tests: adding client ipa trust authentication tests

SSSD · Dec 20, 2024 · c885fae · c885fae
1 parent b7d4a80
commit c885fae
Showing 1 changed file with 66 additions and 0 deletions.
diff --git a/src/tests/system/tests/test_ipa_trusts.py b/src/tests/system/tests/test_ipa_trusts.py
@@ -7,6 +7,7 @@
 from __future__ import annotations
 
 import pytest
+from sssd_test_framework.roles.client import Client
 from sssd_test_framework.roles.generic import GenericADProvider
 from sssd_test_framework.roles.ipa import IPA
 from sssd_test_framework.topology import KnownTopologyGroup
@@ -60,3 +61,68 @@ def test_ipa_trusts__lookup_group_without_sid(ipa: IPA, trusted: GenericADProvid
     status = ipa.sssctl.domain_status(trusted.domain, online=True)
     assert "online status: offline" not in status.stdout.lower(), "AD domain went offline!"
     assert "online status: online" in status.stdout.lower(), "AD domain was not online!"
+
+
+@pytest.mark.importance("critical")
+@pytest.mark.topology(KnownTopologyGroup.IPATrust)
+def test_ipa_trusts__authentication_with_default_settings(client: Client, ipa: IPA, trusted: GenericADProvider):
+    """
+    :title: Authenticate IPA and trusted AD users with default settings
+    :setup:
+        1. Create users
+        2. Start SSSD
+    :steps:
+        1. Authenticate users, one extra time using the fully qualified name for the ipa user
+        2. Authenticate users using the wrong password
+    :expectedresults:
+        1. Logins are successful
+        2. Logins are unsuccessful
+    :customerscenario: False
+    """
+    ipa_user = ipa.user("user1").add()
+    ipa_user_fqn = f"{ipa_user.name}@{ipa.domain}"
+    ad_user_fqn = f"{trusted.user('user2').add().name}@{trusted.domain}"
+
+    client.sssd.restart(clean=True)
+
+    assert client.auth.ssh.password(ipa_user.name, "Secret123"), "User failed login!"
+    assert not client.auth.ssh.password(ipa_user.name, "bad_password"), "User logged in with an incorrect password!"
+    assert client.auth.ssh.password(ipa_user_fqn, "Secret123"), "User failed login!"
+    assert not client.auth.ssh.password(ipa_user_fqn, "bad_password"), "User logged in with an incorrect password!"
+    assert client.auth.ssh.password(ad_user_fqn, "Secret123"), "User failed login!"
+    assert not client.auth.ssh.password(ad_user_fqn, "bad_password"), "User logged in with an incorrect password!"
+
+
+@pytest.mark.importance("high")
+@pytest.mark.ticket(jira="RHEL-4984", gh=7635)
+@pytest.mark.topology(KnownTopologyGroup.IPATrust)
+def test_ipa_trusts__authentication_with_default_domain_suffix_set(
+    client: Client, ipa: IPA, trusted: GenericADProvider
+):
+    """
+    :title: Authenticate IPA and trusted AD users with default_domain_suffix set to AD
+    :setup:
+        1. Create users
+        2. Set 'default_domain_suffix' value to 'ipa_domain'
+        3. Start SSSD
+    :steps:
+        1. Authenticate users, one extra time using the fully qualified name for the ipa user
+        2. Authenticate users using the wrong password
+    :expectedresults:
+        1. Logins are successful
+        2. Logins are unsuccessful
+    :customerscenario: True
+    """
+    ipa_user = ipa.user("user1").add()
+    ipa_user_fqn = f"{ipa_user.name}@{ipa.domain}"
+    ad_user_fqn = f"{trusted.user('user2').add().name}@{trusted.domain}"
+
+    client.sssd.section("sssd")["default_domain_suffix"] = ipa.domain
+    client.sssd.restart(clean=True)
+
+    assert client.auth.ssh.password(ipa_user.name, "Secret123"), "User failed login!"
+    assert not client.auth.ssh.password(ipa_user.name, "bad_password"), "User logged in with an incorrect password!"
+    assert client.auth.ssh.password(ipa_user_fqn, "Secret123"), "User failed login!"
+    assert not client.auth.ssh.password(ipa_user_fqn, "bad_password"), "User logged in with an incorrect password!"
+    assert client.auth.ssh.password(ad_user_fqn, "Secret123"), "User failed login!"
+    assert not client.auth.ssh.password(ad_user_fqn, "bad_password"), "User logged in with an incorrect password!"