https://fedorahosted.org/freeipa/ticket/5625

--
Martin^3 Babinsky
From 34dddb8be8dfaf6116af35cfa80929f46dc29deb Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Wed, 17 Feb 2016 16:55:56 +0100
Subject: [PATCH] CI tests: use old schema when testing hostmask-based sudo
 rules

Newer versions of sssd use native IPA schema to process sudo rules.
However, this schema currently has no support for hostmask-based rules
and causes some sudo CI tests to fail. We have to temporarily set
sssd.conf to use ou=sudoers,$SUFFIX as a sudo rule search base when
executing them.

https://fedorahosted.org/freeipa/ticket/5625
---
 ipatests/test_integration/tasks.py     | 43 ++++++++++++++++++++++++++++++++++
 ipatests/test_integration/test_sudo.py | 27 ++++++++++++++++++++-
 2 files changed, 69 insertions(+), 1 deletion(-)

diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index 7f1b1eac325c0609214b5837d57635d5972a4c32..6c4f70aa535050989a8c1312e4179b4f5744a59c 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -24,11 +24,13 @@ import textwrap
 import re
 import collections
 import itertools
+import tempfile
 import time
 import StringIO
 import dns
 
 from ldif import LDIFWriter
+from SSSDConfig import SSSDConfig
 
 from ipapython import ipautil
 from ipaplatform.paths import paths
@@ -509,6 +511,47 @@ def setup_sssd_debugging(host):
     clear_sssd_cache(host)
 
 
+def modify_sssd_conf(host, domain, mod_dict, provider='ipa',
+                     provider_subtype=None):
+    """
+    modify options in a single domain section of host's sssd.conf
+    :param host: multihost.Host object
+    :param domain: domain section name to modify
+    :param mod_dict: dictionary of options which will be passed to
+        SSSDDomain.set_option(). To remove an option specify its value as
+        None
+    :param provider: provider backend to set. Defaults to ipa
+    :param provider_subtype: backend subtype (e.g. id or sudo), will be added
+        to the domain config if not present
+    """
+    try:
+        temp_config_file = tempfile.mkstemp()[1]
+        current_config = host.transport.get_file_contents(paths.SSSD_CONF)
+
+        with open(temp_config_file, 'wb') as f:
+            f.write(current_config)
+
+        sssd_config = SSSDConfig()
+        sssd_config.import_config(temp_config_file)
+        sssd_domain = sssd_config.get_domain(domain)
+
+        if provider_subtype is not None:
+            sssd_domain.add_provider(provider, provider_subtype)
+
+        for m in mod_dict:
+            sssd_domain.set_option(m, mod_dict[m])
+
+        sssd_config.save_domain(sssd_domain)
+
+        new_config = sssd_config.dump(sssd_config.opts).encode('utf-8')
+        host.transport.put_file_contents(paths.SSSD_CONF, new_config)
+    finally:
+        try:
+            os.remove(temp_config_file)
+        except OSError:
+            pass
+
+
 def clear_sssd_cache(host):
     """
     Clears SSSD cache by removing the cache files. Restarts SSSD.
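Review bot: `tempfile.mkstemp()[1]` in modify_sssd_conf discards the open file descriptor that mkstemp returns, so each call leaks one descriptor. Because the call sits inside the `try`, a failure in mkstemp itself also reaches the `finally` with `temp_config_file` unbound, and the resulting UnboundLocalError (not caught by `except OSError`) masks the real error. Taking both values before the `try` fixes both problems: `fd, temp_config_file = tempfile.mkstemp()` followed by `os.close(fd)`, then `try:`. The temporary file holds a full copy of the client's sssd.conf, so mkstemp's owner-only mode is the right choice; it is also worth confirming that `put_file_contents` leaves the remote sssd.conf root-owned and mode 0600, since SSSD refuses to load a config with looser permissions. The same function appears unchanged in the second copy of the patch on this page, at `@@ -591,6 +593,47 @@`.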
diff --git a/ipatests/test_integration/test_sudo.py b/ipatests/test_integration/test_sudo.py
index b1f31556a96180c3b30b2fcc03dd35b5cd994ff5..21267454dea9696483fe7725c93a7ef92239710a 100644
--- a/ipatests/test_integration/test_sudo.py
+++ b/ipatests/test_integration/test_sudo.py
@@ -20,7 +20,7 @@
 import pytest
 
 from ipatests.test_integration.base import IntegrationTest
-from ipatests.test_integration.tasks import clear_sssd_cache
+from ipatests.test_integration.tasks import clear_sssd_cache, modify_sssd_conf
 from ipatests.test_integration import util
 
 
@@ -287,6 +287,19 @@ class TestSudo(IntegrationTest):
                                  'testrule',
                                  '--hostmask', full_ip])
 
+        # SSSD >= 1.13.3-3 uses native IPA schema instead of compat entries to
+        # pull in sudoers. Since native schema does not (yet) support
+        # hostmasks, we need to point ldap_sudo_search_base to the old schema
+        domain = self.client.domain
+        modify_sssd_conf(
+            self.client,
+            domain.name,
+            {
+                'ldap_sudo_search_base': 'ou=sudoers,{}'.format(domain.basedn)
+            },
+            provider_subtype='sudo'
+        )
+
     def test_sudo_rule_restricted_to_one_hostmask(self):
         if self.__class__.skip_hostmask_based:
             raise pytest.skip("Hostmask could not be detected")
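Review bot: The sssd.conf override added at the end of this setup method is undone only by the matching block in the `@@ -328,6 +341,18 @@` hunk, which lives in a different test method. If that later method fails before reaching it or is deselected, the client keeps `ldap_sudo_search_base` pointed at `ou=sudoers` for every test that follows. A class-level fixture or a `try`/`finally` that always restores the option would make the cleanup independent of test order. Nothing in this hunk restarts SSSD or clears its cache after the file is rewritten; if the following test does not call `clear_sssd_cache` itself (not visible here), the new search base may not be in effect when the rule is evaluated. The enclosing method starts outside the hunk, and the second copy of the patch on this page carries the same two hunks.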
@@ -328,6 +341,18 @@ class TestSudo(IntegrationTest):
                                  'testrule',
                                  '--hostmask', '%s/32' % ip])
 
+        # reset ldap_sudo_search_base back to the default value, the old
+        # schema is not needed for the upcoming tests
+        domain = self.client.domain
+        modify_sssd_conf(
+            self.client,
+            domain.name,
+            {
+                'ldap_sudo_search_base': None
+            },
+            provider_subtype='sudo'
+        )
+
     def test_sudo_rule_restricted_to_one_command_setup(self):
         # Reset testrule configuration
         self.reset_rule_categories()
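Review bot: Passing `None` removes `ldap_sudo_search_base` from the domain section instead of restoring what was there before the hostmask tests, so a client whose sssd.conf already set that option would end up with a different configuration than it started with. If that can happen in CI, read the current value before the override and write it back here. Otherwise a short comment such as `# assumes ldap_sudo_search_base was unset before the hostmask tests` would record the assumption. The enclosing method starts outside the hunk.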
-- 
2.5.0

From 3c6d16a3a9650ea46ffcd52f64b8e2cbd13efbe5 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Wed, 17 Feb 2016 16:55:56 +0100
Subject: [PATCH] CI tests: use old schema when testing hostmask-based sudo
 rules

Newer versions of sssd use native IPA schema to process sudo rules.
However, this schema currently has no support for hostmask-based rules
and causes some sudo CI tests to fail. We have to temporarily set
sssd.conf to use ou=sudoers,$SUFFIX as a sudo rule search base when
executing them.

https://fedorahosted.org/freeipa/ticket/5625
---
 ipatests/test_integration/tasks.py     | 43 ++++++++++++++++++++++++++++++++++
 ipatests/test_integration/test_sudo.py | 27 ++++++++++++++++++++-
 2 files changed, 69 insertions(+), 1 deletion(-)

diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index d37b616bd6efe437a1a979cc7a9ad8c7ea803773..90c63ac6ebe3c763fe0e62bced23d29eaf580b01 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -24,10 +24,12 @@ import textwrap
 import re
 import collections
 import itertools
+import tempfile
 import time
 
 import dns
 from ldif import LDIFWriter
+from SSSDConfig import SSSDConfig
 from six import StringIO
 
 from ipapython import ipautil
@@ -591,6 +593,47 @@ def setup_sssd_debugging(host):
     clear_sssd_cache(host)
 
 
+def modify_sssd_conf(host, domain, mod_dict, provider='ipa',
+                     provider_subtype=None):
+    """
+    modify options in a single domain section of host's sssd.conf
+    :param host: multihost.Host object
+    :param domain: domain section name to modify
+    :param mod_dict: dictionary of options which will be passed to
+        SSSDDomain.set_option(). To remove an option specify its value as
+        None
+    :param provider: provider backend to set. Defaults to ipa
+    :param provider_subtype: backend subtype (e.g. id or sudo), will be added
+        to the domain config if not present
+    """
+    try:
+        temp_config_file = tempfile.mkstemp()[1]
+        current_config = host.transport.get_file_contents(paths.SSSD_CONF)
+
+        with open(temp_config_file, 'wb') as f:
+            f.write(current_config)
+
+        sssd_config = SSSDConfig()
+        sssd_config.import_config(temp_config_file)
+        sssd_domain = sssd_config.get_domain(domain)
+
+        if provider_subtype is not None:
+            sssd_domain.add_provider(provider, provider_subtype)
+
+        for m in mod_dict:
+            sssd_domain.set_option(m, mod_dict[m])
+
+        sssd_config.save_domain(sssd_domain)
+
+        new_config = sssd_config.dump(sssd_config.opts).encode('utf-8')
+        host.transport.put_file_contents(paths.SSSD_CONF, new_config)
+    finally:
+        try:
+            os.remove(temp_config_file)
+        except OSError:
+            pass
+
+
 def clear_sssd_cache(host):
     """
     Clears SSSD cache by removing the cache files. Restarts SSSD.
diff --git a/ipatests/test_integration/test_sudo.py b/ipatests/test_integration/test_sudo.py
index b1f31556a96180c3b30b2fcc03dd35b5cd994ff5..21267454dea9696483fe7725c93a7ef92239710a 100644
--- a/ipatests/test_integration/test_sudo.py
+++ b/ipatests/test_integration/test_sudo.py
@@ -20,7 +20,7 @@
 import pytest
 
 from ipatests.test_integration.base import IntegrationTest
-from ipatests.test_integration.tasks import clear_sssd_cache
+from ipatests.test_integration.tasks import clear_sssd_cache, modify_sssd_conf
 from ipatests.test_integration import util
 
 
@@ -287,6 +287,19 @@ class TestSudo(IntegrationTest):
                                  'testrule',
                                  '--hostmask', full_ip])
 
+        # SSSD >= 1.13.3-3 uses native IPA schema instead of compat entries to
+        # pull in sudoers. Since native schema does not (yet) support
+        # hostmasks, we need to point ldap_sudo_search_base to the old schema
+        domain = self.client.domain
+        modify_sssd_conf(
+            self.client,
+            domain.name,
+            {
+                'ldap_sudo_search_base': 'ou=sudoers,{}'.format(domain.basedn)
+            },
+            provider_subtype='sudo'
+        )
+
     def test_sudo_rule_restricted_to_one_hostmask(self):
         if self.__class__.skip_hostmask_based:
             raise pytest.skip("Hostmask could not be detected")
@@ -328,6 +341,18 @@ class TestSudo(IntegrationTest):
                                  'testrule',
                                  '--hostmask', '%s/32' % ip])
 
+        # reset ldap_sudo_search_base back to the default value, the old
+        # schema is not needed for the upcoming tests
+        domain = self.client.domain
+        modify_sssd_conf(
+            self.client,
+            domain.name,
+            {
+                'ldap_sudo_search_base': None
+            },
+            provider_subtype='sudo'
+        )
+
     def test_sudo_rule_restricted_to_one_command_setup(self):
         # Reset testrule configuration
         self.reset_rule_categories()
-- 
2.5.0
