URL: https://github.com/SSSD/sssd/pull/680 Author: mrniranjan Title: #680: pytest: Add test case for Expired sudo rule Action: synchronized
To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/680/head:pr680 git checkout pr680
From 8cddf199d93b5c5e9898cda260524facfe854725 Mon Sep 17 00:00:00 2001 From: "Niranjan M.R" <mrniran...@redhat.com> Date: Tue, 16 Oct 2018 14:00:30 +0530 Subject: [PATCH 1/6] pytest/sudo: Modify fixture to restore sssd.conf Modify set_case_sensitive_false fixture to restore sssd.conf back to the original sssd.conf after running test_case_senitivity test case. Signed-off-by: Niranjan M.R <mrniran...@redhat.com> --- src/tests/multihost/basic/conftest.py | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/src/tests/multihost/basic/conftest.py b/src/tests/multihost/basic/conftest.py index 0d3b831bea..376a3b415b 100644 --- a/src/tests/multihost/basic/conftest.py +++ b/src/tests/multihost/basic/conftest.py @@ -15,6 +15,7 @@ import os import tempfile import ldap +import time def pytest_namespace(): @@ -193,8 +194,10 @@ def create_casesensitive_posix_user(session_multihost): @pytest.fixture -def set_case_sensitive_false(session_multihost): +def set_case_sensitive_false(session_multihost, request): """ Set case_sensitive to false in sssd domain section """ + bkup_sssd = 'cp -f /etc/sssd/sssd.conf /etc/sssd/sssd.conf.orig' + session_multihost.master[0].run_command(bkup_sssd) session_multihost.master[0].transport.get_file('/etc/sssd/sssd.conf', '/tmp/sssd.conf') sssdconfig = ConfigParser.SafeConfigParser() @@ -208,6 +211,14 @@ def set_case_sensitive_false(session_multihost): '/etc/sssd/sssd.conf') session_multihost.master[0].service_sssd('restart') + def restore_sssd(): + """ Restore sssd.conf """ + restore_sssd = 'cp -f /etc/sssd/sssd.conf.orig /etc/sssd/sssd.conf' + session_multihost.master[0].run_command(restore_sssd) + session_multihost.master[0].service_sssd('restart') + time.sleep(5) + request.addfinalizer(restore_sssd) + @pytest.fixture def enable_files_domain(session_multihost): From f8926ab5817696c8825b5a8d2388a002266b1e56 Mon Sep 17 00:00:00 2001 
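Review bot: In set_case_sensitive_false, `request.addfinalizer(restore_sssd)` is registered only after sssd.conf has been rewritten and sssd restarted, so if `put_file` or the restart raises, the backup taken at the top of the fixture is never restored and later tests run against the modified configuration. Registering the finalizer directly after `session_multihost.master[0].run_command(bkup_sssd)` closes that gap. Inside the finalizer the local string `restore_sssd` shadows the function's own name; `restore_cmd = 'cp -f /etc/sssd/sssd.conf.orig /etc/sssd/sssd.conf'` reads more clearly. The middle of the fixture body lies between the two hunks and is only partly visible here.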
From: "Niranjan M.R" <mrniran...@redhat.com> Date: Tue, 16 Oct 2018 16:31:25 +0530 Subject: [PATCH 2/6] pytest/sudo: Rename create_sudorule to case_sensitive_sudorule Add del_sudo_rule function to delete the sudo rules after test_sensitivity completes Signed-off-by: Niranjan M.R <mrniran...@redhat.com> --- src/tests/multihost/basic/conftest.py | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/src/tests/multihost/basic/conftest.py b/src/tests/multihost/basic/conftest.py index 376a3b415b..cfc35d527a 100644 --- a/src/tests/multihost/basic/conftest.py +++ b/src/tests/multihost/basic/conftest.py @@ -254,10 +254,10 @@ def teardown_files_domain_users(): @pytest.fixture -def create_sudorule(session_multihost, create_casesensitive_posix_user): +def case_sensitive_sudorule(session_multihost, + create_casesensitive_posix_user, + request): """ Create posix user and groups """ - # pylint: disable=unused-argument - _pytest_fixtures = [create_casesensitive_posix_user] ldap_uri = 'ldap://%s' % (session_multihost.master[0].sys_hostname) ds_rootdn = 'cn=Directory Manager' ds_rootpw = 'Secret123' @@ -280,6 +280,17 @@ def create_sudorule(session_multihost, create_casesensitive_posix_user): except LdapException: pytest.fail("Failed to add sudo rule %s" % rule_dn2) + def del_sensitive_sudo_rule(): + """ Delete sudo rule """ + (ret, _) = ldap_inst.del_dn(rule_dn1) + assert ret == 'Success' + (ret, _) = ldap_inst.del_dn(rule_dn2) + assert ret == 'Success' + (ret, _) = ldap_inst.del_dn(sudo_ou) + assert ret == 'Success' + time.sleep(5) + request.addfinalizer(del_sensitive_sudo_rule) + @pytest.fixture def enable_sss_sudo_nsswitch(session_multihost, tmpdir, request): From 2e2240c2e3d7dc9be0f85a746855b20390aaa6c0 Mon Sep 17 00:00:00 2001 From: "Niranjan M.R" <mrniran...@redhat.com> Date: Tue, 16 Oct 2018 16:35:43 +0530 Subject: [PATCH 3/6] pytest/sudo: call case_sensitive_sudorule fixture instead of create_sudorule 
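Review bot: The teardown in del_sensitive_sudo_rule stops at the first failing `assert`, so a failed delete of `rule_dn1` leaves `rule_dn2` and the `sudoers` OU in the directory for every later test. Attempting all three deletions and asserting once at the end keeps the cleanup complete and still reports the failure; del_sudo_rule in generic_sudorule (patch 4/6) has the same shape. The finalizer is also registered after both add_sudo_rule calls, so a `pytest.fail` on the second rule appears to leave the first rule behind. The start of the fixture body lies outside this hunk.

```python
    def del_sensitive_sudo_rule():
        """ Delete both sudo rules and the sudoers OU, reporting every failure """
        failed = []
        for entry_dn in (rule_dn1, rule_dn2, sudo_ou):
            (ret, _) = ldap_inst.del_dn(entry_dn)
            if ret != 'Success':
                failed.append(entry_dn)
        time.sleep(5)
        assert not failed, "Failed to delete %s" % ', '.join(failed)
    request.addfinalizer(del_sensitive_sudo_rule)
```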
Signed-off-by: Niranjan M.R <mrniran...@redhat.com> --- src/tests/multihost/basic/test_sudo.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/tests/multihost/basic/test_sudo.py b/src/tests/multihost/basic/test_sudo.py index ecf41ffb1a..af9b7a8e87 100644 --- a/src/tests/multihost/basic/test_sudo.py +++ b/src/tests/multihost/basic/test_sudo.py @@ -6,12 +6,12 @@ class TestSanitySudo(object): """ Basic Sanity Test cases for sudo service in sssd """ - def test_case_senitivity(self, multihost, create_sudorule, + def test_case_senitivity(self, multihost, case_sensitive_sudorule, enable_sss_sudo_nsswitch, set_case_sensitive_false): """ Verify case sensitivity in sudo responder """ # pylint: disable=unused-argument - _pytest_fixtures = [create_sudorule, enable_sss_sudo_nsswitch, + _pytest_fixtures = [case_sensitive_sudorule, enable_sss_sudo_nsswitch, set_case_sensitive_false] try: ssh = SSHClient(multihost.master[0].sys_hostname, From 604876b498bd53d30f8eac36331b3cc538643854 Mon Sep 17 00:00:00 2001 From: "Niranjan M.R" <mrniran...@redhat.com> Date: Tue, 16 Oct 2018 16:45:31 +0530 Subject: [PATCH 4/6] pytest/sudo: Add 2 fixtures set_entry_cache_timeout and generic_sudorule set_entry_cache_timeout: this fixture adds entry_cache_timeout to domain sections of sssd.conf. generic_sudorule: Adds a generic sudo rule to access /usr/bin/less Signed-off-by: Niranjan M.R <mrniran...@redhat.com> --- src/tests/multihost/basic/conftest.py | 54 +++++++++++++++++++++++++++ 1 file changed, 54 insertions(+) diff --git a/src/tests/multihost/basic/conftest.py b/src/tests/multihost/basic/conftest.py index cfc35d527a..94b58f7a4e 100644 --- a/src/tests/multihost/basic/conftest.py +++ b/src/tests/multihost/basic/conftest.py 
@@ -220,6 +220,60 @@ def restore_sssd(): request.addfinalizer(restore_sssd) +@pytest.fixture +def set_entry_cache_timeout(session_multihost, request): + """ Set case_sensitive to false in sssd domain section """ + bkup_sssd = 'cp -f /etc/sssd/sssd.conf /etc/sssd/sssd.conf.orig' + session_multihost.master[0].run_command(bkup_sssd) + session_multihost.master[0].transport.get_file('/etc/sssd/sssd.conf', + '/tmp/sssd.conf') + sssdconfig = ConfigParser.ConfigParser() + sssdconfig.read('/tmp/sssd.conf') + domain_section = "%s/%s" % ('domain', 'EXAMPLE.TEST') + if domain_section in sssdconfig.sections(): + sssdconfig.set(domain_section, 'entry_cache_sudo_timeout', '30') + with open('/tmp/sssd.conf', "w") as sssconf: + sssdconfig.write(sssconf) + session_multihost.master[0].transport.put_file('/tmp/sssd.conf', + '/etc/sssd/sssd.conf') + session_multihost.master[0].service_sssd('restart') + + def restore_sssd(): + """ Restore sssd.conf """ + restore_sssd = 'cp -f /etc/sssd/sssd.conf.orig /etc/sssd/sssd.conf' + session_multihost.master[0].run_command(restore_sssd) + session_multihost.master[0].service_sssd('restart') + time.sleep(5) + request.addfinalizer(restore_sssd) + + +@pytest.fixture +def generic_sudorule(session_multihost, request): + """ Create a generic sudo rule """ + ldap_uri = 'ldap://%s' % (session_multihost.master[0].sys_hostname) + ds_rootdn = 'cn=Directory Manager' + ds_rootpw = 'Secret123' + ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw) + ldap_inst.org_unit('sudoers', 'dc=example,dc=test') + sudo_ou = 'ou=sudoers,dc=example,dc=test' + rule_dn1 = "%s,%s" % ('cn=lessrule', sudo_ou) + sudo_options = ["!requiretty", "!authenticate"] + try: + ldap_inst.add_sudo_rule(rule_dn1, 'ALL', + '/usr/bin/less', 'foo1', + sudo_options) + except LdapException: + pytest.fail("Failed to add sudo rule %s" % rule_dn1) + + def del_sudo_rule(): + """ Delete sudo rule """ + (ret, _) = ldap_inst.del_dn(rule_dn1) + assert ret == 'Success' + (ret, _) = 
ldap_inst.del_dn(sudo_ou) + assert ret == 'Success' + request.addfinalizer(del_sudo_rule) + + @pytest.fixture def enable_files_domain(session_multihost): """ From 7cff0800c0dade5259d064266a485c7f86c63785 Mon Sep 17 00:00:00 2001 From: "Niranjan M.R" <mrniran...@redhat.com> Date: Tue, 16 Oct 2018 18:33:24 +0530 Subject: [PATCH 5/6] pytest/sudo: Add Testcase: sssd crashes when refreshing expired sudo rules. Signed-off-by: Niranjan M.R <mrniran...@redhat.com> --- src/tests/multihost/basic/test_sudo.py | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/src/tests/multihost/basic/test_sudo.py b/src/tests/multihost/basic/test_sudo.py index af9b7a8e87..065319b1c4 100644 --- a/src/tests/multihost/basic/test_sudo.py +++ b/src/tests/multihost/basic/test_sudo.py @@ -2,6 +2,7 @@ from sssd.testlib.common.utils import SSHClient import paramiko import pytest +import time class TestSanitySudo(object): @@ -29,3 +30,27 @@ def test_case_senitivity(self, multihost, case_sensitive_sudorule, assert '/usr/bin/less\n' in result assert '/usr/bin/more\n' in result ssh.close() + + def test_refresh_expired_rule(self, multihost, + enable_sss_sudo_nsswitch, + generic_sudorule, + set_entry_cache_timeout): + """ Verify refreshing expired sudo rules doesn't crash sssd_sudo """ + # pylint: disable=unused-argument + _pytest_fixtures = [enable_sss_sudo_nsswitch, generic_sudorule, + set_entry_cache_timeout] + try: + ssh = SSHClient(multihost.master[0].sys_hostname, + username='foo1', password='Secret123') + except paramiko.ssh_exception.AuthenticationException: + pytest.fail("%s failed to login" % 'foo1') + else: + print("Executing %s command as %s user" % ('sudo -l', 'foo1')) + (_, _, exit_status) = ssh.execute_cmd('sudo -l') + assert exit_status == 0 + time.sleep(30) + if exit_status != 0: + journalctl_cmd = 'journalctl -x -n 100 --no-pager' + multihost.master[0].run_command(journalctl_cmd) + pytest.fail("%s cmd failed for user %s" % ('sudo -l', 'foo1')) + ssh.close() 
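Review bot: set_entry_cache_timeout writes its backup to the same `/etc/sssd/sssd.conf.orig` and stages through the same `/tmp/sssd.conf` as set_case_sensitive_false, so a test that requests both fixtures would have the second backup capture the already modified file and neither finalizer could restore the real original. A per-fixture backup name, for example `bkup_sssd = 'cp -f /etc/sssd/sssd.conf /etc/sssd/sssd.conf.cache_timeout.orig'` with the matching restore command, avoids that. The fixed `/tmp/sssd.conf` is also a predictable location for a copy of sssd.conf on the machine running pytest; the `tmpdir` fixture that enable_sss_sudo_nsswitch already takes would give a private one. The docstring is copied from the other fixture and should read `""" Set entry_cache_sudo_timeout to 30 in sssd domain section """`.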
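Review bot: test_refresh_expired_rule never runs `sudo -l` again after `time.sleep(30)`, so the refresh of an expired rule that the test is named for is not exercised, and the `if exit_status != 0:` branch is unreachable because `assert exit_status == 0` has already either passed or aborted the test. A second `(_, _, exit_status) = ssh.execute_cmd('sudo -l')` after the sleep, with the check moved below it, makes the journalctl capture and the `pytest.fail` reachable. The wait equals the `entry_cache_sudo_timeout` of 30 set by the fixture, so a small margin such as `time.sleep(35)` would make expiry certain. `ssh.close()` is skipped when the test fails; a `try`/`finally` around the body would release the session.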
From c323e90c951e71318e03188332c9fc922fe190e5 Mon Sep 17 00:00:00 2001 From: "Niranjan M.R" <mrniran...@redhat.com> Date: Tue, 16 Oct 2018 19:42:15 +0530 Subject: [PATCH 6/6] pytest: use ConfigParser() instead of SafeConfigParser() fix the warnings of SafeConfigParser being deprectated. Signed-off-by: Niranjan M.R <mrniran...@redhat.com> --- src/tests/multihost/basic/conftest.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/tests/multihost/basic/conftest.py b/src/tests/multihost/basic/conftest.py index 94b58f7a4e..d7e0851700 100644 --- a/src/tests/multihost/basic/conftest.py +++ b/src/tests/multihost/basic/conftest.py @@ -102,7 +102,7 @@ def setup_sssd(session_multihost, request): ldap_uri = 'ldap://%s' % (session_multihost.master[0].sys_hostname) krb5_server = session_multihost.master[0].sys_hostname cacert_loc = '/etc/openldap/cacerts/cacert.pem' - sssdConfig = ConfigParser.SafeConfigParser() + sssdConfig = ConfigParser.ConfigParser() sssdConfig.optionxform = str sssdConfig.add_section('sssd') sssdConfig.set('sssd', 'domains', 'EXAMPLE.TEST') @@ -200,7 +200,7 @@ def set_case_sensitive_false(session_multihost, request): session_multihost.master[0].run_command(bkup_sssd) session_multihost.master[0].transport.get_file('/etc/sssd/sssd.conf', '/tmp/sssd.conf') - sssdconfig = ConfigParser.SafeConfigParser() + sssdconfig = ConfigParser.ConfigParser() sssdconfig.read('/tmp/sssd.conf') domain_section = "%s/%s" % ('domain', 'EXAMPLE.TEST') if domain_section in sssdconfig.sections():