From cebcfa32df1bb61d056719cf507e4298b1e1d4a5 Mon Sep 17 00:00:00 2001 
From: Dan Lavu Date: Fri, 12 Jul 2024 14:42:37 -0400 Subject: [PATCH 1/2] tests: remove multihost basic tests MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * test_ifp.py tests are now covered in system/test_infopipe.py * test_kcm.py tests are now covered in system/test_kdm.py and authselect/system/test_sssd.py, the functional credential delegation ** a functional test has been added to the test plan * test_ldapapi.py tests are low priority with a larger effort to move. ** test configures ldap, using the 389 slapd file for its URI; this test can only be performed on a server and does not offer much value. This test has been added to the test plan and will be re-implemented if approved. Reviewed-by: Jakub Vávra Reviewed-by: Pavel Březina Reviewed-by: Scott Poore --- .github/workflows/ci.yml | 117 +---- src/tests/multihost/basic/conftest.py | 481 ------------------ src/tests/multihost/basic/mhc.yaml | 8 - src/tests/multihost/basic/pytest.ini | 3 - src/tests/multihost/basic/test_basic.py | 84 --- src/tests/multihost/basic/test_config.py | 109 ---- src/tests/multihost/basic/test_files.py | 61 --- src/tests/multihost/basic/test_ifp.py | 31 -- src/tests/multihost/basic/test_kcm.py | 340 ------------- src/tests/multihost/basic/test_ldap.py | 110 ---- .../basic/test_sssctl_config_check.py | 102 ---- src/tests/multihost/basic/test_sudo.py | 66 --- src/tests/multihost/basic/utils_config.py | 32 -- 13 files changed, 1 insertion(+), 1543 deletions(-) delete mode 100644 src/tests/multihost/basic/conftest.py delete mode 100644 src/tests/multihost/basic/mhc.yaml delete mode 100644 src/tests/multihost/basic/pytest.ini delete mode 100644 src/tests/multihost/basic/test_basic.py delete mode 100644 src/tests/multihost/basic/test_config.py delete mode 100644 src/tests/multihost/basic/test_files.py delete mode 100644 src/tests/multihost/basic/test_ifp.py delete mode 100644 src/tests/multihost/basic/test_kcm.py delete mode 100644 
src/tests/multihost/basic/test_ldap.py delete mode 100644 src/tests/multihost/basic/test_sssctl_config_check.py delete mode 100644 src/tests/multihost/basic/test_sudo.py delete mode 100644 src/tests/multihost/basic/utils_config.py
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index b2b52c2b086..1d2228ace8f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -134,120 +134,6 @@ jobs: path: | ./sssd/ci-build-debug/*.valgrind.log - multihost: - needs: [prepare, build] - strategy: - fail-fast: false - matrix: - tag: ${{ fromJson(needs.prepare.outputs.matrix).multihost }} - runs-on: ubuntu-latest - permissions: - contents: read - steps: - - name: Checkout sssd repository - uses: actions/checkout@v3 - with: - path: sssd - - - name: Setup containers - uses: SSSD/sssd-ci-containers/actions/setup@master - with: - path: sssd-ci-containers - tag: ${{ matrix.tag }} - limit: dns client - override: | - services: - client: - image: ${REGISTRY}/ci-client-devel:${TAG} - shm_size: 4G - tmpfs: - - /dev/shm - volumes: - - ../sssd:/sssd:rw - - - name: Build SSSD on the client - uses: SSSD/sssd-ci-containers/actions/exec@master - with: - log-file: multihost-build.log - working-directory: /sssd - script: | - #!/bin/bash - set -ex - - ./contrib/ci/run --deps-only - autoreconf -if - - mkdir -p /dev/shm/sssd - pushd /dev/shm/sssd - /sssd/configure --enable-silent-rules - make rpms - - - name: Install SSSD on the client - uses: SSSD/sssd-ci-containers/actions/exec@master - with: - log-file: multihost-install.log - user: root - script: | - #!/bin/bash - set -ex - - dnf remove -y --noautoremove sssd\* - dnf install -y /dev/shm/sssd/rpmbuild/RPMS/*/*.rpm - rm -fr /dev/shm/sssd - - - name: Install multihost tests dependencies - shell: bash - run: | - set -ex - - sudo apt-get update - - # Install certutil and dependencies for python-ldap - sudo apt-get install -y libnss3-tools libsasl2-dev python3-dev libldap2-dev libssl-dev - - # Virtualenv - pip3 install virtualenv - python3 -m venv .venv - source .venv/bin/activate - - # Install multihost tests requirements - pip3 install -r ./sssd/src/tests/multihost/requirements.txt - - - name: Create multihost configuration - uses: DamianReeves/write-file-action@41569a7dac64c252caacca7bceefe28b70b38db1 - with: - path: mhc.yml - write-mode: overwrite - contents: | - root_password: 'Secret123' - domains: - - 
name: tier0.tests - type: sssd - hosts: - - name: client - external_hostname: client.test - role: master - - - name: Run basic multihost tests - run: | - set -ex -o pipefail - - source .venv/bin/activate - export PYTHONPATH="${PYTHONPATH}:$(realpath ./sssd/src/tests/multihost)" - pytest -s --multihost-config=./mhc.yml ./sssd/src/tests/multihost/basic |& tee multihost-pytest.log - - - name: Upload artifacts - if: always() - uses: actions/upload-artifact@v3 - with: - if-no-files-found: ignore - name: ${{ matrix.tag }}-multihost - path: | - sssd/ci-install-deps.log - multihost-build.log - multihost-install.log - multihost-pytest.log - system: needs: [prepare, build] strategy: @@ -376,12 +262,11 @@ jobs: name: All tests are successful if: ${{ always() }} runs-on: ubuntu-latest - needs: [build, intgcheck, multihost, system] + needs: [build, intgcheck, system] steps: - name: Fail on failure if: | needs.build.result != 'success' || needs.intgcheck.result != 'success' - || needs.multihost.result != 'success' || needs.system.result != 'success' run: exit 1 diff --git a/src/tests/multihost/basic/conftest.py b/src/tests/multihost/basic/conftest.py deleted file mode 100644 index 8856fa36002..00000000000 --- a/src/tests/multihost/basic/conftest.py +++ /dev/null 
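Review bot: The new `needs: [build, intgcheck, system]` line and the dropped `|| needs.multihost.result != 'success'` condition take the job that ran `src/tests/multihost/basic` out of the merge gate, yet the commit message accounts only for test_ifp.py, test_kcm.py and test_ldapapi.py. The diffstat also deletes test_basic.py (ssh, kinit and offline cached-credential logins), test_config.py, test_files.py, test_sssctl_config_check.py and test_sudo.py, and nothing visible here says where that authentication and sudo coverage now lives; it may already exist in the system suite, but that is not shown. I would add one line per remaining file to the message, for example `* test_sudo.py tests are covered in <system test file>`, or keep the job until those are ported. The message also names test_ldapapi.py while the file actually removed is test_ldap.py.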
@@ -1,481 +0,0 @@ -from sssd.testlib.common.libkrb5 import krb5srv -from sssd.testlib.common.utils import sssdTools, PkiTools -from sssd.testlib.common.utils import LdapOperations -from sssd.testlib.common.libdirsrv import DirSrvWrap -from sssd.testlib.common.exceptions import PkiLibException -from sssd.testlib.common.exceptions import LdapException -from sssd.testlib.common.exceptions import SSSDException - -import pytest -try: - import ConfigParser -except ImportError: - import configparser as ConfigParser -import os -import tempfile -import ldap - - -pytest_plugins = ( - 'sssd.testlib.common.fixtures', - 'pytest_importance', - 'pytest_ticket', - 'sssd.testlib.common.custom_log', -) - - -def pytest_configure(): - pytest.num_masters = 1 - pytest.num_ad = 0 - pytest.num_atomic = 0 - pytest.num_replicas = 0 - pytest.num_clients = 0 - pytest.num_others = 0 - - -@pytest.fixture(scope="class") -def multihost(session_multihost): - """ multihost fixture """ - return session_multihost - - -@pytest.fixture(scope="session") -def package_install(session_multihost): - """ Install required packages """ - distro = session_multihost.master[0].distro - pkg_list = 'acl authselect nss-tools 389-ds-base krb5-server '\ - 'openldap-clients krb5-workstation '\ - 'sssd sssd-dbus sssd-kcm ' \ - 'expect ldb-tools sssd-tools' - cmd = 'yum install -y %s' % (pkg_list) - if '8.' 
in distro: - enableidm = 'yum -y module enable idm:DL1' - session_multihost.master[0].run_command(enableidm) - session_multihost.master[0].run_command(cmd) - - -@pytest.fixture(scope="session") -def run_authselect(session_multihost): - """ Run authconfig to configure Kerberos and SSSD auth on remote host """ - authselect_cmd = 'authselect select sssd with-mkhomedir --force' - session_multihost.master[0].run_command(authselect_cmd) - - -@pytest.fixture(scope="session") -def nssdir(session_multihost): - """ Setup Self signed CA """ - server_list = [session_multihost.master[0].sys_hostname] - pki_inst = PkiTools() - try: - certdb = pki_inst.createselfsignedcerts(server_list) - except PkiLibException as err: - return (err.msg, err.rval) - else: - return certdb - - -@pytest.fixture(scope="session") -def setup_ldap(session_multihost, nssdir, request): - """ Setup Directory Server """ - ds_obj = DirSrvWrap(session_multihost.master[0], ssl=True, ssldb=nssdir) - ds_obj.create_ds_instance('example1', 'dc=example,dc=test') - - def remove_ldap(): - """ Remove ldap server instance """ - ds_obj.remove_ds_instance('example1') - request.addfinalizer(remove_ldap) - - -@pytest.fixture(scope="session") -def setup_kerberos(session_multihost, request): - """ Setup kerberos """ - tools = sssdTools(session_multihost.master[0]) - tools.config_etckrb5('EXAMPLE.TEST') - krb = krb5srv(session_multihost.master[0], 'EXAMPLE.TEST') - krb.krb_setup_new() - - def remove_kerberos(): - """ Remove kerberos instance """ - krb.destroy_krb5server() - remove_keytab = 'rm -f /etc/krb5.keytab' - session_multihost.master[0].run_command(remove_keytab) - request.addfinalizer(remove_kerberos) - - -@pytest.fixture(scope='class', autouse=True) -def setup_sssd(session_multihost, request): - """ Configure sssd.conf """ - domain_section = 'domain/EXAMPLE.TEST' - ldap_uri = 'ldap://%s' % (session_multihost.master[0].sys_hostname) - krb5_server = session_multihost.master[0].sys_hostname - cacert_loc = 
'/etc/openldap/cacerts/cacert.pem' - sssdConfig = ConfigParser.ConfigParser() - sssdConfig.optionxform = str - sssdConfig.add_section('sssd') - sssdConfig.set('sssd', 'domains', 'EXAMPLE.TEST') - sssdConfig.set('sssd', 'config_file_version', '2') - sssdConfig.set('sssd', 'services', 'nss, pam, sudo, ifp') - sssdConfig.add_section(domain_section) - sssdConfig.set(domain_section, 'enumerate', 'false') - sssdConfig.set(domain_section, 'id_provider', 'ldap') - sssdConfig.set(domain_section, 'ldap_uri', ldap_uri) - sssdConfig.set(domain_section, 'ldap_search_base', 'dc=example,dc=test') - sssdConfig.set(domain_section, 'ldap_tls_cacert', cacert_loc) - sssdConfig.set(domain_section, 'auth_provider', 'krb5') - sssdConfig.set(domain_section, 'krb5_server', krb5_server) - sssdConfig.set(domain_section, 'krb5_kpasswd', krb5_server) - sssdConfig.set(domain_section, 'krb5_realm', 'EXAMPLE.TEST') - sssdConfig.set(domain_section, 'debug_level', '9') - sssdConfig.set(domain_section, 'ldap_sudo_random_offset', '0') - sssdConfig.add_section('nss') - sssdConfig.set('nss', 'debug_level', '9') - sssdConfig.add_section('pam') - sssdConfig.set('pam', 'debug_level', '9') - sssdConfig.add_section('kcm') - sssdConfig.set('kcm', 'debug_level', '9') - temp_fd, temp_file_path = tempfile.mkstemp(suffix='conf', prefix='sssd') - with open(temp_file_path, "w") as outfile: - sssdConfig.write(outfile) - session_multihost.master[0].transport.put_file(temp_file_path, - '/etc/sssd/sssd.conf') - chg_perm = 'chmod 600 /etc/sssd/sssd.conf' - session_multihost.master[0].run_command(chg_perm) - os.close(temp_fd) - try: - session_multihost.master[0].service_sssd('restart') - except SSSDException: - journalctl_cmd = "journalctl -x -n 50 --no-pager" - session_multihost.master[0].run_command(journalctl_cmd) - assert False - - def stop_sssd(): - """ Stop sssd service """ - session_multihost.master[0].service_sssd('stop') - sssd_cache = ['cache_%s.ldb' % ('EXAMPLE.TEST'), 'config.ldb', - 'sssd.ldb', 
'timestamps_%s.ldb' % ('EXAMPLE.TEST')] - for cache_file in sssd_cache: - db_file = '/var/lib/sss/db/%s' % (cache_file) - session_multihost.master[0].run_command(['rm', '-f', db_file]) - secrets_db = '/var/lib/sss/secrets/secrets.ldb' - session_multihost.master[0].run_command(['rm', '-f', secrets_db]) - request.addfinalizer(stop_sssd) - - -@pytest.fixture -def enable_kcm(session_multihost, request): - """ Enable sssd kcm """ - backup_krb5_conf = 'cp /etc/krb5.conf /etc/krb5.conf.nokcm' - session_multihost.master[0].run_command(backup_krb5_conf) - session_multihost.master[0].service_sssd('stop') - tools = sssdTools(session_multihost.master[0]) - tools.enable_kcm() - start_kcm = 'systemctl start sssd-kcm' - session_multihost.master[0].service_sssd('start') - session_multihost.master[0].run_command(start_kcm) - - def disable_kcm(): - """ Disable sssd kcm """ - restore_krb5_conf = 'cp /etc/krb5.conf.nokcm /etc/krb5.conf' - session_multihost.master[0].run_command(restore_krb5_conf) - stop_kcm = 'systemctl stop sssd-kcm' - session_multihost.master[0].run_command(stop_kcm) - request.addfinalizer(disable_kcm) - - -@pytest.fixture(scope='session') -def enable_oddjob(session_multihost, request): - """Enables and starts oddjob service""" - check_enabled = session_multihost.master[0].run_command( - 'systemctl is-enabled oddjobd.service', raiseonerr=False) - enabled = "enabled" in check_enabled.stdout_text - check_active = session_multihost.master[0].run_command( - 'systemctl is-active oddjobd.service', raiseonerr=False) - active = "inactive" not in check_active.stdout_text - if not enabled: - session_multihost.master[0].run_command( - 'systemctl enable oddjobd.service', raiseonerr=False) - if not active: - session_multihost.master[0].run_command( - 'systemctl start oddjobd.service', raiseonerr=False) - - def revert_odjob(): - """Reverts changes to oddjob service.""" - if not enabled: - session_multihost.master[0].run_command( - 'systemctl disable oddjobd.service', 
raiseonerr=False) - if not active: - session_multihost.master[0].run_command( - 'systemctl stop oddjobd.service', raiseonerr=False) - - request.addfinalizer(revert_odjob) - - -@pytest.fixture -def create_casesensitive_posix_user(session_multihost): - """ Create a case sensitive posix user """ - ldap_uri = 'ldap://%s' % (session_multihost.master[0].sys_hostname) - krb = krb5srv(session_multihost.master[0], 'EXAMPLE.TEST') - ds_rootdn = 'cn=Directory Manager' - ds_rootpw = 'Secret123' - ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw) - username = 'CAPSUSER-1' - user_info = {'cn': username, - 'uid': username, - 'uidNumber': '24583100', - 'gidNumber': '14564100'} - ldap_inst.posix_user("ou=People", "dc=example,dc=test", user_info) - krb.add_principal('CAPSUSER-1', 'user', 'Secret123') - - -@pytest.fixture -def set_case_sensitive_false(session_multihost, request): - """ Set case_sensitive to false in sssd domain section """ - bkup_sssd = 'cp -f /etc/sssd/sssd.conf /etc/sssd/sssd.conf.orig' - session_multihost.master[0].run_command(bkup_sssd) - session_multihost.master[0].transport.get_file('/etc/sssd/sssd.conf', - '/tmp/sssd.conf') - sssdconfig = ConfigParser.ConfigParser() - sssdconfig.read('/tmp/sssd.conf') - domain_section = "%s/%s" % ('domain', 'EXAMPLE.TEST') - if domain_section in sssdconfig.sections(): - sssdconfig.set(domain_section, 'case_sensitive', 'false') - with open('/tmp/sssd.conf', "w") as sssconf: - sssdconfig.write(sssconf) - session_multihost.master[0].transport.put_file('/tmp/sssd.conf', - '/etc/sssd/sssd.conf') - session_multihost.master[0].service_sssd('restart') - - def restore_sssd(): - """ Restore sssd.conf """ - restore_sssd = 'cp -f /etc/sssd/sssd.conf.orig /etc/sssd/sssd.conf' - session_multihost.master[0].run_command(restore_sssd) - session_multihost.master[0].service_sssd('restart') - request.addfinalizer(restore_sssd) - - -@pytest.fixture -def set_entry_cache_sudo_timeout(session_multihost, request): - """ Set entry cache sudo 
timeout in sssd.conf """ - bkup_sssd = 'cp -f /etc/sssd/sssd.conf /etc/sssd/sssd.conf.orig' - session_multihost.master[0].run_command(bkup_sssd) - session_multihost.master[0].transport.get_file('/etc/sssd/sssd.conf', - '/tmp/sssd.conf') - sssdconfig = ConfigParser.ConfigParser() - sssdconfig.read('/tmp/sssd.conf') - domain_section = "%s/%s" % ('domain', 'EXAMPLE.TEST') - if domain_section in sssdconfig.sections(): - sssdconfig.set(domain_section, 'entry_cache_sudo_timeout', '30') - with open('/tmp/sssd.conf', "w") as sssconf: - sssdconfig.write(sssconf) - session_multihost.master[0].transport.put_file('/tmp/sssd.conf', - '/etc/sssd/sssd.conf') - session_multihost.master[0].service_sssd('restart') - - def restore_sssd(): - """ Restore sssd.conf """ - restore_sssd = 'cp -f /etc/sssd/sssd.conf.orig /etc/sssd/sssd.conf' - session_multihost.master[0].run_command(restore_sssd) - session_multihost.master[0].service_sssd('restart') - request.addfinalizer(restore_sssd) - - -@pytest.fixture -def generic_sudorule(session_multihost, request): - """ Create a generic sudo rule """ - ldap_uri = 'ldap://%s' % (session_multihost.master[0].sys_hostname) - ds_rootdn = 'cn=Directory Manager' - ds_rootpw = 'Secret123' - ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw) - ldap_inst.org_unit('sudoers', 'dc=example,dc=test') - sudo_ou = 'ou=sudoers,dc=example,dc=test' - rule_dn1 = "%s,%s" % ('cn=lessrule', sudo_ou) - sudo_options = ["!requiretty", "!authenticate"] - try: - ldap_inst.add_sudo_rule(rule_dn1, 'ALL', - '/usr/bin/less', 'foo1', - sudo_options) - except LdapException: - pytest.fail("Failed to add sudo rule %s" % rule_dn1) - - def del_sudo_rule(): - """ Delete sudo rule """ - (ret, _) = ldap_inst.del_dn(rule_dn1) - assert ret == 'Success' - (ret, _) = ldap_inst.del_dn(sudo_ou) - assert ret == 'Success' - request.addfinalizer(del_sudo_rule) - - -@pytest.fixture -def enable_files_domain(session_multihost): - """ - Enable the implicit files domain - """ - 
session_multihost.master[0].transport.get_file('/etc/sssd/sssd.conf', - '/tmp/sssd.conf') - sssdconfig = ConfigParser.RawConfigParser(delimiters=('=')) - sssdconfig.read('/tmp/sssd.conf') - sssd_section = 'sssd' - if sssd_section in sssdconfig.sections(): - sssdconfig.set(sssd_section, 'enable_files_domain', 'true') - with open('/tmp/sssd.conf', "w") as sssconf: - sssdconfig.write(sssconf) - session_multihost.master[0].transport.put_file('/tmp/sssd.conf', - '/etc/sssd/sssd.conf') - session_multihost.master[0].service_sssd('restart') - - -@pytest.fixture(scope="class") -def files_domain_users_class(request, session_multihost): - users = ('lcl1', 'lcl2', 'lcl3') - for user in users: - useradd_cmd = "useradd %s" % (user) - session_multihost.master[0].run_command(useradd_cmd) - - no_home_users = ('no_home_user', ) - for user in no_home_users: - useradd_cmd = "useradd --no-create-home %s" % (user) - session_multihost.master[0].run_command(useradd_cmd) - usermod_cmd = "usermod -d /tmp %s" % (user) - session_multihost.master[0].run_command(usermod_cmd) - - def teardown_files_domain_users(): - for user in users + no_home_users: - userdel_cmd = "userdel %s" % (user) - session_multihost.master[0].run_command(userdel_cmd) - request.addfinalizer(teardown_files_domain_users) - - -@pytest.fixture -def case_sensitive_sudorule(session_multihost, - create_casesensitive_posix_user, - request): - """ Create posix user and groups """ - ldap_uri = 'ldap://%s' % (session_multihost.master[0].sys_hostname) - ds_rootdn = 'cn=Directory Manager' - ds_rootpw = 'Secret123' - ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw) - ldap_inst.org_unit('sudoers', 'dc=example,dc=test') - sudo_ou = 'ou=sudoers,dc=example,dc=test' - rule_dn1 = "%s,%s" % ('cn=lessrule', sudo_ou) - rule_dn2 = "%s,%s" % ('cn=morerule', sudo_ou) - sudo_options = ["!requiretty", "!authenticate"] - try: - ldap_inst.add_sudo_rule(rule_dn1, 'ALL', - '/usr/bin/less', 'capsuser-1', - sudo_options) - except LdapException: 
- pytest.fail("Failed to add sudo rule %s" % rule_dn1) - try: - ldap_inst.add_sudo_rule(rule_dn2, 'ALL', - '/usr/bin/more', 'CAPSUSER-1', - sudo_options) - except LdapException: - pytest.fail("Failed to add sudo rule %s" % rule_dn2) - - def del_sensitive_sudo_rule(): - """ Delete sudo rule """ - (ret, _) = ldap_inst.del_dn(rule_dn1) - assert ret == 'Success' - (ret, _) = ldap_inst.del_dn(rule_dn2) - assert ret == 'Success' - (ret, _) = ldap_inst.del_dn(sudo_ou) - assert ret == 'Success' - request.addfinalizer(del_sensitive_sudo_rule) - - -@pytest.fixture -def enable_sss_sudo_nsswitch(session_multihost, tmpdir, request): - """Enable sss backend for sudoers in nsswitch.conf """ - conf = '/etc/nsswitch.conf' - local_conf = tmpdir.mkdir("tmpdir").join('nsswitch.conf') - backup_cmd = "cp -f /etc/nsswitch.conf /etc/nsswitch.conf.backup" - session_multihost.master[0].run_command(backup_cmd) - content = '\nsudoers: sss\n' - session_multihost.master[0].transport.get_file(conf, str(local_conf)) - - local_conf.write(content, mode='a') - session_multihost.master[0].transport.put_file(str(local_conf), - '/etc/nsswitch.conf') - - def restore_nsswitch(): - """ Restore nsswitch.conf """ - restore_cmd = 'cp -f /etc/nsswitch.conf.backup /etc/nsswitch.conf' - session_multihost.master[0].run_command(restore_cmd) - request.addfinalizer(restore_nsswitch) - - -@pytest.fixture(scope='session') -def create_posix_usersgroups(session_multihost): - """ Create posix user and groups """ - ldap_uri = 'ldap://%s' % (session_multihost.master[0].sys_hostname) - ds_rootdn = 'cn=Directory Manager' - ds_rootpw = 'Secret123' - ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw) - krb = krb5srv(session_multihost.master[0], 'EXAMPLE.TEST') - for i in range(10): - user_info = {'cn': 'foo%d' % i, - 'uid': 'foo%d' % i, - 'uidNumber': '1458310%d' % i, - 'gidNumber': '14564100', - 'userPassword': 'Secret123'} - if ldap_inst.posix_user("ou=People", "dc=example,dc=test", user_info): - 
krb.add_principal('foo%d' % i, 'user', 'Secret123') - else: - print("Unable to add ldap User %s" % (user_info)) - assert False - memberdn = 'uid=%s,ou=People,dc=example,dc=test' % ('foo0') - group_info = {'cn': 'ldapusers', - 'gidNumber': '14564100', - 'uniqueMember': memberdn} - try: - ldap_inst.posix_group("ou=Groups", "dc=example,dc=test", group_info) - except LdapException: - assert False - group_dn = 'cn=ldapusers,ou=Groups,dc=example,dc=test' - for i in range(1, 10): - user_dn = 'uid=foo%d,ou=People,dc=example,dc=test' % i - add_member = [(ldap.MOD_ADD, 'uniqueMember', user_dn.encode('utf-8'))] - (ret, _) = ldap_inst.modify_ldap(group_dn, add_member) - assert ret == 'Success' - - -@pytest.fixture(scope='session') -def create_many_user_principals(session_multihost): - krb = krb5srv(session_multihost.master[0], 'EXAMPLE.TEST') - for i in range(1, 65): - username = "user%04d" % i - krb.add_principal(username, 'user', 'Secret123') - - -@pytest.fixture(scope="session", autouse=True) -def setup_session(request, session_multihost, - package_install, - run_authselect, - setup_ldap, - setup_kerberos, - create_posix_usersgroups, - enable_oddjob, - create_testdir): - """ Run all session scoped fixtures """ - tp = TestPrep(session_multihost) - tp.setup() - - def teardown_session(): - """ Run teardown session scoped fixtures """ - tp.teardown() - request.addfinalizer(teardown_session) - - -class TestPrep(object): - """ Initialize Session """ - def __init__(self, multihost): - self.multihost = multihost - - def setup(self): - """ Start session """ - print("\n............Session Setup...............") - - def teardown(self): - """ End session """ - print("\n............Session Ends.................") diff --git a/src/tests/multihost/basic/mhc.yaml b/src/tests/multihost/basic/mhc.yaml deleted file mode 100644 index 24d505481a6..00000000000 --- a/src/tests/multihost/basic/mhc.yaml +++ /dev/null 
@@ -1,8 +0,0 @@
-root_password: 'vagrant'
-domains:
-- name: tier0.tests
- type: sssd
- hosts:
- - name: client
- external_hostname: client.test
- role: master
diff --git a/src/tests/multihost/basic/pytest.ini b/src/tests/multihost/basic/pytest.ini
deleted file mode 100644
index d65ce07a35b..00000000000
--- a/src/tests/multihost/basic/pytest.ini
+++ /dev/null
@@ -1,3 +0,0 @@
-[pytest]
-markers =
- converted: Tests that are already converted to the new framework.
diff --git a/src/tests/multihost/basic/test_basic.py b/src/tests/multihost/basic/test_basic.py
deleted file mode 100644
index 214cecc48e5..00000000000
--- a/src/tests/multihost/basic/test_basic.py
+++ /dev/null
@@ -1,84 +0,0 @@ -""" SSSD Sanity Test Cases - -:requirement: IDM-SSSD-REQ : KRB5 Provider -:casecomponent: sssd -:subsystemteam: sst_idm_sssd -:upstream: yes -:status: approved -""" -import time -import configparser as ConfigParser -from sssd.testlib.common.utils import sssdTools - - -class TestSanitySSSD(object): - """ Basic Sanity Test cases """ - @staticmethod - def test_ssh_user_login(multihost): - """ - :title: Login: Check ssh login as LDAP user with Kerberos credentials - :id: b7600a46-1827-486a-ae2e-cbedad6ddf41 - """ - client = sssdTools(multihost.master[0]) - ssh0 = client.auth_from_client("foo1", 'Secret123') == 3 - assert ssh0, "Authentication Failed as user foo1" - - @staticmethod - def test_kinit(multihost): - """ - :title: Login: Verify kinit is successfull after user login - :id: 5e15e9e9-c559-49b8-a164-abe13d82d0fd - """ - user = 'foo2' - cmd = multihost.master[0].run_command( - f'su - {user} -c "kinit"', stdin_text='Secret123', - raiseonerr=False) - assert cmd.returncode == 0, "kinit failed!" - - cmd2 = multihost.master[0].run_command( - f'su - {user} -c "klist"', raiseonerr=False) - assert cmd2.returncode == 0, "klist failed!" 
- - @staticmethod - def test_offline_ssh_login(multihost): - """ - :title: Login: Verify offline ssh login - :id: 90e9a834-a1f9-4bef-bdae-57a7b411cce4 - """ - multihost.master[0].transport.get_file('/etc/sssd/sssd.conf', - '/tmp/sssd.conf') - sssdconfig = ConfigParser.RawConfigParser() - sssdconfig.read('/tmp/sssd.conf') - domain_section = "%s/%s" % ('domain', 'EXAMPLE.TEST') - if domain_section in sssdconfig.sections(): - sssdconfig.set(domain_section, 'cache_credentials', 'True') - sssdconfig.set(domain_section, 'krb5_store_password_if_offline', - 'True') - sssdconfig.set('pam', 'offline_credentials_expiration', '0') - with open('/tmp/sssd.conf', "w") as file_d: - sssdconfig.write(file_d) - else: - print("Could not fetch sssd.conf") - assert False - multihost.master[0].transport.put_file('/tmp/sssd.conf', - '/etc/sssd/sssd.conf') - multihost.master[0].service_sssd('restart') - time.sleep(5) - client = sssdTools(multihost.master[0]) - user = 'foo4' - ssh0 = client.auth_from_client(user, password='Secret123') == 3 - assert ssh0, f"Initial ssh login as {user} failed." - - stop_dirsrv = 'systemctl stop dirsrv@example1' - stop_krb5kdc = 'systemctl stop krb5kdc' - multihost.master[0].run_command(stop_dirsrv) - multihost.master[0].run_command(stop_krb5kdc) - - ssh1 = client.auth_from_client(user, password='Secret123') == 3 - - start_dirsrv = 'systemctl start dirsrv@example1' - start_krb5kdc = 'systemctl start krb5kdc' - multihost.master[0].run_command(start_dirsrv) - multihost.master[0].run_command(start_krb5kdc) - - assert ssh1, f"Offline ssh login as {user} failed." diff --git a/src/tests/multihost/basic/test_config.py b/src/tests/multihost/basic/test_config.py deleted file mode 100644 index 00a82204cb6..00000000000 --- a/src/tests/multihost/basic/test_config.py +++ /dev/null 
@@ -1,109 +0,0 @@ -""" SSSD Configuration-related Test Cases - -:requirement: IDM-SSSD-REQ: Configuration merging -:casecomponent: sssd -:subsystemteam: sst_idm_sssd -:upstream: yes -:status: approved -""" - -from utils_config import set_param, remove_section - - -class TestSSSDConfig(object): - """ - Test cases around SSSD config management - """ - def _assert_config_value(self, multihost, section, key, value): - # This would really be much, much nicer to implement using python-ldb - # but at the moment, the multihost tests rely on a virtual environment - # where everything is pip-installed..and python-ldb is not present in - # pip - confdb_dn = 'cn=%s,cn=config' % (section) - ldb_cmd = 'ldbsearch -H /var/lib/sss/db/config.ldb -b %s' % (confdb_dn) - cmd = multihost.master[0].run_command(ldb_cmd) - check_str = '%s: %s' % (key, value) - assert check_str in cmd.stdout_text - - def test_sssd_genconf_sssd_running(self, multihost): - """ - :title: config: sssd --genconf is able to re-generate - the configuration even while SSSD is running - :id: 078721e9-536b-4fd8-a36d-bd94673228fc - """ - multihost.master[0].service_sssd('restart') - - self._assert_config_value(multihost, 'pam', 'debug_level', '9') - - set_param(multihost, 'pam', 'debug_level', '1') - multihost.master[0].run_command('/usr/sbin/sssd --genconf') - self._assert_config_value(multihost, 'pam', 'debug_level', '1') - - set_param(multihost, 'pam', 'debug_level', '9') - - def test_sssd_genconf_section_only(self, multihost): - """ - :title: config: sssd --genconf-section only - refreshes those sections given on the command line - :id: 011bf2ad-4a2a-4350-adfa-7826349e262f - """ - multihost.master[0].service_sssd('restart') - - self._assert_config_value(multihost, 'pam', 'debug_level', '9') - self._assert_config_value(multihost, 'nss', 'debug_level', '9') - - set_param(multihost, 'pam', 'debug_level', '1') - set_param(multihost, 'nss', 'debug_level', '1') - multihost.master[0].run_command( - '/usr/sbin/sssd 
--genconf-section=pam') - - # We only told genconf to touch the pam section.. - self._assert_config_value(multihost, 'pam', 'debug_level', '1') - # ..so the NSS section shouldn't be updated at all - self._assert_config_value(multihost, 'nss', 'debug_level', '9') - - set_param(multihost, 'nss', 'debug_level', '9') - set_param(multihost, 'pam', 'debug_level', '9') - - def test_sssd_genconf_add_remove_section(self, multihost): - """ - :title: config: sssd --genconf-section can not only modify - existing configuration sections, but also add a new section - :id: 8df66b51-aadc-456e-8f27-a1a787e61769 - """ - # Establish a baseline - multihost.master[0].service_sssd('restart') - self._assert_config_value(multihost, 'pam', 'debug_level', '9') - self._assert_config_value(multihost, 'nss', 'debug_level', '9') - - set_param(multihost, 'foo', 'bar', 'baz') - - multihost.master[0].run_command( - '/usr/sbin/sssd --genconf-section=foo') - - ldb_cmd = 'ldbsearch -H /var/lib/sss/db/config.ldb -b cn=foo,cn=config' - cmd = multihost.master[0].run_command(ldb_cmd) - assert 'bar: baz' in cmd.stdout_text - - remove_section(multihost, 'foo') - multihost.master[0].run_command( - '/usr/sbin/sssd --genconf-section=foo') - - ldb_cmd = 'ldbsearch -H /var/lib/sss/db/config.ldb -b cn=foo,cn=config' - cmd = multihost.master[0].run_command(ldb_cmd) - assert 'foo' not in cmd.stdout_text - # Also make sure the existing sections were intact - self._assert_config_value(multihost, 'pam', 'debug_level', '9') - self._assert_config_value(multihost, 'nss', 'debug_level', '9') - - def test_sssd_genconf_no_such_section(self, multihost): - """ - :title: config: Referencing a non-existant section must not fail - :id: 4e160dcc-9789-4f3f-b8d4-c67d27ef4a1c - :description: Referencing a non-existant section must not fail, - because we want to call this command from the systemd unit files - and by default the sections don't have to be present - """ - multihost.master[0].service_sssd('restart') - 
multihost.master[0].run_command( - '/usr/sbin/sssd --genconf-section=xyz') diff --git a/src/tests/multihost/basic/test_files.py b/src/tests/multihost/basic/test_files.py deleted file mode 100644 index c5c921b3644..00000000000 --- a/src/tests/multihost/basic/test_files.py +++ /dev/null 
@@ -1,61 +0,0 @@
-"""Files test provider cases
-
-:requirement: IDM-SSSD-REQ :: SSSD is default for local resolution
-:casecomponent: sssd
-:subsystemteam: sst_idm_sssd
-:upstream: yes
-:status: approved
-"""
-import pytest
-
-
-def get_sss_entry(multihost, db, ent_name):
- cmd = multihost.master[0].run_command('getent %s -s sss %s' % (db, ent_name), raiseonerr=False)
- return cmd.returncode, cmd.stdout_text
-
-
-def get_sss_user(multihost, username):
- return get_sss_entry(multihost, 'passwd', username)
-
-
-@pytest.mark.usefixtures('enable_files_domain', 'files_domain_users_class')
-class TestImplicitFilesProvider(object):
- """
- Test the files provider. This test runs the implicit files provider
- together with another domain to stick close to what users use in Fedora
- """
- def test_files_does_not_handle_root(self, multihost):
- """
- :title: files: files provider does not handle root
- :id: 5aa5165d-379f-4fc6-b4ed-b32b66406d4f
- """
- exit_status, _ = get_sss_user(multihost, 'root')
- assert exit_status == 2
-
- def test_files_sanity(self, multihost):
- """
- :title: files: Test that the files provider can resolve a user
- :id: 242cd094-b04d-4857-981a-8624573dde84
- """
- exit_status, _ = get_sss_user(multihost, 'lcl1')
- assert exit_status == 0
-
- def test_files_enumeration(self, multihost):
- """
- :title: files: Verify files provider do not enumerate
- :id: e6d922bf-3af2-4cea-8570-6dd9233da624
- :description: Since nss_files enumerates and libc would
- concatenate the results, the files provider of SSSD should
- not enumerate
- """
- cmd = multihost.master[0].run_command('getent passwd -s sss')
- assert len(cmd.stdout_text) == 0
-
- def test_updated_homedir(self, multihost):
- """
- :title: files: Test that homedir is updated
- :id: a9a0a911-1818-40d1-b897-0397ef107fd4
- """
- exit_status, output = get_sss_user(multihost, 'no_home_user')
- assert exit_status == 0
- assert ":/tmp:" in output
diff --git a/src/tests/multihost/basic/test_ifp.py b/src/tests/multihost/basic/test_ifp.py
deleted file mode 100644
index 81737645a2a..00000000000
--- a/src/tests/multihost/basic/test_ifp.py
+++ /dev/null
@@ -1,31 +0,0 @@
-"""InfoPipe test cases
-
-:requirement: IDM-SSSD-REQ : Configuration and Service Management
-:casecomponent: sssd
-:subsystemteam: sst_idm_sssd
-:upstream: yes
-:status: approved
-"""
-
-
-class TestInfoPipe(object):
- """
- Test the InfoPipe responder
- """
- def test_ifp_extra_attributes_property(self, multihost):
- """
- :title: ifp: requesting the extraAttributes property works
- :id: 23b8c7e8-df4b-47ef-b38e-0503040e1d67
- see e.g. https://github.com/SSSD/sssd/issues/4891
- """
- dbus_send_cmd = \
- """
- dbus-send --print-reply --system \
- --dest=org.freedesktop.sssd.infopipe \
- /org/freedesktop/sssd/infopipe/Users/LDAP_2eTEST/123 \
- org.freedesktop.DBus.Properties.Get \
- string:"org.freedesktop.sssd.infopipe.Users.User" \
- string:"extraAttributes"
- """
- cmd = multihost.master[0].run_command(dbus_send_cmd)
- assert cmd.returncode == 0
diff --git a/src/tests/multihost/basic/test_kcm.py b/src/tests/multihost/basic/test_kcm.py
deleted file mode 100644
index 53c34e6d5f0..00000000000
--- a/src/tests/multihost/basic/test_kcm.py
+++ /dev/null
@@ -1,340 +0,0 @@
-""" KCM Responder Sanity Test Cases
-
-:requirement: IDM-SSSD-REQ :: SSSD KCM as default Kerberos CCACHE provider
-:casecomponent: sssd
-:subsystemteam: sst_idm_sssd
-:upstream: yes
-:status: approved
-"""
-import os
-import re
-import pytest
-from pexpect import pxssh
-from utils_config import set_param
-from sssd.testlib.common.utils import sssdTools
-
-
-class TestSanityKCM(object):
- """ KCM Sanity Test cases """
- def _kcm_service_op(self, multihost, svc_op):
- systemd_kcm_op = 'systemctl %s sssd-kcm' % (svc_op)
- multihost.master[0].run_command(systemd_kcm_op)
-
- def _start_kcm(self, multihost):
- self._kcm_service_op(multihost, 'start')
-
- def _stop_kcm(self, multihost):
- self._kcm_service_op(multihost, 'stop')
-
- def _restart_kcm(self, multihost):
- self._kcm_service_op(multihost, 'restart')
-
- def _remove_kcm_log_file(self, multihost):
- multihost.master[0].run_command('rm -f /var/log/sssd/sssd_kcm.log')
-
- def _kcm_log_length(self, multihost):
- basename = 'sssd_kcm.log'
- kcm_log_file = '/var/log/sssd/' + basename
- local_kcm_log_file = '/tmp/kcm.log'
- try:
- multihost.master[0].transport.get_file(kcm_log_file,
- local_kcm_log_file)
- except (FileNotFoundError, OSError):
- return 0
-
- nlines = sum(1 for line in open(local_kcm_log_file))
- os.remove(local_kcm_log_file)
- return nlines
-
- def _remove_secret_db(self, multihost):
- multihost.master[0].run_command(
- 'rm -f /var/lib/sss/secrets/secrets.ldb')
- self._restart_kcm(multihost)
-
- @pytest.mark.usefixtures("enable_kcm")
- def test_kinit_kcm(self, multihost):
- """
- :title: kcm: Run kinit with KRB5CCNAME=KCM
- :id: 245eecf6-04b9-4c9f-8685-681d184fbbcf
- """
- self._start_kcm(multihost)
-
- user = 'foo3'
- cmd = multihost.master[0].run_command(
- f'su - {user} -c "KRB5CCNAME=KCM:; kinit"', stdin_text='Secret123',
- raiseonerr=False)
- assert cmd.returncode == 0, "kinit failed!"
-
- cmd2 = multihost.master[0].run_command(
- f'su - {user} -c "KRB5CCNAME=KCM:; klist"', raiseonerr=False)
- assert cmd2.returncode == 0, "klist failed!"
- assert 'Ticket cache: KCM:14583103' in cmd2.stdout_text
-
- @staticmethod
- @pytest.mark.usefixtures("enable_kcm")
- def test_ssh_login_kcm(multihost):
- """
- :title: kcm: Verify ssh logins are successuful with kcm as default
- :id: 458ed1e4-b908-40d3-b2fd-392e8d2dcf4b
- """
- # pylint: disable=unused-argument
- client = sssdTools(multihost.master[0])
- ssh0 = client.auth_from_client("foo4", 'Secret123') == 3
- if not ssh0:
- multihost.master[0].run_command(
- 'journalctl -u sssd -n 50 --no-pager')
- assert ssh0, "Authentication Failed as user foo4"
-
- @pytest.mark.usefixtures("enable_kcm")
- def test_kcm_debug_level_set(self, multihost):
- """
- :title: kcm: After kcm section with debug
- level set restaring sssd-kcm service enables kcm debugging
- :id: 31c74bfc-69d5-46bd-aef8-a5581970832e
- :description: Test that just adding a [kcm] section and restarting
- the kcm service enables debugging without having to restart the
- whole sssd
- """
- # Start from a known-good state where the configuration is refreshed
- # by the monitor and logging is completely disabled
- multihost.master[0].service_sssd('stop')
- self._stop_kcm(multihost)
- self._remove_kcm_log_file(multihost)
- set_param(multihost, 'kcm', 'debug_level', '0')
- multihost.master[0].service_sssd('start')
- self._start_kcm(multihost)
-
- log_lines_pre = self._kcm_log_length(multihost)
-
- # Debugging is disabled, kinit and make sure that no debug messages
- # were produced
- user = 'foo3'
- client = sssdTools(multihost.master[0])
- ssh0 = client.auth_from_client(user, 'Secret123') == 3
- assert ssh0, f"Authentication Failed as user {user}."
-
- multihost.master[0].run_command(
- f'su - {user} -c "kdestroy"', raiseonerr=False)
-
- log_lines_nodebug = self._kcm_log_length(multihost)
- assert log_lines_nodebug == log_lines_pre
-
- # Enable debugging, restart only the kcm service, make sure some
- # debug messages were produced
- set_param(multihost, 'kcm', 'debug_level', '9')
- self._restart_kcm(multihost)
-
- ssh1 = client.auth_from_client(user, 'Secret123') == 3
- assert ssh1, f"Authentication Failed as user {user}."
-
- multihost.master[0].run_command(
- f'su - {user} -c "kdestroy"', raiseonerr=False)
-
- log_lines_debug = self._kcm_log_length(multihost)
- assert log_lines_debug > log_lines_pre + 100
-
- @staticmethod
- @pytest.mark.usefixtures("enable_kcm")
- def test_kdestroy_retval(multihost):
- """
- :title: kcm: Test that destroying an empty cache does
- not return a non-zero return code
- :id: 2826097f-e6d7-4d99-ac85-3ee081aa681a
- """
-
- user = 'foo3'
- client = sssdTools(multihost.master[0])
- ssh0 = client.auth_from_client(user, 'Secret123') == 3
- assert ssh0, f"Authentication Failed as user {user}."
-
- kd1 = multihost.master[0].run_command(
- f'su -l {user} -c "kdestroy"', raiseonerr=False)
- assert kd1.returncode == 0, "First kdestroy failed!"
-
- # Run the command again in case there was something in the ccache
- # previously
- kd2 = multihost.master[0].run_command(
- f'su -l {user} -c "kdestroy"', raiseonerr=False)
- assert kd2.returncode == 0, "Second kdestroy failed!"
-
- @staticmethod
- @pytest.mark.usefixtures("enable_kcm")
- def test_ssh_forward_creds(multihost):
- """
- :title: kcm: Test that SSH can forward credentials with KCM
- :id: f4b0c785-a895-48a1-a55e-7519cf221393
- :ticket: https://github.com/SSSD/sssd/issues/4863
- """
- ssh = pxssh.pxssh(options={"StrictHostKeyChecking": "no",
- "UserKnownHostsFile": "/dev/null"})
- ssh.force_password = True
- try:
- ssh.login(multihost.master[0].sys_hostname, 'foo3', 'Secret123')
- ssh.sendline('kdestroy -A -q')
- ssh.prompt(timeout=5)
- ssh.sendline('kinit foo9')
- ssh.expect('Password for .*:', timeout=10)
- ssh.sendline('Secret123')
- ssh.prompt(timeout=5)
- ssh.sendline('klist')
- ssh.prompt(timeout=5)
- klist = str(ssh.before)
- ssh.sendline(f'ssh -v -o StrictHostKeyChecking=no -K -l foo9 '
- f'{multihost.master[0].sys_hostname} klist')
- ssh.prompt(timeout=30)
- ssh_output = str(ssh.before)
- ssh.logout()
- except pxssh.ExceptionPxssh as ex:
- pytest.fail(ex)
- # Note: The cache is based on uid so for foo3 it is 14583103 and
- # for foo9 it is 14583109 (see create_posix_usersgroups fixture)
- assert 'KCM:14583103' in klist, "kinit did not work!"
- assert 'KCM:14583109' in ssh_output, "Ticket not forwarded!"
-
- @staticmethod
- @pytest.mark.usefixtures("enable_kcm")
- def test_kvno_display(multihost):
- """
- :title: kcm: Test kvno correctly displays version numbers of principals
- :id: 7c9178e6-fea5-44a1-b473-76667624cee2
- :ticket: https://github.com/SSSD/sssd/issues/4763
- """
- host_princ = f'host/{multihost.master[0].sys_hostname}@EXAMPLE.TEST'
- kvno_cmd = f'kvno {host_princ}'
-
- client = sssdTools(multihost.master[0])
- client.auth_from_client('foo4', 'Secret123')
-
- kvno = multihost.master[0].run_command(
- f'su -l foo4 -c "{kvno_cmd}"', raiseonerr=False)
- assert kvno.returncode == 0, "kvno failed!"
-
- for line in kvno.stdout_text.splitlines():
- kvno_check = re.search(r'%s: kvno = (\d+)' % host_princ, line)
- if kvno_check:
- print(kvno_check.group())
- else:
- pytest.fail("kvno display was improper")
-
- @pytest.mark.usefixtures("enable_kcm", "create_many_user_principals")
- def test_kcm_peruid_quota(self, multihost):
- """
- :title: kcm: Make sure the quota limits a client, but only that client
- :id: 3ac8f62e-05e4-4ca7-b588-145fd6258c2a
- """
- # It is easier to keep these tests stable and independent from others
- # if they start from a clean slate
- self._remove_secret_db(multihost)
-
- client = sssdTools(multihost.master[0])
- client.auth_from_client('foo2', 'Secret123')
- client.auth_from_client('foo3', 'Secret123')
-
- # The loop would request 63 users, plus there is foo3 we authenticated
- # earlier, so this should exactly deplete the quota, but should succeed
- for i in range(1, 64):
- username = "user%04d" % i
- kinit = multihost.master[0].run_command(
- f'su -l foo3 -c "kinit {username}"',
- stdin_text='Secret123', raiseonerr=False)
- assert kinit.returncode == 0
-
- # this kinit should be exactly one over the peruid limit
- kinit_f = multihost.master[0].run_command(
- 'su -l foo3 -c "kinit user0064"',
- stdin_text='Secret123', raiseonerr=False)
- assert kinit_f.returncode != 0
-
- # Since this is a per-uid limit, another user should be able to kinit
- # just fine
- # this kinit should be exactly one over the peruid limit
- kinit_o = multihost.master[0].run_command(
- 'su -l foo2 -c "kinit user0064"',
- stdin_text='Secret123', raiseonerr=False)
- assert kinit_o.returncode == 0
-
- # kdestroy as the original user, the quota should allow a subsequent
- # kinit
- multihost.master[0].run_command(
- 'su -l foo3 -c "kdestroy -A"', raiseonerr=False)
- kinit_p = multihost.master[0].run_command(
- 'su -l foo3 -c "kinit user0064"',
- stdin_text='Secret123', raiseonerr=False)
- assert kinit_p.returncode == 0
-
- multihost.master[0].run_command(
- 'su -l foo2 -c "kdestroy -A"', raiseonerr=False)
-
- multihost.master[0].run_command(
- 'su -l foo3 -c "kdestroy -A"', raiseonerr=False)
-
- @pytest.mark.usefixtures("enable_kcm", "create_many_user_principals")
- def test_kcm_peruid_quota_increase(self, multihost):
- """
- :title: kcm: Quota increase
- :id: 0b3cab49-befb-4ab2-bb12-b102d94249aa
- :description: Increasing the peruid quota allows a client to store
- more data
- """
- # It is easier to keep these tests stable and independent from others
- # if they start from a clean slate
- self._remove_secret_db(multihost)
- user = 'foo3'
- client = sssdTools(multihost.master[0])
- client.auth_from_client(user, 'Secret123')
-
- # The loop would request 63 users, plus there is foo3 we authenticated
- # earlier, so this should exactly deplete the quota, but should succeed
- for i in range(1, 64):
- username = "user%04d" % i
- kinit = multihost.master[0].run_command(
- f'su -l {user} -c "kinit {username}"',
- stdin_text='Secret123', raiseonerr=False)
- assert kinit.returncode == 0
-
- # this kinit should be exactly one over the peruid limit
- kinit_f = multihost.master[0].run_command(
- f'su -l {user} -c "kinit user0064"',
- stdin_text='Secret123', raiseonerr=False)
- assert kinit_f.returncode != 0
-
- set_param(multihost, 'kcm', 'max_uid_ccaches', '65')
- self._restart_kcm(multihost)
-
- # Now the kinit should work as we increased the limit
- kinit_p = multihost.master[0].run_command(
- f'su -l {user} -c "kinit user0064"',
- stdin_text='Secret123', raiseonerr=False)
- assert kinit_p.returncode == 0
-
- multihost.master[0].run_command(
- f'su -l {user} -c "kdestroy -A"', raiseonerr=False)
-
- @pytest.mark.usefixtures("enable_kcm")
- def test_kcm_payload_low_quota(self, multihost):
- """
- :title: kcm: Quota enforcement
- :id: cb3daadb-c5e7-48f8-b419-11c616f0d602
- :description: Set a prohibitive quota for the per-ccache payload
- limit and make sure it gets enforced
- """
- # It is easier to keep these tests stable and independent from others
- # if they start from a clean slate
- self._remove_secret_db(multihost)
- user = 'foo3'
- client = sssdTools(multihost.master[0])
- client.auth_from_client(user, 'Secret123')
-
- multihost.master[0].run_command(
- f'su -l {user} -c "kdestroy -A"', raiseonerr=False)
-
- set_param(multihost, 'kcm', 'max_ccache_size', '1')
- self._restart_kcm(multihost)
-
- # We use kinit to exceed the maximum ccache size as it creates payload
- # of 1280 bytes by acquiring tgt and also some control credentials.
- # SSH authentication is not sufficient as it stores only tgt.
- kv_p = multihost.master[0].run_command(
- f'su -l foo3 -c "kinit {user}@EXAMPLE.TEST"',
- stdin_text='Secret123', raiseonerr=False)
- assert kv_p.returncode != 0
diff --git a/src/tests/multihost/basic/test_ldap.py b/src/tests/multihost/basic/test_ldap.py
deleted file mode 100644
index 2ea483b8d82..00000000000
--- a/src/tests/multihost/basic/test_ldap.py
+++ /dev/null
@@ -1,110 +0,0 @@
-""" SSSD LDAP provider tests
-
-:requirement: IDM-SSSD-REQ : LDAP Provider
-:casecomponent: sssd
-:subsystemteam: sst_idm_sssd
-:upstream: yes
-:status: approved
-"""
-
-import pytest
-from sssd.testlib.common.utils import sssdTools
-try:
- import ConfigParser
-except ImportError:
- import configparser as ConfigParser
-
-
-@pytest.fixture
-def set_ldap_auth_provider(session_multihost, request):
- """ Set entry cache sudo timeout in sssd.conf """
- bkup_sssd = 'cp -f /etc/sssd/sssd.conf /etc/sssd/sssd.conf.orig'
- session_multihost.master[0].run_command(bkup_sssd)
- session_multihost.master[0].transport.get_file('/etc/sssd/sssd.conf',
- '/tmp/sssd.conf')
- sssdconfig = ConfigParser.ConfigParser()
- sssdconfig.read('/tmp/sssd.conf')
- domain_section = "%s/%s" % ('domain', 'EXAMPLE.TEST')
- if domain_section in sssdconfig.sections():
- sssdconfig.set(domain_section, 'auth_provider', 'ldap')
- sssdconfig.set(domain_section,
- 'ldap_auth_disable_tls_never_use_in_production',
- 'true')
- with open('/tmp/sssd.conf', "w") as sssconf:
- sssdconfig.write(sssconf)
- session_multihost.master[0].transport.put_file('/tmp/sssd.conf',
- '/etc/sssd/sssd.conf')
- session_multihost.master[0].service_sssd('restart')
-
- def restore_sssd():
- """ Restore sssd.conf """
- restore_sssd = 'cp -f /etc/sssd/sssd.conf.orig /etc/sssd/sssd.conf'
- session_multihost.master[0].run_command(restore_sssd)
- session_multihost.master[0].service_sssd('restart')
- request.addfinalizer(restore_sssd)
-
-
-@pytest.fixture
-def set_ldap_pwmodify_mode_ldap_modify(session_multihost, request):
- """ Set entry cache sudo timeout in sssd.conf """
- bkup_sssd = 'cp -f /etc/sssd/sssd.conf /etc/sssd/sssd.conf.orig'
- session_multihost.master[0].run_command(bkup_sssd)
- session_multihost.master[0].transport.get_file('/etc/sssd/sssd.conf',
- '/tmp/sssd.conf')
- sssdconfig = ConfigParser.ConfigParser()
- sssdconfig.read('/tmp/sssd.conf')
- domain_section = "%s/%s" % ('domain', 'EXAMPLE.TEST')
- if domain_section in sssdconfig.sections():
- sssdconfig.set(domain_section, 'ldap_pwmodify_mode', 'ldap_modify')
- with open('/tmp/sssd.conf', "w") as sssconf:
- sssdconfig.write(sssconf)
- session_multihost.master[0].transport.put_file('/tmp/sssd.conf',
- '/etc/sssd/sssd.conf')
- session_multihost.master[0].service_sssd('restart')
-
- def restore_sssd():
- """ Restore sssd.conf """
- restore_sssd = 'cp -f /etc/sssd/sssd.conf.orig /etc/sssd/sssd.conf'
- session_multihost.master[0].run_command(restore_sssd)
- session_multihost.master[0].service_sssd('restart')
- request.addfinalizer(restore_sssd)
-
-
-class TestLDAPChpass(object):
- """ Test changing LDAP password """
-
- @staticmethod
- def _change_test_reset_password(multihost):
- user = 'foo1'
- client = sssdTools(multihost.master[0])
- ssh0 = client.auth_from_client(user, 'Secret123') == 3
- assert ssh0, f"Authentication Failed as user {user}"
- client.change_user_password(
- user, 'Secret123', 'Secret123', 'Secret1234', 'Secret1234')
-
- # Try logging in with the new password
- ssh1 = client.auth_from_client(user, 'Secret1234') == 3
- assert ssh1, f"Authentication Failed as {user} with the new password."
-
- # Clean up and change the password back
- client.change_user_password(
- user, 'Secret1234', 'Secret1234', 'Secret123', 'Secret123')
-
- @staticmethod
- def test_ldap_chpass_extop(multihost):
- """
- :title: chpass: Test password change using the default extended
- operation
- :id: 4b3ab9a6-d26f-484d-994f-8bc74c31b9dd
- """
- TestLDAPChpass._change_test_reset_password(multihost)
-
- @staticmethod
- @pytest.mark.usefixtures("set_ldap_auth_provider",
- "set_ldap_pwmodify_mode_ldap_modify")
- def test_ldap_chpass_modify(multihost):
- """
- :title: chpass: Test password change using LDAP modify
- :id: 554c989d-f99b-4722-925b-5be54a33af89
- """
- TestLDAPChpass._change_test_reset_password(multihost)
diff --git a/src/tests/multihost/basic/test_sssctl_config_check.py b/src/tests/multihost/basic/test_sssctl_config_check.py
deleted file mode 100644
index f003a8d1967..00000000000
--- a/src/tests/multihost/basic/test_sssctl_config_check.py
+++ /dev/null
@@ -1,102 +0,0 @@
-"""sssctl config-check Test Cases
-
-:requirement: IDM-SSSD-REQ: Status utility
-:casecomponent: sssd
-:subsystemteam: sst_idm_sssd
-:upstream: yes
-:status: approved
-"""
-
-import re
-
-
-class TestSssctlConfigCheck(object):
- def test_verify_typo_option_name(self, multihost):
- """
- :title: sssctl: Verify typos in option name (not value)
- of configuration file
- :id: 4089f5d6-cdeb-4bcb-9028-cabd97d43045
- """
- cfgget = '/etc/sssd/sssd.conf'
- cfgput = '/tmp/sssd.conf.backup'
- multihost.master[0].run_command(['/bin/cp',
- '-a', cfgget, cfgput],
- raiseonerr=False)
- sssdcfg = multihost.master[0].get_file_contents(cfgget)
-
- # replacing ldap_search_base option with search_base
- sssdcfg = re.sub(b"ldap_search_base",
- b"search_base", sssdcfg)
- multihost.master[0].put_file_contents(cfgget, sssdcfg)
- sssctl_cmd = 'sssctl config-check'
- cmd = multihost.master[0].run_command(sssctl_cmd, raiseonerr=False)
- if cmd.returncode == 1:
- log = re.compile(r'Attribute\s.search.base.\sis\snot\sallowed.*')
- if log.search(cmd.stdout_text):
- assert True
- else:
- assert False
- else:
- assert False
- multihost.master[0].run_command(['/bin/cp', '-a', cfgput, cfgget],
- raiseonerr=False)
-
- def test_verify_typo_domain_name(self, multihost):
- """
- :title: sssctl: Verify typos in domain name of configuration file
- :id: a5d3a3a5-f832-4fc6-a628-9165dab69dd2
- """
- cfgget = '/etc/sssd/sssd.conf'
- cfgput = '/tmp/sssd.conf.backup'
- multihost.master[0].run_command(['/bin/cp',
- '-a', cfgget, cfgput],
- raiseonerr=False)
- sssdcfg = multihost.master[0].get_file_contents(cfgget)
-
- # replacing the domain name with typo
- sssdcfg = re.sub(b"domain/EXAMPLE.TEST",
- b"domain/", sssdcfg)
- multihost.master[0].put_file_contents(cfgget, sssdcfg)
- sssctl_cmd = 'sssctl config-check'
- cmd = multihost.master[0].run_command(sssctl_cmd, raiseonerr=False)
- if cmd.returncode == 1:
- log = re.compile(r'Section\s\[domain\/\]\sis\snot\sallowed.*')
- if log.search(cmd.stdout_text):
- assert True
- else:
- assert False
- else:
- assert False
- multihost.master[0].run_command(['/bin/cp', '-a', cfgput, cfgget],
- raiseonerr=False)
-
- def test_misplaced_option(self, multihost):
- """
- :title: sssctl: Verify misplace options in default configuration file
- :id: ed814158-dea5-4f62-8500-fe62087332f9
- """
- cfgget = '/etc/sssd/sssd.conf'
- cfgput = '/tmp/sssd.conf.backup'
- sssdcfg = multihost.master[0].get_file_contents(cfgget)
-
- # adding services option under domain section
- sssdcfg = re.sub(b"services = nss, pam, sudo, ifp",
- b"#services = nss, pam, sudo, ifp", sssdcfg)
- sssdcfg = re.sub(b".domain/EXAMPLE.TEST.",
- b"[domain/EXAMPLE.TEST]"
- b"\nservices = nss, pam, sudo, ifp", sssdcfg)
- multihost.master[0].put_file_contents(cfgget, sssdcfg)
- sssctl_cmd = 'sssctl config-check'
- cmd = multihost.master[0].run_command(sssctl_cmd,
- raiseonerr=False)
- if cmd.returncode == 1:
- log = re.compile(
- r'.Attribute\s.services.\sis\snot\sallowed\sin\ssection\s.*')
- if log.search(cmd.stdout_text):
- assert True
- else:
- assert False
- else:
- assert False
- multihost.master[0].run_command(['/bin/cp', '-a', cfgput, cfgget],
- raiseonerr=False)
diff --git a/src/tests/multihost/basic/test_sudo.py b/src/tests/multihost/basic/test_sudo.py
deleted file mode 100644
index 35861defd34..00000000000
--- a/src/tests/multihost/basic/test_sudo.py
+++ /dev/null
@@ -1,66 +0,0 @@
-""" SUDO responder sanity Test Cases
-
-:requirement: sudo
-:casecomponent: sssd
-:subsystemteam: sst_idm_sssd
-:upstream: yes
-:status: approved
-"""
-
-import time
-import pytest
-from sssd.testlib.common.utils import sssdTools
-
-
-class TestSanitySudo(object):
- """ Basic Sanity Test cases for sudo service in sssd """
- @staticmethod
- @pytest.mark.converted('test_sudo.py', 'test_sudo__case_sensitive_false')
- @pytest.mark.usefixtures(
- "case_sensitive_sudorule", "enable_sss_sudo_nsswitch",
- "set_case_sensitive_false")
- def test_case_senitivity(multihost):
- """
- :title: sudo: Verify case sensitivity in sudo responder
- :id: 64ab80be-17fd-4c3b-9d9b-7d07c6279975
- """
- user = 'capsuser-1'
- # Test ssh login
- client = sssdTools(multihost.master[0])
- ssh_result = client.auth_from_client(user, 'Secret123') == 3
- cmd = multihost.master[0].run_command(
- f'su - {user} -c "sudo -l"', raiseonerr=False)
- rule_result = cmd.returncode == 0 and \
- '(root) NOPASSWD: /usr/bin/less' in cmd.stdout_text
- rule2_result = cmd.returncode == 0 and \
- '(root) NOPASSWD: /usr/bin/more' in cmd.stdout_text
- assert ssh_result, f"Ssh failed for user: {user}."
- assert rule_result, f"Rules missing for user: {user}."
- assert rule2_result, f"Rules missing for user: {user}."
-
- @staticmethod
- @pytest.mark.converted('test_sudo.py', 'test_sudo__rules_refresh')
- @pytest.mark.usefixtures("enable_sss_sudo_nsswitch", "generic_sudorule",
- "set_entry_cache_sudo_timeout")
- def test_refresh_expired_rule(multihost):
- """
- :title: sudo: Verify refreshing expired sudo rules
- do not crash sssd_sudo
- :id: 532513b2-15bc-46ac-8fc9-19fd0bf485c4
- """
-
- user = 'foo1'
- # Test ssh login
- client = sssdTools(multihost.master[0])
- ssh_result = client.auth_from_client(user, 'Secret123') == 3
- cmd = multihost.master[0].run_command(
- f'su - {user} -c "sudo -l"', raiseonerr=False)
- time.sleep(30)
- cmd2 = multihost.master[0].run_command(
- f'su - {user} -c "sudo -l"', raiseonerr=False)
-
- assert ssh_result, f"Ssh failed for user: {user}."
- assert cmd.returncode == 0, \
- f"First sudo -l failed for user: {user}."
- assert cmd2.returncode == 0, \
- f"Second sudo -l failed for user: {user}."
diff --git a/src/tests/multihost/basic/utils_config.py b/src/tests/multihost/basic/utils_config.py
deleted file mode 100644
index 11b718e1380..00000000000
--- a/src/tests/multihost/basic/utils_config.py
+++ /dev/null
@@ -1,32 +0,0 @@
-""" Various utilities for manipulating SSSD configuration """
-import configparser as ConfigParser
-
-
-def set_param(multihost, section, key, value):
- multihost.master[0].transport.get_file('/etc/sssd/sssd.conf',
- '/tmp/sssd.conf')
- sssdconfig = ConfigParser.ConfigParser()
- sssdconfig.read('/tmp/sssd.conf')
- if section not in sssdconfig.sections():
- sssdconfig.add_section(section)
-
- sssdconfig.set(section, key, value)
- with open(str('/tmp/sssd.conf'), "w") as sssconf:
- sssdconfig.write(sssconf)
-
- multihost.master[0].transport.put_file('/tmp/sssd.conf',
- '/etc/sssd/sssd.conf')
-
-
-def remove_section(multihost, section):
- multihost.master[0].transport.get_file('/etc/sssd/sssd.conf',
- '/tmp/sssd.conf')
- sssdconfig = ConfigParser.ConfigParser()
- sssdconfig.read('/tmp/sssd.conf')
- sssdconfig.remove_section(section)
-
- with open(str('/tmp/sssd.conf'), "w") as sssconf:
- sssdconfig.write(sssconf)
-
- multihost.master[0].transport.put_file('/tmp/sssd.conf',
- '/etc/sssd/sssd.conf')
From a935c93bfe0140893494c4efb901bfc73192610b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jakub=20V=C3=A1vra?=
Date: Wed, 4 Sep 2024 12:53:36 +0200
Subject: [PATCH 2/2] tests: remove additional multihost/basic references
---
 Makefile.am | 11 --------
 src/tests/multihost/README.md | 49 +----------------------------------
 2 files changed, 1 insertion(+), 59 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index 3e5fc5a0cf0..72198bb725c 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -5463,17 +5463,6 @@ dist_noinst_DATA += \
 contrib/sssd.spec.in \
 BUILD.txt \
 COPYING \
- src/tests/multihost/README.md \
- src/tests/multihost/conftest.py \
- src/tests/multihost/basic/mhc.yaml \
- src/tests/multihost/basic/test_basic.py \
- src/tests/multihost/basic/test_config.py \
- src/tests/multihost/basic/test_files.py \
- src/tests/multihost/basic/test_ifp.py \
- src/tests/multihost/basic/test_kcm.py \
- src/tests/multihost/basic/test_sssctl_config_check.py \
- src/tests/multihost/basic/test_sudo.py \
- src/tests/multihost/basic/utils_config.py \
 $(NULL)

 rpmroot:
diff --git a/src/tests/multihost/README.md b/src/tests/multihost/README.md
index 3f4a8fa912c..7ed7953cfaa 100644
--- a/src/tests/multihost/README.md
+++ b/src/tests/multihost/README.md
@@ -1,49 +1,2 @@
 # Instructions on executing tests
-
-Multihost tests uses the `python-multihost` framework to execute test commands
-on remote machines. The tests themselves are run locally via pytest.
-
-## Install requirements
-
-```
-sudo pip3 install -r src/tests/multihost/requirements.txt
-```
-
-You can also install them in virtual environment using the virtualenv command
-if you wish.
-
-## Prepare remote machines
-
-Existing tests currently requires only one remote machine where the SSSD version
-that you want to test is installed. The machine must be Fedora or RHEL so it can
-be correctly provisioned. The **tests will modify the machine** so use something
-disposable.
-
-It is recommended to use [sssd-test-suite] project to create such machine. The
-multihost tests can run out of the box using [sssd-test-suite] without any
-further changes.
-
-[sssd-test-suite]: https://github.com/SSSD/sssd-test-suite
-
-## Prepare multihost configuration
-
-Edit `src/tests/multihost/basic/mhc.yaml`:
-
-```yaml
-root_password: 'vagrant' # use remote machine root password
-domains:
-- name: tier0.tests
- type: sssd
- hosts:
- - name: client
- external_hostname: master.client.vm # your machine fully qualified name
- role: master
-```
-
-Note: You can skip this step if you use machines from sssd-test-suite.
-
-## Run the tests
-
-```
-pytest-3 -s --multihost-config=src/tests/multihost/basic/mhc.yaml src/tests/multihost/basic
-```
+See [tests.sssd.io] https://tests.sssd.io/en/latest/
\ No newline at end of file