URL: https://github.com/freeipa/freeipa/pull/2654 Author: tiran Title: #2654: [Backport][ipa-4-7] Resolve user/group names in idoverride*-find Action: opened
PR body: """ This PR was opened automatically because PR #2648 was pushed to master and backport to ipa-4-7 is required. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/2654/head:pr2654 git checkout pr2654
From 1d68529bad0e257826ff5d507969618a74300869 Mon Sep 17 00:00:00 2001 From: Christian Heimes <chei...@redhat.com> Date: Wed, 5 Dec 2018 16:59:07 +0100 Subject: [PATCH 1/3] Resolve user/group names in idoverride*-find ipa idoverrideuser-find and ...group-find have an --anchor argument. The anchor argument used to support only anchor UUIDs like ':IPA:domain:UUID' or ':SID:S-sid'. The find commands now detect regular user or group names and translate them to anchors. Fixes: https://pagure.io/freeipa/issue/6594 Signed-off-by: Christian Heimes <chei...@redhat.com> --- ipaserver/plugins/idviews.py | 52 ++++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) diff --git a/ipaserver/plugins/idviews.py b/ipaserver/plugins/idviews.py index 3252982dac..52134860a7 100644 --- a/ipaserver/plugins/idviews.py +++ b/ipaserver/plugins/idviews.py 
@@ -766,6 +766,40 @@ def prohibit_ipa_users_in_default_view(self, dn, entry_attrs): error=_('Default Trust View cannot contain IPA users') ) + def filter_for_anchor(self, ldap, filter, options, obj_type): + """Modify filter to support user and group names + + Allow users to pass in an IPA user/group name and resolve it to an + anchor name. + + :param ldap: ldap connection + :param filter: pre_callback filter + :param options: option dict + :param obj_type: 'user' or 'group' + :return: modified or same filter + """ + anchor = options.get('ipaanchoruuid', None) + # return original filter if anchor is absent or correct + if anchor is None or ANCHOR_REGEX.match(anchor): + return filter + try: + resolved_anchor = resolve_object_to_anchor( + ldap, obj_type, anchor, + options.get('fallback_to_ldap', False) + ) + except (errors.NotFound, errors.ValidationError): + # anchor cannot be resolved, let it pass through + return filter + else: + return ldap.make_filter( + { + 'objectClass': self.object_class, + 'ipaanchoruuid': resolved_anchor, + }, + rules=ldap.MATCH_ALL + ) + + class baseidoverride_add(LDAPCreate): __doc__ = _('Add a new ID override.') msg_summary = _('Added ID override "%(value)s"') @@ -1128,6 +1162,15 @@ class idoverrideuser_find(baseidoverride_find): msg_summary = ngettext('%(count)d User ID override matched', '%(count)d User ID overrides matched', 0) + def pre_callback(self, ldap, filter, attrs_list, base_dn, scope, *args, + **options): + result = super(idoverrideuser_find, self).pre_callback( + ldap, filter, attrs_list, base_dn, scope, *args, **options + ) + filter, base_dn, scope = result + filter = self.obj.filter_for_anchor(ldap, filter, options, 'user') + return filter, base_dn, scope + def post_callback(self, ldap, entries, truncated, *args, **options): truncated = super(idoverrideuser_find, self).post_callback( ldap, entries, truncated, *args, **options) 
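Review bot: `filter_for_anchor` hands back a freshly built filter containing only `objectClass` and `ipaanchoruuid`, so anything the caller had already folded into `filter` before `pre_callback` ran — other option criteria or positional search terms, as far as the LDAPSearch flow visible here suggests — is silently discarded whenever `--anchor` is a plain user or group name, while the same extra criteria are honoured when `--anchor` is already a UUID/SID. If that narrowing is intended, the docstring should state it, e.g. `Note: when the anchor is resolved from a name the returned filter replaces the original one; other search criteria are not preserved.`; otherwise the resolved anchor should be substituted for the `ipaanchoruuid` term in the existing filter (or combined with the remaining criteria) rather than replacing the whole filter. A smaller point: swallowing `errors.NotFound` and `errors.ValidationError` means a mistyped name yields an empty result set instead of an error, which the docstring notes but a `--anchor` user may not expect; a debug log line there would help later diagnosis. The enclosing object class starts outside the hunk.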
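Review bot: The `pre_callback` added to `idoverrideuser_find` here and the one added to `idoverridegroup_find` in the following hunk are identical apart from the `'user'`/`'group'` literal, which is the kind of duplication that drifts the next time anchor handling changes. Since both delegate to `baseidoverride_find` via `super()`, the resolution could live once in the base class with the object type supplied by each subclass, e.g. a class attribute such as `override_object = 'user'` (constructed name) read by a single base `pre_callback`. I cannot see from the hunk whether `baseidoverride_find` defines `pre_callback` itself or inherits `LDAPSearch`'s, which decides where that hook would go.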
@@ -1173,6 +1216,15 @@ class idoverridegroup_find(baseidoverride_find): msg_summary = ngettext('%(count)d Group ID override matched', '%(count)d Group ID overrides matched', 0) + def pre_callback(self, ldap, filter, attrs_list, base_dn, scope, *args, + **options): + result = super(idoverridegroup_find, self).pre_callback( + ldap, filter, attrs_list, base_dn, scope, *args, **options + ) + filter, base_dn, scope = result + filter = self.obj.filter_for_anchor(ldap, filter, options, 'group') + return filter, base_dn, scope + @register() class idoverridegroup_show(baseidoverride_show): From 9c7c70f64bd50924f636c06cbeb786dfb3fa238e Mon Sep 17 00:00:00 2001 From: Christian Heimes <chei...@redhat.com> Date: Wed, 5 Dec 2018 17:46:05 +0100 Subject: [PATCH 2/3] Add integration tests for idviews Add several tests to verify new anchor override and general idview override functionality. Fixes: https://pagure.io/freeipa/issue/6594 Signed-off-by: Christian Heimes <chei...@redhat.com> --- ipatests/pytest_ipa/integration/tasks.py | 20 +++- ipatests/test_integration/test_idviews.py | 131 ++++++++++++++++++++++ 2 files changed, 146 insertions(+), 5 deletions(-) diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py index 36178e8abb..3548f2b68d 100644 --- a/ipatests/pytest_ipa/integration/tasks.py +++ b/ipatests/pytest_ipa/integration/tasks.py @@ -1576,9 +1576,19 @@ def strip_cert_header(pem): return pem -def user_add(host, login): - host.run_command([ +def user_add(host, login, first='test', last='user', extra_args=()): + cmd = [ "ipa", "user-add", login, - "--first", "test", - "--last", "user" - ]) + "--first", first, + "--last", last + ] + cmd.extend(extra_args) + return host.run_command(cmd) + + +def group_add(host, groupname, extra_args=()): + cmd = [ + "ipa", "group-add", groupname, + ] + cmd.extend(extra_args) + return host.run_command(cmd) 
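Review bot: `user_add` changes its contract — it now returns the command result and accepts `extra_args` — and `group_add` is new, yet neither helper has a docstring saying so. I'd add `"""Run 'ipa user-add'; extra_args is appended verbatim to the argv, so values must already be strings."""` to `user_add` and the equivalent for `group_add`; the integration test in this series performs the `str(...)` conversion at every call site, which is exactly the contract worth stating once here. Callers that ignored the old `None` return are unaffected.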
diff --git a/ipatests/test_integration/test_idviews.py b/ipatests/test_integration/test_idviews.py
index 9a8f37961a..6ede4d034f 100644
--- a/ipatests/test_integration/test_idviews.py
+++ b/ipatests/test_integration/test_idviews.py
@@ -165,6 +165,7 @@ class TestRulesWithServicePrincipals(IntegrationTest):
 topology = 'star'
 num_replicas = 0
+ num_clients = 0
 service_certprofile = 'caIPAserviceCert'
 caacl = 'test_caacl'
 keytab = "replica.keytab"
@@ -238,3 +239,133 @@ def test_rules_with_service_principals(self): raiseonerr=False) assert(result.returncode == 0), ( 'Failed to add a cert to custom certprofile') + + +class TestIDViews(IntegrationTest): + topology = 'star' + num_replicas = 0 + num_clients = 1 + + user1 = 'testuser1' + user1_uid = 10001 + user1_gid = 10001 + user1_uid_override = 5001 + user1_gid_override = 6001 + + user2 = 'testuser2' + user2_uid = 10002 + user2_gid = 10002 + + group1 = 'testgroup1' + group1_gid = 11001 + group1_gid_override = 7001 + + idview = 'testview' + + @classmethod + def install(cls, mh): + super(TestIDViews, cls).install(mh) + master = cls.master + client = cls.clients[0] + tasks.kinit_admin(master) + + tasks.user_add( + master, cls.user1, first='Test1', + extra_args=[ + '--uid', str(cls.user1_uid), + '--gidnumber', str(cls.user1_gid), + ] + ) + tasks.user_add( + master, cls.user2, first='Test2', + extra_args=[ + '--uid', str(cls.user2_uid), + '--gidnumber', str(cls.user2_gid), + ] + ) + tasks.group_add( + master, cls.group1, extra_args=['--gid', str(cls.group1_gid)] + ) + + master.run_command(['ipa', 'idview-add', cls.idview]) + + # add overrides for user1 and its default user group + master.run_command([ + 'ipa', 'idoverrideuser-add', cls.idview, cls.user1, + '--uid', str(cls.user1_uid_override), + '--gid', str(cls.user1_gid_override), + '--homedir', '/special-home/{}'.format(cls.user1), + '--shell', '/bin/special' + ]) + master.run_command([ + 'ipa', 'idoverridegroup-add', cls.idview, cls.group1, + '--gid', str(cls.group1_gid_override), + ]) + + # ID view overrides don't work on IPA masters + master.run_command([ + 'ipa', 'idview-apply', cls.idview, + '--hosts', client.hostname + ]) + # finally restart SSSD to materialize idviews + client.run_command(['systemctl', 'restart', 'sssd.service']) + + def test_useroverride(self): + result = self.clients[0].run_command(['id', self.user1]) + assert 'uid={}'.format(self.user1_uid_override) in result.stdout_text + assert 
'gid={}'.format(self.user1_gid_override) in result.stdout_text + + result = self.clients[0].run_command( + ['getent', 'passwd', str(self.user1_uid_override)] + ) + expected = '{}:*:{}:{}'.format( + self.user1, self.user1_uid_override, self.user1_gid_override + ) + assert expected in result.stdout_text + + result = self.master.run_command(['id', self.user1]) + assert 'uid={}'.format(self.user1_uid) in result.stdout_text + assert 'gid={}'.format(self.user1_gid) in result.stdout_text + + def test_useroverride_original_uid(self): + # It's still possible to request the user with its original UID. In + # this case the getent command returns the user with override uid. + result = self.clients[0].run_command( + ['getent', 'passwd', str(self.user1_uid)] + ) + expected = '{}:*:{}:{}'.format( + self.user1, self.user1_uid_override, self.user1_gid_override + ) + assert expected in result.stdout_text + + def test_anchor_username(self): + result = self.master.run_command([ + 'ipa', 'idoverrideuser-find', self.idview, '--anchor', self.user1 + ]) + expected = "Anchor to override: {}".format(self.user1) + assert expected in result.stdout_text + + def test_groupoverride(self): + result = self.clients[0].run_command(['getent', 'group', self.group1]) + assert ':{}:'.format(self.group1_gid_override) in result.stdout_text + + result = self.master.run_command(['getent', 'group', self.group1]) + assert ':{}:'.format(self.group1_gid) in result.stdout_text + + def test_groupoverride_system_objects(self): + # group override for user group should fail + result = self.master.run_command( + ['ipa', 'idoverridegroup-add', self.idview, self.user1, + '--gid', str(self.user1_gid_override)], + raiseonerr=False + ) + assert result.returncode == 1 + assert "cannot be overridden" in result.stderr_text + + def test_anchor_groupname(self): + result = self.master.run_command([ + 'ipa', 'idoverridegroup-find', self.idview, + '--anchor', self.group1 + ]) + expected = "Anchor to override: 
{}".format(self.group1) + assert expected in result.stdout_text From 4a0c278bf095c17264990134894efeeb37afad45 Mon Sep 17 00:00:00 2001 From: Christian Heimes <chei...@redhat.com> Date: Wed, 5 Dec 2018 17:51:18 +0100 Subject: [PATCH 3/3] Run idviews integration tests in nightly See: https://pagure.io/freeipa/issue/6594 Signed-off-by: Christian Heimes <chei...@redhat.com> --- ipatests/prci_definitions/nightly_f28.yaml | 12 ++++++++++++ ipatests/prci_definitions/nightly_master.yaml | 12 ++++++++++++ ipatests/prci_definitions/nightly_rawhide.yaml | 12 ++++++++++++ 3 files changed, 36 insertions(+) diff --git a/ipatests/prci_definitions/nightly_f28.yaml b/ipatests/prci_definitions/nightly_f28.yaml index 8462c14675..ac792f15de 100644 --- a/ipatests/prci_definitions/nightly_f28.yaml +++ b/ipatests/prci_definitions/nightly_f28.yaml @@ -195,6 +195,18 @@ jobs: timeout: 10800 topology: *master_1repl + fedora-28/test_idviews: + requires: [fedora-28/build] + priority: 50 + job: + class: RunPytest + args: + build_url: '{fedora-28/build_url}' + test_suite: test_integration/test_idviews.py::TestIDViews + template: *ci-master-f28 + timeout: 3600 + topology: *master_1repl_1client + fedora-28/test_caless_TestServerInstall: requires: [fedora-28/build] priority: 50 diff --git a/ipatests/prci_definitions/nightly_master.yaml b/ipatests/prci_definitions/nightly_master.yaml index 3f2b3465a2..953a60e5ca 100644 --- a/ipatests/prci_definitions/nightly_master.yaml +++ b/ipatests/prci_definitions/nightly_master.yaml @@ -195,6 +195,18 @@ jobs: timeout: 10800 topology: *master_1repl + fedora-28/test_idviews: + requires: [fedora-29/build] + priority: 50 + job: + class: RunPytest + args: + build_url: '{fedora-29/build_url}' + test_suite: test_integration/test_idviews.py::TestIDViews + template: *ci-master-f29 + timeout: 3600 + topology: *master_1repl_1client + fedora-29/test_caless_TestServerInstall: requires: [fedora-29/build] priority: 50 
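Review bot: The `id` assertions in `test_useroverride` match on `'uid={}'.format(self.user1_uid_override)` and `'gid={}'.format(...)`, which are prefix matches — `uid=5001` is also contained in `uid=50011` — so a wrong override that shares a prefix would still pass. Anchoring on the parenthesis `id` prints after the number, `'uid={}('.format(self.user1_uid_override)` and likewise for `gid=`, makes the check exact; the `':{}:'` checks in `test_groupoverride` are delimited on both sides and fine. Separately, `install` restarts `sssd.service` and immediately returns, so if the first `id` lookup can race the responder coming back up, a short retry loop before the lookups would make the class less timing-dependent; I cannot tell from the hunk whether `run_command` waits for the service to be ready.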
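Review bot: The job key added to `nightly_master.yaml` is `fedora-28/test_idviews` although everything inside it (`requires: [fedora-29/build]`, `build_url: '{fedora-29/build_url}'`, `template: *ci-master-f29`) and the neighbouring job `fedora-29/test_caless_TestServerInstall` use the fedora-29 prefix; the same copied key appears in the `nightly_rawhide.yaml` hunk next to `fedora-rawhide/build`. Renaming them to `fedora-29/test_idviews:` and `fedora-rawhide/test_idviews:` keeps each file's naming convention and avoids a misleading job name in nightly results. I do not expect the rename to change what runs, since the key appears to serve only as a label here, but that is inferred from the surrounding entries rather than visible in the hunk.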
diff --git a/ipatests/prci_definitions/nightly_rawhide.yaml b/ipatests/prci_definitions/nightly_rawhide.yaml
index bdc34d245c..e74e5f6388 100644
--- a/ipatests/prci_definitions/nightly_rawhide.yaml
+++ b/ipatests/prci_definitions/nightly_rawhide.yaml
@@ -195,6 +195,18 @@ jobs:
 timeout: 10800
 topology: *master_1repl
+ fedora-28/test_idviews:
+ requires: [fedora-rawhide/build]
+ priority: 50
+ job:
+ class: RunPytest
+ args:
+ build_url: '{fedora-rawhide/build_url}'
+ test_suite: test_integration/test_idviews.py::TestIDViews
+ template: *ci-master-frawhide
+ timeout: 3600
+ topology: *master_1repl_1client
+
 fedora-rawhide/test_caless_TestServerInstall:
 requires: [fedora-rawhide/build]
 priority: 50