Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

tests: authentication, adding override_homedir tests #7682

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
54 changes: 54 additions & 0 deletions src/tests/system/tests/test_ad.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,54 @@
"""
SSSD Active Directory (AD) Test Cases

:requirement: ad
"""

from __future__ import annotations

import pytest
from sssd_test_framework.roles.ad import AD
from sssd_test_framework.roles.client import Client
from sssd_test_framework.topology import KnownTopology


@pytest.mark.topology(KnownTopology.AD)
@pytest.mark.ticket(gh=7174)
@pytest.mark.parametrize("method", ["su", "ssh"])
@pytest.mark.parametrize("sssd_service_user", ("root", "sssd"))
danlavu marked this conversation as resolved.
Show resolved Hide resolved
@pytest.mark.importance("critical")
danlavu marked this conversation as resolved.
Show resolved Hide resolved
@pytest.mark.require(
lambda client, sssd_service_user: ((sssd_service_user == "root") or client.features["non-privileged"]),
"SSSD was built without support for running under non-root",
)
def test_authentication__using_the_users_email_address(client: Client, ad: AD, method: str, sssd_service_user: str):
"""
:title: Login using the user's email address
:description:
Testing the feature to login using an email address instead of the userid. The username used,
must match one of the user's LDAP attribute values, "EmailAddress". The login should be
case-insensitive and permit special characters.
:setup:
1. Add AD users with different email addresses
2. Start SSSD
:steps:
1. Authenticate users using their email address and in different cases
:expectedresults:
1. Authentication is successful using the email address and is case-insensitive
:customerscenario: False
"""
ad.user("user-1").add(password="Secret123", email=f"user-1@{ad.host.domain}")
ad.user("user-2").add(password="Secret123", email="[email protected]")
ad.user("user_3").add(password="Secret123", email="[email protected]")

client.sssd.start(service_user=sssd_service_user)

assert client.auth.parametrize(method).password(
f"user-1@{ad.host.domain}", "Secret123"
), f"User user-1@{ad.host.domain} failed login!"
assert client.auth.parametrize(method).password(
"[email protected]", "Secret123"
), "User [email protected] failed login!"
assert client.auth.parametrize(method).password(
"[email protected]", "Secret123"
), "User [email protected] failed login!"
126 changes: 66 additions & 60 deletions src/tests/system/tests/test_authentication.py
Original file line number Diff line number Diff line change
Expand Up @@ -7,23 +7,16 @@
from __future__ import annotations

import pytest
from sssd_test_framework.roles.ad import AD
from sssd_test_framework.roles.client import Client
from sssd_test_framework.roles.generic import GenericProvider
from sssd_test_framework.topology import KnownTopology, KnownTopologyGroup
from sssd_test_framework.roles.ldap import LDAP
from sssd_test_framework.topology import KnownTopologyGroup


@pytest.mark.topology(KnownTopologyGroup.AnyProvider)
@pytest.mark.parametrize("method", ["su", "ssh"])
@pytest.mark.parametrize("sssd_service_user", ("root", "sssd"))
@pytest.mark.importance("critical")
@pytest.mark.require(
lambda client, sssd_service_user: ((sssd_service_user == "root") or client.features["non-privileged"]),
"SSSD was built without support for running under non-root",
)
def test_authentication__with_default_settings(
client: Client, provider: GenericProvider, method: str, sssd_service_user: str
):
def test_authentication__with_default_settings(client: Client, provider: GenericProvider, method: str):
"""
:title: Authenticate with default settings
:setup:
Expand All @@ -39,24 +32,79 @@ def test_authentication__with_default_settings(
"""
provider.user("user1").add(password="Secret123")

client.sssd.start(service_user=sssd_service_user)
client.sssd.start()

assert client.auth.parametrize(method).password("user1", "Secret123"), "User failed login!"
assert not client.auth.parametrize(method).password(
"user1", "NOTSecret123"
), "User logged in with an invalid password!"


@pytest.mark.topology(KnownTopologyGroup.AnyProvider)
@pytest.mark.parametrize(
"home_key",
["user", "uid", "fqn", "domain", "first_char", "upn", "default", "lowercase", "substring", "literal%"],
)
@pytest.mark.importance("medium")
def test_authentication__with_overriding_home_directory(client: Client, provider: GenericProvider, home_key: str):
"""
:title: Override the user's home directory
:description:
For simplicity, the home directory is set to '/home/user1' because some providers homedirs are different.
:setup:
1. Create user and set home directory to '/home/user1'
2. Configure SSSD with 'override_homedir' home_key value and restart SSSD
3. Get entry for 'user1'
:steps:
1. Login as 'user1' and check working directory
:expectedresults:
1. Login is successful and working directory matches the expected value
:customerscenario: False
"""
provider.user("user1").add(password="Secret123", home="/home/user1")
client.sssd.common.mkhomedir(clean=True)
client.sssd.start()

user = client.tools.getent.passwd("user1")
assert user is not None

home_map: dict[str, list[str]] = {
"user": ["/home/%u", f"/home/{user.name}"],
"uid": ["/home/%U", f"/home/{user.uid}"],
"fqn": ["/home/%f", f"/home/{user.name}@{client.sssd.default_domain}"],
"domain": ["/home/%d/%u", f"/home/{client.sssd.default_domain}/{user.name}"],
"first_char": ["/home/%l", f"/home/{str(user.name)[0]}"],
"upn": ["/home/%P", f"/home/{user.name}@{provider.domain.upper()}"],
"default": ["%o", f"{user.home}"],
"lowercase": ["%h", f"{str(user.home).lower()}"],
"substring": ["%H/%u", f"/home/homedir/{user.name}"],
"literal%": ["/home/%%/%u", f"/home/%/{user.name}"],
}

if home_key == "upn" and isinstance(provider, LDAP):
pytest.skip("Skipping provider, userPrincipal attribute is not set!")

if home_key == "domain":
client.fs.mkdir_p(f"/home/{client.sssd.default_domain}")

home_fmt, home_exp = home_map[home_key]
client.sssd.domain["homedir_substring"] = "/home/homedir"
client.sssd.domain["override_homedir"] = home_fmt
client.sssd.start(clean=True)

with client.ssh("user1", "Secret123") as ssh:
result = ssh.run("pwd").stdout
assert result is not None, "Getting path failed!"
assert result == home_exp, f"Current path {result} is not {home_exp}!"


@pytest.mark.topology(KnownTopologyGroup.AnyProvider)
@pytest.mark.parametrize("method", ["su", "ssh"])
@pytest.mark.parametrize("sssd_service_user", ("root", "sssd"))
@pytest.mark.importance("critical")
@pytest.mark.require(
lambda client, sssd_service_user: ((sssd_service_user == "root") or client.features["non-privileged"]),
"SSSD was built without support for running under non-root",
)
def test_authentication__default_settings_when_the_provider_is_offline(
client: Client, provider: GenericProvider, method: str, sssd_service_user: str
client: Client,
provider: GenericProvider,
method: str,
):
"""
:title: Authenticate with default settings when the provider is offline
Expand All @@ -83,7 +131,7 @@ def test_authentication__default_settings_when_the_provider_is_offline(
client.sssd.domain["cache_credentials"] = "True"
client.sssd.domain["krb5_store_password_if_offline"] = "True"
client.sssd.pam["offline_credentials_expiration"] = "0"
client.sssd.start(service_user=sssd_service_user)
client.sssd.start()

assert client.auth.parametrize(method).password(user, correct), "User failed login!"

Expand All @@ -95,45 +143,3 @@ def test_authentication__default_settings_when_the_provider_is_offline(

assert client.auth.parametrize(method).password(user, correct), "User failed login!"
assert not client.auth.parametrize(method).password(user, wrong), "User logged in with an incorrect password!"


@pytest.mark.topology(KnownTopology.AD)
@pytest.mark.ticket(gh=7174)
@pytest.mark.parametrize("method", ["su", "ssh"])
@pytest.mark.parametrize("sssd_service_user", ("root", "sssd"))
@pytest.mark.importance("critical")
@pytest.mark.require(
lambda client, sssd_service_user: ((sssd_service_user == "root") or client.features["non-privileged"]),
"SSSD was built without support for running under non-root",
)
def test_authentication__using_the_users_email_address(client: Client, ad: AD, method: str, sssd_service_user: str):
"""
:title: Login using the user's email address
:description:
Testing the feature to login using an email address instead of the userid. The username used,
must match one of the user's LDAP attribute values, "EmailAddress". The login should be
case-insensitive and permit special characters.
:setup:
1. Add AD users with different email addresses
2. Start SSSD
:steps:
1. Authenticate users using their email address and in different cases
:expectedresults:
1. Authentication is successful using the email address and is case-insensitive
:customerscenario: False
"""
ad.user("user-1").add(password="Secret123", email=f"user-1@{ad.host.domain}")
ad.user("user-2").add(password="Secret123", email="[email protected]")
ad.user("user_3").add(password="Secret123", email="[email protected]")

client.sssd.start(service_user=sssd_service_user)

assert client.auth.parametrize(method).password(
f"user-1@{ad.host.domain}", "Secret123"
), f"User user-1@{ad.host.domain} failed login!"
assert client.auth.parametrize(method).password(
"[email protected]", "Secret123"
), "User [email protected] failed login!"
assert client.auth.parametrize(method).password(
"[email protected]", "Secret123"
), "User [email protected] failed login!"
Loading