def test_add_remove_membership_rfc2307_bis(ldap_conn,
user_and_groups_rfc2307_bis):
"""
Test user and group membership addition and removal are reflected by SSSD,
with RFC2307bis schema
"""
base_dn_bytes = ldap_conn.ds_inst.base_dn.encode('utf-8')
time.sleep(INTERACTIVE_TIMEOUT/2)
# Add user to group1
ent.assert_group_by_name("group1", dict(mem=ent.contains_only()))
ldap_conn.modify_s("cn=group1,ou=Groups," + ldap_conn.ds_inst.base_dn,
[(ldap.MOD_REPLACE, "member",
b"uid=user,ou=Users," + base_dn_bytes)])
time.sleep(INTERACTIVE_TIMEOUT)
ent.assert_group_by_name("group1", dict(mem=ent.contains_only("user")))
# Add group1 to group2
ldap_conn.modify_s("cn=group2,ou=Groups," + ldap_conn.ds_inst.base_dn,
[(ldap.MOD_REPLACE, "member",
b"cn=group1,ou=Groups," + base_dn_bytes)])
time.sleep(INTERACTIVE_TIMEOUT)
ent.assert_group_by_name("group2", dict(mem=ent.contains_only("user")))
# Remove group1 from group2
ldap_conn.modify_s("cn=group2,ou=Groups," + ldap_conn.ds_inst.base_dn,
[(ldap.MOD_DELETE, "member", None)])
time.sleep(INTERACTIVE_TIMEOUT)
ent.assert_group_by_name("group2", dict(mem=ent.contains_only()))
# Remove user from group1
ldap_conn.modify_s("cn=group1,ou=Groups," + ldap_conn.ds_inst.base_dn,
[(ldap.MOD_DELETE, "member", None)])
time.sleep(INTERACTIVE_TIMEOUT)
ent.assert_group_by_name("group1", dict(mem=ent.contains_only()))
def test_disabled_passwd_mc(ldap_conn, disable_pwd_mc_rfc2307):
ent.assert_passwd_by_name(
'user1',
dict(name='user1',
passwd='*',
uid=1001,
gid=2001,
gecos='1001',
shell='/bin/bash'))
ent.assert_passwd_by_uid(
1001,
dict(name='user1',
passwd='*',
uid=1001,
gid=2001,
gecos='1001',
shell='/bin/bash'))
ent.assert_group_by_name("group1", dict(name="group1", gid=2001))
ent.assert_group_by_gid(2001, dict(name="group1", gid=2001))
assert_user_gids_equal('user1', [2000, 2001])
stop_sssd()
# passwd cache is disabled, other caches should work
with pytest.raises(KeyError):
pwd.getpwnam('user1')
with pytest.raises(KeyError):
pwd.getpwuid(1001)
ent.assert_group_by_name("group1", dict(name="group1", gid=2001))
ent.assert_group_by_gid(2001, dict(name="group1", gid=2001))
assert_user_gids_equal('user1', [2000, 2001])
def test_mc_zero_timeout(ldap_conn, zero_timeout_rfc2307):
"""
Test that the memory cache is not created at all with memcache_timeout=0
"""
# No memory cache files must be created
assert len(os.listdir(config.MCACHE_PATH)) == 0
ent.assert_passwd_by_name(
'user1',
dict(name='user1', passwd='*', uid=1001, gid=2001,
gecos='1001', shell='/bin/bash'))
ent.assert_passwd_by_uid(
1001,
dict(name='user1', passwd='*', uid=1001, gid=2001,
gecos='1001', shell='/bin/bash'))
ent.assert_group_by_name("group1", dict(name="group1", gid=2001))
ent.assert_group_by_gid(2001, dict(name="group1", gid=2001))
stop_sssd()
# sssd is stopped; so the memory cache should not be used
# in long living clients (py.test in this case)
with pytest.raises(KeyError):
pwd.getpwnam('user1')
with pytest.raises(KeyError):
pwd.getpwuid(1001)
with pytest.raises(KeyError):
grp.getgrnam('group1')
with pytest.raises(KeyError):
grp.getgrgid(2001)
def run_simple_test_with_initgroups():
ent.assert_passwd_by_name(
'user1',
dict(name='user1', passwd='*', uid=1001, gid=2001,
gecos='1001', shell='/bin/bash'))
ent.assert_passwd_by_uid(
1001,
dict(name='user1', passwd='*', uid=1001, gid=2001,
gecos='1001', shell='/bin/bash'))
ent.assert_group_by_name(
"group1",
dict(mem=ent.contains_only("user1", "user11", "user21")))
ent.assert_group_by_gid(
2001,
dict(mem=ent.contains_only("user1", "user11", "user21")))
# unrelated group to user1
ent.assert_group_by_name(
"group2",
dict(mem=ent.contains_only("user2", "user12", "user22")))
ent.assert_group_by_gid(
2002,
dict(mem=ent.contains_only("user2", "user12", "user22")))
assert_initgroups_equal("user1", 2001, [2000, 2001])
def test_groupdel(group_ops_setup):
group_ops_setup.groupadd(**GROUP1)
ent.assert_group_by_name("group1", GROUP1)
group_ops_setup.groupdel("group1")
with pytest.raises(KeyError):
grp.getgrnam("group1")
def test_groupdel(group_ops_setup):
group_ops_setup.groupadd(**GROUP1)
ent.assert_group_by_name("group1", GROUP1)
group_ops_setup.groupdel("group1")
with pytest.raises(KeyError):
grp.getgrnam("group1")
def run_simple_test_with_initgroups():
ent.assert_passwd_by_name(
'user1',
dict(name='user1',
passwd='*',
uid=1001,
gid=2001,
gecos='1001',
shell='/bin/bash'))
ent.assert_passwd_by_uid(
1001,
dict(name='user1',
passwd='*',
uid=1001,
gid=2001,
gecos='1001',
shell='/bin/bash'))
ent.assert_group_by_name(
"group1", dict(mem=ent.contains_only("user1", "user11", "user21")))
ent.assert_group_by_gid(
2001, dict(mem=ent.contains_only("user1", "user11", "user21")))
# unrelated group to user1
ent.assert_group_by_name(
"group2", dict(mem=ent.contains_only("user2", "user12", "user22")))
ent.assert_group_by_gid(
2002, dict(mem=ent.contains_only("user2", "user12", "user22")))
assert_initgroups_equal("user1", 2001, [2000, 2001])
def test_group_2307_update_same_attrs(ldap_conn,
ldb_examine,
setup_rfc2307):
"""
Test that a group update with a different modifyTimestamp but the same
attrs does not trigger sysdb cache update
"""
ldb_conn = ldb_examine
old_sysdb_attrs, old_ts_attrs = prime_cache_group(
ldb_conn, "group1",
("user1", "user11", "user21"))
# modify an argument we don't save to the cache. This will bump the
# modifyTimestamp attribute, but the attributes themselves will be the same
# from sssd's point of view
ldap_conn.modify_s("cn=group1,ou=Groups," + ldap_conn.ds_inst.base_dn,
[(ldap.MOD_ADD, "description", "group one")])
# wait for slapd to change its database
time.sleep(1)
ent.assert_group_by_name(
"group1",
dict(mem=ent.contains_only("user1", "user11", "user21")))
sysdb_attrs, ts_attrs = get_group_attrs(ldb_conn, "group1",
SSSD_DOMAIN, TS_ATTRLIST)
assert_same_attrval(sysdb_attrs, old_sysdb_attrs, "dataExpireTimestamp")
assert_same_attrval(sysdb_attrs, old_sysdb_attrs,
"originalModifyTimestamp")
assert_diff_attrval(ts_attrs, old_ts_attrs, "dataExpireTimestamp")
assert_diff_attrval(ts_attrs, old_ts_attrs, "originalModifyTimestamp")
def setup_gr_with_list(pwd_ops, grp_ops, group_list):
for group in group_list:
add_group_members(pwd_ops, group)
grp_ops.groupadd(**group)
ent.assert_group_by_name(CANARY_GR['name'], CANARY_GR)
return grp_ops
def test_ldap_auto_private_groups_direct_no_gid(ldap_conn, mpg_setup_no_gid):
"""
Integration test for auto_private_groups - test that even a user with
no GID assigned at all can be resolved including their autogenerated
primary group.
See also ticket https://pagure.io/SSSD/sssd/issue/1872
"""
# Make sure the user's GID is taken from their uidNumber
ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001, gid=1001))
# Make sure the private group is resolvable by name and by GID
ent.assert_group_by_name("user1", dict(gid=1001, mem=ent.contains_only()))
ent.assert_group_by_gid(1001, dict(name="user1", mem=ent.contains_only()))
# The group referenced in user's gidNumber attribute should be still
# visible, but shouldn't have any relation to the user
ent.assert_group_by_name("group1", dict(gid=2001, mem=ent.contains_only()))
ent.assert_group_by_gid(2001, dict(name="group1", mem=ent.contains_only()))
# The user's secondary groups list must be correct as well. This time only
# the generated group and the explicit secondary group are added, since
# there is no original GID
user1_expected_gids = [1001, 2015]
(res, errno, gids) = sssd_id.call_sssd_initgroups("user1", 1001)
assert res == sssd_id.NssReturnCode.SUCCESS
assert sorted(gids) == sorted(user1_expected_gids), \
"result: %s\n expected %s" % (
", ".join(["%s" % s for s in sorted(gids)]),
", ".join(["%s" % s for s in sorted(user1_expected_gids)])
)
def test_removed_mc(ldap_conn, sanity_rfc2307):
"""
Regression test for ticket:
https://fedorahosted.org/sssd/ticket/2726
"""
ent.assert_passwd_by_name(
'user1',
dict(name='user1', passwd='*', uid=1001, gid=2001,
gecos='1001', shell='/bin/bash'))
ent.assert_passwd_by_uid(
1001,
dict(name='user1', passwd='*', uid=1001, gid=2001,
gecos='1001', shell='/bin/bash'))
ent.assert_group_by_name("group1", dict(name="group1", gid=2001))
ent.assert_group_by_gid(2001, dict(name="group1", gid=2001))
stop_sssd()
# remove cache without invalidation
for path in os.listdir(config.MCACHE_PATH):
os.unlink(config.MCACHE_PATH + "/" + path)
# sssd is stopped; so the memory cache should not be used
# in long living clients (py.test in this case)
with pytest.raises(KeyError):
pwd.getpwnam('user1')
with pytest.raises(KeyError):
pwd.getpwuid(1001)
with pytest.raises(KeyError):
grp.getgrnam('group1')
with pytest.raises(KeyError):
grp.getgrgid(2001)
def test_group_2307bis_update_diff_attrs(ldap_conn, ldb_examine,
setup_rfc2307bis):
"""
Test that a group update with different attribute triggers cache update
"""
ldb_conn = ldb_examine
old_sysdb_attrs, old_ts_attrs = prime_cache_group(
ldb_conn, "group1", ("user1", "user11", "user21"))
user_dn = "uid=user1,ou=Users," + ldap_conn.ds_inst.base_dn
ldap_conn.modify_s("cn=group1,ou=Groups," + ldap_conn.ds_inst.base_dn,
[(ldap.MOD_DELETE, "member", user_dn.encode('utf-8'))])
# wait for slapd to change its database
time.sleep(1)
ent.assert_group_by_name("group1",
dict(mem=ent.contains_only("user11", "user21")))
sysdb_attrs, ts_attrs = get_group_attrs(ldb_conn, "group1", SSSD_DOMAIN,
TS_ATTRLIST)
assert_diff_attrval(sysdb_attrs, old_sysdb_attrs, "dataExpireTimestamp")
assert_diff_attrval(sysdb_attrs, old_sysdb_attrs,
"originalModifyTimestamp")
assert_diff_attrval(ts_attrs, old_ts_attrs, "dataExpireTimestamp")
assert_diff_attrval(ts_attrs, old_ts_attrs, "originalModifyTimestamp")
def test_disabled_mc(ldap_conn, disable_memcache_rfc2307):
ent.assert_passwd_by_name(
'user1',
dict(name='user1', passwd='*', uid=1001, gid=2001,
gecos='1001', shell='/bin/bash'))
ent.assert_passwd_by_uid(
1001,
dict(name='user1', passwd='*', uid=1001, gid=2001,
gecos='1001', shell='/bin/bash'))
ent.assert_group_by_name("group1", dict(name="group1", gid=2001))
ent.assert_group_by_gid(2001, dict(name="group1", gid=2001))
assert_user_gids_equal('user1', [2000, 2001])
stop_sssd()
# sssd is stopped and the memory cache is disabled;
# so pytest should not be able to find anything
with pytest.raises(KeyError):
pwd.getpwnam('user1')
with pytest.raises(KeyError):
pwd.getpwuid(1001)
with pytest.raises(KeyError):
grp.getgrnam('group1')
with pytest.raises(KeyError):
grp.getgrgid(2001)
with pytest.raises(KeyError):
(res, errno, gids) = sssd_id.get_user_gids('user1')
def test_mc_zero_timeout(ldap_conn, zero_timeout_rfc2307):
"""
Test that the memory cache is not created at all with memcache_timeout=0
"""
# No memory cache files must be created
assert len(os.listdir(config.MCACHE_PATH)) == 0
ent.assert_passwd_by_name(
'user1',
dict(name='user1', passwd='*', uid=1001, gid=2001,
gecos='1001', shell='/bin/bash'))
ent.assert_passwd_by_uid(
1001,
dict(name='user1', passwd='*', uid=1001, gid=2001,
gecos='1001', shell='/bin/bash'))
ent.assert_group_by_name("group1", dict(name="group1", gid=2001))
ent.assert_group_by_gid(2001, dict(name="group1", gid=2001))
stop_sssd()
# sssd is stopped; so the memory cache should not be used
# in long living clients (py.test in this case)
with pytest.raises(KeyError):
pwd.getpwnam('user1')
with pytest.raises(KeyError):
pwd.getpwuid(1001)
with pytest.raises(KeyError):
grp.getgrnam('group1')
with pytest.raises(KeyError):
grp.getgrgid(2001)
def test_group_2307_update_same_attrs(ldap_conn, ldb_examine, setup_rfc2307):
"""
Test that a group update with a different modifyTimestamp but the same
attrs does not trigger sysdb cache update
"""
ldb_conn = ldb_examine
old_sysdb_attrs, old_ts_attrs = prime_cache_group(
ldb_conn, "group1", ("user1", "user11", "user21"))
# modify an argument we don't save to the cache. This will bump the
# modifyTimestamp attribute, but the attributes themselves will be the same
# from sssd's point of view
ldap_conn.modify_s("cn=group1,ou=Groups," + ldap_conn.ds_inst.base_dn,
[(ldap.MOD_ADD, "description", b"group one")])
# wait for slapd to change its database
time.sleep(1)
ent.assert_group_by_name(
"group1", dict(mem=ent.contains_only("user1", "user11", "user21")))
sysdb_attrs, ts_attrs = get_group_attrs(ldb_conn, "group1", SSSD_DOMAIN,
TS_ATTRLIST)
assert_same_attrval(sysdb_attrs, old_sysdb_attrs, "dataExpireTimestamp")
assert_same_attrval(sysdb_attrs, old_sysdb_attrs,
"originalModifyTimestamp")
assert_diff_attrval(ts_attrs, old_ts_attrs, "dataExpireTimestamp")
assert_diff_attrval(ts_attrs, old_ts_attrs, "originalModifyTimestamp")
def test_add_remove_membership_rfc2307_bis(ldap_conn, user_and_groups_rfc2307_bis):
"""
Test user and group membership addition and removal are reflected by SSSD,
with RFC2307bis schema
"""
time.sleep(INTERACTIVE_TIMEOUT / 2)
# Add user to group1
ent.assert_group_by_name("group1", dict(mem=ent.contains_only()))
ldap_conn.modify_s(
"cn=group1,ou=Groups," + ldap_conn.ds_inst.base_dn,
[(ldap.MOD_REPLACE, "member", "uid=user,ou=Users," + ldap_conn.ds_inst.base_dn)],
)
time.sleep(INTERACTIVE_TIMEOUT)
ent.assert_group_by_name("group1", dict(mem=ent.contains_only("user")))
# Add group1 to group2
ldap_conn.modify_s(
"cn=group2,ou=Groups," + ldap_conn.ds_inst.base_dn,
[(ldap.MOD_REPLACE, "member", "cn=group1,ou=Groups," + ldap_conn.ds_inst.base_dn)],
)
time.sleep(INTERACTIVE_TIMEOUT)
ent.assert_group_by_name("group2", dict(mem=ent.contains_only("user")))
# Remove group1 from group2
ldap_conn.modify_s("cn=group2,ou=Groups," + ldap_conn.ds_inst.base_dn, [(ldap.MOD_DELETE, "member", None)])
time.sleep(INTERACTIVE_TIMEOUT)
ent.assert_group_by_name("group2", dict(mem=ent.contains_only()))
# Remove user from group1
ldap_conn.modify_s("cn=group1,ou=Groups," + ldap_conn.ds_inst.base_dn, [(ldap.MOD_DELETE, "member", None)])
time.sleep(INTERACTIVE_TIMEOUT)
ent.assert_group_by_name("group1", dict(mem=ent.contains_only()))
def test_group_2307_update_diff_attrs(ldap_conn,
ldb_examine,
setup_rfc2307):
"""
Test that a group update with different attribute triggers cache update
"""
ldb_conn = ldb_examine
old_sysdb_attrs, old_ts_attrs = prime_cache_group(
ldb_conn, "group1",
("user1", "user11", "user21"))
ldap_conn.modify_s("cn=group1,ou=Groups," + ldap_conn.ds_inst.base_dn,
[(ldap.MOD_DELETE, "memberUid", "user1")])
# wait for slapd to change its database
time.sleep(1)
ent.assert_group_by_name(
"group1",
dict(mem=ent.contains_only("user11", "user21")))
sysdb_attrs, ts_attrs = get_group_attrs(ldb_conn, "group1",
SSSD_DOMAIN, TS_ATTRLIST)
assert_diff_attrval(sysdb_attrs, old_sysdb_attrs, "dataExpireTimestamp")
assert_diff_attrval(sysdb_attrs, old_sysdb_attrs,
"originalModifyTimestamp")
assert_diff_attrval(ts_attrs, old_ts_attrs, "dataExpireTimestamp")
assert_diff_attrval(ts_attrs, old_ts_attrs, "originalModifyTimestamp")
def test_ldap_auto_private_groups_conflict(ldap_conn, mpg_setup_conflict):
"""
Make sure that conflicts between groups that are auto-created with the
help of the auto_private_groups option and between 'real' LDAP groups
are handled in a predictable manner.
"""
# Make sure the user's GID is taken from their uidNumber
ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001, gid=1001))
# Make sure the private group is resolvable by name and by GID
ent.assert_group_by_name("user1", dict(gid=1001, mem=ent.contains_only()))
ent.assert_group_by_gid(1001, dict(name="user1", mem=ent.contains_only()))
# Let's request the group with the same ID as user2's private group
# The request should match the 'real' group
ent.assert_group_by_gid(1002, dict(name="group2", mem=ent.contains_only()))
# But because of the GID conflict, the user cannot be resolved
with pytest.raises(KeyError):
pwd.getpwnam("user2")
# This user's GID is the same as the UID in this entry. The most important
# thing here is that the supplementary groups are correct and the GID
# resolves to the private group (as long as the user was requested first)
user3_expected_gids = [1003, 2015]
ent.assert_passwd_by_name("user3", dict(name="user3", uid=1003, gid=1003))
(res, errno, gids) = sssd_id.call_sssd_initgroups("user3", 1003)
assert res == sssd_id.NssReturnCode.SUCCESS
assert sorted(gids) == sorted(user3_expected_gids), \
"result: %s\n expected %s" % (
", ".join(["%s" % s for s in sorted(gids)]),
", ".join(["%s" % s for s in sorted(user3_expected_gids)])
)
# Make sure the private group is resolvable by name and by GID
ent.assert_group_by_gid(1003, dict(name="user3", mem=ent.contains_only()))
ent.assert_group_by_name("user3", dict(gid=1003, mem=ent.contains_only()))
def test_removed_mc(ldap_conn, sanity_rfc2307):
"""
Regression test for ticket:
https://fedorahosted.org/sssd/ticket/2726
"""
ent.assert_passwd_by_name(
'user1',
dict(name='user1', passwd='*', uid=1001, gid=2001,
gecos='1001', shell='/bin/bash'))
ent.assert_passwd_by_uid(
1001,
dict(name='user1', passwd='*', uid=1001, gid=2001,
gecos='1001', shell='/bin/bash'))
ent.assert_group_by_name("group1", dict(name="group1", gid=2001))
ent.assert_group_by_gid(2001, dict(name="group1", gid=2001))
stop_sssd()
# remove cache without invalidation
for path in os.listdir(config.MCACHE_PATH):
os.unlink(config.MCACHE_PATH + "/" + path)
# sssd is stopped; so the memory cache should not be used
# in long living clients (py.test in this case)
with pytest.raises(KeyError):
pwd.getpwnam('user1')
with pytest.raises(KeyError):
pwd.getpwuid(1001)
with pytest.raises(KeyError):
grp.getgrnam('group1')
with pytest.raises(KeyError):
grp.getgrgid(2001)
def assert_mc_records_for_user1():
ent.assert_passwd_by_name(
'user1',
dict(name='user1',
passwd='*',
uid=1001,
gid=2001,
gecos='1001',
shell='/bin/bash'))
ent.assert_passwd_by_uid(
1001,
dict(name='user1',
passwd='*',
uid=1001,
gid=2001,
gecos='1001',
shell='/bin/bash'))
ent.assert_group_by_name(
"group1", dict(mem=ent.contains_only("user1", "user11", "user21")))
ent.assert_group_by_gid(
2001, dict(mem=ent.contains_only("user1", "user11", "user21")))
ent.assert_group_by_name(
"group0x", dict(mem=ent.contains_only("user1", "user2", "user3")))
ent.assert_group_by_gid(
2000, dict(mem=ent.contains_only("user1", "user2", "user3")))
assert_initgroups_equal("user1", 2001, [2000, 2001])
def test_groupmod(group_ops_setup):
group_ops_setup.groupadd(**GROUP1)
ent.assert_group_by_name("group1", GROUP1)
modgroup = dict(GROUP1)
modgroup['mem'] = []
group_ops_setup.groupmod(old_name=GROUP1["name"], **modgroup)
ent.assert_group_by_name("group1", modgroup)
def test_groupmod(group_ops_setup):
group_ops_setup.groupadd(**GROUP1)
ent.assert_group_by_name("group1", GROUP1)
modgroup = dict(GROUP1)
modgroup['mem'] = []
group_ops_setup.groupmod(old_name=GROUP1["name"], **modgroup)
ent.assert_group_by_name("group1", modgroup)
def assert_group_overriden():
# There is an issue in nss_wrapper [0] and nss_wrapper always looks into
# the files first before using the NSS module. This lets this check fail
# because the user is found in the file and hence will be returned
# without overridden values.
# In order to work this around while there's no fix for nss_wrapper, let's
# use the fully-qualified name when looking up the GROUP1
#
# https://bugzilla.samba.org/show_bug.cgi?id=12883)
ent.assert_group_by_name(GROUP1["name"]+"@files", OV_GROUP1)
ent.assert_group_by_name(OV_GROUP1["name"], OV_GROUP1)
def assert_group_overriden():
# There is an issue in nss_wrapper [0] and nss_wrapper always looks into
# the files first before using the NSS module. This lets this check fail
# because the user is found in the file and hence will be returned
# without overridden values.
# In order to work this around while there's no fix for nss_wrapper, let's
# use the fully-qualified name when looking up the GROUP1
#
# https://bugzilla.samba.org/show_bug.cgi?id=12883)
ent.assert_group_by_name(GROUP1["name"] + "@files", OV_GROUP1)
ent.assert_group_by_name(OV_GROUP1["name"], OV_GROUP1)
def prime_cache_group(ldb_conn, name, members):
ent.assert_group_by_name(name, dict(mem=ent.contains_only(*members)))
sysdb_attrs, ts_attrs = get_group_attrs(ldb_conn, name, SSSD_DOMAIN,
TS_ATTRLIST)
assert_same_attrval(sysdb_attrs, ts_attrs, "dataExpireTimestamp")
assert_same_attrval(sysdb_attrs, ts_attrs, "originalModifyTimestamp")
# just to force different stamps and make sure memcache is gone
time.sleep(1)
invalidate_group(ldb_conn, name)
return sysdb_attrs, ts_attrs
def test_add_local_user_to_local_group(local_domain_only):
"""
Regression test for ticket
https://fedorahosted.org/sssd/ticket/3178
"""
subprocess.check_call(["sss_groupadd", "-g", "10009", "group10009"])
subprocess.check_call(["sss_useradd", "-u", "10009", "-M", "user10009"])
subprocess.check_call(["sss_usermod", "-a", "group10009", "user10009"])
ent.assert_group_by_name(
"group10009",
dict(name="group10009", passwd="*", gid=10009,
mem=ent.contains_only("user10009")))
def prime_cache_group(ldb_conn, name, members):
ent.assert_group_by_name(
name,
dict(mem=ent.contains_only(*members)))
sysdb_attrs, ts_attrs = get_group_attrs(ldb_conn, name,
SSSD_DOMAIN, TS_ATTRLIST)
assert_same_attrval(sysdb_attrs, ts_attrs, "dataExpireTimestamp")
assert_same_attrval(sysdb_attrs, ts_attrs, "originalModifyTimestamp")
# just to force different stamps and make sure memcache is gone
time.sleep(1)
invalidate_group(name)
return sysdb_attrs, ts_attrs
def test_add_local_user_to_local_group(local_domain_only):
"""
Regression test for ticket
https://fedorahosted.org/sssd/ticket/3178
"""
subprocess.check_call(["sss_groupadd", "-g", "10009", "group10009"])
subprocess.check_call(["sss_useradd", "-u", "10009", "-M", "user10009"])
subprocess.check_call(["sss_usermod", "-a", "group10009", "user10009"])
ent.assert_group_by_name(
"group10009",
dict(name="group10009",
passwd="*",
gid=10009,
mem=ent.contains_only("user10009")))
def test_assert_group_by_name(users_and_groups):
ent.assert_group_by_name("group1", {})
ent.assert_group_by_name("group1", dict(name="group1", gid=2001))
ent.assert_group_by_name("group1", GROUP1)
try:
ent.assert_group_by_name("group3", {})
assert False
except AssertionError as e:
assert str(e) == "'getgrnam(): name not found: group3'"
try:
ent.assert_group_by_name("group2", dict(name="group1"))
assert False
except AssertionError as e:
assert str(e) == "'name' mismatch: 'group1' != 'group2'"
def test_group_show_basic_sanity(ldap_conn, sanity_rfc2307, portable_LC_ALL):
# Fill the cache first
ent.assert_group_by_name("group1", dict(mem=ent.contains_only("user1")))
ent.assert_group_by_name("CamelCaseGroup1",
dict(mem=ent.contains_only("CamelCaseUser1")))
output = get_call_output(["sssctl", "group-show", "group1"])
assert output.find("Name: group1") != -1
assert output.find("Cached in InfoPipe: No") != -1
output = get_call_output(["sssctl", "group-show", "CamelCaseGroup1"])
assert output.find("Name: CamelCaseGroup1") != -1
assert output.find("Cached in InfoPipe: No") != -1
output = get_call_output(["sssctl", "group-show", "camelcasegroup1"])
assert output.find("Group camelcasegroup1 is not present in cache.") != -1
def test_assert_group_by_name(users_and_groups):
ent.assert_group_by_name("group1", {})
ent.assert_group_by_name("group1", dict(name="group1", gid=2001))
ent.assert_group_by_name("group1", GROUP1)
try:
ent.assert_group_by_name("group3", {})
assert False
except AssertionError as e:
assert str(e) == "'getgrnam(): name not found: group3'"
try:
ent.assert_group_by_name("group2", dict(name="group1"))
assert False
except AssertionError as e:
assert str(e) == "'name' mismatch: 'group1' != 'group2'"
def test_disabled_initgr_mc(ldap_conn, disable_initgr_mc_rfc2307):
ent.assert_passwd_by_name(
'user1',
dict(name='user1',
passwd='*',
uid=1001,
gid=2001,
gecos='1001',
shell='/bin/bash'))
ent.assert_passwd_by_uid(
1001,
dict(name='user1',
passwd='*',
uid=1001,
gid=2001,
gecos='1001',
shell='/bin/bash'))
ent.assert_group_by_name("group1", dict(name="group1", gid=2001))
ent.assert_group_by_gid(2001, dict(name="group1", gid=2001))
assert_user_gids_equal('user1', [2000, 2001])
stop_sssd()
# initgroups is disabled, other caches should work
ent.assert_passwd_by_name(
'user1',
dict(name='user1',
passwd='*',
uid=1001,
gid=2001,
gecos='1001',
shell='/bin/bash'))
ent.assert_passwd_by_uid(
1001,
dict(name='user1',
passwd='*',
uid=1001,
gid=2001,
gecos='1001',
shell='/bin/bash'))
ent.assert_group_by_name("group1", dict(name="group1", gid=2001))
ent.assert_group_by_gid(2001, dict(name="group1", gid=2001))
assert_unsuccessful_initgr('user1')
def test_sss_group_add_show_del_fqdn(local_domain_only_fqdn):
"""
Regression test for tickets
https://fedorahosted.org/sssd/ticket/3173
https://fedorahosted.org/sssd/ticket/3175
"""
subprocess.check_call(["sss_groupadd", "foo@LOCAL", "-g", "10001"])
"This should not raise KeyError"
ent.assert_group_by_name("foo@LOCAL", dict(name="foo@LOCAL", gid=10001))
"sss_grupshow should return 0 with existing group name"
subprocess.check_call(["sss_groupshow", "foo@LOCAL"])
subprocess.check_call(["sss_groupdel", "foo@LOCAL"])
assert_nonexistent_group("foo@LOCAL")
def test_special_characters_in_names(ldap_conn, sanity_rfc2307):
"""
Test special characters which could cause malformed filter
in ldb_seach.
Regression test for ticket:
https://fedorahosted.org/sssd/ticket/3121
"""
ent.assert_passwd_by_name(
"t(u)ser",
dict(name="t(u)ser", passwd="*", uid=5000, gid=5001,
gecos="5000", shell="/bin/bash"))
ent.assert_group_by_name(
"group(_u)ser1",
dict(name="group(_u)ser1", passwd="*", gid=5001,
mem=ent.contains_only("t(u)ser")))
def test_special_characters_in_names(ldap_conn, sanity_rfc2307):
"""
Test special characters which could cause malformed filter
in ldb_seach.
Regression test for ticket:
https://fedorahosted.org/sssd/ticket/3121
"""
ent.assert_passwd_by_name(
"t(u)ser",
dict(name="t(u)ser", passwd="*", uid=5000, gid=5001,
gecos="5000", shell="/bin/bash"))
ent.assert_group_by_name(
"group(_u)ser1",
dict(name="group(_u)ser1", passwd="*", gid=5001,
mem=ent.contains_only("t(u)ser")))
def test_zero_nesting_level(ldap_conn, rfc2307bis_no_nesting):
"""
Test initgroups operation with rfc2307bis schema asserting
only primary group and parent groups are included in group
list. No parent groups of groups should be returned with zero
group nesting level.
"""
ent.assert_group_by_name("parentgroup",
dict(mem=ent.contains_only("user1")))
ent.assert_group_by_name("nestedgroup", dict(mem=ent.contains_only()))
(res, errno, grp_list) = sssd_id.get_user_groups("user1")
assert res == sssd_id.NssReturnCode.SUCCESS, \
"Could not find groups for user1, %d" % errno
## test nestedgroup is not returned in group list
assert sorted(grp_list) == sorted(["primarygroup", "parentgroup"])
def test_sss_group_add_show_del_fqdn(local_domain_only_fqdn):
"""
Regression test for tickets
https://fedorahosted.org/sssd/ticket/3173
https://fedorahosted.org/sssd/ticket/3175
"""
subprocess.check_call(["sss_groupadd", "foo@LOCAL", "-g", "10001"])
"This should not raise KeyError"
ent.assert_group_by_name("foo@LOCAL", dict(name="foo@LOCAL", gid=10001))
"sss_grupshow should return 0 with existing group name"
subprocess.check_call(["sss_groupshow", "foo@LOCAL"])
subprocess.check_call(["sss_groupdel", "foo@LOCAL"])
assert_nonexistent_group("foo@LOCAL")
def test_refresh_after_cleanup_task(ldap_conn, refresh_after_cleanup_task):
"""
Regression test for ticket:
https://fedorahosted.org/sssd/ticket/2676
"""
ent.assert_group_by_name(
"group2",
dict(mem=ent.contains_only("user1")))
ent.assert_passwd_by_name(
'user1',
dict(name='user1', passwd='*', uid=1001, gid=2001,
gecos='1001', shell='/bin/bash'))
time.sleep(15)
ent.assert_group_by_name(
"group2",
dict(mem=ent.contains_only("user1")))
def test_refresh_after_cleanup_task(ldap_conn, refresh_after_cleanup_task):
"""
Regression test for ticket:
https://fedorahosted.org/sssd/ticket/2676
"""
ent.assert_group_by_name(
"group2",
dict(mem=ent.contains_only("user1")))
ent.assert_passwd_by_name(
'user1',
dict(name='user1', passwd='*', uid=1001, gid=2001,
gecos='1001', shell='/bin/bash'))
time.sleep(15)
ent.assert_group_by_name(
"group2",
dict(mem=ent.contains_only("user1")))
def test_invalidation_of_gids_after_initgroups(ldap_conn, sanity_rfc2307):
# the sssd cache was empty and not all user's group were
# resolved with getgr{nm,gid}. Therefore there is a change in
# group membership => user groups should be invalidated
run_simple_test_with_initgroups()
assert_initgroups_equal("user1", 2001, [2000, 2001])
stop_sssd()
ent.assert_passwd_by_name(
'user1',
dict(name='user1',
passwd='*',
uid=1001,
gid=2001,
gecos='1001',
shell='/bin/bash'))
ent.assert_passwd_by_uid(
1001,
dict(name='user1',
passwd='*',
uid=1001,
gid=2001,
gecos='1001',
shell='/bin/bash'))
# unrelated group to user1 must be returned
ent.assert_group_by_name(
"group2", dict(mem=ent.contains_only("user2", "user12", "user22")))
ent.assert_group_by_gid(
2002, dict(mem=ent.contains_only("user2", "user12", "user22")))
assert_initgroups_equal("user1", 2001, [2000, 2001])
# user groups must be invalidated
for group in ["group1", "group0x"]:
with pytest.raises(KeyError):
grp.getgrnam(group)
for gid in [2000, 2001]:
with pytest.raises(KeyError):
grp.getgrgid(gid)
def test_group_show_basic_fqname(ldap_conn, fqname_rfc2307, portable_LC_ALL):
# Fill the cache first
ent.assert_group_by_name(
"group1@LDAP",
dict(mem=ent.contains_only("user1@LDAP")))
ent.assert_group_by_name(
"CamelCaseGroup1@LDAP",
dict(mem=ent.contains_only("CamelCaseUser1@LDAP")))
output = get_call_output(["sssctl", "group-show", "group1@LDAP"])
assert output.find("Name: group1@LDAP") != -1
assert output.find("Cached in InfoPipe: No") != -1
output = get_call_output(["sssctl", "group-show", "CamelCaseGroup1@LDAP"])
assert output.find("Name: CamelCaseGroup1@LDAP") != -1
assert output.find("Cached in InfoPipe: No") != -1
output = get_call_output(["sssctl", "group-show", "camelcasegroup1@LDAP"])
assert output.find("Group camelcasegroup1 is not present in cache.") != -1
def test_add_local_group_to_local_group(local_domain_only):
"""
Regression test for tickets
https://fedorahosted.org/sssd/ticket/3178
"""
subprocess.check_call(["sss_groupadd", "-g", "10009", "group_child"])
subprocess.check_call(["sss_useradd", "-u", "10009", "-M", "user_child"])
subprocess.check_call(["sss_usermod", "-a", "group_child", "user_child"])
subprocess.check_call(["sss_groupadd", "-g", "10008", "group_parent"])
subprocess.check_call(
["sss_groupmod", "-a", "group_parent", "group_child"])
# User from child_group is member of parent_group, so child_group's
# member must be also parent_group's member
ent.assert_group_by_name(
"group_parent",
dict(name="group_parent", passwd="*", gid=10008,
mem=ent.contains_only("user_child")))
def test_add_local_group_to_local_group(local_domain_only):
"""
Regression test for tickets
https://fedorahosted.org/sssd/ticket/3178
"""
subprocess.check_call(["sss_groupadd", "-g", "10009", "group_child"])
subprocess.check_call(["sss_useradd", "-u", "10009", "-M", "user_child"])
subprocess.check_call(["sss_usermod", "-a", "group_child", "user_child"])
subprocess.check_call(["sss_groupadd", "-g", "10008", "group_parent"])
subprocess.check_call(
["sss_groupmod", "-a", "group_parent", "group_child"])
# User from child_group is member of parent_group, so child_group's
# member must be also parent_group's member
ent.assert_group_by_name(
"group_parent",
dict(name="group_parent",
passwd="*",
gid=10008,
mem=ent.contains_only("user_child")))
def test_group_show_basic_fqname_insensitive(ldap_conn,
fqname_case_insensitive_rfc2307,
portable_LC_ALL):
# Fill the cache first
ent.assert_group_by_name("group1@LDAP",
dict(mem=ent.contains_only("user1@LDAP")))
ent.assert_group_by_name(
"camelcasegroup1@LDAP",
dict(mem=ent.contains_only("camelcaseuser1@LDAP")))
output = get_call_output(["sssctl", "group-show", "group1@LDAP"])
assert output.find("Name: group1@LDAP") != -1
assert output.find("Cached in InfoPipe: No") != -1
output = get_call_output(["sssctl", "group-show", "CamelCaseGroup1@LDAP"])
assert output.find("Name: camelcasegroup1@LDAP") != -1
assert output.find("Cached in InfoPipe: No") != -1
output = get_call_output(["sssctl", "group-show", "camelcasegroup1@LDAP"])
assert output.find("Name: camelcasegroup1@LDAP") != -1
assert output.find("Cached in InfoPipe: No") != -1
def test_group_2307_update_same_modstamp(ldap_conn, ldb_examine,
setup_rfc2307):
"""
Test that a group update with the same modifyTimestamp does not trigger
sysdb cache update
"""
ldb_conn = ldb_examine
old_sysdb_attrs, old_ts_attrs = prime_cache_group(
ldb_conn, "group1", ("user1", "user11", "user21"))
ent.assert_group_by_name(
"group1", dict(mem=ent.contains_only("user1", "user11", "user21")))
sysdb_attrs, ts_attrs = get_group_attrs(ldb_conn, "group1", SSSD_DOMAIN,
TS_ATTRLIST)
assert_same_attrval(sysdb_attrs, old_sysdb_attrs, "dataExpireTimestamp")
assert_same_attrval(sysdb_attrs, old_sysdb_attrs,
"originalModifyTimestamp")
assert_diff_attrval(ts_attrs, old_ts_attrs, "dataExpireTimestamp")
assert_same_attrval(ts_attrs, old_ts_attrs, "originalModifyTimestamp")
def test_group_2307_update_same_modstamp(ldap_conn,
ldb_examine,
setup_rfc2307):
"""
Test that a group update with the same modifyTimestamp does not trigger
sysdb cache update
"""
ldb_conn = ldb_examine
old_sysdb_attrs, old_ts_attrs = prime_cache_group(
ldb_conn, "group1",
("user1", "user11", "user21"))
ent.assert_group_by_name(
"group1",
dict(mem=ent.contains_only("user1", "user11", "user21")))
sysdb_attrs, ts_attrs = get_group_attrs(ldb_conn, "group1",
SSSD_DOMAIN, TS_ATTRLIST)
assert_same_attrval(sysdb_attrs, old_sysdb_attrs, "dataExpireTimestamp")
assert_same_attrval(sysdb_attrs, old_sysdb_attrs, "originalModifyTimestamp")
assert_diff_attrval(ts_attrs, old_ts_attrs, "dataExpireTimestamp")
assert_same_attrval(ts_attrs, old_ts_attrs, "originalModifyTimestamp")
def test_group_member_matching(users_and_groups):
ent.assert_group_by_name("empty_group", dict(mem=ent.contains()))
ent.assert_group_by_name("empty_group", dict(mem=ent.contains_only()))
try:
ent.assert_group_by_name("empty_group",
dict(mem=ent.contains("user1")))
except AssertionError, e:
assert re.search("member list mismatch:", str(e))
assert re.search("expected members not found:", str(e))
def test_group_member_matching(users_and_groups):
ent.assert_group_by_name("empty_group", dict(mem=ent.contains()))
ent.assert_group_by_name("empty_group", dict(mem=ent.contains_only()))
try:
ent.assert_group_by_name("empty_group",
dict(mem=ent.contains("user1")))
except AssertionError, e:
assert re.search("member list mismatch:", str(e))
assert re.search("expected members not found:", str(e))
def test_invalidation_of_gids_after_initgroups(ldap_conn, sanity_rfc2307):
# the sssd cache was empty and not all user's group were
# resolved with getgr{nm,gid}. Therefore there is a change in
# group membership => user groups should be invalidated
run_simple_test_with_initgroups()
assert_initgroups_equal("user1", 2001, [2000, 2001])
stop_sssd()
ent.assert_passwd_by_name(
'user1',
dict(name='user1', passwd='*', uid=1001, gid=2001,
gecos='1001', shell='/bin/bash'))
ent.assert_passwd_by_uid(
1001,
dict(name='user1', passwd='*', uid=1001, gid=2001,
gecos='1001', shell='/bin/bash'))
# unrelated group to user1 must be returned
ent.assert_group_by_name(
"group2",
dict(mem=ent.contains_only("user2", "user12", "user22")))
ent.assert_group_by_gid(
2002,
dict(mem=ent.contains_only("user2", "user12", "user22")))
assert_initgroups_equal("user1", 2001, [2000, 2001])
# user groups must be invalidated
for group in ["group1", "group0x"]:
with pytest.raises(KeyError):
grp.getgrnam(group)
for gid in [2000, 2001]:
with pytest.raises(KeyError):
grp.getgrgid(gid)
def assert_mc_records_for_user1():
ent.assert_passwd_by_name(
'user1',
dict(name='user1', passwd='*', uid=1001, gid=2001,
gecos='1001', shell='/bin/bash'))
ent.assert_passwd_by_uid(
1001,
dict(name='user1', passwd='*', uid=1001, gid=2001,
gecos='1001', shell='/bin/bash'))
ent.assert_group_by_name(
"group1",
dict(mem=ent.contains_only("user1", "user11", "user21")))
ent.assert_group_by_gid(
2001,
dict(mem=ent.contains_only("user1", "user11", "user21")))
ent.assert_group_by_name(
"group0x",
dict(mem=ent.contains_only("user1", "user2", "user3")))
ent.assert_group_by_gid(
2000,
dict(mem=ent.contains_only("user1", "user2", "user3")))
assert_initgroups_equal("user1", 2001, [2000, 2001])
def assert_group_default():
# Assert entries are not overridden
with pytest.raises(KeyError):
pwd.getpwnam('ov_group')
with pytest.raises(KeyError):
pwd.getpwnam('ov_group@LDAP')
with pytest.raises(KeyError):
pwd.getpwnam('ov_empty_group')
with pytest.raises(KeyError):
pwd.getpwnam('ov_empty_group@LDAP')
empty_group = dict(gid=2002, mem=ent.contains_only())
group = dict(gid=2001, mem=ent.contains_only("user1", "user2"))
ent.assert_group_by_name("group", group)
ent.assert_group_by_name("group@LDAP", group)
ent.assert_group_by_name("empty_group", empty_group)
ent.assert_group_by_name("empty_group@LDAP", empty_group)
def test_add_remove_membership_rfc2307(ldap_conn, user_and_group_rfc2307):
"""Test user membership addition and removal are reflected by SSSD"""
time.sleep(INTERACTIVE_TIMEOUT / 2)
# Add user to group
ent.assert_group_by_name("group", dict(mem=ent.contains_only()))
ldap_conn.modify_s("cn=group,ou=Groups," + ldap_conn.ds_inst.base_dn, [(ldap.MOD_REPLACE, "memberUid", "user")])
time.sleep(INTERACTIVE_TIMEOUT)
ent.assert_group_by_name("group", dict(mem=ent.contains_only("user")))
# Remove user from group
ldap_conn.modify_s("cn=group,ou=Groups," + ldap_conn.ds_inst.base_dn, [(ldap.MOD_DELETE, "memberUid", None)])
time.sleep(INTERACTIVE_TIMEOUT)
ent.assert_group_by_name("group", dict(mem=ent.contains_only()))
def assert_group_default():
# Assert entries are not overridden
with pytest.raises(KeyError):
pwd.getpwnam('ov_group')
with pytest.raises(KeyError):
pwd.getpwnam('ov_group@LDAP')
with pytest.raises(KeyError):
pwd.getpwnam('ov_empty_group')
with pytest.raises(KeyError):
pwd.getpwnam('ov_empty_group@LDAP')
empty_group = dict(gid=2002, mem=ent.contains_only())
group = dict(gid=2001, mem=ent.contains_only("user1", "user2"))
ent.assert_group_by_name("group", group)
ent.assert_group_by_name("group@LDAP", group)
ent.assert_group_by_name("empty_group", empty_group)
ent.assert_group_by_name("empty_group@LDAP", empty_group)
def test_remove_user_from_group(ldap_conn, remove_user_from_group):
"""
Removing two users from group, step by step
"""
group1_dn = 'cn=group1,ou=Groups,' + ldap_conn.ds_inst.base_dn
ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001, gid=2001))
ent.assert_passwd_by_name("user2", dict(name="user2", uid=1002, gid=2002))
ent.assert_group_by_name("group1",
dict(mem=ent.contains_only("user1", "user2")))
# removing of user2 from group1
old = {'member': ["uid=user1,ou=Users,dc=example,dc=com",
"uid=user2,ou=Users,dc=example,dc=com"]}
new = {'member': ["uid=user1,ou=Users,dc=example,dc=com"]}
ldif = ldap.modlist.modifyModlist(old, new)
ldap_conn.modify_s(group1_dn, ldif)
if subprocess.call(["sss_cache", "-GU"]) != 0:
raise Exception("sssd_cache failed")
ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001, gid=2001))
ent.assert_passwd_by_name("user2", dict(name="user2", uid=1002, gid=2002))
ent.assert_group_by_name("group1", dict(mem=ent.contains_only("user1")))
# removing of user1 from group1
old = {'member': ["uid=user1,ou=Users,dc=example,dc=com"]}
new = {'member': []}
ldif = ldap.modlist.modifyModlist(old, new)
ldap_conn.modify_s(group1_dn, ldif)
if subprocess.call(["sss_cache", "-GU"]) != 0:
raise Exception("sssd_cache failed")
ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001, gid=2001))
ent.assert_passwd_by_name("user2", dict(name="user2", uid=1002, gid=2002))
ent.assert_group_by_name("group1", dict(mem=ent.contains_only()))
def test_getgrnam_membership(ldap_conn, sanity_rfc2307):
ent.assert_group_by_name(
"group1",
dict(mem=ent.contains_only("user1", "user11", "user21")))
ent.assert_group_by_gid(
2001,
dict(mem=ent.contains_only("user1", "user11", "user21")))
ent.assert_group_by_name(
"group2",
dict(mem=ent.contains_only("user2", "user12", "user22")))
ent.assert_group_by_gid(
2002,
dict(mem=ent.contains_only("user2", "user12", "user22")))
ent.assert_group_by_name(
"group3",
dict(mem=ent.contains_only("user3", "user13", "user23")))
ent.assert_group_by_gid(
2003,
dict(mem=ent.contains_only("user3", "user13", "user23")))
ent.assert_group_by_name(
"group0x",
dict(mem=ent.contains_only("user1", "user2", "user3")))
ent.assert_group_by_gid(
2000,
dict(mem=ent.contains_only("user1", "user2", "user3")))
ent.assert_group_by_name(
"group1x",
dict(mem=ent.contains_only("user11", "user12", "user13")))
ent.assert_group_by_gid(
2010,
dict(mem=ent.contains_only("user11", "user12", "user13")))
ent.assert_group_by_name(
"group2x",
dict(mem=ent.contains_only("user21", "user22", "user23")))
ent.assert_group_by_gid(
2020,
dict(mem=ent.contains_only("user21", "user22", "user23")))
def test_getgrnam_simple(ldap_conn, sanity_rfc2307):
ent.assert_group_by_name("group1", dict(name="group1", gid=2001))
ent.assert_group_by_gid(2001, dict(name="group1", gid=2001))
ent.assert_group_by_name("group2", dict(name="group2", gid=2002))
ent.assert_group_by_gid(2002, dict(name="group2", gid=2002))
ent.assert_group_by_name("group3", dict(name="group3", gid=2003))
ent.assert_group_by_gid(2003, dict(name="group3", gid=2003))
ent.assert_group_by_name("group0x", dict(name="group0x", gid=2000))
ent.assert_group_by_gid(2000, dict(name="group0x", gid=2000))
ent.assert_group_by_name("group1x", dict(name="group1x", gid=2010))
ent.assert_group_by_gid(2010, dict(name="group1x", gid=2010))
ent.assert_group_by_name("group2x", dict(name="group2x", gid=2020))
ent.assert_group_by_gid(2020, dict(name="group2x", gid=2020))
def assert_group_overriden():
# Assert entries are overridden
empty_group = dict(gid=3002, mem=ent.contains_only())
group = dict(gid=3001, mem=ent.contains_only("user1", "user2"))
ent.assert_group_by_name("group", group)
ent.assert_group_by_name("group@LDAP", group)
ent.assert_group_by_name("ov_group", group)
ent.assert_group_by_name("ov_group@LDAP", group)
ent.assert_group_by_name("empty_group", empty_group)
ent.assert_group_by_name("empty_group@LDAP", empty_group)
ent.assert_group_by_name("ov_empty_group", empty_group)
ent.assert_group_by_name("ov_empty_group@LDAP", empty_group)
def test_root_group_override(ldap_conn, env_root_group_override):
"""Test entries are overriden"""
group = dict(gid=2001, mem=ent.contains_only("user1", "user2"))
empty_group = dict(gid=2002, mem=ent.contains_only())
ent.assert_group_by_name("group", group)
ent.assert_group_by_name("ov_group", group)
ent.assert_group_by_name("group@LDAP", group)
ent.assert_group_by_name("ov_group@LDAP", group)
ent.assert_group_by_name("empty_group", empty_group)
ent.assert_group_by_name("ov_empty_group", empty_group)
ent.assert_group_by_name("empty_group@LDAP", empty_group)
ent.assert_group_by_name("ov_empty_group@LDAP", empty_group)
def test_replace_group_override(ldap_conn, env_replace_group_override):
# Test overrides are overridden
with pytest.raises(KeyError):
pwd.getpwnam('ov_group')
with pytest.raises(KeyError):
pwd.getpwnam('ov_group@LDAP')
with pytest.raises(KeyError):
pwd.getpwnam('ov_empty_group')
with pytest.raises(KeyError):
pwd.getpwnam('ov_empty_group@LDAP')
group = dict(gid=4001, mem=ent.contains_only("user1", "user2"))
empty_group = dict(gid=4002, mem=ent.contains_only())
ent.assert_group_by_name("group", group)
ent.assert_group_by_name("ov2_group", group)
ent.assert_group_by_name("group@LDAP", group)
ent.assert_group_by_name("ov2_group@LDAP", group)
ent.assert_group_by_name("empty_group", empty_group)
ent.assert_group_by_name("empty_group@LDAP", empty_group)
ent.assert_group_by_name("ov2_empty_group", empty_group)
ent.assert_group_by_name("ov2_empty_group@LDAP", empty_group)
def group_db_setup(request):
group = request.param
grp_ops = group_ops_setup(request)
grp_ops.groupadd(**group)
ent.assert_group_by_name(group['name'], group)
return grp_ops
