diff --git a/src/tests/system/tests/test_sss_override.py b/src/tests/system/tests/test_sss_override.py new file mode 100644 index 00000000000..d5d76d75fa7 --- /dev/null +++ b/src/tests/system/tests/test_sss_override.py @@ -0,0 +1,263 @@ +from __future__ import annotations + +import pytest +from sssd_test_framework.roles.client import Client +from sssd_test_framework.roles.generic import GenericProvider +from sssd_test_framework.topology import KnownTopology + + +@pytest.mark.topology(KnownTopology.LDAP) +@pytest.mark.topology(KnownTopology.AD) +@pytest.mark.topology(KnownTopology.Samba) +@pytest.mark.topology(KnownTopology.IPA) +def test_local_overrides__user(client: Client, provider: GenericProvider): + """ + :title: Local override user account + :setup: + 1. Create posix user "user1" with posix attributes defined + 2. Start SSSD + :steps: + 1. Override "user1" to "o-user1" + 2. Authenticate as "user1", short and fully qualified name + 3. Authenticate as "o-user1", short and fully qualified name + 4. Override posix attributes for "o-user1" + 5. Search for user override + 6. Delete override + :expectedresults: + 1. User local override is created + 2. Authentication successful for both short and fully qualified name + 3. Authentication successful for both short and fully qualified name + 4. Local override posix attribute updated + 5. Local override "o-user1" found + 6. Local override is deleted + :customerscenario: False + """ + provider.user("user1").add( + uid=999011, gid=999011, home="/home/user1", gecos="user", shell="/bin/bash", password="Secret123" + ) + client.sssd.start() + client.sss_override.user("user1").add(name="o-user1") + client.sssd.restart() + + assert client.auth.ssh.password("user1", "Secret123") + assert client.auth.ssh.password("o-user1", "Secret123") + assert client.auth.ssh.password(f"user1@{client.sssd.default_domain}", "Secret123") + assert client.auth.ssh.password(f"o-user1@{client.sssd.default_domain}", "Secret123") + + result = client.tools.getent.passwd("user1") + assert result.uid == 999011 + assert result.gid == 999011 + client.sss_override.user("user1").modify(name="o-user1", uid=999999, gid=888888, home="/home/o-user1") + client.sssd.restart() + + result = client.tools.getent.passwd("user1") + assert result.uid == 999011 + assert result.gid == 999011 + assert result.home == "/home/o-user1" + + client.sss_override.user("user1").delete() + assert not client.sss_override.user("user1").get() + assert not client.tools.getent.passwd("user1") + + +@pytest.mark.topology(KnownTopology.LDAP) +@pytest.mark.topology(KnownTopology.AD) +@pytest.mark.topology(KnownTopology.Samba) +@pytest.mark.topology(KnownTopology.IPA) +def test_local_overrides__group(client: Client, provider: GenericProvider): + """ + :title: Locally override group + :setup: + 1. Create group "group1" with posix attributes defined + 2. Start SSSD + :steps: + 1. Override "group1" to "o-group1" + 2. Search for group override + 3. Override posix attributes for "o-group1" + 4. Search for group override + 5. Delete override + :expectedresults: + 1. Group local override is created + 2. Local override for "o-group1" found + 3. Local override posix attribute updated + 4. Local override "o-group1" found + 5. Local override is deleted + :customerscenario: False + """ + provider.group("group1").add(gid=999999) + client.sssd.start() + client.sss_override.group("group1").add(name="o-group1") + client.sssd.restart() + + assert client.tools.getent.group("group1") + assert client.tools.getent.group("o-group1") + assert client.tools.getent.group("group1").gid != 888888 + client.sss_override.group("group1").modify(gid=888888) + client.sssd.restart() + assert client.tools.getent.group("group1").gid == 888888 + + client.sss_override.group("group1").delete() + assert not client.sss_override.group("group1").get() + assert not client.tools.getent.group("o-group1") + + +@pytest.mark.topology(KnownTopology.LDAP) +@pytest.mark.topology(KnownTopology.AD) +@pytest.mark.topology(KnownTopology.Samba) +@pytest.mark.topology(KnownTopology.IPA) +def test_local_overrides__root_user(client: Client, provider: GenericProvider): + """ + :title: Local override root user + :setup: + 1. Start SSSD + :steps: + 1. Create local override "root" for the user1 user + :expectedresults: + 1. Local override is created but the root user contents are not modified + :customerscenario: False + """ + provider.user("user1").add( + uid=999011, gid=999011, home="/home/user1", gecos="user", shell="/bin/bash", password="Secret123" + ) + client.sssd.start() + client.sss_override.user("user1").add(name="root", uid=999022, gid=999022) + client.sssd.restart() + + assert client.tools.getent.passwd("root").uid == 0 + assert client.tools.getent.passwd("root").gid == 0 + + client.sss_override.user("user1").delete() + + +@pytest.mark.topology(KnownTopology.LDAP) +@pytest.mark.topology(KnownTopology.AD) +@pytest.mark.topology(KnownTopology.Samba) +@pytest.mark.topology(KnownTopology.IPA) +def test_local_overrides__nested(client: Client, provider: GenericProvider): + """ + :title: Local override the local override + :setup: + 1. Create posix user "user1" with posix attributes defined + 2. Start SSSD + :steps: + 1. Override "user1" to "o-user1" + 2. Override "o-user1" to "lo-user1" + 3. Authenticate as "user1", short and fully qualified name + 4. Authenticate as "o-user1", short and fully qualified name + 5. Authenticate as "lo-user1", short and fully qualified name + 6. Search for user local overrides + :expectedresults: + 1. User local override is created + 2. Nested user local override is created + 3. Authentication successful for both short and fully qualified name + 4. Authentication successful for both short and fully qualified name + 5. Authentication successful for both short and fully qualified name + 6. Local overrides is found for all users + :customerscenario: False + """ + provider.user("user1").add( + uid=999011, gid=999011, home="/home/user1", gecos="user", shell="/bin/bash", password="Secret123" + ) + client.sssd.start() + client.sss_override.user("user1").add(name="o-user1") + client.sssd.restart() + client.sss_override.user("o-user1").add(name="lo-user1") + assert client.auth.ssh.password("user1", "Secret123") + assert client.auth.ssh.password("o-user1", "Secret123") + assert client.auth.ssh.password("lo-user1", "Secret123") + assert client.auth.ssh.password(f"user1@{client.sssd.default_domain}", "Secret123") + assert client.auth.ssh.password(f"o-user1@{client.sssd.default_domain}", "Secret123") + assert client.auth.ssh.password(f"lo-user1@{client.sssd.default_domain}", "Secret123") + + client.sss_override.user("user1").delete() + + +@pytest.mark.topology(KnownTopology.LDAP) +@pytest.mark.topology(KnownTopology.AD) +@pytest.mark.topology(KnownTopology.Samba) +@pytest.mark.topology(KnownTopology.IPA) +def test_local_overrides__import_export(client: Client, provider: GenericProvider): + """ + :title: Import and export local override data to and from a file + :setup: + 1. Create posix user "user1" with posix attributes defined + 2. Start SSSD + :steps: + 1. Override user "user1" to "o-user1" and group "group1" to "o-group1" + 2. Search for overrides + 3. Export user and group local overrides data to a file + 4. Delete overrides + 5. Import user and group local overrides data + 6. Search for user and group local overrides + :expectedresults: + 1. User local override is created + 2. User local overrides is found + 3. Local overrides data is exported to a file + 4. Local override is deleted + 5. Local override data is imported from file + 6. Local overrides are found + :customerscenario: False + """ + + provider.user("user1").add( + uid=999011, gid=999011, home="/home/user1", gecos="user", shell="/bin/bash", password="Secret123" + ) + provider.group("group1").add(gid=999999) + client.sssd.start() + client.sss_override.user("user1").add(name="o-user1") + client.sssd.restart() + client.sss_override.group("group1").add(name="o-group1") + + # local_override.user().backup() exports all user data + client.sss_override.user("user1").backup() + client.sss_override.group("group1").backup() + client.sss_override.user("user1").delete() + client.sss_override.group("group1").delete() + assert not client.sss_override.user("user1").get() + assert not client.sss_override.group("group1").get() + + client.sss_override.user("user1").restore() + client.sss_override.group("group1").restore() + + assert client.sss_override.user("user1").get(["name"]) == {"name": ["o-user1"]} + assert client.sss_override.group("group1").get(["name"]) == {"name": ["o-group1"]} + + client.sss_override.user("user1").delete() + client.sss_override.group("group1").delete() + + +@pytest.mark.ticket(bz=2757) +@pytest.mark.topology(KnownTopology.LDAP) +@pytest.mark.topology(KnownTopology.AD) +@pytest.mark.topology(KnownTopology.Samba) +@pytest.mark.topology(KnownTopology.IPA) +def test_local_overrides__fqn_true(client: Client, provider: GenericProvider): + """ + :title: Local overrides with use_fully_qualified_names = True + :setup: + 1. Create posix user "user1" with posix attributes defined + 2. Edit SSSD configuration and set "use_fully_qualified_names" = True + 3. Start SSSD + :steps: + 1. Override "user1" to "o-user1" + 2. Authenticate as "user1", only the fully qualified name + 3. Authenticate as "o-user1", only the fully qualified name + :expectedresults: + 1. User local override is created + 2. Authentication successful + 3. Authentication successful + :customerscenario: False + """ + provider.user("user1").add( + uid=999011, gid=999011, home="/home/user1", gecos="user", shell="/bin/bash", password="Secret123" + ) + client.sssd.domain["use_fully_qualified_names"] = "True" + client.sssd.start() + client.sss_override.user(f"user1@{client.sssd.default_domain}").add(name="o-user1") + client.sssd.restart() + assert client.auth.ssh.password("user1", "Secret123") != 0 + assert client.auth.ssh.password("o-user1", "Secret123") != 0 + assert client.auth.ssh.password(f"user1@{client.sssd.default_domain}", "Secret123") + assert client.auth.ssh.password(f"o-user1@{client.sssd.default_domain}", "Secret123") + + client.sss_override.user("user1").delete()