def test_user_show_basic_fqname(ldap_conn, fqname_rfc2307, portable_LC_ALL):
# Fill the cache first
ent.assert_passwd_by_name(
'user1@LDAP',
dict(name='user1@LDAP',
passwd='*',
uid=1001,
gid=2001,
gecos='1001',
shell='/bin/bash'))
ent.assert_passwd_by_name(
'CamelCaseUser1@LDAP',
dict(name='CamelCaseUser1@LDAP',
passwd='*',
uid=1002,
gid=2002,
gecos='1002',
shell='/bin/bash'))
output = get_call_output(["sssctl", "user-show", "user1@LDAP"])
assert output.find("Name: user1@LDAP") != -1
assert output.find("Initgroups expiration time: Initgroups were not yet "
"performed") != -1
assert output.find("Cached in InfoPipe: No") != -1
output = get_call_output(["sssctl", "user-show", "CamelCaseUser1@LDAP"])
assert output.find("Name: CamelCaseUser1@LDAP") != -1
assert output.find("Initgroups expiration time: Initgroups were not yet "
"performed") != -1
assert output.find("Cached in InfoPipe: No") != -1
output = get_call_output(["sssctl", "user-show", "camelcaseuser1@LDAP"])
assert output.find("User camelcaseuser1 is not present in cache.") != -1
def test_user_show_basic_fqname_insensitive(ldap_conn,
fqname_case_insensitive_rfc2307,
portable_LC_ALL):
# Fill the cache first
ent.assert_passwd_by_name(
'user1@LDAP',
dict(name='user1@LDAP', passwd='*', uid=1001, gid=2001,
gecos='1001', shell='/bin/bash'))
ent.assert_passwd_by_name(
'CamelCaseUser1@LDAP',
dict(name='camelcaseuser1@LDAP', passwd='*', uid=1002, gid=2002,
gecos='1002', shell='/bin/bash'))
output = get_call_output(["sssctl", "user-show", "user1@LDAP"])
assert output.find("Name: user1@LDAP") != -1
assert output.find("Initgroups expiration time: Initgroups were not yet "
"performed") != -1
assert output.find("Cached in InfoPipe: No") != -1
output = get_call_output(["sssctl", "user-show", "CamelCaseUser1@LDAP"])
assert output.find("Name: camelcaseuser1@LDAP") != -1
assert output.find("Initgroups expiration time: Initgroups were not yet "
"performed") != -1
assert output.find("Cached in InfoPipe: No") != -1
output = get_call_output(["sssctl", "user-show", "camelcaseuser1@LDAP"])
assert output.find("Name: camelcaseuser1@LDAP") != -1
assert output.find("Initgroups expiration time: Initgroups were not yet "
"performed") != -1
assert output.find("Cached in InfoPipe: No") != -1
def test_ssh_pubkey_retrieve(add_user_with_ssh_key):
"""
Test that we can retrieve an SSH public key for a user who has one
and can't retrieve a key for a user who does not have one.
"""
sshpubkey = get_call_output(["sss_ssh_authorizedkeys", "user1"])
assert sshpubkey == USER1_PUBKEY1 + '\n' + USER1_PUBKEY2 + '\n'
sshpubkey = get_call_output(["sss_ssh_authorizedkeys", "user2"])
assert len(sshpubkey) == 0
def test_ssh_pubkey_retrieve(add_user_with_ssh_key):
"""
Test that we can retrieve an SSH public key for a user who has one
and can't retrieve a key for a user who does not have one.
"""
sshpubkey = get_call_output(["sss_ssh_authorizedkeys", "user1"])
assert sshpubkey == USER1_PUBKEY1 + '\n' + USER1_PUBKEY2 + '\n'
sshpubkey = get_call_output(["sss_ssh_authorizedkeys", "user2"])
assert len(sshpubkey) == 0
def test_netgroup_show(ldap_conn, sanity_rfc2307, portable_LC_ALL,
add_tripled_netgroup):
output = get_call_output(["sssctl", "netgroup-show", "tripled_netgroup"])
assert "Name: tripled_netgroup" not in output
res, _, netgrps = sssd_netgroup.get_sssd_netgroups("tripled_netgroup")
assert res == sssd_netgroup.NssReturnCode.SUCCESS
assert netgrps == [("host", "user", "domain")]
output = get_call_output(["sssctl", "netgroup-show", "tripled_netgroup"])
assert "Name: tripled_netgroup" in output
def test_sudo_rule_for_user(add_common_rules, sudocli_tool):
"""
Test that user1 is allowed in the rule but user2 is not
"""
user1_rules = get_call_output([sudocli_tool, "user1"])
reply = SudoReply(user1_rules)
assert len(reply.sudo_rules.rules) == 1
assert reply.sudo_rules.rules[0]['cn'] == 'user1_allow_less_shadow'
user2_rules = get_call_output([sudocli_tool, "user2"])
reply = SudoReply(user2_rules)
assert len(reply.sudo_rules.rules) == 0
def test_sudo_rule_for_user(add_common_rules, sudocli_tool):
"""
Test that user1 is allowed in the rule but user2 is not
"""
user1_rules = get_call_output([sudocli_tool, "user1"])
reply = SudoReply(user1_rules)
assert len(reply.sudo_rules.rules) == 1
assert reply.sudo_rules.rules[0]['cn'] == 'user1_allow_less_shadow'
user2_rules = get_call_output([sudocli_tool, "user2"])
reply = SudoReply(user2_rules)
assert len(reply.sudo_rules.rules) == 0
def test_netgroup_show(ldap_conn,
sanity_rfc2307,
portable_LC_ALL,
add_tripled_netgroup):
output = get_call_output(["sssctl", "netgroup-show", "tripled_netgroup"])
assert "Name: tripled_netgroup" not in output
res, _, netgrps = sssd_netgroup.get_sssd_netgroups("tripled_netgroup")
assert res == sssd_netgroup.NssReturnCode.SUCCESS
assert netgrps == [("host", "user", "domain")]
output = get_call_output(["sssctl", "netgroup-show", "tripled_netgroup"])
assert "Name: tripled_netgroup" in output
def test_debug_level_no_sssd():
# Once we are sure all tests run using Python 3.5 or newer,
# we can remove the redirections STDOUT > STDERR and check cpe.stderr.
try:
get_call_output(["sssctl", "debug-level"],
check=True,
stderr_output=subprocess.STDOUT)
except subprocess.CalledProcessError as cpe:
assert cpe.returncode == 1
assert "SSSD is not running" in cpe.output
try:
get_call_output(["sssctl", "debug-level", "0x70"],
check=True,
stderr_output=subprocess.STDOUT)
except subprocess.CalledProcessError as cpe:
assert cpe.returncode == 1
assert "SSSD is not running" in cpe.output
try:
get_call_output(["sssctl", "debug-level", "--nss"],
check=True,
stderr_output=subprocess.STDOUT)
except subprocess.CalledProcessError as cpe:
assert cpe.returncode == 1
assert "SSSD is not running" in cpe.output
try:
get_call_output(["sssctl", "debug-level", "--nss", "0x70"],
check=True,
stderr_output=subprocess.STDOUT)
except subprocess.CalledProcessError as cpe:
assert cpe.returncode == 1
assert "SSSD is not running" in cpe.output
def test_sudo_rule_duplicate_sudo_user(add_double_qualified_rules,
sudocli_tool):
"""
Test that despite user1 and user1@LDAP meaning the same user,
the rule is still usable
"""
# Try several users to make sure we don't mangle the list
for u in ["user1", "user2", "user3"]:
user_rules = get_call_output([sudocli_tool, u])
reply = SudoReply(user_rules)
assert len(reply.sudo_rules.rules) == 1
assert reply.sudo_rules.rules[0]['cn'] == 'user1_allow_less_shadow'
user4_rules = get_call_output([sudocli_tool, "user4"])
reply = SudoReply(user4_rules)
assert len(reply.sudo_rules.rules) == 0
def test_sssctl_domain_list_app_domain(dbus_system_bus, ldap_conn,
sanity_rfc2307):
output = get_call_output(["sssctl", "domain-list"], subprocess.STDOUT)
assert "Error" not in output
assert output.find("LDAP") != -1
assert output.find("app") != -1
def test_sudo_rule_duplicate_sudo_user(add_double_qualified_rules,
sudocli_tool):
"""
Test that despite user1 and user1@LDAP meaning the same user,
the rule is still usable
"""
# Try several users to make sure we don't mangle the list
for u in ["user1", "user2", "user3"]:
user_rules = get_call_output([sudocli_tool, u])
reply = SudoReply(user_rules)
assert len(reply.sudo_rules.rules) == 1
assert reply.sudo_rules.rules[0]['cn'] == 'user1_allow_less_shadow'
user4_rules = get_call_output([sudocli_tool, "user4"])
reply = SudoReply(user4_rules)
assert len(reply.sudo_rules.rules) == 0
def test_group_show_basic_sanity(ldap_conn, sanity_rfc2307, portable_LC_ALL):
# Fill the cache first
ent.assert_group_by_name("group1", dict(mem=ent.contains_only("user1")))
ent.assert_group_by_name("CamelCaseGroup1",
dict(mem=ent.contains_only("CamelCaseUser1")))
output = get_call_output(["sssctl", "group-show", "group1"])
assert output.find("Name: group1") != -1
assert output.find("Cached in InfoPipe: No") != -1
output = get_call_output(["sssctl", "group-show", "CamelCaseGroup1"])
assert output.find("Name: CamelCaseGroup1") != -1
assert output.find("Cached in InfoPipe: No") != -1
output = get_call_output(["sssctl", "group-show", "camelcasegroup1"])
assert output.find("Group camelcasegroup1 is not present in cache.") != -1
def test_sssctl_domain_list_app_domain(dbus_system_bus,
ldap_conn,
sanity_rfc2307):
output = get_call_output(["sssctl", "domain-list"], subprocess.STDOUT)
assert "Error" not in output
assert output.find("LDAP") != -1
assert output.find("app") != -1
def test_group_show_basic_fqname(ldap_conn, fqname_rfc2307, portable_LC_ALL):
# Fill the cache first
ent.assert_group_by_name(
"group1@LDAP",
dict(mem=ent.contains_only("user1@LDAP")))
ent.assert_group_by_name(
"CamelCaseGroup1@LDAP",
dict(mem=ent.contains_only("CamelCaseUser1@LDAP")))
output = get_call_output(["sssctl", "group-show", "group1@LDAP"])
assert output.find("Name: group1@LDAP") != -1
assert output.find("Cached in InfoPipe: No") != -1
output = get_call_output(["sssctl", "group-show", "CamelCaseGroup1@LDAP"])
assert output.find("Name: CamelCaseGroup1@LDAP") != -1
assert output.find("Cached in InfoPipe: No") != -1
output = get_call_output(["sssctl", "group-show", "camelcasegroup1@LDAP"])
assert output.find("Group camelcasegroup1 is not present in cache.") != -1
def test_group_show_basic_fqname_insensitive(ldap_conn,
fqname_case_insensitive_rfc2307,
portable_LC_ALL):
# Fill the cache first
ent.assert_group_by_name("group1@LDAP",
dict(mem=ent.contains_only("user1@LDAP")))
ent.assert_group_by_name(
"camelcasegroup1@LDAP",
dict(mem=ent.contains_only("camelcaseuser1@LDAP")))
output = get_call_output(["sssctl", "group-show", "group1@LDAP"])
assert output.find("Name: group1@LDAP") != -1
assert output.find("Cached in InfoPipe: No") != -1
output = get_call_output(["sssctl", "group-show", "CamelCaseGroup1@LDAP"])
assert output.find("Name: camelcasegroup1@LDAP") != -1
assert output.find("Cached in InfoPipe: No") != -1
output = get_call_output(["sssctl", "group-show", "camelcasegroup1@LDAP"])
assert output.find("Name: camelcasegroup1@LDAP") != -1
assert output.find("Cached in InfoPipe: No") != -1
def test_ssh_pubkey_retrieve_cert(add_user_with_ssh_cert):
"""
Test that we can retrieve an SSH public key derived from a cert in ldap.
Compare with the sshpubkey derived via ssh-keygen, they should match.
"""
for u in [1, 7]:
pubsshkey_path = os.path.dirname(config.PAM_CERT_DB_PATH)
pubsshkey_path += "/SSSD_test_cert_pubsshkey_000%s.pub" % u
with open(pubsshkey_path, 'r') as f:
pubsshkey = f.read()
sshpubkey = get_call_output(["sss_ssh_authorizedkeys", "user%s" % u])
print(sshpubkey)
print(pubsshkey)
assert sshpubkey == pubsshkey
def test_sssctl_no_config(portable_LC_ALL):
output = get_call_output(["sssctl", "config-check"])
assert "There is no configuration" in output
def test_debug_level_sanity(ldap_conn, sanity_rfc2307, portable_LC_ALL):
output = get_call_output(["sssctl", "debug-level", "0x00F0"], check=True)
assert output.strip() == ""
output = get_call_output(["sssctl", "debug-level"], check=True)
for line in output.splitlines():
elems = line.split()
assert elems[0] in [
"sssd", "nss", "domain/LDAP", "domain/implicit_files"
]
assert elems[1] == "0x00f0"
output = get_call_output(["sssctl", "debug-level", "--sssd", "0x0270"],
check=True)
assert output.strip() == ""
output = get_call_output(["sssctl", "debug-level", "--sssd"], check=True)
assert "sssd " in output
assert "0x0270" in output
output = get_call_output(["sssctl", "debug-level", "--nss", "0x0370"],
check=True)
assert output.strip() == ""
output = get_call_output(["sssctl", "debug-level", "--nss"], check=True)
assert "nss " in output
assert "0x0370" in output
output = get_call_output(["sssctl", "debug-level", "--domain=LDAP", "8"],
check=True)
assert output.strip() == ""
output = get_call_output(["sssctl", "debug-level", "--domain=LDAP"],
check=True)
assert "domain/LDAP " in output
assert "0x37f0" in output
try:
get_call_output(["sssctl", "debug-level", "--domain=FAKE"], check=True)
except subprocess.CalledProcessError as cpe:
assert cpe.returncode == 1
assert "domain/FAKE " in cpe.output
assert " Unknown domain" in cpe.output
try:
get_call_output(["sssctl", "debug-level", "--pac"], check=True)
except subprocess.CalledProcessError as cpe:
assert cpe.returncode == 1
assert "pac " in cpe.output
assert " Unreachable service" in cpe.output
try:
get_call_output(["sssctl", "debug-level", "--domain=FAKE", "8"],
check=True)
except subprocess.CalledProcessError as cpe:
assert cpe.returncode == 1
assert cpe.output.strip() == ""
def test_sssctl_snippets_only(conf_snippets_only, portable_LC_ALL):
output = get_call_output(["sssctl", "config-check"])
assert "There is no configuration" not in output
assert config.CONF_SNIPPET_PATH in output
