URL: https://github.com/SSSD/sssd/pull/5761
Author: shridhargadekar
 Title: #5761: Tests: Randomize sudo refresh timeouts
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5761/head:pr5761
git checkout pr5761
From 7a7c072cec4fa76725333fe98aac09cef38a7421 Mon Sep 17 00:00:00 2001
From: Shridhar Gadekar <sgade...@sgadekar.pnq.csb>
Date: Wed, 25 Aug 2021 23:31:50 +0530
Subject: [PATCH] Tests: Randomize sudo refresh timeouts

Verifies: #5609

Bugzilla: @pytest.fixture(scope='function')

Signed-off-by: Shridhar Gadekar <sgade...@sgadekar.pnq.csb>
---
 src/tests/multihost/alltests/conftest.py  | 37 ++++++++++++
 src/tests/multihost/alltests/test_sudo.py | 73 ++++++++++++++++++++++-
 2 files changed, 109 insertions(+), 1 deletion(-)

diff --git a/src/tests/multihost/alltests/conftest.py b/src/tests/multihost/alltests/conftest.py
index 3996459632..fa97ac5d61 100644
--- a/src/tests/multihost/alltests/conftest.py
+++ b/src/tests/multihost/alltests/conftest.py
@@ -395,6 +395,43 @@ def restore_sssd_conf():
     request.addfinalizer(restore_sssd_conf)
 
 
+@pytest.fixture(scope='function')
+def sudo_rule(session_multihost, request):
+    """ Create sudoers ldap entries """
+    ldap_uri = 'ldap://%s' % (session_multihost.master[0].sys_hostname)
+    sudo_ou = 'ou=sudoers, %s' % ds_suffix
+    ds_rootdn = 'cn=Directory Manager'
+    ds_rootpw = 'Secret123'
+    ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw)
+    try:
+        ldap_inst.org_unit('sudoers', ds_suffix)
+    except LdapException:
+        pytest.fail("already exist or failed to add sudo ou ")
+    sudo_options = ["!requiretty", "!authenticate"]
+    sudo_cmd = '/usr/bin/head'
+    sudo_user = 'foo1'
+    rule_dn = "cn=%s, %s" % (sudo_cmd, sudo_ou)
+    try:
+        ldap_inst.add_sudo_rule(rule_dn, 'ALL', '/usr/bin/head',
+                                sudo_user, sudo_options)
+    except LdapException:
+        pytest.fail("Failed to add sudo rule %s" % rule_dn)
+    else:
+        extra_user = 'foo2'
+        add_extra = [(ldap.MOD_ADD,  'sudoUser',
+                     extra_user.encode('utf-8'))]
+        (ret, _) = ldap_inst.modify_ldap(rule_dn, add_extra)
+        assert ret == 'Success'
+
+    def del_sudo_rule():
+        """ Delete sudo rule  """
+        rule_dn = 'cn=%s,%s' % (sudo_cmd, sudo_ou)
+        (_, _) = ldap_inst.del_dn(rule_dn)
+        (ret, _) = ldap_inst.del_dn(sudo_ou)
+        assert ret == 'Success'
+    request.addfinalizer(del_sudo_rule)
+
+
 testdata = [
     [(datetime.today() - timedelta(days=1)).strftime('%Y%m%d%H') + 'Z',
      'sudoNotBefore'],
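Review bot: In `sudo_rule`, `request.addfinalizer(del_sudo_rule)` is registered only after every setup step has succeeded. If `add_sudo_rule` raises or the `assert ret == 'Success'` after `modify_ldap` trips, nothing removes `ou=sudoers`, and a rule carrying `!authenticate` for host `ALL` can stay on the shared directory server, where the next run then fails at the `org_unit` step. Define and register the finalizer before the `add_sudo_rule` call, once `rule_dn` is set, so cleanup runs on every exit path. The finalizer also rebuilds the DN with a different separator (`'cn=%s,%s'` against `"cn=%s, %s"` in setup); reuse the outer `rule_dn` so the entry deleted is the one that was created.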
diff --git a/src/tests/multihost/alltests/test_sudo.py b/src/tests/multihost/alltests/test_sudo.py
index 271d9474f8..823ac3fbfe 100644
--- a/src/tests/multihost/alltests/test_sudo.py
+++ b/src/tests/multihost/alltests/test_sudo.py
@@ -4,7 +4,7 @@
 import paramiko
 from sssd.testlib.common.utils import SSHClient
 from sssd.testlib.common.utils import sssdTools
-from constants import ds_instance_name
+from constants import ds_instance_name, ds_suffix
 
 
 @pytest.mark.usefixtures('setup_sssd', 'create_posix_usersgroups',
@@ -110,3 +110,74 @@ def test_timed_sudoers_entry(self,
                 multihost.master[0].run_command(journalctl_cmd)
                 pytest.fail("%s cmd failed for user %s" % ('sudo -l', 'foo1'))
             ssh.close()
+
+    @pytest.mark.tier2
+    def test_randomize_sudo_timeout(self, multihost,
+                                    backupsssdconf, sudo_rule):
+        """
+        :title: sudo: randomize sudo refresh timeouts
+        :id: 57720975-29ba-4ed7-868a-f9b784bbfed2
+        :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1925514
+        :customerscenario: True
+        :steps:
+          1. Edit sssdconfig and specify sssd smart, full timeout option
+          2. Restart sssd with cleared logs and cache
+          3. Wait for 120 seconds
+          4. Parse logs and confirm sudo refresh timeouts are random
+        :expectedresults:
+          1. Should succeed
+          2. Should succeed
+          3. Should succeed
+          4. Should succeed
+        """
+        tools = sssdTools(multihost.client[0])
+        multihost.client[0].service_sssd('stop')
+        tools.remove_sss_cache('/var/lib/sss/db')
+        tools.remove_sss_cache('/var/log/sssd')
+        sudo_base = 'ou=sudoers,%s' % (ds_suffix)
+        sudo_uri = "ldap://%s"; % multihost.master[0].sys_hostname
+        params = {'ldap_sudo_search_base': sudo_base,
+                  'ldap_uri': sudo_uri,
+                  'sudo_provider': "ldap",
+                  'ldap_sudo_full_refresh_interval': '25',
+                  'ldap_sudo_smart_refresh_interval': '15',
+                  'ldap_sudo_random_offset': '5'}
+        domain_section = 'domain/%s' % ds_instance_name
+        tools.sssd_conf(domain_section, params, action='update')
+        section = "sssd"
+        sssd_params = {'services': 'nss, pam, sudo'}
+        tools.sssd_conf(section, sssd_params, action='update')
+        multihost.client[0].service_sssd('start')
+        time.sleep(120)
+        logfile = '/var/log/sssd/sssd_%s.log' % ds_instance_name
+        tmout_ptrn = r"(SUDO.*\:\sscheduling task \d+ seconds)"
+        regex_tmout = re.compile("%s" % tmout_ptrn)
+        smart_tmout = []
+        full_tmout = []
+        log = multihost.client[0].get_file_contents(logfile).decode('utf-8')
+        for line in log.split('\n'):
+            if line:
+                if (regex_tmout.findall(line)):
+                    rfrsh_type = regex_tmout.findall(line)[0].split()[1]
+                    timeout = regex_tmout.findall(line)[0].split()[5]
+                    if rfrsh_type == 'Smart':
+                        smart_tmout.append(timeout)
+                    elif rfrsh_type == 'Full':
+                        full_tmout.append(timeout)
+        rand_intvl, same_intvl = 0, 0
+        for timeout in smart_tmout, full_tmout:
+            index = 1
+            rand_intvl, same_intvl = 0, 0
+            while index < len(timeout):
+                if timeout[index] != timeout[index-1]:
+                    rand_intvl += 1
+                else:
+                    same_intvl += 1
+                index += 1
+            assert rand_intvl > same_intvl
+        multihost.client[0].service_sssd('stop')
+        params = {'ldap_sudo_full_refresh_interval': '25',
+                  'ldap_sudo_smart_refresh_interval': '15',
+                  'ldap_sudo_random_offset': '5'}
+        tools.sssd_conf(domain_section, params, action='delete')
+        multihost.client[0].service_sssd('start')
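Review bot: The `sudo_uri` assignment in `test_randomize_sudo_timeout` has a stray `;` between the format string and the `%` operator, which as shown is a syntax error that would keep the whole module from being collected (it may be an artifact of how the patch was rendered). It should read `sudo_uri = "ldap://%s" % multihost.master[0].sys_hostname`. Separately, the final loop asserts `rand_intvl > same_intvl` without checking that any "scheduling task" lines were matched, so an empty or single-entry list fails as `0 > 0` with no hint that the log pattern found nothing. Add `assert len(timeout) > 1, "no sudo refresh scheduling entries in %s" % logfile` before the `while` loop. The option cleanup after the loop is skipped when an assertion fails, so restoring the config presumably depends on the `backupsssdconf` fixture, which is not visible in this hunk.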