URL: https://github.com/SSSD/sssd/pull/5953 Author: aborah-sudo Title: #5953: Tests: RFE pass KRB5CCNAME to pam_authenticate environment if available Action: synchronized
To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5953/head:pr5953 git checkout pr5953
From 16d7604c1934eb34538da4082ba55d72f22ff813 Mon Sep 17 00:00:00 2001
From: Anuj Borah <abo...@redhat.com>
Date: Tue, 18 Jan 2022 10:56:29 +0530
Subject: [PATCH] Tests: RFE pass KRB5CCNAME to pam_authenticate environment if available
Automation of sudo bug 1917379 in sssd tests
---
src/tests/multihost/ipa/conftest.py | 34 +++++++++++++++++
src/tests/multihost/ipa/test_misc.py | 57 ++++++++++++++++++++++++++++
2 files changed, 91 insertions(+)
diff --git a/src/tests/multihost/ipa/conftest.py b/src/tests/multihost/ipa/conftest.py
index ab8d85dd93..ae6bda1d20 100644
--- a/src/tests/multihost/ipa/conftest.py
+++ b/src/tests/multihost/ipa/conftest.py
@@ -65,6 +65,40 @@ def remove_ad_user_group():
 return ad_user, ad_group
+@pytest.fixture(scope="function")
+def backup_config_pam_gssapi_services(session_multihost, request):
+ """ Take backup of files, Configure domain_params
+ Configure /etc/pam.d/sudo
+ Configure /etc/pam.d/sudo-i
+ """
+ tools = sssdTools(session_multihost.client[0])
+ domain_name = tools.get_domain_section_name()
+ client = sssdTools(session_multihost.client[0])
+ domain_params = {'pam_gssapi_services': 'sudo, sudo-i'}
+ client.sssd_conf(f'{domain_name}', domain_params)
+ session_multihost.client[0].service_sssd('restart')
+ session_multihost.client[0].run_command("cp -vf /etc/pam.d/sudo "
+ "/etc/pam.d/sudo_bkp")
+ session_multihost.client[0].run_command("cp -vf /etc/pam.d/sudo-i "
+ "/etc/pam.d/sudo-i_bkp")
+ session_multihost.client[0].run_command("sed -i '1 a auth "
+ "sufficient pam_sss_gss.so' "
+ "/etc/pam.d/sudo")
+ session_multihost.client[0].run_command("sed -i '1 a auth sufficient "
+ "pam_sss_gss.so' "
+ "/etc/pam.d/sudo-i")
+
+ def restore():
+ session_multihost.client[0].run_command("cp -vf "
+ "/etc/pam.d/sudo_bkp "
+ "/etc/pam.d/sudo")
+ session_multihost.client[0].run_command("cp -vf "
+ "/etc/pam.d/sudo-i_bkp "
+ "/etc/pam.d/sudo-i")
+
+ request.addfinalizer(restore)
+
+
 @pytest.fixture(scope="function")
 def create_reverse_zone(session_multihost, request):
 """ Creates reverse zone """
diff --git a/src/tests/multihost/ipa/test_misc.py b/src/tests/multihost/ipa/test_misc.py
index 2c25cd0b1e..09c1cfbcab 100644
--- a/src/tests/multihost/ipa/test_misc.py
+++ b/src/tests/multihost/ipa/test_misc.py
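Review bot: In `backup_config_pam_gssapi_services`, `request.addfinalizer(restore)` is registered only after both `sed -i` edits have run, so a setup step that raises partway through (whether `run_command` raises on a non-zero exit is not visible here) would leave `auth sufficient pam_sss_gss.so` in `/etc/pam.d/sudo` with no teardown. Define `restore()` and call `request.addfinalizer(restore)` directly after the two `cp -vf` backups, before either PAM file is edited. `restore()` also leaves `sudo_bkp` and `sudo-i_bkp` behind in `/etc/pam.d`, and the fixture does not undo its own `pam_gssapi_services` change to sssd.conf, so it depends on the caller also requesting a sssd.conf backup fixture; the docstring should say so.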
@@ -303,3 +303,60 @@ def test_authentication_indicators(self, multihost):
 ' |tail -10')
 ssh.close()
 assert 'indicators: 2' in search.stdout_text
+
+ def test_pass_krb5cname_to_pam(self, multihost,
+ backupsssdconf,
+ backup_config_pam_gssapi_services):
+ """
+ :title: pass KRB5CCNAME to pam_authenticate environment
+ if available
+ :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1917379
+ :id: e3a6accc-781d-11ec-a83c-845cf3eff344
+ :steps:
+ 1. Take backup of files
+ 2. Configure domain_params
+ 3. Configure /etc/pam.d/sudo
+ 4. Configur /etc/pam.d/sudo-i
+ 5. Create IPA sudo rule of /usr/sbin/sssctl
+ for user admin
+ 6. Check user admin can use sudo command
+ 7. Restore of files
+ :expectedresults:
+ 1. Should succeed
+ 2. Should succeed
+ 3. Should succeed
+ 4. Should succeed
+ 5. Should succeed
+ 6. Should succeed
+ 7. Should succeed
+ """
+ tools = sssdTools(multihost.client[0])
+ domain_name = tools.get_domain_section_name()
+ user = "admin"
+ test_password = "Secret123"
+ sys_hostname = multihost.client[0].sys_hostname
+ ssh1 = SSHClient(multihost.client[0].ip,
+ username=user, password=test_password)
+ (result, result1, exit_status) = ssh1.execute_cmd('kinit',
+ stdin=test_password)
+ assert exit_status == 0
+ (_, _, _) = ssh1.execute_cmd("ipa sudocmd-add "
+ "/usr/sbin/sssctl")
+ (_, _, _) = ssh1.execute_cmd("ipa sudorule-add "
+ "idm_user_sssctl")
+ (_, _, _) = ssh1.execute_cmd("ipa sudorule-add-allow-command "
+ "idm_user_sssctl "
+ "--sudocmds "
+ "'/usr/sbin/sssctl'")
+ (_, _, _) = ssh1.execute_cmd(f"ipa sudorule-add-host "
+ f"idm_user_sssctl "
+ f"--hosts "
+ f"{sys_hostname}")
+ (_, _, _) = ssh1.execute_cmd("ipa sudorule-add-user "
+ "idm_user_sssctl "
+ "--users admin")
+ (result, result1, exit_status) = ssh1.execute_cmd("sudo -S "
+ "/usr/sbin/sssctl "
+ "domain-list",
+ stdin=test_password)
+ assert domain_name+'\n' in result.readlines()
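Review bot: The final `sudo -S /usr/sbin/sssctl domain-list` call in `test_pass_krb5cname_to_pam` is given `stdin=test_password`, so the assertion can pass through ordinary password authentication even when `pam_sss_gss.so` fails. `auth sufficient` falls through to the rest of the stack, so the test does not show that KRB5CCNAME reached `pam_authenticate`. Run the command without a password, for example `ssh1.execute_cmd("sudo -n /usr/sbin/sssctl domain-list")`, which should succeed only when no prompt is needed, and add `assert exit_status == 0` before the output check. The `ipa sudocmd-add` and `ipa sudorule-add*` results are discarded, the `idm_user_sssctl` rule is never removed and `ssh1` is never closed, so a rerun starts from leftover IPA state; a cleanup step (presumably `ipa sudorule-del idm_user_sssctl` and `ipa sudocmd-del /usr/sbin/sssctl`) would cover that.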