CI tests: use old schema when testing hostmask-based sudo rules

Newer versions of sssd use native IPA schema to process sudo rules. However, this schema currently has no support for hostmask-based rules and causes some sudo CI tests to fail. We have to temporarily set sssd.conf to use ou=sudoers,$SUFFIX as a sudo rule search base when executing them. https://fedorahosted.org/freeipa/ticket/5625 Reviewed-By: Tomas Babej <tbabej@redhat.com>
2025-02-25 18:55:28 -06:00 · 2016-02-17 16:55:56 +01:00
parent a14d687493
commit 94a836dd46
2 changed files with 69 additions and 1 deletions
--- a/ipatests/test_integration/test_sudo.py
+++ b/ipatests/test_integration/test_sudo.py
@@ -20,7 +20,7 @@
 import pytest

 from ipatests.test_integration.base import IntegrationTest
-from ipatests.test_integration.tasks import clear_sssd_cache
+from ipatests.test_integration.tasks import clear_sssd_cache, modify_sssd_conf
 from ipatests.test_integration import util


@@ -287,6 +287,19 @@ class TestSudo(IntegrationTest):
                                 'testrule',
                                 '--hostmask', full_ip])

+        # SSSD >= 1.13.3-3 uses native IPA schema instead of compat entries to
+        # pull in sudoers. Since native schema does not (yet) support
+        # hostmasks, we need to point ldap_sudo_search_base to the old schema
+        domain = self.client.domain
+        modify_sssd_conf(
+            self.client,
+            domain.name,
+            {
+                'ldap_sudo_search_base': 'ou=sudoers,{}'.format(domain.basedn)
+            },
+            provider_subtype='sudo'
+        )
+
    def test_sudo_rule_restricted_to_one_hostmask(self):
        if self.__class__.skip_hostmask_based:
            raise pytest.skip("Hostmask could not be detected")
@@ -328,6 +341,18 @@ class TestSudo(IntegrationTest):
                                 'testrule',
                                 '--hostmask', '%s/32' % ip])

+        # reset ldap_sudo_search_base back to the default value, the old
+        # schema is not needed for the upcoming tests
+        domain = self.client.domain
+        modify_sssd_conf(
+            self.client,
+            domain.name,
+            {
+                'ldap_sudo_search_base': None
+            },
+            provider_subtype='sudo'
+        )
+
    def test_sudo_rule_restricted_to_one_command_setup(self):
        # Reset testrule configuration
        self.reset_rule_categories()