URL: https://github.com/SSSD/sssd/pull/5830 Author: aborah-sudo Title: #5830: Tests: Port the old ns_account_lock.sh script to pytest Action: synchronized
To pull the PR as a Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5830/head:pr5830
git checkout pr5830
From 374afd4e636b6576eba6f8dec727249c95229309 Mon Sep 17 00:00:00 2001
From: Anuj Borah <abo...@redhat.com>
Date: Tue, 19 Oct 2021 00:18:27 +0530
Subject: [PATCH] Tests: Port the old ns_account_lock.sh script to pytest

Port the old ns_account_lock.sh script to pytest
---
 src/tests/multihost/alltests/pytest.ini | 1 +
 src/tests/multihost/alltests/readme.rst | 1 +
 .../alltests/test_ns_account_lock.py | 413 ++++++++++++++++++
 3 files changed, 415 insertions(+)
 create mode 100644 src/tests/multihost/alltests/test_ns_account_lock.py
diff --git a/src/tests/multihost/alltests/pytest.ini b/src/tests/multihost/alltests/pytest.ini
index 66519e8003..8702cf9b8d 100644
--- a/src/tests/multihost/alltests/pytest.ini
+++ b/src/tests/multihost/alltests/pytest.ini
@@ -11,6 +11,7 @@ markers =
 ldapextraattrs: Tests related to Ldap Extra attributes
 multidomain: Tests related to SSSD Multiple Domains
 netgroup: Tests related to netgroup
+ nsaccountlock: Tests related to nsaccountlock
 offline: Tests related to ldap offline suite
 services: Tests related to SSSD sanity services
 sssctl: Tests related to sssctl tool
diff --git a/src/tests/multihost/alltests/readme.rst b/src/tests/multihost/alltests/readme.rst
index dd750b358a..3fab51efe4 100644
--- a/src/tests/multihost/alltests/readme.rst
+++ b/src/tests/multihost/alltests/readme.rst
@@ -22,6 +22,7 @@ Following are the pytest markers used
 * ldapextraattrs: Tests related to Ldap Extra attributes
 * multidomain: Tests related to SSSD Multiple Domains
 * netgroup: Tests related to netgroup
+* nsaccountlock: Tests related to nsaccountlock
 * offline: Tests related to ldap offline suite
 * services: Tests related to SSSD sanity services
 * sssctl: Tests related to sssctl tool
diff --git a/src/tests/multihost/alltests/test_ns_account_lock.py b/src/tests/multihost/alltests/test_ns_account_lock.py
new file mode 100644
index 0000000000..09af5e1aec
--- /dev/null
+++ b/src/tests/multihost/alltests/test_ns_account_lock.py
@@ -0,0 +1,413 @@ +""" Automation of nsaccount lock + +:subsystemteam: sst_idm_sssd +:upstream: yes +""" + +from __future__ import print_function +import re +import pytest +import threading +import time +import paramiko +import subprocess +from sssd.testlib.common.expect import pexpect_ssh +from sssd.testlib.common.exceptions import SSHLoginException +from sssd.testlib.common.utils import sssdTools, LdapOperations +from sssd.testlib.common.utils import SSHClient +import ldap + + +def execute_cmd(multihost, command): + """ Execute command on client """ + cmd = multihost.client[0].run_command(command) + return cmd + + +def lock_check(multihost, user): + "Check if user is locked" + assert f"Performing RHDS access check for user" \ + f" [{user}@example1]" \ + in execute_cmd(multihost, + 'grep "Performing RHDS' + ' access check for user"' + ' /var/log/sssd/*').stdout_text + assert "pam_sss(sshd:account): system info:" \ + " [The user account is locked on the server]" \ + in execute_cmd(multihost, + 'grep "pam_sss(sshd:account): ' + 'system info" /var/log/secure*').stdout_text + assert f"pam_sss(sshd:account):" \ + f" Access denied for user" \ + f" {user}@example1: 6 (Permission denied)"\ + in execute_cmd(multihost, 'grep ' + '"Access denied ' + 'for user" ' + '/var/log/secure*').stdout_text + + +def unlock_check(multihost, user): + "Check if user is unlocked" + assert f"Performing RHDS access " \ + f"check for user [{user}@example1]" \ + in execute_cmd(multihost, + 'grep "Performing RHDS ' + 'access check for user"' + ' /var/log/sssd/*').stdout_text + assert f"{user}@example1" in \ + execute_cmd(multihost, + 'grep "is not locked." 
' + '/var/log/sssd/*').stdout_text + + +def manage_user_roles(multihost, user, lock, type1): + "Manage users and roles" + master_e = multihost.master[0].ip + assert f"Entry {user},ou=people," \ + f"dc=example,dc=test is {lock}" in \ + execute_cmd(multihost, f"dsidm " + f"ldap://{master_e}:389 -D" + f" 'cn=Directory Manager'" + f" -w Secret123 -b dc=example," + f"dc=test {type1}" + f" {lock} {user},ou=people," + f"dc=example,dc=test").stdout_text + + +def clean_sys(multihost): + "Clean logs and restart" + execute_cmd(multihost, "rm -vf /var/log/sssd/*") + execute_cmd(multihost, "> /var/log/secure") + execute_cmd(multihost, "systemctl restart sssd") + + +@pytest.mark.usefixtures('setup_sssd_krb', 'create_posix_usersgroups') +@pytest.mark.nsaccountlock +class TestNsAccountLock(object): + """ + This is for misc bugs automation + """ + @pytest.mark.tier1_2 + def test_user_inactivated_locked(self, multihost): + """ + :title: User is inactivated or locked + :id: 5787bb3e-3045-11ec-8da7-845cf3eff344 + """ + client_e = multihost.client[0].ip + tools = sssdTools(multihost.client[0]) + domain_name = tools.get_domain_section_name() + client = sssdTools(multihost.client[0]) + domain_params = {'cache_credentials': 'true', + 'enumerate': 'true', + 'access_provider': 'ldap', + 'ldap_access_order': 'expire', + 'ldap_account_expire_policy': '389DS', + 'ldap_ns_account_lock': 'nsAccountlock'} + client.sssd_conf(f'domain/{domain_name}', domain_params) + domain_params = {'reconnection_retries': '3'} + client.sssd_conf('pam', domain_params) + domain_params = {'filter_groups': 'root', + 'filter_users': 'root', + 'reconnection_retries': '3', + 'debug_level': '9'} + client.sssd_conf('nss', domain_params) + multihost.client[0].service_sssd('restart') + assert "foo1@example1" in \ + execute_cmd(multihost, "getent -s sss passwd" + " foo1@example1").stdout_text + assert "ldapusers@example1" in \ + execute_cmd(multihost, "getent -s sss group " + "ldapusers@example1").stdout_text + 
manage_user_roles(multihost, "uid=foo1", "lock", "account") + with pytest.raises(paramiko.ssh_exception.AuthenticationException): + SSHClient(client_e, + username="foo1@example1", + password="Secret123") + time.sleep(3) + lock_check(multihost, "foo1") + + @pytest.mark.tier1_2 + def test_user_activated_unlocked(self, multihost): + """ + title: User is activated or unlocked + :id: 538b0c34-3045-11ec-8c52-845cf3eff344 + """ + clean_sys(multihost) + client_e = multihost.client[0].ip + manage_user_roles(multihost, "uid=foo1", "unlock", "account") + ssh1 = SSHClient(client_e, + username="foo1@example1", + password="Secret123") + ssh1.close() + time.sleep(3) + unlock_check(multihost, "foo1") + + @pytest.mark.tier1_2 + def test_inactive_managed_roles(self, multihost): + """ + title: Inactive managed roles + :id: 4f685ee0-3045-11ec-b3f8-845cf3eff344 + """ + clean_sys(multihost) + client_e = multihost.client[0].ip + master_e = multihost.master[0].ip + ldap_uri = f'ldap://{master_e}' + ds_rootdn = 'cn=Directory Manager' + ds_rootpw = 'Secret123' + ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw) + user_info = {'cn': 'managed'.encode('utf-8'), + 'objectClass': [b'top', b'LdapSubEntry', + b'nsRoleDefinition', + b'nsSimpleRoleDefinition', + b'nsManagedRoleDefinition']} + user_dn = 'cn=managed,ou=People,dc=example,dc=test' + (_, _) = ldap_inst.add_entry(user_info, user_dn) + user_dn = 'uid=foo1,ou=People,dc=example,dc=test' + role_dn = "cn=managed,ou=people,dc=example,dc=test" + add_member = [(ldap.MOD_ADD, 'nsRoleDN', role_dn.encode('utf-8'))] + (ret, _) = ldap_inst.modify_ldap(user_dn, add_member) + assert ret == 'Success' + manage_user_roles(multihost, "cn=managed", "lock", "role") + with pytest.raises(paramiko.ssh_exception.AuthenticationException): + SSHClient(client_e, + username="foo1@example1", + password="Secret123") + time.sleep(3) + lock_check(multihost, "foo1") + + @pytest.mark.tier1_2 + def test_user_added_inactive_managed_roles(self, multihost): + """ + 
title: User added to the above inactive managed role + :id: 4b5541c4-3045-11ec-8cb9-845cf3eff344 + """ + clean_sys(multihost) + client_e = multihost.client[0].ip + master_e = multihost.master[0].ip + ldap_uri = f'ldap://{master_e}' + ds_rootdn = 'cn=Directory Manager' + ds_rootpw = 'Secret123' + ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw) + user_dn = 'uid=foo2,ou=People,dc=example,dc=test' + role_dn = "cn=managed,ou=people,dc=example,dc=test" + add_member = [(ldap.MOD_ADD, 'nsRoleDN', role_dn.encode('utf-8'))] + (ret, _) = ldap_inst.modify_ldap(user_dn, add_member) + assert ret == 'Success' + with pytest.raises(paramiko.ssh_exception.AuthenticationException): + SSHClient(client_e, + username="foo2@example1", + password="Secret123") + time.sleep(3) + lock_check(multihost, "foo2") + + @pytest.mark.tier1_2 + def test_user_removed_inactive_managed_roles(self, multihost): + """ + title: User removed from the above inactive managed role + :id: 46a34a18-3045-11ec-953d-845cf3eff344 + """ + clean_sys(multihost) + client_e = multihost.client[0].ip + master_e = multihost.master[0].ip + ldap_uri = f'ldap://{master_e}' + ds_rootdn = 'cn=Directory Manager' + ds_rootpw = 'Secret123' + ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw) + user_dn = 'uid=foo2,ou=People,dc=example,dc=test' + role_dn = "cn=managed,ou=people,dc=example,dc=test" + add_member = [(ldap.MOD_DELETE, 'nsRoleDN', role_dn.encode('utf-8'))] + (ret, _) = ldap_inst.modify_ldap(user_dn, add_member) + assert ret == 'Success' + ssh1 = SSHClient(client_e, + username="foo2@example1", + password="Secret123") + ssh1.close() + time.sleep(3) + unlock_check(multihost, "foo2") + + @pytest.mark.tier1_2 + def test_role_activated_unlocked(self, multihost): + """ + title: Activate managed role + :id: ce14c7da-309d-11ec-a6f2-845cf3eff344 + """ + clean_sys(multihost) + client_e = multihost.client[0].ip + manage_user_roles(multihost, "cn=managed", "unlock", "role") + ssh1 = SSHClient(client_e, + 
username="foo1@example1", + password="Secret123") + ssh1.close() + time.sleep(3) + unlock_check(multihost, "foo1") + + @pytest.mark.tier1_2 + def test_inactivated_filtered_roles(self, multihost): + """ + title: Inactivated filtered roles + :id: 4286dac6-3045-11ec-8fd0-845cf3eff344 + """ + clean_sys(multihost) + client_e = multihost.client[0].ip + master_e = multihost.master[0].ip + ldap_uri = f'ldap://{master_e}' + ds_rootdn = 'cn=Directory Manager' + ds_rootpw = 'Secret123' + ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw) + user_info = {'cn': 'filtered'.encode('utf-8'), + 'objectClass': [b'top', b'LdapSubEntry', + b'nsRoleDefinition', + b'nsComplexRoleDefinition', + b'nsFilteredRoleDefinition'], + 'nsRoleFilter': 'o=filtered'.encode('utf-8'), + 'Description': 'filtered role'.encode('utf-8')} + user_dn = 'cn=filtered,ou=People,dc=example,dc=test' + (_, _) = ldap_inst.add_entry(user_info, user_dn) + user_dn = 'uid=foo3,ou=People,dc=example,dc=test' + role_dn = "filtered" + add_member = [(ldap.MOD_ADD, 'o', role_dn.encode('utf-8'))] + (ret, _) = ldap_inst.modify_ldap(user_dn, add_member) + assert ret == 'Success' + manage_user_roles(multihost, "cn=filtered", "lock", "role") + with pytest.raises(paramiko.ssh_exception.AuthenticationException): + SSHClient(client_e, + username="foo3@example1", + password="Secret123") + time.sleep(3) + lock_check(multihost, "foo3") + + @pytest.mark.tier1_2 + def test_user_added_inactive_filtered_role(self, multihost): + """ + title: User added to the above inactive filtered role + :id: 3e1abea8-3045-11ec-a802-845cf3eff344 + """ + clean_sys(multihost) + client_e = multihost.client[0].ip + master_e = multihost.master[0].ip + ldap_uri = f'ldap://{master_e}' + ds_rootdn = 'cn=Directory Manager' + ds_rootpw = 'Secret123' + ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw) + user_dn = 'uid=foo4,ou=People,dc=example,dc=test' + role_dn = "filtered" + add_member = [(ldap.MOD_ADD, 'o', role_dn.encode('utf-8'))] + (ret, _) = 
ldap_inst.modify_ldap(user_dn, add_member) + assert ret == 'Success' + with pytest.raises(paramiko.ssh_exception.AuthenticationException): + SSHClient(client_e, + username="foo4@example1", + password="Secret123") + time.sleep(3) + lock_check(multihost, "foo4") + + @pytest.mark.tier1_2 + def test_user_removed_inactive_filtered_roles(self, multihost): + """ + title: User removed from the above inactive filtered role + :id: 39f59f3c-3045-11ec-8388-845cf3eff344 + """ + clean_sys(multihost) + client_e = multihost.client[0].ip + master_e = multihost.master[0].ip + ldap_uri = f'ldap://{master_e}' + ds_rootdn = 'cn=Directory Manager' + ds_rootpw = 'Secret123' + ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw) + user_dn = 'uid=foo3,ou=People,dc=example,dc=test' + role_dn = "filtered" + add_member = [(ldap.MOD_DELETE, 'o', role_dn.encode('utf-8'))] + (ret, _) = ldap_inst.modify_ldap(user_dn, add_member) + assert ret == 'Success' + ssh1 = SSHClient(client_e, + username="foo3@example1", + password="Secret123") + ssh1.close() + time.sleep(3) + unlock_check(multihost, "foo3") + + @pytest.mark.tier1_2 + def test_active_filtered_roles(self, multihost): + """ + title: Activate filtered role + :id: 3583f0e8-3045-11ec-9bab-845cf3eff344 + """ + clean_sys(multihost) + client_e = multihost.client[0].ip + master_e = multihost.master[0].ip + manage_user_roles(multihost, "cn=filtered", "unlock", "role") + ssh1 = SSHClient(client_e, + username="foo4@example1", + password="Secret123") + ssh1.close() + time.sleep(3) + unlock_check(multihost, "foo4") + + @pytest.mark.tier1_2 + def test_nested_role_inactivated(self, multihost): + """ + title: Nested role has both the above roles and inactivated + :id: 312e42c8-3045-11ec-88d4-845cf3eff344 + """ + clean_sys(multihost) + client_e = multihost.client[0].ip + master_e = multihost.master[0].ip + ldap_uri = f'ldap://{master_e}' + ds_rootdn = 'cn=Directory Manager' + ds_rootpw = 'Secret123' + ldap_inst = LdapOperations(ldap_uri, ds_rootdn, 
ds_rootpw) + user_info = {'cn': 'nested'.encode('utf-8'), + 'objectClass': [b'top', + b'LdapSubEntry', + b'nsRoleDefinition', + b'nsComplexRoleDefinition', + b'nsNestedRoleDefinition'], + 'nsRoleDN': [b'cn=filtered,ou=people,' + b'dc=example,dc=test', + b'cn=managed,ou=people,' + b'dc=example,dc=test']} + user_dn = 'cn=nested,ou=People,dc=example,dc=test' + (_, _) = ldap_inst.add_entry(user_info, user_dn) + manage_user_roles(multihost, "cn=nested", "lock", "role") + with pytest.raises(paramiko.ssh_exception.AuthenticationException): + SSHClient(client_e, + username="foo1@example1", + password="Secret123") + time.sleep(3) + lock_check(multihost, "foo1") + with pytest.raises(paramiko.ssh_exception.AuthenticationException): + SSHClient(client_e, + username="foo4@example1", + password="Secret123") + time.sleep(3) + lock_check(multihost, "foo4") + + @pytest.mark.tier1_2 + def test_nested_role_activated(self, multihost): + """ + title: Nested role has both the above roles and activated + :id: 2be97436-3045-11ec-9f40-845cf3eff344 + """ + clean_sys(multihost) + client_e = multihost.client[0].ip + master_e = multihost.master[0].ip + ldap_uri = f'ldap://{master_e}' + ds_rootdn = 'cn=Directory Manager' + ds_rootpw = 'Secret123' + ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw) + manage_user_roles(multihost, "cn=nested", "unlock", "role") + ssh1 = SSHClient(client_e, + username="foo1@example1", + password="Secret123") + ssh1.close() + ssh1 = SSHClient(client_e, + username="foo4@example1", + password="Secret123") + ssh1.close() + time.sleep(3) + unlock_check(multihost, "foo1") + unlock_check(multihost, "foo4") + for i in ['cn=managed,ou=people,dc=example,dc=test', + 'cn=filtered,ou=people,dc=example,dc=test', + 'cn=nested,ou=People,dc=example,dc=test']: + ldap_inst.del_dn(i)
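Review bot: `test_user_inactivated_locked` is the only test in the class that does not begin with `clean_sys(multihost)`, so the `lock_check` greps over `/var/log/sssd/*` and `/var/log/secure*` can be satisfied by lines left behind by whatever ran before it rather than by this login attempt; call `clean_sys(multihost)` after the sssd.conf sections are written (it already restarts sssd, so the separate `service_sssd('restart')` becomes redundant). In `manage_user_roles` the Directory Manager password is passed as `-w Secret123` on a `dsidm` command line executed on the client, where it is visible in process listings and command history, and the same value is repeated as `ds_rootpw` in each of the role tests; it would be better taken once from the multihost configuration, if it is available there, and handed to dsidm through a password file or prompt rather than an argument. `re`, `threading`, `subprocess`, `pexpect_ssh` and `SSHLoginException` are imported but never used. Only the first docstring uses the `:title:` field; the others write `title:` without the leading colon, which the `:id:` lines show is the intended metadata syntax. The `managed`, `filtered` and `nested` role entries are deleted only at the end of `test_nested_role_activated`, and the `nsRoleDN` added to foo1 and the `o: filtered` added to foo4 are never removed, so a failure earlier in the class leaves the directory changed for later test modules; a class-scoped fixture with teardown would make the cleanup unconditional.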