def test_positive_session_survives_unauthenticated_call(
admin_user, target_sat):
"""Check if session stays up after unauthenticated call
:id: 8bc304a0-70ea-489c-9c3f-ea8343c5284c
:Steps:
1. Set use_sessions
2. Authenticate, assert credentials are not demanded
on next command run
3. Run `hammer ping`
:CaseImportance: Medium
:expectedresults: The session is unchanged
"""
result = configure_sessions(target_sat)
assert result == 0, 'Failed to configure hammer sessions'
AuthLogin.basic({'username': admin_user['login'], 'password': password})
result = Auth.with_user().status()
assert LOGEDIN_MSG.format(admin_user['login']) in result[0]['message']
# list organizations without supplying credentials
Org.with_user().list()
result = target_sat.execute('hammer ping')
assert result.status == 0, 'Failed to run hammer ping'
result = Auth.with_user().status()
assert LOGEDIN_MSG.format(admin_user['login']) in result[0]['message']
Org.with_user().list()
def test_positive_log_out_from_session(self):
"""Check if session is terminated when user logs out
:id: 0ba05f2d-7b83-4b0c-a04c-80e62b7c4cf2
:Steps:
1. Set use_sessions
2. Authenticate, assert credentials are not demanded
on next command run
3. Run `hammer auth logout`
:expectedresults: The session is terminated
"""
result = configure_sessions()
self.assertEqual(result, 0, 'Failed to configure hammer sessions')
AuthLogin.basic({'username': self.uname_admin, 'password': self.password})
result = Auth.with_user().status()
self.assertIn(LOGEDIN_MSG.format(self.uname_admin), result[0]['message'])
# list organizations without supplying credentials
with self.assertNotRaises(CLIReturnCodeError):
Org.with_user().list()
Auth.logout()
result = Auth.with_user().status()
self.assertIn(LOGEDOFF_MSG.format(self.uname_admin), result[0]['message'])
with self.assertRaises(CLIReturnCodeError):
Org.with_user().list()
def test_positive_disable_session(admin_user, target_sat):
"""Check if user logs out when session is disabled
:id: 38ee0d85-c2fe-4cac-a992-c5dbcec11031
:Steps:
1. Set use_sessions
2. Authenticate, assert credentials are not demanded
on next command run
3. Disable use_sessions
:expectedresults: The session is terminated
"""
result = configure_sessions(target_sat)
assert result == 0, 'Failed to configure hammer sessions'
AuthLogin.basic({'username': admin_user['login'], 'password': password})
result = Auth.with_user().status()
assert LOGEDIN_MSG.format(admin_user['login']) in result[0]['message']
# list organizations without supplying credentials
assert Org.with_user().list()
# disabling sessions
result = configure_sessions(satellite=target_sat, enable=False)
assert result == 0, 'Failed to configure hammer sessions'
result = Auth.with_user().status()
assert NOTCONF_MSG.format(admin_user['login']) in result[0]['message']
with pytest.raises(CLIReturnCodeError):
Org.with_user().list()
def test_positive_session_survives_failed_login(admin_user, non_admin_user,
target_sat):
"""Check if session stays up after failed login attempt
:id: 6c4d5c4c-eff0-411b-829f-0c2f2ec26132
:BZ: 1465552
:Steps:
1. Set use_sessions
2. Authenticate, assert credentials are not demanded
on next command run
3. Run login with invalid credentials
:expectedresults: The session is unchanged
"""
result = configure_sessions(target_sat)
assert result == 0, 'Failed to configure hammer sessions'
AuthLogin.basic({'username': admin_user['login'], 'password': password})
result = Auth.with_user().status()
assert LOGEDIN_MSG.format(admin_user['login']) in result[0]['message']
Org.with_user().list()
# using invalid password
with pytest.raises(CLIReturnCodeError):
AuthLogin.basic({
'username': non_admin_user['login'],
'password': gen_string('alpha')
})
# checking the session status again
result = Auth.with_user().status()
assert LOGEDIN_MSG.format(admin_user['login']) in result[0]['message']
Org.with_user().list()
def test_positive_change_session(self):
"""Change from existing session to a different session
:id: b6ea6f3c-fcbd-4e7b-97bd-f3e0e6b9da8f
:Steps:
1. Set use_sessions
2. Authenticate, assert credentials are not demanded
on next command run
3. Login as a different user
:expectedresults: The session is altered
"""
result = configure_sessions()
self.assertEqual(result, 0, 'Failed to configure hammer sessions')
AuthLogin.basic({'username': self.uname_admin, 'password': self.password})
result = Auth.with_user().status()
self.assertIn(LOGEDIN_MSG.format(self.uname_admin), result[0]['message'])
# list organizations without supplying credentials
with self.assertNotRaises(CLIReturnCodeError):
Org.with_user().list()
AuthLogin.basic({'username': self.uname_viewer, 'password': self.password})
result = Auth.with_user().status()
self.assertIn(LOGEDIN_MSG.format(self.uname_viewer), result[0]['message'])
with self.assertNotRaises(CLIReturnCodeError):
Org.with_user().list()
def test_positive_session_survives_failed_login(self):
"""Check if session stays up after failed login attempt
:id: 6c4d5c4c-eff0-411b-829f-0c2f2ec26132
:BZ: 1465552
:Steps:
1. Set use_sessions
2. Authenticate, assert credentials are not demanded
on next command run
3. Run login with invalid credentials
:expectedresults: The session is unchanged
"""
result = configure_sessions()
self.assertEqual(result, 0, 'Failed to configure hammer sessions')
AuthLogin.basic({'username': self.uname_admin, 'password': self.password})
result = Auth.with_user().status()
self.assertIn(LOGEDIN_MSG.format(self.uname_admin), result[0]['message'])
with self.assertNotRaises(CLIReturnCodeError):
Org.with_user().list()
# using invalid password
with self.assertRaises(CLIReturnCodeError):
AuthLogin.basic({'username': self.uname_viewer, 'password': gen_string('alpha')})
# checking the session status again
result = Auth.with_user().status()
self.assertIn(LOGEDIN_MSG.format(self.uname_admin), result[0]['message'])
with self.assertNotRaises(CLIReturnCodeError):
Org.with_user().list()
def test_positive_session_survives_unauthenticated_call(self):
"""Check if session stays up after unauthenticated call
:id: 8bc304a0-70ea-489c-9c3f-ea8343c5284c
:Steps:
1. Set use_sessions
2. Authenticate, assert credentials are not demanded
on next command run
3. Run `hammer ping`
:expectedresults: The session is unchanged
"""
result = configure_sessions()
self.assertEqual(result, 0, 'Failed to configure hammer sessions')
Auth.login({'username': self.uname_admin, 'password': self.password})
result = Auth.with_user().status()
self.assertIn(
LOGEDIN_MSG.format(self.uname_admin),
result[0][u'message']
)
# list organizations without supplying credentials
with self.assertNotRaises(CLIReturnCodeError):
Org.with_user().list()
result = ssh.command('hammer ping')
self.assertEqual(result.return_code, 0, 'Failed to run hammer ping')
result = Auth.with_user().status()
self.assertIn(
LOGEDIN_MSG.format(self.uname_admin),
result[0][u'message']
)
with self.assertNotRaises(CLIReturnCodeError):
Org.with_user().list()
def test_positive_disable_session(self):
"""Check if user logs out when session is disabled
:id: 38ee0d85-c2fe-4cac-a992-c5dbcec11031
:Steps:
1. Set use_sessions
2. Authenticate, assert credentials are not demanded
on next command run
3. Disable use_sessions
:expectedresults: The session is terminated
"""
result = configure_sessions()
self.assertEqual(result, 0, 'Failed to configure hammer sessions')
Auth.login({'username': self.uname_admin, 'password': self.password})
result = Auth.with_user().status()
self.assertIn(LOGEDIN_MSG.format(self.uname_admin),
result[0][u'message'])
# list organizations without supplying credentials
with self.assertNotRaises(CLIReturnCodeError):
Org.with_user().list()
# disabling sessions
result = configure_sessions(False)
self.assertEqual(result, 0, 'Failed to configure hammer sessions')
result = Auth.with_user().status()
self.assertIn(NOTCONF_MSG.format(self.uname_admin),
result[0][u'message'])
with self.assertRaises(CLIReturnCodeError):
Org.with_user().list()
def test_positive_session_survives_unauthenticated_call(self):
"""Check if session stays up after unauthenticated call
:id: 8bc304a0-70ea-489c-9c3f-ea8343c5284c
:Steps:
1. Set use_sessions
2. Authenticate, assert credentials are not demanded
on next command run
3. Run `hammer ping`
:expectedresults: The session is unchanged
"""
result = configure_sessions()
self.assertEqual(result, 0, 'Failed to configure hammer sessions')
Auth.login({'username': self.uname_admin, 'password': self.password})
result = Auth.with_user().status()
self.assertIn(LOGEDIN_MSG.format(self.uname_admin),
result[0][u'message'])
# list organizations without supplying credentials
with self.assertNotRaises(CLIReturnCodeError):
Org.with_user().list()
result = ssh.command('hammer ping')
self.assertEqual(result.return_code, 0, 'Failed to run hammer ping')
result = Auth.with_user().status()
self.assertIn(LOGEDIN_MSG.format(self.uname_admin),
result[0][u'message'])
with self.assertNotRaises(CLIReturnCodeError):
Org.with_user().list()
def test_positive_change_session(admin_user, non_admin_user, target_sat):
"""Change from existing session to a different session
:id: b6ea6f3c-fcbd-4e7b-97bd-f3e0e6b9da8f
:Steps:
1. Set use_sessions
2. Authenticate, assert credentials are not demanded
on next command run
3. Login as a different user
:CaseImportance: High
:expectedresults: The session is altered
"""
result = configure_sessions(target_sat)
assert result == 0, 'Failed to configure hammer sessions'
AuthLogin.basic({'username': admin_user['login'], 'password': password})
result = Auth.with_user().status()
assert LOGEDIN_MSG.format(admin_user['login']) in result[0]['message']
# list organizations without supplying credentials
assert User.with_user().list()
AuthLogin.basic({
'username': non_admin_user['login'],
'password': password
})
result = Auth.with_user().status()
assert LOGEDIN_MSG.format(non_admin_user['login']) in result[0]['message']
assert User.with_user().list()
def test_positive_log_out_from_session(admin_user, target_sat):
"""Check if session is terminated when user logs out
:id: 0ba05f2d-7b83-4b0c-a04c-80e62b7c4cf2
:Steps:
1. Set use_sessions
2. Authenticate, assert credentials are not demanded
on next command run
3. Run `hammer auth logout`
:expectedresults: The session is terminated
"""
result = configure_sessions(target_sat)
assert result == 0, 'Failed to configure hammer sessions'
AuthLogin.basic({'username': admin_user['login'], 'password': password})
result = Auth.with_user().status()
assert LOGEDIN_MSG.format(admin_user['login']) in result[0]['message']
# list organizations without supplying credentials
assert Org.with_user().list()
Auth.logout()
result = Auth.with_user().status()
assert LOGEDOFF_MSG.format(admin_user['login']) in result[0]['message']
with pytest.raises(CLIReturnCodeError):
Org.with_user().list()
def test_positive_session_preceeds_saved_credentials(self):
"""Check if enabled session is mutually exclusive with
saved credentials in hammer config
:id: e4277298-1c24-494b-84a6-22f45f96e144
:BZ: 1471099
:Steps:
1. Set use_sessions, set usernam and password,
set short expiration time
2. Authenticate, assert credentials are not demanded
on next command run
3. Wait until session expires
:expectedresults: Session expires after specified time
and saved credentials are not applied
"""
try:
idle_timeout = Settings.list({
'search': 'name=idle_timeout'})[0][u'value']
Settings.set({'name': 'idle_timeout', 'value': 1})
result = configure_sessions(add_default_creds=True)
self.assertEqual(result, 0, 'Failed to configure hammer sessions')
Auth.login({
'username': self.uname_admin,
'password': self.password
})
result = Auth.with_user().status()
self.assertIn(
LOGEDIN_MSG.format(self.uname_admin),
result[0][u'message']
)
# list organizations without supplying credentials
with self.assertNotRaises(CLIReturnCodeError):
Org.with_user().list()
# wait until session expires
sleep(70)
with self.assertRaises(CLIReturnCodeError):
Org.with_user().list()
result = Auth.with_user().status()
self.assertIn(
LOGEDOFF_MSG.format(self.uname_admin),
result[0][u'message']
)
finally:
# reset timeout to default
Settings.set({'name': 'idle_timeout', 'value': '{}'.format(
idle_timeout)})
def test_positive_session_preceeds_saved_credentials(self):
"""Check if enabled session is mutually exclusive with
saved credentials in hammer config
:id: e4277298-1c24-494b-84a6-22f45f96e144
:BZ: 1471099
:Steps:
1. Set use_sessions, set usernam and password,
set short expiration time
2. Authenticate, assert credentials are not demanded
on next command run
3. Wait until session expires
:expectedresults: Session expires after specified time
and saved credentials are not applied
"""
try:
idle_timeout = Settings.list({'search':
'name=idle_timeout'})[0][u'value']
Settings.set({'name': 'idle_timeout', 'value': 1})
result = configure_sessions(add_default_creds=True)
self.assertEqual(result, 0, 'Failed to configure hammer sessions')
Auth.login({
'username': self.uname_admin,
'password': self.password
})
result = Auth.with_user().status()
self.assertIn(LOGEDIN_MSG.format(self.uname_admin),
result[0][u'message'])
# list organizations without supplying credentials
with self.assertNotRaises(CLIReturnCodeError):
Org.with_user().list()
# wait until session expires
sleep(70)
with self.assertRaises(CLIReturnCodeError):
Org.with_user().list()
result = Auth.with_user().status()
self.assertIn(LOGEDOFF_MSG.format(self.uname_admin),
result[0][u'message'])
finally:
# reset timeout to default
Settings.set({
'name': 'idle_timeout',
'value': '{}'.format(idle_timeout)
})
def test_rhsso_login_using_hammer(self, enable_external_auth_rhsso,
rhsso_setting_setup,
rh_sso_hammer_auth_setup):
"""verify the hammer auth login using RHSSO auth source
:id: 56c09a1a-d0e5-11ea-9024-d46d6dd3b5b2
:expectedresults: hammer auth login should be suceessful for a rhsso user
:CaseImportance: High
"""
result = AuthLogin.oauth({
'oidc-token-endpoint':
get_oidc_token_endpoint(),
'oidc-client-id':
get_oidc_client_id(),
'username':
settings.rhsso.rhsso_user,
'password':
settings.rhsso.password,
})
assert f"Successfully logged in as '{settings.rhsso.rhsso_user}'." == result[
0]['message']
result = Auth.with_user(username=settings.rhsso.rhsso_user,
password=settings.rhsso.password).status()
assert (
f"Session exists, currently logged in as '{settings.rhsso.rhsso_user}'."
== result[0]['message'])
task_list = Task.with_user(username=settings.rhsso.rhsso_user,
password=settings.rhsso.password).list()
assert len(task_list) >= 0
with pytest.raises(CLIReturnCodeError) as error:
Role.with_user(username=settings.rhsso.rhsso_user,
password=settings.rhsso.password).list()
assert 'Missing one of the required permissions' in error.value.message
def test_positive_create_session(self):
"""Check if user stays authenticated with session enabled
:id: fcee7f5f-1040-41a9-bf17-6d0c24a93e22
:Steps:
1. Set use_sessions, set short expiration time
2. Authenticate, assert credentials are not demanded
on next command run
3. Wait until session expires, assert credentials
are required
:expectedresults: The session is successfully created and
expires after specified time
"""
try:
idle_timeout = Settings.list({
'search': 'name=idle_timeout'})[0][u'value']
Settings.set({'name': 'idle_timeout', 'value': 1})
result = configure_sessions()
self.assertEqual(result, 0, 'Failed to configure hammer sessions')
Auth.login({
'username': self.uname_admin,
'password': self.password
})
result = Auth.with_user().status()
self.assertIn(
LOGEDIN_MSG.format(self.uname_admin),
result[0][u'message']
)
# list organizations without supplying credentials
with self.assertNotRaises(CLIReturnCodeError):
Org.with_user().list()
# wait until session expires
sleep(70)
with self.assertRaises(CLIReturnCodeError):
Org.with_user().list()
result = Auth.with_user().status()
self.assertIn(
LOGEDOFF_MSG.format(self.uname_admin),
result[0][u'message']
)
finally:
# reset timeout to default
Settings.set({'name': 'idle_timeout', 'value': '{}'.format(
idle_timeout)})
def test_positive_session_preceeds_saved_credentials(admin_user, target_sat):
"""Check if enabled session is mutually exclusive with
saved credentials in hammer config
:id: e4277298-1c24-494b-84a6-22f45f96e144
:BZ: 1471099, 1903693
:CaseImportance: High
:Steps:
1. Set use_sessions, set username and password,
set short expiration time
2. Authenticate, assert credentials are not demanded
on next command run
3. Wait until session expires
:expectedresults: Session expires after specified time
and saved credentials are not applied
"""
try:
idle_timeout = Settings.list({'search':
'name=idle_timeout'})[0]['value']
Settings.set({'name': 'idle_timeout', 'value': 1})
result = configure_sessions(satellite=target_sat,
add_default_creds=True)
assert result == 0, 'Failed to configure hammer sessions'
AuthLogin.basic({
'username': admin_user['login'],
'password': password
})
result = Auth.with_user().status()
assert LOGEDIN_MSG.format(admin_user['login']) in result[0]['message']
# list organizations without supplying credentials
sleep(70)
if not is_open('BZ:1903693'):
result = Auth.with_user().status()
assert LOGEDOFF_MSG.format(
admin_user['login']) in result[0]['message']
with pytest.raises(CLIReturnCodeError):
Org.with_user().list()
finally:
# reset timeout to default
Settings.set({'name': 'idle_timeout', 'value': f'{idle_timeout}'})
def test_positive_create_session(self):
"""Check if user stays authenticated with session enabled
:id: fcee7f5f-1040-41a9-bf17-6d0c24a93e22
:Steps:
1. Set use_sessions, set short expiration time
2. Authenticate, assert credentials are not demanded
on next command run
3. Wait until session expires, assert credentials
are required
:expectedresults: The session is successfully created and
expires after specified time
"""
try:
idle_timeout = Settings.list({'search':
'name=idle_timeout'})[0][u'value']
Settings.set({'name': 'idle_timeout', 'value': 1})
result = configure_sessions()
self.assertEqual(result, 0, 'Failed to configure hammer sessions')
Auth.login({
'username': self.uname_admin,
'password': self.password
})
result = Auth.with_user().status()
self.assertIn(LOGEDIN_MSG.format(self.uname_admin),
result[0][u'message'])
# list organizations without supplying credentials
with self.assertNotRaises(CLIReturnCodeError):
Org.with_user().list()
# wait until session expires
sleep(70)
with self.assertRaises(CLIReturnCodeError):
Org.with_user().list()
result = Auth.with_user().status()
self.assertIn(LOGEDOFF_MSG.format(self.uname_admin),
result[0][u'message'])
finally:
# reset timeout to default
Settings.set({
'name': 'idle_timeout',
'value': '{}'.format(idle_timeout)
})
def test_positive_refresh_usergroup_with_ad(self, member_group, ad_data, ldap_tear_down):
"""Verify the usergroup-sync functionality in AD Auth Source
:id: 2e913e76-49c3-11eb-b4c6-d46d6dd3b5b2
:customerscenario: true
:CaseImportance: Medium
:bz: 1901392
:parametrized: yes
:expectedresults: external user-group sync works as expected automatically
based on user-sync
"""
ad_data = ad_data()
group_base_dn = ','.join(ad_data['group_base_dn'].split(',')[1:])
LOGEDIN_MSG = "Using configured credentials for user '{0}'."
auth_source = make_ldap_auth_source(
{
'name': gen_string('alpha'),
'onthefly-register': 'true',
'host': ad_data['ldap_hostname'],
'server-type': LDAP_SERVER_TYPE['CLI']['ad'],
'attr-login': LDAP_ATTR['login_ad'],
'attr-firstname': LDAP_ATTR['firstname'],
'attr-lastname': LDAP_ATTR['surname'],
'attr-mail': LDAP_ATTR['mail'],
'account': ad_data['ldap_user_name'],
'account-password': ad_data['ldap_user_passwd'],
'base-dn': ad_data['base_dn'],
'groups-base': group_base_dn,
}
)
# assert auth_source['account']['groups-base'] == group_base_dn
viewer_role = Role.info({'name': 'Viewer'})
user_group = make_usergroup()
make_usergroup_external(
{
'auth-source-id': auth_source['server']['id'],
'user-group-id': user_group['id'],
'name': member_group,
}
)
UserGroup.add_role({'id': user_group['id'], 'role-id': viewer_role['id']})
user_group = UserGroup.info({'id': user_group['id']})
result = Auth.with_user(
username=ad_data['ldap_user_name'], password=ad_data['ldap_user_passwd']
).status()
assert LOGEDIN_MSG.format(ad_data['ldap_user_name']) in result[0]['message']
UserGroupExternal.refresh({'user-group-id': user_group['id'], 'name': member_group})
user_group = UserGroup.info({'id': user_group['id']})
list = Role.with_user(
username=ad_data['ldap_user_name'], password=ad_data['ldap_user_passwd']
).list()
assert len(list) > 1
def test_negative_no_permissions(self):
"""Attempt to execute command out of user's permissions
:id: 756f666f-270a-4b02-b587-a2ab09b7d46c
:expectedresults: Command is not executed
"""
result = configure_sessions()
self.assertEqual(result, 0, 'Failed to configure hammer sessions')
Auth.login({'username': self.uname_viewer, 'password': self.password})
result = Auth.with_user().status()
self.assertIn(LOGEDIN_MSG.format(self.uname_viewer),
result[0][u'message'])
# try to update user from viewer's session
with self.assertRaises(CLIReturnCodeError):
User.with_user().update({
'login': self.uname_admin,
'new-login': gen_string('alpha'),
})
def test_positive_log_out_from_session(self):
"""Check if session is terminated when user logs out
:id: 0ba05f2d-7b83-4b0c-a04c-80e62b7c4cf2
:Steps:
1. Set use_sessions
2. Authenticate, assert credentials are not demanded
on next command run
3. Run `hammer auth logout`
:expectedresults: The session is terminated
"""
result = configure_sessions()
self.assertEqual(result, 0, 'Failed to configure hammer sessions')
Auth.login({'username': self.uname_admin, 'password': self.password})
result = Auth.with_user().status()
self.assertIn(
LOGEDIN_MSG.format(self.uname_admin),
result[0][u'message']
)
# list organizations without supplying credentials
with self.assertNotRaises(CLIReturnCodeError):
Org.with_user().list()
Auth.logout()
result = Auth.with_user().status()
self.assertIn(
LOGEDOFF_MSG.format(self.uname_admin),
result[0][u'message']
)
with self.assertRaises(CLIReturnCodeError):
Org.with_user().list()
def test_positive_change_session(self):
"""Change from existing session to a different session
:id: b6ea6f3c-fcbd-4e7b-97bd-f3e0e6b9da8f
:Steps:
1. Set use_sessions
2. Authenticate, assert credentials are not demanded
on next command run
3. Login as a different user
:expectedresults: The session is altered
"""
result = configure_sessions()
self.assertEqual(result, 0, 'Failed to configure hammer sessions')
Auth.login({'username': self.uname_admin, 'password': self.password})
result = Auth.with_user().status()
self.assertIn(
LOGEDIN_MSG.format(self.uname_admin),
result[0][u'message']
)
# list organizations without supplying credentials
with self.assertNotRaises(CLIReturnCodeError):
Org.with_user().list()
Auth.login({'username': self.uname_viewer, 'password': self.password})
result = Auth.with_user().status()
self.assertIn(
LOGEDIN_MSG.format(self.uname_viewer),
result[0][u'message']
)
with self.assertNotRaises(CLIReturnCodeError):
Org.with_user().list()
def test_negative_no_credentials():
"""Attempt to execute command without authentication
:id: 8a3b5c68-1027-450f-997c-c5630218f49f
:expectedresults: Command is not executed
"""
result = configure_sessions(False)
assert result == 0, 'Failed to configure hammer sessions'
result = Auth.with_user().status()
assert NOTCONF_MSG in result[0]['message']
with pytest.raises(CLIReturnCodeError):
Org.with_user().list()
def test_negative_no_credentials(self):
"""Attempt to execute command without authentication
:id: 8a3b5c68-1027-450f-997c-c5630218f49f
:expectedresults: Command is not executed
"""
result = configure_sessions(False)
self.assertEqual(result, 0, 'Failed to configure hammer sessions')
result = Auth.with_user().status()
self.assertIn(NOTCONF_MSG.format(self.uname_admin), result[0]['message'])
with self.assertRaises(CLIReturnCodeError):
Org.with_user().list()
def test_positive_create_session(admin_user, target_sat):
"""Check if user stays authenticated with session enabled
:id: fcee7f5f-1040-41a9-bf17-6d0c24a93e22
:Steps:
1. Set use_sessions, set short expiration time
2. Authenticate, assert credentials are not demanded
on next command run
3. Wait until session expires, assert credentials
are required
:expectedresults: The session is successfully created and
expires after specified time
"""
try:
idle_timeout = Settings.list({'search':
'name=idle_timeout'})[0]['value']
Settings.set({'name': 'idle_timeout', 'value': 1})
result = configure_sessions(target_sat)
assert result == 0, 'Failed to configure hammer sessions'
AuthLogin.basic({
'username': admin_user['login'],
'password': password
})
result = Auth.with_user().status()
assert LOGEDIN_MSG.format(admin_user['login']) in result[0]['message']
# list organizations without supplying credentials
assert Org.with_user().list()
# wait until session expires
sleep(70)
with pytest.raises(CLIReturnCodeError):
Org.with_user().list()
result = Auth.with_user().status()
assert LOGEDOFF_MSG.format(admin_user['login']) in result[0]['message']
finally:
# reset timeout to default
Settings.set({'name': 'idle_timeout', 'value': f'{idle_timeout}'})
def test_negative_no_permissions(self):
"""Attempt to execute command out of user's permissions
:id: 756f666f-270a-4b02-b587-a2ab09b7d46c
:expectedresults: Command is not executed
"""
result = configure_sessions()
self.assertEqual(result, 0, 'Failed to configure hammer sessions')
Auth.login({'username': self.uname_viewer, 'password': self.password})
result = Auth.with_user().status()
self.assertIn(
LOGEDIN_MSG.format(self.uname_viewer),
result[0][u'message']
)
# try to update user from viewer's session
with self.assertRaises(CLIReturnCodeError):
User.with_user().update({
'login': self.uname_admin,
'new-login': gen_string('alpha'),
})
def test_positive_disable_session(self):
"""Check if user logs out when session is disabled
:id: 38ee0d85-c2fe-4cac-a992-c5dbcec11031
:Steps:
1. Set use_sessions
2. Authenticate, assert credentials are not demanded
on next command run
3. Disable use_sessions
:expectedresults: The session is terminated
"""
result = configure_sessions()
self.assertEqual(result, 0, 'Failed to configure hammer sessions')
Auth.login({'username': self.uname_admin, 'password': self.password})
result = Auth.with_user().status()
self.assertIn(
LOGEDIN_MSG.format(self.uname_admin),
result[0][u'message']
)
# list organizations without supplying credentials
with self.assertNotRaises(CLIReturnCodeError):
Org.with_user().list()
# disabling sessions
result = configure_sessions(False)
self.assertEqual(result, 0, 'Failed to configure hammer sessions')
result = Auth.with_user().status()
self.assertIn(
NOTCONF_MSG.format(self.uname_admin),
result[0][u'message']
)
with self.assertRaises(CLIReturnCodeError):
Org.with_user().list()
def test_negative_no_credentials(self):
"""Attempt to execute command without authentication
:id: 8a3b5c68-1027-450f-997c-c5630218f49f
:expectedresults: Command is not executed
"""
result = configure_sessions(False)
self.assertEqual(result, 0, 'Failed to configure hammer sessions')
result = Auth.with_user().status()
self.assertIn(
NOTCONF_MSG.format(self.uname_admin),
result[0][u'message']
)
with self.assertRaises(CLIReturnCodeError):
Org.with_user().list()
def test_negative_no_permissions(admin_user, non_admin_user):
"""Attempt to execute command out of user's permissions
:id: 756f666f-270a-4b02-b587-a2ab09b7d46c
:expectedresults: Command is not executed
"""
result = configure_sessions()
assert result == 0, 'Failed to configure hammer sessions'
AuthLogin.basic({
'username': non_admin_user['login'],
'password': password
})
result = Auth.with_user().status()
assert LOGEDIN_MSG.format(non_admin_user['login']) in result[0]['message']
# try to update user from viewer's session
with pytest.raises(CLIReturnCodeError):
User.with_user().update({
'login': admin_user['login'],
'new-login': gen_string('alpha')
})
def test_positive_session_survives_failed_login(self):
"""Check if session stays up after failed login attempt
:id: 6c4d5c4c-eff0-411b-829f-0c2f2ec26132
:BZ: 1465552
:Steps:
1. Set use_sessions
2. Authenticate, assert credentials are not demanded
on next command run
3. Run login with invalid credentials
:expectedresults: The session is unchanged
"""
result = configure_sessions()
self.assertEqual(result, 0, 'Failed to configure hammer sessions')
Auth.login({'username': self.uname_admin, 'password': self.password})
result = Auth.with_user().status()
self.assertIn(
LOGEDIN_MSG.format(self.uname_admin),
result[0][u'message']
)
with self.assertNotRaises(CLIReturnCodeError):
Org.with_user().list()
# using invalid password
with self.assertRaises(CLIReturnCodeError):
Auth.login({
'username': self.uname_viewer,
'password': gen_string('alpha')})
# checking the session status again
result = Auth.with_user().status()
self.assertIn(
LOGEDIN_MSG.format(self.uname_admin),
result[0][u'message']
)
with self.assertNotRaises(CLIReturnCodeError):
Org.with_user().list()
def test_usergroup_with_usergroup_sync(self, ipa_data):
"""Verify the usergroup-sync functionality in Ldap Auth Source
:id: 2b63e886-2c53-11ea-9da5-db3ae0527554
:expectedresults: external user-group sync works as expected automatically
based on user-sync
:CaseImportance: Medium
"""
self._clean_up_previous_ldap()
self.ldap_ipa_hostname = ipa_data['ldap_ipa_hostname']
self.ldap_ipa_user_passwd = ipa_data['ldap_ipa_user_passwd']
ldap_ipa_user_name = ipa_data['ldap_ipa_user_name']
ipa_group_base_dn = ipa_data['ipa_group_base_dn'].replace(
'foobargroup', 'foreman_group')
member_username = '******'
member_group = 'foreman_group'
LOGEDIN_MSG = "Using configured credentials for user '{0}'."
auth_source_name = gen_string('alpha')
auth_source = make_ldap_auth_source({
'name':
auth_source_name,
'onthefly-register':
'true',
'usergroup-sync':
'true',
'host':
ipa_data['ldap_ipa_hostname'],
'server-type':
LDAP_SERVER_TYPE['CLI']['ipa'],
'attr-login':
LDAP_ATTR['login'],
'attr-firstname':
LDAP_ATTR['firstname'],
'attr-lastname':
LDAP_ATTR['surname'],
'attr-mail':
LDAP_ATTR['mail'],
'account':
ldap_ipa_user_name,
'account-password':
ipa_data['ldap_ipa_user_passwd'],
'base-dn':
ipa_data['ipa_base_dn'],
'groups-base':
ipa_group_base_dn,
})
auth_source = LDAPAuthSource.info({'id': auth_source['server']['id']})
# Adding User in IPA UserGroup
self._add_user_in_IPA_usergroup(member_username, member_group)
viewer_role = Role.info({'name': 'Viewer'})
user_group = make_usergroup()
ext_user_group = make_usergroup_external({
'auth-source-id':
auth_source['server']['id'],
'user-group-id':
user_group['id'],
'name':
member_group,
})
UserGroup.add_role({
'id': user_group['id'],
'role-id': viewer_role['id']
})
assert ext_user_group['auth-source'] == auth_source['server']['name']
user_group = UserGroup.info({'id': user_group['id']})
assert len(user_group['users']) == 0
result = Auth.with_user(username=member_username,
password=self.ldap_ipa_user_passwd).status()
assert LOGEDIN_MSG.format(member_username) in result[0]['message']
list = Role.with_user(username=member_username,
password=self.ldap_ipa_user_passwd).list()
assert len(list) > 1
user_group = UserGroup.info({'id': user_group['id']})
assert len(user_group['users']) == 1
assert user_group['users'][0] == member_username
# Removing User in IPA UserGroup
self._remove_user_in_IPA_usergroup(member_username, member_group)
with pytest.raises(CLIReturnCodeError) as error:
Role.with_user(username=member_username,
password=self.ldap_ipa_user_passwd).list()
assert 'Missing one of the required permissions' in error.value.message
user_group = UserGroup.info({'id': user_group['id']})
assert len(user_group['users']) == 0
def test_usergroup_sync_with_refresh(self):
"""Verify the refresh functionality in Ldap Auth Source
:id: c905eb80-2bd0-11ea-abc3-ddb7dbb3c930
:expectedresults: external user-group sync works as expected as on-demand
sync based on refresh works
:CaseImportance: Medium
"""
self._clean_up_previous_ldap()
ldap_ipa_user_name = self.ldap_ipa_user_name
ipa_group_base_dn = self.ipa_group_base_dn.replace(
'foobargroup', 'foreman_group')
member_username = '******'
member_group = 'foreman_group'
LOGEDIN_MSG = "Using configured credentials for user '{0}'."
auth_source_name = gen_string('alpha')
auth_source = make_ldap_auth_source({
'name':
auth_source_name,
'onthefly-register':
'true',
'usergroup-sync':
'false',
'host':
self.ldap_ipa_hostname,
'server-type':
LDAP_SERVER_TYPE['CLI']['ipa'],
'attr-login':
LDAP_ATTR['login'],
'attr-firstname':
LDAP_ATTR['firstname'],
'attr-lastname':
LDAP_ATTR['surname'],
'attr-mail':
LDAP_ATTR['mail'],
'account':
ldap_ipa_user_name,
'account-password':
self.ldap_ipa_user_passwd,
'base-dn':
self.ipa_base_dn,
'groups-base':
ipa_group_base_dn,
})
auth_source = LDAPAuthSource.info({'id': auth_source['server']['id']})
# Adding User in IPA UserGroup
self._add_user_in_IPA_usergroup(member_username, member_group)
viewer_role = Role.info({'name': 'Viewer'})
user_group = make_usergroup()
ext_user_group = make_usergroup_external({
'auth-source-id':
auth_source['server']['id'],
'user-group-id':
user_group['id'],
'name':
member_group,
})
UserGroup.add_role({
'id': user_group['id'],
'role-id': viewer_role['id']
})
assert ext_user_group['auth-source'] == auth_source['server']['name']
user_group = UserGroup.info({'id': user_group['id']})
assert len(user_group['users']) == 0
result = Auth.with_user(username=member_username,
password=self.ldap_ipa_user_passwd).status()
assert LOGEDIN_MSG.format(member_username) in result[0]['message']
with self.assertRaises(CLIReturnCodeError) as error:
Role.with_user(username=member_username,
password=self.ldap_ipa_user_passwd).list()
assert 'Missing one of the required permissions' in error.exception.message
with self.assertNotRaises(CLIReturnCodeError):
UserGroupExternal.refresh({
'user-group-id': user_group['id'],
'name': member_group
})
list = Role.with_user(username=member_username,
password=self.ldap_ipa_user_passwd).list()
assert len(list) > 1
user_group = UserGroup.info({'id': user_group['id']})
assert len(user_group['users']) == 1
assert user_group['users'][0] == member_username
# Removing User in IPA UserGroup
self._remove_user_in_IPA_usergroup(member_username, member_group)
with self.assertNotRaises(CLIReturnCodeError):
UserGroupExternal.refresh({
'user-group-id': user_group['id'],
'name': member_group
})
user_group = UserGroup.info({'id': user_group['id']})
assert len(user_group['users']) == 0
with self.assertRaises(CLIReturnCodeError) as error:
Role.with_user(username=member_username,
password=self.ldap_ipa_user_passwd).list()
assert 'Missing one of the required permissions' in error.exception.message
