URL: https://github.com/SSSD/sssd/pull/5892 Author: jakub-vavra-cz Title: #5892: Tests: Add a test for BZ2004406 Action: synchronized
To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5892/head:pr5892 git checkout pr5892
From f68e905a5fb60c224bccdb15ab65dcbf08be3d57 Mon Sep 17 00:00:00 2001 From: Jakub Vavra <jva...@redhat.com> Date: Fri, 26 Nov 2021 07:24:15 +0100 Subject: [PATCH 1/3] Tests: Add a test for BZ2004406 Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2004406 Verifies: MR#5791 --- src/tests/multihost/ipa/test_adtrust.py | 148 +++++++++++++++++++++++- 1 file changed, 147 insertions(+), 1 deletion(-) diff --git a/src/tests/multihost/ipa/test_adtrust.py b/src/tests/multihost/ipa/test_adtrust.py index 3f2fc66c1b..7cc2d0ab46 100644 --- a/src/tests/multihost/ipa/test_adtrust.py +++ b/src/tests/multihost/ipa/test_adtrust.py @@ -6,13 +6,14 @@ :upstream: yes """ +import random import re import time import pytest import paramiko from sssd.testlib.common.utils import sssdTools from sssd.testlib.common.utils import SSHClient - +from sssd.testlib.common.utils import ADOperations @pytest.mark.usefixtures('setup_ipa_client') @pytest.mark.tier2 
@@ -379,3 +380,148 @@ def test_nss_get_by_name_with_private_group(self, multihost): assert cmd_adm.returncode == 0, 'Something wrong with setup!' assert cmd_usr.returncode == 0, \ f"pysss_nss_idmap.getsidbyname for {username} failed" + + @staticmethod + def test_idview_override_group_default(multihost, create_aduser_group): + """ + :title: IPA clients fail to resolve override group names in default + view + :id: 5ad7f363-9259-467c-a609-b8522359e5a6 + :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2004406 + :description: Overriding both group names and ids in an idview for + group from AD results in error in sssd when running id command + for IPA user that was assigned to overridden AD group via his gid. + :setup: + 1. Create group (group1) on AD. + 2. Create IPA user with gid=<GID1>. + :steps: + 1. ID views to override AD groupname and gid of group1 to <GID1> in + the 'Default Trust View'. + 2. Run an "id" command for the user. + :expectedresults: + 1. View with an override is created. + 2. Id command succeeds, group override is visible, all groups are + properly resolved. 
+ """ + (_, adgroup) = create_aduser_group + run_id = f"{random.randint(9999, 999999)}" + + domain = multihost.ad[0].domainname + + ipauser = f"ipauser_{run_id}" + + multihost.master[0].run_command(f"ipa user-add {ipauser} --first=Bob " + f"--last=Sad --gid=987654", + raiseonerr=False) + + multihost.master[0].run_command("service ipa.service restart", + raiseonerr=False) + ipa_client = sssdTools(multihost.client[0]) + ipa_client.clear_sssd_cache() + + view = 'Default Trust View' + + create_grp_override = f'ipa idoverridegroup-add "{view}" ' \ + f'{adgroup}@{domain} --group-name "borci" ' \ + f'--gid=987654' + multihost.master[0].run_command(create_grp_override, raiseonerr=False) + + ipa_client.clear_sssd_cache() + time.sleep(5) + + id_cmd = f'id {ipauser}' + cmd = multihost.client[0].run_command(id_cmd, raiseonerr=False) + + # TEARDOWN + multihost.master[0].run_command(f"ipa user-del {ipauser} ", + raiseonerr=False) + + ipa_client.clear_sssd_cache() + # Test result Evaluation + assert cmd.returncode == 0, f"User {ipauser} was not found." + assert f"borci@{domain}" in cmd.stdout_text,\ + f"Group 1 {adgroup} name was not overridden/resolved." + assert "987654" in cmd.stdout_text, "Group id was not overridden." + + @staticmethod + def test_idview_override_group_custom(multihost, create_aduser_group): + """ + :title: IPA clients fail to resolve override group names in custom view + :id: 7a0dc871-fdad-4c07-9d07-a092baa83178 + :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2004406 + :description: Overriding both user and group names and ids in + an idview for user and group from AD results in error in sssd + when running id command. + :setup: + 1. Create user and group (group1) on AD. + 2. Make AD user member of group1. + 2. Create additional group (group2) on AD. + :steps: + 1. ID views to override AD groupname and gid of group1. + 2. ID views to override AD groupname and gid of group2. + 3. ID view to override AD username, uid and gid (to gid of group2). + 4. 
Run an "id" command for the override user. + client + :expectedresults: + 1. View with an override is created. + 2. View with an override is created. + 3. User override is added to the view. + 4. Id command succeeds, group override is visible, all groups are + properly resolved. + """ + (aduser, adgroup) = create_aduser_group + + adgroup2 = f"group2_{random.randint(9999, 999999)}" + ado = ADOperations(multihost.ad[0]) + ado.create_ad_unix_group(adgroup2) + domain = multihost.ad[0].domainname + + multihost.master[0].run_command("service ipa.service restart", + raiseonerr=False) + ipa_client = sssdTools(multihost.client[0]) + ipa_client.clear_sssd_cache() + + view = f'prygl_trust_view_{random.randint(9999, 999999)}' + create_view = f'ipa idview-add {view}' + multihost.master[0].run_command(create_view, raiseonerr=False) + + create_grp_override = f'ipa idoverridegroup-add "{view}" ' \ + f'{adgroup}@{domain} --group-name "borci" ' \ + f'--gid=987654' + multihost.master[0].run_command(create_grp_override, raiseonerr=False) + + create_grp2_override = f'ipa idoverridegroup-add "{view}" ' \ + f'{adgroup2}@{domain} --group-name "magori" ' \ + f'--gid=876543' + multihost.master[0].run_command(create_grp2_override, raiseonerr=False) + + create_user_override = f'ipa idoverrideuser-add "{view}" ' \ + f'{aduser}@{domain} --login ferko ' \ + f'--uid=50001 --gidnumber=876543' + multihost.master[0].run_command(create_user_override, raiseonerr=False) + + # Apply the view on client + apply_view = f"ipa idview-apply '{view}' " \ + f"--hosts={multihost.client[0].sys_hostname}" + multihost.master[0].run_command(apply_view, raiseonerr=False) + ipa_client.clear_sssd_cache() + time.sleep(5) + + cmd = multihost.client[0].run_command(f'id ferko@{domain}', + raiseonerr=False) + + # TEARDOWN + ado.delete_ad_user_group(adgroup2) + delete_id_view = f'ipa idview-del {view}' + multihost.master[0].run_command(delete_id_view) + ipa_client.clear_sssd_cache() + # Test result Evaluation + assert 
cmd.returncode == 0, f"User {aduser} was not found." + assert f"borci@{domain}" in cmd.stdout_text,\ + f"Group 1 {adgroup} name was not overridden/resolved." + assert f"magori@{domain}" in cmd.stdout_text,\ + f"Group 2 {adgroup2} name was not overridden/resolved." + assert "987654" in cmd.stdout_text, "Group 1 id was not overridden." + assert "876543" in cmd.stdout_text, "Group 2 id was not overridden." + assert f"domain users@{domain}" in cmd.stdout_text, \ + "Group domain users is missing." From 91dca3629e26f6674e8c86ebb72d47f16a890c53 Mon Sep 17 00:00:00 2001 From: Jakub Vavra <jva...@redhat.com> Date: Fri, 10 Dec 2021 07:22:05 +0100 Subject: [PATCH 2/3] Fix test cleanup --- src/tests/multihost/ipa/test_adtrust.py | 87 ++++++++++++------------- 1 file changed, 43 insertions(+), 44 deletions(-) diff --git a/src/tests/multihost/ipa/test_adtrust.py b/src/tests/multihost/ipa/test_adtrust.py index 7cc2d0ab46..fa008da818 100644 --- a/src/tests/multihost/ipa/test_adtrust.py +++ b/src/tests/multihost/ipa/test_adtrust.py 
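Review bot: Every setup call in the two new tests (`ipa user-add`, `ipa idview-add`, the `idoverridegroup-add` / `idoverrideuser-add` calls and `ipa idview-apply`) passes `raiseonerr=False` and discards the result, so a failed setup step only surfaces later as a misleading "was not overridden" assertion. Either drop `raiseonerr=False` on the setup commands or keep the result and check it, e.g. `res = multihost.master[0].run_command(create_view, raiseonerr=False)` followed by `assert res.returncode == 0, f"idview-add failed for {view}"`. The teardown is also inline rather than in a `try`/`finally` or a fixture finalizer (`request.addfinalizer`), so any exception between setup and teardown leaves the AD group and the ID view behind on the shared hosts. In test_idview_override_group_custom the `ipa idview-del` call is the one command that does raise on error, which would hide the test result because it runs before the assertions. The unchecked-setup pattern is kept in the reworked versions of both tests in PATCH 2/3.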
@@ -404,44 +404,43 @@ def test_idview_override_group_default(multihost, create_aduser_group): properly resolved. """ (_, adgroup) = create_aduser_group - run_id = f"{random.randint(9999, 999999)}" - + run_id_int = random.randint(9999, 999999) domain = multihost.ad[0].domainname + ipauser = f"ipauser{run_id_int}" + view = 'Default Trust View' - ipauser = f"ipauser_{run_id}" - - multihost.master[0].run_command(f"ipa user-add {ipauser} --first=Bob " - f"--last=Sad --gid=987654", - raiseonerr=False) + multihost.master[0].run_command( + f"ipa user-add {ipauser} --first=Bob --last=Sad --gid=" + f"{run_id_int}", raiseonerr=False) - multihost.master[0].run_command("service ipa.service restart", - raiseonerr=False) ipa_client = sssdTools(multihost.client[0]) ipa_client.clear_sssd_cache() - view = 'Default Trust View' - create_grp_override = f'ipa idoverridegroup-add "{view}" ' \ - f'{adgroup}@{domain} --group-name "borci" ' \ - f'--gid=987654' + f'{adgroup}@{domain} --group-name "borci{run_id_int}" ' \ + f'--gid={run_id_int}' multihost.master[0].run_command(create_grp_override, raiseonerr=False) ipa_client.clear_sssd_cache() time.sleep(5) - id_cmd = f'id {ipauser}' - cmd = multihost.client[0].run_command(id_cmd, raiseonerr=False) + # Run the test part + cmd = multihost.client[0].run_command( + f'id {ipauser}', raiseonerr=False) # TEARDOWN - multihost.master[0].run_command(f"ipa user-del {ipauser} ", - raiseonerr=False) + multihost.master[0].run_command( + f"ipa user-del {ipauser} ", raiseonerr=False) + multihost.master[0].run_command( + f'ipa idoverridegroup-del "{view}" {adgroup}@{domain}', + raiseonerr=False) - ipa_client.clear_sssd_cache() # Test result Evaluation assert cmd.returncode == 0, f"User {ipauser} was not found." - assert f"borci@{domain}" in cmd.stdout_text,\ + assert f"borci{run_id_int}@{domain}" in cmd.stdout_text,\ f"Group 1 {adgroup} name was not overridden/resolved." - assert "987654" in cmd.stdout_text, "Group id was not overridden." 
+ assert f"{run_id_int+1}" in cmd.stdout_text,\ + f"Group id was not overridden to {run_id_int+1}." @staticmethod def test_idview_override_group_custom(multihost, create_aduser_group): 
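Review bot: The final assertion of test_idview_override_group_default looks for `run_id_int+1`, but the override above it is created with `--gid={run_id_int}` and the IPA user is added with that same gid, so the check does not match the value the test configured. It should read `assert f"gid={run_id_int}(" in cmd.stdout_text,\` with the message changed to `f"Group id was not overridden to {run_id_int}."`; anchoring on `gid=` also avoids a bare substring match against the other numbers and the `borci{run_id_int}` name in the `id` output. `random.randint(9999, 999999)` is now used directly as a gid, which may fall inside an ID range already allocated on the IPA or AD side, so it is worth confirming against the ranges of the test environment. The function's signature and most of its docstring are above this hunk.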
@@ -470,58 +469,58 @@ def test_idview_override_group_custom(multihost, create_aduser_group): properly resolved. """ (aduser, adgroup) = create_aduser_group - - adgroup2 = f"group2_{random.randint(9999, 999999)}" + run_id_int = random.randint(9999, 999999) + adgroup2 = f"group2_{run_id_int}" ado = ADOperations(multihost.ad[0]) ado.create_ad_unix_group(adgroup2) domain = multihost.ad[0].domainname - multihost.master[0].run_command("service ipa.service restart", - raiseonerr=False) ipa_client = sssdTools(multihost.client[0]) ipa_client.clear_sssd_cache() - view = f'prygl_trust_view_{random.randint(9999, 999999)}' + view = f'prygl_trust_view_{run_id_int}' create_view = f'ipa idview-add {view}' multihost.master[0].run_command(create_view, raiseonerr=False) create_grp_override = f'ipa idoverridegroup-add "{view}" ' \ - f'{adgroup}@{domain} --group-name "borci" ' \ - f'--gid=987654' + f'{adgroup}@{domain} --group-name ' \ + f'"borci{run_id_int}" --gid={run_id_int+1}' multihost.master[0].run_command(create_grp_override, raiseonerr=False) create_grp2_override = f'ipa idoverridegroup-add "{view}" ' \ - f'{adgroup2}@{domain} --group-name "magori" ' \ - f'--gid=876543' + f'{adgroup2}@{domain} --group-name ' \ + f'"magori{run_id_int}" --gid={run_id_int+2}' multihost.master[0].run_command(create_grp2_override, raiseonerr=False) create_user_override = f'ipa idoverrideuser-add "{view}" ' \ - f'{aduser}@{domain} --login ferko ' \ - f'--uid=50001 --gidnumber=876543' + f'{aduser}@{domain} --login ferko{run_id_int} ' \ + f'--uid=50001 --gidnumber={run_id_int+2}' multihost.master[0].run_command(create_user_override, raiseonerr=False) # Apply the view on client - apply_view = f"ipa idview-apply '{view}' " \ - f"--hosts={multihost.client[0].sys_hostname}" - multihost.master[0].run_command(apply_view, raiseonerr=False) + multihost.master[0].run_command( + f"ipa idview-apply '{view}' --hosts=" + f"{multihost.client[0].sys_hostname}", raiseonerr=False) + ipa_client.clear_sssd_cache() 
time.sleep(5) - - cmd = multihost.client[0].run_command(f'id ferko@{domain}', - raiseonerr=False) + cmd = multihost.client[0].run_command( + f'id ferko{run_id_int}@{domain}', raiseonerr=False) # TEARDOWN ado.delete_ad_user_group(adgroup2) - delete_id_view = f'ipa idview-del {view}' - multihost.master[0].run_command(delete_id_view) - ipa_client.clear_sssd_cache() + multihost.master[0].run_command( + f'ipa idview-del {view}', raiseonerr=False) + # Test result Evaluation assert cmd.returncode == 0, f"User {aduser} was not found." - assert f"borci@{domain}" in cmd.stdout_text,\ + assert f"borci{run_id_int}@{domain}" in cmd.stdout_text,\ f"Group 1 {adgroup} name was not overridden/resolved." - assert f"magori@{domain}" in cmd.stdout_text,\ + assert f"magori{run_id_int}@{domain}" in cmd.stdout_text,\ f"Group 2 {adgroup2} name was not overridden/resolved." - assert "987654" in cmd.stdout_text, "Group 1 id was not overridden." - assert "876543" in cmd.stdout_text, "Group 2 id was not overridden." + assert f"{run_id_int+1}" in cmd.stdout_text,\ + "Group 1 id was not overridden." + assert f"{run_id_int+2}" in cmd.stdout_text,\ + "Group 2 id was not overridden." assert f"domain users@{domain}" in cmd.stdout_text, \ "Group domain users is missing." From 8aad75e376ee1ae3fac765fdee2639977e6d11c2 Mon Sep 17 00:00:00 2001 From: Jakub Vavra <jva...@redhat.com> Date: Mon, 13 Dec 2021 10:59:38 +0100 Subject: [PATCH 3/3] removed unfinished test --- src/tests/multihost/ipa/test_adtrust.py | 61 ------------------------- 1 file changed, 61 deletions(-) diff --git a/src/tests/multihost/ipa/test_adtrust.py b/src/tests/multihost/ipa/test_adtrust.py index fa008da818..3515c5f5d1 100644 --- a/src/tests/multihost/ipa/test_adtrust.py +++ b/src/tests/multihost/ipa/test_adtrust.py 
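Review bot: `--uid=50001` in `create_user_override` is still hard-coded although the rest of this test now derives its names and gids from `run_id_int`, so a leftover override from an aborted run, or another object with that uid on the shared IPA server, can collide with it; deriving it the same way, e.g. `--uid={run_id_int+3}`, keeps each run self-contained. The gid assertions are bare substring tests (`f"{run_id_int+1}" in cmd.stdout_text`) that can pass on an unrelated number in the `id` output; assuming the usual `id` format, matching the id together with its name, `f"{run_id_int+1}(borci{run_id_int}@{domain})"`, ties the check to the override. The teardown also drops the `ipa_client.clear_sssd_cache()` that previously followed `ipa idview-del`, so overridden entries may stay in the client cache for later tests; please confirm that is intended. The function starts above this hunk.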
@@ -381,67 +381,6 @@ def test_nss_get_by_name_with_private_group(self, multihost): assert cmd_usr.returncode == 0, \ f"pysss_nss_idmap.getsidbyname for {username} failed" - @staticmethod - def test_idview_override_group_default(multihost, create_aduser_group): - """ - :title: IPA clients fail to resolve override group names in default - view - :id: 5ad7f363-9259-467c-a609-b8522359e5a6 - :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2004406 - :description: Overriding both group names and ids in an idview for - group from AD results in error in sssd when running id command - for IPA user that was assigned to overridden AD group via his gid. - :setup: - 1. Create group (group1) on AD. - 2. Create IPA user with gid=<GID1>. - :steps: - 1. ID views to override AD groupname and gid of group1 to <GID1> in - the 'Default Trust View'. - 2. Run an "id" command for the user. - :expectedresults: - 1. View with an override is created. - 2. Id command succeeds, group override is visible, all groups are - properly resolved. 
- """ - (_, adgroup) = create_aduser_group - run_id_int = random.randint(9999, 999999) - domain = multihost.ad[0].domainname - ipauser = f"ipauser{run_id_int}" - view = 'Default Trust View' - - multihost.master[0].run_command( - f"ipa user-add {ipauser} --first=Bob --last=Sad --gid=" - f"{run_id_int}", raiseonerr=False) - - ipa_client = sssdTools(multihost.client[0]) - ipa_client.clear_sssd_cache() - - create_grp_override = f'ipa idoverridegroup-add "{view}" ' \ - f'{adgroup}@{domain} --group-name "borci{run_id_int}" ' \ - f'--gid={run_id_int}' - multihost.master[0].run_command(create_grp_override, raiseonerr=False) - - ipa_client.clear_sssd_cache() - time.sleep(5) - - # Run the test part - cmd = multihost.client[0].run_command( - f'id {ipauser}', raiseonerr=False) - - # TEARDOWN - multihost.master[0].run_command( - f"ipa user-del {ipauser} ", raiseonerr=False) - multihost.master[0].run_command( - f'ipa idoverridegroup-del "{view}" {adgroup}@{domain}', - raiseonerr=False) - - # Test result Evaluation - assert cmd.returncode == 0, f"User {ipauser} was not found." - assert f"borci{run_id_int}@{domain}" in cmd.stdout_text,\ - f"Group 1 {adgroup} name was not overridden/resolved." - assert f"{run_id_int+1}" in cmd.stdout_text,\ - f"Group id was not overridden to {run_id_int+1}." - @staticmethod def test_idview_override_group_custom(multihost, create_aduser_group): """