freeipa/ipatests/test_integration/test_trust.py

# Authors:
#   Tomas Babej <tbabej@redhat.com>
#
# Copyright (C) 2013  Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

import re

from ipatests.test_integration.base import IntegrationTest
from ipatests.test_integration import tasks
from ipatests.test_integration import util


class ADTrustBase(IntegrationTest):
    """Provides common checks for the AD trust integration testing."""

    topology = 'line'
    num_ad_domains = 1

    @classmethod
    def install(cls):
        super(ADTrustBase, cls).install()
        cls.ad = cls.ad_domains[0].ads[0]
        cls.install_adtrust()
        cls.check_sid_generation()
        cls.configure_dns_and_time()

    @classmethod
    def install_adtrust(cls):
        """Test adtrust support installation"""

        tasks.install_adtrust(cls.master)

    @classmethod
    def check_sid_generation(cls):
        """Test SID generation"""

        command = ['ipa', 'user-show', 'admin', '--all', '--raw']

        # TODO: remove duplicate definition and import from common module
        _sid_identifier_authority = '(0x[0-9a-f]{1,12}|[0-9]{1,10})'
        sid_regex = 'S-1-5-21-%(idauth)s-%(idauth)s-%(idauth)s'\
                    % dict(idauth=_sid_identifier_authority)
        stdout_re = re.escape('  ipaNTSecurityIdentifier: ') + sid_regex

        util.run_repeatedly(cls.master, command,
                            test=lambda x: re.search(stdout_re, x))

    @classmethod
    def configure_dns_and_time(cls):
        tasks.configure_dns_for_trust(cls.master, cls.ad)
        tasks.sync_time(cls.master, cls.ad)


class TestBasicADTrust(ADTrustBase):
    """Basic Integration test for Active Directory"""

    def test_establish_trust(self):
        """Tests establishing trust with Active Directory"""

        tasks.establish_trust_with_ad(self.master, self.ad,
            extra_args=['--range-type', 'ipa-ad-trust'])

    def test_range_properties_in_nonposix_trust(self):
        """Check the properties of the created range"""

        range_name = self.ad.domain.name.upper() + '_id_range'
        result = self.master.run_command(['ipa', 'idrange-show', range_name,
                                          '--all', '--raw'])

        iparangetype_regex = r'ipaRangeType: ipa-ad-trust'
        iparangesize_regex = r'ipaIDRangeSize: 200000'

        assert re.search(iparangetype_regex, result.stdout_text, re.IGNORECASE)
        assert re.search(iparangesize_regex, result.stdout_text, re.IGNORECASE)

    def test_user_gid_uid_resolution_in_nonposix_trust(self):
        """Check that user has SID-generated UID"""

        # Using domain name since it is lowercased realm name for AD domains
        testuser = 'testuser@%s' % self.ad.domain.name
        result = self.master.run_command(['getent', 'passwd', testuser])

        # This regex checks that Test User does not have UID 10042 nor belongs
        # to the group with GID 10047
        testuser_regex = "^testuser@%s:\*:(?!10042)(\d+):(?!10047)(\d+):"\
                         "Test User:/home/%s/testuser:/bin/sh$"\
                         % (re.escape(self.ad.domain.name),
                            re.escape(self.ad.domain.name))

        assert re.search(testuser_regex, result.stdout_text)

    def test_remove_nonposix_trust(self):
        tasks.remove_trust_with_ad(self.master, self.ad)
        tasks.clear_sssd_cache(self.master)


class TestPosixADTrust(ADTrustBase):
    """Integration test for Active Directory with POSIX support"""

    def test_establish_trust_with_posix_attributes(self):
        # Not specifying the --range-type directly, it should be detected
        tasks.establish_trust_with_ad(self.master, self.ad)

    def test_range_properties_in_posix_trust(self):
        # Check the properties of the created range

        range_name = self.ad.domain.name.upper() + '_id_range'

        result = self.master.run_command(['ipa', 'idrange-show', range_name,
                                          '--all', '--raw'])

        # Check the range type and size
        iparangetype_regex = r'ipaRangeType: ipa-ad-trust-posix'
        iparangesize_regex = r'ipaIDRangeSize: 200000'

        assert re.search(iparangetype_regex, result.stdout_text, re.IGNORECASE)
        assert re.search(iparangesize_regex, result.stdout_text, re.IGNORECASE)

    def test_user_uid_gid_resolution_in_posix_trust(self):
        # Check that user has AD-defined UID

        # Using domain name since it is lowercased realm name for AD domains
        testuser = 'testuser@%s' % self.ad.domain.name
        result = self.master.run_command(['getent', 'passwd', testuser])

        testuser_stdout = "testuser@%s:*:10042:10047:"\
                          "Test User:/home/%s/testuser:/bin/sh"\
                          % (self.ad.domain.name,
                             self.ad.domain.name)

        assert testuser_stdout in result.stdout_text

    def test_user_without_posix_attributes_not_visible(self):
        # Check that user has AD-defined UID

        # Using domain name since it is lowercased realm name for AD domains
        nonposixuser = 'nonposixuser@%s' % self.ad.domain.name
        result = self.master.run_command(['getent', 'passwd', nonposixuser],
                                         raiseonerr=False)

        # Getent exits with 2 for non-existent user
        assert result.returncode == 2

    def test_remove_trust_with_posix_attributes(self):
        tasks.remove_trust_with_ad(self.master, self.ad)
        tasks.clear_sssd_cache(self.master)


class TestEnforcedPosixADTrust(TestPosixADTrust):
    """
    This test is intented to copycat PosixADTrust, since enforcing the POSIX
    trust type should not make a difference.
    """

    def test_establish_trust_with_posix_attributes(self):
        tasks.establish_trust_with_ad(self.master, self.ad,
            extra_args=['--range-type', 'ipa-ad-trust-posix'])


class TestInvalidRangeTypes(ADTrustBase):
    """
    Tests invalid values being put into trust-add command.
    """

    def test_invalid_range_types(self):

        invalid_range_types = ['ipa-local',
                               'ipa-ad-winsync',
                               'ipa-ipa-trust',
                               'random-invalid',
                               're@ll%ybad12!']

        for range_type in invalid_range_types:
            tasks.kinit_admin(self.master)

            result = self.master.run_command(
                               ['ipa', 'trust-add',
                               '--type', 'ad', self.ad.domain.name,
                               '--admin', 'Administrator',
                               '--range-type', range_type,
                               '--password'],
                               raiseonerr=False,
                               stdin_text=self.master.config.ad_admin_password)

            # The trust-add command is supposed to fail
            assert result.returncode == 1
ipatests: Add AD integration test case Part of: https://fedorahosted.org/freeipa/ticket/3834 2013-10-14 09:37:55 -05:00			`# Authors:`
			`# Tomas Babej <tbabej@redhat.com>`
			`#`
			`# Copyright (C) 2013 Red Hat`
			`# see file 'COPYING' for use and warranty information`
			`#`
			`# This program is free software; you can redistribute it and/or modify`
			`# it under the terms of the GNU General Public License as published by`
			`# the Free Software Foundation, either version 3 of the License, or`
			`# (at your option) any later version.`
			`#`
			`# This program is distributed in the hope that it will be useful,`
			`# but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`# GNU General Public License for more details.`
			`#`
			`# You should have received a copy of the GNU General Public License`
			`# along with this program. If not, see <http://www.gnu.org/licenses/>.`

			`import re`

			`from ipatests.test_integration.base import IntegrationTest`
			`from ipatests.test_integration import tasks`
			`from ipatests.test_integration import util`


			`class ADTrustBase(IntegrationTest):`
			`"""Provides common checks for the AD trust integration testing."""`

			`topology = 'line'`
			`num_ad_domains = 1`

			`@classmethod`
			`def install(cls):`
			`super(ADTrustBase, cls).install()`
			`cls.ad = cls.ad_domains[0].ads[0]`
			`cls.install_adtrust()`
			`cls.check_sid_generation()`
			`cls.configure_dns_and_time()`

			`@classmethod`
			`def install_adtrust(cls):`
			`"""Test adtrust support installation"""`

			`tasks.install_adtrust(cls.master)`

			`@classmethod`
			`def check_sid_generation(cls):`
			`"""Test SID generation"""`

			`command = ['ipa', 'user-show', 'admin', '--all', '--raw']`

			`# TODO: remove duplicate definition and import from common module`
			`_sid_identifier_authority = '(0x[0-9a-f]{1,12}\|[0-9]{1,10})'`
			`sid_regex = 'S-1-5-21-%(idauth)s-%(idauth)s-%(idauth)s'\`
			`% dict(idauth=_sid_identifier_authority)`
			`stdout_re = re.escape(' ipaNTSecurityIdentifier: ') + sid_regex`

			`util.run_repeatedly(cls.master, command,`
			`test=lambda x: re.search(stdout_re, x))`

			`@classmethod`
			`def configure_dns_and_time(cls):`
			`tasks.configure_dns_for_trust(cls.master, cls.ad)`
			`tasks.sync_time(cls.master, cls.ad)`


			`class TestBasicADTrust(ADTrustBase):`
			`"""Basic Integration test for Active Directory"""`

			`def test_establish_trust(self):`
			`"""Tests establishing trust with Active Directory"""`

			`tasks.establish_trust_with_ad(self.master, self.ad,`
			`extra_args=['--range-type', 'ipa-ad-trust'])`

			`def test_range_properties_in_nonposix_trust(self):`
			`"""Check the properties of the created range"""`

			`range_name = self.ad.domain.name.upper() + '_id_range'`
			`result = self.master.run_command(['ipa', 'idrange-show', range_name,`
			`'--all', '--raw'])`
ipatests: Do not depend on the case of the attributes when testing ID ranges In test_trust.py, several tests did case sensitive search on the output of the ipa idrange-show command. This could cause false negatives. Part of: https://fedorahosted.org/freeipa/ticket/4267 Reviewed-By: Martin Kosek <mkosek@redhat.com> 2014-03-26 06:34:55 -05:00
			`iparangetype_regex = r'ipaRangeType: ipa-ad-trust'`
			`iparangesize_regex = r'ipaIDRangeSize: 200000'`

			`assert re.search(iparangetype_regex, result.stdout_text, re.IGNORECASE)`
			`assert re.search(iparangesize_regex, result.stdout_text, re.IGNORECASE)`
ipatests: Add AD integration test case Part of: https://fedorahosted.org/freeipa/ticket/3834 2013-10-14 09:37:55 -05:00
			`def test_user_gid_uid_resolution_in_nonposix_trust(self):`
			`"""Check that user has SID-generated UID"""`

ipatests: test_trust: use domain name instead of realm for user lookups 2013-11-01 07:59:16 -05:00			`# Using domain name since it is lowercased realm name for AD domains`
			`testuser = 'testuser@%s' % self.ad.domain.name`
ipatests: Add AD integration test case Part of: https://fedorahosted.org/freeipa/ticket/3834 2013-10-14 09:37:55 -05:00			`result = self.master.run_command(['getent', 'passwd', testuser])`

			`# This regex checks that Test User does not have UID 10042 nor belongs`
			`# to the group with GID 10047`
			`testuser_regex = "^testuser@%s:\*:(?!10042)(\d+):(?!10047)(\d+):"\`
ipatests: Change expected home directories returned by getent The hardcoded values for the home directories for the AD users did not properly scale up from the POSIX attrs only test scanario. When using POSIX attrs, the home dir is returned as whatever is set in the AD (/home/username by default). Without using POSIX attributes, the /home/domain/username form is taken by default. Refactor the tests to take this behaviour into account. Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 2014-02-05 07:56:19 -06:00			`"Test User:/home/%s/testuser:/bin/sh$"\`
			`% (re.escape(self.ad.domain.name),`
			`re.escape(self.ad.domain.name))`
ipatests: Add AD integration test case Part of: https://fedorahosted.org/freeipa/ticket/3834 2013-10-14 09:37:55 -05:00
			`assert re.search(testuser_regex, result.stdout_text)`

			`def test_remove_nonposix_trust(self):`
			`tasks.remove_trust_with_ad(self.master, self.ad)`
			`tasks.clear_sssd_cache(self.master)`


			`class TestPosixADTrust(ADTrustBase):`
			`"""Integration test for Active Directory with POSIX support"""`

			`def test_establish_trust_with_posix_attributes(self):`
			`# Not specifying the --range-type directly, it should be detected`
			`tasks.establish_trust_with_ad(self.master, self.ad)`

			`def test_range_properties_in_posix_trust(self):`
			`# Check the properties of the created range`

			`range_name = self.ad.domain.name.upper() + '_id_range'`

			`result = self.master.run_command(['ipa', 'idrange-show', range_name,`
			`'--all', '--raw'])`

			`# Check the range type and size`
ipatests: Do not depend on the case of the attributes when testing ID ranges In test_trust.py, several tests did case sensitive search on the output of the ipa idrange-show command. This could cause false negatives. Part of: https://fedorahosted.org/freeipa/ticket/4267 Reviewed-By: Martin Kosek <mkosek@redhat.com> 2014-03-26 06:34:55 -05:00			`iparangetype_regex = r'ipaRangeType: ipa-ad-trust-posix'`
			`iparangesize_regex = r'ipaIDRangeSize: 200000'`

			`assert re.search(iparangetype_regex, result.stdout_text, re.IGNORECASE)`
			`assert re.search(iparangesize_regex, result.stdout_text, re.IGNORECASE)`
ipatests: Add AD integration test case Part of: https://fedorahosted.org/freeipa/ticket/3834 2013-10-14 09:37:55 -05:00
			`def test_user_uid_gid_resolution_in_posix_trust(self):`
			`# Check that user has AD-defined UID`

ipatests: test_trust: use domain name instead of realm for user lookups 2013-11-01 07:59:16 -05:00			`# Using domain name since it is lowercased realm name for AD domains`
			`testuser = 'testuser@%s' % self.ad.domain.name`
ipatests: Add AD integration test case Part of: https://fedorahosted.org/freeipa/ticket/3834 2013-10-14 09:37:55 -05:00			`result = self.master.run_command(['getent', 'passwd', testuser])`

			`testuser_stdout = "testuser@%s:*:10042:10047:"\`
ipatests: test_trust: Change expected home directories for posix users Information from the AD about the home directories is not leveraged at all, but is generated from the username and domain. Fix the assumptions in the tests. Also changes 'Subdomain Test User' to 'Subdomaintest User' to be more consistent. https://fedorahosted.org/freeipa/ticket/4184 Reviewed-By: Jakub Hrozek <jhrozek@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 2014-02-27 08:40:54 -06:00			`"Test User:/home/%s/testuser:/bin/sh"\`
			`% (self.ad.domain.name,`
			`self.ad.domain.name)`
ipatests: Add AD integration test case Part of: https://fedorahosted.org/freeipa/ticket/3834 2013-10-14 09:37:55 -05:00
			`assert testuser_stdout in result.stdout_text`

			`def test_user_without_posix_attributes_not_visible(self):`
			`# Check that user has AD-defined UID`

ipatests: test_trust: use domain name instead of realm for user lookups 2013-11-01 07:59:16 -05:00			`# Using domain name since it is lowercased realm name for AD domains`
			`nonposixuser = 'nonposixuser@%s' % self.ad.domain.name`
ipatests: Add AD integration test case Part of: https://fedorahosted.org/freeipa/ticket/3834 2013-10-14 09:37:55 -05:00			`result = self.master.run_command(['getent', 'passwd', nonposixuser],`
			`raiseonerr=False)`

			`# Getent exits with 2 for non-existent user`
			`assert result.returncode == 2`

			`def test_remove_trust_with_posix_attributes(self):`
			`tasks.remove_trust_with_ad(self.master, self.ad)`
			`tasks.clear_sssd_cache(self.master)`


			`class TestEnforcedPosixADTrust(TestPosixADTrust):`
			`"""`
			`This test is intented to copycat PosixADTrust, since enforcing the POSIX`
			`trust type should not make a difference.`
			`"""`

			`def test_establish_trust_with_posix_attributes(self):`
			`tasks.establish_trust_with_ad(self.master, self.ad,`
			`extra_args=['--range-type', 'ipa-ad-trust-posix'])`


			`class TestInvalidRangeTypes(ADTrustBase):`
			`"""`
			`Tests invalid values being put into trust-add command.`
			`"""`

			`def test_invalid_range_types(self):`

			`invalid_range_types = ['ipa-local',`
			`'ipa-ad-winsync',`
			`'ipa-ipa-trust',`
			`'random-invalid',`
			`'re@ll%ybad12!']`

			`for range_type in invalid_range_types:`
			`tasks.kinit_admin(self.master)`

			`result = self.master.run_command(`
			`['ipa', 'trust-add',`
			`'--type', 'ad', self.ad.domain.name,`
			`'--admin', 'Administrator',`
			`'--range-type', range_type,`
			`'--password'],`
			`raiseonerr=False,`
			`stdin_text=self.master.config.ad_admin_password)`

			`# The trust-add command is supposed to fail`
			`assert result.returncode == 1`