def test_extdom_group(self):
"""ipa-extdom-extop plugin should allow @ in group name.
Test for : https://bugzilla.redhat.com/show_bug.cgi?id=1746951
If group contains @ in group name from AD, eg. abc@[email protected]
then it should fetch successfully on ipa-client.
"""
client = self.clients[0]
hosts = [self.master, client]
ad_group = 'group@group@{0}'.format(self.ad.domain.name)
expression = '((?P<name>.+)@(?P<domain>[^@]+$))'
master_conf_backup = tasks.FileBackup(self.master, paths.SSSD_CONF)
client_conf_backup = tasks.FileBackup(client, paths.SSSD_CONF)
for host in hosts:
with tasks.remote_sssd_config(host) as sssd_conf:
sssd_conf.edit_service('sssd', 're_expression', expression)
tasks.clear_sssd_cache(host)
try:
cmd = ['getent', 'group', ad_group]
result = self.master.run_command(cmd)
assert ad_group in result.stdout_text
result2 = client.run_command(cmd)
assert ad_group in result2.stdout_text
finally:
master_conf_backup.restore()
client_conf_backup.restore()
tasks.clear_sssd_cache(self.master)
tasks.clear_sssd_cache(client)
def test_ipa_adtrust_install_with_locale_issue8066(self):
"""
This test checks that ipa-adtrust-install command runs successfully
on a system with locale en_IN.UTF-8 without displaying error below
'IndexError: list index out of range'
This is a testcase for Pagure issue
https://pagure.io/freeipa/issue/8066
"""
# Set locale to en_IN.UTF-8 in .bashrc file to avoid reboot
tasks.kinit_admin(self.master)
BASHRC_CFG = "/root/.bashrc"
bashrc_backup = tasks.FileBackup(self.master, BASHRC_CFG)
exp_msg = "en_IN.UTF-8"
try:
self.master.run_command(
'echo "export LC_TIME=en_IN.UTF-8" >> ' + BASHRC_CFG
)
result = self.master.run_command('echo "$LC_TIME"')
assert result.stdout_text.rstrip() == exp_msg
# Install ipa-server-adtrust and check status
msg1 = (
"Unexpected error - see /var/log/ipaserver-install.log"
"for details"
)
msg2 = "IndexError: list index out of range"
tasks.install_packages(self.master, ["*ipa-server-trust-ad"])
result = self.master.run_command(
["ipa-adtrust-install", "-U"], raiseonerr=False
)
assert msg1 not in result.stderr_text
assert msg2 not in result.stderr_text
finally:
bashrc_backup.restore()
def samba_share_public(self):
"""Setup share outside /home on samba server."""
share_name = 'shared'
share_path = '/srv/samba_shared'
smbserver = self.smbserver
smbserver.run_command(['mkdir', share_path])
smbserver.run_command(['chmod', '777', share_path])
# apply selinux context only if selinux is enabled
if tasks.is_selinux_enabled(smbserver):
smbserver.run_command(['chcon', '-t', 'samba_share_t', share_path])
with tasks.FileBackup(smbserver, paths.SMB_CONF):
smb_conf = smbserver.get_file_contents(
paths.SMB_CONF, encoding='utf-8')
smb_conf += textwrap.dedent('''
[{name}]
path = {path}
writable = yes
browsable=yes
'''.format(name=share_name, path=share_path))
smbserver.put_file_contents(paths.SMB_CONF, smb_conf)
smbserver.run_command(['systemctl', 'restart', 'smb'])
wait_smbd_functional(smbserver)
yield {
'name': share_name,
'server_path': share_path,
'unc': '//{}/{}'.format(smbserver.hostname, share_name)
}
smbserver.run_command(['systemctl', 'restart', 'smb'])
wait_smbd_functional(smbserver)
smbserver.run_command(['rmdir', share_path])
def _enable_for(smbclient):
with tasks.FileBackup(smbclient, paths.KRB5_CONF):
krb5_conf = smbclient.get_file_contents(paths.KRB5_CONF,
encoding='utf-8')
krb5_conf = krb5_conf.replace('dns_lookup_kdc = false',
'dns_lookup_kdc = true')
smbclient.put_file_contents(paths.KRB5_CONF, krb5_conf)
yield
def enable_dns_lookup_kdc(self, host):
with tasks.FileBackup(host, paths.KRB5_CONF):
krb5_conf = host.get_file_contents(paths.KRB5_CONF,
encoding='utf-8')
krb5_conf = krb5_conf.replace('dns_lookup_kdc = false',
'dns_lookup_kdc = true')
host.put_file_contents(paths.KRB5_CONF, krb5_conf)
yield
def test_sss_ssh_authorizedkeys(self):
"""Login via Ssh using private-key for ipa-user should work.
Test for : https://pagure.io/SSSD/sssd/issue/3937
Steps:
1) setup user with ssh-key and certificate stored in ipaserver
2) simulate p11_child timeout
3) try to login via ssh using private key.
"""
user = '******'
passwd = 'Secret123'
user_key = tasks.create_temp_file(self.master, create_file=False)
pem_file = tasks.create_temp_file(self.master)
# Create a user with a password
tasks.create_active_user(
self.master,
user,
passwd,
extra_args=['--homedir', '/home/{}'.format(user)])
tasks.kinit_admin(self.master)
tasks.run_command_as_user(self.master, user,
['ssh-keygen', '-N', '', '-f', user_key])
ssh_pub_key = self.master.get_file_contents('{}.pub'.format(user_key),
encoding='utf-8')
openssl_cmd = [
'openssl', 'req', '-x509', '-newkey', 'rsa:2048', '-days', '365',
'-nodes', '-out', pem_file, '-subj', '/CN=' + user
]
self.master.run_command(openssl_cmd)
cert_b64 = self.get_cert_base64(self.master, pem_file)
sssd_p11_child = '/usr/libexec/sssd/p11_child'
backup = tasks.FileBackup(self.master, sssd_p11_child)
try:
content = '#!/bin/bash\nsleep 999999'
# added sleep to simulate the timeout for p11_child
self.master.put_file_contents(sssd_p11_child, content)
self.master.run_command(
['ipa', 'user-mod', user, '--ssh', ssh_pub_key])
self.master.run_command(
['ipa', 'user-add-cert', user, '--certificate', cert_b64])
# clear cache to avoid SSSD to check the user in old lookup
tasks.clear_sssd_cache(self.master)
result = self.master.run_command(
[paths.SSS_SSH_AUTHORIZEDKEYS, user])
assert ssh_pub_key in result.stdout_text
# login to the system
self.master.run_command([
'ssh', '-o', 'PasswordAuthentication=no', '-o',
'IdentitiesOnly=yes', '-o', 'StrictHostKeyChecking=no', '-o',
'ConnectTimeout=10', '-l', user, '-i', user_key,
self.master.hostname, 'true'
])
finally:
# cleanup
self.master.run_command(['ipa', 'user-del', user])
backup.restore()
self.master.run_command(
['rm', '-f', pem_file, user_key, '{}.pub'.format(user_key)])
def check_sudorules_for(self, object_type, object_name,
testuser, expected):
"""Verify trusted domain objects can be added to sudorules"""
# Create a SUDO rule that allows test user
# to run any command on any host as root without password
# and check that it is indeed possible to do so with sudo -l
hbacrule = 'hbacsudoers-' + object_type
sudorule = 'testrule-' + object_type
commands = [['ipa', 'hbacrule-add', hbacrule,
'--usercat=all', '--hostcat=all'],
['ipa', 'hbacrule-add-service', hbacrule,
'--hbacsvcs=sudo'],
['ipa', 'sudocmd-add', 'ALL'],
['ipa', 'sudorule-add', sudorule, '--hostcat=all'],
['ipa', 'sudorule-add-user', sudorule,
'--users', object_name],
['ipa', 'sudorule-add-option', sudorule,
'--sudooption', '!authenticate'],
['ipa', 'sudorule-add-allow-command', sudorule,
'--sudocmds', 'ALL']]
for c in commands:
self.master.run_command(c)
# allow additional configuration
yield TestDataRule(sudorule, 'sudo', object_name, testuser)
# Modify refresh_expired_interval to reduce time for refreshing
# expired entries in SSSD cache in order to avoid waiting at least
# 30 seconds before SSSD updates SUDO rules and undertermined time
# that takes to refresh the rules.
sssd_conf_backup = tasks.FileBackup(self.master, paths.SSSD_CONF)
try:
with tasks.remote_sssd_config(self.master) as sssd_conf:
sssd_conf.edit_domain(
self.master.domain, 'refresh_expired_interval', 1)
sssd_conf.edit_domain(
self.master.domain, 'entry_cache_timeout', 1)
tasks.clear_sssd_cache(self.master)
# Sleep some time so that SSSD settles down
# cache updates
time.sleep(10)
result = self.master.run_command(
['su', '-', testuser, '-c', 'sudo -l'])
if isinstance(expected, (tuple, list)):
assert any(x for x in expected if x in result.stdout_text)
else:
assert expected in result.stdout_text
finally:
sssd_conf_backup.restore()
tasks.clear_sssd_cache(self.master)
commands = [['ipa', 'sudorule-del', sudorule],
['ipa', 'sudocmd-del', 'ALL'],
['ipa', 'hbacrule-del', hbacrule]]
for c in commands:
self.master.run_command(c)
def enable_smb_client_dns_lookup_kdc(self):
smbclient = self.smbclient
with tasks.FileBackup(smbclient, paths.KRB5_CONF):
krb5_conf = smbclient.get_file_contents(
paths.KRB5_CONF, encoding='utf-8')
krb5_conf = krb5_conf.replace(
'dns_lookup_kdc = false', 'dns_lookup_kdc = true')
smbclient.put_file_contents(paths.KRB5_CONF, krb5_conf)
yield
def override_gid_setup(self, gid):
sssd_conf_backup = tasks.FileBackup(self.master, paths.SSSD_CONF)
try:
with tasks.remote_sssd_config(self.master) as sssd_conf:
sssd_conf.edit_domain(self.master.domain, 'override_gid', gid)
tasks.clear_sssd_cache(self.master)
yield
finally:
sssd_conf_backup.restore()
tasks.clear_sssd_cache(self.master)
def filter_user_setup(self, user):
sssd_conf_backup = tasks.FileBackup(self.master, paths.SSSD_CONF)
try:
with tasks.remote_sssd_config(self.master) as sssd_conf:
sssd_conf.edit_service("nss", 'filter_users',
self.users[user]['name'])
tasks.clear_sssd_cache(self.master)
yield
finally:
sssd_conf_backup.restore()
tasks.clear_sssd_cache(self.master)
def test_ssh_from_controller(self):
"""https://pagure.io/SSSD/sssd/issue/3979
Test ssh from test controller after adding
ldap_deref_threshold=0 to sssd.conf on master
Steps:
1. setup a master
2. add ldap_deref_threshold=0 to sssd.conf on master
3. add an ipa user
4. ssh from controller to master using the user created in step 3
"""
if self.master.is_fips_mode: # pylint: disable=no-member
pytest.skip("paramiko is not compatible with FIPS mode")
sssd_version = ''
cmd_output = self.master.run_command(['sssd', '--version'])
sssd_version = platform_tasks.\
parse_ipa_version(cmd_output.stdout_text.strip())
if sssd_version.version < '2.2.0':
pytest.xfail(reason="sssd 2.2.0 unavailable in F29 nightly")
username = "******" + str(random.randint(200000, 9999999))
# add ldap_deref_threshold=0 to /etc/sssd/sssd.conf
sssd_conf_backup = tasks.FileBackup(self.master, paths.SSSD_CONF)
with tasks.remote_sssd_config(self.master) as sssd_config:
sssd_config.edit_domain(
self.master.domain, 'ldap_deref_threshold', 0)
try:
self.master.run_command(['systemctl', 'restart', 'sssd.service'])
# kinit admin
tasks.kinit_admin(self.master)
# add ipa user
cmd = ['ipa', 'user-add',
'--first', username,
'--last', username,
'--password', username]
input_passwd = 'Secret123\nSecret123\n'
cmd_output = self.master.run_command(cmd, stdin_text=input_passwd)
assert 'Added user "%s"' % username in cmd_output.stdout_text
input_passwd = 'Secret123\nSecret123\nSecret123\n'
self.master.run_command(['kinit', username],
stdin_text=input_passwd)
client = paramiko.SSHClient()
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
client.connect(self.master.hostname,
username=username,
password='******')
client.close()
finally:
sssd_conf_backup.restore()
self.master.run_command(['systemctl', 'restart', 'sssd.service'])
def filter_user_setup(self, user):
sssd_conf_backup = tasks.FileBackup(self.master, paths.SSSD_CONF)
filter_user = {'filter_users': self.users[user]['name']}
try:
tasks.modify_sssd_conf(self.master, self.master.domain.name,
filter_user)
tasks.clear_sssd_cache(self.master)
yield
finally:
sssd_conf_backup.restore()
tasks.clear_sssd_cache(self.master)
def config_sssd_cache_auth(self, cached_auth_timeout):
sssd_conf_backup = tasks.FileBackup(self.master, paths.SSSD_CONF)
with tasks.remote_sssd_config(self.master) as sssd_conf:
sssd_conf.edit_domain(self.master.domain, 'cached_auth_timeout',
cached_auth_timeout)
sssd_conf.edit_service('pam', 'pam_verbosity', '2')
try:
tasks.clear_sssd_cache(self.master)
yield
finally:
sssd_conf_backup.restore()
tasks.clear_sssd_cache(self.master)
def test_external_group_paging(self):
"""SSSD should fetch external groups without any limit.
Regression test for https://pagure.io/SSSD/sssd/issue/4058
1: Add external groups more than limit.
2: Run the command id [email protected]
3: sssd should retrieve all the external groups.
"""
new_limit = 50
master = self.master
conn = master.ldap_connect()
dn = DN(('cn', 'config'))
entry = conn.get_entry(dn)
orig_limit = entry.single_value.get('nsslapd-sizelimit')
ldap_query = textwrap.dedent("""
dn: cn=config
changetype: modify
replace: nsslapd-sizelimit
nsslapd-sizelimit: {limit}
""")
tasks.ldapmodify_dm(master, ldap_query.format(limit=new_limit))
sssd_conf_backup = tasks.FileBackup(self.master, paths.SSSD_CONF)
ldap_page_size = new_limit - 1
group_count = new_limit + 2
# default ldap_page_size is '1000', adding workaround as
# ldap_page_size < nsslapd-sizelimit in sssd.conf
# Related issue : https://pagure.io/389-ds-base/issue/50888
with tasks.remote_sssd_config(self.master) as sssd_conf:
sssd_conf.edit_domain(self.master.domain, 'ldap_page_size',
ldap_page_size)
tasks.clear_sssd_cache(master)
tasks.kinit_admin(master)
for i in range(group_count):
master.run_command(
['ipa', 'group-add', '--external', 'ext-ipatest{0}'.format(i)])
try:
log_file = '{0}/sssd_{1}.log'.format(paths.VAR_LOG_SSSD_DIR,
master.domain.name)
group_entry = b'[%d] external groups found' % group_count
logsize = tasks.get_logsize(master, log_file)
master.run_command(['id', self.users['ad']['name']])
sssd_logs = master.get_file_contents(log_file)[logsize:]
assert group_entry in sssd_logs
finally:
for i in range(group_count):
master.run_command(
['ipa', 'group-del', 'ext-ipatest{0}'.format(i)])
# reset to original limit
tasks.ldapmodify_dm(master, ldap_query.format(limit=orig_limit))
sssd_conf_backup.restore()
def config_sssd_cache_auth(self, cached_auth_timeout):
sssd_conf_backup = tasks.FileBackup(self.master, paths.SSSD_CONF)
with tasks.remote_ini_file(self.master, paths.SSSD_CONF) as sssd_conf:
domain_section = 'domain/{}'.format(self.master.domain.name)
if cached_auth_timeout is None:
sssd_conf.remove_option(domain_section, 'cached_auth_timeout')
else:
sssd_conf.set(domain_section, 'cached_auth_timeout',
cached_auth_timeout)
sssd_conf.set('pam', 'pam_verbosity', '2')
try:
tasks.clear_sssd_cache(self.master)
yield
finally:
sssd_conf_backup.restore()
tasks.clear_sssd_cache(self.master)
def test_2fa_disable_single_prompt(self):
"""Test ssh with 2FA when single prompt is disabled.
Test for : https://pagure.io/SSSD/sssd/issue/3264
When [prompting/2fa/sshd] with single_prompt = False is set
then during ssh it should be prompted with given message
for first factor and then for second factor.
This requires paramiko until the 2-prompt sshpass RFE is
fulfilled: https://sourceforge.net/p/sshpass/feature-requests/5/
"""
if self.master.is_fips_mode:
pytest.skip("paramiko is not compatible with FIPS mode")
master = self.master
USER2 = 'sshuser2'
sssd_conf_backup = tasks.FileBackup(master, paths.SSSD_CONF)
first_prompt = 'Enter first factor:'
second_prompt = 'Enter second factor:'
add_contents = textwrap.dedent('''
[prompting/2fa/sshd]
single_prompt = False
first_prompt = {0}
second_prompt = {1}
''').format(first_prompt, second_prompt)
set_sssd_conf(master, add_contents)
tasks.create_active_user(master, USER2, PASSWORD)
tasks.kinit_admin(master)
master.run_command(['ipa', 'user-mod', USER2, '--user-auth-type=otp'])
try:
otpuid, totp = add_otptoken(master, USER2, otptype='totp')
master.run_command(['ipa', 'otptoken-show', otpuid])
otpvalue = totp.generate(int(time.time())).decode('ascii')
answers = {
first_prompt: PASSWORD,
second_prompt: otpvalue
}
ssh_2f(master.hostname, USER2, answers)
# check if user listed in output
cmd = self.master.run_command(['semanage', 'login', '-l'])
assert USER2 in cmd.stdout_text
finally:
master.run_command(['ipa', 'user-del', USER2])
self.master.run_command(['semanage', 'login', '-D'])
sssd_conf_backup.restore()
def test_2fa_enable_single_prompt(self):
"""Test ssh with 2FA when single prompt is enabled.
Test for : https://pagure.io/SSSD/sssd/issue/3264
When [prompting/2fa/sshd] with single_prompt = True is set
then during ssh it should be prompted with given message
for first and second factor at once.
"""
master = self.master
USER1 = 'sshuser1'
sssd_conf_backup = tasks.FileBackup(master, paths.SSSD_CONF)
first_prompt = 'Please enter password + OTP token value:'
add_contents = textwrap.dedent('''
[prompting/2fa/sshd]
single_prompt = True
first_prompt = {0}
''').format(first_prompt)
set_sssd_conf(master, add_contents)
tasks.create_active_user(master, USER1, PASSWORD)
tasks.kinit_admin(master)
master.run_command(['ipa', 'user-mod', USER1, '--user-auth-type=otp'])
try:
otpuid, totp = add_otptoken(master, USER1, otptype='totp')
master.run_command(['ipa', 'otptoken-show', otpuid])
otpvalue = totp.generate(int(time.time())).decode('ascii')
password = '******'.format(PASSWORD, otpvalue)
tasks.run_ssh_cmd(to_host=self.master.external_hostname,
username=USER1,
auth_method="password",
password=password)
# check if user listed in output
cmd = self.master.run_command(['semanage', 'login', '-l'])
assert USER1 in cmd.stdout_text
finally:
master.run_command(['ipa', 'user-del', USER1])
self.master.run_command(['semanage', 'login', '-D'])
sssd_conf_backup.restore()
def test_sssd_cache_refresh(self, user_origin):
"""Check SSSD updates expired cache items for domain and its subdomains
Regression test for https://pagure.io/SSSD/sssd/issue/4012
"""
def get_cache_update_time(obj_kind, obj_name):
res = self.master.run_command(
['sssctl', '{}-show'.format(obj_kind), obj_name])
m = re.search(r'Cache entry last update time:\s+([^\n]+)',
res.stdout_text)
update_time = m.group(1).strip()
assert update_time
return update_time
# by design, sssd does first update of expired records in 30 seconds
# since start
refresh_time = 30
user = self.users[user_origin]['name']
group = self.users[user_origin]['group']
sssd_conf_backup = tasks.FileBackup(self.master, paths.SSSD_CONF)
try:
with tasks.remote_sssd_config(self.master) as sssd_conf:
sssd_conf.edit_domain(
self.master.domain, 'refresh_expired_interval', 1)
sssd_conf.edit_domain(
self.master.domain, 'entry_cache_timeout', 1)
tasks.clear_sssd_cache(self.master)
start = time.time()
self.master.run_command(['id', user])
user_update_time = get_cache_update_time('user', user)
group_update_time = get_cache_update_time('group', group)
time.sleep(start + refresh_time - time.time() + 5)
assert get_cache_update_time('user', user) != user_update_time
assert (get_cache_update_time('group', group) !=
group_update_time)
finally:
sssd_conf_backup.restore()
tasks.clear_sssd_cache(self.master)