dpward / rpms / sssd

Forked from rpms/sssd 3 years ago
Clone

Blame SOURCES/0009-TESTS-Add-integration-tests-for-the-auto_private_gro.patch

9f2ebf
From 95053cd058a9045c45c59e002fd6078048fdca76 Mon Sep 17 00:00:00 2001
9f2ebf
From: Jakub Hrozek <jhrozek@redhat.com>
9f2ebf
Date: Tue, 3 Oct 2017 16:55:40 +0200
9f2ebf
Subject: [PATCH 09/21] TESTS: Add integration tests for the
9f2ebf
 auto_private_groups option
9f2ebf
MIME-Version: 1.0
9f2ebf
Content-Type: text/plain; charset=UTF-8
9f2ebf
Content-Transfer-Encoding: 8bit
9f2ebf
9f2ebf
Related:
9f2ebf
    https://pagure.io/SSSD/sssd/issue/1872
9f2ebf
9f2ebf
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
9f2ebf
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
9f2ebf
(cherry picked from commit 6c802b2009c1b6dd0c3306ba97056e64acc0ec9e)
9f2ebf
---
9f2ebf
 src/tests/intg/test_enumeration.py |  79 +++++++++++++-
9f2ebf
 src/tests/intg/test_ldap.py        | 214 +++++++++++++++++++++++++++++++++++++
9f2ebf
 2 files changed, 290 insertions(+), 3 deletions(-)
9f2ebf
9f2ebf
diff --git a/src/tests/intg/test_enumeration.py b/src/tests/intg/test_enumeration.py
9f2ebf
index fdb8d376879f756957f8f25fd28b37d7178aeff5..c7d78155c64dc6c85cb4dc070b205bdcfceff6af 100644
9f2ebf
--- a/src/tests/intg/test_enumeration.py
9f2ebf
+++ b/src/tests/intg/test_enumeration.py
9f2ebf
@@ -237,9 +237,7 @@ def sanity_rfc2307(request, ldap_conn):
9f2ebf
     create_sssd_fixture(request)
9f2ebf
     return None
9f2ebf
 
9f2ebf
-
9f2ebf
-@pytest.fixture
9f2ebf
-def sanity_rfc2307_bis(request, ldap_conn):
9f2ebf
+def populate_rfc2307bis(request, ldap_conn):
9f2ebf
     ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
9f2ebf
     ent_list.add_user("user1", 1001, 2001)
9f2ebf
     ent_list.add_user("user2", 1002, 2002)
9f2ebf
@@ -266,6 +264,11 @@ def sanity_rfc2307_bis(request, ldap_conn):
9f2ebf
                            [], ["one_user_group1", "one_user_group2"])
9f2ebf
 
9f2ebf
     create_ldap_fixture(request, ldap_conn, ent_list)
9f2ebf
+
9f2ebf
+
9f2ebf
+@pytest.fixture
9f2ebf
+def sanity_rfc2307_bis(request, ldap_conn):
9f2ebf
+    populate_rfc2307bis(request, ldap_conn)
9f2ebf
     conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS)
9f2ebf
     create_conf_fixture(request, conf)
9f2ebf
     create_sssd_fixture(request)
9f2ebf
@@ -695,3 +698,73 @@ def test_vetoed_shells(vetoed_shells):
9f2ebf
                  shell="/bin/default")
9f2ebf
         )
9f2ebf
     )
9f2ebf
+
9f2ebf
+
9f2ebf
+@pytest.fixture
9f2ebf
+def sanity_rfc2307_bis_mpg(request, ldap_conn):
9f2ebf
+    populate_rfc2307bis(request, ldap_conn)
9f2ebf
+
9f2ebf
+    ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
9f2ebf
+    ent_list.add_group_bis("conflict1", 1001)
9f2ebf
+    ent_list.add_group_bis("conflict2", 1002)
9f2ebf
+    create_ldap_fixture(request, ldap_conn, ent_list)
9f2ebf
+
9f2ebf
+    conf = \
9f2ebf
+        format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS) + \
9f2ebf
+        unindent("""
9f2ebf
+            [domain/LDAP]
9f2ebf
+            auto_private_groups = True
9f2ebf
+        """).format(**locals())
9f2ebf
+    create_conf_fixture(request, conf)
9f2ebf
+    create_sssd_fixture(request)
9f2ebf
+    return None
9f2ebf
+
9f2ebf
+
9f2ebf
+def test_ldap_auto_private_groups_enumerate(ldap_conn,
9f2ebf
+                                            sanity_rfc2307_bis_mpg):
9f2ebf
+    """
9f2ebf
+    Test the auto_private_groups together with enumeration
9f2ebf
+    """
9f2ebf
+    passwd_pattern = ent.contains_only(
9f2ebf
+        dict(name='user1', passwd='*', uid=1001, gid=1001, gecos='1001',
9f2ebf
+             dir='/home/user1', shell='/bin/bash'),
9f2ebf
+        dict(name='user2', passwd='*', uid=1002, gid=1002, gecos='1002',
9f2ebf
+             dir='/home/user2', shell='/bin/bash'),
9f2ebf
+        dict(name='user3', passwd='*', uid=1003, gid=1003, gecos='1003',
9f2ebf
+             dir='/home/user3', shell='/bin/bash')
9f2ebf
+    )
9f2ebf
+    ent.assert_passwd(passwd_pattern)
9f2ebf
+
9f2ebf
+    group_pattern = ent.contains_only(
9f2ebf
+        dict(name='user1', passwd='*', gid=1001, mem=ent.contains_only()),
9f2ebf
+        dict(name='user2', passwd='*', gid=1002, mem=ent.contains_only()),
9f2ebf
+        dict(name='user3', passwd='*', gid=1003, mem=ent.contains_only()),
9f2ebf
+        dict(name='group1', passwd='*', gid=2001, mem=ent.contains_only()),
9f2ebf
+        dict(name='group2', passwd='*', gid=2002, mem=ent.contains_only()),
9f2ebf
+        dict(name='group3', passwd='*', gid=2003, mem=ent.contains_only()),
9f2ebf
+        dict(name='empty_group1', passwd='*', gid=2010,
9f2ebf
+             mem=ent.contains_only()),
9f2ebf
+        dict(name='empty_group2', passwd='*', gid=2011,
9f2ebf
+             mem=ent.contains_only()),
9f2ebf
+        dict(name='two_user_group', passwd='*', gid=2012,
9f2ebf
+             mem=ent.contains_only("user1", "user2")),
9f2ebf
+        dict(name='group_empty_group', passwd='*', gid=2013,
9f2ebf
+             mem=ent.contains_only()),
9f2ebf
+        dict(name='group_two_empty_groups', passwd='*', gid=2014,
9f2ebf
+             mem=ent.contains_only()),
9f2ebf
+        dict(name='one_user_group1', passwd='*', gid=2015,
9f2ebf
+             mem=ent.contains_only("user1")),
9f2ebf
+        dict(name='one_user_group2', passwd='*', gid=2016,
9f2ebf
+             mem=ent.contains_only("user2")),
9f2ebf
+        dict(name='group_one_user_group', passwd='*', gid=2017,
9f2ebf
+             mem=ent.contains_only("user1")),
9f2ebf
+        dict(name='group_two_user_group', passwd='*', gid=2018,
9f2ebf
+             mem=ent.contains_only("user1", "user2")),
9f2ebf
+        dict(name='group_two_one_user_groups', passwd='*', gid=2019,
9f2ebf
+             mem=ent.contains_only("user1", "user2"))
9f2ebf
+    )
9f2ebf
+    ent.assert_group(group_pattern)
9f2ebf
+
9f2ebf
+    with pytest.raises(KeyError):
9f2ebf
+        grp.getgrnam("conflict1")
9f2ebf
+    ent.assert_group_by_gid(1002, dict(name="user2", mem=ent.contains_only()))
9f2ebf
diff --git a/src/tests/intg/test_ldap.py b/src/tests/intg/test_ldap.py
9f2ebf
index f2467f1ffe9890049ad73bba6432102d029510e8..a6659b1b78df4d72eb98c208d67ee5d10c9c88ea 100644
9f2ebf
--- a/src/tests/intg/test_ldap.py
9f2ebf
+++ b/src/tests/intg/test_ldap.py
9f2ebf
@@ -1169,3 +1169,217 @@ def test_nss_filters_cached(ldap_conn, sanity_nss_filter_cached):
9f2ebf
 
9f2ebf
     res, _ = call_sssd_getgrgid(0)
9f2ebf
     assert res == NssReturnCode.NOTFOUND
9f2ebf
+
9f2ebf
+
9f2ebf
+@pytest.fixture
9f2ebf
+def mpg_setup(request, ldap_conn):
9f2ebf
+    ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
9f2ebf
+    ent_list.add_user("user1", 1001, 2001)
9f2ebf
+    ent_list.add_user("user2", 1002, 2002)
9f2ebf
+    ent_list.add_user("user3", 1003, 2003)
9f2ebf
+
9f2ebf
+    ent_list.add_group_bis("group1", 2001)
9f2ebf
+    ent_list.add_group_bis("group2", 2002)
9f2ebf
+    ent_list.add_group_bis("group3", 2003)
9f2ebf
+
9f2ebf
+    ent_list.add_group_bis("two_user_group", 2012, ["user1", "user2"])
9f2ebf
+    ent_list.add_group_bis("one_user_group1", 2015, ["user1"])
9f2ebf
+    ent_list.add_group_bis("one_user_group2", 2016, ["user2"])
9f2ebf
+
9f2ebf
+    create_ldap_entries(ldap_conn, ent_list)
9f2ebf
+    create_ldap_cleanup(request, ldap_conn, None)
9f2ebf
+
9f2ebf
+    conf = \
9f2ebf
+        format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS) + \
9f2ebf
+        unindent("""
9f2ebf
+            [domain/LDAP]
9f2ebf
+            auto_private_groups = True
9f2ebf
+        """).format(**locals())
9f2ebf
+    create_conf_fixture(request, conf)
9f2ebf
+    create_sssd_fixture(request)
9f2ebf
+    return None
9f2ebf
+
9f2ebf
+
9f2ebf
+def test_ldap_auto_private_groups_direct(ldap_conn, mpg_setup):
9f2ebf
+    """
9f2ebf
+    Integration test for auto_private_groups
9f2ebf
+
9f2ebf
+    See also ticket https://pagure.io/SSSD/sssd/issue/1872
9f2ebf
+    """
9f2ebf
+    # Make sure the user's GID is taken from their uidNumber
9f2ebf
+    ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001, gid=1001))
9f2ebf
+    # Make sure the private group is resolvable by name and by GID
9f2ebf
+    ent.assert_group_by_name("user1", dict(gid=1001, mem=ent.contains_only()))
9f2ebf
+    ent.assert_group_by_gid(1001, dict(name="user1", mem=ent.contains_only()))
9f2ebf
+
9f2ebf
+    # The group referenced in user's gidNumber attribute should be still
9f2ebf
+    # visible, but it's fine that it doesn't contain the user as a member
9f2ebf
+    # as the group is currently added during the initgroups operation only
9f2ebf
+    ent.assert_group_by_name("group1", dict(gid=2001, mem=ent.contains_only()))
9f2ebf
+    ent.assert_group_by_gid(2001, dict(name="group1", mem=ent.contains_only()))
9f2ebf
+
9f2ebf
+    # The user's secondary groups list must be correct as well
9f2ebf
+    # Note that the original GID is listed as well -- this is correct and expected
9f2ebf
+    # because we save the original GID in the SYSDB_PRIMARY_GROUP_GIDNUM attribute
9f2ebf
+    user1_expected_gids = [1001, 2001, 2012, 2015]
9f2ebf
+    (res, errno, gids) = sssd_id.call_sssd_initgroups("user1", 1001)
9f2ebf
+    assert res == sssd_id.NssReturnCode.SUCCESS
9f2ebf
+
9f2ebf
+    assert sorted(gids) == sorted(user1_expected_gids), \
9f2ebf
+        "result: %s\n expected %s" % (
9f2ebf
+            ", ".join(["%s" % s for s in sorted(gids)]),
9f2ebf
+            ", ".join(["%s" % s for s in sorted(user1_expected_gids)])
9f2ebf
+        )
9f2ebf
+
9f2ebf
+    # Request user2's private group by GID without resolving the user first.
9f2ebf
+    # This must trigger user resolution through by-GID resolution, since the GID
9f2ebf
+    # doesn't exist on its own in LDAP
9f2ebf
+    ent.assert_group_by_gid(1002, dict(name="user2", mem=ent.contains_only()))
9f2ebf
+
9f2ebf
+    # Test supplementary groups for user2 as well
9f2ebf
+    user1_expected_gids = [1002, 2002, 2012, 2016]
9f2ebf
+    (res, errno, gids) = sssd_id.call_sssd_initgroups("user2", 1002)
9f2ebf
+    assert res == sssd_id.NssReturnCode.SUCCESS
9f2ebf
+
9f2ebf
+    assert sorted(gids) == sorted(user1_expected_gids), \
9f2ebf
+        "result: %s\n expected %s" % (
9f2ebf
+            ", ".join(["%s" % s for s in sorted(gids)]),
9f2ebf
+            ", ".join(["%s" % s for s in sorted(user1_expected_gids)])
9f2ebf
+        )
9f2ebf
+
9f2ebf
+    # Request user3's private group by name without resolving the user first
9f2ebf
+    # This must trigger user resolution through by-name resolution, since the
9f2ebf
+    # name doesn't exist on its own in LDAP
9f2ebf
+    ent.assert_group_by_name("user3", dict(gid=1003, mem=ent.contains_only()))
9f2ebf
+
9f2ebf
+    # Remove entries and request them again to make sure they are not
9f2ebf
+    # resolvable anymore
9f2ebf
+    cleanup_ldap_entries(ldap_conn, None)
9f2ebf
+
9f2ebf
+    if subprocess.call(["sss_cache", "-GU"]) != 0:
9f2ebf
+        raise Exception("sssd_cache failed")
9f2ebf
+
9f2ebf
+    with pytest.raises(KeyError):
9f2ebf
+        pwd.getpwnam("user1")
9f2ebf
+    with pytest.raises(KeyError):
9f2ebf
+        grp.getgrnam("user1")
9f2ebf
+    with pytest.raises(KeyError):
9f2ebf
+        grp.getgrgid(1002)
9f2ebf
+    with pytest.raises(KeyError):
9f2ebf
+        grp.getgrnam("user3")
9f2ebf
+
9f2ebf
+
9f2ebf
+@pytest.fixture
9f2ebf
+def mpg_setup_conflict(request, ldap_conn):
9f2ebf
+    ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
9f2ebf
+    ent_list.add_user("user1", 1001, 2001)
9f2ebf
+    ent_list.add_user("user2", 1002, 2002)
9f2ebf
+    ent_list.add_user("user3", 1003, 1003)
9f2ebf
+    ent_list.add_group_bis("group1", 1001)
9f2ebf
+    ent_list.add_group_bis("group2", 1002)
9f2ebf
+    ent_list.add_group_bis("group3", 1003)
9f2ebf
+    ent_list.add_group_bis("supp_group", 2015, ["user3"])
9f2ebf
+    create_ldap_fixture(request, ldap_conn, ent_list)
9f2ebf
+
9f2ebf
+    conf = \
9f2ebf
+        format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS) + \
9f2ebf
+        unindent("""
9f2ebf
+            [domain/LDAP]
9f2ebf
+            auto_private_groups = True
9f2ebf
+        """).format(**locals())
9f2ebf
+    create_conf_fixture(request, conf)
9f2ebf
+    create_sssd_fixture(request)
9f2ebf
+    return None
9f2ebf
+
9f2ebf
+
9f2ebf
+def test_ldap_auto_private_groups_conflict(ldap_conn, mpg_setup_conflict):
9f2ebf
+    """
9f2ebf
+    Make sure that conflicts between groups that are auto-created with the
9f2ebf
+    help of the auto_private_groups option and between 'real' LDAP groups
9f2ebf
+    are handled in a predictable manner.
9f2ebf
+    """
9f2ebf
+    # Make sure the user's GID is taken from their uidNumber
9f2ebf
+    ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001, gid=1001))
9f2ebf
+    # Make sure the private group is resolvable by name and by GID
9f2ebf
+    ent.assert_group_by_name("user1", dict(gid=1001, mem=ent.contains_only()))
9f2ebf
+    ent.assert_group_by_gid(1001, dict(name="user1", mem=ent.contains_only()))
9f2ebf
+
9f2ebf
+    # Let's request the group with the same ID as user2's private group
9f2ebf
+    # The request should match the 'real' group
9f2ebf
+    ent.assert_group_by_gid(1002, dict(name="group2", mem=ent.contains_only()))
9f2ebf
+    # But because of the GID conflict, the user cannot be resolved
9f2ebf
+    with pytest.raises(KeyError):
9f2ebf
+        pwd.getpwnam("user2")
9f2ebf
+
9f2ebf
+    # This user's GID is the same as the UID in this entry. The most important
9f2ebf
+    # thing here is that the supplementary groups are correct and the GID
9f2ebf
+    # resolves to the private group (as long as the user was requested first)
9f2ebf
+    user3_expected_gids = [1003, 2015]
9f2ebf
+    ent.assert_passwd_by_name("user3", dict(name="user3", uid=1003, gid=1003))
9f2ebf
+    (res, errno, gids) = sssd_id.call_sssd_initgroups("user3", 1003)
9f2ebf
+    assert res == sssd_id.NssReturnCode.SUCCESS
9f2ebf
+
9f2ebf
+    assert sorted(gids) == sorted(user3_expected_gids), \
9f2ebf
+        "result: %s\n expected %s" % (
9f2ebf
+            ", ".join(["%s" % s for s in sorted(gids)]),
9f2ebf
+            ", ".join(["%s" % s for s in sorted(user3_expected_gids)])
9f2ebf
+        )
9f2ebf
+    # Make sure the private group is resolvable by name and by GID
9f2ebf
+    ent.assert_group_by_gid(1003, dict(name="user3", mem=ent.contains_only()))
9f2ebf
+    ent.assert_group_by_name("user3", dict(gid=1003, mem=ent.contains_only()))
9f2ebf
+
9f2ebf
+
9f2ebf
+@pytest.fixture
9f2ebf
+def mpg_setup_no_gid(request, ldap_conn):
9f2ebf
+    ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
9f2ebf
+    ent_list.add_user("user1", 1001, 2001)
9f2ebf
+
9f2ebf
+    ent_list.add_group_bis("group1", 2001)
9f2ebf
+    ent_list.add_group_bis("one_user_group1", 2015, ["user1"])
9f2ebf
+
9f2ebf
+    create_ldap_entries(ldap_conn, ent_list)
9f2ebf
+    create_ldap_cleanup(request, ldap_conn, None)
9f2ebf
+
9f2ebf
+    conf = \
9f2ebf
+        format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS) + \
9f2ebf
+        unindent("""
9f2ebf
+            [domain/LDAP]
9f2ebf
+            auto_private_groups = True
9f2ebf
+            ldap_user_gid_number = no_such_attribute
9f2ebf
+        """).format(**locals())
9f2ebf
+    create_conf_fixture(request, conf)
9f2ebf
+    create_sssd_fixture(request)
9f2ebf
+    return None
9f2ebf
+
9f2ebf
+
9f2ebf
+def test_ldap_auto_private_groups_direct_no_gid(ldap_conn, mpg_setup_no_gid):
9f2ebf
+    """
9f2ebf
+    Integration test for auto_private_groups - test that even a user with
9f2ebf
+    no GID assigned at all can be resolved including their autogenerated
9f2ebf
+    primary group.
9f2ebf
+
9f2ebf
+    See also ticket https://pagure.io/SSSD/sssd/issue/1872
9f2ebf
+    """
9f2ebf
+    # Make sure the user's GID is taken from their uidNumber
9f2ebf
+    ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001, gid=1001))
9f2ebf
+    # Make sure the private group is resolvable by name and by GID
9f2ebf
+    ent.assert_group_by_name("user1", dict(gid=1001, mem=ent.contains_only()))
9f2ebf
+    ent.assert_group_by_gid(1001, dict(name="user1", mem=ent.contains_only()))
9f2ebf
+
9f2ebf
+    # The group referenced in user's gidNumber attribute should be still
9f2ebf
+    # visible, but shouldn't have any relation to the user
9f2ebf
+    ent.assert_group_by_name("group1", dict(gid=2001, mem=ent.contains_only()))
9f2ebf
+    ent.assert_group_by_gid(2001, dict(name="group1", mem=ent.contains_only()))
9f2ebf
+
9f2ebf
+    # The user's secondary groups list must be correct as well. This time only
9f2ebf
+    # the generated group and the explicit secondary group are added, since
9f2ebf
+    # there is no original GID
9f2ebf
+    user1_expected_gids = [1001, 2015]
9f2ebf
+    (res, errno, gids) = sssd_id.call_sssd_initgroups("user1", 1001)
9f2ebf
+    assert res == sssd_id.NssReturnCode.SUCCESS
9f2ebf
+
9f2ebf
+    assert sorted(gids) == sorted(user1_expected_gids), \
9f2ebf
+        "result: %s\n expected %s" % (
9f2ebf
+            ", ".join(["%s" % s for s in sorted(gids)]),
9f2ebf
+            ", ".join(["%s" % s for s in sorted(user1_expected_gids)])
9f2ebf
+        )
9f2ebf
-- 
9f2ebf
2.13.5
9f2ebf