URL: https://github.com/freeipa/freeipa/pull/4487
Author: wladich
 Title: #4487: [Backport][ipa-4-8] ipatests: add test for sssd behavior with 
disabled trustdomains
Action: opened

PR body:
"""
This is a manual backport of #3924 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4487/head:pr4487
git checkout pr4487
From 3f411206078d61c5249a1c99498965599a5f82b7 Mon Sep 17 00:00:00 2001
From: Sergey Orlov <sor...@redhat.com>
Date: Thu, 12 Mar 2020 15:17:22 +0100
Subject: [PATCH 1/6] ipatests: add test for sssd behavior with disabled
 trustdomains

When a trusted subdomain is disabled in ipa, users from this domain
should not be able to access ipa resources.

Related to: https://pagure.io/SSSD/sssd/issue/4078
---
 ipatests/test_integration/test_sssd.py | 47 ++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)

diff --git a/ipatests/test_integration/test_sssd.py b/ipatests/test_integration/test_sssd.py
index 8e2f62c083..1b98bbd027 100644
--- a/ipatests/test_integration/test_sssd.py
+++ b/ipatests/test_integration/test_sssd.py
@@ -26,6 +26,7 @@ class TestSSSDWithAdTrust(IntegrationTest):
 
     topology = 'star'
     num_ad_domains = 1
+    num_ad_subdomains = 1
     num_clients = 1
 
     users = {
@@ -39,6 +40,10 @@ class TestSSSDWithAdTrust(IntegrationTest):
             'password': 'Secret123',
             'group_tmpl': 'testgroup@{domain}',
         },
+        'child_ad': {
+            'name_tmpl': 'subdomaintestuser@{domain}',
+            'password': 'Secret123',
+        },
         'fakeuser': {
             'name': 'some_user@some.domain'
         },
@@ -54,6 +59,7 @@ def install(cls, mh):
         super(TestSSSDWithAdTrust, cls).install(mh)
 
         cls.ad = cls.ads[0]
+        cls.child_ad = cls.ad_subdomains[0]
 
         tasks.install_adtrust(cls.master)
         tasks.configure_dns_for_trust(cls.master, cls.ad)
@@ -63,6 +69,9 @@ def install(cls, mh):
             domain=cls.ad.domain.name)
         cls.users['ad']['group'] = cls.users['ad']['group_tmpl'].format(
             domain=cls.ad.domain.name)
+        cls.users['child_ad']['name'] = (
+            cls.users['child_ad']['name_tmpl'].format(
+                domain=cls.child_ad.domain.name))
         tasks.user_add(cls.master, cls.intermed_user)
         tasks.create_active_user(cls.master, cls.ipa_user,
                                  cls.ipa_user_password)
@@ -352,3 +361,41 @@ def test_external_group_member_mismatch(self, user_origin):
             assert user_origin == 'ipa'
         finally:
             master.run_command(['ipa', 'group-del', 'ext-ipatest'])
+
+    @contextmanager
+    def disabled_trustdomain(self):
+        ad_domain_name = self.ad.domain.name
+        ad_subdomain_name = self.child_ad.domain.name
+        self.master.run_command(['ipa', 'trustdomain-disable',
+                                 ad_domain_name, ad_subdomain_name])
+        tasks.clear_sssd_cache(self.master)
+        try:
+            yield
+        finally:
+            self.master.run_command(['ipa', 'trustdomain-enable',
+                                     ad_domain_name, ad_subdomain_name])
+            tasks.clear_sssd_cache(self.master)
+
+    @pytest.mark.parametrize('user_origin', ['ipa', 'ad'])
+    def test_trustdomain_disable_does_not_disable_root_domain(self,
+                                                              user_origin):
+        """Test that disabling trustdomain does not affect other domains."""
+        user = self.users[user_origin]['name']
+        with self.disabled_trustdomain():
+            self.master.run_command(['id', user])
+
+    def test_trustdomain_disable_disables_subdomain(self):
+        """Test that users from disabled trustdomains can not use ipa resources
+
+        This is a regression test for sssd bug:
+        https://pagure.io/SSSD/sssd/issue/4078
+        """
+        user = self.users['child_ad']['name']
+        # verify the user can be retrieved initially
+        self.master.run_command(['id', user])
+        with self.disabled_trustdomain():
+            res = self.master.run_command(['id', user], raiseonerr=False)
+            assert res.returncode == 1
+            assert 'no such user' in res.stderr_text
+        # verify the user can be retrieved after re-enabling trustdomain
+        self.master.run_command(['id', user])
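Review bot: In `disabled_trustdomain`, the first `tasks.clear_sssd_cache(self.master)` runs before the `try`, so if it raises after `ipa trustdomain-disable` has succeeded, the subdomain stays disabled on the shared master and later tests inherit that state. Moving the call inside the protected block (`try:`, then `tasks.clear_sssd_cache(self.master)`, then `yield`) lets the `finally` re-enable the trust domain in that case too. The negative check in `test_trustdomain_disable_disables_subdomain` also matches the English text `no such user` printed by `id`, which presumably depends on the remote locale; the `returncode == 1` assertion is the sturdier half. The new methods are complete within the hunk; the context lines at its top belong to `test_external_group_member_mismatch`, which starts outside it.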

From 878f43902f6683e51884b249527d5b76a6f12f53 Mon Sep 17 00:00:00 2001
From: Sergey Orlov <sor...@redhat.com>
Date: Thu, 12 Mar 2020 15:21:12 +0100
Subject: [PATCH 2/6] update prci definitions for test_sssd.py

The test now requires AD domain + subdomain

Related to: https://pagure.io/SSSD/sssd/issue/4078
---
 ipatests/prci_definitions/nightly_ipa-4-8_latest.yaml   | 4 ++--
 ipatests/prci_definitions/nightly_ipa-4-8_previous.yaml | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/ipatests/prci_definitions/nightly_ipa-4-8_latest.yaml b/ipatests/prci_definitions/nightly_ipa-4-8_latest.yaml
index 4eb0b8aa07..150596c408 100644
--- a/ipatests/prci_definitions/nightly_ipa-4-8_latest.yaml
+++ b/ipatests/prci_definitions/nightly_ipa-4-8_latest.yaml
@@ -1458,8 +1458,8 @@ jobs:
         build_url: '{fedora-latest-ipa-4-8/build_url}'
         test_suite: test_integration/test_sssd.py
         template: *ci-ipa-4-8-latest
-        timeout: 4800
-        topology: *ad_master_2client
+        timeout: 7200
+        topology: *adroot_adchild_adtree_master_1client
 
   fedora-latest-ipa-4-8/test_ca_custom_sdn:
     requires: [fedora-latest-ipa-4-8/build]
diff --git a/ipatests/prci_definitions/nightly_ipa-4-8_previous.yaml b/ipatests/prci_definitions/nightly_ipa-4-8_previous.yaml
index 705ee9a5df..006f1cd1fb 100644
--- a/ipatests/prci_definitions/nightly_ipa-4-8_previous.yaml
+++ b/ipatests/prci_definitions/nightly_ipa-4-8_previous.yaml
@@ -1458,8 +1458,8 @@ jobs:
         build_url: '{fedora-previous-ipa-4-8/build_url}'
         test_suite: test_integration/test_sssd.py
         template: *ci-ipa-4-8-previous
-        timeout: 4800
-        topology: *ad_master_2client
+        timeout: 7200
+        topology: *adroot_adchild_adtree_master_1client
 
   fedora-previous-ipa-4-8/test_ca_custom_sdn:
     requires: [fedora-previous-ipa-4-8/build]

From 554a4f13ba37b9781c00548c905e5ebd6f88f4f5 Mon Sep 17 00:00:00 2001
From: Sergey Orlov <sor...@redhat.com>
Date: Thu, 12 Mar 2020 15:34:47 +0100
Subject: [PATCH 3/6] ipatests: add utility for getting sssd version on remote
 host

This function should be used to conditionally skip tests or
mark them xfail when installed version of sssd does not yet contain
patch for the tested issue.
---
 ipatests/pytest_ipa/integration/tasks.py | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
index 5fb1988ee6..f19728cc62 100755
--- a/ipatests/pytest_ipa/integration/tasks.py
+++ b/ipatests/pytest_ipa/integration/tasks.py
@@ -34,6 +34,7 @@
 from pipes import quote
 import configparser
 from contextlib import contextmanager
+from pkg_resources import parse_version
 
 import dns
 from ldif import LDIFWriter
@@ -2174,3 +2175,9 @@ def wait_for_sssd_domain_status_online(host, timeout=120):
         time.sleep(5)
     else:
         raise RuntimeError("SSSD still offline")
+
+
+def get_sssd_version(host):
+    """Get sssd version on remote host."""
+    version = host.run_command('sssd --version').stdout_text.strip()
+    return parse_version(version)
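Review bot: `get_sssd_version` passes whatever `sssd --version` prints straight to `parse_version`, with no check that the output is a plain version string. Depending on the setuptools release, an unexpected string is either turned into a legacy version object that sorts below every normal release or raises, so a caller comparing against a threshold could silently take the "old sssd" branch. A guard before the return, such as `if not re.match(r'\d+(\.\d+)+$', version): raise ValueError(version)` (assuming `re` is already imported in tasks.py, which the hunk does not show), would make that failure explicit. The docstring could also state that the return value is the object produced by `parse_version`, meant to be compared with other `parse_version(...)` results.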

From 18d08982a35c20921fd5ec63271e0133f8aba4b5 Mon Sep 17 00:00:00 2001
From: Sergey Orlov <sor...@redhat.com>
Date: Thu, 21 Nov 2019 15:30:32 +0100
Subject: [PATCH 4/6] ipatests: add context manager for declaring part of test
 as xfail

This function provides functionality similar to pytest.mark.xfail
but for a block of code instead of the whole test function. This has
two benefits:
1) you can mark single line as expectedly failing without suppressing
   all other errors in the test function
2) you can use conditions which can not be evaluated before the test start.

The check is always done in "strict" mode, i.e. if test is expected to
fail but succeeds then it will be marked as failing.
---
 ipatests/util.py | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/ipatests/util.py b/ipatests/util.py
index 398ed2d6ce..24e149dafa 100644
--- a/ipatests/util.py
+++ b/ipatests/util.py
@@ -887,3 +887,28 @@ def get_group_dn(cn):
 
 def get_user_dn(uid):
     return DN(('uid', uid), api.env.container_user, api.env.basedn)
+
+
+@contextmanager
+def xfail_context(condition, reason):
+    """Expect a block of code to fail.
+
+    This function provides functionality similar to pytest.mark.xfail
+    but for a block of code instead of the whole test function. This has
+    two benefits:
+    1) you can mark single line as expectedly failing without suppressing
+       all other errors in the test function
+    2) you can use conditions which can not be evaluated before the test start.
+
+    The check is always done in "strict" mode, i.e. if test is expected to
+    fail but succeeds then it will be marked as failing.
+    """
+    try:
+        yield
+    except Exception:
+        if condition:
+            pytest.xfail(reason)
+        raise
+    else:
+        if condition:
+            pytest.fail('XPASS(strict) reason: {}'.format(reason), False)
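Review bot: `xfail_context` catches `Exception`, so while `condition` is true every error raised inside the block, not only the assertion that is expected to fail, is reported as an expected failure. In a test that guards an access-control regression, that can hide an unrelated breakage (for example a remote command failing inside the block) behind the xfail. The docstring should say so, e.g. add `Keep the wrapped block limited to the assertions expected to fail: any Exception raised inside it is reported as xfail while condition is true.`; narrowing the handler to `except AssertionError:` would be the stricter alternative if no caller needs more. The last call would also read better with the keyword spelled out, `pytest.fail('XPASS(strict) reason: {}'.format(reason), pytrace=False)`.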

From 0d7c36ff716b40c2df0aab3c2ec928cdf9ec0ebd Mon Sep 17 00:00:00 2001
From: Sergey Orlov <sor...@redhat.com>
Date: Thu, 12 Mar 2020 15:29:14 +0100
Subject: [PATCH 5/6] ipatests: mark test_trustdomain_disable test as
 expectedly failing

The fix for issue https://pagure.io/SSSD/sssd/issue/4078 has not landed in
the Fedora 30 version yet.
---
 ipatests/test_integration/test_sssd.py | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/ipatests/test_integration/test_sssd.py b/ipatests/test_integration/test_sssd.py
index 1b98bbd027..f516e169a6 100644
--- a/ipatests/test_integration/test_sssd.py
+++ b/ipatests/test_integration/test_sssd.py
@@ -16,6 +16,7 @@
 
 from ipatests.test_integration.base import IntegrationTest
 from ipatests.pytest_ipa.integration import tasks
+from ipatests.util import xfail_context
 from ipaplatform.tasks import tasks as platform_tasks
 from ipaplatform.osinfo import osinfo
 from ipaplatform.paths import paths
@@ -395,7 +396,10 @@ def test_trustdomain_disable_disables_subdomain(self):
         self.master.run_command(['id', user])
         with self.disabled_trustdomain():
             res = self.master.run_command(['id', user], raiseonerr=False)
-            assert res.returncode == 1
-            assert 'no such user' in res.stderr_text
+            sssd_version = tasks.get_sssd_version(self.master)
+            with xfail_context(sssd_version < tasks.parse_version('2.2.3'),
+                               'https://pagure.io/SSSD/sssd/issue/4078'):
+                assert res.returncode == 1
+                assert 'no such user' in res.stderr_text
         # verify the user can be retrieved after re-enabling trustdomain
         self.master.run_command(['id', user])
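Review bot: The threshold is written as `tasks.parse_version('2.2.3')`, which reaches through `tasks` for a name that module only imports from `pkg_resources`; the test breaks if that import in tasks.py is ever moved or replaced. Importing the name directly in this file, `from pkg_resources import parse_version`, keeps the dependency explicit. A one-line comment above the `with xfail_context(...)` stating which sssd release first carries the fix for issue 4078 would also record why `2.2.3` was chosen, since the commit message mentions only Fedora 30. `test_trustdomain_disable_disables_subdomain` starts outside this hunk.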

From 719895028d2a4a0ca592cef8d23e103a7735adb9 Mon Sep 17 00:00:00 2001
From: Sergey Orlov <sor...@redhat.com>
Date: Fri, 3 Apr 2020 11:29:08 +0200
Subject: [PATCH 6/6] temp commit

---
 .freeipa-pr-ci.yaml                        |  2 +-
 ipatests/prci_definitions/temp_commit.yaml | 10 +++++-----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/.freeipa-pr-ci.yaml b/.freeipa-pr-ci.yaml
index abcf8c5b63..8065669008 120000
--- a/.freeipa-pr-ci.yaml
+++ b/.freeipa-pr-ci.yaml
@@ -1 +1 @@
-ipatests/prci_definitions/gating.yaml
\ No newline at end of file
+ipatests/prci_definitions/temp_commit.yaml
\ No newline at end of file
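Review bot: Merging this commit as is would leave `.freeipa-pr-ci.yaml` pointing at `temp_commit.yaml` instead of `gating.yaml`, so pull requests on the branch would presumably stop running the gating definition. The subject marks the commit as temporary, but nothing in the message says it must be dropped before merge. Stating that in the commit message, e.g. `DO NOT MERGE: points PR-CI at temp_commit.yaml to run test_sssd`, would make the intent explicit to whoever lands the series.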
diff --git a/ipatests/prci_definitions/temp_commit.yaml b/ipatests/prci_definitions/temp_commit.yaml
index 8b60773b98..05ed15aa41 100644
--- a/ipatests/prci_definitions/temp_commit.yaml
+++ b/ipatests/prci_definitions/temp_commit.yaml
@@ -61,14 +61,14 @@ jobs:
         timeout: 1800
         topology: *build
 
-  fedora-latest-ipa-4-8/temp_commit:
+  fedora-latest-ipa-4-8/test_sssd:
     requires: [fedora-latest-ipa-4-8/build]
     priority: 50
     job:
-      class: RunPytest
+      class: RunADTests
       args:
         build_url: '{fedora-latest-ipa-4-8/build_url}'
-        test_suite: test_integration/test_REPLACEME.py
+        test_suite: test_integration/test_sssd.py
         template: *ci-ipa-4-8-latest
-        timeout: 3600
-        topology: *master_1repl_1client
+        timeout: 7200
+        topology: *adroot_adchild_adtree_master_1client