Пример #1
0
def test_ldap_auto_private_groups_direct_no_gid(ldap_conn, mpg_setup_no_gid):
    """
    Integration test for auto_private_groups - test that even a user with
    no GID assigned at all can be resolved including their autogenerated
    primary group.

    See also ticket https://pagure.io/SSSD/sssd/issue/1872
    """
    # Make sure the user's GID is taken from their uidNumber
    ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001, gid=1001))
    # Make sure the private group is resolvable by name and by GID
    ent.assert_group_by_name("user1", dict(gid=1001, mem=ent.contains_only()))
    ent.assert_group_by_gid(1001, dict(name="user1", mem=ent.contains_only()))

    # The group referenced in user's gidNumber attribute should be still
    # visible, but shouldn't have any relation to the user
    ent.assert_group_by_name("group1", dict(gid=2001, mem=ent.contains_only()))
    ent.assert_group_by_gid(2001, dict(name="group1", mem=ent.contains_only()))

    # The user's secondary groups list must be correct as well. This time only
    # the generated group and the explicit secondary group are added, since
    # there is no original GID
    user1_expected_gids = [1001, 2015]
    (res, errno, gids) = sssd_id.call_sssd_initgroups("user1", 1001)
    assert res == sssd_id.NssReturnCode.SUCCESS

    assert sorted(gids) == sorted(user1_expected_gids), \
        "result: %s\n expected %s" % (
            ", ".join(["%s" % s for s in sorted(gids)]),
            ", ".join(["%s" % s for s in sorted(user1_expected_gids)])
        )
Пример #2
0
def run_simple_test_with_initgroups():
    ent.assert_passwd_by_name(
        'user1',
        dict(name='user1', passwd='*', uid=1001, gid=2001,
             gecos='1001', shell='/bin/bash'))
    ent.assert_passwd_by_uid(
        1001,
        dict(name='user1', passwd='*', uid=1001, gid=2001,
             gecos='1001', shell='/bin/bash'))

    ent.assert_group_by_name(
        "group1",
        dict(mem=ent.contains_only("user1", "user11", "user21")))
    ent.assert_group_by_gid(
        2001,
        dict(mem=ent.contains_only("user1", "user11", "user21")))

    # unrelated group to user1
    ent.assert_group_by_name(
        "group2",
        dict(mem=ent.contains_only("user2", "user12", "user22")))
    ent.assert_group_by_gid(
        2002,
        dict(mem=ent.contains_only("user2", "user12", "user22")))

    assert_initgroups_equal("user1", 2001, [2000, 2001])
Пример #3
0
def test_ldap_auto_private_groups_conflict(ldap_conn, mpg_setup_conflict):
    """
    Make sure that conflicts between groups that are auto-created with the
    help of the auto_private_groups option and between 'real' LDAP groups
    are handled in a predictable manner.
    """
    # Make sure the user's GID is taken from their uidNumber
    ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001, gid=1001))
    # Make sure the private group is resolvable by name and by GID
    ent.assert_group_by_name("user1", dict(gid=1001, mem=ent.contains_only()))
    ent.assert_group_by_gid(1001, dict(name="user1", mem=ent.contains_only()))

    # Let's request the group with the same ID as user2's private group
    # The request should match the 'real' group
    ent.assert_group_by_gid(1002, dict(name="group2", mem=ent.contains_only()))
    # But because of the GID conflict, the user cannot be resolved
    with pytest.raises(KeyError):
        pwd.getpwnam("user2")

    # This user's GID is the same as the UID in this entry. The most important
    # thing here is that the supplementary groups are correct and the GID
    # resolves to the private group (as long as the user was requested first)
    user3_expected_gids = [1003, 2015]
    ent.assert_passwd_by_name("user3", dict(name="user3", uid=1003, gid=1003))
    (res, errno, gids) = sssd_id.call_sssd_initgroups("user3", 1003)
    assert res == sssd_id.NssReturnCode.SUCCESS

    assert sorted(gids) == sorted(user3_expected_gids), \
        "result: %s\n expected %s" % (
            ", ".join(["%s" % s for s in sorted(gids)]),
            ", ".join(["%s" % s for s in sorted(user3_expected_gids)])
        )
    # Make sure the private group is resolvable by name and by GID
    ent.assert_group_by_gid(1003, dict(name="user3", mem=ent.contains_only()))
    ent.assert_group_by_name("user3", dict(gid=1003, mem=ent.contains_only()))
Пример #4
0
def test_add_remove_membership_rfc2307_bis(ldap_conn, user_and_groups_rfc2307_bis):
    """
    Test user and group membership addition and removal are reflected by SSSD,
    with RFC2307bis schema
    """
    time.sleep(INTERACTIVE_TIMEOUT / 2)
    # Add user to group1
    ent.assert_group_by_name("group1", dict(mem=ent.contains_only()))
    ldap_conn.modify_s(
        "cn=group1,ou=Groups," + ldap_conn.ds_inst.base_dn,
        [(ldap.MOD_REPLACE, "member", "uid=user,ou=Users," + ldap_conn.ds_inst.base_dn)],
    )
    time.sleep(INTERACTIVE_TIMEOUT)
    ent.assert_group_by_name("group1", dict(mem=ent.contains_only("user")))

    # Add group1 to group2
    ldap_conn.modify_s(
        "cn=group2,ou=Groups," + ldap_conn.ds_inst.base_dn,
        [(ldap.MOD_REPLACE, "member", "cn=group1,ou=Groups," + ldap_conn.ds_inst.base_dn)],
    )
    time.sleep(INTERACTIVE_TIMEOUT)
    ent.assert_group_by_name("group2", dict(mem=ent.contains_only("user")))

    # Remove group1 from group2
    ldap_conn.modify_s("cn=group2,ou=Groups," + ldap_conn.ds_inst.base_dn, [(ldap.MOD_DELETE, "member", None)])
    time.sleep(INTERACTIVE_TIMEOUT)
    ent.assert_group_by_name("group2", dict(mem=ent.contains_only()))

    # Remove user from group1
    ldap_conn.modify_s("cn=group1,ou=Groups," + ldap_conn.ds_inst.base_dn, [(ldap.MOD_DELETE, "member", None)])
    time.sleep(INTERACTIVE_TIMEOUT)
    ent.assert_group_by_name("group1", dict(mem=ent.contains_only()))
Пример #5
0
def run_simple_test_with_initgroups():
    ent.assert_passwd_by_name(
        'user1',
        dict(name='user1',
             passwd='*',
             uid=1001,
             gid=2001,
             gecos='1001',
             shell='/bin/bash'))
    ent.assert_passwd_by_uid(
        1001,
        dict(name='user1',
             passwd='*',
             uid=1001,
             gid=2001,
             gecos='1001',
             shell='/bin/bash'))

    ent.assert_group_by_name(
        "group1", dict(mem=ent.contains_only("user1", "user11", "user21")))
    ent.assert_group_by_gid(
        2001, dict(mem=ent.contains_only("user1", "user11", "user21")))

    # unrelated group to user1
    ent.assert_group_by_name(
        "group2", dict(mem=ent.contains_only("user2", "user12", "user22")))
    ent.assert_group_by_gid(
        2002, dict(mem=ent.contains_only("user2", "user12", "user22")))

    assert_initgroups_equal("user1", 2001, [2000, 2001])
Пример #6
0
def assert_mc_records_for_user1():
    ent.assert_passwd_by_name(
        'user1',
        dict(name='user1',
             passwd='*',
             uid=1001,
             gid=2001,
             gecos='1001',
             shell='/bin/bash'))
    ent.assert_passwd_by_uid(
        1001,
        dict(name='user1',
             passwd='*',
             uid=1001,
             gid=2001,
             gecos='1001',
             shell='/bin/bash'))

    ent.assert_group_by_name(
        "group1", dict(mem=ent.contains_only("user1", "user11", "user21")))
    ent.assert_group_by_gid(
        2001, dict(mem=ent.contains_only("user1", "user11", "user21")))
    ent.assert_group_by_name(
        "group0x", dict(mem=ent.contains_only("user1", "user2", "user3")))
    ent.assert_group_by_gid(
        2000, dict(mem=ent.contains_only("user1", "user2", "user3")))

    assert_initgroups_equal("user1", 2001, [2000, 2001])
Пример #7
0
def test_sanity_rfc2307(ldap_conn, sanity_rfc2307):
    passwd_pattern = expected_list_to_name_dict([
        dict(name='user1', passwd='*', uid=1001, gid=2001, gecos='1001',
             dir='/home/user1', shell='/bin/bash'),
        dict(name='user2', passwd='*', uid=1002, gid=2002, gecos='1002',
             dir='/home/user2', shell='/bin/bash'),
        dict(name='user3', passwd='*', uid=1003, gid=2003, gecos='1003',
             dir='/home/user3', shell='/bin/bash')
    ])
    ent.assert_each_passwd_by_name(passwd_pattern)

    group_pattern = expected_list_to_name_dict([
        dict(name='group1', passwd='*', gid=2001, mem=ent.contains_only()),
        dict(name='group2', passwd='*', gid=2002, mem=ent.contains_only()),
        dict(name='group3', passwd='*', gid=2003, mem=ent.contains_only()),
        dict(name='empty_group', passwd='*', gid=2010,
             mem=ent.contains_only()),
        dict(name='two_user_group', passwd='*', gid=2012,
             mem=ent.contains_only("user1", "user2"))
    ])
    ent.assert_each_group_by_name(group_pattern)

    with pytest.raises(KeyError):
        pwd.getpwnam("non_existent_user")
    with pytest.raises(KeyError):
        pwd.getpwuid(1)
    with pytest.raises(KeyError):
        grp.getgrnam("non_existent_group")
    with pytest.raises(KeyError):
        grp.getgrgid(1)
Пример #8
0
def test_nss_filters_cached(ldap_conn, sanity_nss_filter_cached):
    passwd_pattern = expected_list_to_name_dict([
        dict(name='user1', passwd='*', uid=1001, gid=2001, gecos='1001',
             dir='/home/user1', shell='/bin/bash'),
        dict(name='user3', passwd='*', uid=1003, gid=2003, gecos='1003',
             dir='/home/user3', shell='/bin/bash')
    ])
    ent.assert_each_passwd_by_name(passwd_pattern)

    # test filtered user
    with pytest.raises(KeyError):
        pwd.getpwuid(1002)
    time.sleep(2)
    with pytest.raises(KeyError):
        pwd.getpwuid(1002)

    group_pattern = expected_list_to_name_dict([
        dict(name='group1', passwd='*', gid=2001, mem=ent.contains_only()),
        dict(name='group3', passwd='*', gid=2003, mem=ent.contains_only()),
    ])
    ent.assert_each_group_by_name(group_pattern)

    # test filtered group
    with pytest.raises(KeyError):
        grp.getgrgid(2002)
    time.sleep(2)
    with pytest.raises(KeyError):
        grp.getgrgid(2002)
Пример #9
0
def test_sanity_rfc2307(ldap_conn, sanity_rfc2307):
    passwd_pattern = expected_list_to_name_dict([
        dict(name='user1', passwd='*', uid=1001, gid=2001, gecos='1001',
             dir='/home/user1', shell='/bin/bash'),
        dict(name='user2', passwd='*', uid=1002, gid=2002, gecos='1002',
             dir='/home/user2', shell='/bin/bash'),
        dict(name='user3', passwd='*', uid=1003, gid=2003, gecos='1003',
             dir='/home/user3', shell='/bin/bash')
    ])
    ent.assert_each_passwd_by_name(passwd_pattern)

    group_pattern = expected_list_to_name_dict([
        dict(name='group1', passwd='*', gid=2001, mem=ent.contains_only()),
        dict(name='group2', passwd='*', gid=2002, mem=ent.contains_only()),
        dict(name='group3', passwd='*', gid=2003, mem=ent.contains_only()),
        dict(name='empty_group', passwd='*', gid=2010,
             mem=ent.contains_only()),
        dict(name='two_user_group', passwd='*', gid=2012,
             mem=ent.contains_only("user1", "user2"))
    ])
    ent.assert_each_group_by_name(group_pattern)

    with pytest.raises(KeyError):
        pwd.getpwnam("non_existent_user")
    with pytest.raises(KeyError):
        pwd.getpwuid(1)
    with pytest.raises(KeyError):
        grp.getgrnam("non_existent_group")
    with pytest.raises(KeyError):
        grp.getgrgid(1)
Пример #10
0
def test_assert_passwd_list(users_and_groups):
    ent.assert_passwd_list(ent.contains())
    ent.assert_passwd_list(ent.contains(USER1))
    ent.assert_passwd_list(ent.contains_only(*USER_LIST))
    try:
        ent.assert_passwd_list(ent.contains_only())
        assert False
    except AssertionError, e:
        assert not re.search("expected users not found:", str(e))
        assert re.search("unexpected users found:", str(e))
Пример #11
0
def test_assert_group_list(users_and_groups):
    ent.assert_group_list(ent.contains())
    ent.assert_group_list(ent.contains(GROUP1))
    ent.assert_group_list(ent.contains_only(*GROUP_LIST))
    try:
        ent.assert_group_list(ent.contains_only())
        assert False
    except AssertionError, e:
        assert not re.search("expected groups not found:", str(e))
        assert re.search("unexpected groups found:", str(e))
Пример #12
0
def test_assert_passwd_list(users_and_groups):
    ent.assert_passwd_list(ent.contains())
    ent.assert_passwd_list(ent.contains(USER1))
    ent.assert_passwd_list(ent.contains_only(*USER_LIST))
    try:
        ent.assert_passwd_list(ent.contains_only())
        assert False
    except AssertionError, e:
        assert not re.search("expected users not found:", str(e))
        assert re.search("unexpected users found:", str(e))
Пример #13
0
def test_assert_group_list(users_and_groups):
    ent.assert_group_list(ent.contains())
    ent.assert_group_list(ent.contains(GROUP1))
    ent.assert_group_list(ent.contains_only(*GROUP_LIST))
    try:
        ent.assert_group_list(ent.contains_only())
        assert False
    except AssertionError, e:
        assert not re.search("expected groups not found:", str(e))
        assert re.search("unexpected groups found:", str(e))
Пример #14
0
def test_add_remove_membership_rfc2307(ldap_conn, user_and_group_rfc2307):
    """Test user membership addition and removal are reflected by SSSD"""
    time.sleep(INTERACTIVE_TIMEOUT / 2)
    # Add user to group
    ent.assert_group_by_name("group", dict(mem=ent.contains_only()))
    ldap_conn.modify_s("cn=group,ou=Groups," + ldap_conn.ds_inst.base_dn, [(ldap.MOD_REPLACE, "memberUid", "user")])
    time.sleep(INTERACTIVE_TIMEOUT)
    ent.assert_group_by_name("group", dict(mem=ent.contains_only("user")))
    # Remove user from group
    ldap_conn.modify_s("cn=group,ou=Groups," + ldap_conn.ds_inst.base_dn, [(ldap.MOD_DELETE, "memberUid", None)])
    time.sleep(INTERACTIVE_TIMEOUT)
    ent.assert_group_by_name("group", dict(mem=ent.contains_only()))
Пример #15
0
def test_remove_user_from_nested_group(ldap_conn,
                                       remove_user_from_nested_group):

    group3_dn = 'cn=group3,ou=Groups,' + ldap_conn.ds_inst.base_dn

    ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001, gid=2001))
    ent.assert_passwd_by_name("user2", dict(name="user2", uid=1002, gid=2002))

    ent.assert_group_by_name("group1",
                             dict(mem=ent.contains_only("user1")))
    ent.assert_group_by_name("group2",
                             dict(mem=ent.contains_only("user2")))

    ent.assert_group_by_name("group3",
                             dict(mem=ent.contains_only("user1",
                                                        "user2")))

    # removing of group2 from group3
    old = {'member': [b"cn=group1,ou=Groups,dc=example,dc=com",
                      b"cn=group2,ou=Groups,dc=example,dc=com"]}
    new = {'member': [b"cn=group1,ou=Groups,dc=example,dc=com"]}

    ldif = ldap.modlist.modifyModlist(old, new)
    ldap_conn.modify_s(group3_dn, ldif)

    if subprocess.call(["sss_cache", "-GU"]) != 0:
        raise Exception("sssd_cache failed")

    ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001, gid=2001))
    ent.assert_passwd_by_name("user2", dict(name="user2", uid=1002, gid=2002))

    ent.assert_group_by_name("group1",
                             dict(mem=ent.contains_only("user1")))
    ent.assert_group_by_name("group2",
                             dict(mem=ent.contains_only("user2")))
    ent.assert_group_by_name("group3",
                             dict(mem=ent.contains_only("user1")))

    # removing of group1 from group3
    old = {'member': [b"cn=group1,ou=Groups,dc=example,dc=com"]}
    new = {'member': []}

    ldif = ldap.modlist.modifyModlist(old, new)
    ldap_conn.modify_s(group3_dn, ldif)

    if subprocess.call(["sss_cache", "-GU"]) != 0:
        raise Exception("sssd_cache failed")

    ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001, gid=2001))
    ent.assert_passwd_by_name("user2", dict(name="user2", uid=1002, gid=2002))

    ent.assert_group_by_name("group1",
                             dict(mem=ent.contains_only("user1")))
    ent.assert_group_by_name("group2",
                             dict(mem=ent.contains_only("user2")))
    ent.assert_group_by_name("group3",
                             dict(mem=ent.contains_only()))
Пример #16
0
def test_nss_filters_cached(ldap_conn, sanity_nss_filter_cached):
    passwd_pattern = expected_list_to_name_dict([
        dict(name='user1',
             passwd='*',
             uid=1001,
             gid=2001,
             gecos='1001',
             dir='/home/user1',
             shell='/bin/bash'),
        dict(name='user3',
             passwd='*',
             uid=1003,
             gid=2003,
             gecos='1003',
             dir='/home/user3',
             shell='/bin/bash')
    ])
    ent.assert_each_passwd_by_name(passwd_pattern)

    # test filtered user
    with pytest.raises(KeyError):
        pwd.getpwuid(1002)
    time.sleep(2)
    with pytest.raises(KeyError):
        pwd.getpwuid(1002)

    group_pattern = expected_list_to_name_dict([
        dict(name='group1', passwd='*', gid=2001, mem=ent.contains_only()),
        dict(name='group3', passwd='*', gid=2003, mem=ent.contains_only()),
    ])
    ent.assert_each_group_by_name(group_pattern)

    # test filtered group
    with pytest.raises(KeyError):
        grp.getgrgid(2002)
    time.sleep(2)
    with pytest.raises(KeyError):
        grp.getgrgid(2002)

    # test that root is always filtered even if filter_users contains other
    # entries. This is a regression test for upstream ticket #3460
    res, _ = call_sssd_getpwnam("root")
    assert res == NssReturnCode.NOTFOUND

    res, _ = call_sssd_getgrnam("root")
    assert res == NssReturnCode.NOTFOUND

    res, _ = call_sssd_getpwuid(0)
    assert res == NssReturnCode.NOTFOUND

    res, _ = call_sssd_getgrgid(0)
    assert res == NssReturnCode.NOTFOUND
Пример #17
0
def test_remove_user_from_nested_group(ldap_conn,
                                       remove_user_from_nested_group):

    group3_dn = 'cn=group3,ou=Groups,' + ldap_conn.ds_inst.base_dn

    ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001, gid=2001))
    ent.assert_passwd_by_name("user2", dict(name="user2", uid=1002, gid=2002))

    ent.assert_group_by_name("group1",
                             dict(mem=ent.contains_only("user1")))
    ent.assert_group_by_name("group2",
                             dict(mem=ent.contains_only("user2")))

    ent.assert_group_by_name("group3",
                             dict(mem=ent.contains_only("user1",
                                                        "user2")))

    # removing of group2 from group3
    old = {'member': ["cn=group1,ou=Groups,dc=example,dc=com",
                      "cn=group2,ou=Groups,dc=example,dc=com"]}
    new = {'member': ["cn=group1,ou=Groups,dc=example,dc=com"]}

    ldif = ldap.modlist.modifyModlist(old, new)
    ldap_conn.modify_s(group3_dn, ldif)

    if subprocess.call(["sss_cache", "-GU"]) != 0:
        raise Exception("sssd_cache failed")

    ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001, gid=2001))
    ent.assert_passwd_by_name("user2", dict(name="user2", uid=1002, gid=2002))

    ent.assert_group_by_name("group1",
                             dict(mem=ent.contains_only("user1")))
    ent.assert_group_by_name("group2",
                             dict(mem=ent.contains_only("user2")))
    ent.assert_group_by_name("group3",
                             dict(mem=ent.contains_only("user1")))

    # removing of group1 from group3
    old = {'member': ["cn=group1,ou=Groups,dc=example,dc=com"]}
    new = {'member': []}

    ldif = ldap.modlist.modifyModlist(old, new)
    ldap_conn.modify_s(group3_dn, ldif)

    if subprocess.call(["sss_cache", "-GU"]) != 0:
        raise Exception("sssd_cache failed")

    ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001, gid=2001))
    ent.assert_passwd_by_name("user2", dict(name="user2", uid=1002, gid=2002))

    ent.assert_group_by_name("group1",
                             dict(mem=ent.contains_only("user1")))
    ent.assert_group_by_name("group2",
                             dict(mem=ent.contains_only("user2")))
    ent.assert_group_by_name("group3",
                             dict(mem=ent.contains_only()))
Пример #18
0
def test_add_remove_group_rfc2307_bis(ldap_conn, blank_rfc2307_bis):
    """Test RFC2307bis group addition and removal are reflected by SSSD"""
    e = ldap_ent.group_bis(ldap_conn.ds_inst.base_dn, "group", 2001)
    time.sleep(INTERACTIVE_TIMEOUT / 2)
    # Add the group
    ent.assert_group(ent.contains_only())
    ldap_conn.add_s(*e)
    time.sleep(INTERACTIVE_TIMEOUT)
    ent.assert_group(ent.contains_only(dict(name="group", gid=2001)))
    # Remove the group
    ldap_conn.delete_s(e[0])
    time.sleep(INTERACTIVE_TIMEOUT)
    ent.assert_group(ent.contains_only())
Пример #19
0
def test_add_remove_user(ldap_conn, blank_rfc2307):
    """Test user addition and removal are reflected by SSSD"""
    e = ldap_ent.user(ldap_conn.ds_inst.base_dn, "user", 2001, 2000)
    time.sleep(INTERACTIVE_TIMEOUT / 2)
    # Add the user
    ent.assert_passwd(ent.contains_only())
    ldap_conn.add_s(*e)
    time.sleep(INTERACTIVE_TIMEOUT)
    ent.assert_passwd(ent.contains_only(dict(name="user", uid=2001)))
    # Remove the user
    ldap_conn.delete_s(e[0])
    time.sleep(INTERACTIVE_TIMEOUT)
    ent.assert_passwd(ent.contains_only())
Пример #20
0
def test_root_group_override(ldap_conn, env_root_group_override):
    """Test entries are overriden"""

    group = dict(gid=2001, mem=ent.contains_only("user1", "user2"))
    empty_group = dict(gid=2002, mem=ent.contains_only())

    ent.assert_group_by_name("group", group)
    ent.assert_group_by_name("ov_group", group)
    ent.assert_group_by_name("group@LDAP", group)
    ent.assert_group_by_name("ov_group@LDAP", group)
    ent.assert_group_by_name("empty_group", empty_group)
    ent.assert_group_by_name("ov_empty_group", empty_group)
    ent.assert_group_by_name("empty_group@LDAP", empty_group)
    ent.assert_group_by_name("ov_empty_group@LDAP", empty_group)
Пример #21
0
def assert_group_overriden():

    # Assert entries are overridden
    empty_group = dict(gid=3002, mem=ent.contains_only())
    group = dict(gid=3001, mem=ent.contains_only("user1", "user2"))

    ent.assert_group_by_name("group", group)
    ent.assert_group_by_name("group@LDAP", group)
    ent.assert_group_by_name("ov_group", group)
    ent.assert_group_by_name("ov_group@LDAP", group)

    ent.assert_group_by_name("empty_group", empty_group)
    ent.assert_group_by_name("empty_group@LDAP", empty_group)
    ent.assert_group_by_name("ov_empty_group", empty_group)
    ent.assert_group_by_name("ov_empty_group@LDAP", empty_group)
Пример #22
0
def assert_group_overriden():

    # Assert entries are overridden
    empty_group = dict(gid=3002, mem=ent.contains_only())
    group = dict(gid=3001, mem=ent.contains_only("user1", "user2"))

    ent.assert_group_by_name("group", group)
    ent.assert_group_by_name("group@LDAP", group)
    ent.assert_group_by_name("ov_group", group)
    ent.assert_group_by_name("ov_group@LDAP", group)

    ent.assert_group_by_name("empty_group", empty_group)
    ent.assert_group_by_name("empty_group@LDAP", empty_group)
    ent.assert_group_by_name("ov_empty_group", empty_group)
    ent.assert_group_by_name("ov_empty_group@LDAP", empty_group)
Пример #23
0
def test_override_shell(override_shell):
    """Test the effect of the "override_shell" option"""
    ent.assert_passwd(
        ent.contains_only(
            dict(name="user_with_shell_A", uid=1001, shell="/bin/B"),
            dict(name="user_with_shell_B", uid=1002, shell="/bin/B"),
            dict(name="user_with_empty_shell", uid=1003, shell="/bin/B")))
Пример #24
0
def test_group_2307_update_same_attrs(ldap_conn,
                                      ldb_examine,
                                      setup_rfc2307):
    """
    Test that a group update with a different modifyTimestamp but the same
    attrs does not trigger sysdb cache update
    """
    ldb_conn = ldb_examine
    old_sysdb_attrs, old_ts_attrs = prime_cache_group(
                                                ldb_conn, "group1",
                                                ("user1", "user11", "user21"))

    # modify an argument we don't save to the cache. This will bump the
    # modifyTimestamp attribute, but the attributes themselves will be the same
    # from sssd's point of view
    ldap_conn.modify_s("cn=group1,ou=Groups," + ldap_conn.ds_inst.base_dn,
                       [(ldap.MOD_ADD, "description", "group one")])
    # wait for slapd to change its database
    time.sleep(1)

    ent.assert_group_by_name(
        "group1",
        dict(mem=ent.contains_only("user1", "user11", "user21")))
    sysdb_attrs, ts_attrs = get_group_attrs(ldb_conn, "group1",
                                            SSSD_DOMAIN, TS_ATTRLIST)

    assert_same_attrval(sysdb_attrs, old_sysdb_attrs, "dataExpireTimestamp")
    assert_same_attrval(sysdb_attrs, old_sysdb_attrs,
                        "originalModifyTimestamp")

    assert_diff_attrval(ts_attrs, old_ts_attrs, "dataExpireTimestamp")
    assert_diff_attrval(ts_attrs, old_ts_attrs, "originalModifyTimestamp")
Пример #25
0
def test_group_2307_update_diff_attrs(ldap_conn,
                                      ldb_examine,
                                      setup_rfc2307):
    """
    Test that a group update with different attribute triggers cache update
    """
    ldb_conn = ldb_examine
    old_sysdb_attrs, old_ts_attrs = prime_cache_group(
                                                ldb_conn, "group1",
                                                ("user1", "user11", "user21"))

    ldap_conn.modify_s("cn=group1,ou=Groups," + ldap_conn.ds_inst.base_dn,
                       [(ldap.MOD_DELETE, "memberUid", "user1")])
    # wait for slapd to change its database
    time.sleep(1)

    ent.assert_group_by_name(
        "group1",
        dict(mem=ent.contains_only("user11", "user21")))
    sysdb_attrs, ts_attrs = get_group_attrs(ldb_conn, "group1",
                                            SSSD_DOMAIN, TS_ATTRLIST)

    assert_diff_attrval(sysdb_attrs, old_sysdb_attrs, "dataExpireTimestamp")
    assert_diff_attrval(sysdb_attrs, old_sysdb_attrs,
                        "originalModifyTimestamp")

    assert_diff_attrval(ts_attrs, old_ts_attrs, "dataExpireTimestamp")
    assert_diff_attrval(ts_attrs, old_ts_attrs, "originalModifyTimestamp")
Пример #26
0
def test_group_show_basic_sanity(ldap_conn, sanity_rfc2307, portable_LC_ALL):
    # Fill the cache first
    ent.assert_group_by_name("group1", dict(mem=ent.contains_only("user1")))
    ent.assert_group_by_name("CamelCaseGroup1",
                             dict(mem=ent.contains_only("CamelCaseUser1")))

    output = get_call_output(["sssctl", "group-show", "group1"])
    assert output.find("Name: group1") != -1
    assert output.find("Cached in InfoPipe: No") != -1

    output = get_call_output(["sssctl", "group-show", "CamelCaseGroup1"])
    assert output.find("Name: CamelCaseGroup1") != -1
    assert output.find("Cached in InfoPipe: No") != -1

    output = get_call_output(["sssctl", "group-show", "camelcasegroup1"])
    assert output.find("Group camelcasegroup1 is not present in cache.") != -1
Пример #27
0
def test_fallback_homedir(fallback_homedir):
    """Test the effect of the "fallback_homedir" option"""
    ent.assert_passwd(
        ent.contains_only(
            dict(name="user_with_homedir_A", uid=1001, dir="/home/A"),
            dict(name="user_with_homedir_B", uid=1002, dir="/home/B"),
            dict(name="user_with_empty_homedir", uid=1003, dir="/home/B")))
Пример #28
0
def test_zero_nesting_level(ldap_conn, rfc2307bis_no_nesting):
    """
    Test initgroups operation with rfc2307bis schema asserting
    only primary group and parent groups are included in group
    list. No parent groups of groups should be returned with zero
    group nesting level.
    """
    ent.assert_group_by_name("parentgroup",
                             dict(mem=ent.contains_only("user1")))
    ent.assert_group_by_name("nestedgroup", dict(mem=ent.contains_only()))

    (res, errno, grp_list) = sssd_id.get_user_groups("user1")
    assert res == sssd_id.NssReturnCode.SUCCESS, \
        "Could not find groups for user1, %d" % errno

    ## test nestedgroup is not returned in group list
    assert sorted(grp_list) == sorted(["primarygroup", "parentgroup"])
Пример #29
0
def test_sanity_rfc2307(ldap_conn, sanity_rfc2307):
    passwd_pattern = ent.contains_only(
        dict(name="user1", passwd="*", uid=1001, gid=2001, gecos="1001", dir="/home/user1", shell="/bin/bash"),
        dict(name="user2", passwd="*", uid=1002, gid=2002, gecos="1002", dir="/home/user2", shell="/bin/bash"),
        dict(name="user3", passwd="*", uid=1003, gid=2003, gecos="1003", dir="/home/user3", shell="/bin/bash"),
    )
    ent.assert_passwd(passwd_pattern)

    group_pattern = ent.contains_only(
        dict(name="group1", passwd="*", gid=2001, mem=ent.contains_only()),
        dict(name="group2", passwd="*", gid=2002, mem=ent.contains_only()),
        dict(name="group3", passwd="*", gid=2003, mem=ent.contains_only()),
        dict(name="empty_group", passwd="*", gid=2010, mem=ent.contains_only()),
        dict(name="two_user_group", passwd="*", gid=2012, mem=ent.contains_only("user1", "user2")),
    )
    ent.assert_group(group_pattern)

    with pytest.raises(KeyError):
        pwd.getpwnam("non_existent_user")
    with pytest.raises(KeyError):
        pwd.getpwuid(1)
    with pytest.raises(KeyError):
        grp.getgrnam("non_existent_group")
    with pytest.raises(KeyError):
        grp.getgrgid(1)
Пример #30
0
def test_all_ent(all):
    """Test "all" scope with getpwent"""
    ent.assert_passwd_list(
        ent.contains_only(
            dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL),
            dict(name="user2", uid=1002, shell=config.SESSION_RECORDING_SHELL),
            dict(name="user3", uid=1003, shell=config.SESSION_RECORDING_SHELL),
            dict(name="user4", uid=1004, shell=config.SESSION_RECORDING_SHELL),
        ))
Пример #31
0
def test_assert_group(users_and_groups):
    ent.assert_group(ent.contains())
    ent.assert_group(ent.contains(GROUP1))
    ent.assert_group(ent.contains_only(*GROUP_LIST))
    try:
        ent.assert_group(ent.contains(dict(name="group3", gid=2003)))
        assert False
    except AssertionError as e:
        assert re.search("list mismatch:", str(e))
        assert re.search("expected groups not found:", str(e))
        assert not re.search("unexpected groups found:", str(e))
    try:
        ent.assert_group(ent.contains_only(GROUP1))
        assert False
    except AssertionError as e:
        assert re.search("list mismatch:", str(e))
        assert not re.search("expected groups not found:", str(e))
        assert re.search("unexpected groups found:", str(e))
Пример #32
0
def test_assert_passwd(users_and_groups):
    ent.assert_passwd(ent.contains())
    ent.assert_passwd(ent.contains(USER1))
    ent.assert_passwd(ent.contains_only(*USER_LIST))
    try:
        ent.assert_passwd(ent.contains(dict(name="user3", uid=1003)))
        assert False
    except AssertionError as e:
        assert re.search("list mismatch:", str(e))
        assert re.search("expected users not found:", str(e))
        assert not re.search("unexpected users found:", str(e))
    try:
        ent.assert_passwd(ent.contains_only(USER1))
        assert False
    except AssertionError as e:
        assert re.search("list mismatch:", str(e))
        assert not re.search("expected users not found:", str(e))
        assert re.search("unexpected users found:", str(e))
Пример #33
0
def test_all_exclude_groups_ent(all_exclude_groups):
    """Test "all" scope with group list and getpwent"""
    ent.assert_passwd_list(
        ent.contains_only(
            dict(name="user1", uid=1001, shell="/bin/sh1"),
            dict(name="user2", uid=1002, shell="/bin/sh2"),
            dict(name="user3", uid=1003, shell="/bin/sh3"),
            dict(name="user4", uid=1004, shell=config.SESSION_RECORDING_SHELL),
        ))
Пример #34
0
def test_some_groups4_ent(some_groups4):
    """Test "some" scope with group list and getpwent"""
    ent.assert_passwd_list(
        ent.contains_only(
            dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL),
            dict(name="user2", uid=1002, shell="/bin/sh2"),
            dict(name="user3", uid=1003, shell=config.SESSION_RECORDING_SHELL),
            dict(name="user4", uid=1004, shell="/bin/sh4"),
        ))
Пример #35
0
def test_fallback_homedir(fallback_homedir):
    """Test the effect of the "fallback_homedir" option"""
    ent.assert_passwd(
        ent.contains_only(
            dict(name="user_with_homedir_A", uid=1001, dir="/home/A"),
            dict(name="user_with_homedir_B", uid=1002, dir="/home/B"),
            dict(name="user_with_empty_homedir", uid=1003, dir="/home/B"),
        )
    )
Пример #36
0
def test_override_shell(override_shell):
    """Test the effect of the "override_shell" option"""
    ent.assert_passwd(
        ent.contains_only(
            dict(name="user_with_shell_A", uid=1001, shell="/bin/B"),
            dict(name="user_with_shell_B", uid=1002, shell="/bin/B"),
            dict(name="user_with_empty_shell", uid=1003, shell="/bin/B"),
        )
    )
Пример #37
0
def test_default_shell(default_shell):
    """Test the effect of the "default_shell" option"""
    ent.assert_passwd(
        ent.contains_only(
            dict(name="user_with_sh_shell", uid=1001, shell="/bin/sh"),
            dict(name="user_with_not_installed_shell", uid=1002, shell="/bin/fallback"),
            dict(name="user_with_empty_shell", uid=1003, shell="/bin/default"),
        )
    )
Пример #38
0
def test_none(none):
    """Test "none" scope"""
    ent.assert_passwd(
        ent.contains_only(
            dict(name="user1", uid=1001, shell="/bin/sh1"),
            dict(name="user2", uid=1002, shell="/bin/sh2"),
            dict(name="user3", uid=1003, shell="/bin/sh3"),
            dict(name="user4", uid=1004, shell="/bin/sh4"),
        ))
Пример #39
0
def test_group_member_matching(users_and_groups):
    ent.assert_group_by_name("empty_group", dict(mem=ent.contains()))
    ent.assert_group_by_name("empty_group", dict(mem=ent.contains_only()))
    try:
        ent.assert_group_by_name("empty_group",
                                 dict(mem=ent.contains("user1")))
    except AssertionError, e:
        assert re.search("member list mismatch:", str(e))
        assert re.search("expected members not found:", str(e))
Пример #40
0
def test_vetoed_shells(vetoed_shells):
    """Test the effect of the "vetoed_shells" option"""
    ent.assert_passwd(
        ent.contains_only(
            dict(name="user_with_sh_shell", uid=1001, shell="/bin/sh"),
            dict(name="user_with_vetoed_shell", uid=1002, shell="/bin/fallback"),
            dict(name="user_with_empty_shell", uid=1003, shell="/bin/default"),
        )
    )
Пример #41
0
def test_some_empty(some_empty):
    """Test "some" scope with no users or groups"""
    ent.assert_passwd(
        ent.contains_only(
            dict(name="user1", uid=1001, shell="/bin/sh1"),
            dict(name="user2", uid=1002, shell="/bin/sh2"),
            dict(name="user3", uid=1003, shell="/bin/sh3"),
            dict(name="user4", uid=1004, shell="/bin/sh4"),
        ))
Пример #42
0
def test_shell_fallback(shell_fallback):
    """Test the effect of the "shell_fallback" option"""
    ent.assert_passwd(
        ent.contains_only(
            dict(name="user_with_sh_shell", uid=1001, shell="/bin/sh"),
            dict(name="user_with_not_installed_shell",
                 uid=1002,
                 shell="/bin/fallback"),
            dict(name="user_with_empty_shell", uid=1003, shell="")))
Пример #43
0
def test_group_show_basic_fqname(ldap_conn, fqname_rfc2307, portable_LC_ALL):
    # Fill the cache first
    ent.assert_group_by_name(
        "group1@LDAP",
        dict(mem=ent.contains_only("user1@LDAP")))
    ent.assert_group_by_name(
        "CamelCaseGroup1@LDAP",
        dict(mem=ent.contains_only("CamelCaseUser1@LDAP")))

    output = get_call_output(["sssctl", "group-show", "group1@LDAP"])
    assert output.find("Name: group1@LDAP") != -1
    assert output.find("Cached in InfoPipe: No") != -1

    output = get_call_output(["sssctl", "group-show", "CamelCaseGroup1@LDAP"])
    assert output.find("Name: CamelCaseGroup1@LDAP") != -1
    assert output.find("Cached in InfoPipe: No") != -1

    output = get_call_output(["sssctl", "group-show", "camelcasegroup1@LDAP"])
    assert output.find("Group camelcasegroup1 is not present in cache.") != -1
Пример #44
0
def assert_group_default():

    # Assert entries are not overridden
    with pytest.raises(KeyError):
        pwd.getpwnam('ov_group')
    with pytest.raises(KeyError):
        pwd.getpwnam('ov_group@LDAP')
    with pytest.raises(KeyError):
        pwd.getpwnam('ov_empty_group')
    with pytest.raises(KeyError):
        pwd.getpwnam('ov_empty_group@LDAP')

    empty_group = dict(gid=2002, mem=ent.contains_only())
    group = dict(gid=2001, mem=ent.contains_only("user1", "user2"))

    ent.assert_group_by_name("group", group)
    ent.assert_group_by_name("group@LDAP", group)
    ent.assert_group_by_name("empty_group", empty_group)
    ent.assert_group_by_name("empty_group@LDAP", empty_group)
Пример #45
0
def test_none(none):
    """Test "none" scope"""
    ent.assert_passwd(
        ent.contains_only(
            dict(name="user1", uid=1001, shell="/bin/sh1"),
            dict(name="user2", uid=1002, shell="/bin/sh2"),
            dict(name="user3", uid=1003, shell="/bin/sh3"),
            dict(name="user4", uid=1004, shell="/bin/sh4"),
        )
    )
Пример #46
0
def test_all_ent(all):
    """Test "all" scope with getpwent"""
    ent.assert_passwd_list(
        ent.contains_only(
            dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL),
            dict(name="user2", uid=1002, shell=config.SESSION_RECORDING_SHELL),
            dict(name="user3", uid=1003, shell=config.SESSION_RECORDING_SHELL),
            dict(name="user4", uid=1004, shell=config.SESSION_RECORDING_SHELL),
        )
    )
Пример #47
0
def test_refresh_after_cleanup_task(ldap_conn, refresh_after_cleanup_task):
    """
    Regression test for ticket:
    https://fedorahosted.org/sssd/ticket/2676
    """
    ent.assert_group_by_name(
        "group2",
        dict(mem=ent.contains_only("user1")))

    ent.assert_passwd_by_name(
        'user1',
        dict(name='user1', passwd='*', uid=1001, gid=2001,
             gecos='1001', shell='/bin/bash'))

    time.sleep(15)

    ent.assert_group_by_name(
        "group2",
        dict(mem=ent.contains_only("user1")))
Пример #48
0
def test_some_empty(some_empty):
    """Test "some" scope with no users or groups"""
    ent.assert_passwd(
        ent.contains_only(
            dict(name="user1", uid=1001, shell="/bin/sh1"),
            dict(name="user2", uid=1002, shell="/bin/sh2"),
            dict(name="user3", uid=1003, shell="/bin/sh3"),
            dict(name="user4", uid=1004, shell="/bin/sh4"),
        )
    )
Пример #49
0
def test_some_groups4_ent(some_groups4):
    """Test "some" scope with group list and getpwent"""
    ent.assert_passwd_list(
        ent.contains_only(
            dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL),
            dict(name="user2", uid=1002, shell="/bin/sh2"),
            dict(name="user3", uid=1003, shell=config.SESSION_RECORDING_SHELL),
            dict(name="user4", uid=1004, shell="/bin/sh4"),
        )
    )
Пример #50
0
def test_add_local_user_to_local_group(local_domain_only):
    """
    Regression test for ticket
    https://fedorahosted.org/sssd/ticket/3178
    """
    subprocess.check_call(["sss_groupadd", "-g", "10009", "group10009"])
    subprocess.check_call(["sss_useradd", "-u", "10009", "-M", "user10009"])
    subprocess.check_call(["sss_usermod", "-a", "group10009", "user10009"])

    ent.assert_group_by_name(
        "group10009",
        dict(name="group10009", passwd="*", gid=10009,
             mem=ent.contains_only("user10009")))
Пример #51
0
def test_some_groups_overridden4_ent(some_groups_overridden3):
    """
    Test "some" scope with group list containing some
    overridden group, and users requested with getpwent.
    """
    ent.assert_passwd_list(
        ent.contains_only(
            dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL),
            dict(name="user2", uid=1002, shell="/bin/sh2"),
            dict(name="user3", uid=1003, shell="/bin/sh3"),
            dict(name="user4", uid=1004, shell="/bin/sh4"),
        )
    )