diff --git a/src/tests/system/tests/test_netgroups.py b/src/tests/system/tests/test_netgroups.py index ad74f085b4..28534ea53f 100644 --- a/src/tests/system/tests/test_netgroups.py +++ b/src/tests/system/tests/test_netgroups.py @@ -6,6 +6,8 @@ from __future__ import annotations +import time + import pytest from sssd_test_framework.roles.ad import AD from sssd_test_framework.roles.client import Client @@ -241,3 +243,121 @@ def test_netgroup__lookup_nested_groups_with_host_and_domain_values_present( result = client.tools.getent.netgroup("nested_group") assert result is not None assert expected in result.members + + +@pytest.mark.importance("low") +@pytest.mark.ticket(bz=802207) +@pytest.mark.topology(KnownTopologyGroup.AnyProvider) +def test_netgroup__fully_qualified_names(client: Client, provider: GenericProvider): + """ + :title: Netgroups with fully qualified names resolves and contains the members + :setup: + 1. Configure SSSD domain to use fully qualified names + 2. Create user "user-1" + 3. A netgroup named "ng-1" is created, "user-1" is added to this netgroup + :steps: + 1. Verify the existence and membership of the netgroup "ng-1" + :expectedresults: + 1. SSSD should return netgroup "ng-1" and members of the netgroup + :customerscenario: True + """ + client.sssd.dom("test")["use_fully_qualified_names"] = "true" + user = provider.user("user-1").add() + provider.netgroup("ng-1").add().add_member(user=user) + client.sssd.start() + + result = client.tools.getent.netgroup("ng-1") + assert result is not None and result.name == "ng-1", "'ng-1' Netgroup name did not match '{result.name}'" + assert len(result.members) == 1, "'ng-1' contains more than 1 member!" + assert "(-, user-1)" in result.members, "'ng-1' members did not match the expected ones!" + + +@pytest.mark.importance("low") +@pytest.mark.ticket(bz=678410) +@pytest.mark.topology(KnownTopologyGroup.AnyProvider) +def test_netgroup__entry_negative_timeout(client: Client, provider: GenericProvider): + """ + :title: SSSD should respect entry_negative_timeout value and should not return deleted users after + this timeout has expired + :setup: + 1. Create user with password + 2. Set entry_negative_timeout to 1 second + :steps: + 1. Check user is present and can be used for authentication + 2. Delete the user + 3. Ensure user exists in SSSD cache immediately after deletion + 4. Try ssh authentication for deleted user + 5. Check after entry_negative_timeout user is no longer present in SSSD cache + :expectedresults: + 1. User can be used for authentication + 2. User is deleted + 3. User exists in SSSD cache immediately after deletion + 4. Fail ssh authentication for deleted user + 5. After entry_negative_timeout user is no longer present in SSSD cache + :customerscenario: True + """ + client.sssd.dom("test")["entry_negative_timeout"] = "1" + user = provider.user("user1").add(password="Secret123") + client.sssd.start() + + assert client.tools.id(user.name) is not None, "'{user.name}' was not returned!" + client.auth.ssh.password("user1", "Secret123") + + user.delete() + assert client.tools.id(user.name) is not None, "'{user.name}' was not returned!" + + assert not client.auth.ssh.password("user1", "Secret123"), "Authentication was success!" + + time.sleep(2) + assert client.tools.id(user.name) is None, "User is still present in SSSD cache!" + + +@pytest.mark.importance("low") +@pytest.mark.ticket(bz=645449) +@pytest.mark.topology(KnownTopology.LDAP) +@pytest.mark.topology(KnownTopology.AD) +@pytest.mark.topology(KnownTopology.Samba) +def test_netgroup__uid_gt_2147483647(client: Client, provider: GenericProvider): + """ + :title: SSSD resolves users and groups with id greater than 2147483647 (Integer.MAX_VALUE) + :setup: + 1. Users are added with large uid values + 2. Groups are added with large gid values + :steps: + 1. Check that SSSD resolves users and groups + :expectedresults: + 1. Users and groups are resolved + :customerscenario: True + """ + if not isinstance(provider, (LDAP, Samba, AD)): + raise ValueError("For ipa, 'uid': can be at most 2147483647") + + client.sssd.start() + + for name, uid in [ + ("bigusera", 2147483646), + ("biguserb", 2147483647), + ("biguserc", 2147483648), + ("biguserd", 2147483649), + ("bigusere", 3147483649), + ("biguserf", 4147483649), + ]: + provider.user(name).add(uid=uid, gid=uid, password="Secret123") + for name, uid in [ + ("biggroup1", 2147483646), + ("biggroup2", 2147483647), + ("biggroup3", 2147483648), + ("biggroup4", 2147483649), + ("biggroup5", 3147483649), + ("biggroup6", 4147483649), + ]: + provider.group(name).add(gid=uid) + + for username in ["bigusera", "biguserb", "biguserc", "biguserd", "bigusere", "biguserf"]: + result = client.tools.getent.passwd(username) + assert result is not None, "'{result}' is empty!" + assert result.name == username, "User name does not matched!" + for grpname in ["biggroup1", "biggroup2", "biggroup3", "biggroup4", "biggroup5", "biggroup6"]: + result = client.tools.getent.group(grpname) + assert result is not None, "'{result}' is empty!" + assert result.name == grpname, "Group name does not matched!"