tests: housekeeping, test_authenticaiton.py
housekeeping, the following is looked at and may have been done: * fixed typos and standardized formatting * renamed test cases to improve the clarity of what the test does * improved docstring language, setup, steps and expected results * synced code with the docstring order * removed necessary configuration relevant to the test * added pytest.mark.importance to test cases notable changes: * big rename on the test case names, after discussing that some cases will have the positive and negative test, it no longer needs to be specified (cherry picked from commit ddea67c)
Dan Lavu
committed
Jul 26, 2024
1 parent
e9a8029
commit 0a3acc9
Showing
1 changed file
with
48 additions
and
50 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,7 +1,7 @@ | ||
""" | ||
SSSD Authentication Test Cases | ||
:requirement: offline | ||
:requirement: authentication | ||
""" | ||
|
||
from __future__ import annotations | ||
|
@@ -15,55 +15,60 @@ | |
|
||
@pytest.mark.topology(KnownTopologyGroup.AnyProvider) | ||
@pytest.mark.parametrize("method", ["su", "ssh"]) | ||
def test_authentication__using_a_good_then_bad_password(client: Client, provider: GenericProvider, method: str): | ||
@pytest.mark.importance("critical") | ||
def test_authentication__with_default_settings( | ||
client: Client, | ||
provider: GenericProvider, | ||
method: str, | ||
): | ||
""" | ||
:title: SSH and su authentication | ||
:title: Authenticate with default settings | ||
:setup: | ||
1. Add user to SSSD | ||
2. Set password for user | ||
3. Start SSSD | ||
1. Create user | ||
2. Start SSSD | ||
:steps: | ||
1. Authenticate user with correct password | ||
2. Authenticate user with incorrect password | ||
:expectedresults: | ||
1. User is authenticated | ||
2. User is not authenticated | ||
1. Authentication is successful | ||
2. Authentication is unsuccessful | ||
:customerscenario: False | ||
""" | ||
provider.user("user1").add(password="Secret123") | ||
|
||
client.sssd.start() | ||
|
||
assert client.auth.parametrize(method).password("user1", "Secret123"), "login with correct password failed" | ||
assert not client.auth.parametrize(method).password("user1", "NOTSecret123"), "login with wrong password succeeded" | ||
assert client.auth.parametrize(method).password("user1", "Secret123"), "User failed login!" | ||
assert not client.auth.parametrize(method).password( | ||
"user1", "NOTSecret123" | ||
), "User logged in with an invalid password!" | ||
|
||
|
||
@pytest.mark.topology(KnownTopologyGroup.AnyProvider) | ||
@pytest.mark.parametrize("method", ["su", "ssh"]) | ||
def test_authentication__using_a_good_then_bad_password_when_offline( | ||
client: Client, provider: GenericProvider, method: str | ||
@pytest.mark.importance("critical") | ||
def test_authentication__default_settings_when_the_provider_is_offline( | ||
client: Client, | ||
provider: GenericProvider, | ||
method: str, | ||
): | ||
""" | ||
:title: Offline ssh/su login | ||
:title: Authenticate with default settings when the provider is offline | ||
:setup: | ||
1. Add user to SSSD and set its password | ||
2. In SSSD domain change "cache_credentials" and "krb5_store_password_if_offline" to "True" | ||
3. In SSSD pam change "offline_credentials_expiration" to "0" | ||
4. Start SSSD | ||
1. Create user | ||
2. Configure SSSD with "cache_credentials = true" and "krb5_store_password_if_offline = true" and | ||
"offline_credentials_expiration = 0" | ||
3. Start SSSD | ||
:steps: | ||
1. Authenticate user with wrong password | ||
2. Authenticate user with correct password | ||
3. Make server offline (by blocking traffic to the provider) | ||
4. Bring SSSD offline explicitly | ||
5. Offline authentication of user with correct password | ||
6. Offline authentication of user with wrong password | ||
1. Authenticate user with correct password | ||
2. Block outbound traffic to the provider and force SSSD offline | ||
3. Authenticate user with correct password | ||
4. Authenticate user with incorrect password | ||
:expectedresults: | ||
1. User is not authenticated | ||
2. User is authenticated | ||
3. Firewall rule added, traffic is dropped. | ||
4. SSSD is offline | ||
5. Offline authentication is successful | ||
6. Offline authentication is not successful | ||
1. User authentication is successful | ||
2. No traffic is getting to the provider | ||
3. User authentication is successful | ||
4. User authentication is unsuccessful | ||
:customerscenario: False | ||
""" | ||
user = "user1" | ||
|
@@ -76,57 +81,50 @@ def test_authentication__using_a_good_then_bad_password_when_offline( | |
client.sssd.pam["offline_credentials_expiration"] = "0" | ||
client.sssd.start() | ||
|
||
assert not client.auth.parametrize(method).password(user, wrong), "login with wrong password succeeded" | ||
assert client.auth.parametrize(method).password(user, correct), "login with correct password failed" | ||
assert client.auth.parametrize(method).password(user, correct), "User failed login!" | ||
|
||
# Block provider. | ||
client.firewall.outbound.reject_host(provider) | ||
|
||
# There might be active connections that are not terminated by creating firewall rule. | ||
# We need to terminated it by bringing SSSD to offline state explicitly. | ||
# We need to terminate it by forcing SSSD offline. | ||
client.sssd.bring_offline() | ||
|
||
assert client.auth.parametrize(method).password(user, correct), "offline login with correct password failed" | ||
assert not client.auth.parametrize(method).password(user, wrong), "offline login with wrong password succeeded" | ||
assert client.auth.parametrize(method).password(user, correct), "User failed login!" | ||
assert not client.auth.parametrize(method).password(user, wrong), "User logged in with an incorrect password!" | ||
|
||
|
||
@pytest.mark.topology(KnownTopology.AD) | ||
@pytest.mark.ticket(gh=7174) | ||
@pytest.mark.parametrize("method", ["su", "ssh"]) | ||
@pytest.mark.parametrize("sssd_service_user", ("root", "sssd")) | ||
@pytest.mark.require( | ||
lambda client, sssd_service_user: ((sssd_service_user == "root") or client.features["non-privileged"]), | ||
"SSSD was built without support for running under non-root", | ||
) | ||
def test_authentication__login_using_email_address(client: Client, ad: AD, method: str, sssd_service_user: str): | ||
@pytest.mark.importance("critical") | ||
def test_authentication__using_the_users_email_address(client: Client, ad: AD, method: str): | ||
""" | ||
:title: Login using user's email address | ||
:title: Login using the user's email address | ||
:description: | ||
Testing the feature to login using an email address instead of the userid. The username used, must match one of | ||
directory attribute values for "EmailAddress". The login should be case insensitive and permit special | ||
characters. | ||
Testing the feature to login using an email address instead of the userid. The username used, | ||
must match one of the user's LDAP attribute values, "EmailAddress". The login should be | ||
case-insensitive and permit special characters. | ||
:setup: | ||
1. Add AD users with different email addresses | ||
2. Start SSSD | ||
:steps: | ||
1. Authenticate users using their email address and in different cases | ||
:expectedresults: | ||
1. Authentication is successful using the email address and is case insensitive | ||
1. Authentication is successful using the email address and is case-insensitive | ||
:customerscenario: False | ||
""" | ||
ad.user("user-1").add(password="Secret123", email=f"user-1@{ad.host.domain}") | ||
ad.user("user-2").add(password="Secret123", email="[email protected]") | ||
ad.user("user_3").add(password="Secret123", email="[email protected]") | ||
|
||
client.sssd.set_service_user(sssd_service_user) | ||
client.sssd.start() | ||
|
||
assert client.auth.parametrize(method).password( | ||
f"user-1@{ad.host.domain}", "Secret123" | ||
), "login with correct password failed" | ||
), f"User user-1@{ad.host.domain} failed login!" | ||
assert client.auth.parametrize(method).password( | ||
"[email protected]", "Secret123" | ||
), "login with correct password failed" | ||
), "User [email protected] failed login!" | ||
assert client.auth.parametrize(method).password( | ||
"[email protected]", "Secret123" | ||
), "login with correct password failed" | ||
), "User [email protected] failed login!" |
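Review bot: The renamed `test_authentication__using_the_users_email_address` appears, as rendered, to drop the `sssd_service_user` parametrization, its `pytest.mark.require` guard and the `client.sssd.set_service_user(sssd_service_user)` call, so email-address login is no longer exercised with SSSD running as the non-root `sssd` user. That reduces coverage of the least-privilege configuration rather than tidying the test, and the commit message does not list it among the notable changes; if it is intentional for this branch, say so in the description, otherwise keep `@pytest.mark.parametrize("sssd_service_user", ("root", "sssd"))` and the `set_service_user` call. In the offline test the wrong-password check that ran before `client.firewall.outbound.reject_host(provider)` is also gone, so rejection of a bad password with `cache_credentials` enabled is only asserted once SSSD is offline. The two remaining positive asserts there share the message `"User failed login!"`; a distinct text on the second, for example `"User failed offline login!"`, would keep a failure report clear about whether the online or the cached login broke.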