Test for removing a subgroup

Problem description:
Removing an IPA sub-group should NOT remove the members
from indirect parent that also belong to other subgroups

The test:
A user and three groups are created: groupa, groupb and groupc.
'groupc' should be a child of 'groupb' so that you have groupa->groupb->groupc

user is direct member of 'groupa' and as a result member of 'groupb'
and 'groupc'. Now when one adds a direct membership to 'groupb' nothing will
change.

If one removes the direct membership to 'groupb' again,
nothing should change as well

Pagure Link: https://pagure.io/SSSD/sssd/issue/3636

Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Sumedh Sidhaye 2020-04-15 22:10:39 +05:30 committed by Florence Blanc-Renaud
parent f3e1171564
commit 47bddf4f45


@ -9,6 +9,7 @@ from __future__ import absolute_import
import time
from contextlib import contextmanager
import re
import os
import pytest
import subprocess
@ -16,6 +17,7 @@ import textwrap
from ipatests.test_integration.base import IntegrationTest
from ipatests.pytest_ipa.integration import tasks
from ipatests.pytest_ipa.integration.tasks import clear_sssd_cache
from ipatests.util import xfail_context
from ipaplatform.tasks import tasks as platform_tasks
from ipaplatform.osinfo import osinfo
@ -403,3 +405,178 @@ class TestSSSDWithAdTrust(IntegrationTest):
assert 'no such user' in res.stderr_text
# verify the user can be retrieved after re-enabling trustdomain
self.master.run_command(['id', user])
class TestNestedMembers(IntegrationTest):
num_clients = 1
username = "testuser001"
userpasswd = 'Secret123'
@classmethod
def install(cls, mh):
tasks.install_master(cls.master)
tasks.install_client(cls.master, cls.clients[0])
@pytest.fixture
def nested_group_setup(self, tmpdir):
"""Setup and Clean up groups and user created"""
master = self.master
client = self.clients[0]
# add a user and set password
tasks.create_active_user(master, self.username, self.userpasswd)
tasks.kinit_admin(master)
privkey, pubkey = tasks.generate_ssh_keypair()
with open(os.path.join(
tmpdir, 'ssh_priv_key'), 'w') as fp:
fp.write(privkey)
master.run_command([
'ipa', 'user-mod', self.username, '--ssh', "{}".format(pubkey)
])
master.put_file_contents('/tmp/user_ssh_priv_key', privkey)
master.run_command(['chmod', '600', '/tmp/user_ssh_priv_key'])
# add group groupa
cmd_output = master.run_command(['ipa', 'group-add', 'groupa'])
assert 'Added group "groupa"' in cmd_output.stdout_text
# add group groupb
cmd_output = master.run_command(['ipa', 'group-add', 'groupb'])
assert 'Added group "groupb"' in cmd_output.stdout_text
# add group groupc
cmd_output = master.run_command(['ipa', 'group-add', 'groupc'])
assert 'Added group "groupc"' in cmd_output.stdout_text
client.put_file_contents('/tmp/user_ssh_priv_key',
privkey)
client.run_command(['chmod', '600', '/tmp/user_ssh_priv_key'])
yield
# test cleanup
for group in ['groupa', 'groupb', 'groupc']:
self.master.run_command(['ipa', 'group-del', group, '--continue'])
self.master.run_command(['ipa', 'user-del', self.username,
'--no-preserve', '--continue'])
tasks.kdestroy_all(self.master)
tasks.kdestroy_all(self.clients[0])
def test_nested_group_members(self, tmpdir, nested_group_setup):
"""Nested group memberships should be honoured
"groupc" should be a child of "groupb"
so that parent child relationship is as follows:
"groupa"->"groupb"->"groupc"
testuser001 is direct member of "groupa" and as a result
member of "groupb" and "groupc"".
Now if one adds a direct membership to "groupb"
nothing will change.
Now if one removes the direct membership to "groupb"
nothing should change, the memberships should be honored
Linked Issue: https://pagure.io/SSSD/sssd/issue/3636
"""
master = self.master
client = self.clients[0]
# add group members
cmd_output = master.run_command(['ipa', 'group-add-member',
'groupb', '--groups', 'groupa'])
assert 'Group name: groupb' in cmd_output.stdout_text
assert 'Member groups: groupa' in cmd_output.stdout_text
assert 'Number of members added 1' in cmd_output.stdout_text
cmd_output = master.run_command(['ipa', 'group-add-member',
'groupc', '--groups', 'groupb'])
assert 'Group name: groupc' in cmd_output.stdout_text
assert 'Member groups: groupb' in cmd_output.stdout_text
assert 'Indirect Member groups: groupa' in cmd_output.stdout_text
# add user to group 'groupa'
cmd_output = master.run_command(['ipa', 'group-add-member',
'groupa', '--users', self.username])
assert 'Group name: groupa' in cmd_output.stdout_text
assert_str = 'Member users: {}'.format(self.username)
assert assert_str in cmd_output.stdout_text
assert 'Member of groups: groupb' in cmd_output.stdout_text
assert 'Indirect Member of group: groupc' in cmd_output.stdout_text
# clear sssd_cache
clear_sssd_cache(master)
# user lookup
# at this point, testuser001 has the following group memberships
# Member of groups: groupa, ipausers
# Indirect Member of group: groupb, groupc
cmd_output = master.run_command(['ipa', 'user-show', self.username])
assert 'groupa' in cmd_output.stdout_text
assert 'ipausers' in cmd_output.stdout_text
assert 'groupb' in cmd_output.stdout_text
assert 'groupc' in cmd_output.stdout_text
clear_sssd_cache(client)
cmd = ['ssh', '-i', '/tmp/user_ssh_priv_key',
'-q', '{}@{}'.format(self.username, client.hostname),
'groups']
cmd_output = master.run_command(cmd)
assert self.username in cmd_output.stdout_text
assert 'groupa' in cmd_output.stdout_text
assert 'groupb' in cmd_output.stdout_text
assert 'groupc' in cmd_output.stdout_text
# add member
cmd_output = master.run_command(['ipa', 'group-add-member',
'groupb', '--users', self.username])
assert 'Group name: groupb' in cmd_output.stdout_text
assert_str = 'Member users: {}'.format(self.username)
assert assert_str in cmd_output.stdout_text
assert 'Member groups: groupa' in cmd_output.stdout_text
assert 'Member of groups: groupc' in cmd_output.stdout_text
assert 'Number of members added 1' in cmd_output.stdout_text
# now check ssh on the client
clear_sssd_cache(client)
# after adding testuser001 to b group
# testuser001 will have the following memberships
# Member of groups: groupa, ipausers, groupb
# Indirect Member of group: groupc
cmd = ['ssh', '-i', '/tmp/user_ssh_priv_key',
'-q', '{}@{}'.format(self.username, client.hostname),
'groups']
cmd_output = client.run_command(cmd)
assert self.username in cmd_output.stdout_text
assert 'groupa' in cmd_output.stdout_text
assert 'groupb' in cmd_output.stdout_text
assert 'groupc' in cmd_output.stdout_text
# now back to server to remove member
cmd_output = master.run_command(['ipa', 'group-remove-member',
'groupb', '--users', self.username])
assert_str = 'Indirect Member users: {}'.format(self.username)
assert 'Group name: groupb' in cmd_output.stdout_text
assert 'Member groups: groupa' in cmd_output.stdout_text
assert 'Member of groups: groupc' in cmd_output.stdout_text
assert assert_str in cmd_output.stdout_text
assert 'Number of members removed 1' in cmd_output.stdout_text
clear_sssd_cache(master)
# now check ssh on the client again
# after removing testuser001 from b group
# testuser001 will have the following memberships
# Member of groups: groupa, ipausers
# Indirect Member of group: groupb, groupc
clear_sssd_cache(client)
cmd = ['ssh', '-i', '/tmp/user_ssh_priv_key',
'-q', '{}@{}'.format(self.username, client.hostname),
'groups']
cmd_output = client.run_command(cmd)
assert self.username in cmd_output.stdout_text
assert 'groupa' in cmd_output.stdout_text
assert 'groupb' in cmd_output.stdout_text
assert 'groupc' in cmd_output.stdout_text
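Review bot: In `nested_group_setup` the generated SSH private key is written to the fixed, shared path `/tmp/user_ssh_priv_key` on both master and client and is only restricted by a separate `chmod 600` afterwards, and the teardown after `yield` deletes the groups and the user but never the key files. Unless `put_file_contents` already creates the file with a restrictive mode (not visible here), the key may be readable by other local users between the write and the chmod, and a predictable name in `/tmp` can collide with a leftover from an earlier run. I would add `for host in (self.master, self.clients[0]): host.run_command(['rm', '-f', '/tmp/user_ssh_priv_key'])` to the cleanup and place the key in a per-test directory rather than directly under `/tmp`. The copy written to `os.path.join(tmpdir, 'ssh_priv_key')` is never read in the visible code and could be dropped along with the `tmpdir` argument. Separately, the docstring of `test_nested_group_members` calls "groupc" a child of "groupb", while the `group-add-member` calls make groupa a member of groupb and groupb a member of groupc, so the docstring should state the direction the commands actually create.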