Hi everyone, Here is a patch set fixing some things in integration tests and adding more LDAP tests:

* Adding/removing a user/group/membership with rfc2307(bis) schema. * Filtering users/groups with rfc2307(bis) schema. * The effect of override_homedir option. * The effect of fallback_homedir option. * The effect of override_shell option. * The effect of shell_fallback option. * The effect of default_shell option. * The effect of vetoed_shells option. These are pretty basic, but I think they're good for the start. Suggestions for more tests are welcome :) NOTE: These still break test_memory_cache.py as seen in the attached log file. We need to figure out why and do something with it. Otherwise, the tests work fine. Nick

From d09a103901a6f86873f9510152c600a062e255ed Mon Sep 17 00:00:00 2001 From: Nikolai Kondrashov <Nikolai.Kondrashov(a)redhat.com&gt; Date: Tue, 29 Sep 2015 20:00:14 +0300 Subject: [PATCH 1/7] intg: Get base DN from LDAP connection object Don't use the global LDAP_BASE_DN in integration tests and fixtures, but instead take it from the LDAP connection object (ldap_conn) passed to them explicitly. This makes the tests and fixtures a bit more modular. --- src/tests/intg/ldap_test.py | 8 ++++---- src/tests/intg/test_memory_cache.py | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/src/tests/intg/ldap_test.py b/src/tests/intg/ldap_test.py index ea114dc..0287a28 100644 --- a/src/tests/intg/ldap_test.py +++ b/src/tests/intg/ldap_test.py @@ -105,7 +105,7 @@ def create_sssd_fixture(request): @pytest.fixture def sanity_rfc2307(request, ldap_conn): - ent_list = ldap_ent.List(LDAP_BASE_DN) + ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) ent_list.add_user("user1", 1001, 2001) ent_list.add_user("user2", 1002, 2002) ent_list.add_user("user3", 1003, 2003) @@ -150,7 +150,7 @@ def sanity_rfc2307(request, ldap_conn): @pytest.fixture def simple_rfc2307(request, ldap_conn): - ent_list = ldap_ent.List(LDAP_BASE_DN) + ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) ent_list.add_user('usr\\\\001', 181818, 181818) ent_list.add_group("group1", 181818) @@ -181,7 +181,7 @@ def simple_rfc2307(request, ldap_conn): @pytest.fixture def sanity_rfc2307_bis(request, ldap_conn): - ent_list = ldap_ent.List(LDAP_BASE_DN) + ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) ent_list.add_user("user1", 1001, 2001) ent_list.add_user("user2", 1002, 2002) ent_list.add_user("user3", 1003, 2003) @@ -309,7 +309,7 @@ def test_sanity_rfc2307_bis(ldap_conn, sanity_rfc2307_bis): @pytest.fixture def refresh_after_cleanup_task(request, ldap_conn): - ent_list = ldap_ent.List(LDAP_BASE_DN) + ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) ent_list.add_user("user1", 1001, 2001) ent_list.add_group_bis("group1", 2001, ["user1"]) diff --git a/src/tests/intg/test_memory_cache.py b/src/tests/intg/test_memory_cache.py index 1f4ccb0..76d85fd 100644 --- a/src/tests/intg/test_memory_cache.py +++ b/src/tests/intg/test_memory_cache.py @@ -109,7 +109,7 @@ def create_sssd_fixture(request): def load_data_to_ldap(request, ldap_conn): - ent_list = ldap_ent.List(LDAP_BASE_DN) + ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) ent_list.add_user("user1", 1001, 2001) ent_list.add_user("user2", 1002, 2002) ent_list.add_user("user3", 1003, 2003) -- 2.5.1

From 8eb90565998f43fdc6b9ea3564527620c862f7fb Mon Sep 17 00:00:00 2001 From: Nikolai Kondrashov <Nikolai.Kondrashov(a)redhat.com&gt; Date: Tue, 29 Sep 2015 20:13:04 +0300 Subject: [PATCH 2/7] intg: Remove _rfc2307 from function names Remove "_rfc2307" from integration test function names for brevity. --- src/tests/intg/ldap_test.py | 12 +++---- src/tests/intg/test_memory_cache.py | 70 ++++++++++++++++++------------------- 2 files changed, 41 insertions(+), 41 deletions(-) diff --git a/src/tests/intg/ldap_test.py b/src/tests/intg/ldap_test.py index 0287a28..e359ab4 100644 --- a/src/tests/intg/ldap_test.py +++ b/src/tests/intg/ldap_test.py @@ -104,7 +104,7 @@ def create_sssd_fixture(request): @pytest.fixture -def sanity_rfc2307(request, ldap_conn): +def sanity(request, ldap_conn): ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) ent_list.add_user("user1", 1001, 2001) ent_list.add_user("user2", 1002, 2002) @@ -149,7 +149,7 @@ def sanity_rfc2307(request, ldap_conn): @pytest.fixture -def simple_rfc2307(request, ldap_conn): +def simple(request, ldap_conn): ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) ent_list.add_user('usr\\\\001', 181818, 181818) ent_list.add_group("group1", 181818) @@ -180,7 +180,7 @@ def simple_rfc2307(request, ldap_conn): @pytest.fixture -def sanity_rfc2307_bis(request, ldap_conn): +def sanity_bis(request, ldap_conn): ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) ent_list.add_user("user1", 1001, 2001) ent_list.add_user("user2", 1002, 2002) @@ -238,14 +238,14 @@ def sanity_rfc2307_bis(request, ldap_conn): return None -def test_regression_ticket2163(ldap_conn, simple_rfc2307): +def test_regression_ticket2163(ldap_conn, simple): ent.assert_passwd_by_name( 'usr\\001', dict(name='usr\\001', passwd='*', uid=181818, gid=181818, gecos='181818', shell='/bin/bash')) -def test_sanity_rfc2307(ldap_conn, sanity_rfc2307): +def test_sanity(ldap_conn, sanity): passwd_pattern = ent.contains_only( dict(name='user1', passwd='*', uid=1001, gid=2001, gecos='1001', dir='/home/user1', shell='/bin/bash'), dict(name='user2', passwd='*', uid=1002, gid=2002, gecos='1002', dir='/home/user2', shell='/bin/bash'), @@ -272,7 +272,7 @@ def test_sanity_rfc2307(ldap_conn, sanity_rfc2307): grp.getgrgid(1) -def test_sanity_rfc2307_bis(ldap_conn, sanity_rfc2307_bis): +def test_sanity_bis(ldap_conn, sanity_bis): passwd_pattern = ent.contains_only( dict(name='user1', passwd='*', uid=1001, gid=2001, gecos='1001', dir='/home/user1', shell='/bin/bash'), dict(name='user2', passwd='*', uid=1002, gid=2002, gecos='1002', dir='/home/user2', shell='/bin/bash'), diff --git a/src/tests/intg/test_memory_cache.py b/src/tests/intg/test_memory_cache.py index 76d85fd..1a98a53 100644 --- a/src/tests/intg/test_memory_cache.py +++ b/src/tests/intg/test_memory_cache.py @@ -131,7 +131,7 @@ def load_data_to_ldap(request, ldap_conn): @pytest.fixture -def sanity_rfc2307(request, ldap_conn): +def sanity(request, ldap_conn): load_data_to_ldap(request, ldap_conn) conf = unindent("""\ @@ -156,7 +156,7 @@ def sanity_rfc2307(request, ldap_conn): @pytest.fixture -def fqname_rfc2307(request, ldap_conn): +def fqname(request, ldap_conn): load_data_to_ldap(request, ldap_conn) conf = unindent("""\ @@ -182,7 +182,7 @@ def fqname_rfc2307(request, ldap_conn): @pytest.fixture -def fqname_case_insensitive_rfc2307(request, ldap_conn): +def fqname_case_insensitive(request, ldap_conn): load_data_to_ldap(request, ldap_conn) conf = unindent("""\ @@ -208,7 +208,7 @@ def fqname_case_insensitive_rfc2307(request, ldap_conn): return None -def test_getpwnam(ldap_conn, sanity_rfc2307): +def test_getpwnam(ldap_conn, sanity): ent.assert_passwd_by_name( 'user1', dict(name='user1', passwd='*', uid=1001, gid=2001, @@ -291,13 +291,13 @@ def test_getpwnam(ldap_conn, sanity_rfc2307): gecos='1023', shell='/bin/bash')) -def test_getpwnam_with_mc(ldap_conn, sanity_rfc2307): - test_getpwnam(ldap_conn, sanity_rfc2307) +def test_getpwnam_with_mc(ldap_conn, sanity): + test_getpwnam(ldap_conn, sanity) stop_sssd() - test_getpwnam(ldap_conn, sanity_rfc2307) + test_getpwnam(ldap_conn, sanity) -def test_getgrnam_simple(ldap_conn, sanity_rfc2307): +def test_getgrnam_simple(ldap_conn, sanity): ent.assert_group_by_name("group1", dict(name="group1", gid=2001)) ent.assert_group_by_gid(2001, dict(name="group1", gid=2001)) @@ -317,13 +317,13 @@ def test_getgrnam_simple(ldap_conn, sanity_rfc2307): ent.assert_group_by_gid(2020, dict(name="group2x", gid=2020)) -def test_getgrnam_simple_with_mc(ldap_conn, sanity_rfc2307): - test_getgrnam_simple(ldap_conn, sanity_rfc2307) +def test_getgrnam_simple_with_mc(ldap_conn, sanity): + test_getgrnam_simple(ldap_conn, sanity) stop_sssd() - test_getgrnam_simple(ldap_conn, sanity_rfc2307) + test_getgrnam_simple(ldap_conn, sanity) -def test_getgrnam_membership(ldap_conn, sanity_rfc2307): +def test_getgrnam_membership(ldap_conn, sanity): ent.assert_group_by_name( "group1", dict(mem=ent.contains_only("user1", "user11", "user21"))) @@ -367,10 +367,10 @@ def test_getgrnam_membership(ldap_conn, sanity_rfc2307): dict(mem=ent.contains_only("user21", "user22", "user23"))) -def test_getgrnam_membership_with_mc(ldap_conn, sanity_rfc2307): - test_getgrnam_membership(ldap_conn, sanity_rfc2307) +def test_getgrnam_membership_with_mc(ldap_conn, sanity): + test_getgrnam_membership(ldap_conn, sanity) stop_sssd() - test_getgrnam_membership(ldap_conn, sanity_rfc2307) + test_getgrnam_membership(ldap_conn, sanity) def assert_user_gids_equal(user, expected_gids): @@ -385,7 +385,7 @@ def assert_user_gids_equal(user, expected_gids): ) -def test_initgroups(ldap_conn, sanity_rfc2307): +def test_initgroups(ldap_conn, sanity): assert_user_gids_equal('user1', [2000, 2001]) assert_user_gids_equal('user2', [2000, 2002]) assert_user_gids_equal('user3', [2000, 2003]) @@ -399,13 +399,13 @@ def test_initgroups(ldap_conn, sanity_rfc2307): assert_user_gids_equal('user23', [2020, 2003]) -def test_initgroups_with_mc(ldap_conn, sanity_rfc2307): - test_initgroups(ldap_conn, sanity_rfc2307) +def test_initgroups_with_mc(ldap_conn, sanity): + test_initgroups(ldap_conn, sanity) stop_sssd() - test_initgroups(ldap_conn, sanity_rfc2307) + test_initgroups(ldap_conn, sanity) -def test_initgroups_fqname_with_mc(ldap_conn, fqname_rfc2307): +def test_initgroups_fqname_with_mc(ldap_conn, fqname): assert_user_gids_equal('user1@LDAP', [2000, 2001]) stop_sssd() assert_user_gids_equal('user1@LDAP', [2000, 2001]) @@ -447,7 +447,7 @@ def assert_stored_last_initgroups(user1_case1, user1_case2, user1_case_last, def test_initgroups_case_insensitive_with_mc1(ldap_conn, - fqname_case_insensitive_rfc2307): + fqname_case_insensitive): user1_case1 = 'User1@LDAP' user1_case2 = 'uSer1@LDAP' user1_case_last = 'usEr1@LDAP' @@ -459,7 +459,7 @@ def test_initgroups_case_insensitive_with_mc1(ldap_conn, def test_initgroups_case_insensitive_with_mc2(ldap_conn, - fqname_case_insensitive_rfc2307): + fqname_case_insensitive): user1_case1 = 'usEr1@LDAP' user1_case2 = 'User1@LDAP' user1_case_last = 'uSer1@LDAP' @@ -471,7 +471,7 @@ def test_initgroups_case_insensitive_with_mc2(ldap_conn, def test_initgroups_case_insensitive_with_mc3(ldap_conn, - fqname_case_insensitive_rfc2307): + fqname_case_insensitive): user1_case1 = 'uSer1@LDAP' user1_case2 = 'usEr1@LDAP' user1_case_last = 'User1@LDAP' @@ -510,7 +510,7 @@ def run_simple_test_with_initgroups(): assert_initgroups_equal("user1", 2001, [2000, 2001]) -def test_invalidation_of_gids_after_initgroups(ldap_conn, sanity_rfc2307): +def test_invalidation_of_gids_after_initgroups(ldap_conn, sanity): # the sssd cache was empty and not all user's group were # resolved with getgr{nm,gid}. Therefore there is a change in @@ -549,7 +549,7 @@ def test_invalidation_of_gids_after_initgroups(ldap_conn, sanity_rfc2307): grp.getgrgid(gid) -def test_initgroups_without_change_in_membership(ldap_conn, sanity_rfc2307): +def test_initgroups_without_change_in_membership(ldap_conn, sanity): # the sssd cache was empty and not all user's group were # resolved with getgr{nm,gid}. Therefore there is a change in @@ -615,7 +615,7 @@ def assert_missing_mc_records_for_user1(): "User user1, errno:%d" % err -def test_invalidate_user_before_stop(ldap_conn, sanity_rfc2307): +def test_invalidate_user_before_stop(ldap_conn, sanity): # initialize cache with full ID (res, errno, _) = sssd_id.get_user_groups("user1") assert res == sssd_id.NssReturnCode.SUCCESS, \ @@ -628,7 +628,7 @@ def test_invalidate_user_before_stop(ldap_conn, sanity_rfc2307): assert_missing_mc_records_for_user1() -def test_invalidate_user_after_stop(ldap_conn, sanity_rfc2307): +def test_invalidate_user_after_stop(ldap_conn, sanity): # initialize cache with full ID (res, errno, _) = sssd_id.get_user_groups("user1") assert res == sssd_id.NssReturnCode.SUCCESS, \ @@ -641,7 +641,7 @@ def test_invalidate_user_after_stop(ldap_conn, sanity_rfc2307): assert_missing_mc_records_for_user1() -def test_invalidate_users_before_stop(ldap_conn, sanity_rfc2307): +def test_invalidate_users_before_stop(ldap_conn, sanity): # initialize cache with full ID (res, errno, _) = sssd_id.get_user_groups("user1") assert res == sssd_id.NssReturnCode.SUCCESS, \ @@ -654,7 +654,7 @@ def test_invalidate_users_before_stop(ldap_conn, sanity_rfc2307): assert_missing_mc_records_for_user1() -def test_invalidate_users_after_stop(ldap_conn, sanity_rfc2307): +def test_invalidate_users_after_stop(ldap_conn, sanity): # initialize cache with full ID (res, errno, _) = sssd_id.get_user_groups("user1") assert res == sssd_id.NssReturnCode.SUCCESS, \ @@ -667,7 +667,7 @@ def test_invalidate_users_after_stop(ldap_conn, sanity_rfc2307): assert_missing_mc_records_for_user1() -def test_invalidate_group_before_stop(ldap_conn, sanity_rfc2307): +def test_invalidate_group_before_stop(ldap_conn, sanity): # initialize cache with full ID (res, errno, _) = sssd_id.get_user_groups("user1") assert res == sssd_id.NssReturnCode.SUCCESS, \ @@ -680,7 +680,7 @@ def test_invalidate_group_before_stop(ldap_conn, sanity_rfc2307): assert_missing_mc_records_for_user1() -def test_invalidate_group_after_stop(ldap_conn, sanity_rfc2307): +def test_invalidate_group_after_stop(ldap_conn, sanity): # initialize cache with full ID (res, errno, _) = sssd_id.get_user_groups("user1") assert res == sssd_id.NssReturnCode.SUCCESS, \ @@ -693,7 +693,7 @@ def test_invalidate_group_after_stop(ldap_conn, sanity_rfc2307): assert_missing_mc_records_for_user1() -def test_invalidate_groups_before_stop(ldap_conn, sanity_rfc2307): +def test_invalidate_groups_before_stop(ldap_conn, sanity): # initialize cache with full ID (res, errno, _) = sssd_id.get_user_groups("user1") assert res == sssd_id.NssReturnCode.SUCCESS, \ @@ -706,7 +706,7 @@ def test_invalidate_groups_before_stop(ldap_conn, sanity_rfc2307): assert_missing_mc_records_for_user1() -def test_invalidate_groups_after_stop(ldap_conn, sanity_rfc2307): +def test_invalidate_groups_after_stop(ldap_conn, sanity): # initialize cache with full ID (res, errno, _) = sssd_id.get_user_groups("user1") assert res == sssd_id.NssReturnCode.SUCCESS, \ @@ -719,7 +719,7 @@ def test_invalidate_groups_after_stop(ldap_conn, sanity_rfc2307): assert_missing_mc_records_for_user1() -def test_invalidate_everything_before_stop(ldap_conn, sanity_rfc2307): +def test_invalidate_everything_before_stop(ldap_conn, sanity): # initialize cache with full ID (res, errno, _) = sssd_id.get_user_groups("user1") assert res == sssd_id.NssReturnCode.SUCCESS, \ @@ -732,7 +732,7 @@ def test_invalidate_everything_before_stop(ldap_conn, sanity_rfc2307): assert_missing_mc_records_for_user1() -def test_invalidate_everything_after_stop(ldap_conn, sanity_rfc2307): +def test_invalidate_everything_after_stop(ldap_conn, sanity): # initialize cache with full ID (res, errno, _) = sssd_id.get_user_groups("user1") assert res == sssd_id.NssReturnCode.SUCCESS, \ -- 2.5.1

From 866570e06f449981891cdc39d5c67cb677654d8e Mon Sep 17 00:00:00 2001 From: Nikolai Kondrashov <Nikolai.Kondrashov(a)redhat.com&gt; Date: Mon, 28 Sep 2015 16:12:48 +0300 Subject: [PATCH 3/7] intg: Add support for specifying all user attrs Support passing all user attributes to ldap_ent.py's user-creation functions, in integration tests. --- src/tests/intg/ldap_ent.py | 26 ++++++++++++++++++-------- 1 file changed, 18 insertions(+), 8 deletions(-) diff --git a/src/tests/intg/ldap_ent.py b/src/tests/intg/ldap_ent.py index 30eed9d..0bac514 100644 --- a/src/tests/intg/ldap_ent.py +++ b/src/tests/intg/ldap_ent.py @@ -18,7 +18,7 @@ # -def user(base_dn, uid, uidNumber, gidNumber): +def user(base_dn, uid, uidNumber, gidNumber, **kwargs): """ Generate an RFC2307(bis) user add-modlist for passing to ldap.add* """ @@ -28,13 +28,23 @@ def user(base_dn, uid, uidNumber, gidNumber): "uid=" + uid + ",ou=Users," + base_dn, [ ('objectClass', ['top', 'inetOrgPerson', 'posixAccount']), - ('cn', [uidNumber]), - ('sn', ['User']), + ('cn', [kwargs['cn'] \ + if 'cn' in kwargs else \ + uidNumber]), + ('sn', [kwargs['sn'] \ + if 'sn' in kwargs else \ + 'User']), ('uidNumber', [uidNumber]), ('gidNumber', [gidNumber]), - ('userPassword', ['Password' + uidNumber]), - ('homeDirectory', ['/home/' + uid]), - ('loginShell', ['/bin/bash']), + ('userPassword', [kwargs['userPassword'] \ + if 'userPassword' in kwargs else \ + 'Password' + uidNumber]), + ('homeDirectory', [kwargs['homeDirectory'] \ + if 'homeDirectory' in kwargs else \ + '/home/' + uid]), + ('loginShell', [kwargs['loginShell'] \ + if 'loginShell' in kwargs else \ + '/bin/bash']), ] ) @@ -86,10 +96,10 @@ class List(list): self.base_dn = base_dn def add_user(self, uid, uidNumber, gidNumber, - base_dn=None): + base_dn=None, **kwargs): """Add an RFC2307(bis) user add-modlist.""" self.append(user(base_dn or self.base_dn, - uid, uidNumber, gidNumber)) + uid, uidNumber, gidNumber, **kwargs)) def add_group(self, cn, gidNumber, member_uids=[], base_dn=None): -- 2.5.1

From 496f11e16d2949f085f5cc1cf59bfa4fd80090bc Mon Sep 17 00:00:00 2001 From: Nikolai Kondrashov <Nikolai.Kondrashov(a)redhat.com&gt; Date: Tue, 29 Sep 2015 20:28:58 +0300 Subject: [PATCH 4/7] intg: Split LDAP test fixtures for flexibility Split ldap_test.py fixtures into several functions to allow for partial fixtures and direct use within tests. --- src/tests/intg/ldap_test.py | 113 ++++++++++++++++++++++++++++++++------------ 1 file changed, 83 insertions(+), 30 deletions(-) diff --git a/src/tests/intg/ldap_test.py b/src/tests/intg/ldap_test.py index e359ab4..d68a890 100644 --- a/src/tests/intg/ldap_test.py +++ b/src/tests/intg/ldap_test.py @@ -59,48 +59,101 @@ def ldap_conn(request, ds_inst): return ldap_conn -def create_ldap_fixture(request, ldap_conn, ent_list): - """Add LDAP entries and add teardown for removing them""" - for entry in ent_list: - ldap_conn.add_s(entry[0], entry[1]) - def teardown(): +def create_ldap_entries(ldap_conn, ent_list = None): + """Add LDAP entries from ent_list""" + if ent_list != None: + for entry in ent_list: + ldap_conn.add_s(entry[0], entry[1]) + + +def cleanup_ldap_entries(ldap_conn, ent_list = None): + """Remove LDAP entries added by create_ldap_entries""" + if ent_list == None: + for ou in ("Users", "Groups", "Netgroups", "Services", "Policies"): + for entry in ldap_conn.search_s("ou=" + ou + "," + + ldap_conn.ds_inst.base_dn, + ldap.SCOPE_ONELEVEL, + attrlist=[]): + ldap_conn.delete_s(entry[0]) + else: for entry in ent_list: ldap_conn.delete_s(entry[0]) - request.addfinalizer(teardown) -def create_conf_fixture(request, contents): - """Generate sssd.conf and add teardown for removing it""" +def create_ldap_cleanup(request, ldap_conn, ent_list = None): + """Add teardown for removing all user/group LDAP entries""" + request.addfinalizer(lambda: cleanup_ldap_entries(ldap_conn, ent_list)) + + +def create_ldap_fixture(request, ldap_conn, ent_list = None): + """Add LDAP entries and add teardown for removing them""" + create_ldap_entries(ldap_conn, ent_list) + create_ldap_cleanup(request, ldap_conn, ent_list) + + +def create_conf_file(contents): + """Create sssd.conf with specified contents""" conf = open(config.CONF_PATH, "w") conf.write(contents) conf.close() os.chmod(config.CONF_PATH, stat.S_IRUSR | stat.S_IWUSR) - request.addfinalizer(lambda: os.unlink(config.CONF_PATH)) -def create_sssd_fixture(request): - """Start sssd and add teardown for stopping it and removing state""" +def cleanup_conf_file(): + """Remove sssd.conf, if it exists""" + if os.path.lexists(config.CONF_PATH): + os.unlink(config.CONF_PATH) + + +def create_conf_cleanup(request): + """Add teardown for removing sssd.conf""" + request.addfinalizer(cleanup_conf_file) + + +def create_conf_fixture(request, contents): + """ + Create sssd.conf with specified contents and add teardown for removing it + """ + create_conf_file(contents) + create_conf_cleanup(request) + + +def create_sssd_process(): + """Start the SSSD process""" if subprocess.call(["sssd", "-D", "-f"]) != 0: raise Exception("sssd start failed") - def teardown(): - try: - pid_file = open(config.PIDFILE_PATH, "r") - pid = int(pid_file.read()) - os.kill(pid, signal.SIGTERM) - while True: - try: - os.kill(pid, signal.SIGCONT) - except: - break - time.sleep(1) - except: - pass - subprocess.call(["sss_cache", "-E"]) - for path in os.listdir(config.DB_PATH): - os.unlink(config.DB_PATH + "/" + path) - for path in os.listdir(config.MCACHE_PATH): - os.unlink(config.MCACHE_PATH + "/" + path) - request.addfinalizer(teardown) + + +def cleanup_sssd_process(): + """Stop the SSSD process and remove its state""" + try: + pid_file = open(config.PIDFILE_PATH, "r") + pid = int(pid_file.read()) + os.kill(pid, signal.SIGTERM) + while True: + try: + os.kill(pid, signal.SIGCONT) + except: + break + time.sleep(1) + except: + pass + subprocess.call(["sss_cache", "-E"]) + for path in os.listdir(config.DB_PATH): + os.unlink(config.DB_PATH + "/" + path) + for path in os.listdir(config.MCACHE_PATH): + os.unlink(config.MCACHE_PATH + "/" + path) + + +def create_sssd_cleanup(request): + """Add teardown for stopping SSSD and removing its state""" + request.addfinalizer(cleanup_sssd_process) + + +def create_sssd_fixture(request): + """Start SSSD and add teardown for stopping it and removing its state""" + create_sssd_process() + create_sssd_cleanup(request) @pytest.fixture -- 2.5.1

From f7b700da9e12b877cdb0d2eb24a3c0978c730ddb Mon Sep 17 00:00:00 2001 From: Nikolai Kondrashov <Nikolai.Kondrashov(a)redhat.com&gt; Date: Tue, 29 Sep 2015 20:46:06 +0300 Subject: [PATCH 5/7] intg: Reduce sssd.conf duplication in test_ldap.py Use a function to generate basic sssd.conf in test_ldap.py to reduce code duplication. --- src/tests/intg/ldap_test.py | 145 ++++++++++++++------------------------------ 1 file changed, 47 insertions(+), 98 deletions(-) diff --git a/src/tests/intg/ldap_test.py b/src/tests/intg/ldap_test.py index d68a890..a29f701 100644 --- a/src/tests/intg/ldap_test.py +++ b/src/tests/intg/ldap_test.py @@ -91,6 +91,42 @@ def create_ldap_fixture(request, ldap_conn, ent_list = None): create_ldap_cleanup(request, ldap_conn, ent_list) +def format_basic_conf(ldap_conn, bis, enum): + """Format a basic SSSD configuration""" + if bis: + schema_conf = unindent("""\ + ldap_schema = rfc2307bis + ldap_group_object_class = groupOfNames + """) + else: + schema_conf = unindent("""\ + ldap_schema = rfc2307 + """) + return unindent("""\ + [sssd] + debug_level = 0xffff + domains = LDAP + services = nss, pam + + [nss] + debug_level = 0xffff + memcache_timeout = 0 + + [pam] + debug_level = 0xffff + + [domain/LDAP] + ldap_auth_disable_tls_never_use_in_production = true + debug_level = 0xffff + enumerate = {enum} + {schema_conf} + id_provider = ldap + auth_provider = ldap + ldap_uri = {ldap_conn.ds_inst.ldap_url} + ldap_search_base = {ldap_conn.ds_inst.base_dn} + """).format(**locals()) + + def create_conf_file(contents): """Create sssd.conf with specified contents""" conf = open(config.CONF_PATH, "w") @@ -172,31 +208,7 @@ def sanity(request, ldap_conn): ent_list.add_group("two_user_group", 2012, ["user1", "user2"]) create_ldap_fixture(request, ldap_conn, ent_list) - conf = unindent("""\ - [sssd] - debug_level = 0xffff - domains = LDAP - services = nss, pam - - [nss] - debug_level = 0xffff - memcache_timeout = 0 - - [pam] - debug_level = 0xffff - - [domain/LDAP] - ldap_auth_disable_tls_never_use_in_production = true - debug_level = 0xffff - enumerate = true - ldap_schema = rfc2307 - id_provider = ldap - auth_provider = ldap - sudo_provider = ldap - ldap_uri = {ldap_conn.ds_inst.ldap_url} - ldap_search_base = {ldap_conn.ds_inst.base_dn} - """).format(**locals()) - create_conf_fixture(request, conf) + create_conf_fixture(request, format_basic_conf(ldap_conn, False, True)) create_sssd_fixture(request) return None @@ -206,28 +218,8 @@ def simple(request, ldap_conn): ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) ent_list.add_user('usr\\\\001', 181818, 181818) ent_list.add_group("group1", 181818) - create_ldap_fixture(request, ldap_conn, ent_list) - - conf = unindent("""\ - [sssd] - config_file_version = 2 - domains = LDAP - services = nss, pam - - [nss] - - [pam] - - [domain/LDAP] - ldap_auth_disable_tls_never_use_in_production = true - ldap_schema = rfc2307 - id_provider = ldap - auth_provider = ldap - ldap_uri = {ldap_conn.ds_inst.ldap_url} - ldap_search_base = {ldap_conn.ds_inst.base_dn} - """).format(**locals()) - create_conf_fixture(request, conf) + create_conf_fixture(request, format_basic_conf(ldap_conn, False, False)) create_sssd_fixture(request) return None @@ -260,33 +252,7 @@ def sanity_bis(request, ldap_conn): [], ["one_user_group1", "one_user_group2"]) create_ldap_fixture(request, ldap_conn, ent_list) - - conf = unindent("""\ - [sssd] - debug_level = 0xffff - domains = LDAP - services = nss, pam - - [nss] - debug_level = 0xffff - memcache_timeout = 0 - - [pam] - debug_level = 0xffff - - [domain/LDAP] - ldap_auth_disable_tls_never_use_in_production = true - debug_level = 0xffff - enumerate = true - ldap_schema = rfc2307bis - ldap_group_object_class = groupOfNames - id_provider = ldap - auth_provider = ldap - sudo_provider = ldap - ldap_uri = {ldap_conn.ds_inst.ldap_url} - ldap_search_base = {ldap_conn.ds_inst.base_dn} - """).format(**locals()) - create_conf_fixture(request, conf) + create_conf_fixture(request, format_basic_conf(ldap_conn, True, True)) create_sssd_fixture(request) return None @@ -370,31 +336,14 @@ def refresh_after_cleanup_task(request, ldap_conn): create_ldap_fixture(request, ldap_conn, ent_list) - conf = unindent("""\ - [sssd] - config_file_version = 2 - domains = LDAP - services = nss - - [nss] - memcache_timeout = 0 - - [domain/LDAP] - ldap_auth_disable_tls_never_use_in_production = true - debug_level = 0xffff - ldap_schema = rfc2307bis - ldap_group_object_class = groupOfNames - id_provider = ldap - auth_provider = ldap - sudo_provider = ldap - ldap_uri = {ldap_conn.ds_inst.ldap_url} - ldap_search_base = {ldap_conn.ds_inst.base_dn} - - entry_cache_user_timeout = 1 - entry_cache_group_timeout = 5000 - ldap_purge_cache_timeout = 3 - - """).format(**locals()) + conf = \ + format_basic_conf(ldap_conn, True, False) + \ + unindent(""" + [domain/LDAP] + entry_cache_user_timeout = 1 + entry_cache_group_timeout = 5000 + ldap_purge_cache_timeout = 3 + """).format(**locals()) create_conf_fixture(request, conf) create_sssd_fixture(request) return None -- 2.5.1

From e1feef5e13125301e0281de102f56b2301c5cc89 Mon Sep 17 00:00:00 2001 From: Nikolai Kondrashov <Nikolai.Kondrashov(a)redhat.com&gt; Date: Wed, 30 Sep 2015 14:13:22 +0300 Subject: [PATCH 6/7] intg: Fix RFC2307bis group member creation Fix creation of mixed user/group "member" attribute for RFC2307bis group entries in ldap_ent.py. --- src/tests/intg/ldap_ent.py | 21 +++++++-------------- 1 file changed, 7 insertions(+), 14 deletions(-) diff --git a/src/tests/intg/ldap_ent.py b/src/tests/intg/ldap_ent.py index 0bac514..1407349 100644 --- a/src/tests/intg/ldap_ent.py +++ b/src/tests/intg/ldap_ent.py @@ -72,20 +72,13 @@ def group_bis(base_dn, cn, gidNumber, member_uids=[], member_gids=[]): ('objectClass', ['top', 'extensibleObject', 'groupOfNames']), ('gidNumber', [gidNumber]) ] - if len(member_uids) > 0: - attr_list.append( - ('member', [ - "uid=" + uid + ",ou=Users," + base_dn for - uid in member_uids - ]) - ) - if len(member_gids) > 0: - attr_list.append( - ('member', [ - "cn=" + gid + ",ou=Groups," + base_dn for - gid in member_gids - ]) - ) + member_list = [] + for uid in member_uids: + member_list.append("uid=" + uid + ",ou=Users," + base_dn) + for gid in member_gids: + member_list.append("cn=" + gid + ",ou=Groups," + base_dn) + if len(member_list) > 0: + attr_list.append(('member', member_list)) return ("cn=" + cn + ",ou=Groups," + base_dn, attr_list) -- 2.5.1

From 72222b8fbc565de66874cfaa62ea0213ebf0f5a9 Mon Sep 17 00:00:00 2001 From: Nikolai Kondrashov <Nikolai.Kondrashov(a)redhat.com&gt; Date: Tue, 29 Sep 2015 21:18:18 +0300 Subject: [PATCH 7/7] intg: Add more LDAP tests Add a bunch of LDAP tests. * Adding/removing a user/group/membership with rfc2307(bis) schema. * Filtering users/groups with rfc2307(bis) schema. * The effect of override_homedir option. * The effect of fallback_homedir option. * The effect of override_shell option. * The effect of shell_fallback option. * The effect of default_shell option. * The effect of vetoed_shells option. --- src/tests/intg/ldap_test.py | 536 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 536 insertions(+) diff --git a/src/tests/intg/ldap_test.py b/src/tests/intg/ldap_test.py index a29f701..b20d648 100644 --- a/src/tests/intg/ldap_test.py +++ b/src/tests/intg/ldap_test.py @@ -127,6 +127,23 @@ def format_basic_conf(ldap_conn, bis, enum): """).format(**locals()) +def format_interactive_conf(ldap_conn, bis): + """Format an SSSD configuration with all caches refreshing in 4 seconds""" + return \ + format_basic_conf(ldap_conn, bis, True) + \ + unindent(""" + [nss] + memcache_timeout = 4 + enum_cache_timeout = 4 + entry_negative_timeout = 4 + + [domain/LDAP] + ldap_enumeration_refresh_timeout = 4 + ldap_purge_cache_timeout = 1 + entry_cache_timeout = 4 + """) + + def create_conf_file(contents): """Create sssd.conf with specified contents""" conf = open(config.CONF_PATH, "w") @@ -368,3 +385,522 @@ def test_refresh_after_cleanup_task(ldap_conn, refresh_after_cleanup_task): ent.assert_group_by_name( "group2", dict(mem=ent.contains_only("user1"))) + + +(a)pytest.fixture +def blank(request, ldap_conn): + """Create blank RFC2307 directory fixture with interactive SSSD conf""" + create_ldap_cleanup(request, ldap_conn) + create_conf_fixture(request, format_interactive_conf(ldap_conn, False)) + create_sssd_fixture(request) + + +(a)pytest.fixture +def blank_bis(request, ldap_conn): + """Create blank RFC2307bis directory fixture with interactive SSSD conf""" + create_ldap_cleanup(request, ldap_conn) + create_conf_fixture(request, format_interactive_conf(ldap_conn, True)) + create_sssd_fixture(request) + + +(a)pytest.fixture +def user_and_group(request, ldap_conn): + """ + Create an RFC2307 directory fixture with interactive SSSD conf, + one user and one group + """ + ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) + ent_list.add_user("user", 1001, 2000) + ent_list.add_group("group", 2001) + create_ldap_fixture(request, ldap_conn, ent_list) + create_conf_fixture(request, format_interactive_conf(ldap_conn, False)) + create_sssd_fixture(request) + return None + + +(a)pytest.fixture +def user_and_groups_bis(request, ldap_conn): + """ + Create an RFC2307bis directory fixture with interactive SSSD conf, + one user and two groups + """ + ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) + ent_list.add_user("user", 1001, 2000) + ent_list.add_group_bis("group1", 2001) + ent_list.add_group_bis("group2", 2002) + create_ldap_fixture(request, ldap_conn, ent_list) + create_conf_fixture(request, format_interactive_conf(ldap_conn, True)) + create_sssd_fixture(request) + return None + + +def test_add_remove_user(ldap_conn, blank): + """Test user addition and removal are reflected by SSSD""" + e = ldap_ent.user(ldap_conn.ds_inst.base_dn, "user", 1001, 2000) + time.sleep(2) + # Add the user + ent.assert_passwd(ent.contains_only()) + ldap_conn.add_s(*e) + ent.assert_passwd(ent.contains_only()) + time.sleep(4) + ent.assert_passwd(ent.contains_only(dict(name="user", uid=1001))) + # Remove the user + ldap_conn.delete_s(e[0]) + ent.assert_passwd(ent.contains_only(dict(name="user", uid=1001))) + time.sleep(4) + ent.assert_passwd(ent.contains_only()) + + +def test_add_remove_group(ldap_conn, blank): + """Test RFC2307 group addition and removal are reflected by SSSD""" + e = ldap_ent.group(ldap_conn.ds_inst.base_dn, "group", 2001) + time.sleep(2) + # Add the group + ent.assert_group(ent.contains_only()) + ldap_conn.add_s(*e) + ent.assert_group(ent.contains_only()) + time.sleep(4) + ent.assert_group(ent.contains_only(dict(name="group", gid=2001))) + # Remove the group + ldap_conn.delete_s(e[0]) + ent.assert_group(ent.contains_only(dict(name="group", gid=2001))) + time.sleep(4) + ent.assert_group(ent.contains_only()) + + +def test_add_remove_group_bis(ldap_conn, blank_bis): + """Test RFC2307bis group addition and removal are reflected by SSSD""" + e = ldap_ent.group_bis(ldap_conn.ds_inst.base_dn, "group", 2001) + time.sleep(2) + # Add the group + ent.assert_group(ent.contains_only()) + ldap_conn.add_s(*e) + ent.assert_group(ent.contains_only()) + time.sleep(4) + ent.assert_group(ent.contains_only(dict(name="group", gid=2001))) + # Remove the group + ldap_conn.delete_s(e[0]) + ent.assert_group(ent.contains_only(dict(name="group", gid=2001))) + time.sleep(4) + ent.assert_group(ent.contains_only()) + + +def test_add_remove_membership(ldap_conn, user_and_group): + """Test user membership addition and removal are reflected by SSSD""" + time.sleep(2) + # Add user to group + ent.assert_group_by_name("group", dict(mem = ent.contains_only())) + ldap_conn.modify_s("cn=group,ou=Groups," + ldap_conn.ds_inst.base_dn, + [(ldap.MOD_REPLACE, "memberUid", "user")]) + ent.assert_group_by_name("group", dict(mem = ent.contains_only())) + time.sleep(4) + ent.assert_group_by_name("group", dict(mem = ent.contains_only("user"))) + # Remove user from group + ldap_conn.modify_s("cn=group,ou=Groups," + ldap_conn.ds_inst.base_dn, + [(ldap.MOD_DELETE, "memberUid", None)]) + ent.assert_group_by_name("group", dict(mem = ent.contains_only("user"))) + time.sleep(4) + ent.assert_group_by_name("group", dict(mem = ent.contains_only())) + + +def test_add_remove_membership_bis(ldap_conn, user_and_groups_bis): + """ + Test user and group membership addition and removal are reflected by SSSD, + with RFC2307bis schema + """ + time.sleep(2) + # Add user to group1 + ent.assert_group_by_name("group1", dict(mem = ent.contains_only())) + ldap_conn.modify_s("cn=group1,ou=Groups," + ldap_conn.ds_inst.base_dn, + [(ldap.MOD_REPLACE, "member", + "uid=user,ou=Users," + ldap_conn.ds_inst.base_dn)]) + ent.assert_group_by_name("group1", dict(mem = ent.contains_only())) + time.sleep(4) + ent.assert_group_by_name("group1", dict(mem = ent.contains_only("user"))) + + # Add group1 to group2 + ldap_conn.modify_s("cn=group2,ou=Groups," + ldap_conn.ds_inst.base_dn, + [(ldap.MOD_REPLACE, "member", + "cn=group1,ou=Groups," + ldap_conn.ds_inst.base_dn)]) + ent.assert_group_by_name("group2", dict(mem = ent.contains_only())) + time.sleep(4) + ent.assert_group_by_name("group2", dict(mem = ent.contains_only("user"))) + + # Remove group1 from group2 + ldap_conn.modify_s("cn=group2,ou=Groups," + ldap_conn.ds_inst.base_dn, + [(ldap.MOD_DELETE, "member", None)]) + ent.assert_group_by_name("group2", dict(mem = ent.contains_only("user"))) + time.sleep(4) + ent.assert_group_by_name("group2", dict(mem = ent.contains_only())) + + # Remove user from group1 + ldap_conn.modify_s("cn=group1,ou=Groups," + ldap_conn.ds_inst.base_dn, + [(ldap.MOD_DELETE, "member", None)]) + ent.assert_group_by_name("group1", dict(mem = ent.contains_only("user"))) + time.sleep(4) + ent.assert_group_by_name("group1", dict(mem = ent.contains_only())) + + +(a)pytest.fixture +def blank(request, ldap_conn): + """Create blank RFC2307 directory fixture with interactive SSSD conf""" + create_ldap_cleanup(request, ldap_conn) + create_conf_fixture(request, format_interactive_conf(ldap_conn, False)) + create_sssd_fixture(request) + + +(a)pytest.fixture +def void_conf(request): + create_conf_cleanup(request) + + +(a)pytest.fixture +def void_sssd(request): + create_sssd_cleanup(request) + + +(a)pytest.fixture +def three_users_three_groups(request, ldap_conn): + ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) + ent_list.add_user("user1", 1001, 2001) + ent_list.add_user("user2", 1002, 2002) + ent_list.add_user("user3", 1003, 2003) + ent_list.add_group("group1", 2001, ["user1"]) + ent_list.add_group("group2", 2002, ["user2"]) + ent_list.add_group("group3", 2003, ["user3"]) + create_ldap_fixture(request, ldap_conn, ent_list) + + +def test_filter_users(request, ldap_conn, three_users_three_groups, + void_conf, void_sssd): + """Test the effect of the "filter_users" option""" + all_users = frozenset([1, 2, 3]) + for filter_users_in_groups in [False, True]: + for filter_users in [frozenset([]), + frozenset([1]), + frozenset([1, 2]), + frozenset([1, 2, 3])]: + unfiltered_users = all_users - filter_users + filter_users_str = ",".join(map(lambda i: "user" + str(i), + filter_users)) + + conf = \ + format_basic_conf(ldap_conn, False, True) + \ + unindent(""" + [nss] + filter_users = {filter_users_str} + filter_users_in_groups = {filter_users_in_groups} + """).format(**locals()) + create_conf_file(conf) + create_sssd_process() + ent.assert_passwd( + ent.contains_only( + *map( + lambda i: \ + dict(name = "user" + str(i), uid = 1000 + i), + unfiltered_users + ) + ) + ) + ent.assert_group( + ent.contains_only( + *map( + lambda i: \ + dict( + name = "group" + str(i), + gid = 2000 + i, + mem = ent.contains_only() \ + if filter_users_in_groups and \ + i in filter_users else \ + ent.contains_only("user" + str(i)) + ), + all_users + ) + ) + ) + cleanup_sssd_process() + cleanup_conf_file() + + +def test_filter_groups(request, ldap_conn, three_users_three_groups, + void_conf, void_sssd): + """Test the effect of the "filter_groups" option with RFC2307 groups""" + all_groups = frozenset([1, 2, 3]) + for filter_groups in [frozenset([]), + frozenset([1]), + frozenset([1, 2]), + frozenset([1, 2, 3])]: + unfiltered_groups = all_groups - filter_groups + filter_groups_str = ",".join(map(lambda i: "group" + str(i), + filter_groups)) + + conf = \ + format_basic_conf(ldap_conn, False, True) + \ + unindent(""" + [nss] + filter_groups = {filter_groups_str} + """).format(**locals()) + create_conf_file(conf) + create_sssd_process() + ent.assert_group( + ent.contains_only( + *map( + lambda i: \ + dict( + name = "group" + str(i), + gid = 2000 + i, + mem = ent.contains_only("user" + str(i)) + ), + unfiltered_groups + ) + ) + ) + cleanup_sssd_process() + cleanup_conf_file() + + +(a)pytest.fixture +def three_users_three_groups_bis(request, ldap_conn): + ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) + ent_list.add_user("user1", 1001, 2001) + ent_list.add_user("user2", 1002, 2002) + ent_list.add_user("user3", 1003, 2003) + ent_list.add_group_bis("group1", 2001, ["user1"]) + ent_list.add_group_bis("group2", 2002, ["user2"], ["group1"]) + ent_list.add_group_bis("group3", 2003, ["user3"], ["group2"]) + create_ldap_fixture(request, ldap_conn, ent_list) + + +def test_filter_groups_bis(request, ldap_conn, three_users_three_groups_bis, + void_conf, void_sssd): + """Test the effect of the "filter_groups" option with RFC2307bis groups""" + all_groups = frozenset([1, 2, 3]) + for filter_groups in [frozenset([]), + frozenset([1]), + frozenset([1, 2]), + frozenset([1, 2, 3])]: + unfiltered_groups = all_groups - filter_groups + filter_groups_str = ",".join(map(lambda i: "group" + str(i), + filter_groups)) + + conf = \ + format_basic_conf(ldap_conn, True, True) + \ + unindent(""" + [nss] + filter_groups = {filter_groups_str} + """).format(**locals()) + create_conf_file(conf) + create_sssd_process() + ent.assert_group( + ent.contains_only( + *map( + lambda i: \ + dict( + name = "group" + str(i), + gid = 2000 + i, + mem = ent.contains_only( + *map(lambda j: "user" + str(j), + range(1, i + 1))) + ), + unfiltered_groups + ) + ) + ) + cleanup_sssd_process() + cleanup_conf_file() + + +(a)pytest.fixture +def override_homedir(request, ldap_conn): + ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) + ent_list.add_user("user_with_homedir_A", 1001, 2001, + homeDirectory = "/home/A") + ent_list.add_user("user_with_homedir_B", 1002, 2002, + homeDirectory = "/home/B") + ent_list.add_user("user_with_empty_homedir", 1003, 2003, + homeDirectory = "") + create_ldap_fixture(request, ldap_conn, ent_list) + conf = \ + format_basic_conf(ldap_conn, False, True) + \ + unindent("""\ + [nss] + override_homedir = /home/B + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + + +def test_override_homedir(override_homedir): + """Test the effect of the "override_homedir" option""" + ent.assert_passwd( + ent.contains_only( + dict(name="user_with_homedir_A", uid=1001, dir="/home/B"), + dict(name="user_with_homedir_B", uid=1002, dir="/home/B"), + dict(name="user_with_empty_homedir", uid=1003, dir="/home/B") + ) + ) + + +(a)pytest.fixture +def fallback_homedir(request, ldap_conn): + ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) + ent_list.add_user("user_with_homedir_A", 1001, 2001, + homeDirectory = "/home/A") + ent_list.add_user("user_with_homedir_B", 1002, 2002, + homeDirectory = "/home/B") + ent_list.add_user("user_with_empty_homedir", 1003, 2003, + homeDirectory = "") + create_ldap_fixture(request, ldap_conn, ent_list) + conf = \ + format_basic_conf(ldap_conn, False, True) + \ + unindent("""\ + [nss] + fallback_homedir = /home/B + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + + +def test_fallback_homedir(fallback_homedir): + """Test the effect of the "fallback_homedir" option""" + ent.assert_passwd( + ent.contains_only( + dict(name="user_with_homedir_A", uid=1001, dir="/home/A"), + dict(name="user_with_homedir_B", uid=1002, dir="/home/B"), + dict(name="user_with_empty_homedir", uid=1003, dir="/home/B") + ) + ) + + +(a)pytest.fixture +def override_shell(request, ldap_conn): + ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) + ent_list.add_user("user_with_shell_A", 1001, 2001, + loginShell = "/bin/A") + ent_list.add_user("user_with_shell_B", 1002, 2002, + loginShell = "/bin/B") + ent_list.add_user("user_with_empty_shell", 1003, 2003, + loginShell = "") + create_ldap_fixture(request, ldap_conn, ent_list) + conf = \ + format_basic_conf(ldap_conn, False, True) + \ + unindent("""\ + [nss] + override_shell = /bin/B + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + + +def test_override_shell(override_shell): + """Test the effect of the "override_shell" option""" + ent.assert_passwd( + ent.contains_only( + dict(name="user_with_shell_A", uid=1001, shell="/bin/B"), + dict(name="user_with_shell_B", uid=1002, shell="/bin/B"), + dict(name="user_with_empty_shell", uid=1003, shell="/bin/B") + ) + ) + + +(a)pytest.fixture +def shell_fallback(request, ldap_conn): + ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) + ent_list.add_user("user_with_sh_shell", 1001, 2001, + loginShell = "/bin/sh") + ent_list.add_user("user_with_not_installed_shell", 1002, 2002, + loginShell = "/bin/not_installed") + ent_list.add_user("user_with_empty_shell", 1003, 2003, + loginShell = "") + create_ldap_fixture(request, ldap_conn, ent_list) + conf = \ + format_basic_conf(ldap_conn, False, True) + \ + unindent("""\ + [nss] + shell_fallback = /bin/fallback + allowed_shells = /bin/not_installed + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + + +def test_shell_fallback(shell_fallback): + """Test the effect of the "shell_fallback" option""" + ent.assert_passwd( + ent.contains_only( + dict(name="user_with_sh_shell", uid=1001, shell="/bin/sh"), + dict(name="user_with_not_installed_shell", uid=1002, + shell="/bin/fallback"), + dict(name="user_with_empty_shell", uid=1003, shell="") + ) + ) + + +(a)pytest.fixture +def default_shell(request, ldap_conn): + ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) + ent_list.add_user("user_with_sh_shell", 1001, 2001, + loginShell = "/bin/sh") + ent_list.add_user("user_with_not_installed_shell", 1002, 2002, + loginShell = "/bin/not_installed") + ent_list.add_user("user_with_empty_shell", 1003, 2003, + loginShell = "") + create_ldap_fixture(request, ldap_conn, ent_list) + conf = \ + format_basic_conf(ldap_conn, False, True) + \ + unindent("""\ + [nss] + default_shell = /bin/default + allowed_shells = /bin/default, /bin/not_installed + shell_fallback = /bin/fallback + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + + +def test_default_shell(default_shell): + """Test the effect of the "default_shell" option""" + ent.assert_passwd( + ent.contains_only( + dict(name="user_with_sh_shell", uid=1001, shell="/bin/sh"), + dict(name="user_with_not_installed_shell", uid=1002, + shell="/bin/fallback"), + dict(name="user_with_empty_shell", uid=1003, + shell="/bin/default") + ) + ) + + +(a)pytest.fixture +def vetoed_shells(request, ldap_conn): + ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) + ent_list.add_user("user_with_sh_shell", 1001, 2001, + loginShell = "/bin/sh") + ent_list.add_user("user_with_vetoed_shell", 1002, 2002, + loginShell = "/bin/vetoed") + ent_list.add_user("user_with_empty_shell", 1003, 2003, + loginShell = "") + create_ldap_fixture(request, ldap_conn, ent_list) + conf = \ + format_basic_conf(ldap_conn, False, True) + \ + unindent("""\ + [nss] + default_shell = /bin/default + vetoed_shells = /bin/vetoed + shell_fallback = /bin/fallback + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + + +def test_vetoed_shells(vetoed_shells): + """Test the effect of the "vetoed_shells" option""" + ent.assert_passwd( + ent.contains_only( + dict(name="user_with_sh_shell", uid=1001, shell="/bin/sh"), + dict(name="user_with_vetoed_shell", uid=1002, + shell="/bin/fallback"), + dict(name="user_with_empty_shell", uid=1003, + shell="/bin/default") + ) + ) -- 2.5.1

____________________________________________________________________________________________________________________________________________________ test_getpwnam_with_mc ____________________________________________________________________________________________________________________________________________________ Traceback (most recent call last): File "/home/nkondras/projects/fedorahosted.org/sssd/src/tests/intg/test_memory_cache.py", line 297, in test_getpwnam_with_mc test_getpwnam(ldap_conn, sanity_rfc2307) File "/home/nkondras/projects/fedorahosted.org/sssd/src/tests/intg/test_memory_cache.py", line 215, in test_getpwnam gecos='1001', shell='/bin/bash')) File "/home/nkondras/projects/fedorahosted.org/sssd/src/tests/intg/ent.py", line 218, in assert_passwd_by_name assert False, err AssertionError: 'getpwnam(): name not found: user1' ________________________________________________________________________________________________________________________________________________ test_getgrnam_simple_with_mc _________________________________________________________________________________________________________________________________________________ Traceback (most recent call last): File "/home/nkondras/projects/fedorahosted.org/sssd/src/tests/intg/test_memory_cache.py", line 323, in test_getgrnam_simple_with_mc test_getgrnam_simple(ldap_conn, sanity_rfc2307) File "/home/nkondras/projects/fedorahosted.org/sssd/src/tests/intg/test_memory_cache.py", line 301, in test_getgrnam_simple ent.assert_group_by_name("group1", dict(name="group1", gid=2001)) File "/home/nkondras/projects/fedorahosted.org/sssd/src/tests/intg/ent.py", line 378, in assert_group_by_name assert False, err AssertionError: 'getgrnam(): name not found: group1' ______________________________________________________________________________________________________________________________________________ test_getgrnam_membership_with_mc _______________________________________________________________________________________________________________________________________________ Traceback (most recent call last): File "/home/nkondras/projects/fedorahosted.org/sssd/src/tests/intg/test_memory_cache.py", line 373, in test_getgrnam_membership_with_mc test_getgrnam_membership(ldap_conn, sanity_rfc2307) File "/home/nkondras/projects/fedorahosted.org/sssd/src/tests/intg/test_memory_cache.py", line 329, in test_getgrnam_membership dict(mem=ent.contains_only("user1", "user11", "user21"))) File "/home/nkondras/projects/fedorahosted.org/sssd/src/tests/intg/ent.py", line 378, in assert_group_by_name assert False, err AssertionError: 'getgrnam(): name not found: group1' ___________________________________________________________________________________________________________________________________________________ test_initgroups_with_mc ___________________________________________________________________________________________________________________________________________________ Traceback (most recent call last): File "/home/nkondras/projects/fedorahosted.org/sssd/src/tests/intg/test_memory_cache.py", line 405, in test_initgroups_with_mc test_initgroups(ldap_conn, sanity_rfc2307) File "/home/nkondras/projects/fedorahosted.org/sssd/src/tests/intg/test_memory_cache.py", line 389, in test_initgroups assert_user_gids_equal('user1', [2000, 2001]) File "/home/nkondras/projects/fedorahosted.org/sssd/src/tests/intg/test_memory_cache.py", line 377, in assert_user_gids_equal (res, errno, gids) = sssd_id.get_user_gids(user) File "/home/nkondras/projects/fedorahosted.org/sssd/src/tests/intg/sssd_id.py", line 91, in get_user_gids pwd_user = pwd.getpwnam(user) KeyError: 'getpwnam(): name not found: user1' _______________________________________________________________________________________________________________________________________________ test_initgroups_fqname_with_mc ________________________________________________________________________________________________________________________________________________ Traceback (most recent call last): File "/home/nkondras/projects/fedorahosted.org/sssd/src/tests/intg/test_memory_cache.py", line 411, in test_initgroups_fqname_with_mc assert_user_gids_equal('user1@LDAP', [2000, 2001]) File "/home/nkondras/projects/fedorahosted.org/sssd/src/tests/intg/test_memory_cache.py", line 377, in assert_user_gids_equal (res, errno, gids) = sssd_id.get_user_gids(user) File "/home/nkondras/projects/fedorahosted.org/sssd/src/tests/intg/sssd_id.py", line 91, in get_user_gids pwd_user = pwd.getpwnam(user) KeyError: 'getpwnam(): name not found: user1@LDAP' _________________________________________________________________________________________________________________________________________ test_invalidation_of_gids_after_initgroups __________________________________________________________________________________________________________________________________________ Traceback (most recent call last): File "/home/nkondras/projects/fedorahosted.org/sssd/src/tests/intg/test_memory_cache.py", line 526, in test_invalidation_of_gids_after_initgroups gecos='1001', shell='/bin/bash')) File "/home/nkondras/projects/fedorahosted.org/sssd/src/tests/intg/ent.py", line 218, in assert_passwd_by_name assert False, err AssertionError: 'getpwnam(): name not found: user1' ________________________________________________________________________________________________________________________________________ test_initgroups_without_change_in_membership _________________________________________________________________________________________________________________________________________ Traceback (most recent call last): File "/home/nkondras/projects/fedorahosted.org/sssd/src/tests/intg/test_memory_cache.py", line 570, in test_initgroups_without_change_in_membership run_simple_test_with_initgroups() File "/home/nkondras/projects/fedorahosted.org/sssd/src/tests/intg/test_memory_cache.py", line 489, in run_simple_test_with_initgroups gecos='1001', shell='/bin/bash')) File "/home/nkondras/projects/fedorahosted.org/sssd/src/tests/intg/ent.py", line 218, in assert_passwd_by_name assert False, err AssertionError: 'getpwnam(): name not found: user1'

_______________________________________________ sssd-devel mailing list sssd-devel(a)lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-devel

0002-intg-Add-more-LDAP-tests.patch From a2c75e045f8f341402a5c771489b462f18e27a39 Mon Sep 17 00:00:00 2001 From: Nikolai Kondrashov&lt;Nikolai.Kondrashov(a)redhat.com&gt; Date: Tue, 29 Sep 2015 21:18:18 +0300 Subject: [PATCH 2/3] intg: Add more LDAP tests Add a bunch of LDAP tests. * Adding/removing a user/group/membership with rfc2307(bis) schema. * Filtering users/groups with rfc2307(bis) schema. * The effect of override_homedir option. * The effect of fallback_homedir option. * The effect of override_shell option. * The effect of shell_fallback option. * The effect of default_shell option. * The effect of vetoed_shells option. --- src/tests/intg/ldap_test.py | 534 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 534 insertions(+) diff --git a/src/tests/intg/ldap_test.py b/src/tests/intg/ldap_test.py index 6a09b37..cca9431 100644 --- a/src/tests/intg/ldap_test.py +++ b/src/tests/intg/ldap_test.py @@ -125,6 +125,23 @@ def format_basic_conf(ldap_conn, schema, enum): """).format(**locals()) +def format_interactive_conf(ldap_conn, schema): + """Format an SSSD configuration with all caches refreshing in 4 seconds""" + return \ + format_basic_conf(ldap_conn, schema, enum=True) + \ + unindent(""" + [nss] + memcache_timeout = 4

+ enum_cache_timeout = 4 + entry_negative_timeout = 4

+ + [domain/LDAP] + ldap_enumeration_refresh_timeout = 4 + ldap_purge_cache_timeout = 1 + entry_cache_timeout = 4 + """) + + def create_conf_file(contents): """Create sssd.conf with specified contents""" conf = open(config.CONF_PATH, "w") @@ -387,3 +404,520 @@ def test_refresh_after_cleanup_task(ldap_conn, refresh_after_cleanup_task): ent.assert_group_by_name( "group2", dict(mem=ent.contains_only("user1"))) + + +(a)pytest.fixture +def blank_rfc2307(request, ldap_conn): + """Create blank RFC2307 directory fixture with interactive SSSD conf""" + create_ldap_cleanup(request, ldap_conn) + create_conf_fixture(request, + format_interactive_conf(ldap_conn, SCHEMA_RFC2307)) + create_sssd_fixture(request) + + +(a)pytest.fixture +def blank_rfc2307_bis(request, ldap_conn): + """Create blank RFC2307bis directory fixture with interactive SSSD conf""" + create_ldap_cleanup(request, ldap_conn) + create_conf_fixture(request, + format_interactive_conf(ldap_conn, SCHEMA_RFC2307_BIS)) + create_sssd_fixture(request) + + +(a)pytest.fixture +def user_and_group_rfc2307(request, ldap_conn): + """ + Create an RFC2307 directory fixture with interactive SSSD conf, + one user and one group + """ + ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) + ent_list.add_user("user", 1001, 2000) + ent_list.add_group("group", 2001) + create_ldap_fixture(request, ldap_conn, ent_list) + create_conf_fixture(request, + format_interactive_conf(ldap_conn, SCHEMA_RFC2307)) + create_sssd_fixture(request) + return None + + +(a)pytest.fixture +def user_and_groups_rfc2307_bis(request, ldap_conn): + """ + Create an RFC2307bis directory fixture with interactive SSSD conf, + one user and two groups + """ + ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) + ent_list.add_user("user", 1001, 2000) + ent_list.add_group_bis("group1", 2001) + ent_list.add_group_bis("group2", 2002) + create_ldap_fixture(request, ldap_conn, ent_list) + create_conf_fixture(request, + format_interactive_conf(ldap_conn, SCHEMA_RFC2307_BIS)) + create_sssd_fixture(request) + return None + + +def test_add_remove_user(ldap_conn, blank_rfc2307): + """Test user addition and removal are reflected by SSSD""" + e = ldap_ent.user(ldap_conn.ds_inst.base_dn, "user", 1001, 2000) + time.sleep(2)

+ # Add the user + ent.assert_passwd(ent.contains_only()) + ldap_conn.add_s(*e) + ent.assert_passwd(ent.contains_only())

+ time.sleep(4)

+ time.sleep(4)

+ time.sleep(4)

+ time.sleep(4)

+ time.sleep(4)

+ time.sleep(4)

+ time.sleep(4)

+ time.sleep(4)

+ time.sleep(4)

+ time.sleep(4)

+ time.sleep(4)

+ time.sleep(4)

+ """).format(**locals()) + create_conf_file(conf) + create_sssd_process() + ent.assert_passwd( + ent.contains_only( + *map( + lambda i: + dict(name="user" + str(i), uid=1000 + i), + unfiltered_users + ) + ) + ) + ent.assert_group( + ent.contains_only( + *map( + lambda i: + dict( + name="group" + str(i), + gid=2000 + i, + mem=ent.contains_only() + if filter_users_in_groups and i in filter_users + else ent.contains_only("user" + str(i)) + ), + all_users + ) + ) + ) + cleanup_sssd_process() + cleanup_conf_file() + + +def test_filter_groups_rfc2307(request, ldap_conn, + three_users_three_groups_rfc2307, + void_conf, void_sssd): + """Test the effect of the "filter_groups" option with RFC2307 groups""" + all_groups = frozenset([1, 2, 3]) + for filter_groups in [frozenset([]), + frozenset([1]), + frozenset([1, 2]), + frozenset([1, 2, 3])]: + unfiltered_groups = all_groups - filter_groups + filter_groups_str = ",".join(map(lambda i: "group" + str(i), + filter_groups)) + + conf = \ + format_basic_conf(ldap_conn, SCHEMA_RFC2307, enum=True) + \ + unindent(""" + [nss] + filter_groups = {filter_groups_str}

+ """).format(**locals()) + create_conf_file(conf) + create_sssd_process() + ent.assert_group( + ent.contains_only( + *map( + lambda i: + dict( + name="group" + str(i), + gid=2000 + i, + mem=ent.contains_only("user" + str(i)) + ), + unfiltered_groups + ) + ) + ) + cleanup_sssd_process() + cleanup_conf_file() + + +(a)pytest.fixture +def three_users_three_groups_rfc2307_bis(request, ldap_conn): + ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) + ent_list.add_user("user1", 1001, 2001) + ent_list.add_user("user2", 1002, 2002) + ent_list.add_user("user3", 1003, 2003) + ent_list.add_group_bis("group1", 2001, ["user1"]) + ent_list.add_group_bis("group2", 2002, ["user2"], ["group1"]) + ent_list.add_group_bis("group3", 2003, ["user3"], ["group2"]) + create_ldap_fixture(request, ldap_conn, ent_list) + + +def test_filter_groups_rfc2307_bis(request, ldap_conn, + three_users_three_groups_rfc2307_bis, + void_conf, void_sssd): + """Test the effect of the "filter_groups" option with RFC2307bis groups""" + all_groups = frozenset([1, 2, 3]) + for filter_groups in [frozenset([]), + frozenset([1]), + frozenset([1, 2]), + frozenset([1, 2, 3])]: + unfiltered_groups = all_groups - filter_groups + filter_groups_str = ",".join(map(lambda i: "group" + str(i), + filter_groups)) + + conf = \ + format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS, enum=True) + \ + unindent(""" + [nss] + filter_groups = {filter_groups_str}

+ """).format(**locals()) + create_conf_file(conf) + create_sssd_process() + ent.assert_group( + ent.contains_only( + *map( + lambda i: + dict( + name="group" + str(i), + gid=2000 + i, + mem=ent.contains_only( + *map(lambda j: "user" + str(j), + range(1, i + 1))) + ), + unfiltered_groups + ) + ) + ) + cleanup_sssd_process() + cleanup_conf_file() + + +(a)pytest.fixture +def override_homedir(request, ldap_conn): + ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) + ent_list.add_user("user_with_homedir_A", 1001, 2001, + homeDirectory="/home/A") + ent_list.add_user("user_with_homedir_B", 1002, 2002, + homeDirectory="/home/B") + ent_list.add_user("user_with_empty_homedir", 1003, 2003, + homeDirectory="") + create_ldap_fixture(request, ldap_conn, ent_list) + conf = \ + format_basic_conf(ldap_conn, SCHEMA_RFC2307, enum=True) + \ + unindent("""\ + [nss] + override_homedir = /home/B + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + + +def test_override_homedir(override_homedir): + """Test the effect of the "override_homedir" option""" + ent.assert_passwd( + ent.contains_only( + dict(name="user_with_homedir_A", uid=1001, dir="/home/B"), + dict(name="user_with_homedir_B", uid=1002, dir="/home/B"), + dict(name="user_with_empty_homedir", uid=1003, dir="/home/B") + ) + ) + + +(a)pytest.fixture +def fallback_homedir(request, ldap_conn): + ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) + ent_list.add_user("user_with_homedir_A", 1001, 2001, + homeDirectory="/home/A") + ent_list.add_user("user_with_homedir_B", 1002, 2002, + homeDirectory="/home/B") + ent_list.add_user("user_with_empty_homedir", 1003, 2003, + homeDirectory="") + create_ldap_fixture(request, ldap_conn, ent_list) + conf = \ + format_basic_conf(ldap_conn, SCHEMA_RFC2307, enum=True) + \ + unindent("""\ + [nss] + fallback_homedir = /home/B + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + + +def test_fallback_homedir(fallback_homedir): + """Test the effect of the "fallback_homedir" option""" + ent.assert_passwd( + ent.contains_only( + dict(name="user_with_homedir_A", uid=1001, dir="/home/A"), + dict(name="user_with_homedir_B", uid=1002, dir="/home/B"), + dict(name="user_with_empty_homedir", uid=1003, dir="/home/B") + ) + ) + + +(a)pytest.fixture +def override_shell(request, ldap_conn): + ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) + ent_list.add_user("user_with_shell_A", 1001, 2001, + loginShell="/bin/A") + ent_list.add_user("user_with_shell_B", 1002, 2002, + loginShell="/bin/B") + ent_list.add_user("user_with_empty_shell", 1003, 2003, + loginShell="") + create_ldap_fixture(request, ldap_conn, ent_list) + conf = \ + format_basic_conf(ldap_conn, SCHEMA_RFC2307, enum=True) + \ + unindent("""\ + [nss] + override_shell = /bin/B + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + + +def test_override_shell(override_shell): + """Test the effect of the "override_shell" option""" + ent.assert_passwd( + ent.contains_only( + dict(name="user_with_shell_A", uid=1001, shell="/bin/B"), + dict(name="user_with_shell_B", uid=1002, shell="/bin/B"), + dict(name="user_with_empty_shell", uid=1003, shell="/bin/B") + ) + ) + + +(a)pytest.fixture +def shell_fallback(request, ldap_conn): + ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) + ent_list.add_user("user_with_sh_shell", 1001, 2001, + loginShell="/bin/sh") + ent_list.add_user("user_with_not_installed_shell", 1002, 2002, + loginShell="/bin/not_installed") + ent_list.add_user("user_with_empty_shell", 1003, 2003, + loginShell="") + create_ldap_fixture(request, ldap_conn, ent_list) + conf = \ + format_basic_conf(ldap_conn, SCHEMA_RFC2307, enum=True) + \ + unindent("""\ + [nss] + shell_fallback = /bin/fallback + allowed_shells = /bin/not_installed + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + + +def test_shell_fallback(shell_fallback): + """Test the effect of the "shell_fallback" option""" + ent.assert_passwd( + ent.contains_only( + dict(name="user_with_sh_shell", uid=1001, shell="/bin/sh"), + dict(name="user_with_not_installed_shell", uid=1002, + shell="/bin/fallback"), + dict(name="user_with_empty_shell", uid=1003, shell="") + ) + ) + + +(a)pytest.fixture +def default_shell(request, ldap_conn): + ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) + ent_list.add_user("user_with_sh_shell", 1001, 2001, + loginShell="/bin/sh") + ent_list.add_user("user_with_not_installed_shell", 1002, 2002, + loginShell="/bin/not_installed") + ent_list.add_user("user_with_empty_shell", 1003, 2003, + loginShell="") + create_ldap_fixture(request, ldap_conn, ent_list) + conf = \ + format_basic_conf(ldap_conn, SCHEMA_RFC2307, enum=True) + \ + unindent("""\ + [nss] + default_shell = /bin/default + allowed_shells = /bin/default, /bin/not_installed + shell_fallback = /bin/fallback + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + + +def test_default_shell(default_shell): + """Test the effect of the "default_shell" option""" + ent.assert_passwd( + ent.contains_only( + dict(name="user_with_sh_shell", uid=1001, shell="/bin/sh"), + dict(name="user_with_not_installed_shell", uid=1002, + shell="/bin/fallback"), + dict(name="user_with_empty_shell", uid=1003, + shell="/bin/default") + ) + ) + + +(a)pytest.fixture +def vetoed_shells(request, ldap_conn): + ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) + ent_list.add_user("user_with_sh_shell", 1001, 2001, + loginShell="/bin/sh") + ent_list.add_user("user_with_vetoed_shell", 1002, 2002, + loginShell="/bin/vetoed") + ent_list.add_user("user_with_empty_shell", 1003, 2003, + loginShell="") + create_ldap_fixture(request, ldap_conn, ent_list) + conf = \ + format_basic_conf(ldap_conn, SCHEMA_RFC2307, enum=True) + \ + unindent("""\ + [nss] + default_shell = /bin/default + vetoed_shells = /bin/vetoed + shell_fallback = /bin/fallback + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + + +def test_vetoed_shells(vetoed_shells): + """Test the effect of the "vetoed_shells" option""" + ent.assert_passwd( + ent.contains_only( + dict(name="user_with_sh_shell", uid=1001, shell="/bin/sh"), + dict(name="user_with_vetoed_shell", uid=1002, + shell="/bin/fallback"), + dict(name="user_with_empty_shell", uid=1003, + shell="/bin/default") + ) + ) -- 2.6.1 0003-intg-Add-a-memcache-invalidation-failure-test.patch From 2c13856c9f650503b8eeb2d4446469548728804b Mon Sep 17 00:00:00 2001 From: Nikolai Kondrashov&lt;Nikolai.Kondrashov(a)redhat.com&gt; Date: Mon, 12 Oct 2015 16:17:46 +0300 Subject: [PATCH 3/3] intg: Add a memcache invalidation failure test Add a memcache invalidation failure integration test. It fails as is, and passes if ldap_enumeration_refresh_timeout in the first half is set to e.g. 30. The sss_nss_check_header function was observed to always return 0 for the second half of the test, when it was failing.

+ time.sleep(4)

+ time.sleep(4)

Hi Michal, Thanks a lot for the detailed review and testing! Please see my comments below. On 10/23/2015 02:54 PM, Michal Židek wrote: > Hi! > > There is one new pep8 error in the code: > ../src/tests/intg/ldap_test.py:819:37: E126 continuation line > over-indented for hanging indent Sure, will fix it. > For the memcache workaroud please do this change in the > code: > diff --git a/src/tests/intg/ldap_test.py b/src/tests/intg/ldap_test.py > index 8263d88..eb466ab 100644 > --- a/src/tests/intg/ldap_test.py > +++ b/src/tests/intg/ldap_test.py > @@ -194,8 +194,10 @@ def cleanup_sssd_process(): > subprocess.call(["sss_cache", "-E"]) > for path in os.listdir(config.DB_PATH): > os.unlink(config.DB_PATH + "/" + path) > - for path in os.listdir(config.MCACHE_PATH): > - os.unlink(config.MCACHE_PATH + "/" + path) > + # FIXME: Uncomment this when ticket #2726 is solved > + # https://fedorahosted.org/sssd/ticket/2726 > + # for path in os.listdir(config.MCACHE_PATH): > + # os.unlink(config.MCACHE_PATH + "/" + path) >> +def format_interactive_conf(ldap_conn, schema): >> + """Format an SSSD configuration with all caches refreshing in 4 >> seconds""" >> + return \ >> + format_basic_conf(ldap_conn, schema, enum=True) + \ >> + unindent(""" >> + [nss] >> + memcache_timeout = 4 > > It is better to set memcache timeout to zero outside tests > that are not dedicated to memcache. This will also probably > solve the membership tests failure that you saw when using the > workaround for the memcache tests failure. Hmm, perhaps. However, could you please explain why the membership tests fail? I noticed that they also fail if I simply don't run the group addition/removal tests before them, in addition to enabling the workaround. Also, they work if I put "run_shell" before each "assert" and immediately exit the spawned shells even without doing anything in them.

>> + enum_cache_timeout = 4 >> + entry_negative_timeout = 4 > > I would set negative cache timeout to zero as well, > see comments below. Replying below. >> +def test_add_remove_user(ldap_conn, blank_rfc2307): >> + """Test user addition and removal are reflected by SSSD""" >> + e = ldap_ent.user(ldap_conn.ds_inst.base_dn, "user", 1001, 2000) >> + time.sleep(2) > > What is the purpose of this timeout? It does not seem to be > necessary. You use it in all the other tests as well, so > I guess it had some meaning (but I tried to remove them and > tests passed for me without problems). This puts test actions and tests in the middle of the 4 second cache timeouts, so they are more reliable and time drift doesn't affect them that much. E.g.: 0 - sssd start 1 - 2 - add user, check it's not yet present 3 - 4 - cache expiry/purging 5 - 6 - check user added 7 - 8 - cache expiry/purging etc. IIRC, I got 400+ perfect runs before the first failure occurred with this - better than other schemes.

>> + # Add the user >> + ent.assert_passwd(ent.contains_only()) >> + ldap_conn.add_s(*e) >> + ent.assert_passwd(ent.contains_only()) > > I would avoid testing the negative cache outside tests > that are dedicated to negative cache. We had this same > pattern in our C code tests and it timed out when CI > was under heavy load. We can add dedicated tests > for negative cache in CI later with big enough timeout > to pass even under heavy load CI. > > So please, remove the negative cache testing from everywhere > in these tests. I'm OK with minimizing the tests and not exercising some caching mechanisms. I understand it will make tests more reliable. However, my intention was to test the full end-user functionality, what actually matters to users. Users don't really care about caches, they just want everything work fast and reliably. They just want their LDAP changes propagated. For that matter I only touch cache timeouts to make tests run in reasonable time. I don't disable them, because users will probably have them enabled as well. We can test all the cache mechanisms separately, but we will still have to test them working together. Can we do that? Can we have these particular tests do that? Or is it too hard/impossible? If we can do that, how would you like to see them? If not, I'll just disable memory cache and remove negative cache testing as you request. Or do I misunderstand the idea behind this?

>> + time.sleep(4) > > Instead of the number 4, could you use some global constant. You > could use the constant to generate the "interactive" config > file as well. If we later see some timeout issues related to > this, we can change it on one place. Yes, good idea, thank you. > Also I think that this > particular timeout will not be necessary if we stop testing the > negative cache, which will speed up the tests. OK, if we decide to disable negative tests, then I'll see if I can speed it up. >> + conf = \ >> + format_basic_conf(ldap_conn, SCHEMA_RFC2307, >> enum=True) + \ >> + unindent(""" >> + [nss] >> + filter_users = {filter_users_str} >> + filter_users_in_groups = {filter_users_in_groups} > > Instead of generating the conf files in nested for loops, it would be > better to split the test to multiple smaller tests where each has > different config file fixture (instad of void_conf and void_sssd). > This may seem like code duplication, but I believe it will result in > better readable code. I would really like to do that, but the problem is we will either need to copy-paste a ton of tests and fixtures, or use py.test's convoluted means of sharing parameters between fixtures and tests which will produce much more complicated code that this. At least this is my impression after researching that. Do you have any particular design for this in mind?

>> + conf = \ >> + format_basic_conf(ldap_conn, SCHEMA_RFC2307, enum=True) + \ >> + unindent(""" >> + [nss] >> + filter_groups = {filter_groups_str} > > Same as above, please do not generate the conf file inside the test, but > split it to multiple tests. Please see my comment right above. >> + conf = \ >> + format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS, >> enum=True) + \ >> + unindent(""" >> + [nss] >> + filter_groups = {filter_groups_str} > > The same thing as above. > Please see my comment above. >> Add a memcache invalidation failure integration test. It fails as is, >> and passes if ldap_enumeration_refresh_timeout in the first half is set >> to e.g. 30. The sss_nss_check_header function was observed to always >> return 0 for the second half of the test, when it was failing. > > This test passes for me with the memcache workaround. I guess we do > not need it then. The reproducer for the failure can be achieved > by removing the workaround (which we will do once we fix the > root cause). Do you mean we should not merge it, remove it from the patchset? Or add it along with a workaround, so after we fix the failure and remove the workaround it stays on the lookout?

> Just for info, this is git diff with > changes I made when testing your patches: I see, thank you! Sincerely, Nick

On 11/03/2015 06:30 PM, Nikolai Kondrashov wrote: > Now, I think I got confused here. I'm not actually testing negative > cache, but > only the fact that the changes to LDAP don't appear before the caches > expire. > Since the negative cache timeout equals the timeout of positive caches, > there > are really no negative cache-specific tests. > > That said, I can still remove the tests you mention in your patch, if you > think we should remove them. However, just for the record, I didn't see any > issues with them. > > Another thing is, I couldn't make the tests work with those sleep(4)'s > removed > as you did in your patch up-thread. In fact all *add_remove* tests failed > except the add_remove_user_memcache_mix (delay results are not checked > there). > > The problem being, the assertions following these delays check > enumeration and > enumeration timeout is still 4 seconds, so we need to wait for it. For that > matter removing tests you mention doesn't have an impact on execution time. I see where the confusion comes from now. But the enumeration should not play a role here. You can think about enumeration as forced sysdb fill operation, but it is not necessary in order to grab user from LDAP. If the user is not found in the sysdb (and also not found in the negcache) SSSD grabs the user from LDAP even before the next enumeration.

> I'm not quite sure how you made it work. Was some other change omitted from > your patch accidentally? I'm talking about changes like this: I do not think I omitted something. Did you really set the negative_cache to 0 in sssd.conf?

> > def create_sssd_cleanup(request): > @@ -462,12 +464,9 @@ def user_and_groups_rfc2307_bis(request, ldap_conn): > def test_add_remove_user(ldap_conn, blank_rfc2307): > """Test user addition and removal are reflected by SSSD""" > e = ldap_ent.user(ldap_conn.ds_inst.base_dn, "user", 1001, 2000) > - time.sleep(2) > # Add the user > ent.assert_passwd(ent.contains_only()) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Here you fill the negative cache. > ldap_conn.add_s(*e) > - ent.assert_passwd(ent.contains_only()) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Here you are testing the negative cache. If there was no negcache hit, SSSD would grab the user from LDAP.

> - time.sleep(4) ^^^^^^^^^^^^^ So this sleep should not be necessary if the negcache is disabled. > ent.assert_passwd(ent.contains_only(dict(name="user", uid=1001))) > # Remove the user > ldap_conn.delete_s(e[0]) > > All in all, setting memcache_timeout to zero and commenting-out memcache > file > removal was enough to make *all* tests work fine. > That is good! If the patches do not work for you without the sleep()s you can send them with the sleep()s for now and I will take a look.