IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Tests: Fix integration sudo tests setup and checks

Browse Source 
Adding 'defaults' sudorule to prevent requesting further user authentication.
Adding checks that if a user should be rejected access, a proper error message
is displayed.

https://fedorahosted.org/freeipa/ticket/6262

Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
This commit is contained in:
Lenka Doudova 2016-08-26 13:00:01 +02:00 committed by Martin Basti
parent 6755cbbc33
commit 32a6528dad
1 changed files with 29 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
ipatests/test_integration/test_sudo.py
View File

@ -37,6 +37,8 @@ class TestSudo(IntegrationTest):
super(TestSudo, cls).install(mh) super(TestSudo, cls).install(mh)
cls.client = cls.clients[0] cls.client = cls.clients[0]
cls.clientname = cls.client.run_command(
['hostname', '-s']).stdout_text.strip()
for i in range(1, 3): for i in range(1, 3):
# Add 1. and 2. testing user # Add 1. and 2. testing user
@ -72,6 +74,13 @@ class TestSudo(IntegrationTest):
'-G', 'localgroup', '-G', 'localgroup',
'localuser']) 'localuser'])
# Create sudorule 'defaults' for not requiring authentication
cls.master.run_command(['ipa', 'sudorule-add', 'defaults'])
cls.master.run_command(['ipa', 'sudorule-add-option',
'defaults',
'--sudooption', "!authenticate"])
@classmethod @classmethod
def uninstall(cls, mh): def uninstall(cls, mh):
cls.client.run_command(['groupdel', 'localgroup'], raiseonerr=False) cls.client.run_command(['groupdel', 'localgroup'], raiseonerr=False)
@ -81,7 +90,8 @@ class TestSudo(IntegrationTest):
def list_sudo_commands(self, user, raiseonerr=False, verbose=False): def list_sudo_commands(self, user, raiseonerr=False, verbose=False):
clear_sssd_cache(self.client) clear_sssd_cache(self.client)
list_flag = '-ll' if verbose else '-l' list_flag = '-ll' if verbose else '-l'
return self.client.run_command('su -c "sudo %s" %s' % (list_flag, user), return self.client.run_command(
'su -c "sudo %s -n" %s' % (list_flag, user),
raiseonerr=raiseonerr) raiseonerr=raiseonerr)
def reset_rule_categories(self, safe_delete=True): def reset_rule_categories(self, safe_delete=True):
@ -168,6 +178,16 @@ class TestSudo(IntegrationTest):
result2 = self.list_sudo_commands("testuser2", raiseonerr=False) result2 = self.list_sudo_commands("testuser2", raiseonerr=False)
assert result2.returncode != 0 assert result2.returncode != 0
assert "Sorry, user testuser2 may not run sudo on {}.".format(
self.clientname) in result2.stderr_text
def test_sudo_rule_restricted_to_one_user_without_defaults_rule(self):
# Verify password is requested with the 'defaults' sudorule disabled
self.master.run_command(['ipa', 'sudorule-disable', 'defaults'])
result3 = self.list_sudo_commands("testuser2", raiseonerr=False)
assert result3.returncode != 0
assert "sudo: a password is required" in result3.stderr_text
def test_setting_category_to_all_with_valid_entries_user(self): def test_setting_category_to_all_with_valid_entries_user(self):
result = self.reset_rule_categories(safe_delete=False) result = self.reset_rule_categories(safe_delete=False)
@ -178,6 +198,7 @@ class TestSudo(IntegrationTest):
self.master.run_command(['ipa', 'sudorule-remove-user', self.master.run_command(['ipa', 'sudorule-remove-user',
'testrule', 'testrule',
'--users', 'testuser1']) '--users', 'testuser1'])
self.master.run_command(['ipa', 'sudorule-enable', 'defaults'])
def test_sudo_rule_restricted_to_one_group_setup(self): def test_sudo_rule_restricted_to_one_group_setup(self):
# Add the testgroup2 to the rule # Add the testgroup2 to the rule
@ -188,6 +209,8 @@ class TestSudo(IntegrationTest):
def test_sudo_rule_restricted_to_one_group(self): def test_sudo_rule_restricted_to_one_group(self):
result1 = self.list_sudo_commands("testuser1", raiseonerr=False) result1 = self.list_sudo_commands("testuser1", raiseonerr=False)
assert result1.returncode != 0 assert result1.returncode != 0
assert "Sorry, user testuser1 may not run sudo on {}.".format(
self.clientname) in result1.stderr_text
result2 = self.list_sudo_commands("testuser2") result2 = self.list_sudo_commands("testuser2")
assert "(ALL : ALL) NOPASSWD: ALL" in result2.stdout_text assert "(ALL : ALL) NOPASSWD: ALL" in result2.stdout_text
@ -219,6 +242,8 @@ class TestSudo(IntegrationTest):
def test_sudo_rule_restricted_to_one_host_negative(self): def test_sudo_rule_restricted_to_one_host_negative(self):
result1 = self.list_sudo_commands("testuser1", raiseonerr=False) result1 = self.list_sudo_commands("testuser1", raiseonerr=False)
assert result1.returncode != 0 assert result1.returncode != 0
assert "Sorry, user testuser1 may not run sudo on {}.".format(
self.clientname) in result1.stderr_text
def test_sudo_rule_restricted_to_one_host_negative_teardown(self): def test_sudo_rule_restricted_to_one_host_negative_teardown(self):
# Remove the master from the rule # Remove the master from the rule
@ -333,6 +358,8 @@ class TestSudo(IntegrationTest):
def test_sudo_rule_restricted_to_one_hostmask_negative(self): def test_sudo_rule_restricted_to_one_hostmask_negative(self):
result1 = self.list_sudo_commands("testuser1") result1 = self.list_sudo_commands("testuser1")
assert result1.returncode != 0 assert result1.returncode != 0
assert "Sorry, user testuser1 may not run sudo on {}.".format(
self.clientname) in result1.stderr_text
def test_sudo_rule_restricted_to_one_hostmask_negative_teardown(self): def test_sudo_rule_restricted_to_one_hostmask_negative_teardown(self):
# Remove the master's hostmask from the rule # Remove the master's hostmask from the rule