mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-02-25 18:55:28 -06:00
CI tests: use old schema when testing hostmask-based sudo rules
Newer versions of sssd use native IPA schema to process sudo rules. However, this schema currently has no support for hostmask-based rules and causes some sudo CI tests to fail. We have to temporarily set sssd.conf to use ou=sudoers,$SUFFIX as a sudo rule search base when executing them. https://fedorahosted.org/freeipa/ticket/5625 Reviewed-By: Tomas Babej <tbabej@redhat.com>
committed by
Tomas Babej
parent
a14d687493
commit
94a836dd46
@@ -24,10 +24,12 @@ import textwrap
|
|||||||
import re
|
import re
|
||||||
import collections
|
import collections
|
||||||
import itertools
|
import itertools
|
||||||
|
import tempfile
|
||||||
import time
|
import time
|
||||||
|
|
||||||
import dns
|
import dns
|
||||||
from ldif import LDIFWriter
|
from ldif import LDIFWriter
|
||||||
|
from SSSDConfig import SSSDConfig
|
||||||
from six import StringIO
|
from six import StringIO
|
||||||
|
|
||||||
from ipapython import ipautil
|
from ipapython import ipautil
|
||||||
@@ -591,6 +593,47 @@ def setup_sssd_debugging(host):
|
|||||||
clear_sssd_cache(host)
|
clear_sssd_cache(host)
|
||||||
|
|
||||||
|
|
||||||
|
def modify_sssd_conf(host, domain, mod_dict, provider='ipa',
|
||||||
|
provider_subtype=None):
|
||||||
|
"""
|
||||||
|
modify options in a single domain section of host's sssd.conf
|
||||||
|
:param host: multihost.Host object
|
||||||
|
:param domain: domain section name to modify
|
||||||
|
:param mod_dict: dictionary of options which will be passed to
|
||||||
|
SSSDDomain.set_option(). To remove an option specify its value as
|
||||||
|
None
|
||||||
|
:param provider: provider backend to set. Defaults to ipa
|
||||||
|
:param provider_subtype: backend subtype (e.g. id or sudo), will be added
|
||||||
|
to the domain config if not present
|
||||||
|
"""
|
||||||
|
try:
|
||||||
|
temp_config_file = tempfile.mkstemp()[1]
|
||||||
|
current_config = host.transport.get_file_contents(paths.SSSD_CONF)
|
||||||
|
|
||||||
|
with open(temp_config_file, 'wb') as f:
|
||||||
|
f.write(current_config)
|
||||||
|
|
||||||
|
sssd_config = SSSDConfig()
|
||||||
|
sssd_config.import_config(temp_config_file)
|
||||||
|
sssd_domain = sssd_config.get_domain(domain)
|
||||||
|
|
||||||
|
if provider_subtype is not None:
|
||||||
|
sssd_domain.add_provider(provider, provider_subtype)
|
||||||
|
|
||||||
|
for m in mod_dict:
|
||||||
|
sssd_domain.set_option(m, mod_dict[m])
|
||||||
|
|
||||||
|
sssd_config.save_domain(sssd_domain)
|
||||||
|
|
||||||
|
new_config = sssd_config.dump(sssd_config.opts).encode('utf-8')
|
||||||
|
host.transport.put_file_contents(paths.SSSD_CONF, new_config)
|
||||||
|
finally:
|
||||||
|
try:
|
||||||
|
os.remove(temp_config_file)
|
||||||
|
except OSError:
|
||||||
|
pass
|
||||||
|
|
||||||
|
|
||||||
def clear_sssd_cache(host):
|
def clear_sssd_cache(host):
|
||||||
"""
|
"""
|
||||||
Clears SSSD cache by removing the cache files. Restarts SSSD.
|
Clears SSSD cache by removing the cache files. Restarts SSSD.
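Review bot: In `modify_sssd_conf`, `tempfile.mkstemp()[1]` discards the open file descriptor that mkstemp returns, so every call leaks one descriptor. Because the call sits inside the `try:`, a failure in mkstemp itself leaves `temp_config_file` unbound, and the `finally` then raises NameError (not caught by `except OSError`) in place of the original error. Moving `fd, temp_config_file = tempfile.mkstemp()` above the `try:` and writing through `with os.fdopen(fd, 'wb') as f:` fixes both, and keeps the local copy of sssd.conf in the owner-only file mkstemp created. A comment such as `# sssd.conf may hold credentials: keep the copy in the mkstemp file and always remove it` would record why the cleanup matters. Whether `put_file_contents` preserves the mode and ownership of the remote sssd.conf is not visible here and is worth confirming, since SSSD checks that file's permissions.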
|
||||||
|
|||||||
@@ -20,7 +20,7 @@
|
|||||||
import pytest
|
import pytest
|
||||||
|
|
||||||
from ipatests.test_integration.base import IntegrationTest
|
from ipatests.test_integration.base import IntegrationTest
|
||||||
from ipatests.test_integration.tasks import clear_sssd_cache
|
from ipatests.test_integration.tasks import clear_sssd_cache, modify_sssd_conf
|
||||||
from ipatests.test_integration import util
|
from ipatests.test_integration import util
|
||||||
|
|
||||||
|
|
||||||
@@ -287,6 +287,19 @@ class TestSudo(IntegrationTest):
|
|||||||
'testrule',
|
'testrule',
|
||||||
'--hostmask', full_ip])
|
'--hostmask', full_ip])
|
||||||
|
|
||||||
|
# SSSD >= 1.13.3-3 uses native IPA schema instead of compat entries to
|
||||||
|
# pull in sudoers. Since native schema does not (yet) support
|
||||||
|
# hostmasks, we need to point ldap_sudo_search_base to the old schema
|
||||||
|
domain = self.client.domain
|
||||||
|
modify_sssd_conf(
|
||||||
|
self.client,
|
||||||
|
domain.name,
|
||||||
|
{
|
||||||
|
'ldap_sudo_search_base': 'ou=sudoers,{}'.format(domain.basedn)
|
||||||
|
},
|
||||||
|
provider_subtype='sudo'
|
||||||
|
)
|
||||||
|
|
||||||
def test_sudo_rule_restricted_to_one_hostmask(self):
|
def test_sudo_rule_restricted_to_one_hostmask(self):
|
||||||
if self.__class__.skip_hostmask_based:
|
if self.__class__.skip_hostmask_based:
|
||||||
raise pytest.skip("Hostmask could not be detected")
|
raise pytest.skip("Hostmask could not be detected")
|
||||||
@@ -328,6 +341,18 @@ class TestSudo(IntegrationTest):
|
|||||||
'testrule',
|
'testrule',
|
||||||
'--hostmask', '%s/32' % ip])
|
'--hostmask', '%s/32' % ip])
|
||||||
|
|
||||||
|
# reset ldap_sudo_search_base back to the default value, the old
|
||||||
|
# schema is not needed for the upcoming tests
|
||||||
|
domain = self.client.domain
|
||||||
|
modify_sssd_conf(
|
||||||
|
self.client,
|
||||||
|
domain.name,
|
||||||
|
{
|
||||||
|
'ldap_sudo_search_base': None
|
||||||
|
},
|
||||||
|
provider_subtype='sudo'
|
||||||
|
)
|
||||||
|
|
||||||
def test_sudo_rule_restricted_to_one_command_setup(self):
|
def test_sudo_rule_restricted_to_one_command_setup(self):
|
||||||
# Reset testrule configuration
|
# Reset testrule configuration
|
||||||
self.reset_rule_categories()
|
self.reset_rule_categories()
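Review bot: The `ldap_sudo_search_base` override added at `@@ -287,6 +287,19 @@` is undone only by the separate `modify_sssd_conf(..., {'ldap_sudo_search_base': None}, ...)` call added at `@@ -328,6 +341,18 @@`. If the run stops or is reordered between those two steps, the client's sssd.conf keeps pointing sudo lookups at `ou=sudoers,...`, and later sudo tests would exercise the old schema without saying so. Both enclosing methods start outside the hunks, so I cannot see whether anything else restores the file. Consider doing the reset in class-level teardown, or at least marking the pairing with a comment such as `# undone by the ldap_sudo_search_base reset in the matching teardown step`. Nothing visible restarts SSSD after the config is rewritten, so if the tests rely on `clear_sssd_cache` for that, a short comment saying so would help.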
|
||||||
|
|||||||