#
# SSSD files domain tests
#
# Copyright (c) 2016 Red Hat, Inc.
#
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 only
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
import os
import stat
import time
import config
import signal
import subprocess
import pwd
import grp
import pytest
import tempfile
import ent
import sssd_id
# Sync this with files_ops.c
mem=[])
mem=[])
def start_sssd():
"""Start sssd and add teardown for stopping it and removing state"""
# NOTE(review): only the failure path is visible in this listing; the call
# that launches sssd and the check of its result are not shown. As shown,
# the function would raise unconditionally - confirm against the full file.
raise Exception("sssd start failed")
def stop_sssd():
# NOTE(review): body lines appear to be missing from this listing; only the
# skeleton of a polling loop remains, which exits once the guarded call raises.
while True:
try:
# NOTE(review): the guarded statement is not visible here.
except:
# NOTE(review): a bare `except:` also catches KeyboardInterrupt and SystemExit,
# so an interrupt while polling is treated the same as the expected error and
# ends the loop silently. Narrow it to the exception the guarded call raises
# (presumably OSError - confirm against the full file).
break
def restart_sssd():
"""Generate sssd.conf and add teardown for removing it"""
# NOTE(review): this docstring describes writing sssd.conf, not restarting the
# daemon. No body for restart_sssd is visible in this listing, so the docstring
# presumably belongs to a configuration helper whose `def` line is missing -
# confirm against the full file.
def teardown():
# NOTE(review): presumably a fixture cleanup callback; the statement inside the
# `try` is not visible in this listing.
try:
except:
# NOTE(review): bare `except: pass` hides every failure, including
# KeyboardInterrupt and SystemExit, so a cleanup step that fails leaves no trace
# and leftover state can carry over into the next test. Catch only the
# exception type the cleanup call is expected to raise.
pass
# Fixtures
[sssd]
domains = files
services = nss
id_provider = files
return None
[sssd]
domains = files
services = nss
[nss]
debug_level = 10
id_provider = files
passwd_files = {passwd_list}
group_files = {group_list}
debug_level = 10
"""
Sets up SSSD with multiple sources, but does not actually create
the files.
"""
[sssd]
domains = files
services = nss
[nss]
debug_level = 10
id_provider = files
passwd_files = {passwd_list}
group_files = {group_list}
debug_level = 10
return alt_passwd_path, alt_group_path
[sssd]
domains = proxy, local
services = nss
id_provider = local
id_provider = proxy
proxy_lib_name = files
auth_provider = none
return None
[sssd]
services = nss
enable_files_domain = true
return None
[sssd]
domains = local
services = nss
enable_files_domain = true
id_provider = local
id_provider = files
return None
[sssd]
domains = local
services = nss
enable_files_domain = false
id_provider = local
return None
return None
return pwd_ops
for group in group_list:
return grp_ops
"""
If we query SSSD while it's updating its cache, it would return NOTFOUND
rather than a result from potentially outdated or incomplete cache. In
reality this doesn't hurt because the order of the modules is normally
"sss files" so the user lookup would fall back to files. But in tests
we use this loop to wait until the canary user who is always there is
resolved.
"""
return True
continue
else:
return False
return False
return NssReturnCode.NOTFOUND, None
return call_sssd_getpwnam(name)
return NssReturnCode.NOTFOUND, None
return call_sssd_getpwuid(uid)
return NssReturnCode.NOTFOUND, None
return call_sssd_getgrnam(name)
return NssReturnCode.NOTFOUND, None
return call_sssd_getgrgid(name)
# Helper functions
passwd='x',
gecos='User for tests',
if delay > 0:
assert found_user == exp_user
mem=[])
if delay > 0:
assert found_group == exp_group
if delay > 0:
assert found_group == exp_group
for exp_group in exp_groups_list:
def assert_user_overriden():
# There is an issue in nss_wrapper [0]: nss_wrapper always looks into
# the files first before using the NSS module. This makes this check fail
# because the user is found in the file and hence is returned
# without overridden values.
# To work around this until nss_wrapper is fixed, use the
# fully-qualified name when looking up USER1
#
def assert_group_overriden():
# There is an issue in nss_wrapper [0]: nss_wrapper always looks into
# the files first before using the NSS module. This makes this check fail
# because the group is found in the file and hence is returned
# without overridden values.
# To work around this until nss_wrapper is fixed, use the
# fully-qualified name when looking up GROUP1
#
# User tests
"""
Test that after startup without any additional operations, a user
can be resolved through sssd
"""
"""
Test that after startup without any additional operations, a user
can be resolved through sssd
"""
"""
Test that user override works with files domain only
"""
# Override
"""
Test that user override works with files domain only
"""
# Override
"""
Test that a nonexistent user cannot be resolved by name
"""
"""
Test that a nonexistent user cannot be resolved by UID
"""
"""
SSSD currently does not resolve the root user even though it can
be resolved through the NSS interface
"""
assert nss_root is not None
"""
SSSD currently does not resolve the UID 0 even though it can
be resolved through the NSS interface
"""
assert nss_root is not None
"""
Test that removing a user is detected and the user
is removed from the sssd database. Similarly, an add
should be detected. Do this several times to test retaining
the inotify watch for moved and unlinked files.
"""
"""
Test that modifying a user shell is detected and the user
is modified in the sssd database
"""
"""
Test that enumerating all users works with the default configuration. Also
test that removing all entries and then enumerating again returns an empty
set
"""
num_users = 10
user = user_generator(i)
# +1 because the canary is added
return exp_user
"""
Test that resolving a user without a shell defined works and returns
a fallback value
"""
"""
Test that resolving a user without a homedir defined works and returns
a fallback value
"""
"""
Test that resolving a user without a gecos defined works and returns
a fallback value
"""
"""
Test that resolving a user without a password defined works and returns
a fallback value
"""
"""
Test resolving an incomplete user where the missing field is required
to be present in the user record and thus the user shouldn't resolve.
We cannot test UID and GID missing because nss_wrapper doesn't even
load the malformed passwd file, then.
"""
"""
Test that after startup without any additional operations, a group
can be resolved through sssd by name
"""
"""
Test that after startup without any additional operations, a group
can be resolved through sssd by GID
"""
"""
Test that a nonexistent group cannot be resolved
"""
"""
Test that a nonexistent group cannot be resolved
"""
"""
SSSD currently does not resolve the root group even though it can
be resolved through the NSS interface
"""
assert nss_root is not None
"""
SSSD currently does not resolve the group with GID 0 even though it
can be resolved through the NSS interface
"""
assert nss_root is not None
"""
Test that removing a group is detected and the group
is removed from the sssd database. Similarly, an add
should be detected. Do this several times to test retaining
the inotify watch for moved and unlinked files.
"""
"""
Test that modifying a group name is detected and the group
is modified in the sssd database
"""
"""
Test that modifying a group name is detected and the group
is modified in the sssd database
"""
"""
Test that after startup without any additional operations, a group
can be resolved through sssd
"""
"""
The reverse is added so that we test cases where a group is added first,
then a user for this group is created -- in that case, we need to properly
link the group after the user is added.
"""
else:
# Test that users are members as per getgrnam
# Test that users are members as per initgroups
for group in added_groups:
"""
A user is linked with a group
"""
[USER1],
[GROUP1],
"""
Multiple users are linked with a group
"""
[GROUP12],
"""
A group is linked with a user
"""
[USER1],
[GROUP1],
True)
"""
Test that a group with members while the members are not present
are added as ghosts. This is also what nss_files does, getgrnam would
return group members that do not exist as well.
"""
[],
[GROUP12],
[USER1],
[GROUP12],
# We checked that the group added has the same members as group12,
# so both user1 and user2. Now check that user1 is a member of
# group12 and its own primary GID but user2 doesn't exist, it's
# just a ghost entry
assert 'group12' in groups
"""
Test a group with one member and one ghost.
"""
"""
Test that a group with one member and one ghost, adding the group
first and then linking the member
"""
True)
"""
Test that a user is linked with a group
"""
assert 'group_nomem' in groups
assert 'group_nomem' in groups
# User1 exists, but is not a member of any supplementary group anymore
# user2 still is
assert 'group_nomem' in groups
"""
Test that a user is linked with a group
"""
# Add this user and verify it's been added as a member
assert 'group_nomem' in groups
# Intentionally not including the last one because
# canary is added first
user = user_generator(i)
"""
Test that returning exactly FILES_REALLOC_CHUNK users (see files_ops.c)
works fine to test reallocation logic. Test exact number of users to
check for off-by-one errors.
"""
"""
Test that returning exactly FILES_REALLOC_CHUNK users (see files_ops.c)
works fine to test reallocation logic.
"""
group = group_generator(i)
"""
Test that returning exactly FILES_REALLOC_CHUNK groups (see files_ops.c)
works fine to test reallocation logic. Test exact number of groups to
check for off-by-one errors.
"""
"""
Test that returning exactly FILES_REALLOC_CHUNK groups (see files_ops.c)
works fine to test reallocation logic. Test exact number of groups to
check for off-by-one errors.
"""
# Files domain autoconfiguration tests
"""
Test that if no sssd domain is configured, sssd will add the implicit one
"""
"""
Test that implicit_files domain is not started together with proxy to files
"""
# Add a user with a different UID than the one in files
assert user == local_user1
"""
Test that if no files domain is configured, sssd will add the implicit one
before any explicitly configured domains
"""
# Add a user with a different UID than the one in files
# Even though the local domain is the only one configured,
# files will be resolved first
"""
Test that if no files domain is configured, sssd will add the implicit one
before any explicitly configured domains
"""
# The local user will not be resolvable through nss_sss now
"""
Test that running without sssd.conf implicitly configures one with
id_provider=files
"""
"""
Test that users and groups can be mirrored from multiple files
"""
"""
Test that users and groups can be mirrored from multiple files,
but those files are not created when SSSD starts, only afterwards.
"""
# touch the files
pass