diff --git a/src/tests/system/tests/test_ipa_trusts.py b/src/tests/system/tests/test_ipa_trusts.py
index 88de9bdf57..06aa4ad6a5 100644
--- a/src/tests/system/tests/test_ipa_trusts.py
+++ b/src/tests/system/tests/test_ipa_trusts.py
@@ -7,6 +7,7 @@
 from __future__ import annotations
 
 import pytest
+from sssd_test_framework.roles.client import Client
 from sssd_test_framework.roles.generic import GenericADProvider
 from sssd_test_framework.roles.ipa import IPA
 from sssd_test_framework.topology import KnownTopologyGroup
@@ -60,3 +61,70 @@ def test_ipa_trusts__lookup_group_without_sid(ipa: IPA, trusted: GenericADProvid
 status = ipa.sssctl.domain_status(trusted.domain, online=True)
 assert "online status: offline" not in status.stdout.lower(), "AD domain went offline!"
 assert "online status: online" in status.stdout.lower(), "AD domain was not online!"
+
+
+@pytest.mark.importance("critical")
+@pytest.mark.topology(KnownTopologyGroup.IPATrust)
+def test_ipa_trusts__authentication_with_default_settings(client: Client, ipa: IPA, trusted: GenericADProvider):
+ """
+ :title: Authenticate IPA and trusted AD users with default settings
+ :setup:
+ 1. Create users
+ 2. Start SSSD
+ :steps:
+ 1. Authenticate users, one extra time using the fully qualified name for the ipa user
+ 2. Authenticate users using the wrong password
+ :expectedresults:
+ 1. Logins are successful
+ 2. Logins are unsuccessful
+ :customerscenario: False
+ """
+ ipa_user = ipa.user("user1").add(password="Secret123").name
+ ipa_user_fqn = f"{ipa_user}@{ipa.domain}"
+ ad_user = trusted.user("user2").add(password="Secret123").name
+ ad_user_fqn = f"{ad_user}@{trusted.domain}"
+
+ client.sssd.enable_responder("ssh")
+ client.sssd.start(clean=True)
+
+ assert client.auth.ssh.password(ipa_user, "Secret123"), "User failed login!"
+ assert not client.auth.ssh.password(ipa_user, "bad_password"), "User logged in with an incorrect password!"
+ assert client.auth.ssh.password(ipa_user_fqn, "Secret123"), "User failed login!"
+ assert not client.auth.ssh.password(ipa_user_fqn, "bad_password"), "User logged in with an incorrect password!"
+ assert client.auth.ssh.password(ad_user_fqn, "Secret123"), "User failed login!"
+ assert not client.auth.ssh.password(ad_user_fqn, "bad_password"), "User logged in with an incorrect password!"
+
+
+@pytest.mark.importance("high")
+@pytest.mark.ticket(jira="RHEL-4984", gh=7635)
+@pytest.mark.topology(KnownTopologyGroup.IPATrust)
+def test_ipa_trusts__authentication_with_default_domain_suffix_set(
+ client: Client, ipa: IPA, trusted: GenericADProvider
+):
+ """
+ :title: Authenticate IPA and trusted AD users with default_domain_suffix set to AD
+ :setup:
+ 1. Create users
+ 2. Set 'default_domain_suffix' value to 'trusted_domain'
+ 3. Start SSSD
+ :steps:
+ 1. Authenticate users using their fully qualified name
+ 2. Authenticate users using the wrong password
+ :expectedresults:
+ 1. Logins are successful
+ 2. Logins are unsuccessful
+ :customerscenario: True
+ """
+ ipa_user = ipa.user("user1").add(password="Secret123").name
+ ipa_user_fqn = f"{ipa_user}@{ipa.domain}"
+ ad_user = trusted.user("user2").add(password="Secret123").name
+ ad_user_fqn = f"{ad_user}@{trusted.domain}"
+
+ client.sssd.enable_responder("ssh")
+ client.sssd.section("sssd")["default_domain_suffix"] = trusted.domain
+ client.sssd.start(clean=True)
+
+ assert client.auth.ssh.password(ipa_user_fqn, "Secret123"), "User failed login!"
+ assert not client.auth.ssh.password(ipa_user_fqn, "bad_password"), "User logged in with an incorrect password!"
+ assert client.auth.ssh.password(ad_user_fqn, "Secret123"), "User failed login!"
+ assert not client.auth.ssh.password(ad_user_fqn, "bad_password"), "User logged in with an incorrect password!"
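Review bot: test_ipa_trusts__authentication_with_default_domain_suffix_set only logs in with fully qualified names, so it never exercises the unqualified-name handling that `default_domain_suffix` is there to change. With the suffix set to the trusted AD domain, a bare name should be resolved in that domain, so I would expect the short AD name to authenticate and the short IPA name to be refused; please confirm this against the sssd.conf documentation. Consider adding `assert client.auth.ssh.password(ad_user, "Secret123"), "AD short name failed login!"` and `assert not client.auth.ssh.password(ipa_user, "Secret123"), "IPA short name was accepted!"`. The second is the security-relevant case, because it pins that an unqualified name cannot authenticate as an identity outside the configured default domain.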