IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2024-12-26 00:41:25 -06:00
Code Issues Packages Projects Releases Wiki Activity

ipatests: add test for sudo with runAsUser and domain resolution order.

Browse Source 
Running commands with sudo as specific user should succeed
when sudo rule has ipasudorunas field defined with value of that user
and domain-resolution-order is defined in ipa config.

Relates to https://pagure.io/SSSD/sssd/issue/3957

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
This commit is contained in:
Sergey Orlov 2019-06-05 11:16:37 +02:00
parent d2c929270c
commit 0d15eb78d4
No known key found for this signature in database
GPG Key ID: ADF8C90EDD04503D
1 changed files with 37 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
ipatests/test_integration/test_sudo.py
View File

@ -713,3 +713,40 @@ class TestSudo(IntegrationTest):
'--groups', 'testgroup2'], '--groups', 'testgroup2'],
raiseonerr=False) raiseonerr=False)
assert result.returncode != 0 assert result.returncode != 0
def test_domain_resolution_order(self):
"""Test sudo with runAsUser and domain resolution order.
Regression test for bug https://pagure.io/SSSD/sssd/issue/3957.
Running commands with sudo as specific user should succeed
when sudo rule has ipasudorunas field defined with value of that user
and domain-resolution-order is defined in ipa config.
"""
self.master.run_command(
['ipa', 'config-mod', '--domain-resolution-order',
self.domain.name]) # pylint: disable=no-member
try:
# prepare the sudo rule: set only one user for ipasudorunas
self.reset_rule_categories()
self.master.run_command(
['ipa', 'sudorule-mod', 'testrule',
'--runasgroupcat=', '--runasusercat='],
raiseonerr=False
)
self.master.run_command(
['ipa', 'sudorule-add-runasuser', 'testrule',
'--users', 'testuser2'])
# check that testuser1 is allowed to run commands as testuser2
# according to listing of allowed commands
result = self.list_sudo_commands('testuser1')
expected_rule = ('(testuser2@%s) NOPASSWD: ALL'
% self.domain.name) # pylint: disable=no-member
assert expected_rule in result.stdout_text
# check that testuser1 can actually run commands as testuser2
self.client.run_command(
['su', 'testuser1', '-c', 'sudo -u testuser2 true'])
finally:
self.master.run_command(
['ipa', 'config-mod', '--domain-resolution-order='])