COMPONENTS: (1)bash sudo codes ported to python codes, (2)expectsudo.py
Explanation
- This MR contains 2 components:
  (I) Ported Python code of the following sudo bash scripts:
      1. defaults ported as test_defaults()
         :description: Add 2 sudo rules, first one with 'sudoOption:
                       !authenticate' and second one without it. Change order of
                       sudo rules and test sudo command with 2 users.

      2. order ported as test_order()
         :description: Add 2 sudo rules, first one with 'sudoOption:
                       !authenticate' and second one without it. Change order of
                       sudo rules and test sudo command with 2 users.

      3. offline ported as test_offline()
         :description: Add a sudo rule that authenticates user to perform sudo
                       then go offline by adding a jump rule in iptables and
                       testing user again to confirm that user is able to sudo
                       with cached credentials then making change to sudoCommand:!ALL
                       to check if user is denied and then constantly make calls to
                       SSSD to come online and then verify it.

      4. refresh ported as test_refresh()
         :description: Check sudo with sudo user and sudo group after
                       OVERLAP_INTERVAL and SMART_INTERVAL with modifying
                       values of sudoUser, sudoHost, sudoCommand, sudoRunAsUser,
                       sudoRunAsGroup and sudoOption.

      5. host_filter ported as test_host_filter()
         :description: Value of host_filter can be true or false,
                       ldap_sudo_hostnames, ldap_sudo_ip, ldap_sudo_include_netgroups
                       and ldap_sudo_include_regexp.

      6. full_refresh ported as test_full_refresh()
         :description: Check sudo with a full refresh of sudo rules.

      7. stress_refresh ported as test_stress_refresh()
         :description: Check sudo by stressing attribute refreshes and test
                       rule-matching/non-rule-matching attributes.

      8. attrs_command ported as test_attrs_command()
         :description: Check sudo by changing 'sudoCommand' with several
                       attributes.

      9. attrs ported as test_attrs()
         :description: Test sudo with empty attributes and attributes with
                       value.

      --- THE TESTS BELOW ARE FROM misc AND HAVE BEEN PORTED INDIVIDUALLY ---

      10. test_bz996020()
          :description: sssd fails instead of skipping when a sudo ldap
                        filter returns entries with multiple CN.
          :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=996020

      11. test_bz1003567()
          :description: large number of sudo rules results in error.
          :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1003567

      12. test_bz995737()
          :description: sudo backed by sssd ldap denies all access.
          :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=995737

      13. test_bz1042922()
          :description: Add fallback to sudoRunAs when sudoRunasUser is
                        not defined.
          :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1042922

      14. test_bz1422183()
          :description: Duplicate usernames with difference of upper and
                        lower case.
          :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1422183

      15. test_bz1590603()
          :description: information leak from sssd sudo responder.
          :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1590603

      16. test_bz1607313()
          :description: private pipe ownership when sssd is running as
                        non root user.
          :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1607313

      17. test_bz1132264()
          :description: allow sssd to retrieve sudo rules of local users
                        whose sudo rules stored in ldap server.
          :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1132264

      18. test_bz1208507()
          :description: sysdb sudo search does not escape special characters.
          :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1208507

      19. test_bz1084532()
          :description: sssd sudo process segfaults.
          :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1084532

  (II) expectsudo.py code for automating insertion of sudo password.
       - This utility is built using pexpect library:
         https://pexpect.readthedocs.io/en/stable/api/pexpect.html
       - Intended to automate insertion of sudo passwords during
         test case execution.
       - It uses regexes to search for a particular line/set of lines
         for asserting whether:
         (1) sudo permission is granted -> sudo_permission_granted()
         (2) sudo permission is denied -> sudo_permission_denied()
         (3) if sudo password is incorrect -> sudo_incorrect_password()
         (4) if sudo authentication is required -> sudo_requires_auth()
Dhairya Parmar authored and jakub-vavra-cz committed Nov 25, 2022
1 parent 6b0d175 commit e27fdea
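The four checks that component (II) describes (granted, denied, incorrect password, authentication required) come down to matching sudo's output against a handful of regular expressions. The block below is an added illustration of that classification logic, not the commit's expectsudo.py and not SSSD project code: it has no pexpect dependency and runs against constructed transcripts instead of a live sudo, so it can be exercised offline. The message patterns are assumptions modelled on what sudo prints in English; the function names mirror the commit message but the bodies are this example's own, and `classify_sudo_output` is an addition that folds the four checks into one verdict.

```python
import re

# Regexes modelled on the messages sudo prints (assumption: exact wording varies
# with sudo version and locale; tune them against the output you actually see).
_GRANTED_LIST = re.compile(r"^User \S+ may run the following commands on", re.M)
_DENIED = re.compile(
    r"is not in the sudoers file|is not allowed to (?:run sudo|execute)", re.M)
_INCORRECT_PASSWORD = re.compile(
    r"^Sorry, try again\.|^sudo: \d+ incorrect password attempts?", re.M)
_REQUIRES_AUTH = re.compile(r"^\[sudo\] password for \S+:", re.M)


def sudo_requires_auth(output):
    """True if sudo printed a password prompt (the rule lacks !authenticate)."""
    return _REQUIRES_AUTH.search(output) is not None


def sudo_incorrect_password(output):
    """True if at least one supplied password was rejected."""
    return _INCORRECT_PASSWORD.search(output) is not None


def sudo_permission_denied(output):
    """True if sudo refused the user or the command outright."""
    return _DENIED.search(output) is not None


def sudo_permission_granted(output, expected=None):
    """True if the rule let the command run.

    For `sudo -l` the proof is sudo's own "may run the following commands"
    line; for any other command the caller passes the marker the command was
    expected to print (e.g. "SSSD" for `sudo -u foo2 echo SSSD`), and the
    transcript must also be free of any denial or password failure.
    """
    if _GRANTED_LIST.search(output):
        return True
    if expected is None:
        return False
    marker = re.compile(r"^" + re.escape(expected) + r"\s*$", re.M)
    return (marker.search(output) is not None
            and not sudo_permission_denied(output)
            and not sudo_incorrect_password(output))


def classify_sudo_output(output, expected=None):
    """Collapse the four checks into one verdict, most specific first.

    A rejected password is checked before denial because sudo prints a prompt
    and "Sorry, try again." before it finally gives up, and denial is checked
    before grant because a denied run still echoes the prompt.
    """
    if sudo_incorrect_password(output):
        return "incorrect_password"
    if sudo_permission_denied(output):
        return "denied"
    if sudo_permission_granted(output, expected):
        return "granted"
    if sudo_requires_auth(output):
        return "requires_auth"
    return "unknown"


# Constructed transcripts (not captured from the project's tests), shaped like
# what sudo prints for the commands named in the commit message.
SAMPLES = {
    "list_with_prompt": "[sudo] password for foo1: \n"
                        "Matching Defaults entries for foo1 on client:\n"
                        "    !visiblepw\n\n"
                        "User foo1 may run the following commands on client:\n"
                        "    (foo2) ALL\n",
    "echo_no_auth": "SSSD\n",  # rule carries 'sudoOption: !authenticate'
    "echo_with_prompt": "[sudo] password for foo1: \nSSSD\n",
    "denied_command": "[sudo] password for foo1: \n"
                      "Sorry, user foo1 is not allowed to execute '/bin/true' "
                      "as foo2 on client.\n",
    "not_in_sudoers": "foo1 is not in the sudoers file.  "
                      "This incident will be reported.\n",
    "bad_password": "[sudo] password for foo1: \nSorry, try again.\n"
                    "[sudo] password for foo1: \nSorry, try again.\n"
                    "[sudo] password for foo1: \n"
                    "sudo: 3 incorrect password attempts\n",
    "prompt_pending": "[sudo] password for foo1: ",
}

if __name__ == "__main__":
    for name, transcript in SAMPLES.items():
        print(f"{name:18} -> {classify_sudo_output(transcript, expected='SSSD')}")
```

The ordering inside `classify_sudo_output` is the part worth carrying over to a real pexpect driver: a transcript that contains a prompt can still end in any of the other three outcomes, so "requires auth" is only the verdict when nothing more specific followed the prompt, which is exactly the state in which a driver should send the password and keep reading.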
Showing 3 changed files with 3,148 additions and 1 deletion.
75 changes: 75 additions & 0 deletions src/tests/multihost/alltests/constants.py
Expand Up @@ -6,3 +6,78 @@
krb_realm = 'EXAMPLE.TEST'
ds_rootdn = 'cn=Directory Manager'
ds_rootpw = 'Secret123'
user1 = 'foo1@example1'
user2 = 'foo2@example1'
group_user1 = "ldapusers@example1"
group_user2 = "ldapusers1@example1"
user1_password = ds_rootpw
netgroups_ou = f"ou=Netgroups,{ds_suffix}"
ou_name = "sudoers"
sudo_ou = f"ou={ou_name},{ds_suffix}"
sudo_host = "ALL"
sudo_command = "ALL"
sudo_user = "ALL"
sudo_command_echo = f"sudo -u {user2} echo SSSD"
sudo_command_bin_true = f"sudo -u {user2} /bin/true"
sudo_command_bin_echo = f"sudo -u {user2} /bin/echo"
sudo_command_dev_null = "sudo -l > /dev/null"
sudo_command_group = f"sudo -g {group_user2} echo SSSD"
sudo_rule_test = f"cn=test,{sudo_ou}"
sudo_rule_test1 = f"cn=test1,{sudo_ou}"
sudo_rule_test2 = f"cn=test2,{sudo_ou}"
sudo_rule_testrule = f"cn=testrule,{sudo_ou}"
sudo_rule_defaults = f"cn=defaults,{sudo_ou}"
sudo_password = ds_rootpw
smart_interval = 1
ldapusers1 = "ldapusers1"
netgroup_client = f"cn=netgroup_client,ou=Netgroups,{ds_suffix}"
netgroup_client_not = f"cn=netgroup_client_not,ou=Netgroups,{ds_suffix}"
sudo_test_user_dn = f"uid=sudo_test_user,{ds_suffix}"
sudo_test_user_attrs = {
'cn': 'Temp',
'uidNumber': '13111',
'gidNumber': '10021',
'gecos': 'random strings',
'homeDirectory': '/home/sudo_test_user',
'loginShell': '/bin/bash',
'userPassword': 'Secret123'
}
sudo_test_user2_dn = f"uid=sudo_test_user2,{ds_suffix}"
sudo_test_user2_attrs = {
'cn': 'Temp2',
'uidNumber': '13112',
'gidNumber': '10022',
'gecos': 'Test user for 500 rules',
'homeDirectory': '/home/sudo_test_user2',
'loginShell': '/bin/bash',
'userPassword': 'Secret123'
}
sudo_tuser_dn = f"uid=tuser,{ds_suffix}"
sudo_tuser_attrs = {
'cn': 'example tuser',
'uidNumber': '1000013',
'gidNumber': '1000013',
'homeDirectory': '/home/tuser',
'loginShell': '/bin/bash',
'userPassword': 'Secret123'
}

sudo_testuser_dn = f"uid=testuser,{ds_suffix}"
sudo_testuser_attrs = {
'cn': 'example testuser',
'uidNumber': '1000014',
'gidNumber': '1000014',
'homeDirectory': '/home/testuser',
'loginShell': '/bin/bash',
'userPassword': 'Secret123'
}

sudo_tuser1_dn = f"uid=t(u)ser,ou=People,{ds_suffix}"
sudo_tuser1_attrs = {
'cn': 'example t(u)ser',
'uidNumber': '10013',
'gidNumber': '10013',
'homeDirectory': '/home/tuser',
'loginShell': '/bin/bash',
'userPassword': 'Secret123'
}
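Review bot: the literal 'Secret123' is repeated in every *_attrs dict (`'userPassword': 'Secret123'`) even though `ds_rootpw` already holds that value and `user1_password` and `sudo_password` in the same hunk reuse it; writing `'userPassword': ds_rootpw` keeps a single source of truth when the test password changes. Two smaller points in the same hunk: `sudo_tuser1_attrs` has `'homeDirectory': '/home/tuser'`, identical to `sudo_tuser_attrs`, which looks like a copy-paste left over from the template (confirm it is intended for `uid=t(u)ser`), and every f-string here references `ds_suffix`, which is not among the three context lines shown, so it must be defined above line 6 of constants.py. `sudo_command_dev_null = "sudo -l > /dev/null"` also embeds a shell redirect, so callers must run it through a shell rather than as an argv list.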
