URL: https://github.com/SSSD/sssd/pull/5953
Author: aborah-sudo
 Title: #5953: Tests: RFE pass KRB5CCNAME to pam_authenticate environment if 
available
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5953/head:pr5953
git checkout pr5953
From 16d7604c1934eb34538da4082ba55d72f22ff813 Mon Sep 17 00:00:00 2001
From: Anuj Borah <abo...@redhat.com>
Date: Tue, 18 Jan 2022 10:56:29 +0530
Subject: [PATCH] Tests: RFE pass KRB5CCNAME to pam_authenticate environment if
 available

Automation of sudo bug 1917379 in sssd tests
---
 src/tests/multihost/ipa/conftest.py  | 34 +++++++++++++++++
 src/tests/multihost/ipa/test_misc.py | 57 ++++++++++++++++++++++++++++
 2 files changed, 91 insertions(+)

diff --git a/src/tests/multihost/ipa/conftest.py b/src/tests/multihost/ipa/conftest.py
index ab8d85dd93..ae6bda1d20 100644
--- a/src/tests/multihost/ipa/conftest.py
+++ b/src/tests/multihost/ipa/conftest.py
@@ -65,6 +65,40 @@ def remove_ad_user_group():
     return ad_user, ad_group
 
 
+@pytest.fixture(scope="function")
+def backup_config_pam_gssapi_services(session_multihost, request):
+    """ Take backup of files, Configure domain_params
+        Configure /etc/pam.d/sudo
+        Configure /etc/pam.d/sudo-i
+    """
+    tools = sssdTools(session_multihost.client[0])
+    domain_name = tools.get_domain_section_name()
+    client = sssdTools(session_multihost.client[0])
+    domain_params = {'pam_gssapi_services': 'sudo, sudo-i'}
+    client.sssd_conf(f'{domain_name}', domain_params)
+    session_multihost.client[0].service_sssd('restart')
+    session_multihost.client[0].run_command("cp -vf  /etc/pam.d/sudo "
+                                            "/etc/pam.d/sudo_bkp")
+    session_multihost.client[0].run_command("cp -vf  /etc/pam.d/sudo-i "
+                                            "/etc/pam.d/sudo-i_bkp")
+    session_multihost.client[0].run_command("sed -i '1 a auth "
+                                            "sufficient pam_sss_gss.so' "
+                                            "/etc/pam.d/sudo")
+    session_multihost.client[0].run_command("sed -i '1 a auth sufficient "
+                                            "pam_sss_gss.so' "
+                                            "/etc/pam.d/sudo-i")
+
+    def restore():
+        session_multihost.client[0].run_command("cp -vf  "
+                                                "/etc/pam.d/sudo_bkp "
+                                                "/etc/pam.d/sudo")
+        session_multihost.client[0].run_command("cp -vf  "
+                                                "/etc/pam.d/sudo-i_bkp "
+                                                "/etc/pam.d/sudo-i")
+
+    request.addfinalizer(restore)
+
+
 @pytest.fixture(scope="function")
 def create_reverse_zone(session_multihost, request):
     """ Creates reverse zone """
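Review bot: `request.addfinalizer(restore)` is registered only at the very end of `backup_config_pam_gssapi_services`, after sssd.conf and both PAM files have already been modified. If any earlier `run_command` aborts the fixture (it appears to raise on a non-zero exit; worth confirming), `auth sufficient pam_sss_gss.so` stays in `/etc/pam.d/sudo` with no teardown, so the finalizer should be registered right after the two backup copies are taken. `restore()` also copies instead of moving, which leaves `sudo_bkp` and `sudo-i_bkp` behind in `/etc/pam.d`; `mv -f /etc/pam.d/sudo_bkp /etc/pam.d/sudo` (and the same for `sudo-i`) would clean them up. The fixture never reverts `pam_gssapi_services` or restarts sssd, so it is only safe alongside a fixture that restores sssd.conf, and the docstring should say so, e.g. `Must be used together with backupsssdconf; sssd.conf is not restored here.`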
diff --git a/src/tests/multihost/ipa/test_misc.py b/src/tests/multihost/ipa/test_misc.py
index 2c25cd0b1e..09c1cfbcab 100644
--- a/src/tests/multihost/ipa/test_misc.py
+++ b/src/tests/multihost/ipa/test_misc.py
@@ -303,3 +303,60 @@ def test_authentication_indicators(self, multihost):
                                                  ' |tail -10')
         ssh.close()
         assert 'indicators: 2' in search.stdout_text
+
+    def test_pass_krb5cname_to_pam(self, multihost,
+                                   backupsssdconf,
+                                   backup_config_pam_gssapi_services):
+        """
+        :title: pass KRB5CCNAME to pam_authenticate environment
+        if available
+        :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1917379
+        :id: e3a6accc-781d-11ec-a83c-845cf3eff344
+        :steps:
+            1. Take backup of files
+            2. Configure domain_params
+            3. Configure /etc/pam.d/sudo
+            4. Configur /etc/pam.d/sudo-i
+            5. Create IPA sudo rule of /usr/sbin/sssctl
+             for user admin
+            6. Check user admin can use sudo command
+            7. Restore of files
+        :expectedresults:
+            1. Should succeed
+            2. Should succeed
+            3. Should succeed
+            4. Should succeed
+            5. Should succeed
+            6. Should succeed
+            7. Should succeed
+        """
+        tools = sssdTools(multihost.client[0])
+        domain_name = tools.get_domain_section_name()
+        user = "admin"
+        test_password = "Secret123"
+        sys_hostname = multihost.client[0].sys_hostname
+        ssh1 = SSHClient(multihost.client[0].ip,
+                         username=user, password=test_password)
+        (result, result1, exit_status) = ssh1.execute_cmd('kinit',
+                                                          stdin=test_password)
+        assert exit_status == 0
+        (_, _, _) = ssh1.execute_cmd("ipa sudocmd-add "
+                                     "/usr/sbin/sssctl")
+        (_, _, _) = ssh1.execute_cmd("ipa sudorule-add "
+                                     "idm_user_sssctl")
+        (_, _, _) = ssh1.execute_cmd("ipa sudorule-add-allow-command "
+                                     "idm_user_sssctl "
+                                     "--sudocmds "
+                                     "'/usr/sbin/sssctl'")
+        (_, _, _) = ssh1.execute_cmd(f"ipa sudorule-add-host "
+                                     f"idm_user_sssctl "
+                                     f"--hosts "
+                                     f"{sys_hostname}")
+        (_, _, _) = ssh1.execute_cmd("ipa sudorule-add-user "
+                                     "idm_user_sssctl "
+                                     "--users admin")
+        (result, result1, exit_status) = ssh1.execute_cmd("sudo -S "
+                                                          "/usr/sbin/sssctl "
+                                                          "domain-list",
+                                                          stdin=test_password)
+        assert domain_name+'\n' in result.readlines()
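Review bot: The final `sudo -S /usr/sbin/sssctl domain-list` call is given `stdin=test_password`, so ordinary password authentication can satisfy sudo even if `pam_sss_gss.so` never succeeds, and the test would pass without exercising the KRB5CCNAME path it is named for. Dropping the password from that call and asserting `exit_status == 0` before the output check would make a GSSAPI failure visible. The five `ipa sudocmd-add`/`sudorule-*` calls discard their results as `(_, _, _)`, so a setup failure only surfaces indirectly at the last assert. Nothing removes the rule afterwards, so `idm_user_sssctl` stays on the IPA server for later tests, and `ssh1` is never closed. A teardown along the lines of `ssh1.execute_cmd("ipa sudorule-del idm_user_sssctl")`, `ssh1.execute_cmd("ipa sudocmd-del /usr/sbin/sssctl")` and `ssh1.close()` would address both.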