CI tests: use old schema when testing hostmask-based sudo rules

Newer versions of sssd use native IPA schema to process sudo rules.
However, this schema currently has no support for hostmask-based rules
and causes some sudo CI tests to fail. We have to temporarily set
sssd.conf to use ou=sudoers,$SUFFIX as a sudo rule search base when
executing them.

https://fedorahosted.org/freeipa/ticket/5625

Reviewed-By: Tomas Babej <tbabej@redhat.com>
Martin Babinsky 2016-02-17 16:55:56 +01:00 committed by Tomas Babej
parent a14d687493
commit 94a836dd46
2 changed files with 69 additions and 1 deletions


@ -24,10 +24,12 @@ import textwrap
import re
import collections
import itertools
import tempfile
import time
import dns
from ldif import LDIFWriter
from SSSDConfig import SSSDConfig
from six import StringIO
from ipapython import ipautil
@ -591,6 +593,47 @@ def setup_sssd_debugging(host):
clear_sssd_cache(host)
def modify_sssd_conf(host, domain, mod_dict, provider='ipa',
provider_subtype=None):
"""
modify options in a single domain section of host's sssd.conf
:param host: multihost.Host object
:param domain: domain section name to modify
:param mod_dict: dictionary of options which will be passed to
SSSDDomain.set_option(). To remove an option specify its value as
None
:param provider: provider backend to set. Defaults to ipa
:param provider_subtype: backend subtype (e.g. id or sudo), will be added
to the domain config if not present
"""
try:
temp_config_file = tempfile.mkstemp()[1]
current_config = host.transport.get_file_contents(paths.SSSD_CONF)
with open(temp_config_file, 'wb') as f:
f.write(current_config)
sssd_config = SSSDConfig()
sssd_config.import_config(temp_config_file)
sssd_domain = sssd_config.get_domain(domain)
if provider_subtype is not None:
sssd_domain.add_provider(provider, provider_subtype)
for m in mod_dict:
sssd_domain.set_option(m, mod_dict[m])
sssd_config.save_domain(sssd_domain)
new_config = sssd_config.dump(sssd_config.opts).encode('utf-8')
host.transport.put_file_contents(paths.SSSD_CONF, new_config)
finally:
try:
os.remove(temp_config_file)
except OSError:
pass
def clear_sssd_cache(host):
"""
Clears SSSD cache by removing the cache files. Restarts SSSD.
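Review bot: In `modify_sssd_conf`, `tempfile.mkstemp()[1]` throws away the open file descriptor that mkstemp returns, so each call leaks one descriptor. Because the call sits inside the `try:`, a failure in mkstemp also leaves `temp_config_file` unbound, and the `finally` then raises NameError (only OSError is caught) and hides the real error. Create the file before the `try:` with `fd, temp_config_file = tempfile.mkstemp()` and write through the descriptor with `with os.fdopen(fd, 'wb') as f:`. The temporary file is a local copy of sssd.conf, which can hold bind credentials, so keeping mkstemp (owner-only permissions) rather than a hand-built path is the right choice. Whether `put_file_contents` keeps the root ownership and 0600 mode that SSSD expects on sssd.conf is not visible here and is worth confirming.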


@ -20,7 +20,7 @@
import pytest
from ipatests.test_integration.base import IntegrationTest
from ipatests.test_integration.tasks import clear_sssd_cache
from ipatests.test_integration.tasks import clear_sssd_cache, modify_sssd_conf
from ipatests.test_integration import util
@ -287,6 +287,19 @@ class TestSudo(IntegrationTest):
'testrule',
'--hostmask', full_ip])
# SSSD >= 1.13.3-3 uses native IPA schema instead of compat entries to
# pull in sudoers. Since native schema does not (yet) support
# hostmasks, we need to point ldap_sudo_search_base to the old schema
domain = self.client.domain
modify_sssd_conf(
self.client,
domain.name,
{
'ldap_sudo_search_base': 'ou=sudoers,{}'.format(domain.basedn)
},
provider_subtype='sudo'
)
def test_sudo_rule_restricted_to_one_hostmask(self):
if self.__class__.skip_hostmask_based:
raise pytest.skip("Hostmask could not be detected")
@ -328,6 +341,18 @@ class TestSudo(IntegrationTest):
'testrule',
'--hostmask', '%s/32' % ip])
# reset ldap_sudo_search_base back to the default value, the old
# schema is not needed for the upcoming tests
domain = self.client.domain
modify_sssd_conf(
self.client,
domain.name,
{
'ldap_sudo_search_base': None
},
provider_subtype='sudo'
)
def test_sudo_rule_restricted_to_one_command_setup(self):
# Reset testrule configuration
self.reset_rule_categories()
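Review bot: The reset of `ldap_sudo_search_base` to `None` sits in a different test method from the one that sets it, so the client's sssd.conf is only restored if the whole class runs in order. A run that selects a subset of tests, or that aborts between the two methods, leaves the client pointing at `ou=sudoers`. Restoring the option from a fixture finalizer or a `try`/`finally` would remove that ordering dependency; at minimum the first comment could say so, e.g. `# undone in the matching teardown step; later tests assume the native schema`. Nothing visible in either hunk restarts SSSD or calls `clear_sssd_cache` after `modify_sssd_conf`, so the new search base presumably takes effect only if the test bodies do that themselves. Both enclosing methods begin outside the hunks, so this needs checking there.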