URL: https://github.com/SSSD/sssd/pull/5830
Author: aborah-sudo
 Title: #5830: Tests: Port the old ns_account_lock.sh script to pytest
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5830/head:pr5830
git checkout pr5830
From 374afd4e636b6576eba6f8dec727249c95229309 Mon Sep 17 00:00:00 2001
From: Anuj Borah <abo...@redhat.com>
Date: Tue, 19 Oct 2021 00:18:27 +0530
Subject: [PATCH] Tests: Port the old ns_account_lock.sh script to pytest

Port the old ns_account_lock.sh script to pytest
---
 src/tests/multihost/alltests/pytest.ini       |   1 +
 src/tests/multihost/alltests/readme.rst       |   1 +
 .../alltests/test_ns_account_lock.py          | 413 ++++++++++++++++++
 3 files changed, 415 insertions(+)
 create mode 100644 src/tests/multihost/alltests/test_ns_account_lock.py

diff --git a/src/tests/multihost/alltests/pytest.ini b/src/tests/multihost/alltests/pytest.ini
index 66519e8003..8702cf9b8d 100644
--- a/src/tests/multihost/alltests/pytest.ini
+++ b/src/tests/multihost/alltests/pytest.ini
@@ -11,6 +11,7 @@ markers =
     ldapextraattrs: Tests related to Ldap Extra attributes
     multidomain: Tests related to SSSD Multiple Domains
     netgroup: Tests related to netgroup
+    nsaccountlock: Tests related to nsaccountlock
     offline: Tests related to ldap offline suite
     services: Tests related to SSSD sanity services
     sssctl: Tests related to sssctl tool
diff --git a/src/tests/multihost/alltests/readme.rst b/src/tests/multihost/alltests/readme.rst
index dd750b358a..3fab51efe4 100644
--- a/src/tests/multihost/alltests/readme.rst
+++ b/src/tests/multihost/alltests/readme.rst
@@ -22,6 +22,7 @@ Following are the pytest markers used
 * ldapextraattrs: Tests related to Ldap Extra attributes
 * multidomain: Tests related to SSSD Multiple Domains
 * netgroup: Tests related to netgroup
+* nsaccountlock: Tests related to nsaccountlock
 * offline: Tests related to ldap offline suite
 * services: Tests related to SSSD sanity services
 * sssctl: Tests related to sssctl tool
diff --git a/src/tests/multihost/alltests/test_ns_account_lock.py b/src/tests/multihost/alltests/test_ns_account_lock.py
new file mode 100644
index 0000000000..09af5e1aec
--- /dev/null
+++ b/src/tests/multihost/alltests/test_ns_account_lock.py
@@ -0,0 +1,413 @@
+""" Automation of nsaccount lock
+
+:subsystemteam: sst_idm_sssd
+:upstream: yes
+"""
+
+from __future__ import print_function
+import re
+import pytest
+import threading
+import time
+import paramiko
+import subprocess
+from sssd.testlib.common.expect import pexpect_ssh
+from sssd.testlib.common.exceptions import SSHLoginException
+from sssd.testlib.common.utils import sssdTools, LdapOperations
+from sssd.testlib.common.utils import SSHClient
+import ldap
+
+
+def execute_cmd(multihost, command):
+    """ Execute command on client """
+    cmd = multihost.client[0].run_command(command)
+    return cmd
+
+
+def lock_check(multihost, user):
+    "Check if user is locked"
+    assert f"Performing RHDS access check for user" \
+           f" [{user}@example1]" \
+           in execute_cmd(multihost,
+                          'grep "Performing RHDS'
+                          ' access check for user"'
+                          ' /var/log/sssd/*').stdout_text
+    assert "pam_sss(sshd:account): system info:" \
+           " [The user account is locked on the server]" \
+           in execute_cmd(multihost,
+                          'grep "pam_sss(sshd:account): '
+                          'system info" /var/log/secure*').stdout_text
+    assert f"pam_sss(sshd:account):" \
+           f" Access denied for user" \
+           f" {user}@example1: 6 (Permission denied)"\
+           in execute_cmd(multihost, 'grep '
+                                     '"Access denied '
+                                     'for user" '
+                                     '/var/log/secure*').stdout_text
+
+
+def unlock_check(multihost, user):
+    "Check if user is unlocked"
+    assert f"Performing RHDS access " \
+           f"check for user [{user}@example1]" \
+           in execute_cmd(multihost,
+                          'grep "Performing RHDS '
+                          'access check for user"'
+                          ' /var/log/sssd/*').stdout_text
+    assert f"{user}@example1" in \
+           execute_cmd(multihost,
+                       'grep "is not locked." '
+                       '/var/log/sssd/*').stdout_text
+
+
+def manage_user_roles(multihost, user, lock, type1):
+    "Manage users and roles"
+    master_e = multihost.master[0].ip
+    assert f"Entry {user},ou=people," \
+           f"dc=example,dc=test is {lock}" in \
+           execute_cmd(multihost, f"dsidm "
+                                  f"ldap://{master_e}:389 -D"
+                                  f" 'cn=Directory Manager'"
+                                  f" -w Secret123 -b dc=example,"
+                                  f"dc=test {type1}"
+                                  f" {lock} {user},ou=people,"
+                                  f"dc=example,dc=test").stdout_text
+
+
+def clean_sys(multihost):
+    "Clean logs and restart"
+    execute_cmd(multihost, "rm -vf /var/log/sssd/*")
+    execute_cmd(multihost, "> /var/log/secure")
+    execute_cmd(multihost, "systemctl restart sssd")
+
+
+@pytest.mark.usefixtures('setup_sssd_krb', 'create_posix_usersgroups')
+@pytest.mark.nsaccountlock
+class TestNsAccountLock(object):
+    """
+    This is for misc bugs automation
+    """
+    @pytest.mark.tier1_2
+    def test_user_inactivated_locked(self, multihost):
+        """
+        :title: User is inactivated or locked
+        :id: 5787bb3e-3045-11ec-8da7-845cf3eff344
+        """
+        client_e = multihost.client[0].ip
+        tools = sssdTools(multihost.client[0])
+        domain_name = tools.get_domain_section_name()
+        client = sssdTools(multihost.client[0])
+        domain_params = {'cache_credentials': 'true',
+                         'enumerate': 'true',
+                         'access_provider': 'ldap',
+                         'ldap_access_order': 'expire',
+                         'ldap_account_expire_policy': '389DS',
+                         'ldap_ns_account_lock': 'nsAccountlock'}
+        client.sssd_conf(f'domain/{domain_name}', domain_params)
+        domain_params = {'reconnection_retries': '3'}
+        client.sssd_conf('pam', domain_params)
+        domain_params = {'filter_groups': 'root',
+                         'filter_users': 'root',
+                         'reconnection_retries': '3',
+                         'debug_level': '9'}
+        client.sssd_conf('nss', domain_params)
+        multihost.client[0].service_sssd('restart')
+        assert "foo1@example1" in \
+               execute_cmd(multihost, "getent -s sss passwd"
+                                      " foo1@example1").stdout_text
+        assert "ldapusers@example1" in \
+               execute_cmd(multihost, "getent -s sss group "
+                                      "ldapusers@example1").stdout_text
+        manage_user_roles(multihost, "uid=foo1", "lock", "account")
+        with pytest.raises(paramiko.ssh_exception.AuthenticationException):
+            SSHClient(client_e,
+                      username="foo1@example1",
+                      password="Secret123")
+        time.sleep(3)
+        lock_check(multihost, "foo1")
+
+    @pytest.mark.tier1_2
+    def test_user_activated_unlocked(self, multihost):
+        """
+        title: User is activated or unlocked
+        :id: 538b0c34-3045-11ec-8c52-845cf3eff344
+        """
+        clean_sys(multihost)
+        client_e = multihost.client[0].ip
+        manage_user_roles(multihost, "uid=foo1", "unlock", "account")
+        ssh1 = SSHClient(client_e,
+                         username="foo1@example1",
+                         password="Secret123")
+        ssh1.close()
+        time.sleep(3)
+        unlock_check(multihost, "foo1")
+
+    @pytest.mark.tier1_2
+    def test_inactive_managed_roles(self, multihost):
+        """
+        title: Inactive managed roles
+        :id: 4f685ee0-3045-11ec-b3f8-845cf3eff344
+        """
+        clean_sys(multihost)
+        client_e = multihost.client[0].ip
+        master_e = multihost.master[0].ip
+        ldap_uri = f'ldap://{master_e}'
+        ds_rootdn = 'cn=Directory Manager'
+        ds_rootpw = 'Secret123'
+        ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw)
+        user_info = {'cn': 'managed'.encode('utf-8'),
+                     'objectClass': [b'top', b'LdapSubEntry',
+                                     b'nsRoleDefinition',
+                                     b'nsSimpleRoleDefinition',
+                                     b'nsManagedRoleDefinition']}
+        user_dn = 'cn=managed,ou=People,dc=example,dc=test'
+        (_, _) = ldap_inst.add_entry(user_info, user_dn)
+        user_dn = 'uid=foo1,ou=People,dc=example,dc=test'
+        role_dn = "cn=managed,ou=people,dc=example,dc=test"
+        add_member = [(ldap.MOD_ADD, 'nsRoleDN', role_dn.encode('utf-8'))]
+        (ret, _) = ldap_inst.modify_ldap(user_dn, add_member)
+        assert ret == 'Success'
+        manage_user_roles(multihost, "cn=managed", "lock", "role")
+        with pytest.raises(paramiko.ssh_exception.AuthenticationException):
+            SSHClient(client_e,
+                      username="foo1@example1",
+                      password="Secret123")
+        time.sleep(3)
+        lock_check(multihost, "foo1")
+
+    @pytest.mark.tier1_2
+    def test_user_added_inactive_managed_roles(self, multihost):
+        """
+        title: User added to the above inactive managed role
+        :id: 4b5541c4-3045-11ec-8cb9-845cf3eff344
+        """
+        clean_sys(multihost)
+        client_e = multihost.client[0].ip
+        master_e = multihost.master[0].ip
+        ldap_uri = f'ldap://{master_e}'
+        ds_rootdn = 'cn=Directory Manager'
+        ds_rootpw = 'Secret123'
+        ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw)
+        user_dn = 'uid=foo2,ou=People,dc=example,dc=test'
+        role_dn = "cn=managed,ou=people,dc=example,dc=test"
+        add_member = [(ldap.MOD_ADD, 'nsRoleDN', role_dn.encode('utf-8'))]
+        (ret, _) = ldap_inst.modify_ldap(user_dn, add_member)
+        assert ret == 'Success'
+        with pytest.raises(paramiko.ssh_exception.AuthenticationException):
+            SSHClient(client_e,
+                      username="foo2@example1",
+                      password="Secret123")
+        time.sleep(3)
+        lock_check(multihost, "foo2")
+
+    @pytest.mark.tier1_2
+    def test_user_removed_inactive_managed_roles(self, multihost):
+        """
+        title: User removed from the above inactive managed role
+        :id: 46a34a18-3045-11ec-953d-845cf3eff344
+        """
+        clean_sys(multihost)
+        client_e = multihost.client[0].ip
+        master_e = multihost.master[0].ip
+        ldap_uri = f'ldap://{master_e}'
+        ds_rootdn = 'cn=Directory Manager'
+        ds_rootpw = 'Secret123'
+        ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw)
+        user_dn = 'uid=foo2,ou=People,dc=example,dc=test'
+        role_dn = "cn=managed,ou=people,dc=example,dc=test"
+        add_member = [(ldap.MOD_DELETE, 'nsRoleDN', role_dn.encode('utf-8'))]
+        (ret, _) = ldap_inst.modify_ldap(user_dn, add_member)
+        assert ret == 'Success'
+        ssh1 = SSHClient(client_e,
+                         username="foo2@example1",
+                         password="Secret123")
+        ssh1.close()
+        time.sleep(3)
+        unlock_check(multihost, "foo2")
+
+    @pytest.mark.tier1_2
+    def test_role_activated_unlocked(self, multihost):
+        """
+        title: Activate managed role
+        :id: ce14c7da-309d-11ec-a6f2-845cf3eff344
+        """
+        clean_sys(multihost)
+        client_e = multihost.client[0].ip
+        manage_user_roles(multihost, "cn=managed", "unlock", "role")
+        ssh1 = SSHClient(client_e,
+                         username="foo1@example1",
+                         password="Secret123")
+        ssh1.close()
+        time.sleep(3)
+        unlock_check(multihost, "foo1")
+
+    @pytest.mark.tier1_2
+    def test_inactivated_filtered_roles(self, multihost):
+        """
+        title: Inactivated filtered roles
+        :id: 4286dac6-3045-11ec-8fd0-845cf3eff344
+        """
+        clean_sys(multihost)
+        client_e = multihost.client[0].ip
+        master_e = multihost.master[0].ip
+        ldap_uri = f'ldap://{master_e}'
+        ds_rootdn = 'cn=Directory Manager'
+        ds_rootpw = 'Secret123'
+        ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw)
+        user_info = {'cn': 'filtered'.encode('utf-8'),
+                     'objectClass': [b'top', b'LdapSubEntry',
+                                     b'nsRoleDefinition',
+                                     b'nsComplexRoleDefinition',
+                                     b'nsFilteredRoleDefinition'],
+                     'nsRoleFilter': 'o=filtered'.encode('utf-8'),
+                     'Description': 'filtered role'.encode('utf-8')}
+        user_dn = 'cn=filtered,ou=People,dc=example,dc=test'
+        (_, _) = ldap_inst.add_entry(user_info, user_dn)
+        user_dn = 'uid=foo3,ou=People,dc=example,dc=test'
+        role_dn = "filtered"
+        add_member = [(ldap.MOD_ADD, 'o', role_dn.encode('utf-8'))]
+        (ret, _) = ldap_inst.modify_ldap(user_dn, add_member)
+        assert ret == 'Success'
+        manage_user_roles(multihost, "cn=filtered", "lock", "role")
+        with pytest.raises(paramiko.ssh_exception.AuthenticationException):
+            SSHClient(client_e,
+                      username="foo3@example1",
+                      password="Secret123")
+        time.sleep(3)
+        lock_check(multihost, "foo3")
+
+    @pytest.mark.tier1_2
+    def test_user_added_inactive_filtered_role(self, multihost):
+        """
+        title: User added to the above inactive filtered role
+        :id: 3e1abea8-3045-11ec-a802-845cf3eff344
+        """
+        clean_sys(multihost)
+        client_e = multihost.client[0].ip
+        master_e = multihost.master[0].ip
+        ldap_uri = f'ldap://{master_e}'
+        ds_rootdn = 'cn=Directory Manager'
+        ds_rootpw = 'Secret123'
+        ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw)
+        user_dn = 'uid=foo4,ou=People,dc=example,dc=test'
+        role_dn = "filtered"
+        add_member = [(ldap.MOD_ADD, 'o', role_dn.encode('utf-8'))]
+        (ret, _) = ldap_inst.modify_ldap(user_dn, add_member)
+        assert ret == 'Success'
+        with pytest.raises(paramiko.ssh_exception.AuthenticationException):
+            SSHClient(client_e,
+                      username="foo4@example1",
+                      password="Secret123")
+        time.sleep(3)
+        lock_check(multihost, "foo4")
+
+    @pytest.mark.tier1_2
+    def test_user_removed_inactive_filtered_roles(self, multihost):
+        """
+        title: User removed from the above inactive filtered role
+        :id: 39f59f3c-3045-11ec-8388-845cf3eff344
+        """
+        clean_sys(multihost)
+        client_e = multihost.client[0].ip
+        master_e = multihost.master[0].ip
+        ldap_uri = f'ldap://{master_e}'
+        ds_rootdn = 'cn=Directory Manager'
+        ds_rootpw = 'Secret123'
+        ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw)
+        user_dn = 'uid=foo3,ou=People,dc=example,dc=test'
+        role_dn = "filtered"
+        add_member = [(ldap.MOD_DELETE, 'o', role_dn.encode('utf-8'))]
+        (ret, _) = ldap_inst.modify_ldap(user_dn, add_member)
+        assert ret == 'Success'
+        ssh1 = SSHClient(client_e,
+                         username="foo3@example1",
+                         password="Secret123")
+        ssh1.close()
+        time.sleep(3)
+        unlock_check(multihost, "foo3")
+
+    @pytest.mark.tier1_2
+    def test_active_filtered_roles(self, multihost):
+        """
+        title: Activate filtered role
+        :id: 3583f0e8-3045-11ec-9bab-845cf3eff344
+        """
+        clean_sys(multihost)
+        client_e = multihost.client[0].ip
+        master_e = multihost.master[0].ip
+        manage_user_roles(multihost, "cn=filtered", "unlock", "role")
+        ssh1 = SSHClient(client_e,
+                         username="foo4@example1",
+                         password="Secret123")
+        ssh1.close()
+        time.sleep(3)
+        unlock_check(multihost, "foo4")
+
+    @pytest.mark.tier1_2
+    def test_nested_role_inactivated(self, multihost):
+        """
+        title: Nested role has both the above roles and inactivated
+        :id: 312e42c8-3045-11ec-88d4-845cf3eff344
+        """
+        clean_sys(multihost)
+        client_e = multihost.client[0].ip
+        master_e = multihost.master[0].ip
+        ldap_uri = f'ldap://{master_e}'
+        ds_rootdn = 'cn=Directory Manager'
+        ds_rootpw = 'Secret123'
+        ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw)
+        user_info = {'cn': 'nested'.encode('utf-8'),
+                     'objectClass': [b'top',
+                                     b'LdapSubEntry',
+                                     b'nsRoleDefinition',
+                                     b'nsComplexRoleDefinition',
+                                     b'nsNestedRoleDefinition'],
+                     'nsRoleDN': [b'cn=filtered,ou=people,'
+                                  b'dc=example,dc=test',
+                                  b'cn=managed,ou=people,'
+                                  b'dc=example,dc=test']}
+        user_dn = 'cn=nested,ou=People,dc=example,dc=test'
+        (_, _) = ldap_inst.add_entry(user_info, user_dn)
+        manage_user_roles(multihost, "cn=nested", "lock", "role")
+        with pytest.raises(paramiko.ssh_exception.AuthenticationException):
+            SSHClient(client_e,
+                      username="foo1@example1",
+                      password="Secret123")
+        time.sleep(3)
+        lock_check(multihost, "foo1")
+        with pytest.raises(paramiko.ssh_exception.AuthenticationException):
+            SSHClient(client_e,
+                      username="foo4@example1",
+                      password="Secret123")
+        time.sleep(3)
+        lock_check(multihost, "foo4")
+
+    @pytest.mark.tier1_2
+    def test_nested_role_activated(self, multihost):
+        """
+        title: Nested role has both the above roles and activated
+        :id: 2be97436-3045-11ec-9f40-845cf3eff344
+        """
+        clean_sys(multihost)
+        client_e = multihost.client[0].ip
+        master_e = multihost.master[0].ip
+        ldap_uri = f'ldap://{master_e}'
+        ds_rootdn = 'cn=Directory Manager'
+        ds_rootpw = 'Secret123'
+        ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw)
+        manage_user_roles(multihost, "cn=nested", "unlock", "role")
+        ssh1 = SSHClient(client_e,
+                         username="foo1@example1",
+                         password="Secret123")
+        ssh1.close()
+        ssh1 = SSHClient(client_e,
+                         username="foo4@example1",
+                         password="Secret123")
+        ssh1.close()
+        time.sleep(3)
+        unlock_check(multihost, "foo1")
+        unlock_check(multihost, "foo4")
+        for i in ['cn=managed,ou=people,dc=example,dc=test',
+                  'cn=filtered,ou=people,dc=example,dc=test',
+                  'cn=nested,ou=People,dc=example,dc=test']:
+            ldap_inst.del_dn(i)
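Review bot: `test_user_inactivated_locked` is the only test that never calls `clean_sys` before `lock_check`, so its `grep` over `/var/log/sssd/*` and `/var/log/secure*` can be satisfied by lines left behind by an earlier run rather than by this lock; add `clean_sys(multihost)` after the `service_sssd('restart')` call, or move the log reset into the fixture every test already uses. The results of the three `(_, _) = ldap_inst.add_entry(user_info, user_dn)` calls are discarded while every `modify_ldap` result is checked with `assert ret == 'Success'`; if `add_entry` returns the same tuple, assert it the same way so a failed role creation fails at its cause instead of at a later SSH step. Cleanup of the `managed`, `filtered` and `nested` role entries happens only at the end of `test_nested_role_activated`, and the `nsRoleDN` added to foo1 and the `o=filtered` attribute added to foo4 are never removed, so a failure mid-suite leaves directory state that changes what the next run observes; a class-scoped fixture with a finalizer would make the teardown unconditional. `manage_user_roles` passes the Directory Manager password to `dsidm` with `-w`, which puts it in the client's process list and in the captured command line of every run; even for a fixed test credential, the password-file option is preferable if the `dsidm` in use supports it. Minor: `re`, `threading`, `subprocess`, `pexpect_ssh` and `SSHLoginException` are imported but unused, `tools` and `client` in the first test are the same `sssdTools` object created twice, and every docstring after the first writes `title:` instead of `:title:`, which the metadata parser will most likely not recognise as a field.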