tests: authentication, adding override_homedir tests
* moving ad specific test out of authentication and to its own file
Dan Lavu committed Sep 24, 2024
1 parent 67ba42c commit d282f50
Showing 2 changed files with 116 additions and 43 deletions.
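--- a/src/tests/system/tests/test_ad.py
+++ b/src/tests/system/tests/test_ad.py
@@ -0,0 +1,54 @@
+"""
+SSSD Active Directory (AD) Test Cases
+:requirement: ad
+"""
+
+from __future__ import annotations
+
+import pytest
+from sssd_test_framework.roles.ad import AD
+from sssd_test_framework.roles.client import Client
+from sssd_test_framework.topology import KnownTopology
+
+
+@pytest.mark.topology(KnownTopology.AD)
+@pytest.mark.ticket(gh=7174)
+@pytest.mark.parametrize("method", ["su", "ssh"])
+@pytest.mark.parametrize("sssd_service_user", ("root", "sssd"))
+@pytest.mark.importance("critical")
+@pytest.mark.require(
+lambda client, sssd_service_user: ((sssd_service_user == "root") or client.features["non-privileged"]),
+"SSSD was built without support for running under non-root",
+)
+def test_authentication__using_the_users_email_address(client: Client, ad: AD, method: str, sssd_service_user: str):
+"""
+:title: Login using the user's email address
+:description:
+Testing the feature to login using an email address instead of the userid. The username used,
+must match one of the user's LDAP attribute values, "EmailAddress". The login should be
+case-insensitive and permit special characters.
+:setup:
+1. Add AD users with different email addresses
+2. Start SSSD
+:steps:
+1. Authenticate users using their email address and in different cases
+:expectedresults:
+1. Authentication is successful using the email address and is case-insensitive
+:customerscenario: False
+"""
+ad.user("user-1").add(password="Secret123", email=f"user-1@{ad.host.domain}")
+ad.user("user-2").add(password="Secret123", email="[email protected]")
+ad.user("user_3").add(password="Secret123", email="[email protected]")
+
+client.sssd.start(service_user=sssd_service_user)
+
+assert client.auth.parametrize(method).password(
+f"user-1@{ad.host.domain}", "Secret123"
+), f"User user-1@{ad.host.domain} failed login!"
+assert client.auth.parametrize(method).password(
+"[email protected]", "Secret123"
+), "User [email protected] failed login!"
+assert client.auth.parametrize(method).password(
+"[email protected]", "Secret123"
+), "User [email protected] failed login!"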
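Review bot: The relocated `test_authentication__using_the_users_email_address` asserts only successful logins, so it would still pass if login by email address accepted any password; the neighbouring tests in test_authentication.py also assert that a wrong password is rejected. Consider adding a negative check such as `assert not client.auth.parametrize(method).password(f"user-1@{ad.host.domain}", "WrongSecret123"), "User logged in with an incorrect password!"` (the wrong password here is a constructed sample). Now that the test lives in test_ad.py, the `test_authentication__` prefix may no longer match the file's naming scheme; presumably `test_ad__…` is intended, but confirm against the project convention.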
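--- a/src/tests/system/tests/test_authentication.py
+++ b/src/tests/system/tests/test_authentication.py
@@ -10,7 +10,8 @@
 from sssd_test_framework.roles.ad import AD
 from sssd_test_framework.roles.client import Client
 from sssd_test_framework.roles.generic import GenericProvider
-from sssd_test_framework.topology import KnownTopology, KnownTopologyGroup
+from sssd_test_framework.roles.ldap import LDAP
+from sssd_test_framework.topology import KnownTopologyGroup
 
 
 @pytest.mark.topology(KnownTopologyGroup.AnyProvider)
@@ -47,6 +48,66 @@ def test_authentication__with_default_settings(
 ), "User logged in with an invalid password!"
 
 
+@pytest.mark.topology(KnownTopologyGroup.AnyProvider)
+@pytest.mark.parametrize(
+"sequence",
+["user", "uid", "fqn", "domain", "first_letter", "principal", "original", "lower", "substring", "literal%"],
+)
+@pytest.mark.importance("critical")
+def test_authentication__with_overriding_home_directory(client: Client, provider: GenericProvider, sequence: str):
+"""
+:title: Authenticate and override the user's home directory
+:description:
+For simplicity, the home directory is set to '/home/user1' because some providers paths are different.
+:setup:
+1. Backup the /home directory
+2. Create user and set home directory to '/home/user1'
+3. Start SSSD with mkhomedir configuration and lookup user
+4. Configure SSSD with 'override_homedir' sequence value and restart SSSD
+:steps:
+1. Login as user and check working directory
+:expectedresults:
+1. Login is successful and working directory matches the expected value
+:customerscenario: False
+"""
+client.fs.backup("/home")
+provider.user("user1").add(password="Secret123", home="/home/user1")
+client.sssd.common.mkhomedir()
+client.sssd.start()
+
+user = client.tools.getent.passwd("user1")
+assert user is not None
+
+# Sequence dictionary with configuration and expected values
+_sequence: dict[str, list[str]] = {
+"user": ["/home/%u", f"/home/{user.name}"],
+"uid": ["/home/%U", f"/home/{user.uid}"],
+"fqn": ["/home/%f", f"/home/{user.name}@{client.sssd.default_domain}"],
+"domain": ["/home/%d/%u", f"/home/{client.sssd.default_domain}/{user.name}"],
+"first_letter": ["/home/%l", f"/home/{str(user.name)[0]}"],
+"principal": ["/home/%P", f"/home/{user.name}@{provider.domain.upper()}"],
+"original": ["%o", f"{user.home}"],
+"lower": ["%h", f"{user.home}"],
+"substring": ["%H/%u", f"/home/homedir/{user.name}"],
+"literal%": ["/home/%%/%u", f"/home/%/{user.name}"],
+}
+
+# Uses homedir_substring as part of the sequence
+for k, v in _sequence.items():
+if k == sequence:
+if k == "principal" and (isinstance(provider, AD) or isinstance(provider, LDAP)):
+pytest.skip("Skipping provider, userPrincipal attribute is not set!")
+else:
+client.sssd.domain["homedir_substring"] = "/home/homedir"
+client.sssd.domain["override_homedir"] = v[0]
+client.sssd.restart()
+
+with client.ssh("user1", "Secret123") as ssh:
+result = ssh.run("pwd").stdout
+assert result is not None, "Getting path failed!"
+assert result == v[1], f"Current path {result} is not {v[1]}!"
+
+
 @pytest.mark.topology(KnownTopologyGroup.AnyProvider)
 @pytest.mark.parametrize("method", ["su", "ssh"])
 @pytest.mark.parametrize("sssd_service_user", ("root", "sssd"))
@@ -95,45 +156,3 @@ def test_authentication__default_settings_when_the_provider_is_offline(
 
 assert client.auth.parametrize(method).password(user, correct), "User failed login!"
 assert not client.auth.parametrize(method).password(user, wrong), "User logged in with an incorrect password!"
-
-
-@pytest.mark.topology(KnownTopology.AD)
-@pytest.mark.ticket(gh=7174)
-@pytest.mark.parametrize("method", ["su", "ssh"])
-@pytest.mark.parametrize("sssd_service_user", ("root", "sssd"))
-@pytest.mark.importance("critical")
-@pytest.mark.require(
-lambda client, sssd_service_user: ((sssd_service_user == "root") or client.features["non-privileged"]),
-"SSSD was built without support for running under non-root",
-)
-def test_authentication__using_the_users_email_address(client: Client, ad: AD, method: str, sssd_service_user: str):
-"""
-:title: Login using the user's email address
-:description:
-Testing the feature to login using an email address instead of the userid. The username used,
-must match one of the user's LDAP attribute values, "EmailAddress". The login should be
-case-insensitive and permit special characters.
-:setup:
-1. Add AD users with different email addresses
-2. Start SSSD
-:steps:
-1. Authenticate users using their email address and in different cases
-:expectedresults:
-1. Authentication is successful using the email address and is case-insensitive
-:customerscenario: False
-"""
-ad.user("user-1").add(password="Secret123", email=f"user-1@{ad.host.domain}")
-ad.user("user-2").add(password="Secret123", email="[email protected]")
-ad.user("user_3").add(password="Secret123", email="[email protected]")
-
-client.sssd.start(service_user=sssd_service_user)
-
-assert client.auth.parametrize(method).password(
-f"user-1@{ad.host.domain}", "Secret123"
-), f"User user-1@{ad.host.domain} failed login!"
-assert client.auth.parametrize(method).password(
-"[email protected]", "Secret123"
-), "User [email protected] failed login!"
-assert client.auth.parametrize(method).password(
-"[email protected]", "Secret123"
-), "User [email protected] failed login!"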
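Review bot: In `test_authentication__with_overriding_home_directory`, the `for k, v in _sequence.items(): if k == sequence:` loop lets the test finish without asserting anything if a parametrized id is ever missing from `_sequence`. A direct lookup such as `override, expected = _sequence[sequence]` would fail loudly with a KeyError instead. The `lower` case (`%h`) expects the same `user.home` value as `original` (`%o`), and the setup uses the all-lowercase `/home/user1`, so lowercasing does not appear to be exercised; a mixed-case home for that case would cover it. The `principal` skip is only reached after the user is added and SSSD is started, and it can be written as `isinstance(provider, (AD, LDAP))`.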
