From 4c77f1d5172b427aad0124d7970fb6905fb0a14a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
Date: Mon, 2 Sep 2019 02:01:54 +0200
Subject: [PATCH] TESTS: Sync. multihost kcm tests with master
---
src/tests/multihost/basic/conftest.py | 8 ++
src/tests/multihost/basic/test_kcm.py | 138 ++++++++++++++++++++++++++
2 files changed, 146 insertions(+)
diff --git a/src/tests/multihost/basic/conftest.py b/src/tests/multihost/basic/conftest.py
index 87f74031c..dd3c6f001 100644
--- a/src/tests/multihost/basic/conftest.py
+++ b/src/tests/multihost/basic/conftest.py
@@ -397,6 +397,14 @@ def create_posix_usersgroups(session_multihost):
assert ret == 'Success'
+@pytest.fixture(scope='session')
+def create_many_user_principals(session_multihost):
+ krb = krb5srv(session_multihost.master[0], 'EXAMPLE.TEST')
+ for i in range(1, 65):
+ username = "user%04d" % i
+ krb.add_principal(username, 'user', 'Secret123')
+
+
@pytest.fixture(scope="session", autouse=True)
def setup_session(request, session_multihost,
package_install,
diff --git a/src/tests/multihost/basic/test_kcm.py b/src/tests/multihost/basic/test_kcm.py
index 54b3f7ecd..f18748af7 100644
--- a/src/tests/multihost/basic/test_kcm.py
+++ b/src/tests/multihost/basic/test_kcm.py
@@ -3,6 +3,7 @@ from sssd.testlib.common.utils import SSHClient
import paramiko
import pytest
import os
+import re
from utils_config import set_param, remove_section
@@ -38,6 +39,11 @@ class TestSanityKCM(object):
os.remove(local_kcm_log_file)
return nlines
+ def _remove_secret_db(self, multihost):
+ multihost.master[0].run_command(
+ 'rm -f /var/lib/sss/secrets/secrets.ldb')
+ self._restart_kcm(multihost)
+
def test_kinit_kcm(self, multihost, enable_kcm):
"""
@Title: kcm: Run kinit with KRB5CCNAME=KCM
@@ -175,3 +181,135 @@ class TestSanityKCM(object):
if 'KCM:14583109' in line:
has_cache = True
assert has_cache is True
+
+ def test_kvno_display(self, multihost, enable_kcm):
+ """
+ @Title: kcm: Test kvno correctly displays vesion numbers of principals
+ #https://pagure.io/SSSD/sssd/issue/3757
+ """
+ ssh = SSHClient(multihost.master[0].sys_hostname,
+ username='foo4', password='Secret123')
+ host_princ = 'host/%s@%s' % (multihost.master[0].sys_hostname,
+ 'EXAMPLE.TEST')
+ kvno_cmd = 'kvno %s' % (host_princ)
+ (stdout, _, exit_status) = ssh.execute_cmd(kvno_cmd)
+ for line in stdout.readlines():
+ kvno_check = re.search(r'%s: kvno = (\d+)' % host_princ, line)
+ if kvno_check:
+ print(kvno_check.group())
+ else:
+ pytest.fail("kvno display was improper")
+ ssh.close()
+
+ def test_kcm_peruid_quota(self,
+ multihost,
+ enable_kcm,
+ create_many_user_principals):
+ """
+ @Title: kcm: Make sure the quota limits a client, but only that client
+ """
+ # It is easier to keep these tests stable and independent from others
+ # if they start from a clean slate
+ self._remove_secret_db(multihost)
+
+ ssh_foo2 = SSHClient(multihost.master[0].sys_hostname,
+ username='foo2', password='Secret123')
+ ssh_foo3 = SSHClient(multihost.master[0].sys_hostname,
+ username='foo3', password='Secret123')
+
+ # The loop would request 63 users, plus there is foo3 we authenticated
+ # earlier, so this should exactly deplete the quota, but should succeed
+ for i in range(1, 64):
+ username = "user%04d" % i
+ (_, _, exit_status) = ssh_foo3.execute_cmd('kinit %s' % username,
+ stdin='Secret123')
+ assert exit_status == 0
+
+ # this kinit should be exactly one over the peruid limit
+ (_, _, exit_status) = ssh_foo3.execute_cmd('kinit user0064',
+ stdin='Secret123')
+ assert exit_status != 0
+
+ # Since this is a per-uid limit, another user should be able to kinit
+ # just fine
+ (_, _, exit_status) = ssh_foo2.execute_cmd('kinit user0064',
+ stdin='Secret123')
+ assert exit_status == 0
+
+ # kdestroy as the original user, the quota should allow a subsequent
+ # kinit
+ ssh_foo3.execute_cmd('kdestroy -A')
+ (_, _, exit_status) = ssh_foo3.execute_cmd('kinit user0064',
+ stdin='Secret123')
+ assert exit_status == 0
+
+ ssh_foo2.execute_cmd('kdestroy -A')
+ ssh_foo2.close()
+ ssh_foo3.execute_cmd('kdestroy -A')
+ ssh_foo3.close()
+
+ def test_kcm_peruid_quota_increase(self,
+ multihost,
+ enable_kcm,
+ create_many_user_principals):
+ """
+ @Title: kcm: Quota increase
+
+ Increasing the peruid quota allows a client to store more
+ data
+ """
+ # It is easier to keep these tests stable and independent from others
+ # if they start from a clean slate
+ self._remove_secret_db(multihost)
+
+ ssh_foo3 = SSHClient(multihost.master[0].sys_hostname,
+ username='foo3', password='Secret123')
+
+ # The loop would request 63 users, plus there is foo3 we authenticated
+ # earlier, so this should exactly deplete the quota, but should succeed
+ for i in range(1, 64):
+ username = "user%04d" % i
+ (_, _, exit_status) = ssh_foo3.execute_cmd('kinit %s' % username,
+ stdin='Secret123')
+ assert exit_status == 0
+
+ # this kinit should be exactly one over the peruid limit
+ (_, _, exit_status) = ssh_foo3.execute_cmd('kinit user0064',
+ stdin='Secret123')
+ assert exit_status != 0
+
+ set_param(multihost, 'kcm', 'max_uid_ccaches', '65')
+ self._restart_kcm(multihost)
+
+ # Now the kinit should work as we increased the limit
+ (_, _, exit_status) = ssh_foo3.execute_cmd('kinit user0064',
+ stdin='Secret123')
+ assert exit_status == 0
+
+ ssh_foo3.execute_cmd('kdestroy -A')
+ ssh_foo3.close()
+
+ def test_kcm_payload_low_quota(self,
+ multihost,
+ enable_kcm):
+ """
+ @Title: kcm: Quota enforcement
+
+ Set a prohibitive quota for the per-ccache payload limit and
+ make sure it gets enforced
+ """
+ # It is easier to keep these tests stable and independent from others
+ # if they start from a clean slate
+ self._remove_secret_db(multihost)
+
+ ssh_foo3 = SSHClient(multihost.master[0].sys_hostname,
+ username='foo3', password='Secret123')
+ ssh_foo3.execute_cmd('kdestroy -A')
+ ssh_foo3.close()
+
+ set_param(multihost, 'kcm', 'max_ccache_size', '1')
+ self._restart_kcm(multihost)
+
+ with pytest.raises(paramiko.ssh_exception.AuthenticationException):
+ ssh_foo3 = SSHClient(multihost.master[0].sys_hostname,
+ username='foo3', password='Secret123')
--
2.20.1