From 0d15eb78d4178bea6057e4d32b234c592ca80fa7 Mon Sep 17 00:00:00 2001
From: Sergey Orlov
Date: Wed, 5 Jun 2019 11:16:37 +0200
Subject: [PATCH] ipatests: add test for sudo with runAsUser and domain resolution order.

Running commands with sudo as specific user should succeed when sudo rule has ipasudorunas field defined with value of that user and domain-resolution-order is defined in ipa config.

Relates to https://pagure.io/SSSD/sssd/issue/3957

Reviewed-By: Florence Blanc-Renaud
---
 ipatests/test_integration/test_sudo.py | 37 ++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)

diff --git a/ipatests/test_integration/test_sudo.py b/ipatests/test_integration/test_sudo.py
index 661e22f3c..eb651ad3a 100644
--- a/ipatests/test_integration/test_sudo.py
+++ b/ipatests/test_integration/test_sudo.py
@@ -713,3 +713,40 @@ class TestSudo(IntegrationTest):
 '--groups', 'testgroup2'], raiseonerr=False)
 assert result.returncode != 0
+
+ def test_domain_resolution_order(self):
+ """Test sudo with runAsUser and domain resolution order.
+
+ Regression test for bug https://pagure.io/SSSD/sssd/issue/3957.
+ Running commands with sudo as specific user should succeed
+ when sudo rule has ipasudorunas field defined with value of that user
+ and domain-resolution-order is defined in ipa config.
+ """
+ self.master.run_command(
+ ['ipa', 'config-mod', '--domain-resolution-order',
+ self.domain.name]) # pylint: disable=no-member
+ try:
+ # prepare the sudo rule: set only one user for ipasudorunas
+ self.reset_rule_categories()
+ self.master.run_command(
+ ['ipa', 'sudorule-mod', 'testrule',
+ '--runasgroupcat=', '--runasusercat='],
+ raiseonerr=False
+ )
+ self.master.run_command(
+ ['ipa', 'sudorule-add-runasuser', 'testrule',
+ '--users', 'testuser2'])
+
+ # check that testuser1 is allowed to run commands as testuser2
+ # according to listing of allowed commands
+ result = self.list_sudo_commands('testuser1')
+ expected_rule = ('(testuser2@%s) NOPASSWD: ALL'
+ % self.domain.name) # pylint: disable=no-member
+ assert expected_rule in result.stdout_text
+
+ # check that testuser1 can actually run commands as testuser2
+ self.client.run_command(
+ ['su', 'testuser1', '-c', 'sudo -u testuser2 true'])
+ finally:
+ self.master.run_command(
+ ['ipa', 'config-mod', '--domain-resolution-order='])
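Review bot: The `finally` block in `test_domain_resolution_order` only clears the domain resolution order; the `ipasudorunas` entry added with `sudorule-add-runasuser` and the category reset done by `reset_rule_categories()` are left in place, so any test that runs later against `testrule` inherits a rule that lets testuser1 run commands as testuser2. The same `finally` should undo that, e.g. `self.master.run_command(['ipa', 'sudorule-remove-runasuser', 'testrule', '--users', 'testuser2'], raiseonerr=False)`. Clearing with `--domain-resolution-order=` also discards whatever value the config held before the test instead of restoring it; if that setting is relied on elsewhere in the suite, read it before the `config-mod` and put it back. The `sudorule-mod` call passes `raiseonerr=False` and never inspects its result, so a comment naming the tolerated failure (presumably a no-change error when both categories are already unset) would make the intent clear to the next reader. The enclosing `TestSudo` class starts outside the hunk.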