URL: https://github.com/freeipa/freeipa/pull/2494 Author: wladich Title: #2494: ipatests: add test for ipa-advise for enabling sudo for admins group Action: opened
PR body: """ Test that 1) sudo is not enabled for members of admins group by default 2) sudo is enabled for them after execution of script provided by ipa-advise enable_admins_sudo Related to https://pagure.io/freeipa/issue/7538 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/2494/head:pr2494 git checkout pr2494
From 9c941ec2e52dc4fae8fb99f775b9671ddc4abc02 Mon Sep 17 00:00:00 2001 From: Sergey Orlov <sor...@redhat.com> Date: Fri, 26 Oct 2018 14:35:09 +0200 Subject: [PATCH] ipatests: add test for ipa-advise for enabling sudo for admins group Test that 1) sudo is not enabled for members of admins group by default 2) sudo is enabled for them after execution of script provided by ipa-advise enable_admins_sudo Related to https://pagure.io/freeipa/issue/7538 --- ipatests/test_integration/test_sudo.py | 79 +++++++++++++++++++++----- 1 file changed, 65 insertions(+), 14 deletions(-) diff --git a/ipatests/test_integration/test_sudo.py b/ipatests/test_integration/test_sudo.py index 211a11f269..968ce9398f 100644 --- a/ipatests/test_integration/test_sudo.py +++ b/ipatests/test_integration/test_sudo.py @@ -24,22 +24,42 @@ clear_sssd_cache, get_host_ip_with_hostmask, modify_sssd_conf) -class TestSudo(IntegrationTest): - """ - Test Sudo - http://www.freeipa.org/page/V4/Sudo_Integration#Test_Plan - """ +class TestSudoBase(IntegrationTest): num_clients = 1 topology = 'line' @classmethod def install(cls, mh): - super(TestSudo, cls).install(mh) + super(TestSudoBase, cls).install(mh) cls.client = cls.clients[0] cls.clientname = cls.client.run_command( ['hostname', '-s']).stdout_text.strip() + def list_sudo_commands(self, user, raiseonerr=False, verbose=False, password=None): + clear_sssd_cache(self.client) + sudo_args = '-ll' if verbose else '-l' + stdin_text = None + if password is None: + sudo_args += ' -n' + else: + sudo_args += ' -S' + stdin_text = password + '\n' + return self.client.run_command( + 'su -c "sudo %s" %s' % (sudo_args, user), + raiseonerr=raiseonerr, stdin_text=stdin_text) + + +class TestSudo(TestSudoBase): + """ + Test Sudo + http://www.freeipa.org/page/V4/Sudo_Integration#Test_Plan + """ + + @classmethod + def install(cls, mh): + super(TestSudo, cls).install(mh) + for i in range(1, 3): # Add 1. and 2. testing user cls.master.run_command(['ipa', 'user-add', 
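Review bot: In the new `TestSudoBase.list_sudo_commands`, `sudo_args` and `user` are formatted into one shell string, `'su -c "sudo %s" %s' % (sudo_args, user)`, so a user name containing whitespace or shell metacharacters would change the command that runs on the client. The same hunk already passes an argv list to `run_command` (`['hostname', '-s']`), and that form should work here too, assuming `run_command` quotes list elements: `['su', '-c', 'sudo %s' % sudo_args, user]`. Feeding the password on stdin with `-S` keeps it off the command line, which is worth stating in a short docstring along with the fact that `password=None` selects the non-interactive `-n` path. `TestSudoBase` itself also has no docstring now that the original one has moved to `TestSudo`.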
@@ -80,20 +100,12 @@ def install(cls, mh): 'defaults', '--sudooption', "!authenticate"]) - @classmethod def uninstall(cls, mh): cls.client.run_command(['groupdel', 'localgroup'], raiseonerr=False) cls.client.run_command(['userdel', 'localuser'], raiseonerr=False) super(TestSudo, cls).uninstall(mh) - def list_sudo_commands(self, user, raiseonerr=False, verbose=False): - clear_sssd_cache(self.client) - list_flag = '-ll' if verbose else '-l' - return self.client.run_command( - 'su -c "sudo %s -n" %s' % (list_flag, user), - raiseonerr=raiseonerr) - def reset_rule_categories(self, safe_delete=True): if safe_delete: # Remove and then add the rule back, since the deletion of some 
@@ -680,3 +692,42 @@ def test_category_all_validation_runasgroup(self): '--groups', 'testgroup2'], raiseonerr=False) assert result.returncode != 0 + + +class TestSudoAdvise(TestSudoBase): + """ + Tests for sudo permissions for admin users + https://pagure.io/freeipa/issue/7538 + """ + test_user_name = 'admin2' + test_user_password = 'Secret123' + + @classmethod + def install(cls, mh): + super(TestSudoAdvise, cls).install(mh) + + cls.master.run_command(['ipa', 'user-add', + cls.test_user_name, + '--first', 'Admin', + '--last', 'Second', + '--password'], + stdin_text='{0}\n{0}\n'.format(cls.test_user_password)) + cls.master.run_command(['ipa', 'user-mod', cls.test_user_name, + '--setattr=krbPasswordExpiration=20371231010101Z']) + cls.master.run_command(['ipa', 'group-add-member', + 'admins', + '--users', cls.test_user_name]) + + def test_admins_group_does_not_have_sudo_permission(self): + result = self.list_sudo_commands(self.test_user_name, raiseonerr=False, password=self.test_user_password) + assert result.returncode == 1 + assert "Sorry, user admin2 may not run sudo on {}.".format( + self.clientname) in result.stderr_text + + def test_install_advise_script(self): + script = self.master.run_command('ipa-advise enable_admins_sudo').stdout_text + self.master.run_command('bash', stdin_text=script) + + def test_admins_have_sudo_permission(self): + result = self.list_sudo_commands(self.test_user_name, password=self.test_user_password) + assert '(root) ALL' in result.stdout_text
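Review bot: In `test_admins_group_does_not_have_sudo_permission` the expected message hard-codes `admin2` although the class defines `test_user_name`, so changing the test user would make the negative check fail for the wrong reason; build it as `"Sorry, user {} may not run sudo on {}.".format(self.test_user_name, self.clientname)`. `test_admins_have_sudo_permission` only looks for `(root) ALL` in stdout, and adding `assert result.returncode == 0` would separate a failed authentication from a missing rule when the test breaks. The three tests only make sense in definition order (deny, apply the `ipa-advise` script, allow), which deserves a one-line comment on the class, for example `# tests are order-dependent: the advise script is applied in between`.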