Tests: Test transformation of bash-ldap-id-ldap-auth netgroup

Test transformation of bash-ldap-id-ldap-auth netgroup
SSSD · Oct 18, 2024 · f0c4c4e · f0c4c4e
1 parent 263cb2e
commit f0c4c4e
Showing 1 changed file with 208 additions and 1 deletion.
diff --git a/src/tests/system/tests/test_netgroups.py b/src/tests/system/tests/test_netgroups.py
@@ -9,7 +9,21 @@
 import pytest
 from sssd_test_framework.roles.client import Client
 from sssd_test_framework.roles.generic import GenericProvider
-from sssd_test_framework.topology import KnownTopologyGroup
+from sssd_test_framework.roles.ldap import LDAP
+from sssd_test_framework.topology import KnownTopology, KnownTopologyGroup
+
+
+def create_users(ldap: LDAP):
+    """
+    Creates users/groups needed for this test script.
+    """
+    ou_people = ldap.ou("People").add()
+    ou_group = ldap.ou("groups").add()
+    ldap.ou("Netgroup").add()
+
+    for id in [9000, 9001, 9002, 9003, 9004, 9005, 9006, 9007, 9008, 9009, 9010]:
+        ldap.user(f"ng{id}", basedn=ou_people).add()
+        ldap.user(f"ng{id}", basedn=ou_group).add()
 
 
 @pytest.mark.importance("medium")
@@ -108,3 +122,196 @@ def test_netgroups__add_remove_netgroup_member(client: Client, provider: Generic
     assert len(result.members) == 1
     assert "(-, user-1)" not in result.members
     assert "(-, user-2)" in result.members
+
+
+@pytest.mark.importance("low")
+@pytest.mark.topology(KnownTopology.LDAP)
+def test_netgroup__membernisnetgroup(client: Client, ldap: LDAP):
+    """
+    :title: Add more complex LDAP netgroup structure by nesting one netgroup within another.
+    :setup:
+        1. Create users, groups
+        2. Create QAUsers Netgroup and Add Member
+        3. Create DEVUsers Netgroup and Add Member
+        4. Add QAUsers as a Member of DEVUsers
+        5. Start sssd
+    :steps:
+        1. Check that (testhost5, ng9005, ldap.test) is present as a direct member of "DEVUsers".
+        2. Check that (testhost1, ng9000, ldap.test) is also present,
+            even though this tuple was added to "QAUsers", not "DEVUsers".
+            This confirms that the nested group membership is working correctly
+            (since "QAUsers" is nested within "DEVUsers").
+    :expectedresults:
+        1. (testhost5, ng9005, ldap.test) is present as a direct member of "DEVUsers".
+        2. (testhost1, ng9000, ldap.test) is present as a direct member of "DEVUsers".
+    """
+    ou = ldap.ou("Netgroup")
+    create_users(ldap)
+
+    qa_users = ldap.netgroup("QAUsers", basedn=ou).add()
+    qa_users.add_member(host="testhost1", user="ng9000", domain="ldap.test")
+
+    dev_users = ldap.netgroup("DEVUsers", basedn=ou).add()
+    dev_users.add_member(host="testhost5", user="ng9005", domain="ldap.test")
+    ldap.ldap.modify(dev_users.dn, add={"memberNisNetgroup": "QAUsers"})
+
+    client.sssd.start()
+
+    member = client.tools.getent.netgroup("DEVUsers").members
+    assert "(testhost5, ng9005, ldap.test)" in member
+    assert "(testhost1, ng9000, ldap.test)" in member
+
+
+@pytest.mark.importance("low")
+@pytest.mark.topology(KnownTopology.LDAP)
+def test_netgroup__add_dn_membernisnetgroup(client: Client, ldap: LDAP):
+    """
+    :title: Assert that SSSD processes 'memberNisNetgroup' attribute is the DN of a group.
+    :setup:
+        1. Create users, groups and start sssd.
+        2. Create a new netgroup called QAUsers and add a member (ng9000) to QAUsers
+        3. Create another netgroup named DEVUsers and add a member (ng9005) to DEVUsers
+        4. Modify the DEVUsers netgroup to replace its members with the members of QAUsers.
+        5. Start sssd
+    :steps:
+        1. Retrieve all members of the DEVUsers netgroup.
+        2. Confirm that the member directly added to DEVUsers is present.
+        3. Confirm that the member from QAUsers is now part of DEVUsers.
+    :expectedresults:
+        1. All members should be retrieved
+        2. Tuple (testhost5, ng9005, ldap.test) is present as a direct member of "DEVUsers".
+        3. Tuple (testhost1, ng9000, ldap.test) is also present.
+    :customerscenario: False
+    """
+    ou = ldap.ou("Netgroup")
+    create_users(ldap)
+
+    qa_users = ldap.netgroup("QAUsers", basedn=ou).add()
+    qa_users.add_member(host="testhost1", user="ng9000", domain="ldap.test")
+
+    dev_users = ldap.netgroup("DEVUsers", basedn=ou).add()
+    dev_users.add_member(host="testhost5", user="ng9005", domain="ldap.test")
+    ldap.ldap.modify(dev_users.dn, replace={"memberNisNetgroup": qa_users.dn})
+
+    client.sssd.start()
+
+    member = client.tools.getent.netgroup("DEVUsers").members
+    assert "(testhost5, ng9005, ldap.test)" in member
+    assert "(testhost1, ng9000, ldap.test)" in member
+
+
+@pytest.mark.importance("low")
+@pytest.mark.topology(KnownTopology.LDAP)
+def test_netgroup__different_syntax(client: Client, ldap: LDAP):
+    """
+    :title: Using different syntax for nisNetgroupTriple
+    :setup:
+        1. Create users, groups
+        2. Create QAUsers Netgroup and Add Member
+        3. Create DEVUsers Netgroup and Add Members
+        4. Start sssd
+    :steps:
+        1. Check that the user ng9006 appears in the group members list, represented as the tuple (-,ng9006,).
+    :expectedresults:
+        1. The user ng9006 appears in the group members list
+    :customerscenario: False
+    """
+    ou = ldap.ou("Netgroup")
+    create_users(ldap)
+
+    qa_users = ldap.netgroup("QAUsers", basedn=ou).add()
+    qa_users.add_member(host="testhost1", user="ng9000", domain="ldap.test")
+
+    dev_users = ldap.netgroup("DEVUsers", basedn=ou).add()
+    dev_users.add_member(host="testhost5", user="ng9005", domain="ldap.test")
+    dev_users.add_member(user="ng9006")
+
+    client.sssd.start()
+
+    member = client.tools.getent.netgroup("DEVUsers").members
+    assert "(-,ng9006,)" in member
+
+
+@pytest.mark.importance("low")
+@pytest.mark.topology(KnownTopology.LDAP)
+def test_netgroup__host_and_domain(client: Client, ldap: LDAP):
+    """
+    :title: A scenario where an LDAP netgroup contains a member that
+        only has a host and domain specified, but no associated user.
+    :setup:
+        1. Create users, groups.
+        2. Create QAUsers Netgroup and Add Member
+        3. Create DEVUsers Netgroup and Add Members
+        4. Start sssd
+    :steps:
+        1.  Check that the tuple (samplehost, -, samplehost.domain.com) is part of the group
+    :expectedresults:
+        1. The tuple (samplehost, -, samplehost.domain.com) is part of the group
+    :customerscenario: False
+    """
+    ou = ldap.ou("Netgroup")
+    create_users(ldap)
+
+    qa_users = ldap.netgroup("QAUsers", basedn=ou).add()
+    qa_users.add_member(host="testhost1", user="ng9000", domain="ldap.test")
+
+    dev_users = ldap.netgroup("DEVUsers", basedn=ou).add()
+    dev_users.add_member(host="testhost5", user="ng9005", domain="ldap.test")
+    dev_users.add_member(host="samplehost", domain="samplehost.domain.com")
+
+    client.sssd.start()
+
+    member = client.tools.getent.netgroup("DEVUsers").members
+    assert "(samplehost,-,samplehost.domain.com)" in member
+
+
+@pytest.mark.importance("low")
+@pytest.mark.topology(KnownTopology.LDAP)
+def test_netgroup__with_nested_loop(client: Client, ldap: LDAP):
+    """
+    :title: Create and manages nested LDAP netgroups and tests their behavior
+        through several scenarios involving caching, membership queries, and restarts of the SSSD service.
+    :setup:
+        1. Create users, groups.
+        2. Create QAUsers Netgroup and Add Member
+        3. Create DEVUsers Netgroup and Add Nested Netgroup
+        4. Add Members to DEVUsers
+        5. Add Circular Netgroup Nesting
+        6. Start sssd
+    :steps:
+        1. Retrieves all members of the "DEVUsers" group using the getent netgroup tool.
+        2. Check for ng9000: Verifies that ng9000 (from QAUsers) is also part of "DEVUsers".
+        3. Checks if a user random (who is not in any netgroup) is part of "DEVUsers".
+        4. After the SSSD restart, it retrieves the members of "DEVUsers" again to ensure they are still intact.
+    :expectedresults:
+        1. All members of the "DEVUsers" group be there
+        2. ng9000 (from QAUsers) is also part of "DEVUsers"
+        3. random (who is not in any netgroup) is not part of "DEVUsers".
+        4. All members of the "DEVUsers" group be there
+    """
+    ou = ldap.ou("Netgroup")
+    create_users(ldap)
+
+    qa_users = ldap.netgroup("QAUsers", basedn=ou).add()
+    qa_users.add_member(host="testhost1", user="ng9000", domain="ldap.test")
+
+    dev_users = ldap.netgroup("DEVUsers", basedn=ou).add()
+    ldap.ldap.modify(dev_users.dn, add={"memberNisNetgroup": qa_users.dn})
+    dev_users.add_member(host="testhost5", user="ng9005", domain="ldap.test")
+    dev_users.add_member(user="ng9006")
+
+    ldap.ldap.modify(qa_users.dn, add={"memberNisNetgroup": dev_users.dn})
+
+    client.sssd.start()
+
+    member = client.tools.getent.netgroup("DEVUsers").members
+    assert "(testhost1,ng9000,ldap.test)" in member
+    assert "(-,ng9006,)" in member
+    assert "(testhost5,ng9005,ldap.test)" in member
+
+    client.sssd.restart()
+
+    member = client.tools.getent.netgroup("DEVUsers").members
+    assert "(testhost1,ng9000,ldap.test)" in member
+    assert "(-,ng9006,)" in member
+    assert "(testhost5,ng9005,ldap.test)" in member