URL: https://github.com/SSSD/sssd/pull/5681 Author: shridhargadekar Title: #5681: Test: sudo rule with runAS set to short-username value Action: opened
PR body: """ On the AD server, a sudo rule whose sudoRunAs attribute is set to a short username should not generate an error in the sssd log. https://bugzilla.redhat.com/show_bug.cgi?id=1910131 """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5681/head:pr5681 git checkout pr5681
From 443180e0dfb4f534c6032dd8557e8d887b498a1b Mon Sep 17 00:00:00 2001 From: Shridhar Gadekar <sgade...@sgadekar.pnq.csb> Date: Fri, 11 Jun 2021 14:25:37 +0530 Subject: [PATCH] Test: sudo rule with runAS set to short-username value sudo rule containing sudoRunAs attribute to a short-username should not generate error in the sssd log. --- src/tests/multihost/ad/conftest.py | 19 +++++++++- src/tests/multihost/ad/test_sudo.py | 56 +++++++++++++++++++++++++++++ 2 files changed, 74 insertions(+), 1 deletion(-) diff --git a/src/tests/multihost/ad/conftest.py b/src/tests/multihost/ad/conftest.py index ce8856e396..d3b67b305e 100644 --- a/src/tests/multihost/ad/conftest.py +++ b/src/tests/multihost/ad/conftest.py @@ -481,6 +481,9 @@ def create_ad_sudousers(session_multihost, request): ad_group1 = 'sudo_groupx' ad.create_ad_nonposix_group(ad_group1) ad.add_user_member_of_group(ad_group1, ad_user1) + ad_user_a = 'sudo_usera' + ad_group_a = 'sudo_groupa' + ad.create_ad_unix_user_group(ad_user_a, ad_group_a) def remove_ad_sudousers(): """ Remove AD sudo users and groups """ @@ -489,7 +492,8 @@ def remove_ad_sudousers(): ad_group = 'sudo_idmgroup%d' % idx ad.delete_ad_user_group(ad_group) ad.delete_ad_user_group(ad_user) - for object in [ad_group1, ad_group2, ad_user1]: + usrgrp = [ad_user1, ad_group1, ad_group2, ad_user_a, ad_group_a] + for object in usrgrp: ad.delete_ad_user_group(object) request.addfinalizer(remove_ad_sudousers) 
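Review bot: `for object in usrgrp:` keeps the rewritten loop shadowing the builtin `object`, and the `usrgrp` temporary adds nothing the list literal does not already say; `for entry in [ad_user1, ad_group1, ad_group2, ad_user_a, ad_group_a]:` with `ad.delete_ad_user_group(entry)` reads cleaner and avoids the shadowing. Both conftest hunks on this line sit inside `create_ad_sudousers`, whose definition starts outside the hunk; the finalizer now removes the new `sudo_usera`/`sudo_groupa` pair, so the first hunk raises nothing further.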
@@ -546,9 +550,22 @@ def sudorules(session_multihost, request): user.encode('utf-8'))] (ret, _) = win_ldap.modify_ldap(rule_dn, extra_sudo_user) assert ret == 'Success' + rule1_dn = 'cn=head_rule1,%s' % (sudo_ou) + sudo_identity = 'sudo_usera' + sudo_options = ["!requiretty", "!authenticate"] + win_ldap.add_sudo_rule(rule1_dn, 'ALL', sudo_cmd, + sudo_identity, sudo_options) + user1 = 'sudo_idmuser1' + extra_sudo_user = [(ldap.MOD_ADD, 'sudoRunAs', + user1.encode('utf-8'))] + (ret, _) = win_ldap.modify_ldap(rule1_dn, extra_sudo_user) + assert ret == 'Success' + def delete_sudorule(): """ Delete sudo rule """ + (ret, _) = win_ldap.del_dn(rule1_dn) + assert ret == 'Success' for item in ['user', 'group']: for idx in range(1, 10): rule_dn = 'cn=less_%s_rule%d,%s' % (item, idx, sudo_ou) diff --git a/src/tests/multihost/ad/test_sudo.py b/src/tests/multihost/ad/test_sudo.py index 26125dbc77..7d090ddc99 100644 --- a/src/tests/multihost/ad/test_sudo.py +++ b/src/tests/multihost/ad/test_sudo.py @@ -8,6 +8,7 @@ import pytest import paramiko import time +import re from sssd.testlib.common.utils import SSHClient from sssd.testlib.common.utils import sssdTools 
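Review bot: `(ret, _) = win_ldap.del_dn(rule1_dn)` followed by `assert ret == 'Success'` sits at the top of `delete_sudorule`, so a failed deletion of head_rule1 raises out of the finalizer before the loop that removes the less_user/less_group rules, leaving those sudo rules on the AD server for later runs. Move the two new lines after the existing loop (delete_sudorule continues outside the hunk), or do not assert inside the finalizer so every rule is at least attempted, e.g. a bare `win_ldap.del_dn(rule1_dn)` after the loop. The sudoRunAs value `sudo_idmuser1` is deliberately the short form; a comment such as `# short (non-fqdn) runAs value, the case from bz1910131` above `user1 = 'sudo_idmuser1'` would record why no domain suffix is appended.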
@@ -161,6 +162,61 @@ def test_003_support_non_posix_group_in_sudorule(self, multihost): client.sssd_conf(domain_section, params, action='delete') assert '/usr/bin/head\n' in result + def test_004_sudorule_with_short_username(self, multihost): + """ + :title: sssd should accept a short-username to sudoRunAs option + :id:61b1abf2-310b-4cdf-8238-b32d235df9a9 + :customerscenario: True + :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1910131 + :setup: + 1. Add sudo rules with sudoRunAs attribute value set to short-username + 2. Join a client, without fqdn, to the AD + 3. Set debug level to 2 + + :steps: + 1.Run sudo command as AD-user for whom rule is created + :expectedResuls: + 1. There should be no error in the sudo or domain log related + to 'short-username or non-fqdn username' + """ + client = sssdTools(multihost.client[0], multihost.ad[0]) + domain_name = client.get_domain_section_name() + domain_section = 'domain/%s' % (domain_name) + params = { + 'debug_level': '2'} + client.sssd_conf(domain_section, params) + client.sssd_conf('sudo', params) + multihost.client[0].service_sssd('restart') + aduser = 'sudo_usera' + user_as = 'sudo_idmuser1' + client.clear_sssd_cache() + sudo_log = '/var/log/sssd/sssd_sudo.log' + domain_log = '/var/log/sssd/sssd_%s.log' % domain_name + for file in sudo_log, domain_log: + log = multihost.client[0].get_file_contents(file).decode('utf-8') + msg = 'Unable to parse name (.*) The internal name format '\ + 'cannot be parsed' + find = re.compile(r'%s' % msg) + assert not find.search(log) + try: + ssh = SSHClient(multihost.client[0].sys_hostname, + username=aduser, password='Secret123') + + except paramiko.ssh_exception.AuthenticationException: + pytest.fail('%s failed to login' % aduser) + else: + (stdout, _, exit_status) = ssh.execute_cmd('sudo -l') + assert exit_status == 0 + result = [] + assert exit_status == 0 + for line in stdout.readlines(): + if 'NOPASSWD' in line: + line.strip() + result.append(line.strip('(sudo_idmuser1) 
NOPASSWD: ')) + assert '/usr/bin/head\n' in result + client.sssd_conf('sudo', params, action='delete') + + @classmethod def class_teardown(cls, multihost): """ Remove sudo provider from Domain section """
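Review bot: The scan of `sudo_log` and `domain_log` for "Unable to parse name" runs right after `clear_sssd_cache()` and before `sudo -l` is executed, so it is checked before the rule with the short sudoRunAs value has necessarily been fetched and parsed; this contradicts the docstring's own step/expected-result order and can pass vacuously. Move the `for file in sudo_log, domain_log:` loop below the `else:` branch that runs `sudo -l`, and while there drop the duplicated `assert exit_status == 0` and the no-op `line.strip()` whose result is discarded. `line.strip('(sudo_idmuser1) NOPASSWD: ')` strips a character set rather than a prefix and only yields the command by accident; `line.partition('NOPASSWD:')[2].lstrip()` is the intended operation and keeps the `'/usr/bin/head\n'` comparison used by test_003. The teardown also deletes `params` only from the `sudo` section, leaving `debug_level` in the domain section unlike test_003 directly above; add `client.sssd_conf(domain_section, params, action='delete')`. test_004 is contained entirely in the hunk.
```python
        # … unchanged: sssd.conf setup, restart, aduser/user_as, clear_sssd_cache, log paths …
        try:
            ssh = SSHClient(multihost.client[0].sys_hostname,
                            username=aduser, password='Secret123')
        except paramiko.ssh_exception.AuthenticationException:
            pytest.fail('%s failed to login' % aduser)
        else:
            (stdout, _, exit_status) = ssh.execute_cmd('sudo -l')
            assert exit_status == 0
            result = [line.partition('NOPASSWD:')[2].lstrip()
                      for line in stdout.readlines() if 'NOPASSWD' in line]
            assert '/usr/bin/head\n' in result
        # Scan the logs only after sudo has resolved the rule with the
        # short sudoRunAs value; before that the check proves nothing.
        msg = 'Unable to parse name (.*) The internal name format '\
              'cannot be parsed'
        find = re.compile(r'%s' % msg)
        for file in sudo_log, domain_log:
            log = multihost.client[0].get_file_contents(file).decode('utf-8')
            assert not find.search(log)
        client.sssd_conf(domain_section, params, action='delete')
        client.sssd_conf('sudo', params, action='delete')
```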