From 53a4219e2f51cd0443931aa931505bf0b4bf5a45 Mon Sep 17 00:00:00 2001 From: Nikolai Kondrashov Date: Thu, 11 Aug 2016 14:18:38 +0300 Subject: [PATCH 17/93] INTG: Add session recording tests MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add basic tests for all base combinations of session recording configuration options. Reviewed-by: Pavel Březina --- contrib/ci/configure.sh | 1 + src/tests/intg/Makefile.am | 2 + src/tests/intg/config.py.m4 | 29 +- src/tests/intg/test_session_recording.py | 961 +++++++++++++++++++++++++++++++ 4 files changed, 979 insertions(+), 14 deletions(-) create mode 100644 src/tests/intg/test_session_recording.py diff --git a/contrib/ci/configure.sh b/contrib/ci/configure.sh index 9d18d0c187561a2dc3bc47d3e8913626e7ff3046..4a219da7577ea6aab5c8f14679b9e603c6c35be3 100644 --- a/contrib/ci/configure.sh +++ b/contrib/ci/configure.sh @@ -29,6 +29,7 @@ declare -a CONFIGURE_ARG_LIST=( "--enable-ldb-version-check" "--with-syslog=journald" "--enable-systemtap" + "--with-session-recording-shell=/bin/false" ) diff --git a/src/tests/intg/Makefile.am b/src/tests/intg/Makefile.am index 8566106e9017a8d3c9e7a3898a3a886e2966e346..abf6237fcf45d75bc7b9dba835e33413cf2a48da 100644 --- a/src/tests/intg/Makefile.am +++ b/src/tests/intg/Makefile.am @@ -18,6 +18,7 @@ dist_noinst_DATA = \ test_enumeration.py \ test_ldap.py \ test_memory_cache.py \ + test_session_recording.py \ test_ts_cache.py \ test_netgroup.py \ secrets.py \ @@ -42,6 +43,7 @@ config.py: config.py.m4 -D "libexecpath=\`$(libexecdir)'" \ -D "runstatedir=\`$(runstatedir)'" \ -D "abs_builddir=\`$(abs_builddir)'" \ + -D "session_recording_shell=\`$(session_recording_shell)'" \ $< > $@ root: diff --git a/src/tests/intg/config.py.m4 b/src/tests/intg/config.py.m4 index 841aae01f9f67f3a06656a580b84dfaa0a877c0f..bfbbf030fe5c6431ad3eec6c71d05e9138c82163 100644 --- a/src/tests/intg/config.py.m4 +++ b/src/tests/intg/config.py.m4 @@ -2,17 +2,18 @@ Build configuration variables. """ -PREFIX = "prefix" -SYSCONFDIR = "sysconfdir" -NSS_MODULE_DIR = PREFIX + "/lib" -SSSDCONFDIR = SYSCONFDIR + "/sssd" -CONF_PATH = SSSDCONFDIR + "/sssd.conf" -DB_PATH = "dbpath" -PID_PATH = "pidpath" -PIDFILE_PATH = PID_PATH + "/sssd.pid" -LOG_PATH = "logpath" -MCACHE_PATH = "mcpath" -SECDB_PATH = "secdbpath" -LIBEXEC_PATH = "libexecpath" -RUNSTATEDIR = "runstatedir" -ABS_BUILDDIR = "abs_builddir" +PREFIX = "prefix" +SYSCONFDIR = "sysconfdir" +NSS_MODULE_DIR = PREFIX + "/lib" +SSSDCONFDIR = SYSCONFDIR + "/sssd" +CONF_PATH = SSSDCONFDIR + "/sssd.conf" +DB_PATH = "dbpath" +PID_PATH = "pidpath" +PIDFILE_PATH = PID_PATH + "/sssd.pid" +LOG_PATH = "logpath" +MCACHE_PATH = "mcpath" +SECDB_PATH = "secdbpath" +LIBEXEC_PATH = "libexecpath" +RUNSTATEDIR = "runstatedir" +ABS_BUILDDIR = "abs_builddir" +SESSION_RECORDING_SHELL = "session_recording_shell" diff --git a/src/tests/intg/test_session_recording.py b/src/tests/intg/test_session_recording.py new file mode 100644 index 0000000000000000000000000000000000000000..56a056a156b5effe8b8afb7b5607cb60038eec4c --- /dev/null +++ b/src/tests/intg/test_session_recording.py @@ -0,0 +1,961 @@ +# +# Session Recording tests +# +# Copyright (c) 2016 Red Hat, Inc. +# Author: Nikolai Kondrashov +# +# This is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 only +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# +import os +import stat +import ent +import config +import signal +import subprocess +import time +import ldap +import pytest +import ds_openldap +import ldap_ent +from util import * + +LDAP_BASE_DN = "dc=example,dc=com" +INTERACTIVE_TIMEOUT = 4 + + +def stop_sssd(): + """Stop sssd""" + pid_file = open(config.PIDFILE_PATH, "r") + pid = int(pid_file.read()) + os.kill(pid, signal.SIGTERM) + while True: + try: + os.kill(pid, signal.SIGCONT) + except: + break + time.sleep(1) + + +def start_sssd(): + """Start sssd""" + if subprocess.call(["sssd", "-D", "-f"]) != 0: + raise Exception("sssd start failed") + + +def restart_sssd(): + """Restart sssd""" + stop_sssd() + start_sssd() + + +@pytest.fixture(scope="module") +def ds_inst(request): + """LDAP server instance fixture""" + ds_inst = ds_openldap.DSOpenLDAP( + config.PREFIX, 10389, LDAP_BASE_DN, + "cn=admin", "Secret123" + ) + + try: + ds_inst.setup() + except: + ds_inst.teardown() + raise + request.addfinalizer(lambda: ds_inst.teardown()) + return ds_inst + + +@pytest.fixture(scope="module") +def ldap_conn(request, ds_inst): + """LDAP server connection fixture""" + ldap_conn = ds_inst.bind() + ldap_conn.ds_inst = ds_inst + request.addfinalizer(lambda: ldap_conn.unbind_s()) + return ldap_conn + + +def create_ldap_entries(ldap_conn, ent_list=None): + """Add LDAP entries from ent_list""" + if ent_list is not None: + for entry in ent_list: + ldap_conn.add_s(entry[0], entry[1]) + + +def cleanup_ldap_entries(ldap_conn, ent_list=None): + """Remove LDAP entries added by create_ldap_entries""" + if ent_list is None: + for ou in ("Users", "Groups", "Netgroups", "Services", "Policies"): + for entry in ldap_conn.search_s("ou=" + ou + "," + + ldap_conn.ds_inst.base_dn, + ldap.SCOPE_ONELEVEL, + attrlist=[]): + ldap_conn.delete_s(entry[0]) + else: + for entry in ent_list: + ldap_conn.delete_s(entry[0]) + + +def create_ldap_cleanup(request, ldap_conn, ent_list=None): + """Add teardown for removing all user/group LDAP entries""" + request.addfinalizer(lambda: cleanup_ldap_entries(ldap_conn, ent_list)) + + +def create_ldap_fixture(request, ldap_conn, ent_list=None): + """Add LDAP entries and add teardown for removing them""" + create_ldap_entries(ldap_conn, ent_list) + create_ldap_cleanup(request, ldap_conn, ent_list) + + +SCHEMA_RFC2307 = "rfc2307" +SCHEMA_RFC2307_BIS = "rfc2307bis" + + +def format_basic_conf(ldap_conn, schema): + """ + Format a basic SSSD configuration. + + The files domain is defined but not enabled in order to avoid enumerating + users from the files domain that would otherwise by implicitly enabled. + """ + schema_conf = "ldap_schema = " + schema + "\n" + if schema == SCHEMA_RFC2307_BIS: + schema_conf += "ldap_group_object_class = groupOfNames\n" + return unindent("""\ + [sssd] + debug_level = 0xffff + domains = LDAP + services = nss, pam + + [nss] + debug_level = 0xffff + memcache_timeout = 0 + + [pam] + debug_level = 0xffff + + [domain/files] + id_provider = files + + [domain/LDAP] + ldap_auth_disable_tls_never_use_in_production = true + debug_level = 0xffff + enumerate = true + {schema_conf} + id_provider = ldap + auth_provider = ldap + ldap_uri = {ldap_conn.ds_inst.ldap_url} + ldap_search_base = {ldap_conn.ds_inst.base_dn} + """).format(**locals()) + + +def create_conf_file(contents): + """Create sssd.conf with specified contents""" + conf = open(config.CONF_PATH, "w") + conf.write(contents) + conf.close() + os.chmod(config.CONF_PATH, stat.S_IRUSR | stat.S_IWUSR) + + +def cleanup_conf_file(): + """Remove sssd.conf, if it exists""" + if os.path.lexists(config.CONF_PATH): + os.unlink(config.CONF_PATH) + + +def create_conf_cleanup(request): + """Add teardown for removing sssd.conf""" + request.addfinalizer(cleanup_conf_file) + + +def create_conf_fixture(request, contents): + """ + Create sssd.conf with specified contents and add teardown for removing it. + """ + create_conf_file(contents) + create_conf_cleanup(request) + + +def create_sssd_process(): + """Start the SSSD process""" + if subprocess.call(["sssd", "-D", "-f"]) != 0: + raise Exception("sssd start failed") + + +def cleanup_sssd_process(): + """Stop the SSSD process and remove its state""" + try: + pid_file = open(config.PIDFILE_PATH, "r") + pid = int(pid_file.read()) + os.kill(pid, signal.SIGTERM) + while True: + try: + os.kill(pid, signal.SIGCONT) + except: + break + time.sleep(1) + except: + pass + for path in os.listdir(config.DB_PATH): + os.unlink(config.DB_PATH + "/" + path) + for path in os.listdir(config.MCACHE_PATH): + os.unlink(config.MCACHE_PATH + "/" + path) + + +def create_sssd_cleanup(request): + """Add teardown for stopping SSSD and removing its state""" + request.addfinalizer(cleanup_sssd_process) + + +def create_sssd_fixture(request): + """Start SSSD and add teardown for stopping it and removing its state""" + create_sssd_process() + create_sssd_cleanup(request) + + +@pytest.fixture +def users_and_groups(request, ldap_conn): + ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) + ent_list.add_user("user1", 1001, 2001, loginShell="/bin/sh1") + ent_list.add_user("user2", 1002, 2002, loginShell="/bin/sh2") + ent_list.add_user("user3", 1003, 2003, loginShell="/bin/sh3") + # User without primary group + ent_list.add_user("user4", 1004, 2004, loginShell="/bin/sh4") + ent_list.add_group("group1", 2001) + ent_list.add_group("group2", 2002) + ent_list.add_group("group3", 2003) + ent_list.add_group("empty_group", 2010) + ent_list.add_group("one_user_group", 2011, ["user1"]) + ent_list.add_group("two_user_group", 2012, ["user1", "user2"]) + ent_list.add_group("three_user_group", 2013, ["user1", "user2", "user3"]) + # Supplementary group for a user without primary group + ent_list.add_group("groupless_user_group", 2014, ["user4"]) + create_ldap_fixture(request, ldap_conn, ent_list) + + +@pytest.fixture +def none(request, ldap_conn, users_and_groups): + """ + Fixture with scope "none". + """ + conf = \ + format_basic_conf(ldap_conn, SCHEMA_RFC2307) + \ + unindent("""\ + [session_recording] + scope = none + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + + +def test_none(none): + """Test "none" scope""" + ent.assert_passwd( + ent.contains_only( + dict(name="user1", uid=1001, shell="/bin/sh1"), + dict(name="user2", uid=1002, shell="/bin/sh2"), + dict(name="user3", uid=1003, shell="/bin/sh3"), + dict(name="user4", uid=1004, shell="/bin/sh4"), + ) + ) + + +@pytest.fixture +def all(request, ldap_conn, users_and_groups): + """ + Fixture with scope "all". + """ + conf = \ + format_basic_conf(ldap_conn, SCHEMA_RFC2307) + \ + unindent("""\ + [session_recording] + scope = all + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + + +def test_all_nam(all): + """Test "all" scope with getpwnam""" + ent.assert_each_passwd_by_name(dict( + user1=dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL), + user2=dict(name="user2", uid=1002, shell=config.SESSION_RECORDING_SHELL), + user3=dict(name="user3", uid=1003, shell=config.SESSION_RECORDING_SHELL), + user4=dict(name="user4", uid=1004, shell=config.SESSION_RECORDING_SHELL), + )) + + +def test_all_uid(all): + """Test "all" scope with getpwuid""" + ent.assert_each_passwd_by_uid({ + 1001:dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL), + 1002:dict(name="user2", uid=1002, shell=config.SESSION_RECORDING_SHELL), + 1003:dict(name="user3", uid=1003, shell=config.SESSION_RECORDING_SHELL), + 1004:dict(name="user4", uid=1004, shell=config.SESSION_RECORDING_SHELL), + }) + + +def test_all_ent(all): + """Test "all" scope with getpwent""" + ent.assert_passwd_list( + ent.contains_only( + dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL), + dict(name="user2", uid=1002, shell=config.SESSION_RECORDING_SHELL), + dict(name="user3", uid=1003, shell=config.SESSION_RECORDING_SHELL), + dict(name="user4", uid=1004, shell=config.SESSION_RECORDING_SHELL), + ) + ) + + +@pytest.fixture +def some_empty(request, ldap_conn, users_and_groups): + """ + Fixture with scope "some", but no users or groups listed. + """ + conf = \ + format_basic_conf(ldap_conn, SCHEMA_RFC2307) + \ + unindent("""\ + [session_recording] + scope = some + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + + +def test_some_empty(some_empty): + """Test "some" scope with no users or groups""" + ent.assert_passwd( + ent.contains_only( + dict(name="user1", uid=1001, shell="/bin/sh1"), + dict(name="user2", uid=1002, shell="/bin/sh2"), + dict(name="user3", uid=1003, shell="/bin/sh3"), + dict(name="user4", uid=1004, shell="/bin/sh4"), + ) + ) + + +@pytest.fixture +def some_users(request, ldap_conn, users_and_groups): + """ + Fixture with scope "some", and some users listed. + """ + conf = \ + format_basic_conf(ldap_conn, SCHEMA_RFC2307) + \ + unindent("""\ + [session_recording] + scope = some + users = user1, user2 + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + + +def test_some_users_nam(some_users): + """Test "some" scope with user list and getpwnam""" + ent.assert_each_passwd_by_name(dict( + user1=dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL), + user2=dict(name="user2", uid=1002, shell=config.SESSION_RECORDING_SHELL), + user3=dict(name="user3", uid=1003, shell="/bin/sh3"), + user4=dict(name="user4", uid=1004, shell="/bin/sh4"), + )) + + +def test_some_users_uid(some_users): + """Test "some" scope with user list and getpwuid""" + ent.assert_each_passwd_by_uid({ + 1001:dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL), + 1002:dict(name="user2", uid=1002, shell=config.SESSION_RECORDING_SHELL), + 1003:dict(name="user3", uid=1003, shell="/bin/sh3"), + 1004:dict(name="user4", uid=1004, shell="/bin/sh4"), + }) + + +def test_some_users_ent(some_users): + """Test "some" scope with user list and getpwent""" + ent.assert_passwd_list( + ent.contains_only( + dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL), + dict(name="user2", uid=1002, shell=config.SESSION_RECORDING_SHELL), + dict(name="user3", uid=1003, shell="/bin/sh3"), + dict(name="user4", uid=1004, shell="/bin/sh4"), + ) + ) + + +@pytest.fixture +def some_users_overridden(request, ldap_conn, users_and_groups): + """ + Fixture with scope "some", specifying two users with + overridden names, but one listed with the original name. + """ + conf = \ + format_basic_conf(ldap_conn, SCHEMA_RFC2307) + \ + unindent("""\ + [session_recording] + scope = some + users = overridden_user1, user2 + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + subprocess.check_call(["sss_override", "user-add", "user1", + "-n", "overridden_user1"]) + subprocess.check_call(["sss_override", "user-add", "user2", + "-n", "overridden_user2"]) + restart_sssd() + + +def test_some_users_overridden_nam(some_users_overridden): + """ + Test "some" scope with user list containing some + overridden users, requested with getpwnam. + """ + ent.assert_each_passwd_by_name(dict( + overridden_user1=dict(name="overridden_user1", uid=1001, + shell=config.SESSION_RECORDING_SHELL), + overridden_user2=dict(name="overridden_user2", uid=1002, + shell="/bin/sh2"), + user3=dict(name="user3", uid=1003, shell="/bin/sh3"), + user4=dict(name="user4", uid=1004, shell="/bin/sh4"), + )) + + +def test_some_users_overridden_uid(some_users_overridden): + """ + Test "some" scope with user list containing some + overridden users, requested with getpwuid. + """ + ent.assert_each_passwd_by_uid({ + 1001:dict(name="overridden_user1", uid=1001, + shell=config.SESSION_RECORDING_SHELL), + 1002:dict(name="overridden_user2", uid=1002, + shell="/bin/sh2"), + 1003:dict(name="user3", uid=1003, shell="/bin/sh3"), + 1004:dict(name="user4", uid=1004, shell="/bin/sh4"), + }) + + +def test_some_users_overridden_ent(some_users_overridden): + """ + Test "some" scope with user list containing some + overridden users, requested with getpwent. + """ + ent.assert_passwd_list( + ent.contains_only( + dict(name="overridden_user1", uid=1001, + shell=config.SESSION_RECORDING_SHELL), + dict(name="overridden_user2", uid=1002, + shell="/bin/sh2"), + dict(name="user3", uid=1003, shell="/bin/sh3"), + dict(name="user4", uid=1004, shell="/bin/sh4"), + ) + ) + + +@pytest.fixture +def some_groups1(request, ldap_conn, users_and_groups): + """ + Fixture with scope "some", specifying a single-user supplementary group, + and a two-user supplementary group intersecting with the first one. + """ + conf = \ + format_basic_conf(ldap_conn, SCHEMA_RFC2307) + \ + unindent("""\ + [session_recording] + scope = some + groups = one_user_group, two_user_group + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + + +@pytest.fixture +def some_groups2(request, ldap_conn, users_and_groups): + """ + Fixture with scope "some", specifying a three-user supplementary group. + """ + conf = \ + format_basic_conf(ldap_conn, SCHEMA_RFC2307) + \ + unindent("""\ + [session_recording] + scope = some + groups = three_user_group + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + + +@pytest.fixture +def some_groups3(request, ldap_conn, users_and_groups): + """ + Fixture with scope "some", specifying a group with a user with + non-existent primary group. + """ + conf = \ + format_basic_conf(ldap_conn, SCHEMA_RFC2307) + \ + unindent("""\ + [session_recording] + scope = some + groups = groupless_user_group + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + + +@pytest.fixture +def some_groups4(request, ldap_conn, users_and_groups): + """ + Fixture with scope "some", specifying two primary groups. + """ + conf = \ + format_basic_conf(ldap_conn, SCHEMA_RFC2307) + \ + unindent("""\ + [session_recording] + scope = some + groups = group1, group3 + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + + +def test_some_groups1_nam(some_groups1): + """Test "some" scope with group list and getpwnam""" + ent.assert_each_passwd_by_name(dict( + user1=dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL), + user2=dict(name="user2", uid=1002, shell=config.SESSION_RECORDING_SHELL), + user3=dict(name="user3", uid=1003, shell="/bin/sh3"), + user4=dict(name="user4", uid=1004, shell="/bin/sh4"), + )) + + +def test_some_groups1_uid(some_groups1): + """Test "some" scope with group list and getpwuid""" + ent.assert_each_passwd_by_uid({ + 1001:dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL), + 1002:dict(name="user2", uid=1002, shell=config.SESSION_RECORDING_SHELL), + 1003:dict(name="user3", uid=1003, shell="/bin/sh3"), + 1004:dict(name="user4", uid=1004, shell="/bin/sh4"), + }) + + +def test_some_groups1_ent(some_groups1): + """Test "some" scope with group list and getpwent""" + ent.assert_passwd_list( + ent.contains_only( + dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL), + dict(name="user2", uid=1002, shell=config.SESSION_RECORDING_SHELL), + dict(name="user3", uid=1003, shell="/bin/sh3"), + dict(name="user4", uid=1004, shell="/bin/sh4"), + ) + ) + + +def test_some_groups2_nam(some_groups2): + """Test "some" scope with group list and getpwnam""" + ent.assert_each_passwd_by_name(dict( + user1=dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL), + user2=dict(name="user2", uid=1002, shell=config.SESSION_RECORDING_SHELL), + user3=dict(name="user3", uid=1003, shell=config.SESSION_RECORDING_SHELL), + user4=dict(name="user4", uid=1004, shell="/bin/sh4"), + )) + + +def test_some_groups2_uid(some_groups2): + """Test "some" scope with group list and getpwuid""" + ent.assert_each_passwd_by_uid({ + 1001:dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL), + 1002:dict(name="user2", uid=1002, shell=config.SESSION_RECORDING_SHELL), + 1003:dict(name="user3", uid=1003, shell=config.SESSION_RECORDING_SHELL), + 1004:dict(name="user4", uid=1004, shell="/bin/sh4"), + }) + + +def test_some_groups2_ent(some_groups2): + """Test "some" scope with group list and getpwent""" + ent.assert_passwd_list( + ent.contains_only( + dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL), + dict(name="user2", uid=1002, shell=config.SESSION_RECORDING_SHELL), + dict(name="user3", uid=1003, shell=config.SESSION_RECORDING_SHELL), + dict(name="user4", uid=1004, shell="/bin/sh4"), + ) + ) + + +def test_some_groups3_nam(some_groups3): + """Test "some" scope with group list and getpwnam""" + ent.assert_each_passwd_by_name(dict( + user1=dict(name="user1", uid=1001, shell="/bin/sh1"), + user2=dict(name="user2", uid=1002, shell="/bin/sh2"), + user3=dict(name="user3", uid=1003, shell="/bin/sh3"), + user4=dict(name="user4", uid=1004, shell=config.SESSION_RECORDING_SHELL), + )) + + +def test_some_groups3_uid(some_groups3): + """Test "some" scope with group list and getpwuid""" + ent.assert_each_passwd_by_uid({ + 1001:dict(name="user1", uid=1001, shell="/bin/sh1"), + 1002:dict(name="user2", uid=1002, shell="/bin/sh2"), + 1003:dict(name="user3", uid=1003, shell="/bin/sh3"), + 1004:dict(name="user4", uid=1004, shell=config.SESSION_RECORDING_SHELL), + }) + + +def test_some_groups3_ent(some_groups3): + """Test "some" scope with group list and getpwent""" + ent.assert_passwd_list( + ent.contains_only( + dict(name="user1", uid=1001, shell="/bin/sh1"), + dict(name="user2", uid=1002, shell="/bin/sh2"), + dict(name="user3", uid=1003, shell="/bin/sh3"), + dict(name="user4", uid=1004, shell=config.SESSION_RECORDING_SHELL), + ) + ) + + +def test_some_groups4_nam(some_groups4): + """Test "some" scope with group list and getpwnam""" + ent.assert_each_passwd_by_name(dict( + user1=dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL), + user2=dict(name="user2", uid=1002, shell="/bin/sh2"), + user3=dict(name="user3", uid=1003, shell=config.SESSION_RECORDING_SHELL), + user4=dict(name="user4", uid=1004, shell="/bin/sh4"), + )) + + +def test_some_groups4_uid(some_groups4): + """Test "some" scope with group list and getpwuid""" + ent.assert_each_passwd_by_uid({ + 1001:dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL), + 1002:dict(name="user2", uid=1002, shell="/bin/sh2"), + 1003:dict(name="user3", uid=1003, shell=config.SESSION_RECORDING_SHELL), + 1004:dict(name="user4", uid=1004, shell="/bin/sh4"), + }) + + +def test_some_groups4_ent(some_groups4): + """Test "some" scope with group list and getpwent""" + ent.assert_passwd_list( + ent.contains_only( + dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL), + dict(name="user2", uid=1002, shell="/bin/sh2"), + dict(name="user3", uid=1003, shell=config.SESSION_RECORDING_SHELL), + dict(name="user4", uid=1004, shell="/bin/sh4"), + ) + ) + + +@pytest.fixture +def some_groups_overridden1(request, ldap_conn, users_and_groups): + """ + Fixture with scope "some", specifying two primary groups with + overridden names, but one listed with the original name. + """ + conf = \ + format_basic_conf(ldap_conn, SCHEMA_RFC2307) + \ + unindent("""\ + [session_recording] + scope = some + groups = overridden_group1, group2 + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + subprocess.check_call(["sss_override", "group-add", "group1", + "-n", "overridden_group1"]) + subprocess.check_call(["sss_override", "group-add", "group2", + "-n", "overridden_group2"]) + restart_sssd() + + +def test_some_groups_overridden1_nam(some_groups_overridden1): + """ + Test "some" scope with group list containing some + overridden groups, and users requested with getpwnam. + """ + ent.assert_each_passwd_by_name(dict( + user1=dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL), + user2=dict(name="user2", uid=1002, shell="/bin/sh2"), + user3=dict(name="user3", uid=1003, shell="/bin/sh3"), + user4=dict(name="user4", uid=1004, shell="/bin/sh4"), + )) + + +def test_some_groups_overridden1_uid(some_groups_overridden1): + """ + Test "some" scope with group list containing some + overridden groups, and users requested with getpwuid. + """ + ent.assert_each_passwd_by_uid({ + 1001:dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL), + 1002:dict(name="user2", uid=1002, shell="/bin/sh2"), + 1003:dict(name="user3", uid=1003, shell="/bin/sh3"), + 1004:dict(name="user4", uid=1004, shell="/bin/sh4"), + }) + + +def test_some_groups_overridden1_ent(some_groups_overridden1): + """ + Test "some" scope with group list containing some + overridden groups, and users requested with getpwent. + """ + ent.assert_passwd_list( + ent.contains_only( + dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL), + dict(name="user2", uid=1002, shell="/bin/sh2"), + dict(name="user3", uid=1003, shell="/bin/sh3"), + dict(name="user4", uid=1004, shell="/bin/sh4"), + ) + ) + + +@pytest.fixture +def some_groups_overridden2(request, ldap_conn, users_and_groups): + """ + Fixture with scope "some", specifying two supplementary groups with + overridden names, but one listed with the original name. + """ + conf = \ + format_basic_conf(ldap_conn, SCHEMA_RFC2307) + \ + unindent("""\ + [session_recording] + scope = some + groups = one_user_group_overridden, two_user_group + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + subprocess.check_call(["sss_override", "group-add", "one_user_group", + "-n", "one_user_group_overridden"]) + subprocess.check_call(["sss_override", "group-add", "two_user_group", + "-n", "two_user_group_overridden"]) + restart_sssd() + + +def test_some_groups_overridden2_nam(some_groups_overridden2): + """ + Test "some" scope with group list containing some + overridden groups, and users requested with getpwnam. + """ + ent.assert_each_passwd_by_name(dict( + user1=dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL), + user2=dict(name="user2", uid=1002, shell="/bin/sh2"), + user3=dict(name="user3", uid=1003, shell="/bin/sh3"), + user4=dict(name="user4", uid=1004, shell="/bin/sh4"), + )) + + +def test_some_groups_overridden2_uid(some_groups_overridden2): + """ + Test "some" scope with group list containing some + overridden groups, and users requested with getpwuid. + """ + ent.assert_each_passwd_by_uid({ + 1001:dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL), + 1002:dict(name="user2", uid=1002, shell="/bin/sh2"), + 1003:dict(name="user3", uid=1003, shell="/bin/sh3"), + 1004:dict(name="user4", uid=1004, shell="/bin/sh4"), + }) + + +def test_some_groups_overridden2_ent(some_groups_overridden2): + """ + Test "some" scope with group list containing some + overridden groups, and users requested with getpwent. + """ + ent.assert_passwd_list( + ent.contains_only( + dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL), + dict(name="user2", uid=1002, shell="/bin/sh2"), + dict(name="user3", uid=1003, shell="/bin/sh3"), + dict(name="user4", uid=1004, shell="/bin/sh4"), + ) + ) + + +@pytest.fixture +def some_groups_overridden3(request, ldap_conn, users_and_groups): + """ + Fixture with scope "some", having two primary groups with + IDs swapped via overriding, but only one of them listed. + """ + conf = \ + format_basic_conf(ldap_conn, SCHEMA_RFC2307) + \ + unindent("""\ + [session_recording] + scope = some + groups = group2 + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + subprocess.check_call(["sss_override", "group-add", "group1", + "-g", "2002"]) + subprocess.check_call(["sss_override", "group-add", "group2", + "-g", "2001"]) + restart_sssd() + + +def test_some_groups_overridden3_nam(some_groups_overridden3): + """ + Test "some" scope with group list containing some + overridden group, and users requested with getpwnam. + """ + ent.assert_each_passwd_by_name(dict( + user1=dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL), + user2=dict(name="user2", uid=1002, shell="/bin/sh2"), + user3=dict(name="user3", uid=1003, shell="/bin/sh3"), + user4=dict(name="user4", uid=1004, shell="/bin/sh4"), + )) + + +def test_some_groups_overridden3_uid(some_groups_overridden3): + """ + Test "some" scope with group list containing some + overridden group, and users requested with getpwuid. + """ + ent.assert_each_passwd_by_uid({ + 1001:dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL), + 1002:dict(name="user2", uid=1002, shell="/bin/sh2"), + 1003:dict(name="user3", uid=1003, shell="/bin/sh3"), + 1004:dict(name="user4", uid=1004, shell="/bin/sh4"), + }) + + +def test_some_groups_overridden3_ent(some_groups_overridden3): + """ + Test "some" scope with group list containing some + overridden group, and users requested with getpwent. + """ + ent.assert_passwd_list( + ent.contains_only( + dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL), + dict(name="user2", uid=1002, shell="/bin/sh2"), + dict(name="user3", uid=1003, shell="/bin/sh3"), + dict(name="user4", uid=1004, shell="/bin/sh4"), + ) + ) + + +@pytest.fixture +def some_groups_overridden4(request, ldap_conn, users_and_groups): + """ + Fixture with scope "some", two users with GIDs swapped via overridding, + and one of their primary groups listed. + """ + conf = \ + format_basic_conf(ldap_conn, SCHEMA_RFC2307) + \ + unindent("""\ + [session_recording] + scope = some + groups = group2 + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + subprocess.check_call(["sss_override", "user-add", "user1", + "-g", "2002"]) + subprocess.check_call(["sss_override", "user-add", "user2", + "-g", "2001"]) + restart_sssd() + + +def test_some_groups_overridden4_nam(some_groups_overridden3): + """ + Test "some" scope with group list containing some + overridden group, and users requested with getpwnam. + """ + ent.assert_each_passwd_by_name(dict( + user1=dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL), + user2=dict(name="user2", uid=1002, shell="/bin/sh2"), + user3=dict(name="user3", uid=1003, shell="/bin/sh3"), + user4=dict(name="user4", uid=1004, shell="/bin/sh4"), + )) + + +def test_some_groups_overridden4_uid(some_groups_overridden3): + """ + Test "some" scope with group list containing some + overridden group, and users requested with getpwuid. + """ + ent.assert_each_passwd_by_uid({ + 1001:dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL), + 1002:dict(name="user2", uid=1002, shell="/bin/sh2"), + 1003:dict(name="user3", uid=1003, shell="/bin/sh3"), + 1004:dict(name="user4", uid=1004, shell="/bin/sh4"), + }) + + +def test_some_groups_overridden4_ent(some_groups_overridden3): + """ + Test "some" scope with group list containing some + overridden group, and users requested with getpwent. + """ + ent.assert_passwd_list( + ent.contains_only( + dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL), + dict(name="user2", uid=1002, shell="/bin/sh2"), + dict(name="user3", uid=1003, shell="/bin/sh3"), + dict(name="user4", uid=1004, shell="/bin/sh4"), + ) + ) + + +@pytest.fixture +def some_users_and_groups(request, ldap_conn, users_and_groups): + """ + Fixture with scope "some", listing some users and groups. + """ + conf = \ + format_basic_conf(ldap_conn, SCHEMA_RFC2307) + \ + unindent("""\ + [session_recording] + scope = some + users = user3 + groups = one_user_group + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + + +def test_some_users_and_groups_nam(some_users_and_groups): + """ + Test "some" scope with user and group lists and getpwnam. + """ + ent.assert_each_passwd_by_name(dict( + user1=dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL), + user2=dict(name="user2", uid=1002, shell="/bin/sh2"), + user3=dict(name="user3", uid=1003, shell=config.SESSION_RECORDING_SHELL), + user4=dict(name="user4", uid=1004, shell="/bin/sh4"), + )) + + +def test_some_users_and_groups_uid(some_users_and_groups): + """ + Test "some" scope with user and group lists and getpwuid. + """ + ent.assert_each_passwd_by_uid({ + 1001:dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL), + 1002:dict(name="user2", uid=1002, shell="/bin/sh2"), + 1003:dict(name="user3", uid=1003, shell=config.SESSION_RECORDING_SHELL), + 1004:dict(name="user4", uid=1004, shell="/bin/sh4"), + }) + + +def test_some_users_and_groups_ent(some_users_and_groups): + """ + Test "some" scope with user and group lists and getpwent. + """ + ent.assert_passwd_list( + ent.contains_only( + dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL), + dict(name="user2", uid=1002, shell="/bin/sh2"), + dict(name="user3", uid=1003, shell=config.SESSION_RECORDING_SHELL), + dict(name="user4", uid=1004, shell="/bin/sh4"), + ) + ) -- 2.14.1