mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-23 15:40:01 -06:00
tests: Add hostmask detection for sudo rules validating on hostmask
IPA sudo tests worked under the assumption that the clients that are executing the sudo commands have their IPs assigned within 255.255.255.0 hostmask. Removes this (invalid) assumption and adds a dynamic detection of the hostmask of the IPA client. https://fedorahosted.org/freeipa/ticket/5501 Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com> Reviewed-By: Oleg Fayans <ofayans@redhat.com> Reviewed-By: Ales 'alich' Marecek <amarecek@redhat.com>
This commit is contained in:
parent
7c4ce9a098
commit
a02f83ff9c
@ -17,8 +17,11 @@
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
|
||||
import pytest
|
||||
|
||||
from ipatests.test_integration.base import IntegrationTest
|
||||
from ipatests.test_integration.tasks import clear_sssd_cache
|
||||
from ipatests.test_integration import util
|
||||
|
||||
|
||||
class TestSudo(IntegrationTest):
|
||||
@ -269,13 +272,25 @@ class TestSudo(IntegrationTest):
|
||||
'--hostgroups', 'testhostgroup'])
|
||||
|
||||
def test_sudo_rule_restricted_to_one_hostmask_setup(self):
|
||||
# Add the client's /24 hostmask to the rule
|
||||
ip = self.client.ip
|
||||
# We need to detect the hostmask first
|
||||
full_ip = util.get_host_ip_with_hostmask(self.client)
|
||||
|
||||
# Make a note for the next test, which needs to be skipped
|
||||
# if hostmask detection failed
|
||||
self.__class__.skip_hostmask_based = False
|
||||
|
||||
if not full_ip:
|
||||
self.__class__.skip_hostmask_based = True
|
||||
raise pytest.skip("Hostmask could not be detected")
|
||||
|
||||
self.master.run_command(['ipa', '-n', 'sudorule-add-host',
|
||||
'testrule',
|
||||
'--hostmask', '%s/24' % ip])
|
||||
'--hostmask', full_ip])
|
||||
|
||||
def test_sudo_rule_restricted_to_one_hostmask(self):
|
||||
if self.__class__.skip_hostmask_based:
|
||||
raise pytest.skip("Hostmask could not be detected")
|
||||
|
||||
result1 = self.list_sudo_commands("testuser1")
|
||||
assert "(ALL : ALL) NOPASSWD: ALL" in result1.stdout_text
|
||||
|
||||
@ -284,11 +299,16 @@ class TestSudo(IntegrationTest):
|
||||
assert result.returncode != 0
|
||||
|
||||
def test_sudo_rule_restricted_to_one_hostmask_teardown(self):
|
||||
# Remove the client's /24 hostmask from the rule
|
||||
ip = self.client.ip
|
||||
if self.__class__.skip_hostmask_based:
|
||||
raise pytest.skip("Hostmask could not be detected")
|
||||
|
||||
# Detect the hostmask first to delete the hostmask based rule
|
||||
full_ip = util.get_host_ip_with_hostmask(self.client)
|
||||
|
||||
# Remove the client's hostmask from the rule
|
||||
self.master.run_command(['ipa', '-n', 'sudorule-remove-host',
|
||||
'testrule',
|
||||
'--hostmask', '%s/24' % ip])
|
||||
'--hostmask', full_ip])
|
||||
|
||||
def test_sudo_rule_restricted_to_one_hostmask_negative_setup(self):
|
||||
# Add the master's hostmask to the rule
|
||||
|
@ -18,6 +18,7 @@
|
||||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
|
||||
import time
|
||||
import re
|
||||
|
||||
|
||||
def run_repeatedly(host, command, assert_zero_rc=True, test=None,
|
||||
@ -58,3 +59,19 @@ def run_repeatedly(host, command, assert_zero_rc=True, test=None,
|
||||
.format(cmd=' '.join(command),
|
||||
times=timeout / time_step,
|
||||
timeout=timeout))
|
||||
|
||||
|
||||
def get_host_ip_with_hostmask(host):
|
||||
"""
|
||||
Detects the IP of the host including the hostmask.
|
||||
|
||||
Returns None if the IP could not be detected.
|
||||
"""
|
||||
|
||||
ip = host.ip
|
||||
result = host.run_command(['ip', 'addr'])
|
||||
full_ip_regex = r'(?P<full_ip>%s/\d{1,2}) ' % re.escape(ip)
|
||||
match = re.search(full_ip_regex, result.stdout_text)
|
||||
|
||||
if match:
|
||||
return match.group('full_ip')
|
||||
|
Loading…
Reference in New Issue
Block a user