From 5c82172fa651b37ae463b81a2f90760046661172 Mon Sep 17 00:00:00 2001 From: Dan Lavu Date: Tue, 19 Nov 2024 09:35:57 -0500 Subject: [PATCH] test plan - do not merge --- src/tests/system/tests/notes.txt | 93 ++++++ src/tests/system/tests/test_access_control.py | 146 +++++++++ src/tests/system/tests/test_ad.py | 220 +++++++++++++ src/tests/system/tests/test_ad_servers.py | 168 ++++++++++ src/tests/system/tests/test_authentication.py | 105 +++++- src/tests/system/tests/test_autofs.py | 68 ++++ src/tests/system/tests/test_cache.py | 59 ++++ src/tests/system/tests/test_dns.py | 299 ++++++++++++++++++ src/tests/system/tests/test_failover.py | 82 +++++ src/tests/system/tests/test_files.py | 63 ++++ src/tests/system/tests/test_gpo.py | 20 ++ src/tests/system/tests/test_hosts.py | 0 src/tests/system/tests/test_identity.py | 113 ++++++- .../system/tests/test_identity_client.py | 67 ++++ .../system/tests/test_identity_mapping.py | 32 ++ src/tests/system/tests/test_ipa.py | 70 ++++ src/tests/system/tests/test_kerberos.py | 65 ++++ src/tests/system/tests/test_ldap.py | 202 ++++++++++++ src/tests/system/tests/test_logging.py | 30 ++ src/tests/system/tests/test_memcache.py | 127 ++++++++ .../system/tests/test_multiple_domains.py | 50 +++ src/tests/system/tests/test_netgroups.py | 36 ++- src/tests/system/tests/test_performance.py | 63 ++++ src/tests/system/tests/test_proxy.py | 72 ++++- src/tests/system/tests/test_python_sss.py | 26 ++ src/tests/system/tests/test_resolver.py | 23 ++ src/tests/system/tests/test_responders.py | 76 +++++ src/tests/system/tests/test_schema.py | 2 +- src/tests/system/tests/test_services.py | 51 +++ src/tests/system/tests/test_sssctl.py | 85 +++++ src/tests/system/tests/test_sudo.py | 50 +++ src/tests/system/tests/test_tools.py | 41 +++ 32 files changed, 2599 insertions(+), 5 deletions(-) create mode 100644 src/tests/system/tests/notes.txt create mode 100644 src/tests/system/tests/test_access_control.py create mode 100644 src/tests/system/tests/test_ad.py create mode 100644 src/tests/system/tests/test_ad_servers.py create mode 100644 src/tests/system/tests/test_dns.py create mode 100644 src/tests/system/tests/test_hosts.py create mode 100644 src/tests/system/tests/test_identity_client.py create mode 100644 src/tests/system/tests/test_identity_mapping.py create mode 100644 src/tests/system/tests/test_kerberos.py create mode 100644 src/tests/system/tests/test_multiple_domains.py create mode 100644 src/tests/system/tests/test_performance.py create mode 100644 src/tests/system/tests/test_python_sss.py create mode 100644 src/tests/system/tests/test_resolver.py create mode 100644 src/tests/system/tests/test_responders.py create mode 100644 src/tests/system/tests/test_services.py diff --git a/src/tests/system/tests/notes.txt b/src/tests/system/tests/notes.txt new file mode 100644 index 00000000000..e9f3f300b86 --- /dev/null +++ b/src/tests/system/tests/notes.txt @@ -0,0 +1,93 @@ +Notes +===== + +process +======= +Look at all the existing test cases, and determine the following +1. Is this test case already covered +2. If not, do we need to cover this? +3. If yes, is it in the right category? +4. Can we combine, parametrized the test? +5. If yes, add it to the skeleton for QE review with one docstring, :title: +6. Define what kind of test it is, integration, sanity or system (no marker) +7. After QE review, proceed with the test plan and all steps, setup, steps and expected results for DEV review. + + + +test_access_control.py +====================== +* parametrize the search attributes, allowing ad and ldap filters be one test +* parametrize fully qualified names, maybe extend the function to check both? + + +test_authentication.py +====================== +* feature, add generic provider password/security policy configuration +** remove test overlap from test_ldap.py + + +test_cache.py +============= +* ldap provider test, the discussion of the single run generic provider + + +test_ad.py +========== +** create sssd common configuration for LDAP/KRB5 + + +test_ad_servers.py +====================== +* multidomain topology (parent, child, tree) +* primary, secondary ad topology (ad sites) +* multidomain topology with two child domains (parent, child, child) +* multidomain topology with a grandchild domain (parent, child, grandchild) +* multiforest topology with two separate forests and no trust, client configuration contains two keytabs +* add topology_controller to join the child and tree domain +** all of these topologies are high resource with few tests cases, this is low priority + +test_memcache.py +================ +* single provider, no value testing against multiple providers +* this can be parametrized, I think it'll be easier to parametrized the stop, because the assertions for users and groups are so different. + + +test_identity.py +================ +* There are a lot of test cases, that I think we should split the tests into test_identity_client.py which will contain lookup tests that checks something on the client. Where test_identity.py will be tests that modify the directory or object. + + +test_identity_client.py +======================= +* extending test_identity.py, where test_identity.py setup contains changes in the provider. +This file contains setup with the client. + + +test_python_sss.py +================== +* test_pynsss_nss_idmap.py doesn't seem like it really belongs here. + + +test_ldap.py +============ +* generic provider covers rfc2307 tests and are rfc2307bis tests are cloned here +* parametrized SSL and StartTLS +* parameterize getent.passwd[name, uid]: + + +test_files.py +============= +* I think we should drop most of these tests except the ones that checks the data that is extracted from /etc/passwd, homedir, gecos +* Dropping the modifying value entry tests, cache tests, override tests + + +test_proxy.py - merge with test_files.py? +============= +* All of these tests can apply to the files provider, while files provider is being removed, is it worth it to parameterized these providers, if builtwith("files-provider") will re-run the test using that provider? +** the coverage should be identical + + +test_autofs +============ +* feature, add the ability to create samba shares as well +* do we want to test file access and assert ownership in these tests? \ No newline at end of file diff --git a/src/tests/system/tests/test_access_control.py b/src/tests/system/tests/test_access_control.py new file mode 100644 index 00000000000..aab26d36446 --- /dev/null +++ b/src/tests/system/tests/test_access_control.py @@ -0,0 +1,146 @@ +""" +SSSD Access Control Tests + +Tests pertaining to user, group and host access control providers and or filters. Some of the providers will be +in their own python file. + +* Simple access-control provider +* LDAP and AD access filter +* Kerberos access provider (k5login): test_kerberos.py +* Group Policy Objects (GPO) access control: test_gpo.py + +:requirement: access control +""" + +from __future__ import annotations + +import pytest + +""" +?:needs review +p:pushed ++:approved +-:drop +b:blocked +-> move + +intg +==== + +multihost +========= +# test_ns_account_lock.py +?:test_user_inactivated_locked +?:test_inactive_managed_roles +?:test_inactivated_filtered_roles +?:test_nested_role_inactivated + +# test_access_control.py +test_001_simple_allow_user_to_user1 -> test_access_control.py +?:test_002_too_much_logging_from_sssd_be -> test_access_controlpy +?:test_003_simple_allow_user_to_dollar_symbol +?:test_simple_allow_user_to_invalid_user +?:test_simple_deny_user_to_user1 +?:test_simple_deny_user_to_invalid_user +?:test_simple_allow_groups_top_nested +?:test_simple_deny_groups_top_nested +?:test_simple_allow_groups_invalid_group +?:test_simple_deny_groups_invalid_grp +?:test_permit_all_users +?:test_deny_all_users +?:test_dont_fail_auth_with_allow_rules + +notes +===== +* parametrize the search attributes, allowing ad and ldap filters be one test +* parametrize fully qualified names +""" + + +def test_access_control__disabled_user_cannot_login(): + """ + :title: Disabled user account is denied access + TODO: sssd_framework, add enable/disable user account functionality to all role user classes + """ + pass + + +@pytest.mark.parametrize("name", ["name", "fully_qualified_name"]) +def test_access_control__simple_filter_users(name: str): + """ + :title: User access is managed by the simple access filter parameter + """ + pass + + +@pytest.mark.parametrize("name", ["name", "fully_qualified_name"]) +def test_access_control__simple_filter_groups(name: str): + """ + :title: User is a member of a group that is managed by the simple access filter + """ + pass + + +@pytest.mark.parametrize("name", ["name", "fully_qualified_name"]) +def test_access_control__simple_filter_nested_groups(name: str): + """ + :title: User is a member of a nested group that is managed by the simple access filter + """ + pass + + +@pytest.mark.sanity +@pytest.mark.parametrize("users", [("user1 user2", False), ("user1, user2", True)]) +def test_access_control__simple_filter_valid_strings_in_users_field_work(users: str): + """ + :title: Check possible valid or invalid permutations when users are in the value + """ + pass + + +@pytest.mark.sanity +@pytest.mark.parametrize("groups", [("group1 group2", False), ("group1, group2", True)]) +def test_access_control__simple_filter_valid_strings_in_group_field_work(groups: str): + """ + :title: Check possible valid or invalid permutations when groups are in the value + """ + pass + + +def test_access_control__simple_filter_implicitly_deny_users_and_groups(): + """ + :title: Users and groups with no access are implicitly denied + """ + pass + + +@pytest.mark.parametrize("attr", [("samAccountName", "ad"), ("cn", "ldap"), ("dn", "")]) +def test_access_control__ldap_filter_searches_a_single_user_attribute(attr: tuple): + """ + :title: Access control filter uses one attribute + """ + pass + + +@pytest.mark.parametrize("attr", [("samAccountName", "ad"), ("cn", "ldap"), ("dn", "")]) +def test_access_control__ldap_filter_searches_group_members(attr: tuple): + """ + :title: Access control filter searches by group membership + """ + pass + + +@pytest.mark.parametrize("attr", [("samAccountName", "ad"), ("cn", "ldap"), ("dn", "")]) +def test_access_control__ldap_filter_query_contains_conditions_and_or(attr: tuple): + """ + :title: Access control filters contains conditionals + """ + pass + + +@pytest.mark.parametrize("attr", [("samAccountName", "ad"), ("cn", "ldap"), ("dn", "")]) +def test_access_control__ldap_filter_query_contains_arithmetic_operators(attr: tuple): + """ + :title: Access control filters contain arithmetic operators + """ + pass diff --git a/src/tests/system/tests/test_ad.py b/src/tests/system/tests/test_ad.py new file mode 100644 index 00000000000..b1dc842bb10 --- /dev/null +++ b/src/tests/system/tests/test_ad.py @@ -0,0 +1,220 @@ +""" +Active Directory Provider SSSD Tests + +:requirement: AD: + +""" + +from __future__ import annotations + +import pytest + +""" +?:needs review +p:pushed ++:approved +-:drop +b:blocked +-> move + +todo +==== +* multidomain topology - child, tree domain + +bash +==== +# ad_large_dataset/ad_large_dataset.sh +?:'Users in large group non posix id mapping' +?:'Users in large group posix id mapping bz1226119 bz1201840' +?:'User in large number of groups non posix id mapping' +?:'User in large number of groups posix id mapping' + + + +# ldap_krb5/ldap_krb5.sh +?:#Enumerate AD User user01 over LDAP without SSL +?:Enumerate and Authenticate user01 over STARTTLS bz748833 +?:AD user authentication with GSSAPI only +?:Enumerate and Authenticate user01 over LDAPS +?:Authenticate lkuser01 over KRB5 +?:Lookup valid LDAP Groups +?:Enumerate user belonging to multiple groups +?:Enumerate user belonging to nested groups +?:Enumerate user without UNIX attributes belonging to nested groups and intermediate groups bz748822 +?:Enumerate non existing user +?:Enumerate non existing group +?:Enumerate valid user and group with id less than min id bz692455 +?:Enumerate valid user and group with id more than max id bz692455 +?:Check with ldap access filter +?:Check with ldap access filter and global character +?:Check when ldap sasl mech set to GSSAPI +?:Check login for disabled AD user account +?:Check Active Directory Account Lockout for expired user +?:Check GECOS Fallback to cn +?:Users lacking posix attribute breaks group lookup bz791208 +?:Lookup users and groups with backslash and comma bz683158 +?:Allow SSSD to notify user of denial due to AD account lockout bz1264705 + +# range_retrieval/runtest -> test_identity_client.py +?:ldap provider lookup group with large number of users +?:ad provider search base with filter bz848031 +?:ad provider lookup user belonging to large number of groups +?:ad provider ldap user search base with filter +?:Setting up ldap disable range retrieval to true bz928807 bz916997 +?:setting up ldap disable range retrieval to false bz928807 bz916997 + +# shortnames/shortnames.sh +b:Parent domain get users +b:Parent domain get child users +b:Parent domain get tree users +b:Parent domain get groups +b:Parent domain get child groups +b:Parent domain get tree groups +b:Child domain get parent users +b:Child domain get child users +b:Child domain get tree users +b:Child domain get parent groups +b:Child domain get child groups +b:Child domain get tree groups +b:Tree domain get parent users +b:Tree domain get child users +b:Tree domain get tree users +b:Tree domain get parent groups +b:Tree domain get child groups +b:Tree domain get tree groups + + + +# cifs/smbd_client/smbd_client.sh +?:Check alternatives link +?:Create files on share1 with mount cifs +?:Read files on share1 with mount cifs +?:Update files on share1 with mount cifs +?:Delete files on share1 with mount cifs + +# cifs/smbd_server/smbd_server.sh +?:Check alternatives link +?:Check cifs share1 created files +?:Check cifs share1 updated files +?:check cifs share1 deleted files +?:sssd libwbclient causes crash in wbinfo bz1175705 + +multihost +========= + + +# test_ad_misc.py +?:test_0001_provider_config_cross_interference +?:test_0002_improved_use_negative_sid_for_sid_lookup +?:test_0003_gssapi_ssh +?:test_0004_bz2110091 +?:test_0005_get_sid_by_username + +# test_adparameters_ported.py +?:test_0001_ad_parameters_domain +?:test_0002_ad_parameters_junk_domain +?:test_0003_ad_parameters_junk_domain_invalid_keytab +?:test_0004_ad_parameters_valid_domain_shorthost +?:test_0005_ad_parameters_blank_domain +?:test_0006_ad_parameters_homedir_override_nss +?:test_0007_ad_parameters_homedir_override_domain +?:test_0008_ad_parameters_homedir_override_both +?:test_0009_ad_parameters_ldap_sasl_full +?:test_0010_ad_parameters_ldap_sasl_short +?:test_0011_ad_parameters_server_resolvable +?:test_0012_ad_parameters_server_unresolvable +?:test_0013_ad_parameters_server_srv_record +?:test_0014_ad_parameters_server_blank +?:test_0015_ad_parameters_ad_hostname_machine +?:test_0016_ad_parameters_ad_hostname_valid +?:test_0017_ad_parameters_krb5_keytab_nonexistent +?:test_0018_ad_parameters_krb5_keytab_elsewhere +?:test_0019_ad_parameters_ldap_id_mapping_false +?:test_0020_ad_parameters_ssh_change_password +?:test_0021_ad_parameters_ssh_change_password_logon +?:test_0022_ad_parameters_account_disabled +?:test_0023_ad_parameters_account_expired +?:test_0024_ad_parameters_getgrgid_nested +?:test_0025_ad_parameters_empty_group +?:test_0026_ad_parameters_dns_failover +?:test_0027_ad_parameters_group_membership_empty +?:test_0028_ad_parameters_nested_in_nonposix_group +?:test_0029_ad_parameters_tokengroups_with_ldap +?:test_0030_ad_parameters_tokengroups_searchbase +?:test_0031_ad_parameters_custom_re +?:test_0032_ad_parameters_group_name_attribute +?:test_0033_ad_parameters_group_cleanup_sanitize +?:test_0034_ad_parameters_group_work_intermittently +?:test_0035_ad_parameters_delete_cache +?:test_0036_ad_parameters_renewal_leaks_descriptors +?:test_0037_ad_parameters_extra_attrs_mail +?:test_0038_ad_parameters_authentication_failure_invalid_keytab +?:test_0039_ad_parameters_auth_krb5 +?:test_0040_ad_parameters_newline_ssh_key +?:test_0041_ad_parameters_sss_ssh_knownhostsproxy +?:test_0042_ad_parameters_nonroot_user_sssd +?:test_0043_sssd_not_using_given_krb_port +?:test_0044_ad_parameters_homedir_override_lowercase +?:test_0045_ad_parameters_upn_mismatch_check +?:test_0046_ad_parameters_upn_empty_skip_check +?:test_0047_ad_parameters_filter_group + +# test_adparameters.py +?:test_0001_bz1296618 +?:test_0002_bz1287209 +?:test_0003_bz1421622 +?:test_00015_authselect_cannot_validate_its_own_files +?:test_0005_BZ1527149_BZ1549675 +?:test_0006_bz1592964 +?:test_0007_bz1361597 +?:test_0008_bz1431858 +?:test_0009_bz1565761 +?:test_0010_bz1527662 +?:test_0011_bz1571526 +?:test_0012_bz1738532 +?:test_0013_bz1794016 +?:test_0014_user_filtering +?:test_0016_forceLDAPS +?:test_0017_gssspnego_adjoin + +# test_adschema.py +?:test_0001_ad_schema_idmapping_true_user +?:test_0002_ad_schema_idmapping_true_group +?:test_0003_ad_schema_idmapping_false_user +?:test_0004_ad_schema_idmapping_false_group + +# test_hostkeytabrotation.py +?:test_001_rotation +?:test_002_updatedkeytab +?:test_003_delentry +?:test_004_multiplespn +?:test_005_deletespn + +# test__id_mapping.py +?:test_001_findrid +?:test_002_rangelessthansid +?:test_003_disablerange +?:test_004_rangeequalsid +?:test_005_disablerange +?:test_006_rangevalues +?:test_007_disablerangevalues + +# test_idmap.py +?:test_001_idmap_disable + +# test_memcache_sid.py +?:test_0001_memcache_sid + +# test_samba_data.py +?:test_0001_rotation + +# test_multiforest.py +?:test_0001_multiforest +""" + + +def test_ad__authentication_using_ldap_and_krb_providers(): + """ + :title: Users can login when SSSD is configured to connect to AD using ldap provider to connect + """ + pass diff --git a/src/tests/system/tests/test_ad_servers.py b/src/tests/system/tests/test_ad_servers.py new file mode 100644 index 00000000000..92773079f1b --- /dev/null +++ b/src/tests/system/tests/test_ad_servers.py @@ -0,0 +1,168 @@ +""" +Active Directory Provider Multiple Server Tests + +All SSSD tests pertaining to topologies that contain more than one AD server, tests require +subdomains, nested subdomains, primary and secondary domain controller and multiple forests. + +:requirement: AD: +""" + +from __future__ import annotations + +import pytest + +""" +?:needs review +p:pushed ++:approved +-:drop +b:blocked +-> move + +todo +==== +* multidomain topology - child, tree domain + +bash +==== +# ad_forest/ad_access_filter.sh +?:ad_forest/ad_access_filter.sh:Access provider defaults to ad +?:ad_forest/ad_access_filter.sh:Access provider ad without any other options denies expired users +?:ad_forest/ad_access_filter.sh:An expired user even though he matches the filter is denied access +?:ad_forest/ad_access_filter.sh:Access provider ad without any other options allows non expired users +?:ad_forest/ad_access_filter.sh:Allow users from group of domain0 only +?:ad_forest/ad_access_filter.sh:Allow only single user from domain0 +?:ad_forest/ad_access_filter.sh:Allow users from group of domain0 with different syntax +?:ad_forest/ad_access_filter.sh:Allow only users of a group from domain2 +?:ad_forest/ad_access_filter.sh:sssd be process crashes when ad access filter uses FOREST keyword bz1032982 +?:ad_forest/ad_access_filter.sh:Invalid ad access filter bz1033132 + +# ad_forest/ad_other_dc.sh: +b:Forest DNS service records lookup child domain bz974149 bz1263735 +b:ad_forest/ad_other_dc.sh:kdcinfo files are not created for subdomains of a directly joined AD client +b:ad_forest/ad_other_dc.sh:Forest user lookup when joined to child domain bz1077327 bz1090653 bz1097323 +b:ad_forest/ad_other_dc.sh:Forest DNS service records lookup second tree domain bz974149 +b:ad_forest/ad_other_dc.sh:Forest user lookup when joined to second tree domain bz1077327 bz1090653 bz1097323 +b:ad_forest/ad_other_dc.sh:UPN root join test +b:ad_forest/ad_other_dc.sh:UPN second tree join test +b:ad_forest/ad_other_dc.sh:UPN child join test +b:ad_forest/ad_other_dc.sh:Different OU root join test +b:ad_forest/ad_other_dc.sh:Different OU second tree join test +b:ad_forest/ad_other_dc.sh:Different OU child join test + +# ad_forest/auth.sh +b:ad_forest/auth.sh:Auth users from all domains +b:ad_forest/auth.sh:Change password for all users from all domains bz1078839 +b:ad_forest/auth.sh:Support of enterprise principals bz924403 bz1079783 +b:ad_forest/auth.sh:Cached credentials are not working with enterprise UPN logins bz1002590 +b:ad_forest/auth.sh:Cannot login to the 0st domain when 2 domain is configured in sssd bz966557 +b:ad_forest/auth.sh:Subdomains list is never read if sssd starts offline bz1038636 + +# ad_forest/lookup.sh +b:ad_forest/lookup.sh:Lookup users and groups bz1002591 bz1001318 bz1033096 bz969882 +b:ad_forest/lookup.sh:Group renaming not reflecting correctly +b:ad_forest/lookup.sh:id root user triggers LDAP lookup +b:ad_forest/lookup.sh:User and group memberships from different domains bz1059422 bz1028057 bz1002597 +b:ad_forest/lookup.sh:Enumerate users and groups bz1009613 bz1028039 +b:ad_forest/lookup.sh:Use flatname in the fully qualified format bz969881 +b:ad_forest/lookup.sh:Subdomain do not inherit fallbacks and overrides settings bz1053105 +b:ad_forest/lookup.sh:Individual group search returned multiple results in GC lookups bz1030482 +b:ad_forest/lookup.sh:Detect if posix attributes have been replicated to the global catalog bz1033080 +b:ad_forest/lookup.sh:Not retrieving homedirs of AD users with posix attributes bz1066095 +b:ad_forest/lookup.sh:Inconsistent results for id bz1072994 +b:ad_forest/lookup.sh:Enumeration reads data from ldap while regular lookups connect to gc bz1028038 +b:ad_forest/lookup.sh:sssd nss segfaults if initgroups request is by UPN and does not find anything bz1200092 +b:ad_forest/lookup.sh:Ignore group members does not work for subdomains bz1227862 +b:ad_forest/lookup.sh:Use TCP for kerberos by default +b:ad_forest/lookup.sh:removing subdomain from ad_enabled_domains does not disable old subdomain bz1708322 +b:ad_forest/lookup.sh:sssd can be marked offline if a trusted domain is not reachable bz1301739 + + +# ad_gpo_hbac_multidomain +b:child.sh:child domain gpo is disabled +b:child.sh:child domain gpo is enforcing +b:child.sh:child domain gpo is enforcing with no gpo applied +b:child.sh:child domain gpo is permissive +b:child.sh:child domain testing domain and ou inheritance +b:child.sh:child domain testing gpo mapping +b:child.sh:#child domain testing offline mode +b:child.sh:child domain gpo child fails when log is enabled in smb bz1177139 +b:child.sh:child domain sssd crashes intermittently in GPO code bz1206091 bz1204203 +b:child.sh:child domain invalid/empty values in GptTmpl.inf bz1316163 +b:child.sh:child domain gpos code ignores ad_site option +b:child.sh:child domain changed default behavior from allow any to deny any +b:child.sh:child domain sssd doesn't follow the link order of AD Group Policy Management +b:tree.sh:tree domain gpo is disabled +b:tree.sh:tree domain gpo is enforcing +b:tree.sh:tree domain gpo is enforcing with no gpo applied +b:tree.sh:tree domain gpo is permissive +b:tree.sh:tree domain testing domain and ou inheritance +b:tree.sh:tree domain testing gpo mapping +b:tree.sh:#tree domain testing offline mode +b:tree.sh:tree domain gpo tree fails when log is enabled in smb bz1177139 +b:tree.sh:tree domain sssd crashes intermittently in GPO code bz1206091 bz1204203 +b:tree.sh:tree domain invalid/empty values in GptTmpl.inf bz1316163 +b:tree.sh:tree domain gpos code ignores ad_site option +b:tree.sh:tree domain changed default behavior from allow any to deny any +b:tree.sh:tree domain sssd doesn't follow the link order of AD Group Policy Management +b:tree.sh:tree domain skip GPOs that have groupPolicyContainers unreadable by sssd + + +# ad_forest/multidomain_legacy.sh +b:crash when looking up the Domain Users group on second domain bz1148572 + +# ad_forest/simple_access_control.sh +b:Allowing access for only user0 from domain1 with simple allow users +b:Simple access provider support subdomain users and groups bz991054 +b:Access denied for users from gc domain when using format DOMAIN backward slash username bz1048101 +b:Blocking access of users from another domain and child domain specifically +b:Allowing access to the group from domain0 and domain2 and child domain with single syntax +b:Simple allow groups does not find group from other AD domains bz1125186 +b:With realm permit command groups option does not work bz982618 +b:Permit All Users +b:Deny All Users + +# dns_sites/ad_sites.sh +?:ad site unset and Default First Site Name is default +?:ad site equal to LocalSite but AD has Default First Site Name as default bz1161564 + +# dns_sites/runtest +?:ad enable dns sites option set to false +?:Only default site Default First Site Name exists +?:Empty LocalSite for the client subnet +?:PDC exists in the LocalSite +?:Both Servers are in LocalSite +?:Secondary DC has higher priority SRV Record +?:Only secondary DC is in LocalSite + +# test_multidomain.py +?:test_0000_bz2013297 +?:test_0001_bz2018432 +?:test_0002_bz2167728 +?:test_0003_bz1913284_keytab_as_nonroot + +# test_adsites.py +?:test_001_ad_startup_discovery +?:test_002_ad_startup_discovery_one_server_unreachable +?:test_003_ad_startup_discovery_two_different_sites +?:test_004_ad_startup_discovery_one_server_unreachable +""" + + +@pytest.mark.parametrize("domain", ["child", "tree"]) +def test_ad_forest__trusted_user_can_authenticate_to_parent_domain(domain: str): + """ + :title: User from a child or tree domain can login to the parent domain + TODO: create a new topology and topology_controller to join the client to the trusted domain + """ + pass + + +@pytest.mark.parametrize("domain", ["child", "tree"]) +def test_ad_forest__lookup_trusted_users_when_they_are_members_of_parent_domain_group(domain: str): + """ + :title: Users in a trusted domain are a part of a global or enterprise group are resolved + """ + pass + +# diff --git a/src/tests/system/tests/test_authentication.py b/src/tests/system/tests/test_authentication.py index 4f25228a3d4..8181afbbe27 100644 --- a/src/tests/system/tests/test_authentication.py +++ b/src/tests/system/tests/test_authentication.py @@ -1,5 +1,7 @@ """ -SSSD Authentication Test Cases +SSSD Authentication Tests + +Tests pertaining to the authentication mechanisms and security policies. :requirement: authentication """ @@ -12,6 +14,107 @@ from sssd_test_framework.roles.generic import GenericProvider from sssd_test_framework.topology import KnownTopology, KnownTopologyGroup +""" +?:needs review +p:pushed ++:approved +-:drop +b:blocked +-> move + +intg +==== + +multihost +========= +# test_password_policy.py +?:test_0001_changeuserpass +?:test_0002_newpassnotmatch +?:test_0003_smallnewpass +?:test_0004_wrongcurrentpass + +# test_login_attr.py +?:test_0001_login_by_samaccountname +?:test_0002_login_by_userprincipalname +?:test_0003_login_sssd_domain +?:test_0004_login_sssd_domain_fqn +?:test_0005_login_sssd_domain_uppercase +""" + + +@pytest.mark.sanity +@pytest.mark.parametrize("username", [("user", True), ("user%", False), ("user_", False)]) +def test_authentication__username_characters_combinations_are_valid(username: str): + """ + :title: Checking valid username character combinations + # intg/test_ldap.py - test_regression_ticket2163 + """ + pass + + +def test_authentication__user_is_forced_to_change_expired_password(): + """ + :title: User is prompted and forced to change an expired password + TODO: framework, user objects in some provider roles need to have this feature added + TODO: This test exist in test_ldap.py and are current not generic + """ + pass + + +def test_authentication__user_password_confirmation_does_not_match(): + """ + :title: User is prompted and the password confirmation contains a typo + TODO: This test exist in test_ldap.py and are current not generic + """ + + +def test_authentication__user_enters_wrong_current_password(): + """ + :title: User enters the wrong current password + TODO: This test exist in test_ldap.py and are current not generic + """ + + +def test_authentication__user_is_locked_after_failed_login_attempts(): + """ + :title: User is locked after a number of failed login attempts + TODO: framework, adding a password policy feature to set the number of attempts before lockout + """ + pass + + +def test_authentication__user_changed_password_meets_complexity_requirements(): + """ + :title: User password change works when a complexity password policy is present + TODO: framework, ability to enable password policy complexity + TODO: suggestion, provider.policy(complex=True | None = False) + """ + pass + + +def test_authentication__user_can_login_using_ssh_keys_stored_in_the_directory(): + """ + :title: User can authenticate with no password using the public key attribute + TODO: framework, some providers do not have the ability to add the public key to the user (easy) + """ + pass + + +def test_authentication__with_a_different_auth_provider(): + """ + :title: Authenticate the user using a different provider + TODO: suggestion, create sssd.common.config with id using local users and krb for auth + """ + pass + + +def test_authentication__multiple_sssd_domains_are_configured(): + """ + :title: Authenticate user(s) when more than one SSSD domain is configured + TODO: create sssd.common.config with two domains, ldap.test and samba.test? + """ + pass + @pytest.mark.topology(KnownTopologyGroup.AnyProvider) @pytest.mark.parametrize("method", ["su", "ssh"]) diff --git a/src/tests/system/tests/test_autofs.py b/src/tests/system/tests/test_autofs.py index 7ce11874c7f..fef9584ebcc 100644 --- a/src/tests/system/tests/test_autofs.py +++ b/src/tests/system/tests/test_autofs.py @@ -13,6 +13,74 @@ from sssd_test_framework.topology import KnownTopologyGroup +""" +?:needs review +p:pushed ++:approved +-:drop +b:blocked +-> move + +discussions +=========== +?:expand these tests to create files, directories and assert ownership +?:extend samba and ad role and create cifs share + +intg +==== + +multihost +========= +# test_automount.py +?:test_001_searchbasedn +?:test_002_offline +?:test_003_setbasedn +?:test_004_autofsnone +?:test_two_automount_maps +?:test_005_autofsnotset +?:test_006_updatedmaps +?:test_007_1206221 +?:test_008_wildcardsearch +?:test_009_maps_after_coming_online +?:test_010_delay_in_unknown_mnt_pt_lookup_error + +# test_automount_from_bash.py +?:test_autofs_search +?:test_ldap_search_base +?:test_ldap_autofs_search_base +?:test_autofs_provider_none +?:test_autofs_id_provider +?:test_autofs_provider_ldap +?:test_available_automount_maps +?:test_autofs_shares +?:test_autofs_timeout +?:test_key_location +?:test_change_key_map +?:test_bz870045 +?:test_bz876531_bz894428 +?:test_bz811987 +?:test_autofs_dumpmaps +?:test_autofs_segfaults + +# test_automount.py +?:test_001_searchbasedn +?:test_002_offline +?:test_003_setbasedn +?:test_004_autofsnone +?:test_005_autofsnotset +?:test_006_updatedmaps + +# test_cifs.py +?:test_0001_wbinfo +?:test_0002_smb1mount +?:test_0003_smb3mount +?:test_0004_writeable +?:test_0005_aclcheck +?:test_0006_readfromclient +?:test_0007_readfromserver +""" + + @pytest.mark.importance("critical") @pytest.mark.ticket(gh=6739) @pytest.mark.parametrize("cache_first", [False, True]) diff --git a/src/tests/system/tests/test_cache.py b/src/tests/system/tests/test_cache.py index 7aa2e2bde39..8b82f4cb22b 100644 --- a/src/tests/system/tests/test_cache.py +++ b/src/tests/system/tests/test_cache.py @@ -22,6 +22,65 @@ from sssd_test_framework.topology import KnownTopology +""" +?:needs review +p:pushed ++:approved +-:drop +b:blocked +-> move + +bash +==== +# cache_auth_timeout +?:Verify the CachedAuth default behaviour +?:Set CachedAuth longer than pam id timeout and verify the behaviour +?:Verify cached authentication after successful online auth +?:Verify online authentication after the expiry of CachedAuth timeout +?:Verify local password change for CachedAuth timeout +?:Verify user password change on server within CachedAuth timeout limits +?:Verify cached authentication behaviour with wrong password +?:Verify password guessing attack against online OR cache authentication +?:Verify offline authentication behaviour for CachedAuth timeout +?:Verify offline failed login attempts and offline failed login delay + +intg +==== +?:test_group_2307bis_update_same_modstamp +?:test_group_2307bis_update_same_attrs +?:test_group_2307bis_update_diff_attrs +?:test_group_2307bis_delete_group +?:test_group_2307_update_same_modstamp +?:test_group_2307_update_same_attrs +?:test_group_2307_update_diff_attrs +?:test_group_2307_delete_group +?:test_user_update_same_modstamp +?:test_user_update_same_attrs +?:test_user_update_diff_attrs +?:test_user_2307bis_delete_user +?:test_sss_cache_invalidate_user +?:test_sss_cache_invalidate_group + +multihost +========= +**test_cache_testing.py** +?:test_0001_Verify_Timestamp_Cache_Exists +?:test_0002_Verify_Cache_on_User_Lookup +?:test_0003_Expire_User_Entries_and_Verify_Updates +?:test_0004_Refresh_User_Entries_After_Expiry +?:test_0005_Expire_User_Entries_ans_Run_User_Auth +?:test_0006_Set_refresh_expired_interval_to_40 +?:test_0007_Set_use_fully_qualified_names_to_true +?:test_0008_Set_case_sensitive_to_false +?:test_0009_Verify_ldb_cache_updates_on_group_lookup +?:test_0010_Expire_group_record_in_cache +?:test_0011_Refresh_group_record_after_expiry +?:test_0012_Set_refresh_expired_interval_to_40 +?:test_0013_Modify_User_Attribute +?:test_0014_Delete_an_existing_user +""" + + @pytest.mark.integration @pytest.mark.importance("low") @pytest.mark.topology(KnownTopology.LDAP) diff --git a/src/tests/system/tests/test_dns.py b/src/tests/system/tests/test_dns.py new file mode 100644 index 00000000000..b2a18e06c0f --- /dev/null +++ b/src/tests/system/tests/test_dns.py @@ -0,0 +1,299 @@ +""" +SSSD Dynamic DNS Tests. + +Tests pertaining to dynamic DNS. + +:requirement: dynamic dns +""" + +""" +TODO: + +SSSDTestFramework + ad, samba, ipa host - backup dns server + ad, samba, ipa host - restore dns server + client role - backup ethernet interfaces ? + client role restore ethernet interfaces ? + + +# class to manage, create interfaces +NIC(BaseObject[BaseHost, role]) + self.name: str + self.ip: list[str] + self.gw: str + self.netmask: str + self.nameservers: list[str] + + + client.nic.create + client.nic.delete + client.nic.get() -> list[str] + client.nic.modify + + +# class to manage AD/Samba/IPA DNS servers +DNS(BaseObject[ADHost, AD]) + __init__(self, role, name) + self.name: str + if x.x.x.x append in-addr.arpa to name + + + role.ad.dns.create(self) # create zone -> None + role.ad.dns.delete(self) # delete zone -> None + role.ad.dns.add(record: dict[type: str, name: str]) - None + role.ad.dns.remove(record: list[str]) -> None + role.ad.dns.get(record: str) -> tuple(bool, bool) # A, AAAA + role.ad.dns.check(record: str) -> bool # for assertions + role.ad.dns.print(zone: str) -> SSHProcess + role.ad.dns.forwarders(disable: bool | None = False, nameservers: list[str] | None) + +# in our existing tests we had to disable forwarders in AD otherwise the internal rh corp ptr record would resolve + role.ad.dns.zone(name: str | None = domain, secure_updates: bool | None = True) + +""" + + +def test_dns__dynamic_updates_using_default_configuration(): + """ + :title: Dynamic DNS updates A/AAAA/PTR records on all interfaces + :description: By default, SSSD will create and update its A/AAAA/PTR records of the joined domain + :setup: + 1. Create PTR zone + 2. Start SSSD + :steps: + 1. Check forward zone for client’s A record + 2. Check forward zone for client’s AAAA record + 3. Check reverse zone for client’s pointer record + :expectedresults: + 1. Client A record exists in the zone file + 2. Client AAAA record exists in the zone file + 3. Client PTR record exists + :customerscenario: True + """ + + +def test_dns__dynamic_update_creates_forward_ipv4_records(): + """ + :title: Dynamic DNS updates IPV4 address only + :description: SSSD should create records for network addresses that are on the client + :setup: + 1. Remove IPV6 address from ethernet interface + 2. Create PTR zone for default network + 3. Start SSSD + :steps: + 1. Check forward zone for client’s A record + :expectedresults: + 1. Client A record exists and is the only client record in the zone file + :customerscenario: True + """ + + +def test_dns__dynamic_updates_all_forward_records(): + """ + :title: Dynamic DNS updates AAAA records on all interfaces + :description: SSSD should update all records if the IP changes + :setup: + 1. Create PTR zone + 2. A/AAAA/PTR records that DO NOT match the client’s IP Address + 3. Start SSSD + :steps: + 1. Check forward zone for client’s A record + 2. Check forward zone for client’s AAAA record + 3. Check reverse zone for client’s pointer record + :expectedresults: + 1. Client A record exists in the zone file + 2. Client AAAA record exists in the zone file + 3. Client PTR record exists and points to the latest IP + :customerscenario: True + """ + + +def test_dns__dynamic_update_is_disabled(): + """ + :title: Dynamic DNS is disabled + :description: SSSD will not create any records on the DNS server + :setup: + 1. Create PTR zone + 2. Set dyndns_update_ptr = false and dyndns_update = false in sssd.conf + 3. Start SSSD + :steps: + 1. Check forward zone for client’s A record + 2. Check reverse zone for client’s PTR record + :expectedresults: + 1. Client A record does not exist + 2. Client PTR record does not exist + :customerscenario: True + """ + + +def test_dns__dynamic_update_updates_ttl_settings_when_configured(): + """ + :title: Dynamic DNS will set the configured TTL value with the forward records + :description: SSSD can update the DNS records with a custom Time-To-Live value + :setup: + 1. Create PTR zone + 2. Set dyndns_ttl = 9200 + 3. Start SSSD + :steps: + 1. Check forward zone for client’s forward record + :expectedresults: + 1. Client forward exists with the TTL set to 9200 + :customerscenario: true + """ + + +def test_dns__dynamic_updates_multiple_interfaces(): + """ + :title: Dynamic DNS supports multiple interfaces + :description: SSSD will update all available interfaces + :setup: + 1. Create PTR zone + 2. Create bogus network interface on client + 3. Create PTR zone for bogus network matching bogus client interface + 4. Start SSSD + :steps: + 1. Check forward zone for client’s forward record + 2. Check reverse zone for client’s pointer record + 3. Check reverse zone for client’s bogus interface pointer record + :expectedresults: + 1. Client forward exists + 2. Client pointer record exist in zone file + 3. Client bogus pointer record exists in bogus network zone file + :customerscenario: true + """ + + +def test_dns__dynamic_updates_specific_interface(): + """ + :title: Dynamic DNS update specific interface + :description: SSSD will update the DNS with the configured interface + :setup: + 1. Create PTR zone + 2. Create bogus network interface on client + 3. Create PTR zone for bogus network matching bogus client interface + 4. Configure sssd with ‘dyndns_iface = bogus interface’ + 5. Start SSSD + :steps: + 1. Check forward zone for client’s forward record + 2. Check reverse zone for client’s pointer record + 3. Check reverse zone for client’s bogus interface pointer record + :expectedresults: + 1. Client forward exists + 2. Client pointer record does not exist in primary network zone file + 3. Client bogus pointer record exists in bogus network zone file + :customerscenario: true +""" + + +def test_dns__dynamic_updates_at_configured_interval(): + """ + :title: Dynamic DNS updates at configured interval + :description: SSSD will update the DNS server at the configured timed interval + :setup: + 1. Create PTR zone + 2. Configure sssd with ‘dyndns_refresh_interval = X’ + 3. Start SSSD + :steps: + 1. Check forward zone for client’s forward record + 2. Delete A record + 3. Check forward zone for client’s A record + 4. Wait X seconds and check for client’s A record + :expectedresults: + 1. Client A record exists + 2. A record is deleted + 3. Client A record does not exist + 4. Client’s A record exists + :customerscenario: true + """ + + +def test_dns__dynamic_updates_works_over_tcp_only(): + """ + :title: Dynamic DNS updates works with TCP only + :description: SSSD will update the DNS server using TCP only, instead requiring UDP as well + :setup: + 1. Create PTR zone + 2. Configure SSSD with ldap_purge_cache_timeout = 0, krb5_auth_timeout = 12, dyndns_force_tcp = true + 3. Block all UDP traffic from client + 4. Start SSSD + :steps: + 1. Check forward zone for client’s forward record + 2. Check reverse zone for client’s pointer record + :expectedresults: + 1. Client A record exists + 2. Client PTR record exists + :customerscenario: true + """ + + +def test_dns__dynamic_updates_works_using_insecure_nsupdate(): + """ + :title: Dynamic DNS updates using nsupdate instead of gss-tsig + :description: SSSD can update DNS using insecure nsupdate + :setup: + 1. Create PTR zone + 2. Disable secure updates for forward and reverse zones + 3. Configure sssd with dyndns_auth = None + 4. Start SSSD + :steps: + 1. Check forward zone for client’s forward record + 2. Check reverse zone for client’s pointer record + :expectedresults: + 1. Client A record exists + 2. Client PTR record exists + :customerscenario: true + """ + + +def test_dns__dynamic_secure_updates_works_using_tsig(): + """ + :title: Dynamic DNS updates using gss-tsig only + :description: SSSD can update DNS using tsig + :setup: + 1. Create PTR zone + 2. Disable secure updates for forward and reverse zones + 3. Configure sssd zone allowing tsig updates only + 4. Start SSSD + :steps: + 1. Check forward zone for client’s forward record + 2. Check reverse zone for client’s pointer record + :expectedresults: + 1. Client A record exists + 2. Client PTR record exists + :customerscenario: true + """ + + +def test_dns__dynamic_insecure_updates_do_not_work_using_tsig(): + """ + :title: Insecure dynamic DNS updates do not work using gss-tsig + :description: SSSD cannot update DNS using nsupdate when the server only expects tsig + :setup: + 1. Create PTR zone + 2. Disable secure updates for forward and reverse zones + 3. Configure sssd zone allowing tsig updates only + 4. Start SSSD + :steps: + 1. Check forward zone for client’s forward record + 2. Check reverse zone for client’s pointer record + :expectedresults: + 1. Client records do not exist + 2. Client records do not exist + :customerscenario: true + """ + + +def test_dns__dynamic_updates_an_external_dns_server_with_a_non_integrated_zone_file(): + """ + :TODO: Not supported ATM + :title: Dynamic DNS updates an external DNS server + :description: SSSD updates a third-party DNS server with a non-integrated zone file + + A lot of customers use a third-party DNS like infoblox. I’m not that familiar with the product to determine, + if we setup a test to update bind/dnsmasq or even IPA, just not the realm DNS server + + :setup: + :steps: + :expectedresults: + :customerscenario: true + """ \ No newline at end of file diff --git a/src/tests/system/tests/test_failover.py b/src/tests/system/tests/test_failover.py index 49f1720db63..de1339235dc 100644 --- a/src/tests/system/tests/test_failover.py +++ b/src/tests/system/tests/test_failover.py @@ -14,6 +14,88 @@ from sssd_test_framework.roles.ldap import LDAP from sssd_test_framework.roles.samba import Samba from sssd_test_framework.topology import KnownTopologyGroup +""" +?:needs review +p:pushed ++:approved +-:drop +b:blocked +-> move + +bash +==== +# failover +?:Infinite loop checking kerberos credentials bz795562 +?:sssd does not try another server when unable to resolve hostname bz845251 +?:Failover does not happen from SRV to etc hosts bz1122873 +?:sssd does not handle kerberos server IP change bz721052 +?:sssd is not closing sockets properly bz1313014 +?:krb5 kpasswd Server1 down Server2 online +?:krb5 kpasswd failover with single server different ports +?:krb5 server Server1 down online after 96s +?:krb5 server failover with single server different ports +?:ldap chpass uri Server1 down Server2 online +?:ldap chpass uri failover with single server different ports +?:ldap chpass uri First Server in the list cannot be resolved +?:ldap connection expire timeout Single Domain +?:ldap connection expire timeout MultiDomain +?:Test Authentication Both Servers Available +?:failover when a ldapserver is reachable but ldapsearch times out +?:Test Authentication Server 1 Unavailable +?:Test Authentication Server 2 Unavailable +?:Test Authentication Server 1 Unavailable Again +?:Test Authentication Both Servers available Again +?:iptables drop connection for server 1 +?:iptables reject connection for server 1 +?:ldap uri failover with single server different ports +?:multiple srv records with same weight and priority bz1110247 +?:Read and use the TTL value when resolving a SRV query +?:krb5 backup kpasswd Server1 down Server2 online +?:krb5 backup kpasswd failover with single server different ports +?:krb5provider One primary server down online after 30s +?:krb5provider IP Address in backup server +?:krb5provider Service lookup in primary +?:krb5provider Service lookup in backup server list +?:krb5provider Primary and Backup list empty +?:krb5provider Primary list is empty should default to Service lookup +?:krb5provider Multiple Primary servers +?:krb5provider Multiple Backup servers +?:krb5provider Primary list has multiple servers and a service entry +?:krb5provider Primary list has multiple servers and a service entry in between +?:krb5provider Backup list has multiple servers and a service entry at the start +?:krb5provider Backup list has multiple krb5 servers and a service entry in between +?:krb5provider Backup list has multiple krb5 servers and a service entry at the end +?:krb5provider Primary list has a typo and ends with service lookup +?:krb5provider Primary and Backup list has a typo and ends with appropriate uri bz921259 +?:ldap chpass backup uri Server1 down Server2 online +?:ldap chpass backup uri failover with single server different ports +?:ldap chpass backup uri First Server in the list cannot be resolved +?:ldaprovider One primary server down online after 31s +?:ldaprovider IP Address in backup server +?:ldaprovider Service lookup in primary +?:ldaprovider Service lookup in backup server list +?:ldaprovider Primary and Backup list empty +?:ldaprovider Primary list is empty should default to Service lookup +?:ldaprovider Multiple Primary servers +?:ldaprovider Multiple Backup servers +?:ldaprovider Primary list has multiple ldap uris and a service entry +?:ldaprovider Primary list has multiple ldap uri and a service entry in between +?:ldaprovider Backup list has multiple ldap uri and a service entry at the start +?:ldaprovider Backup list has multiple ldap uri and a service entry in between +?:ldaprovider Backup list has multiple ldap uri and a service entry at the end +?:ldaprovider Primary list has a typo and ends with service lookup bz921259 +?:ldaprovider Primary and Backup list has a typo and ends with appropriate uri bz921259 + +intg +==== + +multihost +========= +# test_failover.py +?:test_0001_getent +?:test_0002_login +?:test_0003_stopsecondds +""" @pytest.mark.parametrize("value, expected", [(None, 31), (15, 31), (60, 60)]) diff --git a/src/tests/system/tests/test_files.py b/src/tests/system/tests/test_files.py index 77ca0d15f90..31ad8809d1d 100644 --- a/src/tests/system/tests/test_files.py +++ b/src/tests/system/tests/test_files.py @@ -16,6 +16,69 @@ from sssd_test_framework.topology import KnownTopology +""" +?:needs review +p:pushed ++:approved +-:drop +b:blocked +-> move + +notes +===== +* I think we should drop most of these tests except the ones that checks the data that is extracted from /etc/passwd, homedir, gecos +* Dropping the modifying value entry tests, cache tests, override tests + +intg +==== ++:test_getpwnam_after_start ++:test_getpwuid_after_start +p:test_user_overriden::test_sss_overrides__overriding_username_and_posix_attributes +p:test_group_overriden::test_sss_overrides__overriding_group_name_and_gid +-:test_getpwnam_neg::asserts non-existent user +-:test_getpwuid_neg::asserts non-existent group +p:test_root_does_not_resolve::test_files__root_user_is_ignored_on_lookups ++:test_uid_zero_does_not_resolve::extend test_files__root_user_is_ignored_on_lookups +-:test_add_remove_add_file_user::asserts the sss ldb cache changes when modified ++:test_mod_user_shell::test_authentication.py,default_shell ++:test_user_no_shell ++:test_user_no_dir ++:test_user_no_gecos ++:test_user_no_passwd +-:test_incomplete_user_fail::asserts user with no password field +-:test_getgrnam_after_start +-:test_getgrgid_after_start +-:test_getgrnam_neg +-:test_getgrgid_neg ++:test_root_group_does_not_resolve::test_files.py ++:test_gid_zero_does_not_resolve::test_files.py +-:test_add_remove_add_file_group +-:test_mod_group_name +-:test_mod_group_gid ++:test_getgrnam_no_members +p:test_getgrnam_members_users_first +p:test_getgrnam_members_users_multiple +p:test_getgrnam_members_groups_first +-:test_getgrnam_ghost +-:test_getgrnam_user_ghost_and_member +-:test_getgrnam_user_member_and_ghost ++:test_getgrnam_add_remove_members +-:test_getgrnam_add_remove_ghosts +?:test_realloc_users_exact +?:test_realloc_users +?:test_realloc_groups_exact +?:test_realloc_groups +?:test_proxy_to_files_domain_only ++:test_disable_files_domain::test_files.py +-:test_multiple_passwd_group_files::not important +-:test_multiple_files_created_after_startup:: not important +-:test_files_with_domain_resolution_order +-:test_files_with_default_domain_suffix +-:test_files_with_override_homedir::test_sss_override.py +-:test_files_with_override_shell::test_sss_override.py +""" + + @pytest.mark.importance("low") @pytest.mark.builtwith("files-provider") @pytest.mark.topology(KnownTopology.Client) diff --git a/src/tests/system/tests/test_gpo.py b/src/tests/system/tests/test_gpo.py index 619a04d2f3f..9b7a8f1e32b 100644 --- a/src/tests/system/tests/test_gpo.py +++ b/src/tests/system/tests/test_gpo.py @@ -40,6 +40,26 @@ from sssd_test_framework.topology import KnownTopology, KnownTopologyGroup +""" +# ad_gpo_hbac/root.sh +p:parent domain gpo is disabled +p:parent domain gpo is enforcing +p:parent domain gpo is enforcing with no gpo applied +p:parent domain gpo is permissive +p:parent domain testing domain and ou inheritance +p:parent domain testing gpo mapping +p:#parent domain testing offline mode +p:parent domain gpo child fails when log is enabled in smb bz1177140 +p:parent domain sssd crashes intermittently in GPO code bz1206092 bz1204203 +p:parent domain invalid/empty values in GptTmpl.inf bz1316164 +p:parent domain gpos code ignores ad_site option +p:parent domain changed default behavior from allow any to deny any +p:parent domain sssd doesn't follow the link order of AD Group Policy Management +p:parent domain Don't ignore host entries in Group Policy security filters +p:parent domain skip GPOs that have groupPolicyContainers unreadable by sssd +""" + + @pytest.mark.importance("critical") @pytest.mark.parametrize("method", ["su", "ssh"]) @pytest.mark.topology(KnownTopologyGroup.AnyAD) diff --git a/src/tests/system/tests/test_hosts.py b/src/tests/system/tests/test_hosts.py new file mode 100644 index 00000000000..e69de29bb2d diff --git a/src/tests/system/tests/test_identity.py b/src/tests/system/tests/test_identity.py index e92d10c016c..b6928039ea0 100644 --- a/src/tests/system/tests/test_identity.py +++ b/src/tests/system/tests/test_identity.py @@ -1,7 +1,8 @@ """ Identity Tests -These tests cover all the searches, queries, and lookups performed by SSSD. +These tests cover all the kinds of searches and handling of the differences of the object and the directory. Similar +tests that covers client configuration changes are in test_identity_client.py. :requirement: Identity """ @@ -16,6 +17,116 @@ from sssd_test_framework.topology import KnownTopology, KnownTopologyGroup +""" +?:needs review +p:pushed ++:approved +-:drop +b:blocked +-> move + +notes +===== +* cover rfc2307 with the generic provider and clone the test into test_ldap.py and have it cover rfc2307bis only + +bash +==== +# case_sensitive +?:lookup user group and netgroup -> test_netgroup.py +?:rfc2307bis lookup user group and netgroup -> test_ldap.py +Set simple deny groups to user cs1 grp1 -> test_access_control.py +Set simple deny groups to USER CS2 GRP1 -> test_access_control.py +set simple allow groups to user cs1 grp1 bz950874 -> test_access_control.py +Set simple allow groups to USER CS2 GRP1 -> test_access_control.py +Set simple deny users to user cs1 -> test_access_control.py +Set simple deny users to USER CS2 -> test_access_control.py +Set simple allow users to user cs1 -> test_access_control.py +Set simple allow users to USER CS2 -> test_access_control.py +?:Lookup user with different cases and aliases +?:Lookup group with different cases and aliases +Netgroup lookup with different cases and aliases -> test_netgroup.py +?:Service lookup with different cases and aliases +?:id lookup user with different cases and aliases +?:Enumerate users and groups +Simple access control provider group acl with different cases -> test_access_control.py +Simple access control provider user acl with different cases -> test_access_control.py + +?:Proxy backend lookup users and group, do we need simple access coverage for the proxy provider? +?:Proxy backend and Simple access control provider user acl, do we need simple access coverage for the proxy provider? +?:Proxy backend and Simple access control provider group acl, do we need simple access coverage for the proxy provider? + +Set case sensitive to true lookup user group and netgroup bz1368496 -> test_netgroup.py +rfc2307bis Set case sensitive to true lookup user group and netgroup -> test_ldap.py +Set case sensitive to true simple deny groups to User CS1 grp1 -> test_access_control.py +Set case sensitive to true simple allow groups to User CS2 grp1 -> test_access_control.py +case sensitive to true simple deny groups to user cs1 grp1 -> test_access_control.py +case sensitive to true simple allow groups to user cs2 grp1 -> test_access_control.py +case sensitive to true simple deny users to User uppercase CS1 -> test_access_control.py +case sensitive to true simple allow users to User uppercase CS2 -> test_access_control.py +case sensitive to true simple deny users to user lowercase cs1 -> test_access_control.py +case sensitive to true simple allow users to user lowercase cs2 - test_access_control.py + +# ignore_group_members +?:Test group member list +?:Test user membership list +?:Test cache consistency +?:Test performance + + +intg +==== +# test_enumeration.py +-:test_sanity_rfc2307 +-:test_sanity_rfc2307_bis +-:test_add_remove_user +-:test_add_remove_group_rfc2307 +-:test_add_remove_group_rfc2307_bis +-:test_add_remove_membership_rfc2307 +-:test_add_remove_membership_rfc2307_bis +test_override_homedir -> test_authentication.py +test_fallback_homedir -> test_authentication.py +test_override_shell -> test_authentication.py +test_shell_fallback -> test_authentication.py +test_default_shell -> test_authentication.py +test_vetoed_shells -> test_authentication.py +?:test_ldap_auto_private_groups_enumerate + + +multihost +========= +# test_autoprivategroup.py +?:test_0001_bz1695577 +?:test_0002_bz1695577 + +# test_rfc2307.py +?:test_0001_bz1362023 + +# test_hosts.py +?:test_001_ldap_iphost_search_base +?:test_002_ldap_iphost_object_class +?:test_003_ldap_iphost_name +?:test_004_ldap_iphost_number +?:test_005_ldap_ipnetwork_search_base +?:test_006_ldap_ipnetwork_object_class +?:test_007_ldap_ipnetwork_name +?:test_008_ldap_ipnetwork_number +?:test_009_ipnetwork_iphost +?:test_more_than_one_cn + +# test_misc.py +?:test_0001_ldapcachepurgetimeout +?:test_0003_sssd_crashes_after_update +?:test_0004_sssd_api_conf +?:test_0005_getent_homedirectory +?:test_0006_getent_group +?:test_0007_getent_admproxy +?:test_0008_1636002 +?:test_0009_dbus_method_find_usrby_attr +?:test_bz822236 +?:test_0017_filesldap +""" + + @pytest.mark.importance("critical") @pytest.mark.topology(KnownTopologyGroup.AnyProvider) @pytest.mark.parametrize("sssd_service_user", ("root", "sssd")) diff --git a/src/tests/system/tests/test_identity_client.py b/src/tests/system/tests/test_identity_client.py new file mode 100644 index 00000000000..c059e2b6910 --- /dev/null +++ b/src/tests/system/tests/test_identity_client.py @@ -0,0 +1,67 @@ +""" + +Tests pertaining to the client configuration rather than the setup of the provider or contents, like object classes, +attributes, or the DIT structure. + +:requirement: identity +""" + +import pytest + +""" +?:needs review +p:pushed ++:approved +-:drop +b:blocked +-> move + +bash +==== +# multiple_namingcontext ++:ldap search base is not specified ++:ldap search base and ldap user search base is specified ++:ldap search base is specified ++:ldap search base is not specified and ldap user search base is specified bz784870 + +?:Enumerate user belonging to multiple groups +?:Enumerate user belonging to nested groups +?:Enumerate user without UNIX attributes belonging to nested groups and intermediate groups bz748822 +?:Enumerate non existing user +?:Enumerate non existing group +?:Enumerate valid user and group with id less than min id bz692455 +?:Enumerate valid user and group with id more than max id bz692455 +Identity Client Configuration Tests + +multihost +========= +# test_range_retrieval.py +?:test_0001_grouplookup_large_members +?:test_0002_ad_provider_search_base_with_filter +?:test_0003_ad_provider_userlookup_large_numberof_groups +?:test_0004_ad_provider_ldap_user_searchbase_with_filter +?:test_0005_setting_up_ldap_disable_range_retrieval_to_true +?:test_0006_setting_up_ldap_disable_range_retrieval_to_false +""" + + +@pytest.mark.parametrize("ldap_searchbase", [None, "basedn", "userdn", "both"]) +def test_identity_client__ldap_search_base(ldap_searchbase: str): + """ + :title: Configure the client with explicitly defining ldap_search_base and ldap_user_searchbase + """ + pass + + +def test_identity__lookup_username_with_enumeration_enabled(): + """ + :title: Resolve user by name with enumeration is enabled + """ + + +def test_identity__lookup_group_with_enumeration_enabled(): + """ + :title: Resolve group by name with enumeration is enabled + """ + + diff --git a/src/tests/system/tests/test_identity_mapping.py b/src/tests/system/tests/test_identity_mapping.py new file mode 100644 index 00000000000..61d37c04ac3 --- /dev/null +++ b/src/tests/system/tests/test_identity_mapping.py @@ -0,0 +1,32 @@ +""" +SSSD Identity Mapping (idmap) Tests. + +:requirement: idmapping +""" + +""" +?:needs review +p:pushed ++:approved +-:drop +b:blocked +-> move + +bash +=== +# idmap/idmap.sh +?:ldap provider +?:#with ldap provider idmapping is disabled +?:ldap idmap range size option has value more than the maximum minus minimum +?:ldap idmap range min option is negative bz1077695 +?:ldap idmap range max or ldap idmap range min is a very large +?:All values are negative +?:ldap idmap range min is zero +?:ldap idmap range max is less than ldap idmap range min +?:ldap idmap default domain sid option is set to junk value +?:ldap idmap default domain sid value does not match AD domain sid +?:ldap idmap default domain sid option matches the AD domain sid correctly +?:ldap idmap autorid compat is set to true and ldap idmap default domain sid is not mentioned +?:ldap idmap autorid compat is set True and ldap idmap default domain sid is not matching the AD domain SID +?:Silence DEBUG messages when dealing with built in SIDs bz874616 +""" \ No newline at end of file diff --git a/src/tests/system/tests/test_ipa.py b/src/tests/system/tests/test_ipa.py index 068bda282c3..330a4a65843 100644 --- a/src/tests/system/tests/test_ipa.py +++ b/src/tests/system/tests/test_ipa.py @@ -17,6 +17,76 @@ from sssd_test_framework.topology import KnownTopology +""" +?:needs review +p:pushed ++:approved +-:drop +b:blocked +-> move + +intg +==== +# test_ssh_pubkey.py +?:test_ssh_pubkey_retrieve +?:test_ssh_pubkey_retrieve_cert +?:test_ssh_sighup + +multihost +========= +# test_adhbac.py +?:def test_allowed_ad_group +?:def test_disallowed_ad_group +?:def test_multiple_ad_groups +?:def test_hbac_nested_group + +# test_adtrust.py +?:def test_basic_sssctl_list +?:def test_pam_sss_gss_handle_large_krb_ticket +?:def test_adusrname_beginning_with_at_rate_sign +?:def test_adgrpwith_at_ratesign +?:def test_ipaserver_sss_cache_user +?:def test_enforce_gid +?:def test_honour_idoverride +?:def test_ipa_missing_secondary_ipa_posix_groups +?:def test_nss_get_by_name_with_private_group +?:def test_idview_override_group_fails +?:def test_ad_user_ssh_ipa_client +?:def test_skip_members_in_view_search +?:def test_search_filter_for_override_usrgrp +?:def test_ldap_user_extra_attrs +?:def test_s2n_get_request + +# test_hbac.py +?:def test_sssctl_sshd +?:def test_hbac_changes +?:def test_hbac_refresh_time +?:def test_multiple_hbac_rules +?:def test_nested_groups +?:def test_auto_private_group + +# test_misc.py +?:def test_blank_kinit +?:def test_2f_auth_prompt +?:def test_sssdconfig_remove_domains +?:def test_filter_groups +?:def test_asymmetric_auth_for_nsupdate +?:def test_authentication_indicators +?:def test_pass_krb5cname_to_pam +?:def test_ssh_hash_knownhosts +?:def test_ssh_expiration_warning +?:def test_ssh_expired_warning +?:def test_anonymous_pkinit_for_fast +?:def test_anonymous_pkinit_for_fast_false +?:def test_pam_misc_conv_bufsize + +# test_subid_ranges.py +?:def test_podmanmap_feature +?:def test_subid_feature +?:def test_list_subid_ranges +""" + + @pytest.fixture(scope="module") def public_keys(moduledatadir: str) -> list[str]: """ diff --git a/src/tests/system/tests/test_kerberos.py b/src/tests/system/tests/test_kerberos.py new file mode 100644 index 00000000000..fcaeb2e8cae --- /dev/null +++ b/src/tests/system/tests/test_kerberos.py @@ -0,0 +1,65 @@ +""" +SSSD Kerberos Provider Tests + +These tests cover everything specific to Kerberos provider such as authentication, +principals and access control. The Kerberos Cache Manager (KCM) has a dedicated file, +test_kcm.py. + +:requirement: krb +""" + +""" +?:needs review +p:pushed ++:approved +-:drop +b:blocked +-> move + +intg +==== + +multihost +========= +# test_krb5.py +?:test_0001_krb5_not_working_based_on_k5login +?:test_0002_generating_lot_of + +# test_krb_access_provider.py +?:test_0001_k5login_empty +?:test_0002_k5login_user3 +?:test_0003_k5login_user3_with_user4 +?:test_0004_k5login_user4_with_deleted_user3 + +# test_krb_fast_principal.py +?:test_0001_valid_principal +?:test_0002_invalid_principal +?:test_0003_principal_at_?:test_test +?:test_0004_null_principal +?:test_0005_valid_principal_and_krb5_validate_true +?:test_0006_invalid_principal_and_krb5_validate_true +?:test_0007_principal_at_?:test_?:test_and_krb5_validate_true +?:test_0008_null_principal_and_krb5_validate_true + +# test_krb_fips.py +?:test_krb_ptr_hash_crash_1792331 +?:test_fips_login +?:test_kcm_not_store_tgt +?:test_child_logs_after_receiving_hup +?:test_sssd_not_check_gss_spengo +?:test_fips_as_req +?:test_fips_as_rep +?:test_login_fips_weak_crypto +?:test_ldap_gssapi +?:test_tgs_nonfips + +# test_krb_ldap_connection.py +?:test_0001_timeoutdefault +?:test_0002_timeout100 +?:test_0003_timeouttimeoutoutofrange +?:test_0004_timeoutminus100 +?:test_0005_timeout0 + +# test_krb_ldap_connection_gssapi.py +?:test_timeoutkrb +""" \ No newline at end of file diff --git a/src/tests/system/tests/test_ldap.py b/src/tests/system/tests/test_ldap.py index 251663e5f65..1bed3eb99e8 100644 --- a/src/tests/system/tests/test_ldap.py +++ b/src/tests/system/tests/test_ldap.py @@ -14,6 +14,208 @@ from sssd_test_framework.topology import KnownTopology +""" +?:needs review +p:pushed ++:approved +-:drop +b:blocked +-> move +->> duplicate test, test_ldap.py::rfc2307bis, test_**::generic + +notes +===== +* generic provider covers rfc2307 tests and are rfc2307bis tests are cloned here +* parametrized SSL and StartTLS +* parameterize getent.passwd[name, uid]: + + +bash +==== +# ldap_deref +?:Set deref to never +?:Set deref to always +?:Set deref to finding +?:Set deref to searching +?:Points to a different common name +?:Deref object does not exist +?:Deref objects in closed cycle +?:auth with deref object +?:Without deref in sssd conf should default to never + +# ldap_id_ldap_auth +?:Raise limits for max num of files sssd nss or sssd pam can use bz799929 +?:netgroups do not honor entry cache nowait percentage bz822236 +?:Honour TTL when resolving host names bz785884 +?:Crash with netgroup lookup after cache lifetime bz682807 +?:id command shows recently deleted users bz678410 bz894381 +?:debug timestamps equals to 1 is not passed to providers bz785909 +?:client idle timeout set to 30 bz827036 +?:Warn to syslog when dereference requests fail bz799009 +?:sss debuglevel help should not list debug bz799039 +?:SSSD will sometimes lose groups from the cache bz649286 +?:getent passwd username returns nothing if its uidNumber gt 2147483647 bz645449 +?:sssd be crashes when resolving non trivial nested group structure bz801533 +?:SSSD starts multiple processes due to syntax error in ldap uri bz869466 +?:Verify when nesting limit is reached bz790848 bz894997 +?:SSSD fails to store users if any of the requested attribute is empty bz842842 +?:Verifying ldb +?:Get Valid LDAP Users +?:Get Valid LDAP Groups +?:Users uidNumbers below Minimum and above Maximum +?:Groups gidNumbers below Minimum and above Maximum +?:Enumerating Non Posix User +?:Enumerating Non Posix Group +?:Authentication LDAP User with Password Assigned +?:Change LDAP Users Password and Authenticate +?:Authentication LDAP User Without Password Assigned +?:Authentication LDAP User with Incorrect Password +?:Get Valid LDAP Users Fully Qualified Names +?:Get Valid LDAP Groups Fully Qualified Names +?:LDAP User uidNumber not Within Allowed Range +?:Group gidNumber not Within Allowed Range +?:New LDAP User Added Cache Test +?:New LDAP Group Added Negative Cache Test +?:Authentication fully qualified LDAP User with Password Assigned +?:Change Password and Authenticate LDAP user with FQDN +?:Get Valid LDAP Users LDAPS +?:Get valid LDAP Groups LDAPS +?:Authentication LDAP User with Passwd Assigned Require Cert Never +?:Get Valid LDAP Users Require Cert Hard +?:Get Valid LDAP Groups Require Cert Hard +?:Authentication LDAP User with Password Assigned Require Cert Hard +?:Get Valid LDAP Users Bind DN +?:Get Valid LDAP Groups Bind DN +?:LDAP BE Unreachable +?:id Command and Group Memberships +?:Verify Groups and Users same OU +?:Case Sensitive Group Memberships +?:Change LDAP Domain User Passwd default chpass provider +?:Wrapping the value for ldap access filter in parentheses causes ldap search ext to fail bz600352 +?:Multiple entries of ldap access filter and lower one wins +?:ldap access filter with a global character +?:ldap access filter with memberOf option +?:ldap access filter with long version of memberOf option +?:Multiple entries of ldap search file and lower one wins offline +?:ldap access filter with a global character offline -> test_access_filter.py +?:ldap access filter with memberOf option offline -> test_access_filter.py +?:ldap access filter with long version of memberOf option offline +?:ldap access allow attribute in cache LDAP ldb +?:SSSD segfaults when c ares is using tcp scokets +?:Authentication succeeds if user is in whitelist +?:Authentication fails if the user is not in whitelist +?:getent returns both users +?:Authentication succeeds and connection closes if user is in blacklist +?:Authentication succeeds if the user is not in blacklist +?:sssd with ldap backend throws error domain log bz1227685 +?:SSSD ldap ldap rfc2307 test trac 622 625 +?:SSSD ldap ldap rfc2307bis test trac 595 620 621 626 +?:Create a ou set to netgroup and nisNetgroupTriple +?:Decrease the cache time out and add new entry for nisNetgroupTriple +?:Create multiple netgroups +?:Adding memberNisNetgroup +?:Adding dn to memberNisNetgroup +?:Using different syntax for nisNetgroupTriple +?:With just host and domain info +?:netgroups with nested loop +?:ldapsearch base specified in sssd conf +?:Without ldapsearch base specified in sssd conf and rootDSE exists +?:Without ldapsearch base and with ldap user search base specified +?:Without ldapsearch base and with ldap group search base specified +?:Without ldapsearch base and with ldap netgroup search base specified +?:Without ldapsearch base and multiple namingContexts and 1 defaultnamingcontext +?:With ldapsearch base and with ldap user search base specified +?:With ldapsearch base and with ldap user search base specified multi namingContexts + +# paging +?:Set maxpagesize equals to 10 on ldapserver +?:Enumerate users with maxpagesize 10 in ldap server and ldap page size 10 in sssd +?:Enumerate groups with maxpagesize 10 in ldap server and ldap page size 10 in sssd +?:paging plus filter +?:Enumerate user in 20 groups with enumerate false +?:Enumerate user in 20 groups with enumerate false and totalpageentries 5 in ldap server +?:Enumerate false and totalpageentries 5 in ldap server and ldap page size 5 in sssd +?:Primary group of user is not enumerated when prtotal set to 5 +?:Set paging disabled on ldapserver bz728212 +?:Page size unlimited on ldap server and ldap disable paging is false in sssd +?:Page size unlimited on ldap server and ldap disable paging is true in sssd +?:LDAP server page size is 10 sssd page size is 5 and ldap disable paging is false +?:LDAP server page size is 10 sssd page size is 20 and ldap disable paging is false +?:LDAP server page size is 10 sssd page size is 5 and ldap disable paging is true +?:LDAP server page size disabled and sssd ldap disable paging is true +?:LDAP server page size disabled sssd page size 10 and ldap disable paging is false +?:LDAP server page size is 10 and sssd ldap disable paging is true + + +intg tests +========== ++:test_regression_ticket2163:'\\' character is permitted -> test_authentication.py +-:test_sanity_rfc2307 +-:test_sanity_rfc2307_bis ++:test_member_with_different_cases_rfc2307_bis::bz1817122 ->> test_identity.py ++:test_refresh_after_cleanup_task::sssd.conf,entry_cache_timeout -> test_cache.py ++:test_update_ts_cache_after_cleanup_task::sssd.conf,ldap_purge_cache_timeout -> test_cache.py +-:test_ldap_group_dereference +p:test_override_homedir::test_authentication.py ++:test_fallback_homedir -> test_authentication.py ++:test_override_shell -> test_authentication.py ++:test_shell_fallback -> test_authentication.py ++:test_default_shell -> test_authentication.py ++:test_vetoed_shells -> test_authentication.py ++:test_user_2307bis_nested_groups -> test_identity.py ++:test_special_characters_in_names -> test_authentication.py +-:test_extra_attribute_already_exists::vetoed shells +p:test_add_user_to_group::test_identity__lookup_groups_by_name_and_gid_with_getent ++:test_remove_user_from_group -> test_cache.py ++:test_remove_user_from_nested_group -> test_cache.py ++:test_zero_nesting_level -> test_identity.py ++:test_nss_filters -> test_nss.py ++:test_nss_filters_cached -> test_nss.py +p:test_ldap_auto_private_groups_direct::test_identity__lookup_when_auto_private_groups_is_set_to_true +p:test_ldap_auto_private_groups_conflict::test_identity__lookup_when_auto_private_groups_is_set_to_true +p:test_ldap_auto_private_groups_direct_no_gid::test_identity__lookup_when_auto_private_groups_is_set_to_true +p:test_ldap_auto_private_groups_hybrid_direct::test_identity__lookup_when_auto_private_groups_is_set_to_hybrid +p:test_ldap_auto_private_groups_hybrid_priv_group_byname::test_identity__lookup_when_auto_private_groups_is_set_to_hybrid +p:test_ldap_auto_private_groups_hybrid_priv_group_byid::test_identity__lookup_when_auto_private_groups_is_set_to_hybrid +p:test_ldap_auto_private_groups_hybrid_name_gid_identical::test_identity__lookup_when_auto_private_groups_is_set_to_hybrid +p:test_ldap_auto_private_groups_hybrid_initgr::gh2914 ++:test_rename_incomplete_group_same_dn -> test_cache.py, rename group by modifying the name ++:test_rename_incomplete_group_rdn_changed -> test_cache.py, rename group by the cn ++:test_local_negative_timeout_enabled_by_default -> test_cache.py, local_negative_timeout value ++:test_local_negative_timeout_disabled -> test_cache.py, local_negative_timeout value = 0 +p:test_lookup_by_email::test_authentication__using_the_users_email_address ++:test_conflicting_mail_addresses_and_fqdn::email == fqn :: gh4630 ++:test_conflicting_mail_addresses::lookup email owned by two accounts, negative + +multihost +========= +# test_ldap_extra_attrs.py +?:test_0001_bz1362023 +?:test_0002_givenmail +?:test_0003_checkldb +?:test_0004_negativecache +?:test_0005_ldapextraattrs +?:test_0006_bz1667252 +?:test_bz847043 + +# test_ldap_library_debug_level.py +?:test_ldap_library_debug_level.py:?:test_0001_bz1884207 +?:test_ldap_library_debug_level.py:?:test_0002_bz1884207 +?:test_ldap_library_debug_level.py:?:test_0003_bz1884207 + +# test_ldap_password_policy.py +?:test_bz748856 +?:test_maxage +?:test_bz954323 +?:test_bz1146198_bz1144011 + +# test_ldap_time_logging.py +?:test_0001_bz1925559 +?:test_0002_bz1925559 +?:test_0003_bz1925559 +""" + + @pytest.mark.ticket(bz=[795044, 1695574]) @pytest.mark.importance("critical") @pytest.mark.parametrize("modify_mode", ["exop", "ldap_modify", "exop_force"]) diff --git a/src/tests/system/tests/test_logging.py b/src/tests/system/tests/test_logging.py index 3be50e35bd2..2f75a860b7b 100644 --- a/src/tests/system/tests/test_logging.py +++ b/src/tests/system/tests/test_logging.py @@ -16,6 +16,36 @@ from sssd_test_framework.topology import KnownTopology +""" +?:needs review +p:pushed ++:approved +-:drop +b:blocked +-> move + +intg +==== + +multihost +========= +# test_journald.py +?:test_0001_bz1115508 +?:test_0002_bz1460724 + +# test_default_debug_logging.py +?:test_bz785908 +?:test_bz785898 + +# test_backtrace.py +?:test_0001_bz2021196 +?:test_0002_bz1949149 +?:test_0003_bz1949149 +?:test_0004_bz1949149 +?:test_0005_bz1949149 +""" + + @pytest.mark.integration @pytest.mark.importance("low") @pytest.mark.topology(KnownTopology.Client) diff --git a/src/tests/system/tests/test_memcache.py b/src/tests/system/tests/test_memcache.py index a6e98bf6e2f..ed1ca5ffdf2 100644 --- a/src/tests/system/tests/test_memcache.py +++ b/src/tests/system/tests/test_memcache.py @@ -13,6 +13,133 @@ from sssd_test_framework.topology import KnownTopology, KnownTopologyGroup +""" +todo +==== +* parametrize these tests so they are easier to maintain + +?:needs review +p:pushed ++:approved +-:drop +b:blocked +-> move + +notes +===== +* single provider, no value testing against multiple providers +* this can be parametrized, I think it'll be easier to parametrized the service, because the assertions for users and groups are so different. +* is it important to invalidate a user and then users? and a group and groups? + + +intg +==== +**test_memory_cache.py** +c:test_getpwnam +c:test_getpwnam_with_mc +c:test_getgrnam_simple +c:test_getgrnam_simple_with_mc +c:test_getgrnam_simple_disabled_pwd_mc +c:test_getgrnam_simple_disabled_intitgr_mc +c:test_getgrnam_membership +c:test_getgrnam_membership_with_mc +c:test_initgroups +c:test_initgroups_with_mc +c:test_initgroups_fqname_with_mc +c:test_initgroups_case_insensitive_with_mc1 +c:test_initgroups_case_insensitive_with_mc2 +c:test_initgroups_case_insensitive_with_mc3 +c:test_invalidation_of_gids_after_initgroups +c:test_initgroups_without_change_in_membership +c:test_invalidate_user_before_stop +c:test_invalidate_user_after_stop +c:test_invalidate_users_before_stop +c:test_invalidate_users_after_stop +c:test_invalidate_group_before_stop +c:test_invalidate_group_after_stop +c:test_invalidate_groups_before_stop +c:test_invalidate_groups_after_stop +c:test_invalidate_everything_before_stop +c:test_invalidate_everything_after_stop +c:test_colliding_hashes +c:test_removed_mc +c:test_mc_zero_timeout +c:test_disabled_mc +c:test_disabled_passwd_mc +c:test_disabled_group_mc +c:test_disabled_initgr_mc + +multihost +========= +# test_inmemory_cache.py +?:test_bz789507 +?:test_maxage +?:test_invalidate_inmemory_cache +?:test_bz867933 +?:test_memcache_timeout +?:test_bz1484376 +?:test_time_out_300 +?:test_default_behaviour + +""" + + +@pytest.mark.parametrize("clear", ["before", "after"]) +def test_memcache__invalidate_user_cache(clear: str): + """ + :title: Invalidate the user cache before and after stopping the service + """ + + +@pytest.mark.parametrize("clear", ["before", "after"]) +def test_memcache__invalidate_user_cache_for_several_users(clear: str): + """ + :title: Invalidate the user cache before and after stopping the service for several users + """ + + +@pytest.mark.parametrize("clear", ["before", "after"]) +def test_memcache__invalidate_group_cache(clear: str): + """ + :title: Invalidate the group cache before and after stopping the service + """ + + +@pytest.mark.parametrize("clear", ["before", "after"]) +def test_memcache__invalidate_group_cache_for_several_groups(clear: str): + """ + :title: Invalidate the group cache before and after stopping the service for several groups + """ + + +@pytest.mark.parametrize("clear", ["before", "after"]) +def test_memcache__invalidate_all_caches(clear: str): + """ + :title: Invalidate the all caches before and after stopping the service + """ + + +@pytest.mark.parametrize("cache", ["user", "group", "initgroup"]) +def test_memcache__user_cache_is_not_impacted_when_other_caches_are_disabled(cache: str): + """ + :title: The user cache functions properly when other cache types are enabled and disabled + """ + + +@pytest.mark.parametrize("cache", ["user", "group", "initgroup"]) +def test_memcache__group_cache_is_not_impacted_when_other_caches_are_disabled(cache: str): + """ + :title: The group cache functions properly when other cache types are enabled and disabled + """ + + +@pytest.mark.parametrize("cache", ["user", "group", "initgroup"]) +def test_memcache__initgroup_cache_is_not_impacted_when_other_caches_are_disabled(cache: str): + """ + :title: The init group cache functions properly when other cache types are enabled and disabled + """ + + @pytest.mark.importance("critical") @pytest.mark.cache @pytest.mark.topology(KnownTopologyGroup.AnyProvider) diff --git a/src/tests/system/tests/test_multiple_domains.py b/src/tests/system/tests/test_multiple_domains.py new file mode 100644 index 00000000000..75312f3b9ed --- /dev/null +++ b/src/tests/system/tests/test_multiple_domains.py @@ -0,0 +1,50 @@ +""" +SSSD Multiple Domain Tests. + +Tests pertaining SSSD configuration with more than one domain. + +:requirement: Multiple Domains +""" + +""" +?:needs review +p:pushed ++:approved +-:drop +b:blocked +-> move + +bash +==== + +# multiple_domains +?:Check config ldb filter users per domain for puser10 in proxy domain +?:Check config ldb filter users per domain for puser10 in ldap domain +?:getent for proxy does not return filterusers perdomain user proxy domain +?:getent for ldap does not return filterusers per domain user ldap domain +?:Mulitple Domain Configuration 1 Proxy LDAP and LOCAL +?:Users in Configured Ranges LDAP Proxy and LOCAL +?:Groups in Configuration Ranges LDAP Proxy and LOCAL +?:Attempt to Modify LDAP Domain User LDAP Proxy and LOCAL +?:Attempt to delete LDAP Domain User LDAP Proxy and LOCAL +?:Attempt to Modify LDAP Domain Group LDAP Proxy and LOCAL +?:Attempt to Delete LDAP Group LDAP Proxy and LOCAL +?:Attempt to Add LOCAL User to LDAP Domain Group LDAP Proxy and LOCAL +?:Multiple Domain Configuration 2 Native LDAP and LOCAL +?:Users in Configuration Ranges Native LDAP and LOCAL +?:Groups in Configured Ranges Native LDAP and LOCAL +?:Attempt to Modify LDAP Domain User Native LDAP and LOCAL +?:Attempt to Delete LDAP User Native LDAP and LOCAL +?:Attempt to Modify LDAP Domain Group Native LDAP and LOCAL +?:Attempt to Delete LDAP Domain Group Native LDAP and LOCAL +?:Attempt to Add LOCAL User to LDAP Domain Group Native LDAP and LOCAL +?:Multiple Domain Configuration 3 Two LOCAL Domains SSSD Should Fail to Start +?:Multiple Domain Configuration 4 Two Native LDAP Domains +?:Enumerate Users Two Native LDAP Domains +?:Enumerate Groups Two Native LDAP Domains +?:Multiple Domain Configuration 5 Two Native LDAP Domains Fully Qualified Names +?:Enumerate Users Two Native LDAP Domains Fully Qualified Names +?:Enumerate Groups Two Native LDAP Domains Fully Qualified Names +?:Invalid memberuid Two Native LDAP Domains Fully Qualified Names +?:User information not updated on login for secondary domains bz678593 +""" \ No newline at end of file diff --git a/src/tests/system/tests/test_netgroups.py b/src/tests/system/tests/test_netgroups.py index ad74f085b49..ba64005f6c7 100644 --- a/src/tests/system/tests/test_netgroups.py +++ b/src/tests/system/tests/test_netgroups.py @@ -1,5 +1,7 @@ """ -Netgroup tests. +SSSD Netgroup tests. + +All netgroup related tests, this will include searching, caching of netgroup objects. :requirement: netgroup """ @@ -15,6 +17,38 @@ from sssd_test_framework.topology import KnownTopology, KnownTopologyGroup +""" +?:needs review +p:pushed ++:approved +-:drop +b:blocked +-> move + +intg +==== +?:test_add_empty_netgroup +?:test_add_tripled_netgroup +?:test_add_mixed_netgroup +?:test_remove_step_by_step +?:test_removing_nested_netgroups +?:test_offline_netgroups +?:test_innetgr_with_threads + +bash +==== + +# ldap_id_ldap_auth +?:sssd returns empty netgroup at a second request for an non existing netgroup bz785888 +?:getent netgroup hangs when use fully qualified names set to TRUE bz802207 +?:ldap search base does not fully limit the Netgroup search base bz785908 + +multihost +========= + +""" + + @pytest.mark.importance("medium") @pytest.mark.cache @pytest.mark.ticket(gh=6652, bz=2162552) diff --git a/src/tests/system/tests/test_performance.py b/src/tests/system/tests/test_performance.py new file mode 100644 index 00000000000..49db761b891 --- /dev/null +++ b/src/tests/system/tests/test_performance.py @@ -0,0 +1,63 @@ +""" +SSSD Performance Tests. + +Tests pertaining SSSD performance + +:requirement: Performance +""" + +""" +?:needs review +p:pushed ++:approved +-:drop +b:blocked +-> move + +bash +==== + +# cache_performance +?:User login time statistics for member of 200 groups +?:User login time statistics for member of 500 groups +?:User login time statistics for member of 1000 groups +?:User login time statistics for member of 1500 groups +?:User login time statistics for member of 2000 groups +?:User login time statistics for member of 3000 groups +?:ID cmd time statistics for member of 200 groups +?:ID cmd time statistics for member of 500 groups +?:ID cmd time statistics for member of 1000 groups +?:ID cmd time statistics for member of 1500 groups +?:ID cmd time statistics for member of 2000 groups +?:ID cmd time statistics for member of 3000 groups +?:Group lookup stats with 200 users in a group +?:Group lookup stats with 500 users in a group +?:Group lookup stats with 1000 users in a group +?:Group lookup stats with 1500 users in a group +?:Group lookup stats with 2000 users in a group +?:Group lookup stats with 3000 users in a group +?:Time statistics for listing files owned by 200 users +?:Time statistics for listing files owned by 500 users +?:Time statistics for listing files owned by 1000 users +?:Time statistics for listing files owned by 1500 users +?:Time statistics for listing files owned by 2000 users +?:Time statistics for listing files owned by 3000 users +?:Verify user login time when 100 users attempt simultaneous login +?:Verify user login time when 200 users attempt simultaneous login +?:Verify user login time when 500 users attempt simultaneous login +?:Verify user login time when 1000 users attempt simultaneous login +?:Verify the existence Of Timestamp Cache +?:Verify ldb cache updates on user lookup +?:Expire user entries in cache and verify the updates +?:Refresh user entries after expiry and verify the cache updates +?:Expire entries in cache and run user auth +?:Set refresh expired interval to 40 and verify user record updates +?:Set use fully qualified names to true and verify cache updates +?:Set case sensitive to false and verify cache updates +?:Verify ldb cache updates on group lookup +?:Expire group record in cache and verify the updates +?:Refresh group record after expiry and verify the cache updates +?:Set refresh expired interval to 40 and verify Group record updates +?:Modify user attribute and verify cache updates +?:Delete an existing user and verify cache updates +""" \ No newline at end of file diff --git a/src/tests/system/tests/test_proxy.py b/src/tests/system/tests/test_proxy.py index 56718e2eacf..caa60f1e8d7 100644 --- a/src/tests/system/tests/test_proxy.py +++ b/src/tests/system/tests/test_proxy.py @@ -1,5 +1,7 @@ """ -Proxy Provider tests. +SSSD Proxy Provider tests. + +All proxy and files provider tests. :requirement: Proxy Provider """ @@ -12,6 +14,74 @@ from sssd_test_framework.topology import KnownTopology +""" +?:needs review +p:pushed ++:approved +-:drop +b:blocked +-> move + +notes +===== +* All of these tests can apply to the files provider, while files provider is +being removed, is it worth it to parameterized these providers, if +builtwith("files-provider") will re-run the test using that provider? + +intg +==== + +multihost +========= +# test_proxy.py +?:test_0001_1724717 +?:test_0003_update_removed_grp_membership +?:test_innetgr_threads + +# test_proxy_provider_krb_auth.py +?:test_proxy_lookup +?:test_expired_password +?:test_server_access + +# test_proxy_rfc2307bis.py +# dropping because rfc2307bis, i don't think it adds value - dlavu +-:test_lookup_user_group_netgroup +-:test_allow_groups_User_CS2_grp1 +-:test_allow_groups_user_cs2_grp1 +-:test_allow_groups_User_CS2 +-:test_allow_groups_user_cs2 +-:test_case_sensitive +-:test_simple_deny_users_user_cs2 +-:test_simple_deny_groups_user_cs2_grp1 + +# test_proxy_rfc2307.py +?:test_lookup_user_group +?:test_enumerate_users_groups +?:test_simple_deny_groups_user_cs1_grp1 +?:test_simple_deny_groups_user_cs_grp1 +?:test_simple_deny_users_user_CS1 +?:test_simple_deny_users_user_cs1 +?:test_bz1007381 +?:test_negative_cache +?:test_nested_group +?:test_fully_qualified_names +?:test_min_id_max_id +?:test_case_sensitive_false_lookup_user_group +?:test_case_sensitive_false_deny_users_user_cs1 +?:test_case_sensitive_false_deny_groups_user_cs1_grp1 +?:test_outgoing_ldaps +""" + + +@pytest.mark.parametrize("provider", ["files", "proxy"]) +@pytest.mark.builtwith("files-provider") +def test_proxy__root_user_is_ignored_on_lookups(provider: str): + """ + :title: The root user is always ignored on sss service lookups + TODO: + """ + + @pytest.mark.importance("low") @pytest.mark.topology(KnownTopology.LDAP) def test_proxy__lookup_and_authenticate_user_using_pam_ldap_and_nslcd(client: Client, ldap: LDAP): diff --git a/src/tests/system/tests/test_python_sss.py b/src/tests/system/tests/test_python_sss.py new file mode 100644 index 00000000000..7cbfccfeea6 --- /dev/null +++ b/src/tests/system/tests/test_python_sss.py @@ -0,0 +1,26 @@ +""" +Python SSS Tests + +:requirement: +""" + +""" +?:needs review +p:pushed ++:approved +-:drop +b:blocked +-> move + +intg +==== +# test_pynss_nss_idmap.py +?:test_user_operations +?:test_group_operations +?:test_case_insensitive +?:test_ignore_unreadable_references +?:test_no_ignore_unreadable_references + +multihost +========= +""" \ No newline at end of file diff --git a/src/tests/system/tests/test_resolver.py b/src/tests/system/tests/test_resolver.py new file mode 100644 index 00000000000..a35f8fb5951 --- /dev/null +++ b/src/tests/system/tests/test_resolver.py @@ -0,0 +1,23 @@ +""" +SSSD Resolver Tests + +:requirement: +""" + +""" +?:needs review +c:covered ++:todo +-:drop +-> move + +intg +==== +**test_resolver.py** +?:test_hostbyname +?:test_netbyname +?:test_netbyaddr + +multihost +========= +""" \ No newline at end of file diff --git a/src/tests/system/tests/test_responders.py b/src/tests/system/tests/test_responders.py new file mode 100644 index 00000000000..aafda386cad --- /dev/null +++ b/src/tests/system/tests/test_responders.py @@ -0,0 +1,76 @@ +""" +SSSD Tests + +:requirement: +""" + +""" +?:needs review +c:covered ++:todo +-:drop +-> move + +bash +==== +# domains_pam_option +?:Default behaviour of pam trusted users and pam public domains when domains equal LDAP +?:Set pam trusted users to user and pam public domains to none when domains equal LDAP +?:Set pam trusted users to user and pam public domains to all when domains equal LDAP +?:Set pam trusted users to user and pam public domains to none when domains equal LDAP KRB +?:Set pam public domains to none and authenticate krb5 domain user when domains equal LDAP +?:Set pam public domains to KRB5 when domains equal LDAP KRB +?:Use different pam service and auth against LDAP KRB5 domains +?:Set empty value to option domains in pam file +?:Remove option domains from pam service file +?:Verify KRB domain user password change when domains equal KRB5 +?:Verify KRB5 domain user password change when domains equal LDAP +?:Use untrusted user and verify domain user password change +?:Set pam trusted users to Unresolved user and verify sssd service status +?:Set pam trusted users to user ids and verify domain user auth +?:Set pam trusted users to Non existing user ids and verify sssd service status +?:Test case insensitive behaviour of domain names +?:Set domains to PROXY and verify domain user auth and password change +?:Set domains to PROXY and verify domain user auth with untrusted user +?:Use fully qualified names for domain users and verify auth when domains equal PROXY +?:Use fully qualified names for domain users and verify auth with untrusted user +?:Use fully qualified names for domain users and verify password change when domains equal PROXY +?:Test pam open session module with a trusted user +?:Test pam open session module with an untrusted user +?:Test pam close session module with a trusted user +?:Test pam close session module with an untrusted user +?:Test pam acct mgmt module with a trusted user +?:Test pam acct mgmt module with an untrusted user + + +intg +==== +# test_pac_responder.py +?:test_multithreaded_pac_client + +# test_pam_responder.py +?:test_preauth_indicator +?:test_password_prompting_config_global +?:test_password_prompting_config_srv +?:test_sc_auth_wrong_pin +?:test_sc_auth +?:test_sc_auth_two +?:test_sc_auth_two_missing_name +?:test_sc_proxy_password_fallback +?:test_sc_proxy_no_password_fallback +?:test_require_sc_auth +?:test_require_sc_auth_no_cert +?:test_try_sc_auth_no_map +?:test_try_sc_auth +?:test_try_sc_auth_root +?:test_sc_auth_missing_name +?:test_sc_auth_missing_name_whitespace +?:test_sc_auth_name_format +?:test_krb5_auth +?:test_krb5_auth_domains + +multihost +========= +# test_sssd_nss.py +?:test_avoid_interlocking_among_threads +""" \ No newline at end of file diff --git a/src/tests/system/tests/test_schema.py b/src/tests/system/tests/test_schema.py index 9c486df2d4f..4a782e5e45a 100644 --- a/src/tests/system/tests/test_schema.py +++ b/src/tests/system/tests/test_schema.py @@ -1,7 +1,7 @@ """ SSSD Schema Tests. -Tests related to directory schemas, formal definitions of LDAP objectClasses and attributes. +Tests related to directory schemas, differences in LDAP objectClasses, attributes and directory constraints. These tests are generic topology and will run against AD, Samba, IPA and LDAP. Specific topologies test may reside in their corresponding test file. diff --git a/src/tests/system/tests/test_services.py b/src/tests/system/tests/test_services.py new file mode 100644 index 00000000000..e0a836f9717 --- /dev/null +++ b/src/tests/system/tests/test_services.py @@ -0,0 +1,51 @@ +""" +SSSD Service/Daemon Tests + +All SSSD tests related to the service, init, files and processes. + +:requirement: +""" + +""" +?:needs review +c:covered ++:todo +-:drop +-> move + +bash +==== +# authorized_services/* +?:Granting SSH service access to user1 bz675284 +?:Denying SSH service access to user1 +?:Granting user2 to ftp service +?:Granting user2 to ftp service with pam_initgroups_scheme = no_session +?:Granting user2 to ftp service with UserStopDelaySec=0 +?:Adding ftp service to user1 +?:Deny ftp service to user1 +?:Granting access to all services +?:Denying access to all services +?:Granting su access to user1 +?:Modifying user1 to deny su access +?:Adding filter to ldap access order and user1 fits in the filter +?:Adding filter to ldap access order and user1 does not fit in the filter +?:Testing with a invalid service name in ldap +?:Set two identical services for same user one allow and one deny +?:Allow all service except su + + +intg +==== + +multihost +========= +# test_service.py +?:test_0001_bz1432010:SSSD ships a drop-in configuration snippet in /etc/systemd/system +?:test_0002_1736796:"default_domain_suffix" should not cause files domain entries to be qualified, this can break sudo access +?:test_0003_bz1713368: Add sssd-dbus package as a dependency of sssd-tools +?:test_0004_membership_with_files_provider: SSSD must be able to resolve membership involving root with files provider +?:test_0005_sssd_stops_monitoring: When the passwd or group files are replaced, sssd stops monitoring the file for inotify events, and no updates are triggered +?:test_0006_bz1909755: Suppress log message "[sssd] [service_signal_done] (0x0010): Unable to signal service [2]: No such file or directory" during logrote -> test_logging.py +?:test_0007_bz971435:Enhance sssd init script so that it would source a configuration +?:test_0008_bz1516266:detailed debug and system-log message if krb5_init_context failed -> test_logging.py +""" \ No newline at end of file diff --git a/src/tests/system/tests/test_sssctl.py b/src/tests/system/tests/test_sssctl.py index ed6221cc532..8260fd20dcd 100644 --- a/src/tests/system/tests/test_sssctl.py +++ b/src/tests/system/tests/test_sssctl.py @@ -17,6 +17,91 @@ from sssd_test_framework.topology import KnownTopology +""" +?:needs review +p:pushed ++:approved +-:drop +b:blocked +-> move + +notes +===== + +bash +==== +# sssctl.sh +?:sssctl config check +?:sssctl domain list +?:sssctl user checks +?:sssctl check cache for user +?:sssctl check cache for group +?:sssctl check cache for netgroup +?:sssctl backup and restore local data +?:sssctl truncating logs +?:sssctl output timezone and local timezone bz1356577 + + +intg +===== +# test_sssctl.py +test_user_show_basic_sanity +test_user_show_basic_fqname +test_user_show_basic_fqname_insensitive +test_group_show_basic_sanity +test_group_show_basic_fqname +test_group_show_basic_fqname_insensitive +test_netgroup_show +test_sssctl_snippets_only +test_sssctl_no_config +test_debug_level_sanity +test_debug_level_no_sssd + +multihost +========= +../../multihost/alltests/test_sssctl_analyzer.py +?:test_analyze_list +?:test_analyze_diff_log_location +?:test_analyze_pam_logs +?:test_analyze_tevent_id +?:test_analyze_parse_child_logs +?:test_non_root_privileged + +../../multihost/alltests/test_sssctl_ldap.py +?:test_0001_bz1638295 +?:test_0002_bz1638295 +?:test_0003_bz1638295 +?:test_0004_bz1638295 +?:test_0005_bz1638295 +?:test_0006_bz1638295 +?:test_0007_bz1638295 +?:test_0008_bz1761047 +?:test_0009_bz1751691 +?:test_0010_bz1628122 +?:test_0011_bz1406678 + +../../multihost/alltests/test_sssctl_local.py +?:test_0001_bz1640576 +?:test_0002_bz1599207 +?:test_0003_bz1661182 +""" + + +@pytest.mark.parametrize("section", ["pam", ["nss", "sssd"]]) +def test_sssctl__invalid_section_name(section: str): + """ + :title: The section name contains a typographical error and will be caught + + Covers + test_sssctl__check_invalid_pam_section + test_sssctl__check_invalid_nss_section + test_sssctl__check_invalid_sssd_section + + should we add [sudo] and other sections? + """ + pass + + @pytest.mark.importance("high") @pytest.mark.tools @pytest.mark.ticket(bz=2100789) diff --git a/src/tests/system/tests/test_sudo.py b/src/tests/system/tests/test_sudo.py index 4e0a6bd7512..686feb4847e 100644 --- a/src/tests/system/tests/test_sudo.py +++ b/src/tests/system/tests/test_sudo.py @@ -19,6 +19,56 @@ from sssd_test_framework.topology import KnownTopology, KnownTopologyGroup +""" +?:needs review +p:pushed ++:approved +-:drop +b:blocked +-> move + +bash +===== +?:sssd fails instead of skipping when a sudo ldap filter returns entries with multiple CN bz996020 +?:large number of sudo rules results in error bz1003567 +?:BZ995737 sudo backed by sssd ldap denies all access +?:Add fallback to sudoRunAs when sudoRunasUser is not defined bz1064928 bz1042922 +?:duplicate usernames with difference of upper and lower case bz1422183 +?:Information leak from sssd sudo responder +?:private pipe ownership when sssd is running as non root user +?:Allow sssd to retrieve sudo rules of local users whose sudo rules stored in ldap server +?:sysdb sudo search does not escape special characters bz1232130 bz1208507 +?:sssd sudo process segfaults bz1084532 +?:check defaults entry support +?:verify configuration option support +?:verify rule and smart refreshing mechanism +?:verify stress test smart refresh +?:verify rule host filtering +?:verify offline support +?:verify full refresh mechanism +?:verify attribute support +?:verify command attribute support +?:verify rule order handling + +intg +==== + +multihost +========= +# test_sudo.py +?:test_bz1294670 +?:test_timed_sudoers_entry +?:test_randomize_sudo_timeout +?:test_improve_refresh_timers_sudo_timeout + +# test_sudo.py +?:test_001_bz1380436 +?:test_002_bz1372440 +?:test_003_support_non_posix_group_in_sudorule +?:test_004_sudorule_with_short_username +""" + + @pytest.mark.importance("critical") @pytest.mark.topology(KnownTopologyGroup.AnyProvider) @pytest.mark.parametrize("sssd_service_user", ("root", "sssd")) diff --git a/src/tests/system/tests/test_tools.py b/src/tests/system/tests/test_tools.py index 05620e3255e..d29e0206256 100644 --- a/src/tests/system/tests/test_tools.py +++ b/src/tests/system/tests/test_tools.py @@ -23,6 +23,47 @@ from sssd_test_framework.topology import KnownTopology +""" +?:needs review +p:pushed ++:approved +-:drop +b:blocked +-> move + +bash +==== +# sss_obfuscate +?:sss obfuscate command requires a domain name +?:help option of sss obfuscate command +?:sss obfuscate ENTER enter password +?:sss obfuscate hyphen s option reading the password from stdin +?:non default input in sssd conf file +?:Hyphen d option the domain to use the password in +?:Domain already had ldap default authtok type as password +?:SSSD with multiple domains +?:sss obfuscate to a incorrect domain +?:sss obfuscate to nss domain special domain +?:Manually added a base64 encoded password +?:Setting cleartext password while authtok type is obfuscated +?:sss obfuscate for proxy providers +?:Resetting binddn password and updating obfuscated password +?:sss obfuscate command as normal non root user +?:sss obfuscate command as normal non root user with hyphen f option and user has permissions +?:One existing domain is the default domain +?:Renaming the above domain to NewLDAP +?:Using hyphen d to this default one domain named NewLDAP +?:Adding another domain as NewLDAP2 domain +?:Changing provider to proxy for NewLDAP domain +""" + + +def test_tools__sss_obfuscate_convert_text_password(): + """ + :title: Obfuscate a clear text password into a hash and connect to LDAP + """ + + @pytest.mark.importance("medium") @pytest.mark.ticket(bz=1661182) @pytest.mark.topology(KnownTopology.Client)