Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

tests: adding client ipa trust authentication tests #7779

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

tests: adding client ipa trust authentication tests #7779

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
60 changes: 60 additions & 0 deletions src/tests/system/tests/test_ipa_trusts.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@
from __future__ import annotations

import pytest
from sssd_test_framework.roles.client import Client
from sssd_test_framework.roles.generic import GenericADProvider
from sssd_test_framework.roles.ipa import IPA
from sssd_test_framework.topology import KnownTopologyGroup
Expand Down Expand Up @@ -60,3 +61,62 @@ def test_ipa_trusts__lookup_group_without_sid(ipa: IPA, trusted: GenericADProvid
status = ipa.sssctl.domain_status(trusted.domain, online=True)
assert "online status: offline" not in status.stdout.lower(), "AD domain went offline!"
assert "online status: online" in status.stdout.lower(), "AD domain was not online!"


@pytest.mark.importance("critical")
@pytest.mark.topology(KnownTopologyGroup.IPATrust)
def test_ipa_trusts__authentication_with_default_settings(client: Client, trusted: GenericADProvider):
"""
:title: Authenticate IPA and trusted AD users with default settings
:setup:
1. Create trusted user
2. Start SSSD
:steps:
1. Authenticate user using their fully qualified name
2. Authenticate user using the wrong password
:expectedresults:
1. Login is successful
2. Login is unsuccessful
:customerscenario: False
"""
ad_user = trusted.user("user1").add(password="Secret123").name
ad_user_fqn = f"{ad_user}@{trusted.domain}"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For ad, you can use ad_user_fqn = trusted.fqn("user2")

I added this fqn method to the IPA role here https://github.com/SSSD/sssd-test-framework/pull/119/files but it won't work until merged obviously


client.sssd.enable_responder("ssh")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this really needed?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let me double-check: the other IPA trust tests are using the IPA host to do the lookups; IIRC, this wasn't enabled on the client.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, but we should update the IPA config in the framework. It's because

services = nss, pam

client.sssd.start(clean=True)

assert client.auth.ssh.password(ad_user_fqn, "Secret123"), f"User {ad_user_fqn} failed login!"
assert not client.auth.ssh.password(
ad_user_fqn, "bad_password"
), f"User {ad_user_fqn} logged in with an incorrect password!"


@pytest.mark.importance("high")
@pytest.mark.ticket(jira="RHEL-4984", gh=7635)
@pytest.mark.topology(KnownTopologyGroup.IPATrust)
def test_ipa_trusts__authentication_with_default_domain_suffix_set(client: Client, trusted: GenericADProvider):
"""
:title: Authenticate IPA and trusted AD users with default_domain_suffix set to AD
:setup:
1. Create trusted user
2. Set 'default_domain_suffix' value to 'trusted_domain'
3. Start SSSD
:steps:
1. Authenticate user using their fully qualified name
2. Authenticate users using the wrong password
:expectedresults:
1. Logins are successful
2. Logins are unsuccessful
:customerscenario: True
"""
ad_user = trusted.user("user1").add(password="Secret123").name
ad_user_fqn = f"{ad_user}@{trusted.domain}"

client.sssd.enable_responder("ssh")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this really needed?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IPA was not doing that on RHEL 10 beta so we had this as a workaround. New IPA on 10.0 should include it but better to be safe.

client.sssd.section("sssd")["default_domain_suffix"] = trusted.domain
client.sssd.start(clean=True)

assert client.auth.ssh.password(ad_user_fqn, "Secret123"), f"User {ad_user_fqn} failed login!"
assert not client.auth.ssh.password(
ad_user_fqn, "bad_password"
), f"User {ad_user_fqn} logged in with an incorrect password!"
Loading