def test_ldap_auto_private_groups_direct_no_gid(ldap_conn, mpg_setup_no_gid):
"""
Integration test for auto_private_groups - test that even a user with
no GID assigned at all can be resolved including their autogenerated
primary group.
See also ticket https://pagure.io/SSSD/sssd/issue/1872
"""
# Make sure the user's GID is taken from their uidNumber
ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001, gid=1001))
# Make sure the private group is resolvable by name and by GID
ent.assert_group_by_name("user1", dict(gid=1001, mem=ent.contains_only()))
ent.assert_group_by_gid(1001, dict(name="user1", mem=ent.contains_only()))
# The group referenced in user's gidNumber attribute should be still
# visible, but shouldn't have any relation to the user
ent.assert_group_by_name("group1", dict(gid=2001, mem=ent.contains_only()))
ent.assert_group_by_gid(2001, dict(name="group1", mem=ent.contains_only()))
# The user's secondary groups list must be correct as well. This time only
# the generated group and the explicit secondary group are added, since
# there is no original GID
user1_expected_gids = [1001, 2015]
(res, errno, gids) = sssd_id.call_sssd_initgroups("user1", 1001)
assert res == sssd_id.NssReturnCode.SUCCESS
assert sorted(gids) == sorted(user1_expected_gids), \
"result: %s\n expected %s" % (
", ".join(["%s" % s for s in sorted(gids)]),
", ".join(["%s" % s for s in sorted(user1_expected_gids)])
)
def run_simple_test_with_initgroups():
ent.assert_passwd_by_name(
'user1',
dict(name='user1', passwd='*', uid=1001, gid=2001,
gecos='1001', shell='/bin/bash'))
ent.assert_passwd_by_uid(
1001,
dict(name='user1', passwd='*', uid=1001, gid=2001,
gecos='1001', shell='/bin/bash'))
ent.assert_group_by_name(
"group1",
dict(mem=ent.contains_only("user1", "user11", "user21")))
ent.assert_group_by_gid(
2001,
dict(mem=ent.contains_only("user1", "user11", "user21")))
# unrelated group to user1
ent.assert_group_by_name(
"group2",
dict(mem=ent.contains_only("user2", "user12", "user22")))
ent.assert_group_by_gid(
2002,
dict(mem=ent.contains_only("user2", "user12", "user22")))
assert_initgroups_equal("user1", 2001, [2000, 2001])
def test_ldap_auto_private_groups_conflict(ldap_conn, mpg_setup_conflict):
"""
Make sure that conflicts between groups that are auto-created with the
help of the auto_private_groups option and between 'real' LDAP groups
are handled in a predictable manner.
"""
# Make sure the user's GID is taken from their uidNumber
ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001, gid=1001))
# Make sure the private group is resolvable by name and by GID
ent.assert_group_by_name("user1", dict(gid=1001, mem=ent.contains_only()))
ent.assert_group_by_gid(1001, dict(name="user1", mem=ent.contains_only()))
# Let's request the group with the same ID as user2's private group
# The request should match the 'real' group
ent.assert_group_by_gid(1002, dict(name="group2", mem=ent.contains_only()))
# But because of the GID conflict, the user cannot be resolved
with pytest.raises(KeyError):
pwd.getpwnam("user2")
# This user's GID is the same as the UID in this entry. The most important
# thing here is that the supplementary groups are correct and the GID
# resolves to the private group (as long as the user was requested first)
user3_expected_gids = [1003, 2015]
ent.assert_passwd_by_name("user3", dict(name="user3", uid=1003, gid=1003))
(res, errno, gids) = sssd_id.call_sssd_initgroups("user3", 1003)
assert res == sssd_id.NssReturnCode.SUCCESS
assert sorted(gids) == sorted(user3_expected_gids), \
"result: %s\n expected %s" % (
", ".join(["%s" % s for s in sorted(gids)]),
", ".join(["%s" % s for s in sorted(user3_expected_gids)])
)
# Make sure the private group is resolvable by name and by GID
ent.assert_group_by_gid(1003, dict(name="user3", mem=ent.contains_only()))
ent.assert_group_by_name("user3", dict(gid=1003, mem=ent.contains_only()))
def test_add_remove_membership_rfc2307_bis(ldap_conn, user_and_groups_rfc2307_bis):
"""
Test user and group membership addition and removal are reflected by SSSD,
with RFC2307bis schema
"""
time.sleep(INTERACTIVE_TIMEOUT / 2)
# Add user to group1
ent.assert_group_by_name("group1", dict(mem=ent.contains_only()))
ldap_conn.modify_s(
"cn=group1,ou=Groups," + ldap_conn.ds_inst.base_dn,
[(ldap.MOD_REPLACE, "member", "uid=user,ou=Users," + ldap_conn.ds_inst.base_dn)],
)
time.sleep(INTERACTIVE_TIMEOUT)
ent.assert_group_by_name("group1", dict(mem=ent.contains_only("user")))
# Add group1 to group2
ldap_conn.modify_s(
"cn=group2,ou=Groups," + ldap_conn.ds_inst.base_dn,
[(ldap.MOD_REPLACE, "member", "cn=group1,ou=Groups," + ldap_conn.ds_inst.base_dn)],
)
time.sleep(INTERACTIVE_TIMEOUT)
ent.assert_group_by_name("group2", dict(mem=ent.contains_only("user")))
# Remove group1 from group2
ldap_conn.modify_s("cn=group2,ou=Groups," + ldap_conn.ds_inst.base_dn, [(ldap.MOD_DELETE, "member", None)])
time.sleep(INTERACTIVE_TIMEOUT)
ent.assert_group_by_name("group2", dict(mem=ent.contains_only()))
# Remove user from group1
ldap_conn.modify_s("cn=group1,ou=Groups," + ldap_conn.ds_inst.base_dn, [(ldap.MOD_DELETE, "member", None)])
time.sleep(INTERACTIVE_TIMEOUT)
ent.assert_group_by_name("group1", dict(mem=ent.contains_only()))
def run_simple_test_with_initgroups():
ent.assert_passwd_by_name(
'user1',
dict(name='user1',
passwd='*',
uid=1001,
gid=2001,
gecos='1001',
shell='/bin/bash'))
ent.assert_passwd_by_uid(
1001,
dict(name='user1',
passwd='*',
uid=1001,
gid=2001,
gecos='1001',
shell='/bin/bash'))
ent.assert_group_by_name(
"group1", dict(mem=ent.contains_only("user1", "user11", "user21")))
ent.assert_group_by_gid(
2001, dict(mem=ent.contains_only("user1", "user11", "user21")))
# unrelated group to user1
ent.assert_group_by_name(
"group2", dict(mem=ent.contains_only("user2", "user12", "user22")))
ent.assert_group_by_gid(
2002, dict(mem=ent.contains_only("user2", "user12", "user22")))
assert_initgroups_equal("user1", 2001, [2000, 2001])
def assert_mc_records_for_user1():
ent.assert_passwd_by_name(
'user1',
dict(name='user1',
passwd='*',
uid=1001,
gid=2001,
gecos='1001',
shell='/bin/bash'))
ent.assert_passwd_by_uid(
1001,
dict(name='user1',
passwd='*',
uid=1001,
gid=2001,
gecos='1001',
shell='/bin/bash'))
ent.assert_group_by_name(
"group1", dict(mem=ent.contains_only("user1", "user11", "user21")))
ent.assert_group_by_gid(
2001, dict(mem=ent.contains_only("user1", "user11", "user21")))
ent.assert_group_by_name(
"group0x", dict(mem=ent.contains_only("user1", "user2", "user3")))
ent.assert_group_by_gid(
2000, dict(mem=ent.contains_only("user1", "user2", "user3")))
assert_initgroups_equal("user1", 2001, [2000, 2001])
def test_sanity_rfc2307(ldap_conn, sanity_rfc2307):
passwd_pattern = expected_list_to_name_dict([
dict(name='user1', passwd='*', uid=1001, gid=2001, gecos='1001',
dir='/home/user1', shell='/bin/bash'),
dict(name='user2', passwd='*', uid=1002, gid=2002, gecos='1002',
dir='/home/user2', shell='/bin/bash'),
dict(name='user3', passwd='*', uid=1003, gid=2003, gecos='1003',
dir='/home/user3', shell='/bin/bash')
])
ent.assert_each_passwd_by_name(passwd_pattern)
group_pattern = expected_list_to_name_dict([
dict(name='group1', passwd='*', gid=2001, mem=ent.contains_only()),
dict(name='group2', passwd='*', gid=2002, mem=ent.contains_only()),
dict(name='group3', passwd='*', gid=2003, mem=ent.contains_only()),
dict(name='empty_group', passwd='*', gid=2010,
mem=ent.contains_only()),
dict(name='two_user_group', passwd='*', gid=2012,
mem=ent.contains_only("user1", "user2"))
])
ent.assert_each_group_by_name(group_pattern)
with pytest.raises(KeyError):
pwd.getpwnam("non_existent_user")
with pytest.raises(KeyError):
pwd.getpwuid(1)
with pytest.raises(KeyError):
grp.getgrnam("non_existent_group")
with pytest.raises(KeyError):
grp.getgrgid(1)
def test_nss_filters_cached(ldap_conn, sanity_nss_filter_cached):
passwd_pattern = expected_list_to_name_dict([
dict(name='user1', passwd='*', uid=1001, gid=2001, gecos='1001',
dir='/home/user1', shell='/bin/bash'),
dict(name='user3', passwd='*', uid=1003, gid=2003, gecos='1003',
dir='/home/user3', shell='/bin/bash')
])
ent.assert_each_passwd_by_name(passwd_pattern)
# test filtered user
with pytest.raises(KeyError):
pwd.getpwuid(1002)
time.sleep(2)
with pytest.raises(KeyError):
pwd.getpwuid(1002)
group_pattern = expected_list_to_name_dict([
dict(name='group1', passwd='*', gid=2001, mem=ent.contains_only()),
dict(name='group3', passwd='*', gid=2003, mem=ent.contains_only()),
])
ent.assert_each_group_by_name(group_pattern)
# test filtered group
with pytest.raises(KeyError):
grp.getgrgid(2002)
time.sleep(2)
with pytest.raises(KeyError):
grp.getgrgid(2002)
def test_sanity_rfc2307(ldap_conn, sanity_rfc2307):
passwd_pattern = expected_list_to_name_dict([
dict(name='user1', passwd='*', uid=1001, gid=2001, gecos='1001',
dir='/home/user1', shell='/bin/bash'),
dict(name='user2', passwd='*', uid=1002, gid=2002, gecos='1002',
dir='/home/user2', shell='/bin/bash'),
dict(name='user3', passwd='*', uid=1003, gid=2003, gecos='1003',
dir='/home/user3', shell='/bin/bash')
])
ent.assert_each_passwd_by_name(passwd_pattern)
group_pattern = expected_list_to_name_dict([
dict(name='group1', passwd='*', gid=2001, mem=ent.contains_only()),
dict(name='group2', passwd='*', gid=2002, mem=ent.contains_only()),
dict(name='group3', passwd='*', gid=2003, mem=ent.contains_only()),
dict(name='empty_group', passwd='*', gid=2010,
mem=ent.contains_only()),
dict(name='two_user_group', passwd='*', gid=2012,
mem=ent.contains_only("user1", "user2"))
])
ent.assert_each_group_by_name(group_pattern)
with pytest.raises(KeyError):
pwd.getpwnam("non_existent_user")
with pytest.raises(KeyError):
pwd.getpwuid(1)
with pytest.raises(KeyError):
grp.getgrnam("non_existent_group")
with pytest.raises(KeyError):
grp.getgrgid(1)
def test_assert_passwd_list(users_and_groups):
ent.assert_passwd_list(ent.contains())
ent.assert_passwd_list(ent.contains(USER1))
ent.assert_passwd_list(ent.contains_only(*USER_LIST))
try:
ent.assert_passwd_list(ent.contains_only())
assert False
except AssertionError, e:
assert not re.search("expected users not found:", str(e))
assert re.search("unexpected users found:", str(e))
def test_assert_group_list(users_and_groups):
ent.assert_group_list(ent.contains())
ent.assert_group_list(ent.contains(GROUP1))
ent.assert_group_list(ent.contains_only(*GROUP_LIST))
try:
ent.assert_group_list(ent.contains_only())
assert False
except AssertionError, e:
assert not re.search("expected groups not found:", str(e))
assert re.search("unexpected groups found:", str(e))
def test_assert_passwd_list(users_and_groups):
ent.assert_passwd_list(ent.contains())
ent.assert_passwd_list(ent.contains(USER1))
ent.assert_passwd_list(ent.contains_only(*USER_LIST))
try:
ent.assert_passwd_list(ent.contains_only())
assert False
except AssertionError, e:
assert not re.search("expected users not found:", str(e))
assert re.search("unexpected users found:", str(e))
def test_assert_group_list(users_and_groups):
ent.assert_group_list(ent.contains())
ent.assert_group_list(ent.contains(GROUP1))
ent.assert_group_list(ent.contains_only(*GROUP_LIST))
try:
ent.assert_group_list(ent.contains_only())
assert False
except AssertionError, e:
assert not re.search("expected groups not found:", str(e))
assert re.search("unexpected groups found:", str(e))
def test_add_remove_membership_rfc2307(ldap_conn, user_and_group_rfc2307):
"""Test user membership addition and removal are reflected by SSSD"""
time.sleep(INTERACTIVE_TIMEOUT / 2)
# Add user to group
ent.assert_group_by_name("group", dict(mem=ent.contains_only()))
ldap_conn.modify_s("cn=group,ou=Groups," + ldap_conn.ds_inst.base_dn, [(ldap.MOD_REPLACE, "memberUid", "user")])
time.sleep(INTERACTIVE_TIMEOUT)
ent.assert_group_by_name("group", dict(mem=ent.contains_only("user")))
# Remove user from group
ldap_conn.modify_s("cn=group,ou=Groups," + ldap_conn.ds_inst.base_dn, [(ldap.MOD_DELETE, "memberUid", None)])
time.sleep(INTERACTIVE_TIMEOUT)
ent.assert_group_by_name("group", dict(mem=ent.contains_only()))
def test_remove_user_from_nested_group(ldap_conn,
remove_user_from_nested_group):
group3_dn = 'cn=group3,ou=Groups,' + ldap_conn.ds_inst.base_dn
ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001, gid=2001))
ent.assert_passwd_by_name("user2", dict(name="user2", uid=1002, gid=2002))
ent.assert_group_by_name("group1",
dict(mem=ent.contains_only("user1")))
ent.assert_group_by_name("group2",
dict(mem=ent.contains_only("user2")))
ent.assert_group_by_name("group3",
dict(mem=ent.contains_only("user1",
"user2")))
# removing of group2 from group3
old = {'member': [b"cn=group1,ou=Groups,dc=example,dc=com",
b"cn=group2,ou=Groups,dc=example,dc=com"]}
new = {'member': [b"cn=group1,ou=Groups,dc=example,dc=com"]}
ldif = ldap.modlist.modifyModlist(old, new)
ldap_conn.modify_s(group3_dn, ldif)
if subprocess.call(["sss_cache", "-GU"]) != 0:
raise Exception("sssd_cache failed")
ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001, gid=2001))
ent.assert_passwd_by_name("user2", dict(name="user2", uid=1002, gid=2002))
ent.assert_group_by_name("group1",
dict(mem=ent.contains_only("user1")))
ent.assert_group_by_name("group2",
dict(mem=ent.contains_only("user2")))
ent.assert_group_by_name("group3",
dict(mem=ent.contains_only("user1")))
# removing of group1 from group3
old = {'member': [b"cn=group1,ou=Groups,dc=example,dc=com"]}
new = {'member': []}
ldif = ldap.modlist.modifyModlist(old, new)
ldap_conn.modify_s(group3_dn, ldif)
if subprocess.call(["sss_cache", "-GU"]) != 0:
raise Exception("sssd_cache failed")
ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001, gid=2001))
ent.assert_passwd_by_name("user2", dict(name="user2", uid=1002, gid=2002))
ent.assert_group_by_name("group1",
dict(mem=ent.contains_only("user1")))
ent.assert_group_by_name("group2",
dict(mem=ent.contains_only("user2")))
ent.assert_group_by_name("group3",
dict(mem=ent.contains_only()))
def test_nss_filters_cached(ldap_conn, sanity_nss_filter_cached):
passwd_pattern = expected_list_to_name_dict([
dict(name='user1',
passwd='*',
uid=1001,
gid=2001,
gecos='1001',
dir='/home/user1',
shell='/bin/bash'),
dict(name='user3',
passwd='*',
uid=1003,
gid=2003,
gecos='1003',
dir='/home/user3',
shell='/bin/bash')
])
ent.assert_each_passwd_by_name(passwd_pattern)
# test filtered user
with pytest.raises(KeyError):
pwd.getpwuid(1002)
time.sleep(2)
with pytest.raises(KeyError):
pwd.getpwuid(1002)
group_pattern = expected_list_to_name_dict([
dict(name='group1', passwd='*', gid=2001, mem=ent.contains_only()),
dict(name='group3', passwd='*', gid=2003, mem=ent.contains_only()),
])
ent.assert_each_group_by_name(group_pattern)
# test filtered group
with pytest.raises(KeyError):
grp.getgrgid(2002)
time.sleep(2)
with pytest.raises(KeyError):
grp.getgrgid(2002)
# test that root is always filtered even if filter_users contains other
# entries. This is a regression test for upstream ticket #3460
res, _ = call_sssd_getpwnam("root")
assert res == NssReturnCode.NOTFOUND
res, _ = call_sssd_getgrnam("root")
assert res == NssReturnCode.NOTFOUND
res, _ = call_sssd_getpwuid(0)
assert res == NssReturnCode.NOTFOUND
res, _ = call_sssd_getgrgid(0)
assert res == NssReturnCode.NOTFOUND
def test_remove_user_from_nested_group(ldap_conn,
remove_user_from_nested_group):
group3_dn = 'cn=group3,ou=Groups,' + ldap_conn.ds_inst.base_dn
ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001, gid=2001))
ent.assert_passwd_by_name("user2", dict(name="user2", uid=1002, gid=2002))
ent.assert_group_by_name("group1",
dict(mem=ent.contains_only("user1")))
ent.assert_group_by_name("group2",
dict(mem=ent.contains_only("user2")))
ent.assert_group_by_name("group3",
dict(mem=ent.contains_only("user1",
"user2")))
# removing of group2 from group3
old = {'member': ["cn=group1,ou=Groups,dc=example,dc=com",
"cn=group2,ou=Groups,dc=example,dc=com"]}
new = {'member': ["cn=group1,ou=Groups,dc=example,dc=com"]}
ldif = ldap.modlist.modifyModlist(old, new)
ldap_conn.modify_s(group3_dn, ldif)
if subprocess.call(["sss_cache", "-GU"]) != 0:
raise Exception("sssd_cache failed")
ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001, gid=2001))
ent.assert_passwd_by_name("user2", dict(name="user2", uid=1002, gid=2002))
ent.assert_group_by_name("group1",
dict(mem=ent.contains_only("user1")))
ent.assert_group_by_name("group2",
dict(mem=ent.contains_only("user2")))
ent.assert_group_by_name("group3",
dict(mem=ent.contains_only("user1")))
# removing of group1 from group3
old = {'member': ["cn=group1,ou=Groups,dc=example,dc=com"]}
new = {'member': []}
ldif = ldap.modlist.modifyModlist(old, new)
ldap_conn.modify_s(group3_dn, ldif)
if subprocess.call(["sss_cache", "-GU"]) != 0:
raise Exception("sssd_cache failed")
ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001, gid=2001))
ent.assert_passwd_by_name("user2", dict(name="user2", uid=1002, gid=2002))
ent.assert_group_by_name("group1",
dict(mem=ent.contains_only("user1")))
ent.assert_group_by_name("group2",
dict(mem=ent.contains_only("user2")))
ent.assert_group_by_name("group3",
dict(mem=ent.contains_only()))
def test_add_remove_group_rfc2307_bis(ldap_conn, blank_rfc2307_bis):
"""Test RFC2307bis group addition and removal are reflected by SSSD"""
e = ldap_ent.group_bis(ldap_conn.ds_inst.base_dn, "group", 2001)
time.sleep(INTERACTIVE_TIMEOUT / 2)
# Add the group
ent.assert_group(ent.contains_only())
ldap_conn.add_s(*e)
time.sleep(INTERACTIVE_TIMEOUT)
ent.assert_group(ent.contains_only(dict(name="group", gid=2001)))
# Remove the group
ldap_conn.delete_s(e[0])
time.sleep(INTERACTIVE_TIMEOUT)
ent.assert_group(ent.contains_only())
def test_add_remove_user(ldap_conn, blank_rfc2307):
"""Test user addition and removal are reflected by SSSD"""
e = ldap_ent.user(ldap_conn.ds_inst.base_dn, "user", 2001, 2000)
time.sleep(INTERACTIVE_TIMEOUT / 2)
# Add the user
ent.assert_passwd(ent.contains_only())
ldap_conn.add_s(*e)
time.sleep(INTERACTIVE_TIMEOUT)
ent.assert_passwd(ent.contains_only(dict(name="user", uid=2001)))
# Remove the user
ldap_conn.delete_s(e[0])
time.sleep(INTERACTIVE_TIMEOUT)
ent.assert_passwd(ent.contains_only())
def test_root_group_override(ldap_conn, env_root_group_override):
"""Test entries are overriden"""
group = dict(gid=2001, mem=ent.contains_only("user1", "user2"))
empty_group = dict(gid=2002, mem=ent.contains_only())
ent.assert_group_by_name("group", group)
ent.assert_group_by_name("ov_group", group)
ent.assert_group_by_name("group@LDAP", group)
ent.assert_group_by_name("ov_group@LDAP", group)
ent.assert_group_by_name("empty_group", empty_group)
ent.assert_group_by_name("ov_empty_group", empty_group)
ent.assert_group_by_name("empty_group@LDAP", empty_group)
ent.assert_group_by_name("ov_empty_group@LDAP", empty_group)
def assert_group_overriden():
# Assert entries are overridden
empty_group = dict(gid=3002, mem=ent.contains_only())
group = dict(gid=3001, mem=ent.contains_only("user1", "user2"))
ent.assert_group_by_name("group", group)
ent.assert_group_by_name("group@LDAP", group)
ent.assert_group_by_name("ov_group", group)
ent.assert_group_by_name("ov_group@LDAP", group)
ent.assert_group_by_name("empty_group", empty_group)
ent.assert_group_by_name("empty_group@LDAP", empty_group)
ent.assert_group_by_name("ov_empty_group", empty_group)
ent.assert_group_by_name("ov_empty_group@LDAP", empty_group)
def assert_group_overriden():
# Assert entries are overridden
empty_group = dict(gid=3002, mem=ent.contains_only())
group = dict(gid=3001, mem=ent.contains_only("user1", "user2"))
ent.assert_group_by_name("group", group)
ent.assert_group_by_name("group@LDAP", group)
ent.assert_group_by_name("ov_group", group)
ent.assert_group_by_name("ov_group@LDAP", group)
ent.assert_group_by_name("empty_group", empty_group)
ent.assert_group_by_name("empty_group@LDAP", empty_group)
ent.assert_group_by_name("ov_empty_group", empty_group)
ent.assert_group_by_name("ov_empty_group@LDAP", empty_group)
def test_override_shell(override_shell):
"""Test the effect of the "override_shell" option"""
ent.assert_passwd(
ent.contains_only(
dict(name="user_with_shell_A", uid=1001, shell="/bin/B"),
dict(name="user_with_shell_B", uid=1002, shell="/bin/B"),
dict(name="user_with_empty_shell", uid=1003, shell="/bin/B")))
def test_group_2307_update_same_attrs(ldap_conn,
ldb_examine,
setup_rfc2307):
"""
Test that a group update with a different modifyTimestamp but the same
attrs does not trigger sysdb cache update
"""
ldb_conn = ldb_examine
old_sysdb_attrs, old_ts_attrs = prime_cache_group(
ldb_conn, "group1",
("user1", "user11", "user21"))
# modify an argument we don't save to the cache. This will bump the
# modifyTimestamp attribute, but the attributes themselves will be the same
# from sssd's point of view
ldap_conn.modify_s("cn=group1,ou=Groups," + ldap_conn.ds_inst.base_dn,
[(ldap.MOD_ADD, "description", "group one")])
# wait for slapd to change its database
time.sleep(1)
ent.assert_group_by_name(
"group1",
dict(mem=ent.contains_only("user1", "user11", "user21")))
sysdb_attrs, ts_attrs = get_group_attrs(ldb_conn, "group1",
SSSD_DOMAIN, TS_ATTRLIST)
assert_same_attrval(sysdb_attrs, old_sysdb_attrs, "dataExpireTimestamp")
assert_same_attrval(sysdb_attrs, old_sysdb_attrs,
"originalModifyTimestamp")
assert_diff_attrval(ts_attrs, old_ts_attrs, "dataExpireTimestamp")
assert_diff_attrval(ts_attrs, old_ts_attrs, "originalModifyTimestamp")
def test_group_2307_update_diff_attrs(ldap_conn,
ldb_examine,
setup_rfc2307):
"""
Test that a group update with different attribute triggers cache update
"""
ldb_conn = ldb_examine
old_sysdb_attrs, old_ts_attrs = prime_cache_group(
ldb_conn, "group1",
("user1", "user11", "user21"))
ldap_conn.modify_s("cn=group1,ou=Groups," + ldap_conn.ds_inst.base_dn,
[(ldap.MOD_DELETE, "memberUid", "user1")])
# wait for slapd to change its database
time.sleep(1)
ent.assert_group_by_name(
"group1",
dict(mem=ent.contains_only("user11", "user21")))
sysdb_attrs, ts_attrs = get_group_attrs(ldb_conn, "group1",
SSSD_DOMAIN, TS_ATTRLIST)
assert_diff_attrval(sysdb_attrs, old_sysdb_attrs, "dataExpireTimestamp")
assert_diff_attrval(sysdb_attrs, old_sysdb_attrs,
"originalModifyTimestamp")
assert_diff_attrval(ts_attrs, old_ts_attrs, "dataExpireTimestamp")
assert_diff_attrval(ts_attrs, old_ts_attrs, "originalModifyTimestamp")
def test_group_show_basic_sanity(ldap_conn, sanity_rfc2307, portable_LC_ALL):
# Fill the cache first
ent.assert_group_by_name("group1", dict(mem=ent.contains_only("user1")))
ent.assert_group_by_name("CamelCaseGroup1",
dict(mem=ent.contains_only("CamelCaseUser1")))
output = get_call_output(["sssctl", "group-show", "group1"])
assert output.find("Name: group1") != -1
assert output.find("Cached in InfoPipe: No") != -1
output = get_call_output(["sssctl", "group-show", "CamelCaseGroup1"])
assert output.find("Name: CamelCaseGroup1") != -1
assert output.find("Cached in InfoPipe: No") != -1
output = get_call_output(["sssctl", "group-show", "camelcasegroup1"])
assert output.find("Group camelcasegroup1 is not present in cache.") != -1
def test_fallback_homedir(fallback_homedir):
"""Test the effect of the "fallback_homedir" option"""
ent.assert_passwd(
ent.contains_only(
dict(name="user_with_homedir_A", uid=1001, dir="/home/A"),
dict(name="user_with_homedir_B", uid=1002, dir="/home/B"),
dict(name="user_with_empty_homedir", uid=1003, dir="/home/B")))
def test_zero_nesting_level(ldap_conn, rfc2307bis_no_nesting):
"""
Test initgroups operation with rfc2307bis schema asserting
only primary group and parent groups are included in group
list. No parent groups of groups should be returned with zero
group nesting level.
"""
ent.assert_group_by_name("parentgroup",
dict(mem=ent.contains_only("user1")))
ent.assert_group_by_name("nestedgroup", dict(mem=ent.contains_only()))
(res, errno, grp_list) = sssd_id.get_user_groups("user1")
assert res == sssd_id.NssReturnCode.SUCCESS, \
"Could not find groups for user1, %d" % errno
## test nestedgroup is not returned in group list
assert sorted(grp_list) == sorted(["primarygroup", "parentgroup"])
def test_sanity_rfc2307(ldap_conn, sanity_rfc2307):
passwd_pattern = ent.contains_only(
dict(name="user1", passwd="*", uid=1001, gid=2001, gecos="1001", dir="/home/user1", shell="/bin/bash"),
dict(name="user2", passwd="*", uid=1002, gid=2002, gecos="1002", dir="/home/user2", shell="/bin/bash"),
dict(name="user3", passwd="*", uid=1003, gid=2003, gecos="1003", dir="/home/user3", shell="/bin/bash"),
)
ent.assert_passwd(passwd_pattern)
group_pattern = ent.contains_only(
dict(name="group1", passwd="*", gid=2001, mem=ent.contains_only()),
dict(name="group2", passwd="*", gid=2002, mem=ent.contains_only()),
dict(name="group3", passwd="*", gid=2003, mem=ent.contains_only()),
dict(name="empty_group", passwd="*", gid=2010, mem=ent.contains_only()),
dict(name="two_user_group", passwd="*", gid=2012, mem=ent.contains_only("user1", "user2")),
)
ent.assert_group(group_pattern)
with pytest.raises(KeyError):
pwd.getpwnam("non_existent_user")
with pytest.raises(KeyError):
pwd.getpwuid(1)
with pytest.raises(KeyError):
grp.getgrnam("non_existent_group")
with pytest.raises(KeyError):
grp.getgrgid(1)
def test_all_ent(all):
"""Test "all" scope with getpwent"""
ent.assert_passwd_list(
ent.contains_only(
dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL),
dict(name="user2", uid=1002, shell=config.SESSION_RECORDING_SHELL),
dict(name="user3", uid=1003, shell=config.SESSION_RECORDING_SHELL),
dict(name="user4", uid=1004, shell=config.SESSION_RECORDING_SHELL),
))
def test_assert_group(users_and_groups):
ent.assert_group(ent.contains())
ent.assert_group(ent.contains(GROUP1))
ent.assert_group(ent.contains_only(*GROUP_LIST))
try:
ent.assert_group(ent.contains(dict(name="group3", gid=2003)))
assert False
except AssertionError as e:
assert re.search("list mismatch:", str(e))
assert re.search("expected groups not found:", str(e))
assert not re.search("unexpected groups found:", str(e))
try:
ent.assert_group(ent.contains_only(GROUP1))
assert False
except AssertionError as e:
assert re.search("list mismatch:", str(e))
assert not re.search("expected groups not found:", str(e))
assert re.search("unexpected groups found:", str(e))
def test_assert_passwd(users_and_groups):
ent.assert_passwd(ent.contains())
ent.assert_passwd(ent.contains(USER1))
ent.assert_passwd(ent.contains_only(*USER_LIST))
try:
ent.assert_passwd(ent.contains(dict(name="user3", uid=1003)))
assert False
except AssertionError as e:
assert re.search("list mismatch:", str(e))
assert re.search("expected users not found:", str(e))
assert not re.search("unexpected users found:", str(e))
try:
ent.assert_passwd(ent.contains_only(USER1))
assert False
except AssertionError as e:
assert re.search("list mismatch:", str(e))
assert not re.search("expected users not found:", str(e))
assert re.search("unexpected users found:", str(e))
def test_all_exclude_groups_ent(all_exclude_groups):
"""Test "all" scope with group list and getpwent"""
ent.assert_passwd_list(
ent.contains_only(
dict(name="user1", uid=1001, shell="/bin/sh1"),
dict(name="user2", uid=1002, shell="/bin/sh2"),
dict(name="user3", uid=1003, shell="/bin/sh3"),
dict(name="user4", uid=1004, shell=config.SESSION_RECORDING_SHELL),
))
def test_some_groups4_ent(some_groups4):
"""Test "some" scope with group list and getpwent"""
ent.assert_passwd_list(
ent.contains_only(
dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL),
dict(name="user2", uid=1002, shell="/bin/sh2"),
dict(name="user3", uid=1003, shell=config.SESSION_RECORDING_SHELL),
dict(name="user4", uid=1004, shell="/bin/sh4"),
))
def test_fallback_homedir(fallback_homedir):
"""Test the effect of the "fallback_homedir" option"""
ent.assert_passwd(
ent.contains_only(
dict(name="user_with_homedir_A", uid=1001, dir="/home/A"),
dict(name="user_with_homedir_B", uid=1002, dir="/home/B"),
dict(name="user_with_empty_homedir", uid=1003, dir="/home/B"),
)
)
def test_override_shell(override_shell):
"""Test the effect of the "override_shell" option"""
ent.assert_passwd(
ent.contains_only(
dict(name="user_with_shell_A", uid=1001, shell="/bin/B"),
dict(name="user_with_shell_B", uid=1002, shell="/bin/B"),
dict(name="user_with_empty_shell", uid=1003, shell="/bin/B"),
)
)
def test_default_shell(default_shell):
"""Test the effect of the "default_shell" option"""
ent.assert_passwd(
ent.contains_only(
dict(name="user_with_sh_shell", uid=1001, shell="/bin/sh"),
dict(name="user_with_not_installed_shell", uid=1002, shell="/bin/fallback"),
dict(name="user_with_empty_shell", uid=1003, shell="/bin/default"),
)
)
def test_none(none):
"""Test "none" scope"""
ent.assert_passwd(
ent.contains_only(
dict(name="user1", uid=1001, shell="/bin/sh1"),
dict(name="user2", uid=1002, shell="/bin/sh2"),
dict(name="user3", uid=1003, shell="/bin/sh3"),
dict(name="user4", uid=1004, shell="/bin/sh4"),
))
def test_group_member_matching(users_and_groups):
ent.assert_group_by_name("empty_group", dict(mem=ent.contains()))
ent.assert_group_by_name("empty_group", dict(mem=ent.contains_only()))
try:
ent.assert_group_by_name("empty_group",
dict(mem=ent.contains("user1")))
except AssertionError, e:
assert re.search("member list mismatch:", str(e))
assert re.search("expected members not found:", str(e))
def test_vetoed_shells(vetoed_shells):
"""Test the effect of the "vetoed_shells" option"""
ent.assert_passwd(
ent.contains_only(
dict(name="user_with_sh_shell", uid=1001, shell="/bin/sh"),
dict(name="user_with_vetoed_shell", uid=1002, shell="/bin/fallback"),
dict(name="user_with_empty_shell", uid=1003, shell="/bin/default"),
)
)
def test_some_empty(some_empty):
"""Test "some" scope with no users or groups"""
ent.assert_passwd(
ent.contains_only(
dict(name="user1", uid=1001, shell="/bin/sh1"),
dict(name="user2", uid=1002, shell="/bin/sh2"),
dict(name="user3", uid=1003, shell="/bin/sh3"),
dict(name="user4", uid=1004, shell="/bin/sh4"),
))
def test_shell_fallback(shell_fallback):
"""Test the effect of the "shell_fallback" option"""
ent.assert_passwd(
ent.contains_only(
dict(name="user_with_sh_shell", uid=1001, shell="/bin/sh"),
dict(name="user_with_not_installed_shell",
uid=1002,
shell="/bin/fallback"),
dict(name="user_with_empty_shell", uid=1003, shell="")))
def test_group_show_basic_fqname(ldap_conn, fqname_rfc2307, portable_LC_ALL):
# Fill the cache first
ent.assert_group_by_name(
"group1@LDAP",
dict(mem=ent.contains_only("user1@LDAP")))
ent.assert_group_by_name(
"CamelCaseGroup1@LDAP",
dict(mem=ent.contains_only("CamelCaseUser1@LDAP")))
output = get_call_output(["sssctl", "group-show", "group1@LDAP"])
assert output.find("Name: group1@LDAP") != -1
assert output.find("Cached in InfoPipe: No") != -1
output = get_call_output(["sssctl", "group-show", "CamelCaseGroup1@LDAP"])
assert output.find("Name: CamelCaseGroup1@LDAP") != -1
assert output.find("Cached in InfoPipe: No") != -1
output = get_call_output(["sssctl", "group-show", "camelcasegroup1@LDAP"])
assert output.find("Group camelcasegroup1 is not present in cache.") != -1
def assert_group_default():
# Assert entries are not overridden
with pytest.raises(KeyError):
pwd.getpwnam('ov_group')
with pytest.raises(KeyError):
pwd.getpwnam('ov_group@LDAP')
with pytest.raises(KeyError):
pwd.getpwnam('ov_empty_group')
with pytest.raises(KeyError):
pwd.getpwnam('ov_empty_group@LDAP')
empty_group = dict(gid=2002, mem=ent.contains_only())
group = dict(gid=2001, mem=ent.contains_only("user1", "user2"))
ent.assert_group_by_name("group", group)
ent.assert_group_by_name("group@LDAP", group)
ent.assert_group_by_name("empty_group", empty_group)
ent.assert_group_by_name("empty_group@LDAP", empty_group)
def test_none(none):
"""Test "none" scope"""
ent.assert_passwd(
ent.contains_only(
dict(name="user1", uid=1001, shell="/bin/sh1"),
dict(name="user2", uid=1002, shell="/bin/sh2"),
dict(name="user3", uid=1003, shell="/bin/sh3"),
dict(name="user4", uid=1004, shell="/bin/sh4"),
)
)
def test_all_ent(all):
"""Test "all" scope with getpwent"""
ent.assert_passwd_list(
ent.contains_only(
dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL),
dict(name="user2", uid=1002, shell=config.SESSION_RECORDING_SHELL),
dict(name="user3", uid=1003, shell=config.SESSION_RECORDING_SHELL),
dict(name="user4", uid=1004, shell=config.SESSION_RECORDING_SHELL),
)
)
def test_refresh_after_cleanup_task(ldap_conn, refresh_after_cleanup_task):
"""
Regression test for ticket:
https://fedorahosted.org/sssd/ticket/2676
"""
ent.assert_group_by_name(
"group2",
dict(mem=ent.contains_only("user1")))
ent.assert_passwd_by_name(
'user1',
dict(name='user1', passwd='*', uid=1001, gid=2001,
gecos='1001', shell='/bin/bash'))
time.sleep(15)
ent.assert_group_by_name(
"group2",
dict(mem=ent.contains_only("user1")))
def test_some_empty(some_empty):
"""Test "some" scope with no users or groups"""
ent.assert_passwd(
ent.contains_only(
dict(name="user1", uid=1001, shell="/bin/sh1"),
dict(name="user2", uid=1002, shell="/bin/sh2"),
dict(name="user3", uid=1003, shell="/bin/sh3"),
dict(name="user4", uid=1004, shell="/bin/sh4"),
)
)
def test_some_groups4_ent(some_groups4):
"""Test "some" scope with group list and getpwent"""
ent.assert_passwd_list(
ent.contains_only(
dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL),
dict(name="user2", uid=1002, shell="/bin/sh2"),
dict(name="user3", uid=1003, shell=config.SESSION_RECORDING_SHELL),
dict(name="user4", uid=1004, shell="/bin/sh4"),
)
)
def test_add_local_user_to_local_group(local_domain_only):
"""
Regression test for ticket
https://fedorahosted.org/sssd/ticket/3178
"""
subprocess.check_call(["sss_groupadd", "-g", "10009", "group10009"])
subprocess.check_call(["sss_useradd", "-u", "10009", "-M", "user10009"])
subprocess.check_call(["sss_usermod", "-a", "group10009", "user10009"])
ent.assert_group_by_name(
"group10009",
dict(name="group10009", passwd="*", gid=10009,
mem=ent.contains_only("user10009")))
def test_some_groups_overridden4_ent(some_groups_overridden3):
"""
Test "some" scope with group list containing some
overridden group, and users requested with getpwent.
"""
ent.assert_passwd_list(
ent.contains_only(
dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL),
dict(name="user2", uid=1002, shell="/bin/sh2"),
dict(name="user3", uid=1003, shell="/bin/sh3"),
dict(name="user4", uid=1004, shell="/bin/sh4"),
)
)
