def test_sudo_rule_restricted_to_one_hostmask_setup(self):
# We need to detect the hostmask first
full_ip = get_host_ip_with_hostmask(self.client)
# Make a note for the next test, which needs to be skipped
# if hostmask detection failed
self.__class__.skip_hostmask_based = False
if not full_ip:
self.__class__.skip_hostmask_based = True
raise pytest.skip("Hostmask could not be detected")
self.master.run_command(['ipa', '-n', 'sudorule-add-host',
'testrule',
'--hostmask', full_ip])
# SSSD >= 1.13.3-3 uses native IPA schema instead of compat entries to
# pull in sudoers. Since native schema does not (yet) support
# hostmasks, we need to point ldap_sudo_search_base to the old schema
self.__class__.client_sssd_conf_backup = FileBackup(
self.client, paths.SSSD_CONF)
domain = self.client.domain
with remote_sssd_config(self.client) as sssd_conf:
sssd_conf.edit_domain(domain, 'sudo_provider', 'ipa')
sssd_conf.edit_domain(domain, 'ldap_sudo_search_base',
'ou=sudoers,{}'.format(domain.basedn))
def test_extdom_group(self):
"""ipa-extdom-extop plugin should allow @ in group name.
Test for : https://bugzilla.redhat.com/show_bug.cgi?id=1746951
If group contains @ in group name from AD, eg. abc@[email protected]
then it should fetch successfully on ipa-client.
"""
client = self.clients[0]
hosts = [self.master, client]
ad_group = 'group@group@{0}'.format(self.ad.domain.name)
expression = '((?P<name>.+)@(?P<domain>[^@]+$))'
master_conf_backup = tasks.FileBackup(self.master, paths.SSSD_CONF)
client_conf_backup = tasks.FileBackup(client, paths.SSSD_CONF)
for host in hosts:
with tasks.remote_sssd_config(host) as sssd_conf:
sssd_conf.edit_service('sssd', 're_expression', expression)
tasks.clear_sssd_cache(host)
try:
cmd = ['getent', 'group', ad_group]
result = self.master.run_command(cmd)
assert ad_group in result.stdout_text
result2 = client.run_command(cmd)
assert ad_group in result2.stdout_text
finally:
master_conf_backup.restore()
client_conf_backup.restore()
tasks.clear_sssd_cache(self.master)
tasks.clear_sssd_cache(client)
def test_extdom_plugin(self):
"""Extdom plugin should not return error (32)/'No such object'
Regression test for https://pagure.io/freeipa/issue/8044
If there is a timeout during a request to SSSD the extdom plugin
should not return error 'No such object' and the existing user should
not be added to negative cache on the client.
"""
extdom_dn = DN(
('cn', 'ipa_extdom_extop'), ('cn', 'plugins'),
('cn', 'config')
)
client = self.clients[0]
tasks.backup_file(self.master, paths.SSSD_CONF)
res = self.master.run_command(['pidof', 'sssd_be'])
pid = res.stdout_text.strip()
test_id = 'id testuser@%s' % self.ad_domain
client.run_command(test_id)
conn = self.master.ldap_connect()
entry = conn.get_entry(extdom_dn) # pylint: disable=no-member
orig_extdom_timeout = entry.single_value.get('ipaextdommaxnsstimeout')
# set the extdom plugin timeout to 1s (1000)
entry.single_value['ipaextdommaxnsstimeout'] = 1000
conn.update_entry(entry) # pylint: disable=no-member
self.master.run_command(['ipactl', 'restart'])
with tasks.remote_sssd_config(self.master) as sssd_conf:
sssd_conf.edit_domain(self.master.domain, 'timeout', '999999')
remove_cache = 'sss_cache -E'
self.master.run_command(remove_cache)
client.run_command(remove_cache)
log_file = '{0}/sssd_{1}.log'.format(paths.VAR_LOG_SSSD_DIR,
client.domain.name)
logsize = len(client.get_file_contents(log_file))
try:
# stop sssd_be, needed to simulate a timeout in the extdom plugin.
stop_sssdbe = self.master.run_command('kill -STOP %s' % pid)
client.run_command(test_id)
error = 'ldap_extended_operation result: No such object(32)'
sssd_log2 = client.get_file_contents(log_file)[logsize:]
assert error.encode() not in sssd_log2
finally:
if stop_sssdbe.returncode == 0:
self.master.run_command('kill -CONT %s' % pid)
# reconnect and set back to default extdom plugin
conn = self.master.ldap_connect()
entry = conn.get_entry(extdom_dn) # pylint: disable=no-member
entry.single_value['ipaextdommaxnsstimeout'] = orig_extdom_timeout
conn.update_entry(entry) # pylint: disable=no-member
tasks.restore_files(self.master)
self.master.run_command(['ipactl', 'restart'])
def check_sudorules_for(self, object_type, object_name,
testuser, expected):
"""Verify trusted domain objects can be added to sudorules"""
# Create a SUDO rule that allows test user
# to run any command on any host as root without password
# and check that it is indeed possible to do so with sudo -l
hbacrule = 'hbacsudoers-' + object_type
sudorule = 'testrule-' + object_type
commands = [['ipa', 'hbacrule-add', hbacrule,
'--usercat=all', '--hostcat=all'],
['ipa', 'hbacrule-add-service', hbacrule,
'--hbacsvcs=sudo'],
['ipa', 'sudocmd-add', 'ALL'],
['ipa', 'sudorule-add', sudorule, '--hostcat=all'],
['ipa', 'sudorule-add-user', sudorule,
'--users', object_name],
['ipa', 'sudorule-add-option', sudorule,
'--sudooption', '!authenticate'],
['ipa', 'sudorule-add-allow-command', sudorule,
'--sudocmds', 'ALL']]
for c in commands:
self.master.run_command(c)
# allow additional configuration
yield TestDataRule(sudorule, 'sudo', object_name, testuser)
# Modify refresh_expired_interval to reduce time for refreshing
# expired entries in SSSD cache in order to avoid waiting at least
# 30 seconds before SSSD updates SUDO rules and undertermined time
# that takes to refresh the rules.
sssd_conf_backup = tasks.FileBackup(self.master, paths.SSSD_CONF)
try:
with tasks.remote_sssd_config(self.master) as sssd_conf:
sssd_conf.edit_domain(
self.master.domain, 'refresh_expired_interval', 1)
sssd_conf.edit_domain(
self.master.domain, 'entry_cache_timeout', 1)
tasks.clear_sssd_cache(self.master)
# Sleep some time so that SSSD settles down
# cache updates
time.sleep(10)
result = self.master.run_command(
['su', '-', testuser, '-c', 'sudo -l'])
if isinstance(expected, (tuple, list)):
assert any(x for x in expected if x in result.stdout_text)
else:
assert expected in result.stdout_text
finally:
sssd_conf_backup.restore()
tasks.clear_sssd_cache(self.master)
commands = [['ipa', 'sudorule-del', sudorule],
['ipa', 'sudocmd-del', 'ALL'],
['ipa', 'hbacrule-del', hbacrule]]
for c in commands:
self.master.run_command(c)
def override_gid_setup(self, gid):
sssd_conf_backup = tasks.FileBackup(self.master, paths.SSSD_CONF)
try:
with tasks.remote_sssd_config(self.master) as sssd_conf:
sssd_conf.edit_domain(self.master.domain, 'override_gid', gid)
tasks.clear_sssd_cache(self.master)
yield
finally:
sssd_conf_backup.restore()
tasks.clear_sssd_cache(self.master)
def filter_user_setup(self, user):
sssd_conf_backup = tasks.FileBackup(self.master, paths.SSSD_CONF)
try:
with tasks.remote_sssd_config(self.master) as sssd_conf:
sssd_conf.edit_service("nss", 'filter_users',
self.users[user]['name'])
tasks.clear_sssd_cache(self.master)
yield
finally:
sssd_conf_backup.restore()
tasks.clear_sssd_cache(self.master)
def test_ssh_from_controller(self):
"""https://pagure.io/SSSD/sssd/issue/3979
Test ssh from test controller after adding
ldap_deref_threshold=0 to sssd.conf on master
Steps:
1. setup a master
2. add ldap_deref_threshold=0 to sssd.conf on master
3. add an ipa user
4. ssh from controller to master using the user created in step 3
"""
if self.master.is_fips_mode: # pylint: disable=no-member
pytest.skip("paramiko is not compatible with FIPS mode")
sssd_version = ''
cmd_output = self.master.run_command(['sssd', '--version'])
sssd_version = platform_tasks.\
parse_ipa_version(cmd_output.stdout_text.strip())
if sssd_version.version < '2.2.0':
pytest.xfail(reason="sssd 2.2.0 unavailable in F29 nightly")
username = "******" + str(random.randint(200000, 9999999))
# add ldap_deref_threshold=0 to /etc/sssd/sssd.conf
sssd_conf_backup = tasks.FileBackup(self.master, paths.SSSD_CONF)
with tasks.remote_sssd_config(self.master) as sssd_config:
sssd_config.edit_domain(
self.master.domain, 'ldap_deref_threshold', 0)
try:
self.master.run_command(['systemctl', 'restart', 'sssd.service'])
# kinit admin
tasks.kinit_admin(self.master)
# add ipa user
cmd = ['ipa', 'user-add',
'--first', username,
'--last', username,
'--password', username]
input_passwd = 'Secret123\nSecret123\n'
cmd_output = self.master.run_command(cmd, stdin_text=input_passwd)
assert 'Added user "%s"' % username in cmd_output.stdout_text
input_passwd = 'Secret123\nSecret123\nSecret123\n'
self.master.run_command(['kinit', username],
stdin_text=input_passwd)
client = paramiko.SSHClient()
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
client.connect(self.master.hostname,
username=username,
password='******')
client.close()
finally:
sssd_conf_backup.restore()
self.master.run_command(['systemctl', 'restart', 'sssd.service'])
def config_sssd_cache_auth(self, cached_auth_timeout):
sssd_conf_backup = tasks.FileBackup(self.master, paths.SSSD_CONF)
with tasks.remote_sssd_config(self.master) as sssd_conf:
sssd_conf.edit_domain(self.master.domain, 'cached_auth_timeout',
cached_auth_timeout)
sssd_conf.edit_service('pam', 'pam_verbosity', '2')
try:
tasks.clear_sssd_cache(self.master)
yield
finally:
sssd_conf_backup.restore()
tasks.clear_sssd_cache(self.master)
def sssd_config_allows_ipaapi_access_to_ifp(host):
"""Checks that the sssd configuration allows the ipaapi user to access
ifp
:param host the machine on which to check that sssd allows ipaapi
access to ifp
"""
with tasks.remote_sssd_config(host) as sssd_conf:
ifp = sssd_conf.get_service('ifp')
uids = [
uid.strip() for uid in ifp.get_option('allowed_uids').split(',')
]
assert 'ipaapi' in uids
def test_external_group_paging(self):
"""SSSD should fetch external groups without any limit.
Regression test for https://pagure.io/SSSD/sssd/issue/4058
1: Add external groups more than limit.
2: Run the command id [email protected]
3: sssd should retrieve all the external groups.
"""
new_limit = 50
master = self.master
conn = master.ldap_connect()
dn = DN(('cn', 'config'))
entry = conn.get_entry(dn)
orig_limit = entry.single_value.get('nsslapd-sizelimit')
ldap_query = textwrap.dedent("""
dn: cn=config
changetype: modify
replace: nsslapd-sizelimit
nsslapd-sizelimit: {limit}
""")
tasks.ldapmodify_dm(master, ldap_query.format(limit=new_limit))
sssd_conf_backup = tasks.FileBackup(self.master, paths.SSSD_CONF)
ldap_page_size = new_limit - 1
group_count = new_limit + 2
# default ldap_page_size is '1000', adding workaround as
# ldap_page_size < nsslapd-sizelimit in sssd.conf
# Related issue : https://pagure.io/389-ds-base/issue/50888
with tasks.remote_sssd_config(self.master) as sssd_conf:
sssd_conf.edit_domain(self.master.domain, 'ldap_page_size',
ldap_page_size)
tasks.clear_sssd_cache(master)
tasks.kinit_admin(master)
for i in range(group_count):
master.run_command(
['ipa', 'group-add', '--external', 'ext-ipatest{0}'.format(i)])
try:
log_file = '{0}/sssd_{1}.log'.format(paths.VAR_LOG_SSSD_DIR,
master.domain.name)
group_entry = b'[%d] external groups found' % group_count
logsize = tasks.get_logsize(master, log_file)
master.run_command(['id', self.users['ad']['name']])
sssd_logs = master.get_file_contents(log_file)[logsize:]
assert group_entry in sssd_logs
finally:
for i in range(group_count):
master.run_command(
['ipa', 'group-del', 'ext-ipatest{0}'.format(i)])
# reset to original limit
tasks.ldapmodify_dm(master, ldap_query.format(limit=orig_limit))
sssd_conf_backup.restore()
def install(cls, mh):
tasks.install_master(cls.master, setup_dns=True)
tasks.install_client(cls.master, cls.replicas[0])
content = cls.master.get_file_contents(paths.IPA_DEFAULT_CONF,
encoding='utf-8')
new_content = content + "\noidc_child_debug_level = 10"
cls.master.put_file_contents(paths.IPA_DEFAULT_CONF, new_content)
with tasks.remote_sssd_config(cls.master) as sssd_config:
sssd_config.edit_domain(
cls.master.domain, 'krb5_auth_timeout', 1100)
tasks.clear_sssd_cache(cls.master)
tasks.kinit_admin(cls.master)
cls.master.run_command(["ipa", "config-mod", "--user-auth-type=idp",
"--user-auth-type=password"])
xvfb = ("nohup /usr/bin/Xvfb :99 -ac -noreset -screen 0 1400x1200x8 "
"</dev/null &>/dev/null &")
cls.replicas[0].run_command(xvfb)
def test_sssd_cache_refresh(self, user_origin):
"""Check SSSD updates expired cache items for domain and its subdomains
Regression test for https://pagure.io/SSSD/sssd/issue/4012
"""
def get_cache_update_time(obj_kind, obj_name):
res = self.master.run_command(
['sssctl', '{}-show'.format(obj_kind), obj_name])
m = re.search(r'Cache entry last update time:\s+([^\n]+)',
res.stdout_text)
update_time = m.group(1).strip()
assert update_time
return update_time
# by design, sssd does first update of expired records in 30 seconds
# since start
refresh_time = 30
user = self.users[user_origin]['name']
group = self.users[user_origin]['group']
sssd_conf_backup = tasks.FileBackup(self.master, paths.SSSD_CONF)
try:
with tasks.remote_sssd_config(self.master) as sssd_conf:
sssd_conf.edit_domain(
self.master.domain, 'refresh_expired_interval', 1)
sssd_conf.edit_domain(
self.master.domain, 'entry_cache_timeout', 1)
tasks.clear_sssd_cache(self.master)
start = time.time()
self.master.run_command(['id', user])
user_update_time = get_cache_update_time('user', user)
group_update_time = get_cache_update_time('group', group)
time.sleep(start + refresh_time - time.time() + 5)
assert get_cache_update_time('user', user) != user_update_time
assert (get_cache_update_time('group', group) !=
group_update_time)
finally:
sssd_conf_backup.restore()
tasks.clear_sssd_cache(self.master)
def test_override_homedir(self):
"""POSIX attributes should not be overwritten or missing.
Regression test for bug https://pagure.io/SSSD/sssd/issue/2474
When there is IPA-AD trust with POSIX attributes,
including the home directory set in the AD LDAP and in sssd.conf
subdomain_homedir = %o is added after initgroup call home directory
should be correct and do not report in logs like,
'get_subdomain_homedir_of_user failed: * [Home directory is NULL]'
"""
tasks.backup_file(self.master, paths.SSSD_CONF)
log_file = '{0}/sssd_{1}.log'.format(paths.VAR_LOG_SSSD_DIR,
self.master.domain.name)
logsize = len(self.master.get_file_contents(log_file))
try:
testuser = '******' % self.ad_domain
with tasks.remote_sssd_config(self.master) as sssd_conf:
sssd_conf.edit_domain(self.master.domain, 'subdomain_homedir',
'%o')
tasks.clear_sssd_cache(self.master)
# The initgroups operation now uses the LDAP connection because
# the LDAP AD DS server contains the POSIX attributes
self.master.run_command(
['getent', 'initgroups', '-s', 'sss', testuser])
result = self.master.run_command(['getent', 'passwd', testuser])
assert '/home/testuser' in result.stdout_text
sssd_log2 = self.master.get_file_contents(log_file)[logsize:]
assert b'get_subdomain_homedir_of_user failed' not in sssd_log2
finally:
tasks.restore_files(self.master)
tasks.clear_sssd_cache(self.master)
def install(cls, mh):
cls.client = cls.replicas[0]
cls.replica = cls.replicas[1]
tasks.install_master(cls.master, extra_args=['--no-dnssec-validation'])
tasks.install_client(cls.master, cls.replicas[0],
extra_args=["--mkhomedir"])
tasks.install_replica(cls.master, cls.replicas[1])
for host in [cls.master, cls.replicas[0], cls.replicas[1]]:
content = host.get_file_contents(paths.IPA_DEFAULT_CONF,
encoding='utf-8')
new_content = content + "\noidc_child_debug_level = 10"
host.put_file_contents(paths.IPA_DEFAULT_CONF, new_content)
with tasks.remote_sssd_config(cls.master) as sssd_config:
sssd_config.edit_domain(
cls.master.domain, 'krb5_auth_timeout', 1100)
tasks.clear_sssd_cache(cls.master)
tasks.clear_sssd_cache(cls.replicas[0])
tasks.kinit_admin(cls.master)
cls.master.run_command(["ipa", "config-mod", "--user-auth-type=idp",
"--user-auth-type=password"])
xvfb = ("nohup /usr/bin/Xvfb :99 -ac -noreset -screen 0 1400x1200x8 "
"</dev/null &>/dev/null &")
cls.replicas[0].run_command(xvfb)
def install(cls, mh):
super(TestCertsInIDOverrides, cls).install(mh)
cls.ad = config.ad_domains[0].ads[0]
cls.ad_domain = cls.ad.domain.name
cls.aduser = "******" % cls.ad_domain
master = cls.master
# A setup for test_dbus_user_lookup
master.run_command(['dnf', 'install', '-y', 'sssd-dbus'],
raiseonerr=False)
master.run_command("sed -i 's/= 7/= 0xFFF0/' %s" % paths.SSSD_CONF,
raiseonerr=False)
with tasks.remote_sssd_config(master) as sssd_config:
try:
sssd_config.new_service('ifp')
except ServiceAlreadyExists:
pass
sssd_config.activate_service('ifp')
master.run_command(['systemctl', 'restart', 'sssd.service'])
# End of setup for test_dbus_user_lookup
# AD-related stuff
tasks.install_adtrust(master)
tasks.sync_time(master, cls.ad)
tasks.configure_dns_for_trust(master, cls.ad)
tasks.establish_trust_with_ad(
cls.master,
cls.ad_domain,
extra_args=['--range-type', 'ipa-ad-trust'])
cls.reqdir = os.path.join(master.config.test_dir, "certs")
cls.reqfile1 = os.path.join(cls.reqdir, "test1.csr")
cls.reqfile2 = os.path.join(cls.reqdir, "test2.csr")
cls.pwname = os.path.join(cls.reqdir, "pwd")
# Create a NSS database folder
master.run_command(['mkdir', cls.reqdir], raiseonerr=False)
# Create an empty password file
master.run_command(["touch", cls.pwname], raiseonerr=False)
# Initialize NSS database
tasks.run_certutil(master, ["-N", "-f", cls.pwname], cls.reqdir)
# Now generate self-signed certs for a windows user
stdin_text = string.digits + string.ascii_letters[2:] + '\n'
tasks.run_certutil(master, [
'-S', '-s',
"cn=%s,dc=ad,dc=test" % cls.adcert1, '-n', cls.adcert1, '-x', '-t',
'CT,C,C', '-v', '120', '-m', '1234'
],
cls.reqdir,
stdin=stdin_text)
tasks.run_certutil(master, [
'-S', '-s',
"cn=%s,dc=ad,dc=test" % cls.adcert2, '-n', cls.adcert2, '-x', '-t',
'CT,C,C', '-v', '120', '-m', '1234'
],
cls.reqdir,
stdin=stdin_text)
# Export the previously generated cert
res = tasks.run_certutil(master, ['-L', '-n', cls.adcert1, '-a'],
cls.reqdir)
master.put_file_contents(
os.path.join(master.config.test_dir, cls.adcert1_file),
res.stdout_text)
res = tasks.run_certutil(master, ['-L', '-n', cls.adcert2, '-a'],
cls.reqdir)
master.put_file_contents(
os.path.join(master.config.test_dir, cls.adcert2_file),
res.stdout_text)
cls.cert1_base64 = cls.master.run_command(
"openssl x509 -outform der -in %s | base64 -w 0" %
cls.adcert1_file).stdout_text
cls.cert2_base64 = cls.master.run_command(
"openssl x509 -outform der -in %s | base64 -w 0" %
cls.adcert2_file).stdout_text
cls.cert1_pem = cls.master.run_command(
"openssl x509 -in %s -outform pem" % cls.adcert1_file).stdout_text
cls.cert2_pem = cls.master.run_command(
"openssl x509 -in %s -outform pem" % cls.adcert2_file).stdout_text