From 4c77f1d5172b427aad0124d7970fb6905fb0a14a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20=C5=BDidek?= Date: Mon, 2 Sep 2019 02:01:54 +0200 Subject: [PATCH] TESTS: Sync. multihost kcm tests with master --- src/tests/multihost/basic/conftest.py | 8 ++ src/tests/multihost/basic/test_kcm.py | 138 ++++++++++++++++++++++++++ 2 files changed, 146 insertions(+) diff --git a/src/tests/multihost/basic/conftest.py b/src/tests/multihost/basic/conftest.py index 87f74031c..dd3c6f001 100644 --- a/src/tests/multihost/basic/conftest.py +++ b/src/tests/multihost/basic/conftest.py @@ -397,6 +397,14 @@ def create_posix_usersgroups(session_multihost): assert ret == 'Success' +@pytest.fixture(scope='session') +def create_many_user_principals(session_multihost): + krb = krb5srv(session_multihost.master[0], 'EXAMPLE.TEST') + for i in range(1, 65): + username = "user%04d" % i + krb.add_principal(username, 'user', 'Secret123') + + @pytest.fixture(scope="session", autouse=True) def setup_session(request, session_multihost, package_install, diff --git a/src/tests/multihost/basic/test_kcm.py b/src/tests/multihost/basic/test_kcm.py index 54b3f7ecd..f18748af7 100644 --- a/src/tests/multihost/basic/test_kcm.py +++ b/src/tests/multihost/basic/test_kcm.py @@ -3,6 +3,7 @@ from sssd.testlib.common.utils import SSHClient import paramiko import pytest import os +import re from utils_config import set_param, remove_section @@ -38,6 +39,11 @@ class TestSanityKCM(object): os.remove(local_kcm_log_file) return nlines + def _remove_secret_db(self, multihost): + multihost.master[0].run_command( + 'rm -f /var/lib/sss/secrets/secrets.ldb') + self._restart_kcm(multihost) + def test_kinit_kcm(self, multihost, enable_kcm): """ @Title: kcm: Run kinit with KRB5CCNAME=KCM @@ -175,3 +181,135 @@ class TestSanityKCM(object): if 'KCM:14583109' in line: has_cache = True assert has_cache is True + + def test_kvno_display(self, multihost, enable_kcm): + """ + @Title: kcm: Test kvno correctly displays vesion numbers of principals + #https://pagure.io/SSSD/sssd/issue/3757 + """ + ssh = SSHClient(multihost.master[0].sys_hostname, + username='foo4', password='Secret123') + host_princ = 'host/%s@%s' % (multihost.master[0].sys_hostname, + 'EXAMPLE.TEST') + kvno_cmd = 'kvno %s' % (host_princ) + (stdout, _, exit_status) = ssh.execute_cmd(kvno_cmd) + for line in stdout.readlines(): + kvno_check = re.search(r'%s: kvno = (\d+)' % host_princ, line) + if kvno_check: + print(kvno_check.group()) + else: + pytest.fail("kvno display was improper") + ssh.close() + + def test_kcm_peruid_quota(self, + multihost, + enable_kcm, + create_many_user_principals): + """ + @Title: kcm: Make sure the quota limits a client, but only that client + """ + # It is easier to keep these tests stable and independent from others + # if they start from a clean slate + self._remove_secret_db(multihost) + + ssh_foo2 = SSHClient(multihost.master[0].sys_hostname, + username='foo2', password='Secret123') + ssh_foo3 = SSHClient(multihost.master[0].sys_hostname, + username='foo3', password='Secret123') + + # The loop would request 63 users, plus there is foo3 we authenticated + # earlier, so this should exactly deplete the quota, but should succeed + for i in range(1, 64): + username = "user%04d" % i + (_, _, exit_status) = ssh_foo3.execute_cmd('kinit %s' % username, + stdin='Secret123') + assert exit_status == 0 + + # this kinit should be exactly one over the peruid limit + (_, _, exit_status) = ssh_foo3.execute_cmd('kinit user0064', + stdin='Secret123') + assert exit_status != 0 + + # Since this is a per-uid limit, another user should be able to kinit + # just fine + (_, _, exit_status) = ssh_foo2.execute_cmd('kinit user0064', + stdin='Secret123') + assert exit_status == 0 + + # kdestroy as the original user, the quota should allow a subsequent + # kinit + ssh_foo3.execute_cmd('kdestroy -A') + (_, _, exit_status) = ssh_foo3.execute_cmd('kinit user0064', + stdin='Secret123') + assert exit_status == 0 + + ssh_foo2.execute_cmd('kdestroy -A') + ssh_foo2.close() + ssh_foo3.execute_cmd('kdestroy -A') + ssh_foo3.close() + + def test_kcm_peruid_quota_increase(self, + multihost, + enable_kcm, + create_many_user_principals): + """ + @Title: kcm: Quota increase + + Increasing the peruid quota allows a client to store more + data + """ + # It is easier to keep these tests stable and independent from others + # if they start from a clean slate + self._remove_secret_db(multihost) + + ssh_foo3 = SSHClient(multihost.master[0].sys_hostname, + username='foo3', password='Secret123') + + # The loop would request 63 users, plus there is foo3 we authenticated + # earlier, so this should exactly deplete the quota, but should succeed + for i in range(1, 64): + username = "user%04d" % i + (_, _, exit_status) = ssh_foo3.execute_cmd('kinit %s' % username, + stdin='Secret123') + assert exit_status == 0 + + # this kinit should be exactly one over the peruid limit + (_, _, exit_status) = ssh_foo3.execute_cmd('kinit user0064', + stdin='Secret123') + assert exit_status != 0 + + set_param(multihost, 'kcm', 'max_uid_ccaches', '65') + self._restart_kcm(multihost) + + # Now the kinit should work as we increased the limit + (_, _, exit_status) = ssh_foo3.execute_cmd('kinit user0064', + stdin='Secret123') + assert exit_status == 0 + + ssh_foo3.execute_cmd('kdestroy -A') + ssh_foo3.close() + + def test_kcm_payload_low_quota(self, + multihost, + enable_kcm): + """ + @Title: kcm: Quota enforcement + + Set a prohibitive quota for the per-ccache payload limit and + make sure it gets enforced + """ + # It is easier to keep these tests stable and independent from others + # if they start from a clean slate + self._remove_secret_db(multihost) + + ssh_foo3 = SSHClient(multihost.master[0].sys_hostname, + username='foo3', password='Secret123') + ssh_foo3.execute_cmd('kdestroy -A') + ssh_foo3.close() + + set_param(multihost, 'kcm', 'max_ccache_size', '1') + self._restart_kcm(multihost) + + with pytest.raises(paramiko.ssh_exception.AuthenticationException): + ssh_foo3 = SSHClient(multihost.master[0].sys_hostname, + username='foo3', password='Secret123') -- 2.20.1