def test_ldap_auto_private_groups_direct_no_gid(ldap_conn, mpg_setup_no_gid): """ Integration test for auto_private_groups - test that even a user with no GID assigned at all can be resolved including their autogenerated primary group. See also ticket https://pagure.io/SSSD/sssd/issue/1872 """ # Make sure the user's GID is taken from their uidNumber ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001, gid=1001)) # Make sure the private group is resolvable by name and by GID ent.assert_group_by_name("user1", dict(gid=1001, mem=ent.contains_only())) ent.assert_group_by_gid(1001, dict(name="user1", mem=ent.contains_only())) # The group referenced in user's gidNumber attribute should be still # visible, but shouldn't have any relation to the user ent.assert_group_by_name("group1", dict(gid=2001, mem=ent.contains_only())) ent.assert_group_by_gid(2001, dict(name="group1", mem=ent.contains_only())) # The user's secondary groups list must be correct as well. This time only # the generated group and the explicit secondary group are added, since # there is no original GID user1_expected_gids = [1001, 2015] (res, errno, gids) = sssd_id.call_sssd_initgroups("user1", 1001) assert res == sssd_id.NssReturnCode.SUCCESS assert sorted(gids) == sorted(user1_expected_gids), \ "result: %s\n expected %s" % ( ", ".join(["%s" % s for s in sorted(gids)]), ", ".join(["%s" % s for s in sorted(user1_expected_gids)]) )
def test_ldap_auto_private_groups_conflict(ldap_conn, mpg_setup_conflict): """ Make sure that conflicts between groups that are auto-created with the help of the auto_private_groups option and between 'real' LDAP groups are handled in a predictable manner. """ # Make sure the user's GID is taken from their uidNumber ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001, gid=1001)) # Make sure the private group is resolvable by name and by GID ent.assert_group_by_name("user1", dict(gid=1001, mem=ent.contains_only())) ent.assert_group_by_gid(1001, dict(name="user1", mem=ent.contains_only())) # Let's request the group with the same ID as user2's private group # The request should match the 'real' group ent.assert_group_by_gid(1002, dict(name="group2", mem=ent.contains_only())) # But because of the GID conflict, the user cannot be resolved with pytest.raises(KeyError): pwd.getpwnam("user2") # This user's GID is the same as the UID in this entry. The most important # thing here is that the supplementary groups are correct and the GID # resolves to the private group (as long as the user was requested first) user3_expected_gids = [1003, 2015] ent.assert_passwd_by_name("user3", dict(name="user3", uid=1003, gid=1003)) (res, errno, gids) = sssd_id.call_sssd_initgroups("user3", 1003) assert res == sssd_id.NssReturnCode.SUCCESS assert sorted(gids) == sorted(user3_expected_gids), \ "result: %s\n expected %s" % ( ", ".join(["%s" % s for s in sorted(gids)]), ", ".join(["%s" % s for s in sorted(user3_expected_gids)]) ) # Make sure the private group is resolvable by name and by GID ent.assert_group_by_gid(1003, dict(name="user3", mem=ent.contains_only())) ent.assert_group_by_name("user3", dict(gid=1003, mem=ent.contains_only()))
def assert_initgroups_equal(user, primary_gid, expected_gids): (res, errno, gids) = sssd_id.call_sssd_initgroups(user, primary_gid) assert res == sssd_id.NssReturnCode.SUCCESS, \ "Could not find groups for user %s, %d" % (user, errno) assert sorted(gids) == sorted(expected_gids), \ "result: %s\n expected %s" % ( ", ".join(["%s" % s for s in sorted(gids)]), ", ".join(["%s" % s for s in sorted(expected_gids)]) )
def assert_stored_last_initgroups(user1_case1, user1_case2, user1_case_last, primary_gid, expected_gids): assert_initgroups_equal(user1_case1, primary_gid, expected_gids) assert_initgroups_equal(user1_case2, primary_gid, expected_gids) assert_initgroups_equal(user1_case_last, primary_gid, expected_gids) stop_sssd() user = user1_case1 (res, errno, _) = sssd_id.call_sssd_initgroups(user, primary_gid) assert res == sssd_id.NssReturnCode.UNAVAIL, \ "Initgroups for user shoudl fail user %s, %d, %d" % (user, res, errno) user = user1_case2 (res, errno, _) = sssd_id.call_sssd_initgroups(user, primary_gid) assert res == sssd_id.NssReturnCode.UNAVAIL, \ "Initgroups for user shoudl fail user %s, %d, %d" % (user, res, errno) # Just last invocation of initgroups shoudl PASS # Otherwise, we would not be able to invalidate it assert_initgroups_equal(user1_case_last, primary_gid, expected_gids)
def assert_stored_last_initgroups(user1_case1, user1_case2, user1_case_last, primary_gid, expected_gids): assert_initgroups_equal(user1_case1, primary_gid, expected_gids) assert_initgroups_equal(user1_case2, primary_gid, expected_gids) assert_initgroups_equal(user1_case_last, primary_gid, expected_gids) stop_sssd() user = user1_case1 (res, errno, _) = sssd_id.call_sssd_initgroups(user, primary_gid) assert res == sssd_id.NssReturnCode.UNAVAIL, \ "Initgroups for user should fail user %s, %d, %d" % (user, res, errno) user = user1_case2 (res, errno, _) = sssd_id.call_sssd_initgroups(user, primary_gid) assert res == sssd_id.NssReturnCode.UNAVAIL, \ "Initgroups for user should fail user %s, %d, %d" % (user, res, errno) # Just last invocation of initgroups should PASS # Otherwise, we would not be able to invalidate it assert_initgroups_equal(user1_case_last, primary_gid, expected_gids)
def prime_cache_user(ldb_conn, name, primary_gid): # calling initgroups would add the initgExpire timestamp attribute and make sure # that sss_cache doesn't add it with a value of 1, triggering a sysdb update (res, errno, gids) = sssd_id.call_sssd_initgroups(name, primary_gid) assert res == sssd_id.NssReturnCode.SUCCESS sysdb_attrs, ts_attrs = get_user_attrs(ldb_conn, name, SSSD_DOMAIN, TS_ATTRLIST) assert_same_attrval(sysdb_attrs, ts_attrs, "dataExpireTimestamp") assert_same_attrval(sysdb_attrs, ts_attrs, "originalModifyTimestamp") # just to force different stamps and make sure memcache is gone time.sleep(1) invalidate_user(name) return sysdb_attrs, ts_attrs
def assert_missing_mc_records_for_user1(): with pytest.raises(KeyError): pwd.getpwnam("user1") with pytest.raises(KeyError): pwd.getpwuid(1001) for gid in [2000, 2001]: with pytest.raises(KeyError): grp.getgrgid(gid) for group in ["group0x", "group1"]: with pytest.raises(KeyError): grp.getgrnam(group) (res, err, _) = sssd_id.call_sssd_initgroups("user1", 2001) assert res == sssd_id.NssReturnCode.UNAVAIL, \ "Initgroups should not find anything after invalidation of mc.\n" \ "User user1, errno:%d" % err
def prime_cache_user(ldb_conn, name, primary_gid): # calling initgroups would add the initgExpire timestamp attribute and # make sure that sss_cache doesn't add it with a value of 1, # triggering a sysdb update (res, errno, gids) = sssd_id.call_sssd_initgroups(name, primary_gid) assert res == sssd_id.NssReturnCode.SUCCESS sysdb_attrs, ts_attrs = get_user_attrs(ldb_conn, name, SSSD_DOMAIN, TS_ATTRLIST) assert_same_attrval(sysdb_attrs, ts_attrs, "dataExpireTimestamp") assert_same_attrval(sysdb_attrs, ts_attrs, "originalModifyTimestamp") # just to force different stamps and make sure memcache is gone time.sleep(1) invalidate_user(ldb_conn, name) return sysdb_attrs, ts_attrs
def test_user_2307bis_nested_groups(ldap_conn, sanity_rfc2307_bis): """ Test nested groups. Regression test for ticket: https://fedorahosted.org/sssd/ticket/3093 """ primary_gid = 2001 # group1, two_user_group, one_user_group1, group_one_user_group, # group_two_user_group, group_two_one_user_groups expected_gids = [2001, 2012, 2015, 2017, 2018, 2019] ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001, gid=primary_gid)) (res, errno, gids) = sssd_id.call_sssd_initgroups("user1", primary_gid) assert res == sssd_id.NssReturnCode.SUCCESS assert sorted(gids) == sorted(expected_gids), \ "result: %s\n expected %s" % ( ", ".join(["%s" % s for s in sorted(gids)]), ", ".join(["%s" % s for s in sorted(expected_gids)]) )
def test_ldap_auto_private_groups_direct(ldap_conn, mpg_setup): """ Integration test for auto_private_groups See also ticket https://pagure.io/SSSD/sssd/issue/1872 """ # Make sure the user's GID is taken from their uidNumber ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001, gid=1001)) # Make sure the private group is resolvable by name and by GID ent.assert_group_by_name("user1", dict(gid=1001, mem=ent.contains_only())) ent.assert_group_by_gid(1001, dict(name="user1", mem=ent.contains_only())) # The group referenced in user's gidNumber attribute should be still # visible, but it's fine that it doesn't contain the user as a member # as the group is currently added during the initgroups operation only ent.assert_group_by_name("group1", dict(gid=2001, mem=ent.contains_only())) ent.assert_group_by_gid(2001, dict(name="group1", mem=ent.contains_only())) # The user's secondary groups list must be correct as well # Note that the original GID is listed as well -- this is correct and expected # because we save the original GID in the SYSDB_PRIMARY_GROUP_GIDNUM attribute user1_expected_gids = [1001, 2001, 2012, 2015] (res, errno, gids) = sssd_id.call_sssd_initgroups("user1", 1001) assert res == sssd_id.NssReturnCode.SUCCESS assert sorted(gids) == sorted(user1_expected_gids), \ "result: %s\n expected %s" % ( ", ".join(["%s" % s for s in sorted(gids)]), ", ".join(["%s" % s for s in sorted(user1_expected_gids)]) ) # Request user2's private group by GID without resolving the user first. # This must trigger user resolution through by-GID resolution, since the GID # doesn't exist on its own in LDAP ent.assert_group_by_gid(1002, dict(name="user2", mem=ent.contains_only())) # Test supplementary groups for user2 as well user1_expected_gids = [1002, 2002, 2012, 2016] (res, errno, gids) = sssd_id.call_sssd_initgroups("user2", 1002) assert res == sssd_id.NssReturnCode.SUCCESS assert sorted(gids) == sorted(user1_expected_gids), \ "result: %s\n expected %s" % ( ", ".join(["%s" % s for s in sorted(gids)]), ", ".join(["%s" % s for s in sorted(user1_expected_gids)]) ) # Request user3's private group by name without resolving the user first # This must trigger user resolution through by-name resolution, since the # name doesn't exist on its own in LDAP ent.assert_group_by_name("user3", dict(gid=1003, mem=ent.contains_only())) # Remove entries and request them again to make sure they are not # resolvable anymore cleanup_ldap_entries(ldap_conn, None) if subprocess.call(["sss_cache", "-GU"]) != 0: raise Exception("sssd_cache failed") with pytest.raises(KeyError): pwd.getpwnam("user1") with pytest.raises(KeyError): grp.getgrnam("user1") with pytest.raises(KeyError): grp.getgrgid(1002) with pytest.raises(KeyError): grp.getgrnam("user3")