rpms/sssd
3
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
4c80037896
sssd/0017-INTG-Add-session-recording-tests.patch

1060 lines
37 KiB
Diff
Raw Normal View History

Backport few upstream patches/fixes (cherry picked from commit fa4807ec456a6e246d387bcadc4a1f237a3065b9) (cherry picked from commit 323dbdee02385eee933a04c0e86db88d00351f24) (cherry picked from commit 7e532024f07845d03735f64dbf10fcc285967722)
2017-09-01 18:52:07 +00:00
From 53a4219e2f51cd0443931aa931505bf0b4bf5a45 Mon Sep 17 00:00:00 2001
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
Date: Thu, 11 Aug 2016 14:18:38 +0300
Subject: [PATCH 17/93] INTG: Add session recording tests
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Add basic tests for all base combinations of session recording
configuration options.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
contrib/ci/configure.sh | 1 +
src/tests/intg/Makefile.am | 2 +
src/tests/intg/config.py.m4 | 29 +-
src/tests/intg/test_session_recording.py | 961 +++++++++++++++++++++++++++++++
4 files changed, 979 insertions(+), 14 deletions(-)
create mode 100644 src/tests/intg/test_session_recording.py
diff --git a/contrib/ci/configure.sh b/contrib/ci/configure.sh
index 9d18d0c187561a2dc3bc47d3e8913626e7ff3046..4a219da7577ea6aab5c8f14679b9e603c6c35be3 100644
--- a/contrib/ci/configure.sh
+++ b/contrib/ci/configure.sh
@@ -29,6 +29,7 @@ declare -a CONFIGURE_ARG_LIST=(
"--enable-ldb-version-check"
"--with-syslog=journald"
"--enable-systemtap"
+ "--with-session-recording-shell=/bin/false"
)
diff --git a/src/tests/intg/Makefile.am b/src/tests/intg/Makefile.am
index 8566106e9017a8d3c9e7a3898a3a886e2966e346..abf6237fcf45d75bc7b9dba835e33413cf2a48da 100644
--- a/src/tests/intg/Makefile.am
+++ b/src/tests/intg/Makefile.am
@@ -18,6 +18,7 @@ dist_noinst_DATA = \
test_enumeration.py \
test_ldap.py \
test_memory_cache.py \
+ test_session_recording.py \
test_ts_cache.py \
test_netgroup.py \
secrets.py \
@@ -42,6 +43,7 @@ config.py: config.py.m4
-D "libexecpath=\`$(libexecdir)'" \
-D "runstatedir=\`$(runstatedir)'" \
-D "abs_builddir=\`$(abs_builddir)'" \
+ -D "session_recording_shell=\`$(session_recording_shell)'" \
$< > $@
root:
diff --git a/src/tests/intg/config.py.m4 b/src/tests/intg/config.py.m4
index 841aae01f9f67f3a06656a580b84dfaa0a877c0f..bfbbf030fe5c6431ad3eec6c71d05e9138c82163 100644
--- a/src/tests/intg/config.py.m4
+++ b/src/tests/intg/config.py.m4
@@ -2,17 +2,18 @@
Build configuration variables.
"""
-PREFIX = "prefix"
-SYSCONFDIR = "sysconfdir"
-NSS_MODULE_DIR = PREFIX + "/lib"
-SSSDCONFDIR = SYSCONFDIR + "/sssd"
-CONF_PATH = SSSDCONFDIR + "/sssd.conf"
-DB_PATH = "dbpath"
-PID_PATH = "pidpath"
-PIDFILE_PATH = PID_PATH + "/sssd.pid"
-LOG_PATH = "logpath"
-MCACHE_PATH = "mcpath"
-SECDB_PATH = "secdbpath"
-LIBEXEC_PATH = "libexecpath"
-RUNSTATEDIR = "runstatedir"
-ABS_BUILDDIR = "abs_builddir"
+PREFIX = "prefix"
+SYSCONFDIR = "sysconfdir"
+NSS_MODULE_DIR = PREFIX + "/lib"
+SSSDCONFDIR = SYSCONFDIR + "/sssd"
+CONF_PATH = SSSDCONFDIR + "/sssd.conf"
+DB_PATH = "dbpath"
+PID_PATH = "pidpath"
+PIDFILE_PATH = PID_PATH + "/sssd.pid"
+LOG_PATH = "logpath"
+MCACHE_PATH = "mcpath"
+SECDB_PATH = "secdbpath"
+LIBEXEC_PATH = "libexecpath"
+RUNSTATEDIR = "runstatedir"
+ABS_BUILDDIR = "abs_builddir"
+SESSION_RECORDING_SHELL = "session_recording_shell"
diff --git a/src/tests/intg/test_session_recording.py b/src/tests/intg/test_session_recording.py
new file mode 100644
index 0000000000000000000000000000000000000000..56a056a156b5effe8b8afb7b5607cb60038eec4c
--- /dev/null
+++ b/src/tests/intg/test_session_recording.py
@@ -0,0 +1,961 @@
+#
+# Session Recording tests
+#
+# Copyright (c) 2016 Red Hat, Inc.
+# Author: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
+#
+# This is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 only
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+import os
+import stat
+import ent
+import config
+import signal
+import subprocess
+import time
+import ldap
+import pytest
+import ds_openldap
+import ldap_ent
+from util import *
+
+LDAP_BASE_DN = "dc=example,dc=com"
+INTERACTIVE_TIMEOUT = 4
+
+
+def stop_sssd():
+ """Stop sssd"""
+ pid_file = open(config.PIDFILE_PATH, "r")
+ pid = int(pid_file.read())
+ os.kill(pid, signal.SIGTERM)
+ while True:
+ try:
+ os.kill(pid, signal.SIGCONT)
+ except:
+ break
+ time.sleep(1)
+
+
+def start_sssd():
+ """Start sssd"""
+ if subprocess.call(["sssd", "-D", "-f"]) != 0:
+ raise Exception("sssd start failed")
+
+
+def restart_sssd():
+ """Restart sssd"""
+ stop_sssd()
+ start_sssd()
+
+
+@pytest.fixture(scope="module")
+def ds_inst(request):
+ """LDAP server instance fixture"""
+ ds_inst = ds_openldap.DSOpenLDAP(
+ config.PREFIX, 10389, LDAP_BASE_DN,
+ "cn=admin", "Secret123"
+ )
+
+ try:
+ ds_inst.setup()
+ except:
+ ds_inst.teardown()
+ raise
+ request.addfinalizer(lambda: ds_inst.teardown())
+ return ds_inst
+
+
+@pytest.fixture(scope="module")
+def ldap_conn(request, ds_inst):
+ """LDAP server connection fixture"""
+ ldap_conn = ds_inst.bind()
+ ldap_conn.ds_inst = ds_inst
+ request.addfinalizer(lambda: ldap_conn.unbind_s())
+ return ldap_conn
+
+
+def create_ldap_entries(ldap_conn, ent_list=None):
+ """Add LDAP entries from ent_list"""
+ if ent_list is not None:
+ for entry in ent_list:
+ ldap_conn.add_s(entry[0], entry[1])
+
+
+def cleanup_ldap_entries(ldap_conn, ent_list=None):
+ """Remove LDAP entries added by create_ldap_entries"""
+ if ent_list is None:
+ for ou in ("Users", "Groups", "Netgroups", "Services", "Policies"):
+ for entry in ldap_conn.search_s("ou=" + ou + "," +
+ ldap_conn.ds_inst.base_dn,
+ ldap.SCOPE_ONELEVEL,
+ attrlist=[]):
+ ldap_conn.delete_s(entry[0])
+ else:
+ for entry in ent_list:
+ ldap_conn.delete_s(entry[0])
+
+
+def create_ldap_cleanup(request, ldap_conn, ent_list=None):
+ """Add teardown for removing all user/group LDAP entries"""
+ request.addfinalizer(lambda: cleanup_ldap_entries(ldap_conn, ent_list))
+
+
+def create_ldap_fixture(request, ldap_conn, ent_list=None):
+ """Add LDAP entries and add teardown for removing them"""
+ create_ldap_entries(ldap_conn, ent_list)
+ create_ldap_cleanup(request, ldap_conn, ent_list)
+
+
+SCHEMA_RFC2307 = "rfc2307"
+SCHEMA_RFC2307_BIS = "rfc2307bis"
+
+
+def format_basic_conf(ldap_conn, schema):
+ """
+ Format a basic SSSD configuration.
+
+ The files domain is defined but not enabled in order to avoid enumerating
+ users from the files domain that would otherwise by implicitly enabled.
+ """
+ schema_conf = "ldap_schema = " + schema + "\n"
+ if schema == SCHEMA_RFC2307_BIS:
+ schema_conf += "ldap_group_object_class = groupOfNames\n"
+ return unindent("""\
+ [sssd]
+ debug_level = 0xffff
+ domains = LDAP
+ services = nss, pam
+
+ [nss]
+ debug_level = 0xffff
+ memcache_timeout = 0
+
+ [pam]
+ debug_level = 0xffff
+
+ [domain/files]
+ id_provider = files
+
+ [domain/LDAP]
+ ldap_auth_disable_tls_never_use_in_production = true
+ debug_level = 0xffff
+ enumerate = true
+ {schema_conf}
+ id_provider = ldap
+ auth_provider = ldap
+ ldap_uri = {ldap_conn.ds_inst.ldap_url}
+ ldap_search_base = {ldap_conn.ds_inst.base_dn}
+ """).format(**locals())
+
+
+def create_conf_file(contents):
+ """Create sssd.conf with specified contents"""
+ conf = open(config.CONF_PATH, "w")
+ conf.write(contents)
+ conf.close()
+ os.chmod(config.CONF_PATH, stat.S_IRUSR | stat.S_IWUSR)
+
+
+def cleanup_conf_file():
+ """Remove sssd.conf, if it exists"""
+ if os.path.lexists(config.CONF_PATH):
+ os.unlink(config.CONF_PATH)
+
+
+def create_conf_cleanup(request):
+ """Add teardown for removing sssd.conf"""
+ request.addfinalizer(cleanup_conf_file)
+
+
+def create_conf_fixture(request, contents):
+ """
+ Create sssd.conf with specified contents and add teardown for removing it.
+ """
+ create_conf_file(contents)
+ create_conf_cleanup(request)
+
+
+def create_sssd_process():
+ """Start the SSSD process"""
+ if subprocess.call(["sssd", "-D", "-f"]) != 0:
+ raise Exception("sssd start failed")
+
+
+def cleanup_sssd_process():
+ """Stop the SSSD process and remove its state"""
+ try:
+ pid_file = open(config.PIDFILE_PATH, "r")
+ pid = int(pid_file.read())
+ os.kill(pid, signal.SIGTERM)
+ while True:
+ try:
+ os.kill(pid, signal.SIGCONT)
+ except:
+ break
+ time.sleep(1)
+ except:
+ pass
+ for path in os.listdir(config.DB_PATH):
+ os.unlink(config.DB_PATH + "/" + path)
+ for path in os.listdir(config.MCACHE_PATH):
+ os.unlink(config.MCACHE_PATH + "/" + path)
+
+
+def create_sssd_cleanup(request):
+ """Add teardown for stopping SSSD and removing its state"""
+ request.addfinalizer(cleanup_sssd_process)
+
+
+def create_sssd_fixture(request):
+ """Start SSSD and add teardown for stopping it and removing its state"""
+ create_sssd_process()
+ create_sssd_cleanup(request)
+
+
+@pytest.fixture
+def users_and_groups(request, ldap_conn):
+ ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
+ ent_list.add_user("user1", 1001, 2001, loginShell="/bin/sh1")
+ ent_list.add_user("user2", 1002, 2002, loginShell="/bin/sh2")
+ ent_list.add_user("user3", 1003, 2003, loginShell="/bin/sh3")
+ # User without primary group
+ ent_list.add_user("user4", 1004, 2004, loginShell="/bin/sh4")
+ ent_list.add_group("group1", 2001)
+ ent_list.add_group("group2", 2002)
+ ent_list.add_group("group3", 2003)
+ ent_list.add_group("empty_group", 2010)
+ ent_list.add_group("one_user_group", 2011, ["user1"])
+ ent_list.add_group("two_user_group", 2012, ["user1", "user2"])
+ ent_list.add_group("three_user_group", 2013, ["user1", "user2", "user3"])
+ # Supplementary group for a user without primary group
+ ent_list.add_group("groupless_user_group", 2014, ["user4"])
+ create_ldap_fixture(request, ldap_conn, ent_list)
+
+
+@pytest.fixture
+def none(request, ldap_conn, users_and_groups):
+ """
+ Fixture with scope "none".
+ """
+ conf = \
+ format_basic_conf(ldap_conn, SCHEMA_RFC2307) + \
+ unindent("""\
+ [session_recording]
+ scope = none
+ """).format(**locals())
+ create_conf_fixture(request, conf)
+ create_sssd_fixture(request)
+
+
+def test_none(none):
+ """Test "none" scope"""
+ ent.assert_passwd(
+ ent.contains_only(
+ dict(name="user1", uid=1001, shell="/bin/sh1"),
+ dict(name="user2", uid=1002, shell="/bin/sh2"),
+ dict(name="user3", uid=1003, shell="/bin/sh3"),
+ dict(name="user4", uid=1004, shell="/bin/sh4"),
+ )
+ )
+
+
+@pytest.fixture
+def all(request, ldap_conn, users_and_groups):
+ """
+ Fixture with scope "all".
+ """
+ conf = \
+ format_basic_conf(ldap_conn, SCHEMA_RFC2307) + \
+ unindent("""\
+ [session_recording]
+ scope = all
+ """).format(**locals())
+ create_conf_fixture(request, conf)
+ create_sssd_fixture(request)
+
+
+def test_all_nam(all):
+ """Test "all" scope with getpwnam"""
+ ent.assert_each_passwd_by_name(dict(
+ user1=dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL),
+ user2=dict(name="user2", uid=1002, shell=config.SESSION_RECORDING_SHELL),
+ user3=dict(name="user3", uid=1003, shell=config.SESSION_RECORDING_SHELL),
+ user4=dict(name="user4", uid=1004, shell=config.SESSION_RECORDING_SHELL),
+ ))
+
+
+def test_all_uid(all):
+ """Test "all" scope with getpwuid"""
+ ent.assert_each_passwd_by_uid({
+ 1001:dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL),
+ 1002:dict(name="user2", uid=1002, shell=config.SESSION_RECORDING_SHELL),
+ 1003:dict(name="user3", uid=1003, shell=config.SESSION_RECORDING_SHELL),
+ 1004:dict(name="user4", uid=1004, shell=config.SESSION_RECORDING_SHELL),
+ })
+
+
+def test_all_ent(all):
+ """Test "all" scope with getpwent"""
+ ent.assert_passwd_list(
+ ent.contains_only(
+ dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL),
+ dict(name="user2", uid=1002, shell=config.SESSION_RECORDING_SHELL),
+ dict(name="user3", uid=1003, shell=config.SESSION_RECORDING_SHELL),
+ dict(name="user4", uid=1004, shell=config.SESSION_RECORDING_SHELL),
+ )
+ )
+
+
+@pytest.fixture
+def some_empty(request, ldap_conn, users_and_groups):
+ """
+ Fixture with scope "some", but no users or groups listed.
+ """
+ conf = \
+ format_basic_conf(ldap_conn, SCHEMA_RFC2307) + \
+ unindent("""\
+ [session_recording]
+ scope = some
+ """).format(**locals())
+ create_conf_fixture(request, conf)
+ create_sssd_fixture(request)
+
+
+def test_some_empty(some_empty):
+ """Test "some" scope with no users or groups"""
+ ent.assert_passwd(
+ ent.contains_only(
+ dict(name="user1", uid=1001, shell="/bin/sh1"),
+ dict(name="user2", uid=1002, shell="/bin/sh2"),
+ dict(name="user3", uid=1003, shell="/bin/sh3"),
+ dict(name="user4", uid=1004, shell="/bin/sh4"),
+ )
+ )
+
+
+@pytest.fixture
+def some_users(request, ldap_conn, users_and_groups):
+ """
+ Fixture with scope "some", and some users listed.
+ """
+ conf = \
+ format_basic_conf(ldap_conn, SCHEMA_RFC2307) + \
+ unindent("""\
+ [session_recording]
+ scope = some
+ users = user1, user2
+ """).format(**locals())
+ create_conf_fixture(request, conf)
+ create_sssd_fixture(request)
+
+
+def test_some_users_nam(some_users):
+ """Test "some" scope with user list and getpwnam"""
+ ent.assert_each_passwd_by_name(dict(
+ user1=dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL),
+ user2=dict(name="user2", uid=1002, shell=config.SESSION_RECORDING_SHELL),
+ user3=dict(name="user3", uid=1003, shell="/bin/sh3"),
+ user4=dict(name="user4", uid=1004, shell="/bin/sh4"),
+ ))
+
+
+def test_some_users_uid(some_users):
+ """Test "some" scope with user list and getpwuid"""
+ ent.assert_each_passwd_by_uid({
+ 1001:dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL),
+ 1002:dict(name="user2", uid=1002, shell=config.SESSION_RECORDING_SHELL),
+ 1003:dict(name="user3", uid=1003, shell="/bin/sh3"),
+ 1004:dict(name="user4", uid=1004, shell="/bin/sh4"),
+ })
+
+
+def test_some_users_ent(some_users):
+ """Test "some" scope with user list and getpwent"""
+ ent.assert_passwd_list(
+ ent.contains_only(
+ dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL),
+ dict(name="user2", uid=1002, shell=config.SESSION_RECORDING_SHELL),
+ dict(name="user3", uid=1003, shell="/bin/sh3"),
+ dict(name="user4", uid=1004, shell="/bin/sh4"),
+ )
+ )
+
+
+@pytest.fixture
+def some_users_overridden(request, ldap_conn, users_and_groups):
+ """
+ Fixture with scope "some", specifying two users with
+ overridden names, but one listed with the original name.
+ """
+ conf = \
+ format_basic_conf(ldap_conn, SCHEMA_RFC2307) + \
+ unindent("""\
+ [session_recording]
+ scope = some
+ users = overridden_user1, user2
+ """).format(**locals())
+ create_conf_fixture(request, conf)
+ create_sssd_fixture(request)
+ subprocess.check_call(["sss_override", "user-add", "user1",
+ "-n", "overridden_user1"])
+ subprocess.check_call(["sss_override", "user-add", "user2",
+ "-n", "overridden_user2"])
+ restart_sssd()
+
+
+def test_some_users_overridden_nam(some_users_overridden):
+ """
+ Test "some" scope with user list containing some
+ overridden users, requested with getpwnam.
+ """
+ ent.assert_each_passwd_by_name(dict(
+ overridden_user1=dict(name="overridden_user1", uid=1001,
+ shell=config.SESSION_RECORDING_SHELL),
+ overridden_user2=dict(name="overridden_user2", uid=1002,
+ shell="/bin/sh2"),
+ user3=dict(name="user3", uid=1003, shell="/bin/sh3"),
+ user4=dict(name="user4", uid=1004, shell="/bin/sh4"),
+ ))
+
+
+def test_some_users_overridden_uid(some_users_overridden):
+ """
+ Test "some" scope with user list containing some
+ overridden users, requested with getpwuid.
+ """
+ ent.assert_each_passwd_by_uid({
+ 1001:dict(name="overridden_user1", uid=1001,
+ shell=config.SESSION_RECORDING_SHELL),
+ 1002:dict(name="overridden_user2", uid=1002,
+ shell="/bin/sh2"),
+ 1003:dict(name="user3", uid=1003, shell="/bin/sh3"),
+ 1004:dict(name="user4", uid=1004, shell="/bin/sh4"),
+ })
+
+
+def test_some_users_overridden_ent(some_users_overridden):
+ """
+ Test "some" scope with user list containing some
+ overridden users, requested with getpwent.
+ """
+ ent.assert_passwd_list(
+ ent.contains_only(
+ dict(name="overridden_user1", uid=1001,
+ shell=config.SESSION_RECORDING_SHELL),
+ dict(name="overridden_user2", uid=1002,
+ shell="/bin/sh2"),
+ dict(name="user3", uid=1003, shell="/bin/sh3"),
+ dict(name="user4", uid=1004, shell="/bin/sh4"),
+ )
+ )
+
+
+@pytest.fixture
+def some_groups1(request, ldap_conn, users_and_groups):
+ """
+ Fixture with scope "some", specifying a single-user supplementary group,
+ and a two-user supplementary group intersecting with the first one.
+ """
+ conf = \
+ format_basic_conf(ldap_conn, SCHEMA_RFC2307) + \
+ unindent("""\
+ [session_recording]
+ scope = some
+ groups = one_user_group, two_user_group
+ """).format(**locals())
+ create_conf_fixture(request, conf)
+ create_sssd_fixture(request)
+
+
+@pytest.fixture
+def some_groups2(request, ldap_conn, users_and_groups):
+ """
+ Fixture with scope "some", specifying a three-user supplementary group.
+ """
+ conf = \
+ format_basic_conf(ldap_conn, SCHEMA_RFC2307) + \
+ unindent("""\
+ [session_recording]
+ scope = some
+ groups = three_user_group
+ """).format(**locals())
+ create_conf_fixture(request, conf)
+ create_sssd_fixture(request)
+
+
+@pytest.fixture
+def some_groups3(request, ldap_conn, users_and_groups):
+ """
+ Fixture with scope "some", specifying a group with a user with
+ non-existent primary group.
+ """
+ conf = \
+ format_basic_conf(ldap_conn, SCHEMA_RFC2307) + \
+ unindent("""\
+ [session_recording]
+ scope = some
+ groups = groupless_user_group
+ """).format(**locals())
+ create_conf_fixture(request, conf)
+ create_sssd_fixture(request)
+
+
+@pytest.fixture
+def some_groups4(request, ldap_conn, users_and_groups):
+ """
+ Fixture with scope "some", specifying two primary groups.
+ """
+ conf = \
+ format_basic_conf(ldap_conn, SCHEMA_RFC2307) + \
+ unindent("""\
+ [session_recording]
+ scope = some
+ groups = group1, group3
+ """).format(**locals())
+ create_conf_fixture(request, conf)
+ create_sssd_fixture(request)
+
+
+def test_some_groups1_nam(some_groups1):
+ """Test "some" scope with group list and getpwnam"""
+ ent.assert_each_passwd_by_name(dict(
+ user1=dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL),
+ user2=dict(name="user2", uid=1002, shell=config.SESSION_RECORDING_SHELL),
+ user3=dict(name="user3", uid=1003, shell="/bin/sh3"),
+ user4=dict(name="user4", uid=1004, shell="/bin/sh4"),
+ ))
+
+
+def test_some_groups1_uid(some_groups1):
+ """Test "some" scope with group list and getpwuid"""
+ ent.assert_each_passwd_by_uid({
+ 1001:dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL),
+ 1002:dict(name="user2", uid=1002, shell=config.SESSION_RECORDING_SHELL),
+ 1003:dict(name="user3", uid=1003, shell="/bin/sh3"),
+ 1004:dict(name="user4", uid=1004, shell="/bin/sh4"),
+ })
+
+
+def test_some_groups1_ent(some_groups1):
+ """Test "some" scope with group list and getpwent"""
+ ent.assert_passwd_list(
+ ent.contains_only(
+ dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL),
+ dict(name="user2", uid=1002, shell=config.SESSION_RECORDING_SHELL),
+ dict(name="user3", uid=1003, shell="/bin/sh3"),
+ dict(name="user4", uid=1004, shell="/bin/sh4"),
+ )
+ )
+
+
+def test_some_groups2_nam(some_groups2):
+ """Test "some" scope with group list and getpwnam"""
+ ent.assert_each_passwd_by_name(dict(
+ user1=dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL),
+ user2=dict(name="user2", uid=1002, shell=config.SESSION_RECORDING_SHELL),
+ user3=dict(name="user3", uid=1003, shell=config.SESSION_RECORDING_SHELL),
+ user4=dict(name="user4", uid=1004, shell="/bin/sh4"),
+ ))
+
+
+def test_some_groups2_uid(some_groups2):
+ """Test "some" scope with group list and getpwuid"""
+ ent.assert_each_passwd_by_uid({
+ 1001:dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL),
+ 1002:dict(name="user2", uid=1002, shell=config.SESSION_RECORDING_SHELL),
+ 1003:dict(name="user3", uid=1003, shell=config.SESSION_RECORDING_SHELL),
+ 1004:dict(name="user4", uid=1004, shell="/bin/sh4"),
+ })
+
+
+def test_some_groups2_ent(some_groups2):
+ """Test "some" scope with group list and getpwent"""
+ ent.assert_passwd_list(
+ ent.contains_only(
+ dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL),
+ dict(name="user2", uid=1002, shell=config.SESSION_RECORDING_SHELL),
+ dict(name="user3", uid=1003, shell=config.SESSION_RECORDING_SHELL),
+ dict(name="user4", uid=1004, shell="/bin/sh4"),
+ )
+ )
+
+
+def test_some_groups3_nam(some_groups3):
+ """Test "some" scope with group list and getpwnam"""
+ ent.assert_each_passwd_by_name(dict(
+ user1=dict(name="user1", uid=1001, shell="/bin/sh1"),
+ user2=dict(name="user2", uid=1002, shell="/bin/sh2"),
+ user3=dict(name="user3", uid=1003, shell="/bin/sh3"),
+ user4=dict(name="user4", uid=1004, shell=config.SESSION_RECORDING_SHELL),
+ ))
+
+
+def test_some_groups3_uid(some_groups3):
+ """Test "some" scope with group list and getpwuid"""
+ ent.assert_each_passwd_by_uid({
+ 1001:dict(name="user1", uid=1001, shell="/bin/sh1"),
+ 1002:dict(name="user2", uid=1002, shell="/bin/sh2"),
+ 1003:dict(name="user3", uid=1003, shell="/bin/sh3"),
+ 1004:dict(name="user4", uid=1004, shell=config.SESSION_RECORDING_SHELL),
+ })
+
+
+def test_some_groups3_ent(some_groups3):
+ """Test "some" scope with group list and getpwent"""
+ ent.assert_passwd_list(
+ ent.contains_only(
+ dict(name="user1", uid=1001, shell="/bin/sh1"),
+ dict(name="user2", uid=1002, shell="/bin/sh2"),
+ dict(name="user3", uid=1003, shell="/bin/sh3"),
+ dict(name="user4", uid=1004, shell=config.SESSION_RECORDING_SHELL),
+ )
+ )
+
+
+def test_some_groups4_nam(some_groups4):
+ """Test "some" scope with group list and getpwnam"""
+ ent.assert_each_passwd_by_name(dict(
+ user1=dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL),
+ user2=dict(name="user2", uid=1002, shell="/bin/sh2"),
+ user3=dict(name="user3", uid=1003, shell=config.SESSION_RECORDING_SHELL),
+ user4=dict(name="user4", uid=1004, shell="/bin/sh4"),
+ ))
+
+
+def test_some_groups4_uid(some_groups4):
+ """Test "some" scope with group list and getpwuid"""
+ ent.assert_each_passwd_by_uid({
+ 1001:dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL),
+ 1002:dict(name="user2", uid=1002, shell="/bin/sh2"),
+ 1003:dict(name="user3", uid=1003, shell=config.SESSION_RECORDING_SHELL),
+ 1004:dict(name="user4", uid=1004, shell="/bin/sh4"),
+ })
+
+
+def test_some_groups4_ent(some_groups4):
+ """Test "some" scope with group list and getpwent"""
+ ent.assert_passwd_list(
+ ent.contains_only(
+ dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL),
+ dict(name="user2", uid=1002, shell="/bin/sh2"),
+ dict(name="user3", uid=1003, shell=config.SESSION_RECORDING_SHELL),
+ dict(name="user4", uid=1004, shell="/bin/sh4"),
+ )
+ )
+
+
+@pytest.fixture
+def some_groups_overridden1(request, ldap_conn, users_and_groups):
+ """
+ Fixture with scope "some", specifying two primary groups with
+ overridden names, but one listed with the original name.
+ """
+ conf = \
+ format_basic_conf(ldap_conn, SCHEMA_RFC2307) + \
+ unindent("""\
+ [session_recording]
+ scope = some
+ groups = overridden_group1, group2
+ """).format(**locals())
+ create_conf_fixture(request, conf)
+ create_sssd_fixture(request)
+ subprocess.check_call(["sss_override", "group-add", "group1",
+ "-n", "overridden_group1"])
+ subprocess.check_call(["sss_override", "group-add", "group2",
+ "-n", "overridden_group2"])
+ restart_sssd()
+
+
+def test_some_groups_overridden1_nam(some_groups_overridden1):
+ """
+ Test "some" scope with group list containing some
+ overridden groups, and users requested with getpwnam.
+ """
+ ent.assert_each_passwd_by_name(dict(
+ user1=dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL),
+ user2=dict(name="user2", uid=1002, shell="/bin/sh2"),
+ user3=dict(name="user3", uid=1003, shell="/bin/sh3"),
+ user4=dict(name="user4", uid=1004, shell="/bin/sh4"),
+ ))
+
+
+def test_some_groups_overridden1_uid(some_groups_overridden1):
+ """
+ Test "some" scope with group list containing some
+ overridden groups, and users requested with getpwuid.
+ """
+ ent.assert_each_passwd_by_uid({
+ 1001:dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL),
+ 1002:dict(name="user2", uid=1002, shell="/bin/sh2"),
+ 1003:dict(name="user3", uid=1003, shell="/bin/sh3"),
+ 1004:dict(name="user4", uid=1004, shell="/bin/sh4"),
+ })
+
+
+def test_some_groups_overridden1_ent(some_groups_overridden1):
+ """
+ Test "some" scope with group list containing some
+ overridden groups, and users requested with getpwent.
+ """
+ ent.assert_passwd_list(
+ ent.contains_only(
+ dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL),
+ dict(name="user2", uid=1002, shell="/bin/sh2"),
+ dict(name="user3", uid=1003, shell="/bin/sh3"),
+ dict(name="user4", uid=1004, shell="/bin/sh4"),
+ )
+ )
+
+
+@pytest.fixture
+def some_groups_overridden2(request, ldap_conn, users_and_groups):
+ """
+ Fixture with scope "some", specifying two supplementary groups with
+ overridden names, but one listed with the original name.
+ """
+ conf = \
+ format_basic_conf(ldap_conn, SCHEMA_RFC2307) + \
+ unindent("""\
+ [session_recording]
+ scope = some
+ groups = one_user_group_overridden, two_user_group
+ """).format(**locals())
+ create_conf_fixture(request, conf)
+ create_sssd_fixture(request)
+ subprocess.check_call(["sss_override", "group-add", "one_user_group",
+ "-n", "one_user_group_overridden"])
+ subprocess.check_call(["sss_override", "group-add", "two_user_group",
+ "-n", "two_user_group_overridden"])
+ restart_sssd()
+
+
+def test_some_groups_overridden2_nam(some_groups_overridden2):
+ """
+ Test "some" scope with group list containing some
+ overridden groups, and users requested with getpwnam.
+ """
+ ent.assert_each_passwd_by_name(dict(
+ user1=dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL),
+ user2=dict(name="user2", uid=1002, shell="/bin/sh2"),
+ user3=dict(name="user3", uid=1003, shell="/bin/sh3"),
+ user4=dict(name="user4", uid=1004, shell="/bin/sh4"),
+ ))
+
+
+def test_some_groups_overridden2_uid(some_groups_overridden2):
+ """
+ Test "some" scope with group list containing some
+ overridden groups, and users requested with getpwuid.
+ """
+ ent.assert_each_passwd_by_uid({
+ 1001:dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL),
+ 1002:dict(name="user2", uid=1002, shell="/bin/sh2"),
+ 1003:dict(name="user3", uid=1003, shell="/bin/sh3"),
+ 1004:dict(name="user4", uid=1004, shell="/bin/sh4"),
+ })
+
+
+def test_some_groups_overridden2_ent(some_groups_overridden2):
+ """
+ Test "some" scope with group list containing some
+ overridden groups, and users requested with getpwent.
+ """
+ ent.assert_passwd_list(
+ ent.contains_only(
+ dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL),
+ dict(name="user2", uid=1002, shell="/bin/sh2"),
+ dict(name="user3", uid=1003, shell="/bin/sh3"),
+ dict(name="user4", uid=1004, shell="/bin/sh4"),
+ )
+ )
+
+
+@pytest.fixture
+def some_groups_overridden3(request, ldap_conn, users_and_groups):
+ """
+ Fixture with scope "some", having two primary groups with
+ IDs swapped via overriding, but only one of them listed.
+ """
+ conf = \
+ format_basic_conf(ldap_conn, SCHEMA_RFC2307) + \
+ unindent("""\
+ [session_recording]
+ scope = some
+ groups = group2
+ """).format(**locals())
+ create_conf_fixture(request, conf)
+ create_sssd_fixture(request)
+ subprocess.check_call(["sss_override", "group-add", "group1",
+ "-g", "2002"])
+ subprocess.check_call(["sss_override", "group-add", "group2",
+ "-g", "2001"])
+ restart_sssd()
+
+
+def test_some_groups_overridden3_nam(some_groups_overridden3):
+ """
+ Test "some" scope with group list containing some
+ overridden group, and users requested with getpwnam.
+ """
+ ent.assert_each_passwd_by_name(dict(
+ user1=dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL),
+ user2=dict(name="user2", uid=1002, shell="/bin/sh2"),
+ user3=dict(name="user3", uid=1003, shell="/bin/sh3"),
+ user4=dict(name="user4", uid=1004, shell="/bin/sh4"),
+ ))
+
+
+def test_some_groups_overridden3_uid(some_groups_overridden3):
+ """
+ Test "some" scope with group list containing some
+ overridden group, and users requested with getpwuid.
+ """
+ ent.assert_each_passwd_by_uid({
+ 1001:dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL),
+ 1002:dict(name="user2", uid=1002, shell="/bin/sh2"),
+ 1003:dict(name="user3", uid=1003, shell="/bin/sh3"),
+ 1004:dict(name="user4", uid=1004, shell="/bin/sh4"),
+ })
+
+
+def test_some_groups_overridden3_ent(some_groups_overridden3):
+ """
+ Test "some" scope with group list containing some
+ overridden group, and users requested with getpwent.
+ """
+ ent.assert_passwd_list(
+ ent.contains_only(
+ dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL),
+ dict(name="user2", uid=1002, shell="/bin/sh2"),
+ dict(name="user3", uid=1003, shell="/bin/sh3"),
+ dict(name="user4", uid=1004, shell="/bin/sh4"),
+ )
+ )
+
+
+@pytest.fixture
+def some_groups_overridden4(request, ldap_conn, users_and_groups):
+ """
+ Fixture with scope "some", two users with GIDs swapped via overridding,
+ and one of their primary groups listed.
+ """
+ conf = \
+ format_basic_conf(ldap_conn, SCHEMA_RFC2307) + \
+ unindent("""\
+ [session_recording]
+ scope = some
+ groups = group2
+ """).format(**locals())
+ create_conf_fixture(request, conf)
+ create_sssd_fixture(request)
+ subprocess.check_call(["sss_override", "user-add", "user1",
+ "-g", "2002"])
+ subprocess.check_call(["sss_override", "user-add", "user2",
+ "-g", "2001"])
+ restart_sssd()
+
+
+def test_some_groups_overridden4_nam(some_groups_overridden3):
+ """
+ Test "some" scope with group list containing some
+ overridden group, and users requested with getpwnam.
+ """
+ ent.assert_each_passwd_by_name(dict(
+ user1=dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL),
+ user2=dict(name="user2", uid=1002, shell="/bin/sh2"),
+ user3=dict(name="user3", uid=1003, shell="/bin/sh3"),
+ user4=dict(name="user4", uid=1004, shell="/bin/sh4"),
+ ))
+
+
+def test_some_groups_overridden4_uid(some_groups_overridden3):
+ """
+ Test "some" scope with group list containing some
+ overridden group, and users requested with getpwuid.
+ """
+ ent.assert_each_passwd_by_uid({
+ 1001:dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL),
+ 1002:dict(name="user2", uid=1002, shell="/bin/sh2"),
+ 1003:dict(name="user3", uid=1003, shell="/bin/sh3"),
+ 1004:dict(name="user4", uid=1004, shell="/bin/sh4"),
+ })
+
+
+def test_some_groups_overridden4_ent(some_groups_overridden3):
+ """
+ Test "some" scope with group list containing some
+ overridden group, and users requested with getpwent.
+ """
+ ent.assert_passwd_list(
+ ent.contains_only(
+ dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL),
+ dict(name="user2", uid=1002, shell="/bin/sh2"),
+ dict(name="user3", uid=1003, shell="/bin/sh3"),
+ dict(name="user4", uid=1004, shell="/bin/sh4"),
+ )
+ )
+
+
+@pytest.fixture
+def some_users_and_groups(request, ldap_conn, users_and_groups):
+ """
+ Fixture with scope "some", listing some users and groups.
+ """
+ conf = \
+ format_basic_conf(ldap_conn, SCHEMA_RFC2307) + \
+ unindent("""\
+ [session_recording]
+ scope = some
+ users = user3
+ groups = one_user_group
+ """).format(**locals())
+ create_conf_fixture(request, conf)
+ create_sssd_fixture(request)
+
+
+def test_some_users_and_groups_nam(some_users_and_groups):
+ """
+ Test "some" scope with user and group lists and getpwnam.
+ """
+ ent.assert_each_passwd_by_name(dict(
+ user1=dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL),
+ user2=dict(name="user2", uid=1002, shell="/bin/sh2"),
+ user3=dict(name="user3", uid=1003, shell=config.SESSION_RECORDING_SHELL),
+ user4=dict(name="user4", uid=1004, shell="/bin/sh4"),
+ ))
+
+
+def test_some_users_and_groups_uid(some_users_and_groups):
+ """
+ Test "some" scope with user and group lists and getpwuid.
+ """
+ ent.assert_each_passwd_by_uid({
+ 1001:dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL),
+ 1002:dict(name="user2", uid=1002, shell="/bin/sh2"),
+ 1003:dict(name="user3", uid=1003, shell=config.SESSION_RECORDING_SHELL),
+ 1004:dict(name="user4", uid=1004, shell="/bin/sh4"),
+ })
+
+
+def test_some_users_and_groups_ent(some_users_and_groups):
+ """
+ Test "some" scope with user and group lists and getpwent.
+ """
+ ent.assert_passwd_list(
+ ent.contains_only(
+ dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL),
+ dict(name="user2", uid=1002, shell="/bin/sh2"),
+ dict(name="user3", uid=1003, shell=config.SESSION_RECORDING_SHELL),
+ dict(name="user4", uid=1004, shell="/bin/sh4"),
+ )
+ )
--
2.14.1
Reference in New Issue Copy Permalink