URL: https://github.com/SSSD/sssd/pull/394 Author: jhrozek Title: #394: TESTS: Add an integration test for renaming incomplete groups during initgroups Action: opened
PR body: """ This PR depends on https://github.com/SSSD/sssd/pull/128 Adds two regression tests for https://pagure.io/SSSD/sssd/issue/3282 As we implemented the group renaming heuristics to rename only if we can use another "hint" like the original DN or the SID to know the group is the same, this patch adds two tests (positive and negative) to make sure a group with a totally different RDN and hence different originalDN cannot be renamed but a group whose name changed but the RDN stays the same can be renamed. """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/394/head:pr394 git checkout pr394
From dd9ab46838b5f4424ea242e89c7efcf4d6cbb52c Mon Sep 17 00:00:00 2001 From: Jakub Hrozek <jhro...@redhat.com> Date: Tue, 26 Sep 2017 12:39:30 +0200 Subject: [PATCH] TESTS: Add an integration test for renaming incomplete groups during initgroups Adds two regression tests for https://pagure.io/SSSD/sssd/issue/3282 As we implemented the group renaming heuristics to rename only if we can use another "hint" like the original DN or the SID to know the group is the same, this patch adds two tests (positive and negative) to make sure a group with a totally different RDN and hence different originalDN cannot be renamed but a group whose name changed but the RDN stays the same can be renamed. --- src/tests/intg/test_ldap.py | 132 +++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 130 insertions(+), 2 deletions(-) diff --git a/src/tests/intg/test_ldap.py b/src/tests/intg/test_ldap.py index f2467f1ff..4f1c0da10 100644 --- a/src/tests/intg/test_ldap.py +++ b/src/tests/intg/test_ldap.py @@ -94,10 +94,11 @@ def create_ldap_cleanup(request, ldap_conn, ent_list=None): request.addfinalizer(lambda: cleanup_ldap_entries(ldap_conn, ent_list)) -def create_ldap_fixture(request, ldap_conn, ent_list=None): +def create_ldap_fixture(request, ldap_conn, ent_list=None, cleanup=True): """Add LDAP entries and add teardown for removing them""" create_ldap_entries(ldap_conn, ent_list) - create_ldap_cleanup(request, ldap_conn, ent_list) + if cleanup: + create_ldap_cleanup(request, ldap_conn, ent_list) SCHEMA_RFC2307 = "rfc2307" @@ -1169,3 +1170,130 @@ def test_nss_filters_cached(ldap_conn, sanity_nss_filter_cached): res, _ = call_sssd_getgrgid(0) assert res == NssReturnCode.NOTFOUND + + +def rename_setup_no_cleanup(request, ldap_conn, cleanup_ent=None): + ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) + ent_list.add_user("user1", 1001, 2001) + ent_list.add_group_bis("user1_private", 2001) + ent_list.add_group_bis("group1", 2015, ["user1"]) + + if cleanup_ent is None: + create_ldap_fixture(request, ldap_conn, ent_list) + else: + # Since the entries were renamed, we need to clean up + # the renamed entries.. + create_ldap_fixture(request, ldap_conn, ent_list, cleanup=False) + request.addfinalizer(lambda: cleanup_ldap_entries(ldap_conn, + cleanup_ent)) + + +@pytest.fixture +def rename_setup_cleanup(request, ldap_conn): + cleanup_ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) + cleanup_ent_list.add_user("user1", 1001, 2001) + cleanup_ent_list.add_group_bis("new_user1_private", 2001) + cleanup_ent_list.add_group_bis("new_group1", 2015, ["user1"]) + + rename_setup_no_cleanup(request, ldap_conn, cleanup_ent_list) + + conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + return None + + +@pytest.fixture +def rename_setup_with_name(request, ldap_conn): + rename_setup_no_cleanup(request, ldap_conn) + + conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS) + \ + unindent(""" + [nss] + [domain/LDAP] + ldap_group_name = name + timeout = 3000 + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + return None + + +def test_rename_incomplete_group_same_dn(ldap_conn, rename_setup_with_name): + """ + Test that if a group's name attribute changes, but the DN stays the same, + the incomplete group object will be renamed. + + Because the RDN attribute must be present in the entry, we add another + attribute "name" that is purposefully different from the CN and make + sure the group names are reflected in name + + Regression test for https://pagure.io/SSSD/sssd/issue/3282 + """ + pvt_dn = 'cn=user1_private,ou=Groups,' + ldap_conn.ds_inst.base_dn + group1_dn = 'cn=group1,ou=Groups,' + ldap_conn.ds_inst.base_dn + + # Add the name we want for both private and secondary group + old = {'name': []} + new = {'name': [b"user1_group1"]} + ldif = ldap.modlist.modifyModlist(old, new) + ldap_conn.modify_s(group1_dn, ldif) + + new = {'name': [b"pvt_user1"]} + ldif = ldap.modlist.modifyModlist(old, new) + ldap_conn.modify_s(pvt_dn, ldif) + + # Make sure the old name shows up in the id output + (res, errno, grp_list) = sssd_id.get_user_groups("user1") + assert res == sssd_id.NssReturnCode.SUCCESS, \ + "Could not find groups for user1, %d" % errno + + assert sorted(grp_list) == sorted(["pvt_user1", "user1_group1"]) + + # Rename the group by changing the cn attribute, but keep the DN the same + old = {'name': [b"user1_group1"]} + new = {'name': [b"new_user1_group1"]} + ldif = ldap.modlist.modifyModlist(old, new) + ldap_conn.modify_s(group1_dn, ldif) + + if subprocess.call(["sss_cache", "-GU"]) != 0: + raise Exception("sssd_cache failed") + + (res, errno, grp_list) = sssd_id.get_user_groups("user1") + assert res == sssd_id.NssReturnCode.SUCCESS, \ + "Could not find groups for user1, %d" % errno + + assert sorted(grp_list) == sorted(["pvt_user1", "new_user1_group1"]) + + +def test_rename_incomplete_group_rdn_changed(ldap_conn, rename_setup_cleanup): + """ + Test that if a group's name attribute changes, and the DN changes with + the RDN. Then adding the second group will fail because we can't tell if + there are two duplicate groups in LDAP when saving the group or if the + group was renamed. + + Please note that with many directories (AD, IPA), the code can rely on + other heuristics (SID, UUID) to find out the group is in fact the same. + + Regression test for https://pagure.io/SSSD/sssd/issue/3282 + """ + pvt_dn = 'cn=user1_private,ou=Groups,' + ldap_conn.ds_inst.base_dn + group1_dn = 'cn=group1,ou=Groups,' + ldap_conn.ds_inst.base_dn + + # Make sure the old name shows up in the id output + (res, errno, grp_list) = sssd_id.get_user_groups("user1") + assert res == sssd_id.NssReturnCode.SUCCESS, \ + "Could not find groups for user1, %d" % errno + + assert sorted(grp_list) == sorted(["user1_private", "group1"]) + + # Rename the groups, changing the RDN + ldap_conn.rename_s(group1_dn, "cn=new_group1") + ldap_conn.rename_s(pvt_dn, "cn=new_user1_private") + + if subprocess.call(["sss_cache", "-GU"]) != 0: + raise Exception("sssd_cache failed") + + # The initgroups fails and we fall back to the old names in the cache + assert sorted(grp_list) == sorted(["user1_private", "group1"])
_______________________________________________ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
