gid, expected_gids):
(res, errno, gids) = sssd_id.call_sssd_initgroups(user, primary_gid)
assert res == sssd_id.NssReturnCode.SUCCESS, \
"Could not find groups for user %s, %d" % (user, errno)
assert sorted(gids) == sorted(expected_gids), \
"result: %s\n expected %s" % (
", ".join(["%s" % s for s in sorted(gids)]),
", ".join(["%s" % s for s in sorted(expected_gids)])
)
def assert_stored_last_initgroups(user1_case1, user1_case2, user1_case_last,
primary_gid, expected_gids):
assert_initgroups_equal(user1_case1, primary_gid, expected_gids)
assert_initgroups_equal(user1_case2, primary_gid, expected_gids)
assert_initgroups_equal(user1_case_last, primary_gid, expected_gids)
stop_sssd()
user = user1_case1
(res, errno, _) = sssd_id.call_sssd_initgroups(user, primary_gid)
assert res == sssd_id.NssReturnCode.UNAVAIL, \
"Initgroups for user shoudl fail user %s, %d, %d" % (user, res, errno)
user = user1_case2
(res, errno, _) = sssd_id.call_sssd_initgroups(user, primary_gid)
assert res == sssd_id.NssReturnCode.UNAVAIL, \
"Initgroups for user shoudl fail user %s, %d, %d" % (user, res, errno)
# Just last invocation of initgroups shoudl PASS
# Otherwise, we would not be able to invalidate it
assert_initgroups_equal(user1_case_last, primary_gid, expected_gids)
def assert_stored_last_initgroups(user1_case1, user1_case2, user1_case_last,
primary_gid, expected_gids):
assert_initgroups_equal(user1_case1, primary_gid, expected_gids)
assert_initgroups_equal(user1_case2, primary_gid, expected_gids)
assert_initgroups_equal(user1_case_last, primary_gid, expected_gids)
stop_sssd()
user = user1_case1
(res, errno, _) = sssd_id.call_sssd_initgroups(user, primary_gid)
assert res == sssd_id.NssReturnCode.UNAVAIL, \
"Initgroups for user should fail user %s, %d, %d" % (user, res, errno)
user = user1_case2
(res, errno, _) = sssd_id.call_sssd_initgroups(user, primary_gid)
assert res == sssd_id.NssReturnCode.UNAVAIL, \
"Initgroups for user should fail user %s, %d, %d" % (user, res, errno)
# Just last invocation of initgroups should PASS
# Otherwise, we would not be able to invalidate it
assert_initgroups_equal(user1_case_last, primary_gid, expected_gids)
def prime_cache_user(ldb_conn, name, primary_gid):
# calling initgroups would add the initgExpire timestamp attribute and make sure
# that sss_cache doesn't add it with a value of 1, triggering a sysdb update
(res, errno, gids) = sssd_id.call_sssd_initgroups(name, primary_gid)
assert res == sssd_id.NssReturnCode.SUCCESS
sysdb_attrs, ts_attrs = get_user_attrs(ldb_conn, name,
SSSD_DOMAIN, TS_ATTRLIST)
assert_same_attrval(sysdb_attrs, ts_attrs, "dataExpireTimestamp")
assert_same_attrval(sysdb_attrs, ts_attrs, "originalModifyTimestamp")
# just to force different stamps and make sure memcache is gone
time.sleep(1)
invalidate_user(name)
return sysdb_attrs, ts_attrs
def assert_missing_mc_records_for_user1():
with pytest.raises(KeyError):
pwd.getpwnam("user1")
with pytest.raises(KeyError):
pwd.getpwuid(1001)
for gid in [2000, 2001]:
with pytest.raises(KeyError):
grp.getgrgid(gid)
for group in ["group0x", "group1"]:
with pytest.raises(KeyError):
grp.getgrnam(group)
(res, err, _) = sssd_id.call_sssd_initgroups("user1", 2001)
assert res == sssd_id.NssReturnCode.UNAVAIL, \
"Initgroups should not find anything after invalidation of mc.\n" \
"User user1, errno:%d" % err
def prime_cache_user(ldb_conn, name, primary_gid):
# calling initgroups would add the initgExpire timestamp attribute and
# make sure that sss_cache doesn't add it with a value of 1,
# triggering a sysdb update
(res, errno, gids) = sssd_id.call_sssd_initgroups(name, primary_gid)
assert res == sssd_id.NssReturnCode.SUCCESS
sysdb_attrs, ts_attrs = get_user_attrs(ldb_conn, name, SSSD_DOMAIN,
TS_ATTRLIST)
assert_same_attrval(sysdb_attrs, ts_attrs, "dataExpireTimestamp")
assert_same_attrval(sysdb_attrs, ts_attrs, "originalModifyTimestamp")
# just to force different stamps and make sure memcache is gone
time.sleep(1)
invalidate_user(ldb_conn, name)
return sysdb_attrs, ts_attrs
def assert_missing_mc_records_for_user1():
with pytest.raises(KeyError):
pwd.getpwnam("user1")
with pytest.raises(KeyError):
pwd.getpwuid(1001)
for gid in [2000, 2001]:
with pytest.raises(KeyError):
grp.getgrgid(gid)
for group in ["group0x", "group1"]:
with pytest.raises(KeyError):
grp.getgrnam(group)
(res, err, _) = sssd_id.call_sssd_initgroups("user1", 2001)
assert res == sssd_id.NssReturnCode.UNAVAIL, \
"Initgroups should not find anything after invalidation of mc.\n" \
"User user1, errno:%d" % err
def test_user_2307bis_nested_groups(ldap_conn, sanity_rfc2307_bis):
"""
Test nested groups.
Regression test for ticket:
https://fedorahosted.org/sssd/ticket/3093
"""
primary_gid = 2001
# group1, two_user_group, one_user_group1, group_one_user_group,
# group_two_user_group, group_two_one_user_groups
expected_gids = [2001, 2012, 2015, 2017, 2018, 2019]
ent.assert_passwd_by_name("user1",
dict(name="user1", uid=1001, gid=primary_gid))
(res, errno, gids) = sssd_id.call_sssd_initgroups("user1", primary_gid)
assert res == sssd_id.NssReturnCode.SUCCESS
assert sorted(gids) == sorted(expected_gids), \
"result: %s\n expected %s" % (
", ".join(["%s" % s for s in sorted(gids)]),
", ".join(["%s" % s for s in sorted(expected_gids)])
)
def test_user_2307bis_nested_groups(ldap_conn,
sanity_rfc2307_bis):
"""
Test nested groups.
Regression test for ticket:
https://fedorahosted.org/sssd/ticket/3093
"""
primary_gid = 2001
# group1, two_user_group, one_user_group1, group_one_user_group,
# group_two_user_group, group_two_one_user_groups
expected_gids = [2001, 2012, 2015, 2017, 2018, 2019]
ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001,
gid=primary_gid))
(res, errno, gids) = sssd_id.call_sssd_initgroups("user1", primary_gid)
assert res == sssd_id.NssReturnCode.SUCCESS
assert sorted(gids) == sorted(expected_gids), \
"result: %s\n expected %s" % (
", ".join(["%s" % s for s in sorted(gids)]),
", ".join(["%s" % s for s in sorted(expected_gids)])
)
def test_ldap_auto_private_groups_direct(ldap_conn, mpg_setup):
"""
Integration test for auto_private_groups
See also ticket https://pagure.io/SSSD/sssd/issue/1872
"""
# Make sure the user's GID is taken from their uidNumber
ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001, gid=1001))
# Make sure the private group is resolvable by name and by GID
ent.assert_group_by_name("user1", dict(gid=1001, mem=ent.contains_only()))
ent.assert_group_by_gid(1001, dict(name="user1", mem=ent.contains_only()))
# The group referenced in user's gidNumber attribute should be still
# visible, but it's fine that it doesn't contain the user as a member
# as the group is currently added during the initgroups operation only
ent.assert_group_by_name("group1", dict(gid=2001, mem=ent.contains_only()))
ent.assert_group_by_gid(2001, dict(name="group1", mem=ent.contains_only()))
# The user's secondary groups list must be correct as well
# Note that the original GID is listed as well -- this is correct and expected
# because we save the original GID in the SYSDB_PRIMARY_GROUP_GIDNUM attribute
user1_expected_gids = [1001, 2001, 2012, 2015]
(res, errno, gids) = sssd_id.call_sssd_initgroups("user1", 1001)
assert res == sssd_id.NssReturnCode.SUCCESS
assert sorted(gids) == sorted(user1_expected_gids), \
"result: %s\n expected %s" % (
", ".join(["%s" % s for s in sorted(gids)]),
", ".join(["%s" % s for s in sorted(user1_expected_gids)])
)
# Request user2's private group by GID without resolving the user first.
# This must trigger user resolution through by-GID resolution, since the GID
# doesn't exist on its own in LDAP
ent.assert_group_by_gid(1002, dict(name="user2", mem=ent.contains_only()))
# Test supplementary groups for user2 as well
user1_expected_gids = [1002, 2002, 2012, 2016]
(res, errno, gids) = sssd_id.call_sssd_initgroups("user2", 1002)
assert res == sssd_id.NssReturnCode.SUCCESS
assert sorted(gids) == sorted(user1_expected_gids), \
"result: %s\n expected %s" % (
", ".join(["%s" % s for s in sorted(gids)]),
", ".join(["%s" % s for s in sorted(user1_expected_gids)])
)
# Request user3's private group by name without resolving the user first
# This must trigger user resolution through by-name resolution, since the
# name doesn't exist on its own in LDAP
ent.assert_group_by_name("user3", dict(gid=1003, mem=ent.contains_only()))
# Remove entries and request them again to make sure they are not
# resolvable anymore
cleanup_ldap_entries(ldap_conn, None)
if subprocess.call(["sss_cache", "-GU"]) != 0:
raise Exception("sssd_cache failed")
with pytest.raises(KeyError):
pwd.getpwnam("user1")
with pytest.raises(KeyError):
grp.getgrnam("user1")
with pytest.raises(KeyError):
grp.getgrgid(1002)
with pytest.raises(KeyError):
grp.getgrnam("user3")
