URL: https://github.com/freeipa/freeipa/pull/4488 Author: wladich Title: #4488: [Backport][ipa-4-6] ipatests: add test for sssd behavior with disabled trustdomains Action: opened
PR body: """ This is a manual backport of #3924 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/4488/head:pr4488 git checkout pr4488
From b89785744fef479f4829d26803ebae51c50e3a9d Mon Sep 17 00:00:00 2001 From: Sergey Orlov <sor...@redhat.com> Date: Thu, 12 Mar 2020 15:17:22 +0100 Subject: [PATCH 1/5] ipatests: add test for sssd behavior with disabled trustdomains When a trusted subdomain is disabled in ipa, users from this domain should not be able to access ipa resources. Related to: https://pagure.io/SSSD/sssd/issue/4078 --- ipatests/test_integration/test_sssd.py | 52 +++++++++++++++++++++++++- 1 file changed, 51 insertions(+), 1 deletion(-) diff --git a/ipatests/test_integration/test_sssd.py b/ipatests/test_integration/test_sssd.py index d0271f029a..239d7cbdf2 100644 --- a/ipatests/test_integration/test_sssd.py +++ b/ipatests/test_integration/test_sssd.py @@ -24,6 +24,7 @@ class TestSSSDWithAdTrust(IntegrationTest): topology = 'star' num_ad_domains = 1 + num_ad_subdomains = 1 num_clients = 1 users = { @@ -35,6 +36,10 @@ class TestSSSDWithAdTrust(IntegrationTest): 'name_tmpl': 'testuser@{domain}', 'password': 'Secret123' }, + 'child_ad': { + 'name_tmpl': 'subdomaintestuser@{domain}', + 'password': 'Secret123', + }, 'fakeuser': { 'name': 'some_user@some.domain' }, @@ -47,7 +52,8 @@ class TestSSSDWithAdTrust(IntegrationTest): def install(cls, mh): super(TestSSSDWithAdTrust, cls).install(mh) - cls.ad = cls.ads[0] # pylint: disable=no-member + cls.ad = cls.ads[0] + cls.child_ad = cls.ad_subdomains[0] tasks.install_adtrust(cls.master) tasks.configure_dns_for_trust(cls.master, cls.ad) @@ -55,6 +61,12 @@ def install(cls, mh): cls.users['ad']['name'] = cls.users['ad']['name_tmpl'].format( domain=cls.ad.domain.name) + cls.users['ad']['group'] = cls.users['ad']['group_tmpl'].format( + domain=cls.ad.domain.name) + cls.users['child_ad']['name'] = ( + cls.users['child_ad']['name_tmpl'].format( + domain=cls.child_ad.domain.name)) + tasks.user_add(cls.master, cls.intermed_user) tasks.create_active_user(cls.master, cls.ipa_user, cls.ipa_user_password) 
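Review bot: In the `@@ -55,6 +61,12 @@` hunk of install(), the added `cls.users['ad']['group'] = cls.users['ad']['group_tmpl'].format(...)` reads a `group_tmpl` key that the visible part of the `'ad'` entry does not define: the context of the `@@ -35,6 +36,10 @@` hunk shows only `name_tmpl` and `password` before the closing brace. The start of that entry is outside the hunk, so this is inferred, but if ipa-4-6 has no such key, install() raises KeyError and every test in TestSSSDWithAdTrust errors at setup. Either add a `group_tmpl` entry to the `'ad'` dict in this backport or drop the two `group` lines, which nothing in the visible hunks reads. The body of install() continues outside the hunk.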
@@ -245,3 +257,41 @@ def test_external_group_member_mismatch(self, user_origin): assert user_origin == 'ipa' finally: master.run_command(['ipa', 'group-del', 'ext-ipatest']) + + @contextmanager + def disabled_trustdomain(self): + ad_domain_name = self.ad.domain.name + ad_subdomain_name = self.child_ad.domain.name + self.master.run_command(['ipa', 'trustdomain-disable', + ad_domain_name, ad_subdomain_name]) + tasks.clear_sssd_cache(self.master) + try: + yield + finally: + self.master.run_command(['ipa', 'trustdomain-enable', + ad_domain_name, ad_subdomain_name]) + tasks.clear_sssd_cache(self.master) + + @pytest.mark.parametrize('user_origin', ['ipa', 'ad']) + def test_trustdomain_disable_does_not_disable_root_domain(self, + user_origin): + """Test that disabling trustdomain does not affect other domains.""" + user = self.users[user_origin]['name'] + with self.disabled_trustdomain(): + self.master.run_command(['id', user]) + + def test_trustdomain_disable_disables_subdomain(self): + """Test that users from disabled trustdomains can not use ipa resources + + This is a regression test for sssd bug: + https://pagure.io/SSSD/sssd/issue/4078 + """ + user = self.users['child_ad']['name'] + # verify the user can be retrieved initially + self.master.run_command(['id', user]) + with self.disabled_trustdomain(): + res = self.master.run_command(['id', user], raiseonerr=False) + assert res.returncode == 1 + assert 'no such user' in res.stderr_text + # verify the user can be retrieved after re-enabling trustdomain + self.master.run_command(['id', user]) From 07ade8db4bbbb94381bb2edb3b4e0ff7e98d5167 Mon Sep 17 00:00:00 2001 From: Sergey Orlov <sor...@redhat.com> Date: Thu, 12 Mar 2020 15:21:12 +0100 Subject: [PATCH 2/5] update prci definitions for test_sssd.py The test now requires AD domain + subdomain Related to: https://pagure.io/SSSD/sssd/issue/4078 --- ipatests/prci_definitions/nightly_ipa-4-6.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
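Review bot: In `disabled_trustdomain`, the `try:` starts only after `tasks.clear_sssd_cache(self.master)`, so if clearing the cache fails once `ipa trustdomain-disable` has succeeded, the `finally` never runs and the subdomain stays disabled for every later test in the class. Move the cache clear inside the guarded block, so that it reads `try:` then `tasks.clear_sssd_cache(self.master)` then `yield`. The hunk also uses `@contextmanager` while no hunk of this patch adds an import for it to test_sssd.py; the file's import block is not shown here, so confirm that `from contextlib import contextmanager` is already present on ipa-4-6. A one-line docstring on the helper, such as `"""Disable the child AD trustdomain for the duration of the block, then re-enable it."""`, would also help.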
diff --git a/ipatests/prci_definitions/nightly_ipa-4-6.yaml b/ipatests/prci_definitions/nightly_ipa-4-6.yaml index b9d9bf49c5..b8f4ebd483 100644 --- a/ipatests/prci_definitions/nightly_ipa-4-6.yaml +++ b/ipatests/prci_definitions/nightly_ipa-4-6.yaml @@ -1108,8 +1108,8 @@ jobs: build_url: '{fedora-27/build_url}' test_suite: test_integration/test_sssd.py template: *ci-master-f27 - timeout: 4800 - topology: *ad_master_2client + timeout: 7200 + topology: *adroot_adchild_adtree_master_1client fedora-27/test_adtrust_install: requires: [fedora-27/build] From c3d9fae5236d8f1d14857c4313eafbac5f18f7e9 Mon Sep 17 00:00:00 2001 From: Sergey Orlov <sor...@redhat.com> Date: Thu, 12 Mar 2020 15:34:47 +0100 Subject: [PATCH 3/5] ipatests: add utility for getting sssd version on remote host This function should be used to conditionally skip tests or mark them xfail when installed version of sssd does not yet contain patch for the tested issue. --- ipatests/pytest_ipa/integration/tasks.py | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py index 26e03e90cb..1851637425 100755 --- a/ipatests/pytest_ipa/integration/tasks.py +++ b/ipatests/pytest_ipa/integration/tasks.py @@ -33,6 +33,7 @@ from pipes import quote from six.moves import configparser from contextlib import contextmanager +from pkg_resources import parse_version import dns from ldif import LDIFWriter @@ -1903,3 +1904,9 @@ def ldapmodify_dm(host, ldif_text, **kwargs): '-w', host.config.dirman_password ] return host.run_command(args, stdin_text=ldif_text, **kwargs) + + +def get_sssd_version(host): + """Get sssd version on remote host.""" + version = host.run_command('sssd --version').stdout_text.strip() + return parse_version(version) From f106fd9eb205222384e75ad09ef52f8996243055 Mon Sep 17 00:00:00 2001 
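Review bot: `get_sssd_version` in tasks.py hands the raw output of `sssd --version` to `parse_version` without checking that it is a bare version string. Depending on the pkg_resources release, an unparsable string either becomes a legacy version that sorts below every normal version or raises, so a caller's `< parse_version(...)` gate could silently take the "old sssd" branch; this is hedged, since the exact output format is not shown on the page. Consider validating the string first, for example `if not re.match(r'\d+(\.\d+)+$', version): raise ValueError(version)`, and extending the docstring to say that the return value is a parsed version object meant to be compared with other `parse_version` results. The other calls in this series pass the command as a list (`['id', user]`), and `['sssd', '--version']` would be consistent with them.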
From: Sergey Orlov <sor...@redhat.com> Date: Thu, 21 Nov 2019 15:30:32 +0100 Subject: [PATCH 4/5] ipatests: add context manager for declaring part of test as xfail This function provides functionality similar to pytest.mark.xfail but for a block of code instead of the whole test function. This has two benefits: 1) you can mark single line as expectedly failing without suppressing all other errors in the test function 2) you can use conditions which can not be evaluated before the test start. The check is always done in "strict" mode, i.e. if test is expected to fail but succeeds then it will be marked as failing. --- ipatests/util.py | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/ipatests/util.py b/ipatests/util.py index 6d1e782600..1ec0fb8844 100644 --- a/ipatests/util.py +++ b/ipatests/util.py @@ -883,3 +883,28 @@ def get_group_dn(cn): def get_user_dn(uid): return DN(('uid', uid), api.env.container_user, api.env.basedn) + + +@contextmanager +def xfail_context(condition, reason): + """Expect a block of code to fail. + + This function provides functionality similar to pytest.mark.xfail + but for a block of code instead of the whole test function. This has + two benefits: + 1) you can mark single line as expectedly failing without suppressing + all other errors in the test function + 2) you can use conditions which can not be evaluated before the test start. + + The check is always done in "strict" mode, i.e. if test is expected to + fail but succeeds then it will be marked as failing. + """ + try: + yield + except Exception: + if condition: + pytest.xfail(reason) + raise + else: + if condition: + pytest.fail('XPASS(strict) reason: {}'.format(reason), False) From 93a1a798f38c2a740a565613832c5a75db923563 Mon Sep 17 00:00:00 2001 
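Review bot: `xfail_context` catches `Exception`, so when `condition` is true any error raised inside the block is reported as xfail, not only the assertion failure tied to the tracked bug. For a regression test that guards an access-control behaviour, that can hide an unrelated breakage behind an expected failure. Narrow the handler to what the block is expected to raise, e.g. `except AssertionError:`, which covers the only use in this series. `pytest.fail(..., False)` would read more clearly as `pytrace=False`, and the docstring should describe `condition` and `reason`. The hunk adds no imports, so it relies on `pytest` and `contextmanager` already being imported in ipatests/util.py, which is not visible here.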
From: Sergey Orlov <sor...@redhat.com> Date: Thu, 12 Mar 2020 15:29:14 +0100 Subject: [PATCH 5/5] ipatests: mark test_trustdomain_disable test as expectedly failing The fix for issue https://pagure.io/SSSD/sssd/issue/4078 have not landed Fedora 30 version yet. --- ipatests/test_integration/test_sssd.py | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/ipatests/test_integration/test_sssd.py b/ipatests/test_integration/test_sssd.py index 239d7cbdf2..0ee48871c4 100644 --- a/ipatests/test_integration/test_sssd.py +++ b/ipatests/test_integration/test_sssd.py @@ -15,6 +15,7 @@ from ipatests.test_integration.base import IntegrationTest from ipatests.pytest_ipa.integration import tasks +from ipatests.util import xfail_context from ipaplatform.tasks import tasks as platform_tasks from ipaplatform.paths import paths from ipapython.dn import DN @@ -291,7 +292,10 @@ def test_trustdomain_disable_disables_subdomain(self): self.master.run_command(['id', user]) with self.disabled_trustdomain(): res = self.master.run_command(['id', user], raiseonerr=False) - assert res.returncode == 1 - assert 'no such user' in res.stderr_text + sssd_version = tasks.get_sssd_version(self.master) + with xfail_context(sssd_version < tasks.parse_version('2.2.3'), + 'https://pagure.io/SSSD/sssd/issue/4078'): + assert res.returncode == 1 + assert 'no such user' in res.stderr_text # verify the user can be retrieved after re-enabling trustdomain self.master.run_command(['id', user])
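Review bot: The version gate in `test_trustdomain_disable_disables_subdomain` calls `tasks.parse_version('2.2.3')`, which works only because tasks.py happens to import `parse_version` from pkg_resources; that name is an import side effect, not part of the tasks API. Import it where it is used, `from pkg_resources import parse_version`, and compare against `parse_version('2.2.3')`. A comment next to the gate, such as `# sssd older than 2.2.3 lacks the fix for SSSD issue 4078, so the two asserts may fail there`, would tell a reader why the check is allowed to fail. The test function starts outside the hunk.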