[Pytest] Port AD id mapping tests to the new framework #7171
Closed
Reviewed-by: Shridhar Gadekar <[email protected]> (cherry picked from commit 54903c0)
SSSD tests seem to be failing with current ssh module without any reason. Reviewed-by: Jakub Vávra <[email protected]> Reviewed-by: Scott Poore <[email protected]> (cherry picked from commit 34dba5a)
If a user's password is expired while changing the LDAP password SSSD tries to change the password even if the initial bind of the user failed due to exhausted grace logins. With this patch the change password request will be aborted if the bind fails indicating that there are no grace logins left. Resolves: #6768 Reviewed-by: Iker Pedrosa <[email protected]> Reviewed-by: Pavel Březina <[email protected]> (cherry picked from commit d99aa97)
To determine which GPOs apply to the host running SSSD the full DN of the host object in AD is needed. To find this object we use the NetBIOS name of the host which is stored in AD in the sAMAccountName attribute. Using other attributes, e.g. if ldap_user_name is set to a different attribute, will most probably cause a failure since those attributes are not managed as expected for host objects. As a result sAMAccountName should be hardcoded here to avoid issues. Resolves: #6766 Reviewed-by: Iker Pedrosa <[email protected]> Reviewed-by: Justin Stephenson <[email protected]> (cherry picked from commit 67c11c2)
This field is not used anywhere. Instead, we use value from struct cache_req. Reviewed-by: Alexey Tikhonov <[email protected]> Reviewed-by: Tomáš Halman <[email protected]> (cherry picked from commit 8b014bf)
During the first iteration where the provider was not yet contacted, we set state->dp_success to false and if the record was not found we returned ERR_OFFLINE instead of ENOENT which causes the cache_req to continue and search the provider. Resolves: #6739 Reviewed-by: Alexey Tikhonov <[email protected]> Reviewed-by: Tomáš Halman <[email protected]> (cherry picked from commit 32f5782)
Example workflow: - SSSD client is enrolled into AD domain (Token-Groups are enabled) - `id $user` is executed - initgroups() is called for this user - during processing of initgroups() sssd_be obtains a list of group SIDs user is a member of, and then partially resolves those groups and adds it to the local cache as "incomplete" (i.e. 'expired') - as a next step `id` calls getgrnam() for every group in initgroups() list - since groups are saved into the cache as "incomplete" (technically - "expired") this again results in LDAP search of this group. But if `ignore_group_members = true` this search doesn't provide new information. "Incomplete" groups could be used instead. Reviewed-by: Pavel Březina <[email protected]> Reviewed-by: Sumit Bose <[email protected]> (cherry picked from commit 2fd5374)
Test suite pam-srv-tests accepts a test name as the last argument to just run that test. However, this was failing because a pointer to the name is retrieved but the poptContext is freed immediately after, making pointer invalid. The poptContext is now released after using the pointer. Reviewed-by: Iker Pedrosa <[email protected]> Reviewed-by: Sumit Bose <[email protected]> (cherry picked from commit ca7c9f6)
When using extra attributes, an attribute could be listed twice and SSSD will try to add it twice to the cache. To handle this situation, each instance will be added to a single attribute with multiple values, but duplicated values will be dropped. This is done by calling `sysdb_attrs_add_val_safe()` instead of `sysdb_attrs_add_val()`. Reviewed-by: Iker Pedrosa <[email protected]> Reviewed-by: Sumit Bose <[email protected]> (cherry picked from commit dc508f0)
Similar to string_in_list() but instead of taking a NULL-terminated list it takes a list and its size. Reviewed-by: Iker Pedrosa <[email protected]> Reviewed-by: Sumit Bose <[email protected]> (cherry picked from commit 1b45f29)
Old function add_strings_lists() copies any duplicate value. New function add_strings_lists_ex() takes an argument to decide whether to discard duplicate values. add_strings_lists() is now a wrapper on add_strings_lists_ex(). Both functions now take a const char *** instead of char ** as output parameter. An existing test was adapted and a new one added. Reviewed-by: Iker Pedrosa <[email protected]> Reviewed-by: Sumit Bose <[email protected]> (cherry picked from commit 2b8fed5)
Both functions do the same thing, so it is useless to have them both. attr_in_list() has, however, a more descriptive name for its use in this module, so we'll keep it as an inlined wrapper. Reviewed-by: Iker Pedrosa <[email protected]> Reviewed-by: Sumit Bose <[email protected]> (cherry picked from commit de258f0)
The extra attributes are concatenated to other required attributes for some operations. In some cases the attribute list ends up having duplicate attributes, either because accidentally the user added it twice to the ldap_user_extra_attrs list, or one or more of those attributes are also in the required list. Removing the duplicates each time the lists are concatenated increases the concatenation time. And this is done every time. So we try to concatenate the attribute lists at start up, filtering duplicates, and use that list. To do that, we consider the two cases where the list concatenation is done. In one of the cases, the added attributes are a subset of the other list. So we factorized this list to add the common attributes to the list at start up. Only the non-common attributes are added while serving a request. The complete list is now stored in the `full_attribute_list` field. An existing test suite was adapted to this new situation as it now needs to initialize the new field. Reviewed-by: Iker Pedrosa <[email protected]> Reviewed-by: Sumit Bose <[email protected]> (cherry picked from commit b504159)
(Korean) currently translated at 100.0% (714 of 714 strings) Translation: SSSD/SSSD-2-9 Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-9/ko/
(Ukrainian) currently translated at 100.0% (714 of 714 strings) Translation: SSSD/SSSD-2-9 Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-9/uk/
(Georgian) currently translated at 8.1% (58 of 714 strings) Translation: SSSD/SSSD-2-9 Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-9/ka/
(Korean) currently translated at 100.0% (714 of 714 strings) Translation: SSSD/SSSD-2-9 Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-9/ko/
(Turkish) currently translated at 98.7% (705 of 714 strings) Translation: SSSD/SSSD-2-9 Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-9/tr/
(Polish) currently translated at 100.0% (714 of 714 strings) Translation: SSSD/SSSD-2-9 Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-9/pl/
(Russian) currently translated at 100.0% (714 of 714 strings) Translation: SSSD/SSSD-2-9 Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-9/ru/
(French) currently translated at 100.0% (714 of 714 strings) Translation: SSSD/SSSD-2-9 Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-9/fr/
(Japanese) currently translated at 100.0% (714 of 714 strings) Translation: SSSD/SSSD-2-9 Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-9/ja/
(Chinese (Simplified) (zh_CN)) currently translated at 100.0% (714 of 714 strings) Translation: SSSD/SSSD-2-9 Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-9/zh_CN/
…verride Add automation of BZ2096183. verifies: #6671 Signed-off-by: Madhuri Upadhye <[email protected]> Reviewed-by: Alejandro López <[email protected]> Reviewed-by: Jakub Vávra <[email protected]> (cherry picked from commit 377ec31)
…n sssd.conf the cross-forest query stop working When adding attributes ldap_user_extra_attrs with mail value in sssd.conf the cross-forest query stop working Automation of BZ2170720 Verifies: #6759 Signed-off-by: Madhuri Upadhye <[email protected]> Reviewed-by: Alejandro López <[email protected]> Reviewed-by: Jakub Vávra <[email protected]> (cherry picked from commit 57499ff)
Using new authentication module for ssh login instead of existing one Reviewed-by: Anuj Borah <[email protected]> (cherry picked from commit 0171bcb)
Fix alltest tier1_3 tests with new ssh module Reviewed-by: Shridhar Gadekar <[email protected]> (cherry picked from commit 5674120)
Fix IPA tier1_2 tests Reviewed-by: Jakub Vávra <[email protected]> (cherry picked from commit 7f94e5c)
Add a pytest plugin to remove / duplicate test log from console and put it into a stand-alone per-test log files. Reviewed-by: Scott Poore <[email protected]> (cherry picked from commit 9d6caae)
Reviewed-by: Justin Stephenson <[email protected]> Reviewed-by: Tomáš Halman <[email protected]> (cherry picked from commit d3a2bd0)
Reviewed-by: Dan Lavu <[email protected]> Reviewed-by: Iker Pedrosa <[email protected]> (cherry picked from commit ea7de58)
Test cases are as follows: 7. Check offline authentication of a user with LDAP, IPA, AD and Samba 8. Fetch user from cache for LDAP, IPA, AD and Samba server 9. Check authentication of user when multiple keys added for same user with LDAP, IPA, AD and Samba server. 10. Check authentication of user when same key added for multiple user with LDAP, IPA, AD and Samba server. Signed-off-by: Madhuri Upadhye <[email protected]> Reviewed-by: Iker Pedrosa <[email protected]> Reviewed-by: Justin Stephenson <[email protected]> Reviewed-by: Scott Poore <[email protected]> (cherry picked from commit 173f311)
In AD, a user from a domain can be a member of a group that is from a child of the domain. The old code did not account for this and created a cache object with incorrect DNs when ldap_use_tokengroups is set to False. This patch looks up the correct domain before saving group and membership attributes. Resolves: #7084 Reviewed-by: Dan Lavu <[email protected]> Reviewed-by: Sumit Bose <[email protected]> (cherry picked from commit 830a2e3)
Reviewed-by: Andre Boscatto <[email protected]> (cherry picked from commit 4cdb417)
Resolves: #5708 Reviewed-by: Justin Stephenson <[email protected]> Reviewed-by: Tomáš Halman <[email protected]> (cherry picked from commit 9b73614)
With this patch the group-memberships of the client running SSSD are included in the evaluation of the security filtering. Similar as in AD the host object is more or less handled as a user object which allows to skip some code dedicated to computers only. Resolves: #5708 Reviewed-by: Justin Stephenson <[email protected]> Reviewed-by: Tomáš Halman <[email protected]> (cherry picked from commit c02e09a)
The related calls are not needed anymore. Resolves: #5708 Reviewed-by: Justin Stephenson <[email protected]> Reviewed-by: Tomáš Halman <[email protected]> (cherry picked from commit ff23e7e)
This patch adds a new parameter set_non_posix to the user and group lookup calls. Currently the domain type is used to determine if the search should be restricted to POSIX objects or not. The new option allows to drop this restriction explicitly to look up non-POSIX objects. Resolves: #5708 Reviewed-by: Justin Stephenson <[email protected]> Reviewed-by: Tomáš Halman <[email protected]> (cherry picked from commit 5f63d9b)
When we are evaluating GPO the SID of user's primary group is not returned in the list. This patch converts the value of origPrimaryGroupGidNumber attribute back to SID and that SID is added to the list of SIDs before evaluating the GPO rules. Reviewed-by: Dan Lavu <[email protected]> Reviewed-by: Sumit Bose <[email protected]> (cherry picked from commit ecb0c63)
Reviewed-by: Dan Lavu <[email protected]> (cherry picked from commit 90eca38)
Error: remote username contains invalid characters Reviewed-by: Madhuri Upadhye <[email protected]> (cherry picked from commit 2308766)
Reviewed-by: Dan Lavu <[email protected]> Reviewed-by: Iker Pedrosa <[email protected]> Reviewed-by: Tomáš Halman <[email protected]> (cherry picked from commit c6d216fb74108d798f9ef5b804c87b3654ab1c30)
minor edit Reviewed-by: Anuj Borah <[email protected]> (cherry picked from commit 2b222dd)
Reviewed-by: Shridhar Gadekar <[email protected]> (cherry picked from commit 684d18b)
Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 3 to 4. - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](actions/download-artifact@v3...v4) Reviewed-by: Justin Stephenson <[email protected]> (cherry picked from commit 3922f4d)
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2 to 3. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@v2...v3) Reviewed-by: Justin Stephenson <[email protected]> (cherry picked from commit f5f5d83)
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3 to 4. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](actions/upload-artifact@v3...v4) Reviewed-by: Justin Stephenson <[email protected]> (cherry picked from commit 35ef26b)
While introducing the local_auth_policy option a quite specific use-case was not covered correctly. If there are multiple matching certificates on the Smartcard, 'local_auth_policy = only' is set and GDM's Smartcard mode was used for login, i.e. there is no user name given and the user has to be derived from the certificate used for login, authentication failed. The main reason for the failure is that in this case the Smartcard interaction and the user mapping has to be done first to determine the user before local_auth_policy is evaluated. As a result when checking if the authentication can be finished the request was in an unexpected state because the indicator for local Smartcard authentication was not enabled. Resolves: #7109 Reviewed-by: Justin Stephenson <[email protected]> Reviewed-by: Scott Poore <[email protected]> (cherry picked from commit 44ec3e4)
```
/shared/workspace/sssd/src/providers/krb5/krb5_child.c: In function _create_empty_cred_:
/shared/workspace/sssd/src/providers/krb5/krb5_child.c:1317:26: error: _calloc_ sizes specified with _sizeof_ in the earlier argument and not in the later argument [-Werror=calloc-transposed-args]
 1317 |     cred = calloc(sizeof(krb5_creds), 1);
      |                          ^~~~~~~~~~
/shared/workspace/sssd/src/providers/krb5/krb5_child.c:1317:26: note: earlier argument should specify number of elements, later size of each element
```
Reviewed-by: Alexey Tikhonov <[email protected]> (cherry picked from commit 7076c5b)
Resolves: #7136 Reviewed-by: Iker Pedrosa <[email protected]> Reviewed-by: Justin Stephenson <[email protected]> (cherry picked from commit b312417)
Reviewed-by: Tomáš Halman <[email protected]> (cherry picked from commit 2fa6ec2)
Fix "PytestUnknownMarkWarning: Unknown pytest.mark.converted - is this a typo?" Reviewed-by: Scott Poore <[email protected]> (cherry picked from commit ef581c9)
Resolve "OSError: File '/var/log/sssd/sssd_kcm.log' could not be read" by catching and handling this exception as well. Reviewed-by: Shridhar Gadekar <[email protected]> (cherry picked from commit 9985032)
Port the following tests [https://github.com/SSSD/sssd/blob/master/src/tests/multihost/ad/test_idmap.py] to the new framework.
Jira issue: https://issues.redhat.com/browse/SSSD-6883