예제 #1
    def test_sssd_genconf_add_remove_section(self, multihost):
        """
        Check that ``sssd --genconf-section`` can add a section that was not
        in the cached configuration and drop it again afterwards.

        The cached configuration is read back with ``ldbsearch`` against
        /var/lib/sss/db/config.ldb, and the pam/nss values are checked before
        and after to confirm the untouched sections kept their settings.
        """
        master = multihost.master[0]
        genconf_foo = '/usr/sbin/sssd --genconf-section=foo'
        lookup = 'ldbsearch -H /var/lib/sss/db/config.ldb -b cn=foo,cn=config'
        baseline_sections = ('pam', 'nss')

        # Baseline: both sections are expected at debug_level 9 after restart
        master.service_sssd('restart')
        for section in baseline_sections:
            self._assert_config_value(multihost, section, 'debug_level', '9')

        # Add the new section, regenerate only that section, then look it up
        set_param(multihost, 'foo', 'bar', 'baz')
        master.run_command(genconf_foo)
        found = master.run_command(lookup)
        assert 'bar: baz' in found.stdout_text

        # Drop the section again and regenerate; the lookup must come up empty
        remove_section(multihost, 'foo')
        master.run_command(genconf_foo)
        found = master.run_command(lookup)
        # NOTE(review): this is a plain substring check on the whole output,
        # so it relies on ldbsearch not echoing the search base - confirm
        assert 'foo' not in found.stdout_text

        # The pre-existing sections must not have been disturbed
        for section in baseline_sections:
            self._assert_config_value(multihost, section, 'debug_level', '9')
예제 #2
파일: test_kcm.py 프로젝트: cornaer/sssd
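    def test_kcm_payload_low_quota(self, multihost, enable_kcm):
        """
        :title: kcm: Quota enforcement
        :id: cb3daadb-c5e7-48f8-b419-11c616f0d602
        :description: Set a prohibitive quota for the per-ccache payload
         limit and make sure it gets enforced
        """
        # It is easier to keep these tests stable and independent from others
        # if they start from a clean slate
        self._remove_secret_db(multihost)

        # NOTE(review): the '******' credentials are masked in this copy of
        # the test; the real fixture values have to come from upstream.
        ssh_foo3 = SSHClient(multihost.master[0].sys_hostname,
                             username='******',
                             password='******')
        try:
            ssh_foo3.execute_cmd('kdestroy -A')
        finally:
            # Always release the session, even if kdestroy raises
            ssh_foo3.close()

        # NOTE(review): nothing visible here puts max_ccache_size back after
        # the test - confirm a fixture or a later test resets it.
        set_param(multihost, 'kcm', 'max_ccache_size', '1')
        self._restart_kcm(multihost)

        # We use kinit to exceed the maximum ccache size as it creates payload
        # of 1280 bytes by acquiring tgt and also some control credentials.
        # SSH authentication is not sufficient as it stores only tgt.
        ssh_foo3 = SSHClient(multihost.master[0].sys_hostname,
                             username='******',
                             password='******')
        try:
            # NOTE(review): '[email protected]' looks like the hosting page's
            # e-mail obfuscation standing in for the Kerberos principal;
            # restore the real principal from upstream before running.
            # 'Secret123' is passed as a separate argument, presumably fed to
            # kinit on stdin rather than placed on the command line.
            (_, _, exit_status) = ssh_foo3.execute_cmd(
                'kinit [email protected]', 'Secret123')
        finally:
            # The original left this second session open
            ssh_foo3.close()

        # NOTE(review): any kinit failure (bad principal, KDC unreachable)
        # also yields a non-zero status, so this alone does not prove that
        # the quota was the reason for the rejection.
        assert exit_status != 0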
예제 #3
파일: test_config.py 프로젝트: thalman/sssd
    def test_sssd_genconf_add_remove_section(self, multihost):
        """
        :title: config: sssd --genconf-section can not only modify
         existing configuration sections, but also add a new section
        :id: 8df66b51-aadc-456e-8f27-a1a787e61769
        """
        host = multihost.master[0]

        def regenerate_and_query():
            # Refresh only the 'foo' section, then dump cn=foo from the
            # cached configuration database and hand back the raw output
            host.run_command('/usr/sbin/sssd --genconf-section=foo')
            return host.run_command(
                'ldbsearch -H /var/lib/sss/db/config.ldb -b cn=foo,cn=config'
            ).stdout_text

        def check_untouched_sections():
            # pam and nss are expected to stay at debug_level 9 throughout
            self._assert_config_value(multihost, 'pam', 'debug_level', '9')
            self._assert_config_value(multihost, 'nss', 'debug_level', '9')

        # Establish a baseline
        host.service_sssd('restart')
        check_untouched_sections()

        # A brand new section must show up after regeneration
        set_param(multihost, 'foo', 'bar', 'baz')
        assert 'bar: baz' in regenerate_and_query()

        # ...and must be gone again once it has been removed
        remove_section(multihost, 'foo')
        assert 'foo' not in regenerate_and_query()

        # Also make sure the existing sections were intact
        check_untouched_sections()
예제 #4
파일: test_kcm.py 프로젝트: cornaer/sssd
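    def test_kcm_debug_level_set(self, multihost, enable_kcm):
        """
        :title: kcm: After kcm section with debug
         level set restarting sssd-kcm service enables kcm debugging
        :id: 31c74bfc-69d5-46bd-aef8-a5581970832e
        :description: Test that just adding a [kcm] section and restarting
         the kcm service enables debugging without having to restart the
         whole sssd
        """
        # Start from a known-good state where the configuration is refreshed
        # by the monitor and logging is completely disabled
        multihost.master[0].service_sssd('stop')
        self._stop_kcm(multihost)
        self._remove_kcm_log_file(multihost)
        set_param(multihost, 'kcm', 'debug_level', '0')
        multihost.master[0].service_sssd('start')
        self._start_kcm(multihost)

        log_lines_pre = self._kcm_log_length(multihost)

        # Debugging is disabled: log in over SSH, run kdestroy and make sure
        # that no debug messages were produced.
        # NOTE(review): the '******' credentials are masked in this copy; the
        # failure message below names the user as foo3.
        try:
            ssh = SSHClient(multihost.master[0].sys_hostname,
                            username='******',
                            password='******')
        except paramiko.ssh_exception.AuthenticationException:
            pytest.fail("Authentication Failed as user %s" % ('foo3'))
        else:
            try:
                ssh.execute_cmd('kdestroy')
            finally:
                # Close the session even if the command raises
                ssh.close()

        log_lines_nodebug = self._kcm_log_length(multihost)
        assert log_lines_nodebug == log_lines_pre

        # Enable debugging, restart only the kcm service, make sure some
        # debug messages were produced
        set_param(multihost, 'kcm', 'debug_level', '9')
        self._restart_kcm(multihost)

        try:
            ssh = SSHClient(multihost.master[0].sys_hostname,
                            username='******',
                            password='******')
        except paramiko.ssh_exception.AuthenticationException:
            pytest.fail("Authentication Failed as user %s" % ('foo3'))
        else:
            try:
                ssh.execute_cmd('kdestroy')
            finally:
                ssh.close()

        log_lines_debug = self._kcm_log_length(multihost)
        # NOTE(review): 100 is an empirical threshold for "debugging is on";
        # nothing here derives it from the KCM log format.
        assert log_lines_debug > log_lines_pre + 100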
예제 #5
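    def test_sssd_genconf_sssd_running(self, multihost):
        """
        Test that sssd --genconf is able to re-generate the configuration
        even while SSSD is running.

        The pam debug_level is changed with set_param, the cached
        configuration is regenerated with ``sssd --genconf`` and checked, and
        the setting is put back to '9' afterwards even when the check fails.
        """
        multihost.master[0].service_sssd('restart')

        self._assert_config_value(multihost, 'pam', 'debug_level', '9')

        set_param(multihost, 'pam', 'debug_level', '1')
        try:
            multihost.master[0].run_command('/usr/sbin/sssd --genconf')
            self._assert_config_value(multihost, 'pam', 'debug_level', '1')
        finally:
            # Restore the baseline unconditionally: a failed assertion must
            # not leave debug_level at '1' for tests that expect '9'
            set_param(multihost, 'pam', 'debug_level', '9')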
예제 #6
    def test_sssd_genconf_sssd_running(self, multihost):
        """
        Verify that ``sssd --genconf`` refreshes the cached configuration
        while the SSSD service is up.

        The service is restarted and left running; the pam debug_level is
        then changed, the configuration regenerated and the new value
        checked. The last step writes the original value back.
        """
        master = multihost.master[0]
        section, option = 'pam', 'debug_level'
        baseline, changed = '9', '1'

        master.service_sssd('restart')
        self._assert_config_value(multihost, section, option, baseline)

        # Change the option, regenerate, and expect the new value to show up
        set_param(multihost, section, option, changed)
        master.run_command('/usr/sbin/sssd --genconf')
        self._assert_config_value(multihost, section, option, changed)

        # Put the option back to its baseline value
        # NOTE(review): this line is skipped when the assertion above fails
        set_param(multihost, section, option, baseline)
예제 #7
파일: test_kcm.py 프로젝트: SSSD/sssd
    def test_kcm_debug_level_set(self, multihost, enable_kcm):
        """
        @Title: kcm: After kcm section with debug
        level set restarting sssd-kcm service enables kcm debugging

        @Description: Test that just adding a [kcm] section and restarting
        the kcm service enables debugging without having to restart the
        whole sssd
        """
        master = multihost.master[0]

        def login_and_kdestroy():
            # One SSH password login followed by kdestroy; a rejected login
            # fails the test outright. The '******' credentials are masked
            # in this copy of the test.
            try:
                session = SSHClient(master.sys_hostname,
                                    username='******', password='******')
            except paramiko.ssh_exception.AuthenticationException:
                pytest.fail("Authentication Failed as user %s" % ('foo3'))
            else:
                session.execute_cmd('kdestroy')
                session.close()

        # Known-good starting point: everything stopped, old KCM log removed,
        # KCM debug_level set to 0, then both services started again
        master.service_sssd('stop')
        self._stop_kcm(multihost)
        self._remove_kcm_log_file(multihost)
        set_param(multihost, 'kcm', 'debug_level', '0')
        master.service_sssd('start')
        self._start_kcm(multihost)

        log_lines_pre = self._kcm_log_length(multihost)

        # With debugging off the log length must not change
        login_and_kdestroy()
        log_lines_nodebug = self._kcm_log_length(multihost)
        assert log_lines_nodebug == log_lines_pre

        # Raise the debug level and restart only the kcm service
        set_param(multihost, 'kcm', 'debug_level', '9')
        self._restart_kcm(multihost)

        # The same activity must now add well over a hundred log lines
        login_and_kdestroy()
        log_lines_debug = self._kcm_log_length(multihost)
        assert log_lines_debug > log_lines_pre + 100
예제 #8
파일: test_config.py 프로젝트: thalman/sssd
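    def test_sssd_genconf_sssd_running(self, multihost):
        """
        :title: config: sssd --genconf is able to re-generate
         the configuration even while SSSD is running
        :id: 078721e9-536b-4fd8-a36d-bd94673228fc
        """
        master = multihost.master[0]
        master.service_sssd('restart')

        # Baseline value expected right after the restart
        self._assert_config_value(multihost, 'pam', 'debug_level', '9')

        set_param(multihost, 'pam', 'debug_level', '1')
        try:
            # SSSD is still running here; only the cached configuration is
            # regenerated
            master.run_command('/usr/sbin/sssd --genconf')
            self._assert_config_value(multihost, 'pam', 'debug_level', '1')
        finally:
            # Put the baseline back even when the command or the assertion
            # fails, so the changed value does not leak into other tests
            set_param(multihost, 'pam', 'debug_level', '9')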
예제 #9
파일: test_kcm.py 프로젝트: weblate/sssd
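    def test_kcm_peruid_quota_increase(self,
                                       multihost,
                                       enable_kcm,
                                       create_many_user_principals):
        """
        @Title: kcm: Quota increase

        Increasing the peruid quota allows a client to store more
        data

        The test fills the quota exactly, checks that one more kinit is
        refused, raises max_uid_ccaches to 65 and checks that the same kinit
        is then accepted.
        """
        # It is easier to keep these tests stable and independent from others
        # if they start from a clean slate
        self._remove_secret_db(multihost)

        # NOTE(review): the '******' credentials are masked in this copy of
        # the test; the real fixture values have to come from upstream.
        ssh_foo3 = SSHClient(multihost.master[0].sys_hostname,
                             username='******', password='******')
        try:
            # The loop would request 63 users, plus there is foo3 we
            # authenticated earlier, so this should exactly deplete the
            # quota, but should succeed
            for i in range(1, 64):
                # This copy had the format string masked as "******", which
                # raises TypeError under %. 'user%04d' is reconstructed from
                # the literal 'kinit user0064' below - confirm upstream.
                username = "user%04d" % i
                (_, _, exit_status) = ssh_foo3.execute_cmd(
                    'kinit %s' % username, stdin='Secret123')
                assert exit_status == 0

            # this kinit should be exactly one over the peruid limit
            (_, _, exit_status) = ssh_foo3.execute_cmd('kinit user0064',
                                                       stdin='Secret123')
            assert exit_status != 0

            # NOTE(review): nothing visible here puts max_uid_ccaches back
            # after the test - confirm a fixture or a later test resets it.
            set_param(multihost, 'kcm', 'max_uid_ccaches', '65')
            self._restart_kcm(multihost)

            # Now the kinit should work as we increased the limit
            (_, _, exit_status) = ssh_foo3.execute_cmd('kinit user0064',
                                                       stdin='Secret123')
            assert exit_status == 0
        finally:
            # Drop the acquired caches and close the session even when an
            # assertion above fails, so neither leaks into later tests
            try:
                ssh_foo3.execute_cmd('kdestroy -A')
            finally:
                ssh_foo3.close()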
예제 #10
파일: test_kcm.py 프로젝트: weblate/sssd
    def test_kcm_payload_low_quota(self, multihost, enable_kcm):
        """
        @Title: kcm: Quota enforcement

        Set a prohibitive quota for the per-ccache payload limit and
        make sure it gets enforced
        """
        # Start from an empty secrets database so that earlier tests cannot
        # influence the outcome
        self._remove_secret_db(multihost)

        # The '******' credentials are masked in this copy of the test
        master_name = multihost.master[0].sys_hostname
        cleanup_session = SSHClient(master_name,
                                    username='******', password='******')
        cleanup_session.execute_cmd('kdestroy -A')
        cleanup_session.close()

        # Shrink the per-ccache payload limit and restart only the KCM
        # service
        set_param(multihost, 'kcm', 'max_ccache_size', '1')
        self._restart_kcm(multihost)

        # With the limit in place the SSH password login is expected to be
        # rejected.
        # NOTE(review): any other cause of AuthenticationException (wrong
        # password, locked account) satisfies this check as well, so it does
        # not prove on its own that the quota was the reason.
        with pytest.raises(paramiko.ssh_exception.AuthenticationException):
            SSHClient(master_name, username='******', password='******')
예제 #11
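    def test_sssd_genconf_section_only(self, multihost):
        """
        Test that --genconf-section only refreshes those sections given
        on the command line

        Both the pam and nss debug levels are changed with set_param, but
        only the pam section is regenerated; nss must keep its old value.
        Both settings are put back to '9' afterwards, even when a check
        fails.
        """
        multihost.master[0].service_sssd('restart')

        self._assert_config_value(multihost, 'pam', 'debug_level', '9')
        self._assert_config_value(multihost, 'nss', 'debug_level', '9')

        try:
            set_param(multihost, 'pam', 'debug_level', '1')
            set_param(multihost, 'nss', 'debug_level', '1')
            multihost.master[0].run_command(
                '/usr/sbin/sssd --genconf-section=pam')

            # We only told genconf to touch the pam section..
            self._assert_config_value(multihost, 'pam', 'debug_level', '1')
            # ..so the NSS section shouldn't be updated at all
            self._assert_config_value(multihost, 'nss', 'debug_level', '9')
        finally:
            # Restore the baseline unconditionally so that a failed check
            # does not leave debug_level at '1' for later tests
            set_param(multihost, 'nss', 'debug_level', '9')
            set_param(multihost, 'pam', 'debug_level', '9')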
예제 #12
    def test_sssd_genconf_section_only(self, multihost):
        """
        Verify that ``sssd --genconf-section`` limits the refresh to the
        section named on the command line.

        pam and nss are both changed, only pam is regenerated, and the nss
        value is then expected to be the old one.
        """
        master = multihost.master[0]
        option = 'debug_level'

        master.service_sssd('restart')

        # Baseline: both sections are expected at level 9 after the restart
        for section in ('pam', 'nss'):
            self._assert_config_value(multihost, section, option, '9')

        # Change both sections, then regenerate the pam section only
        for section in ('pam', 'nss'):
            set_param(multihost, section, option, '1')
        master.run_command('/usr/sbin/sssd --genconf-section=pam')

        # pam was named on the command line, so it shows the new value...
        self._assert_config_value(multihost, 'pam', option, '1')
        # ...while nss was not and must still show the old one
        self._assert_config_value(multihost, 'nss', option, '9')

        # Write the baseline back for both sections
        # NOTE(review): skipped when one of the assertions above fails
        for section in ('nss', 'pam'):
            set_param(multihost, section, option, '9')