URL: https://github.com/SSSD/sssd/pull/5681
Author: shridhargadekar
 Title: #5681: Test: sudo rule with runAS set to short-username value
Action: opened

PR body:
"""
On the AD server, a sudo rule whose sudoRunAs attribute is set to a 
short username should not generate an error in the sssd log.
https://bugzilla.redhat.com/show_bug.cgi?id=1910131

"""

From 443180e0dfb4f534c6032dd8557e8d887b498a1b Mon Sep 17 00:00:00 2001
From: Shridhar Gadekar <sgade...@sgadekar.pnq.csb>
Date: Fri, 11 Jun 2021 14:25:37 +0530
Subject: [PATCH] Test: sudo rule with runAS set to short-username value

sudo rule containing sudoRunAs attribute to a short-username
should not generate error in the sssd log.
---
 src/tests/multihost/ad/conftest.py  | 19 +++++++++-
 src/tests/multihost/ad/test_sudo.py | 56 +++++++++++++++++++++++++++++
 2 files changed, 74 insertions(+), 1 deletion(-)

diff --git a/src/tests/multihost/ad/conftest.py b/src/tests/multihost/ad/conftest.py
index ce8856e396..d3b67b305e 100644
--- a/src/tests/multihost/ad/conftest.py
+++ b/src/tests/multihost/ad/conftest.py
@@ -481,6 +481,9 @@ def create_ad_sudousers(session_multihost, request):
     ad_group1 = 'sudo_groupx'
     ad.create_ad_nonposix_group(ad_group1)
     ad.add_user_member_of_group(ad_group1, ad_user1)
+    ad_user_a = 'sudo_usera'
+    ad_group_a = 'sudo_groupa'
+    ad.create_ad_unix_user_group(ad_user_a, ad_group_a)
 
     def remove_ad_sudousers():
         """ Remove AD sudo users and groups """
@@ -489,7 +492,8 @@ def remove_ad_sudousers():
             ad_group = 'sudo_idmgroup%d' % idx
             ad.delete_ad_user_group(ad_group)
             ad.delete_ad_user_group(ad_user)
-        for object in [ad_group1, ad_group2, ad_user1]:
+        usrgrp = [ad_user1, ad_group1, ad_group2, ad_user_a, ad_group_a]
+        for object in usrgrp:
             ad.delete_ad_user_group(object)
     request.addfinalizer(remove_ad_sudousers)
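Review bot: The rewritten loop `for object in usrgrp:` keeps shadowing the builtin `object` that the removed line already shadowed; since the line is being touched anyway, rename the loop variable, e.g. `for entry in usrgrp:` with `ad.delete_ad_user_group(entry)`. The new list also changes the cleanup order so that `ad_user1` is deleted before `ad_group1`, of which it was made a member a few lines up in the fixture; that is presumably fine for `delete_ad_user_group`, but worth confirming against the helper. remove_ad_sudousers begins outside this hunk.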
 
@@ -546,9 +550,22 @@ def sudorules(session_multihost, request):
                         user.encode('utf-8'))]
     (ret, _) = win_ldap.modify_ldap(rule_dn, extra_sudo_user)
     assert ret == 'Success'
+    rule1_dn = 'cn=head_rule1,%s' % (sudo_ou)
+    sudo_identity = 'sudo_usera'
+    sudo_options = ["!requiretty", "!authenticate"]
+    win_ldap.add_sudo_rule(rule1_dn, 'ALL', sudo_cmd,
+                          sudo_identity, sudo_options)
+    user1 = 'sudo_idmuser1'
+    extra_sudo_user = [(ldap.MOD_ADD, 'sudoRunAs',
+                        user1.encode('utf-8'))]
+    (ret, _) = win_ldap.modify_ldap(rule1_dn, extra_sudo_user)
+    assert ret == 'Success'
+
 
     def delete_sudorule():
         """ Delete sudo rule """
+        (ret, _) = win_ldap.del_dn(rule1_dn)
+        assert ret == 'Success'
         for item in ['user', 'group']:
             for idx in range(1, 10):
                 rule_dn = 'cn=less_%s_rule%d,%s' % (item, idx, sudo_ou)
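Review bot: The new `assert ret == 'Success'` after `win_ldap.del_dn(rule1_dn)` sits at the top of the finalizer, so a failed deletion of head_rule1 raises before the loop below runs and leaves every less_user/less_group rule on the server for later tests. Either move the `del_dn(rule1_dn)` call after the existing loop, or keep it first but drop the assert so that cleanup stays best-effort. The two consecutive blank lines inserted before `def delete_sudorule():` are one more than PEP 8 allows inside a function body. sudorules starts outside this hunk and delete_sudorule continues past its end.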
diff --git a/src/tests/multihost/ad/test_sudo.py b/src/tests/multihost/ad/test_sudo.py
index 26125dbc77..7d090ddc99 100644
--- a/src/tests/multihost/ad/test_sudo.py
+++ b/src/tests/multihost/ad/test_sudo.py
@@ -8,6 +8,7 @@
 import pytest
 import paramiko
 import time
+import re
 from sssd.testlib.common.utils import SSHClient
 from sssd.testlib.common.utils import sssdTools
 
@@ -161,6 +162,61 @@ def test_003_support_non_posix_group_in_sudorule(self, multihost):
         client.sssd_conf(domain_section, params, action='delete')
         assert '/usr/bin/head\n' in result
 
+    def test_004_sudorule_with_short_username(self, multihost):
+        """
+        :title: sssd should accept a short-username to sudoRunAs option
+        :id:61b1abf2-310b-4cdf-8238-b32d235df9a9
+        :customerscenario: True
+        :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1910131
+        :setup:
+        1. Add sudo rules with sudoRunAs attribute value set to short-username
+        2. Join a client, without fqdn, to the AD
+        3. Set debug level to 2
+
+        :steps:
+         1.Run sudo command as AD-user for whom rule is created
+        :expectedResuls:
+        1. There should be no error in the sudo or domain log related
+           to 'short-username or non-fqdn username'
+        """
+        client = sssdTools(multihost.client[0], multihost.ad[0])
+        domain_name = client.get_domain_section_name()
+        domain_section = 'domain/%s' % (domain_name)
+        params = {
+            'debug_level': '2'}
+        client.sssd_conf(domain_section, params)
+        client.sssd_conf('sudo', params)
+        multihost.client[0].service_sssd('restart')
+        aduser = 'sudo_usera'
+        user_as = 'sudo_idmuser1'
+        client.clear_sssd_cache()
+        sudo_log = '/var/log/sssd/sssd_sudo.log'
+        domain_log = '/var/log/sssd/sssd_%s.log' % domain_name
+        for file in sudo_log, domain_log:
+            log = multihost.client[0].get_file_contents(file).decode('utf-8')
+            msg = 'Unable to parse name (.*) The internal name format '\
+                  'cannot be parsed'
+            find = re.compile(r'%s' % msg)
+            assert not find.search(log)
+        try:
+            ssh = SSHClient(multihost.client[0].sys_hostname,
+                            username=aduser, password='Secret123')
+
+        except paramiko.ssh_exception.AuthenticationException:
+            pytest.fail('%s failed to login' % aduser)
+        else:
+            (stdout, _, exit_status) = ssh.execute_cmd('sudo -l')
+            assert exit_status == 0
+            result = []
+            assert exit_status == 0
+            for line in stdout.readlines():
+                if 'NOPASSWD' in line:
+                    line.strip()
+                    result.append(line.strip('(sudo_idmuser1) NOPASSWD: '))
+                    assert '/usr/bin/head\n' in result
+        client.sssd_conf('sudo', params, action='delete')
+
+
     @classmethod
     def class_teardown(cls, multihost):
         """ Remove sudo provider from Domain section """
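Review bot: The log scan over `sudo_log` and `domain_log` runs before `ssh.execute_cmd('sudo -l')`, so it inspects the logs before the sudo lookup that would emit the "Unable to parse name" message and can never catch the regression the :expectedResuls: section describes; the scan belongs after the ssh block. In the same body `assert exit_status == 0` appears twice, `line.strip()` discards its result, and `line.strip('(sudo_idmuser1) NOPASSWD: ')` strips a character set from both ends rather than removing the prefix, so the match on `/usr/bin/head\n` holds only by accident; the assert inside the loop also never runs when no NOPASSWD line is present, so the test passes vacuously in that case. Only the sudo section's `debug_level` is removed on exit while the domain section's stays behind, unlike test_003 just above which deletes the domain_section params. The docstring tag should read `:expectedresults:`. A rewritten tail is sketched below; the ssh client is also never closed, which the fence leaves as it was.
```python
        else:
            (stdout, _, exit_status) = ssh.execute_cmd('sudo -l')
            assert exit_status == 0
            result = [line.strip() for line in stdout.readlines()
                      if 'NOPASSWD' in line]
            assert any('/usr/bin/head' in line for line in result)
        # Scan the logs only after sudo has exercised the sudoRunAs lookup.
        find = re.compile(r'Unable to parse name (.*) The internal name '
                          r'format cannot be parsed')
        for file in sudo_log, domain_log:
            log = multihost.client[0].get_file_contents(file).decode('utf-8')
            assert not find.search(log)
        client.sssd_conf(domain_section, params, action='delete')
        client.sssd_conf('sudo', params, action='delete')
```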