def test_sssd_genconf_add_remove_section(self, multihost):
    """
    Test that --genconf-section can not only modify existing
    configuration sections, but also add a new section

    A throw-away ``[foo]`` section is written to the configuration, only
    that section is regenerated and config.ldb is searched for it. The
    section is then removed, regenerated again and must no longer show up.
    The ``pam`` and ``nss`` sections must keep ``debug_level = 9`` both
    before and after.
    """
    master = multihost.master[0]
    genconf_foo = '/usr/sbin/sssd --genconf-section=foo'
    search_foo = ('ldbsearch -H /var/lib/sss/db/config.ldb '
                  '-b cn=foo,cn=config')

    # Baseline: a restarted sssd with the expected debug levels
    master.service_sssd('restart')
    for section in ('pam', 'nss'):
        self._assert_config_value(multihost, section, 'debug_level', '9')

    # Add the section and regenerate only that section
    set_param(multihost, 'foo', 'bar', 'baz')
    master.run_command(genconf_foo)
    added = master.run_command(search_foo)
    assert 'bar: baz' in added.stdout_text

    # Drop the section again; the same regeneration must remove it
    remove_section(multihost, 'foo')
    master.run_command(genconf_foo)
    removed = master.run_command(search_foo)
    assert 'foo' not in removed.stdout_text

    # The sections that were not named on the command line stay intact
    for section in ('pam', 'nss'):
        self._assert_config_value(multihost, section, 'debug_level', '9')
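def test_kcm_payload_low_quota(self, multihost, enable_kcm):
    """
    :title: kcm: Quota enforcement
    :id: cb3daadb-c5e7-48f8-b419-11c616f0d602
    :description: Set a prohibitive quota for the per-ccache payload
     limit and make sure it gets enforced
    """
    # It is easier to keep these tests stable and independent from others
    # if they start from a clean slate
    self._remove_secret_db(multihost)

    # NOTE(review): the username/password literals are shown masked
    # ('******') in this listing; the real fixture values are not visible.
    ssh_foo3 = SSHClient(multihost.master[0].sys_hostname,
                         username='******', password='******')
    try:
        ssh_foo3.execute_cmd('kdestroy -A')
    finally:
        ssh_foo3.close()

    set_param(multihost, 'kcm', 'max_ccache_size', '1')
    self._restart_kcm(multihost)

    # We use kinit to exceed the maximum ccache size as it creates payload
    # of 1280 bytes by acquiring tgt and also some control credentials.
    # SSH authentication is not sufficient as it stores only tgt.
    ssh_foo3 = SSHClient(multihost.master[0].sys_hostname,
                         username='******', password='******')
    try:
        # NOTE(review): the principal below looks mangled by e-mail
        # obfuscation in this listing; confirm it against the real file.
        (_, _, exit_status) = ssh_foo3.execute_cmd('kinit [email protected]',
                                                   'Secret123')
    finally:
        # Close the session even when execute_cmd raises, so a failing
        # run does not leave an SSH connection open on the test host.
        ssh_foo3.close()

    # With a 1-byte ccache limit the credentials cannot be stored
    assert exit_status != 0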
def test_sssd_genconf_add_remove_section(self, multihost):
    """
    :title: config: sssd --genconf-section can not only modify
     existing configuration sections, but also add a new section
    :id: 8df66b51-aadc-456e-8f27-a1a787e61769
    """
    def check_untouched_sections():
        # pam and nss are never named on the command line in this test,
        # so their values must stay at the baseline
        self._assert_config_value(multihost, 'pam', 'debug_level', '9')
        self._assert_config_value(multihost, 'nss', 'debug_level', '9')

    def regenerate_and_search_foo():
        # Regenerate only the [foo] section, then dump what config.ldb
        # holds under cn=foo
        multihost.master[0].run_command(
            '/usr/sbin/sssd --genconf-section=foo')
        ldb_cmd = ('ldbsearch -H /var/lib/sss/db/config.ldb '
                   '-b cn=foo,cn=config')
        return multihost.master[0].run_command(ldb_cmd)

    # Establish a baseline
    multihost.master[0].service_sssd('restart')
    check_untouched_sections()

    # A section that did not exist before must appear in the database
    set_param(multihost, 'foo', 'bar', 'baz')
    cmd = regenerate_and_search_foo()
    assert 'bar: baz' in cmd.stdout_text

    # ...and disappear again once it is removed from the config file
    remove_section(multihost, 'foo')
    cmd = regenerate_and_search_foo()
    assert 'foo' not in cmd.stdout_text

    # Also make sure the existing sections were intact
    check_untouched_sections()
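def test_kcm_debug_level_set(self, multihost, enable_kcm):
    """
    :title: kcm: After kcm section with debug level set restarting
     sssd-kcm service enables kcm debugging
    :id: 31c74bfc-69d5-46bd-aef8-a5581970832e
    :description: Test that just adding a [kcm] section and restarting
     the kcm service enables debugging without having to restart the
     whole sssd
    """
    # Start from a known-good state where the configuration is refreshed
    # by the monitor and logging is completely disabled
    multihost.master[0].service_sssd('stop')
    self._stop_kcm(multihost)
    self._remove_kcm_log_file(multihost)
    set_param(multihost, 'kcm', 'debug_level', '0')
    multihost.master[0].service_sssd('start')
    self._start_kcm(multihost)

    log_lines_pre = self._kcm_log_length(multihost)

    # Debugging is disabled: log in, touch the ccache and make sure that
    # no debug messages were produced.
    # NOTE(review): the original comment says "kinit", but the command
    # actually run in the session is kdestroy.
    try:
        ssh = SSHClient(multihost.master[0].sys_hostname,
                        username='******', password='******')
    except paramiko.ssh_exception.AuthenticationException:
        pytest.fail("Authentication Failed as user %s" % ('foo3'))
    else:
        try:
            ssh.execute_cmd('kdestroy')
        finally:
            # Always release the session, even if the command raises
            ssh.close()

    log_lines_nodebug = self._kcm_log_length(multihost)
    assert log_lines_nodebug == log_lines_pre

    # Enable debugging, restart only the kcm service, make sure some
    # debug messages were produced
    set_param(multihost, 'kcm', 'debug_level', '9')
    self._restart_kcm(multihost)

    try:
        ssh = SSHClient(multihost.master[0].sys_hostname,
                        username='******', password='******')
    except paramiko.ssh_exception.AuthenticationException:
        pytest.fail("Authentication Failed as user %s" % ('foo3'))
    else:
        try:
            ssh.execute_cmd('kdestroy')
        finally:
            ssh.close()

    log_lines_debug = self._kcm_log_length(multihost)
    # The margin of 100 lines separates real debug output from the few
    # lines a restart may log on its own
    assert log_lines_debug > log_lines_pre + 100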
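def test_sssd_genconf_sssd_running(self, multihost):
    """
    Test that sssd --genconf is able to re-generate the configuration
    even while SSSD is running.
    """
    multihost.master[0].service_sssd('restart')

    self._assert_config_value(multihost, 'pam', 'debug_level', '9')

    set_param(multihost, 'pam', 'debug_level', '1')
    try:
        # sssd stays up; only the configuration database is regenerated
        multihost.master[0].run_command('/usr/sbin/sssd --genconf')
        self._assert_config_value(multihost, 'pam', 'debug_level', '1')
    finally:
        # Put the baseline value back even when the check above fails,
        # so a failure here does not change what later tests start from
        set_param(multihost, 'pam', 'debug_level', '9')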
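def test_kcm_debug_level_set(self, multihost, enable_kcm):
    """
    @Title: kcm: After kcm section with debug level set restarting
    sssd-kcm service enables kcm debugging

    @Description: Test that just adding a [kcm] section and restarting
    the kcm service enables debugging without having to restart the
    whole sssd
    """
    def login_and_kdestroy():
        # Open an SSH session as the test user, run kdestroy in it and
        # always close the session again, even if the command raises.
        try:
            ssh = SSHClient(multihost.master[0].sys_hostname,
                            username='******', password='******')
        except paramiko.ssh_exception.AuthenticationException:
            pytest.fail("Authentication Failed as user %s" % ('foo3'))
        else:
            try:
                ssh.execute_cmd('kdestroy')
            finally:
                ssh.close()

    # Start from a known-good state where the configuration is refreshed
    # by the monitor and logging is completely disabled
    multihost.master[0].service_sssd('stop')
    self._stop_kcm(multihost)
    self._remove_kcm_log_file(multihost)
    set_param(multihost, 'kcm', 'debug_level', '0')
    multihost.master[0].service_sssd('start')
    self._start_kcm(multihost)

    log_lines_pre = self._kcm_log_length(multihost)

    # Debugging is disabled: use the ccache once and make sure that no
    # debug messages were produced
    login_and_kdestroy()
    log_lines_nodebug = self._kcm_log_length(multihost)
    assert log_lines_nodebug == log_lines_pre

    # Enable debugging, restart only the kcm service, make sure some
    # debug messages were produced
    set_param(multihost, 'kcm', 'debug_level', '9')
    self._restart_kcm(multihost)

    login_and_kdestroy()
    log_lines_debug = self._kcm_log_length(multihost)
    assert log_lines_debug > log_lines_pre + 100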
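def test_sssd_genconf_sssd_running(self, multihost):
    """
    :title: config: sssd --genconf is able to re-generate the
     configuration even while SSSD is running
    :id: 078721e9-536b-4fd8-a36d-bd94673228fc
    """
    master = multihost.master[0]
    master.service_sssd('restart')

    # Baseline value before the config file is edited
    self._assert_config_value(multihost, 'pam', 'debug_level', '9')

    set_param(multihost, 'pam', 'debug_level', '1')
    try:
        master.run_command('/usr/sbin/sssd --genconf')
        # The regenerated database must reflect the edited file
        self._assert_config_value(multihost, 'pam', 'debug_level', '1')
    finally:
        # Restore the baseline in every case; without this a failed
        # assertion would leave debug_level at 1 for the following tests
        set_param(multihost, 'pam', 'debug_level', '9')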
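def test_kcm_peruid_quota_increase(self, multihost, enable_kcm,
                                   create_many_user_principals):
    """
    @Title: kcm: Quota increase

    Increasing the peruid quota allows a client to store more data
    """
    # It is easier to keep these tests stable and independent from others
    # if they start from a clean slate
    self._remove_secret_db(multihost)

    # NOTE(review): the username/password literals are shown masked
    # ('******') in this listing; the real fixture values are not visible.
    ssh_foo3 = SSHClient(multihost.master[0].sys_hostname,
                         username='******', password='******')
    try:
        # The loop would request 63 users, plus there is foo3 we
        # authenticated earlier, so this should exactly deplete the
        # quota, but should succeed
        for i in range(1, 64):
            # NOTE(review): this format string is masked in the listing
            # and, as shown, has no conversion specifier. 'kinit user0064'
            # below suggests a zero-padded user name; confirm against the
            # real file.
            username = "******" % i
            (_, _, exit_status) = ssh_foo3.execute_cmd(
                'kinit %s' % username, stdin='Secret123')
            assert exit_status == 0

        # this kinit should be exactly one over the peruid limit
        (_, _, exit_status) = ssh_foo3.execute_cmd('kinit user0064',
                                                   stdin='Secret123')
        assert exit_status != 0

        set_param(multihost, 'kcm', 'max_uid_ccaches', '65')
        self._restart_kcm(multihost)

        # Now the kinit should work as we increased the limit
        (_, _, exit_status) = ssh_foo3.execute_cmd('kinit user0064',
                                                   stdin='Secret123')
        assert exit_status == 0
    finally:
        # Drop the credential caches and close the session even when an
        # assertion above fails, so a failing run does not leave the
        # user's quota depleted or a connection open.
        try:
            ssh_foo3.execute_cmd('kdestroy -A')
        finally:
            ssh_foo3.close()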
def test_kcm_payload_low_quota(self, multihost, enable_kcm):
    """
    @Title: kcm: Quota enforcement

    Set a prohibitive quota for the per-ccache payload limit and make
    sure it gets enforced
    """
    host = multihost.master[0].sys_hostname

    # Starting from an empty secrets database keeps this test stable and
    # independent from the others
    self._remove_secret_db(multihost)

    # Clear every existing credential cache of the test user
    cleanup_session = SSHClient(host, username='******', password='******')
    cleanup_session.execute_cmd('kdestroy -A')
    cleanup_session.close()

    # Shrink the per-ccache payload limit and have kcm pick it up
    set_param(multihost, 'kcm', 'max_ccache_size', '1')
    self._restart_kcm(multihost)

    # The login itself is expected to be rejected under this limit
    with pytest.raises(paramiko.ssh_exception.AuthenticationException):
        SSHClient(host, username='******', password='******')
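def test_sssd_genconf_section_only(self, multihost):
    """
    Test that --genconf-section only refreshes those sections given
    on the command line
    """
    multihost.master[0].service_sssd('restart')

    self._assert_config_value(multihost, 'pam', 'debug_level', '9')
    self._assert_config_value(multihost, 'nss', 'debug_level', '9')

    set_param(multihost, 'pam', 'debug_level', '1')
    set_param(multihost, 'nss', 'debug_level', '1')
    try:
        multihost.master[0].run_command(
            '/usr/sbin/sssd --genconf-section=pam')

        # We only told genconf to touch the pam section..
        self._assert_config_value(multihost, 'pam', 'debug_level', '1')
        # ..so the NSS section shouldn't be updated at all
        self._assert_config_value(multihost, 'nss', 'debug_level', '9')
    finally:
        # Restore both sections even when a check above fails, so the
        # edited config file does not leak into the following tests
        set_param(multihost, 'nss', 'debug_level', '9')
        set_param(multihost, 'pam', 'debug_level', '9')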
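def test_sssd_genconf_section_only(self, multihost):
    """
    Test that --genconf-section only refreshes those sections given
    on the command line
    """
    master = multihost.master[0]
    master.service_sssd('restart')

    # Both sections start at the baseline debug level
    for section in ('pam', 'nss'):
        self._assert_config_value(multihost, section, 'debug_level', '9')

    # Edit both sections in the file, but regenerate only one of them
    for section in ('pam', 'nss'):
        set_param(multihost, section, 'debug_level', '1')
    try:
        master.run_command('/usr/sbin/sssd --genconf-section=pam')

        # We only told genconf to touch the pam section..
        self._assert_config_value(multihost, 'pam', 'debug_level', '1')
        # ..so the NSS section shouldn't be updated at all
        self._assert_config_value(multihost, 'nss', 'debug_level', '9')
    finally:
        # Put the file back in every case; a failed assertion must not
        # leave debug_level at 1 for whatever runs next
        set_param(multihost, 'nss', 'debug_level', '9')
        set_param(multihost, 'pam', 'debug_level', '9')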