8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek# SSSD files domain tests
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek# Copyright (c) 2016 Red Hat, Inc.
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek# This is free software; you can redistribute it and/or modify it
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek# under the terms of the GNU General Public License as published by
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek# the Free Software Foundation; version 2 only
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek# This program is distributed in the hope that it will be useful, but
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek# WITHOUT ANY WARRANTY; without even the implied warranty of
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek# General Public License for more details.
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek# You should have received a copy of the GNU General Public License
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek# along with this program. If not, see <http://www.gnu.org/licenses/>.
5883b99fa0d13368f6e79fdb40b6637d36ed1801Jakub Hrozekfrom sssd_group import call_sssd_getgrnam, call_sssd_getgrgid
4a9100a588ade253cecb2224b95bd8caa8136109Jakub Hrozekfrom files_ops import passwd_ops_setup, group_ops_setup, PasswdOps, GroupOps
fc91d72f32660712f7c9e872e00deb91f188fea3Jakub Hrozek# Sync this with files_ops.c
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub HrozekCANARY = dict(name='canary', passwd='x', uid=100001, gid=200001,
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub HrozekUSER1 = dict(name='user1', passwd='x', uid=10001, gid=20001,
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub HrozekUSER2 = dict(name='user2', passwd='x', uid=10002, gid=20001,
b294f9f082c97f0c6ef16739e19826a16375444eFabiano FidêncioOV_USER1 = dict(name='ov_user1', passwd='x', uid=10010, gid=20010,
4a9100a588ade253cecb2224b95bd8caa8136109Jakub HrozekALT_USER1 = dict(name='altuser1', passwd='x', uid=60001, gid=70001,
b294f9f082c97f0c6ef16739e19826a16375444eFabiano Fidêncio """Start sssd and add teardown for stopping it and removing state"""
b294f9f082c97f0c6ef16739e19826a16375444eFabiano Fidêncio os.environ["SSS_FILES_PASSWD"] = os.environ["NSS_WRAPPER_PASSWD"]
b294f9f082c97f0c6ef16739e19826a16375444eFabiano Fidêncio os.environ["SSS_FILES_GROUP"] = os.environ["NSS_WRAPPER_GROUP"]
b294f9f082c97f0c6ef16739e19826a16375444eFabiano Fidêncio if subprocess.call(["sssd", "-D", "-f"]) != 0:
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek """Generate sssd.conf and add teardown for removing it"""
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek os.chmod(config.CONF_PATH, stat.S_IRUSR | stat.S_IWUSR)
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek request.addfinalizer(lambda: os.unlink(config.CONF_PATH))
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek domains = files
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek services = nss
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek id_provider = files
4a9100a588ade253cecb2224b95bd8caa8136109Jakub Hrozek _, alt_passwd_path = tempfile.mkstemp(prefix='altpasswd')
4a9100a588ade253cecb2224b95bd8caa8136109Jakub Hrozek request.addfinalizer(lambda: os.unlink(alt_passwd_path))
4a9100a588ade253cecb2224b95bd8caa8136109Jakub Hrozek _, alt_group_path = tempfile.mkstemp(prefix='altgroup')
4a9100a588ade253cecb2224b95bd8caa8136109Jakub Hrozek request.addfinalizer(lambda: os.unlink(alt_group_path))
4a9100a588ade253cecb2224b95bd8caa8136109Jakub Hrozek passwd_list = ",".join([os.environ["NSS_WRAPPER_PASSWD"], alt_passwd_path])
4a9100a588ade253cecb2224b95bd8caa8136109Jakub Hrozek group_list = ",".join([os.environ["NSS_WRAPPER_GROUP"], alt_group_path])
4a9100a588ade253cecb2224b95bd8caa8136109Jakub Hrozek domains = files
4a9100a588ade253cecb2224b95bd8caa8136109Jakub Hrozek services = nss
4a9100a588ade253cecb2224b95bd8caa8136109Jakub Hrozek debug_level = 10
4a9100a588ade253cecb2224b95bd8caa8136109Jakub Hrozek id_provider = files
4a9100a588ade253cecb2224b95bd8caa8136109Jakub Hrozek passwd_files = {passwd_list}
4a9100a588ade253cecb2224b95bd8caa8136109Jakub Hrozek group_files = {group_list}
4a9100a588ade253cecb2224b95bd8caa8136109Jakub Hrozek debug_level = 10
c1bce7da6c33b352dc708a5dd9712a4d96c63057Jakub Hrozek Sets up SSSD with multiple sources, but does not actually create
# NOTE(review): tempfile.mktemp() only picks a name and creates nothing, so
# another local process could create that path before the test does. The
# fixture docstring says the files are deliberately not created here; a name
# inside a private tempfile.mkdtemp() directory would keep that property
# without the race.
c1bce7da6c33b352dc708a5dd9712a4d96c63057Jakub Hrozek alt_passwd_path = tempfile.mktemp(prefix='altpasswd')
c1bce7da6c33b352dc708a5dd9712a4d96c63057Jakub Hrozek request.addfinalizer(lambda: os.unlink(alt_passwd_path))
c1bce7da6c33b352dc708a5dd9712a4d96c63057Jakub Hrozek alt_group_path = tempfile.mktemp(prefix='altgroup')
c1bce7da6c33b352dc708a5dd9712a4d96c63057Jakub Hrozek request.addfinalizer(lambda: os.unlink(alt_group_path))
c1bce7da6c33b352dc708a5dd9712a4d96c63057Jakub Hrozek passwd_list = ",".join([os.environ["NSS_WRAPPER_PASSWD"], alt_passwd_path])
c1bce7da6c33b352dc708a5dd9712a4d96c63057Jakub Hrozek group_list = ",".join([os.environ["NSS_WRAPPER_GROUP"], alt_group_path])
c1bce7da6c33b352dc708a5dd9712a4d96c63057Jakub Hrozek domains = files
c1bce7da6c33b352dc708a5dd9712a4d96c63057Jakub Hrozek services = nss
c1bce7da6c33b352dc708a5dd9712a4d96c63057Jakub Hrozek debug_level = 10
c1bce7da6c33b352dc708a5dd9712a4d96c63057Jakub Hrozek id_provider = files
c1bce7da6c33b352dc708a5dd9712a4d96c63057Jakub Hrozek passwd_files = {passwd_list}
c1bce7da6c33b352dc708a5dd9712a4d96c63057Jakub Hrozek group_files = {group_list}
c1bce7da6c33b352dc708a5dd9712a4d96c63057Jakub Hrozek debug_level = 10
34e5190f9a47e4a2e15d825123b33d42c7e72cccLukas Slebodnik domains = proxy, local
34e5190f9a47e4a2e15d825123b33d42c7e72cccLukas Slebodnik services = nss
34e5190f9a47e4a2e15d825123b33d42c7e72cccLukas Slebodnik id_provider = local
34e5190f9a47e4a2e15d825123b33d42c7e72cccLukas Slebodnik id_provider = proxy
34e5190f9a47e4a2e15d825123b33d42c7e72cccLukas Slebodnik proxy_lib_name = files
34e5190f9a47e4a2e15d825123b33d42c7e72cccLukas Slebodnik auth_provider = none
13294bedc56faf1011f5ba7b1ed9a53b08e71c00Jakub Hrozek services = nss
1732c40287be0ff918e42ae0045aafeee91b3c7bLukas Slebodnik enable_files_domain = true
13294bedc56faf1011f5ba7b1ed9a53b08e71c00Jakub Hrozek domains = local
13294bedc56faf1011f5ba7b1ed9a53b08e71c00Jakub Hrozek services = nss
1732c40287be0ff918e42ae0045aafeee91b3c7bLukas Slebodnik enable_files_domain = true
13294bedc56faf1011f5ba7b1ed9a53b08e71c00Jakub Hrozek id_provider = local
30621369bbf6c554401a20d84e447f872608bc53Lukas Slebodnik id_provider = files
13294bedc56faf1011f5ba7b1ed9a53b08e71c00Jakub Hrozek domains = local
13294bedc56faf1011f5ba7b1ed9a53b08e71c00Jakub Hrozek services = nss
13294bedc56faf1011f5ba7b1ed9a53b08e71c00Jakub Hrozek enable_files_domain = false
13294bedc56faf1011f5ba7b1ed9a53b08e71c00Jakub Hrozek id_provider = local
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek ent.assert_passwd_by_name(CANARY['name'], CANARY)
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek return setup_pw_with_list(request, [CANARY, USER1])
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek ent.assert_group_by_name(CANARY_GR['name'], CANARY_GR)
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek return setup_gr_with_list(request, [GROUP1, CANARY_GR])
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek return setup_gr_with_list(request, [CANARY_GR])
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek If we query SSSD while it's updating its cache, it would return NOTFOUND
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek rather than a result from potentially outdated or incomplete cache. In
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek reality this doesn't hurt because the order of the modules is normally
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek "sss files" so the user lookup would fall back to files. But in tests
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek we use this loop to wait until the canary user who is always there is
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek ret = poll_canary(call_sssd_getpwnam, CANARY["name"])
5883b99fa0d13368f6e79fdb40b6637d36ed1801Jakub Hrozek ret = poll_canary(call_sssd_getpwnam, CANARY["name"])
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek ret = poll_canary(call_sssd_getgrnam, CANARY_GR["name"])
5883b99fa0d13368f6e79fdb40b6637d36ed1801Jakub Hrozek ret = poll_canary(call_sssd_getgrnam, CANARY_GR["name"])
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek# Helper functions
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek res, found_user = sssd_getpwnam_sync(exp_user["name"])
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek res, found_group = sssd_getgrnam_sync(exp_group["name"])
5883b99fa0d13368f6e79fdb40b6637d36ed1801Jakub Hrozek res, found_group = sssd_getgrgid_sync(exp_group["gid"])
b294f9f082c97f0c6ef16739e19826a16375444eFabiano Fidêncio # There is an issue in nss_wrapper [0]: nss_wrapper always looks into
b294f9f082c97f0c6ef16739e19826a16375444eFabiano Fidêncio # the files first before using the NSS module. This makes this check fail
b294f9f082c97f0c6ef16739e19826a16375444eFabiano Fidêncio # because the user is found in the file and hence is returned
b294f9f082c97f0c6ef16739e19826a16375444eFabiano Fidêncio # without overridden values.
b294f9f082c97f0c6ef16739e19826a16375444eFabiano Fidêncio # To work around this until nss_wrapper is fixed, use the
b294f9f082c97f0c6ef16739e19826a16375444eFabiano Fidêncio # fully-qualified name when looking up USER1.
b294f9f082c97f0c6ef16739e19826a16375444eFabiano Fidêncio # [0] https://bugzilla.samba.org/show_bug.cgi?id=12883
b294f9f082c97f0c6ef16739e19826a16375444eFabiano Fidêncio ent.assert_passwd_by_name(USER1["name"]+"@files", OV_USER1)
b294f9f082c97f0c6ef16739e19826a16375444eFabiano Fidêncio ent.assert_passwd_by_name(OV_USER1["name"], OV_USER1)
b294f9f082c97f0c6ef16739e19826a16375444eFabiano Fidêncio # There is an issue in nss_wrapper [0]: nss_wrapper always looks into
b294f9f082c97f0c6ef16739e19826a16375444eFabiano Fidêncio # the files first before using the NSS module. This makes this check fail
b294f9f082c97f0c6ef16739e19826a16375444eFabiano Fidêncio # because the group is found in the file and hence is returned
b294f9f082c97f0c6ef16739e19826a16375444eFabiano Fidêncio # without overridden values.
b294f9f082c97f0c6ef16739e19826a16375444eFabiano Fidêncio # To work around this until nss_wrapper is fixed, use the
b294f9f082c97f0c6ef16739e19826a16375444eFabiano Fidêncio # fully-qualified name when looking up GROUP1.
b294f9f082c97f0c6ef16739e19826a16375444eFabiano Fidêncio # [0] https://bugzilla.samba.org/show_bug.cgi?id=12883
b294f9f082c97f0c6ef16739e19826a16375444eFabiano Fidêncio ent.assert_group_by_name(GROUP1["name"]+"@files", OV_GROUP1)
b294f9f082c97f0c6ef16739e19826a16375444eFabiano Fidêncio ent.assert_group_by_name(OV_GROUP1["name"], OV_GROUP1)
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozekdef test_getpwnam_after_start(add_user_with_canary, files_domain_only):
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek Test that after startup without any additional operations, a user
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek can be resolved through sssd
5883b99fa0d13368f6e79fdb40b6637d36ed1801Jakub Hrozekdef test_getpwuid_after_start(add_user_with_canary, files_domain_only):
5883b99fa0d13368f6e79fdb40b6637d36ed1801Jakub Hrozek Test that after startup without any additional operations, a user
5883b99fa0d13368f6e79fdb40b6637d36ed1801Jakub Hrozek can be resolved through sssd
b294f9f082c97f0c6ef16739e19826a16375444eFabiano Fidênciodef test_user_overriden(add_user_with_canary, files_domain_only):
b294f9f082c97f0c6ef16739e19826a16375444eFabiano Fidêncio Test that user override works with files domain only
b294f9f082c97f0c6ef16739e19826a16375444eFabiano Fidêncio subprocess.check_call(["sss_override", "user-add", USER1["name"],
b294f9f082c97f0c6ef16739e19826a16375444eFabiano Fidênciodef test_group_overriden(add_group_with_canary, files_domain_only):
b294f9f082c97f0c6ef16739e19826a16375444eFabiano Fidêncio Test that group override works with files domain only
b294f9f082c97f0c6ef16739e19826a16375444eFabiano Fidêncio subprocess.check_call(["sss_override", "group-add", GROUP1["name"],
49dd8ee2834d9477418961dbaffa4a03cfa9fd1eRené Genz Test that a nonexistent user cannot be resolved by name
49dd8ee2834d9477418961dbaffa4a03cfa9fd1eRené Genz Test that a nonexistent user cannot be resolved by UID
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozekdef test_root_does_not_resolve(files_domain_only):
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek SSSD currently does not resolve the root user even though it can
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek be resolved through the NSS interface
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek assert nss_root is not None
5883b99fa0d13368f6e79fdb40b6637d36ed1801Jakub Hrozekdef test_uid_zero_does_not_resolve(files_domain_only):
5883b99fa0d13368f6e79fdb40b6637d36ed1801Jakub Hrozek SSSD currently does not resolve the UID 0 even though it can
5883b99fa0d13368f6e79fdb40b6637d36ed1801Jakub Hrozek be resolved through the NSS interface
5883b99fa0d13368f6e79fdb40b6637d36ed1801Jakub Hrozek assert nss_root is not None
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozekdef test_add_remove_add_file_user(setup_pw_with_canary, files_domain_only):
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek Test that removing a user is detected and the user
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek is removed from the sssd database. Similarly, an add
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek should be detected. Do this several times to test retaining
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek the inotify watch for moved and unlinked files.
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozekdef test_mod_user_shell(add_user_with_canary, files_domain_only):
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek Test that modifying a user shell is detected and the user
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek is modified in the sssd database
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozekdef test_enum_users(setup_pw_with_canary, files_domain_only):
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek Test that enumerating all users works with the default configuration. Also
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek test that removing all entries and then enumerating again returns an empty
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek # +1 because the canary is added
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozekdef incomplete_user_setup(pwd_ops, del_field, exp_field):
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozekdef test_user_no_shell(setup_pw_with_canary, files_domain_only):
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek Test that resolving a user without a shell defined works and returns
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek a fallback value
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek check_user(incomplete_user_setup(setup_pw_with_canary, 'shell', ''))
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozekdef test_user_no_dir(setup_pw_with_canary, files_domain_only):
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek Test that resolving a user without a homedir defined works and returns
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek a fallback value
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek check_user(incomplete_user_setup(setup_pw_with_canary, 'dir', '/'))
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozekdef test_user_no_gecos(setup_pw_with_canary, files_domain_only):
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek Test that resolving a user without a gecos defined works and returns
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek a fallback value
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek check_user(incomplete_user_setup(setup_pw_with_canary, 'gecos', ''))
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozekdef test_user_no_passwd(setup_pw_with_canary, files_domain_only):
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek Test that resolving a user without a password defined works and returns
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek a fallback value
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek check_user(incomplete_user_setup(setup_pw_with_canary, 'passwd', 'x'))
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozekdef bad_incomplete_user_setup(pwd_ops, del_field):
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozekdef test_incomplete_user_fail(setup_pw_with_canary, files_domain_only):
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek Test resolving an incomplete user where the missing field is required
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek to be present in the user record and thus the user shouldn't resolve.
0a86dede8773ecce91b5bd2ae75a02f9ff89a358René Genz We cannot test UID and GID missing because nss_wrapper doesn't even
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek load the malformed passwd file, then.
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek bad_incomplete_user_setup(setup_pw_with_canary, 'name')
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozekdef test_getgrnam_after_start(add_group_with_canary, files_domain_only):
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek Test that after startup without any additional operations, a group
5883b99fa0d13368f6e79fdb40b6637d36ed1801Jakub Hrozek can be resolved through sssd by name
5883b99fa0d13368f6e79fdb40b6637d36ed1801Jakub Hrozekdef test_getgrgid_after_start(add_group_with_canary, files_domain_only):
5883b99fa0d13368f6e79fdb40b6637d36ed1801Jakub Hrozek Test that after startup without any additional operations, a group
5883b99fa0d13368f6e79fdb40b6637d36ed1801Jakub Hrozek can be resolved through sssd by GID
49dd8ee2834d9477418961dbaffa4a03cfa9fd1eRené Genz Test that a nonexistent group cannot be resolved
49dd8ee2834d9477418961dbaffa4a03cfa9fd1eRené Genz Test that a nonexistent group cannot be resolved
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozekdef test_root_group_does_not_resolve(files_domain_only):
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek SSSD currently does not resolve the root group even though it can
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek be resolved through the NSS interface
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek assert nss_root is not None
5883b99fa0d13368f6e79fdb40b6637d36ed1801Jakub Hrozekdef test_gid_zero_does_not_resolve(files_domain_only):
5883b99fa0d13368f6e79fdb40b6637d36ed1801Jakub Hrozek SSSD currently does not resolve the group with GID 0 even though it
5883b99fa0d13368f6e79fdb40b6637d36ed1801Jakub Hrozek can be resolved through the NSS interface
5883b99fa0d13368f6e79fdb40b6637d36ed1801Jakub Hrozek assert nss_root is not None
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozekdef test_add_remove_add_file_group(setup_gr_with_canary, files_domain_only):
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek Test that removing a group is detected and the group
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek is removed from the sssd database. Similarly, an add
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek should be detected. Do this several times to test retaining
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek the inotify watch for moved and unlinked files.
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek res, group = call_sssd_getgrnam(GROUP1["name"])
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek res, group = call_sssd_getgrnam(GROUP1["name"])
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozekdef test_mod_group_name(add_group_with_canary, files_domain_only):
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek Test that modifying a group name is detected and the group
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek is modified in the sssd database
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek add_group_with_canary.groupmod(old_name=GROUP1["name"], **modgroup)
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozekdef test_mod_group_gid(add_group_with_canary, files_domain_only):
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek Test that modifying a group GID is detected and the group
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek is modified in the sssd database
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek add_group_with_canary.groupmod(old_name=GROUP1["name"], **modgroup)
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek return setup_gr_with_list(request, [GROUP_NOMEM, CANARY_GR])
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozekdef test_getgrnam_no_members(add_group_nomem_with_canary, files_domain_only):
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek Test that after startup without any additional operations, a group
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek can be resolved through sssd
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozekdef user_and_group_setup(pwd_ops, grp_ops, users, groups, reverse):
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek The reverse is added so that we test cases where a group is added first,
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek then a user for this group is created -- in that case, we need to properly
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek link the group after the user is added.
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek # Test that users are members as per getgrnam
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek # Test that users are members as per initgroups
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozekdef test_getgrnam_members_users_first(setup_pw_with_canary,
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek A user is linked with a group
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozekdef test_getgrnam_members_users_multiple(setup_pw_with_canary,
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek Multiple users are linked with a group
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozekdef test_getgrnam_members_groups_first(setup_pw_with_canary,
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek A group is linked with a user
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek Test that a group with members while the members are not present
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek are added as ghosts. This is also what nss_files does, getgrnam would
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek return group members that do not exist as well.
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozekdef ghost_and_member_test(pw_ops, grp_ops, reverse):
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek # We checked that the group added has the same members as group12,
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek # so both user1 and user2. Now check that user1 is a member of
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek # group12 and its own primary GID but user2 doesn't exist, it's
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek # just a ghost entry
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozekdef test_getgrnam_user_ghost_and_member(setup_pw_with_canary,
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek Test a group with one member and one ghost.
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozekdef test_getgrnam_user_member_and_ghost(setup_pw_with_canary,
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek Test that a group with one member and one ghost, adding the group
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek first and then linking the member
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozekdef test_getgrnam_add_remove_members(setup_pw_with_canary,
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek Test that a user is linked with a group
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek add_group_nomem_with_canary.groupmod(old_name=modgroup['name'], **modgroup)
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek add_group_nomem_with_canary.groupmod(old_name=modgroup['name'], **modgroup)
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek # User1 exists, but is not a member of any supplementary group anymore
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek # user2 still is
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozekdef test_getgrnam_add_remove_ghosts(setup_pw_with_canary,
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek Test that a user is linked with a group
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek add_group_nomem_with_canary.groupmod(old_name=modgroup['name'], **modgroup)
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek add_group_nomem_with_canary.groupmod(old_name=modgroup['name'], **modgroup)
8bdb8c0970dc9acb5b0a54dab0bae306ca964944Jakub Hrozek # Add this user and verify it's been added as a member
fc91d72f32660712f7c9e872e00deb91f188fea3Jakub Hrozek # Intentionally not including the last one because
fc91d72f32660712f7c9e872e00deb91f188fea3Jakub Hrozek # canary is added first
fc91d72f32660712f7c9e872e00deb91f188fea3Jakub Hrozekdef test_realloc_users_exact(setup_pw_with_canary, files_domain_only):
fc91d72f32660712f7c9e872e00deb91f188fea3Jakub Hrozek Test that returning exactly FILES_REALLOC_CHUNK users (see files_ops.c)
fc91d72f32660712f7c9e872e00deb91f188fea3Jakub Hrozek works fine to test reallocation logic. Test exact number of users to
fc91d72f32660712f7c9e872e00deb91f188fea3Jakub Hrozek check for off-by-one errors.
fc91d72f32660712f7c9e872e00deb91f188fea3Jakub Hrozek realloc_users(setup_pw_with_canary, FILES_REALLOC_CHUNK)
fc91d72f32660712f7c9e872e00deb91f188fea3Jakub Hrozekdef test_realloc_users(setup_pw_with_canary, files_domain_only):
fc91d72f32660712f7c9e872e00deb91f188fea3Jakub Hrozek Test that returning exactly FILES_REALLOC_CHUNK users (see files_ops.c)
fc91d72f32660712f7c9e872e00deb91f188fea3Jakub Hrozek works fine to test reallocation logic.
fc91d72f32660712f7c9e872e00deb91f188fea3Jakub Hrozek realloc_users(setup_pw_with_canary, FILES_REALLOC_CHUNK*3)
fc91d72f32660712f7c9e872e00deb91f188fea3Jakub Hrozekdef test_realloc_groups_exact(setup_gr_with_canary, files_domain_only):
fc91d72f32660712f7c9e872e00deb91f188fea3Jakub Hrozek Test that returning exactly FILES_REALLOC_CHUNK groups (see files_ops.c)
fc91d72f32660712f7c9e872e00deb91f188fea3Jakub Hrozek works fine to test reallocation logic. Test exact number of groups to
fc91d72f32660712f7c9e872e00deb91f188fea3Jakub Hrozek check for off-by-one errors.
fc91d72f32660712f7c9e872e00deb91f188fea3Jakub Hrozek realloc_groups(setup_gr_with_canary, FILES_REALLOC_CHUNK*3)
fc91d72f32660712f7c9e872e00deb91f188fea3Jakub Hrozekdef test_realloc_groups(setup_gr_with_canary, files_domain_only):
fc91d72f32660712f7c9e872e00deb91f188fea3Jakub Hrozek Test that returning exactly FILES_REALLOC_CHUNK groups (see files_ops.c)
fc91d72f32660712f7c9e872e00deb91f188fea3Jakub Hrozek works fine to test reallocation logic. Test exact number of groups to
fc91d72f32660712f7c9e872e00deb91f188fea3Jakub Hrozek check for off-by-one errors.
fc91d72f32660712f7c9e872e00deb91f188fea3Jakub Hrozek realloc_groups(setup_gr_with_canary, FILES_REALLOC_CHUNK*3)
13294bedc56faf1011f5ba7b1ed9a53b08e71c00Jakub Hrozek# Files domain autoconfiguration tests
13294bedc56faf1011f5ba7b1ed9a53b08e71c00Jakub Hrozekdef test_no_sssd_domain(add_user_with_canary, no_sssd_domain):
13294bedc56faf1011f5ba7b1ed9a53b08e71c00Jakub Hrozek Test that if no sssd domain is configured, sssd will add the implicit one
34e5190f9a47e4a2e15d825123b33d42c7e72cccLukas Slebodnikdef test_proxy_to_files_domain_only(add_user_with_canary,
34e5190f9a47e4a2e15d825123b33d42c7e72cccLukas Slebodnik Test that implicit_files domain is not started together with proxy to files
34e5190f9a47e4a2e15d825123b33d42c7e72cccLukas Slebodnik local_user1 = dict(name='user1', passwd='*', uid=10009, gid=10009,
34e5190f9a47e4a2e15d825123b33d42c7e72cccLukas Slebodnik gecos='user1', dir='/home/user1', shell='/bin/bash')
34e5190f9a47e4a2e15d825123b33d42c7e72cccLukas Slebodnik # Add a user with a different UID than the one in files
34e5190f9a47e4a2e15d825123b33d42c7e72cccLukas Slebodnik ["sss_useradd", "-u", "10009", "-M", USER1["name"]])
34e5190f9a47e4a2e15d825123b33d42c7e72cccLukas Slebodnik res, user = call_sssd_getpwnam(USER1["name"])
34e5190f9a47e4a2e15d825123b33d42c7e72cccLukas Slebodnik res, _ = call_sssd_getpwnam("{0}@implicit_files".format(USER1["name"]))
13294bedc56faf1011f5ba7b1ed9a53b08e71c00Jakub Hrozekdef test_no_files_domain(add_user_with_canary, no_files_domain):
13294bedc56faf1011f5ba7b1ed9a53b08e71c00Jakub Hrozek Test that if no files domain is configured, sssd will add the implicit one
13294bedc56faf1011f5ba7b1ed9a53b08e71c00Jakub Hrozek before any explicitly configured domains
13294bedc56faf1011f5ba7b1ed9a53b08e71c00Jakub Hrozek # Add a user with a different UID than the one in files
13294bedc56faf1011f5ba7b1ed9a53b08e71c00Jakub Hrozek ["sss_useradd", "-u", "10009", "-M", USER1["name"]])
13294bedc56faf1011f5ba7b1ed9a53b08e71c00Jakub Hrozek # Even though the local domain is the only one configured,
13294bedc56faf1011f5ba7b1ed9a53b08e71c00Jakub Hrozek # files will be resolved first
13294bedc56faf1011f5ba7b1ed9a53b08e71c00Jakub Hrozekdef test_disable_files_domain(add_user_with_canary, disabled_files_domain):
13294bedc56faf1011f5ba7b1ed9a53b08e71c00Jakub Hrozek Test that if no files domain is configured, sssd will add the implicit one
13294bedc56faf1011f5ba7b1ed9a53b08e71c00Jakub Hrozek before any explicitly configured domains
13294bedc56faf1011f5ba7b1ed9a53b08e71c00Jakub Hrozek # The local user will not be resolvable through nss_sss now
a4837791f62283079e7be4b17efb769be8b2dfd1Jakub Hrozekdef test_no_sssd_conf(add_user_with_canary, no_sssd_conf):
a4837791f62283079e7be4b17efb769be8b2dfd1Jakub Hrozek Test that running without sssd.conf implicitly configures one with
a4837791f62283079e7be4b17efb769be8b2dfd1Jakub Hrozek id_provider=files
4a9100a588ade253cecb2224b95bd8caa8136109Jakub Hrozekdef test_multiple_passwd_group_files(add_user_with_canary,
4a9100a588ade253cecb2224b95bd8caa8136109Jakub Hrozek Test that users and groups can be mirrored from multiple files
c1bce7da6c33b352dc708a5dd9712a4d96c63057Jakub Hrozekdef test_multiple_files_created_after_startup(add_user_with_canary,
c1bce7da6c33b352dc708a5dd9712a4d96c63057Jakub Hrozek Test that users and groups can be mirrored from multiple files,
c1bce7da6c33b352dc708a5dd9712a4d96c63057Jakub Hrozek but those files are not created when SSSD starts, only afterwards.
c1bce7da6c33b352dc708a5dd9712a4d96c63057Jakub Hrozek alt_passwd_path, alt_group_path = files_multiple_sources_nocreate
c1bce7da6c33b352dc708a5dd9712a4d96c63057Jakub Hrozek # touch the files