authorTomas Babej <tbabej@redhat.com>2014-05-14 16:17:08 +0200
committerPetr Viktorin <pviktori@redhat.com>2014-06-25 20:14:52 +0200
commitc50d190549ff56c35d2dac270f319d764c972113 (patch)
tree0ea233e9e3622fc42ee97bfb2c0da1e84ef6360e /ipatests
parentd537da8b8a52dde18f4d07455fef8a4ef1c4ef04 (diff)
ipatests: test_sudo: Add coverage for external entries
Covers functionality of external entries for: * users * runAsUsers * groups of RunAsUsers * runAsGroups Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Diffstat (limited to 'ipatests')
-rw-r--r--ipatests/test_integration/test_sudo.py87
1 files changed, 87 insertions, 0 deletions
diff --git a/ipatests/test_integration/test_sudo.py b/ipatests/test_integration/test_sudo.py
index 40fb68581..bd721fe01 100644
--- a/ipatests/test_integration/test_sudo.py
+++ b/ipatests/test_integration/test_sudo.py
@@ -62,6 +62,19 @@ class TestSudo(IntegrationTest):
'testhostgroup',
'--hosts', cls.client.hostname])
+ # Create local user and local group he's member of
+ cls.client.run_command(['groupadd', 'localgroup'])
+ cls.client.run_command(['useradd',
+ '-M',
+ '-G', 'localgroup',
+ 'localuser'])
+
+ @classmethod
+ def teardown_class(cls):
+ cls.client.run_command(['groupdel', 'localgroup'], raiseonerr=False)
+ cls.client.run_command(['userdel', 'localuser'], raiseonerr=False)
+ super(TestSudo, cls).teardown_class()
+
def list_sudo_commands(self, user, raiseonerr=False, verbose=False):
clear_sssd_cache(self.client)
list_flag = '-ll' if verbose else '-l'
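Review bot: `teardown_class` discards the result of both `groupdel` and `userdel` (`raiseonerr=False`), so a failed cleanup is silent, while the `groupadd`/`useradd` calls added to the setup above do raise. A `localuser` left over from an earlier run would therefore break the next setup, and it would stay on the client as an account that these tests add to a sudo rule. I would remove the user before the group, log a non-zero return code from either command, and give the method a docstring such as `"""Remove the local user and group created in setup_class."""`. The setup method starts outside the hunk, so whether a failure after `useradd` can skip the teardown is not visible here.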
@@ -159,12 +172,35 @@ class TestSudo(IntegrationTest):
result2 = self.list_sudo_commands("testuser2")
assert "(ALL) NOPASSWD: ALL" in result2.stdout_text
+ def test_setting_category_to_all_with_valid_entries_user_group(self):
+ result = self.reset_rule_categories()
+ assert result.returncode != 0
+
def test_sudo_rule_restricted_to_one_group_teardown(self):
# Remove the testgroup2 from the rule
self.master.run_command(['ipa', 'sudorule-remove-user',
'testrule',
'--groups', 'testgroup2'])
+ def test_sudo_rule_restricted_to_one_local_user_setup(self):
+ # Add the localuser to the rule
+ self.master.run_command(['ipa', 'sudorule-add-user',
+ 'testrule',
+ '--users', 'localuser'])
+
+ def test_sudo_rule_restricted_to_one_local_user(self):
+ result1 = self.list_sudo_commands("localuser")
+ assert "(ALL) NOPASSWD: ALL" in result1.stdout_text
+
+ result2 = self.list_sudo_commands("testuser1", raiseonerr=False)
+ assert result2.returncode != 0
+
+ def test_sudo_rule_restricted_to_one_local_user_teardown(self):
+ # Remove the testuser1 from the rule
+ self.master.run_command(['ipa', 'sudorule-remove-user',
+ 'testrule',
+ '--users', 'localuser'])
+
def test_sudo_rule_restricted_to_one_host_negative_setup(self):
# Reset testrule configuration
self.reset_rule_categories()
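Review bot: `test_setting_category_to_all_with_valid_entries_user_group` asserts that `reset_rule_categories()` fails without saying why, and the expectation presumably holds only because the test runs before `test_sudo_rule_restricted_to_one_group_teardown` removes testgroup2 from the rule. A comment such as `# testrule still lists testgroup2, so resetting the categories is expected to fail` would make that ordering dependency explicit. `reset_rule_categories` is defined outside the hunk; the assertion relies on it returning the command result and not raising on a non-zero exit, which is worth confirming. In the new local-user teardown, the comment `# Remove the testuser1 from the rule` should read `# Remove the localuser from the rule`.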
@@ -333,6 +369,23 @@ class TestSudo(IntegrationTest):
'testrule',
'--users', 'testuser2'])
+ def test_sudo_rule_restricted_to_running_as_single_local_user_setup(self):
+ # Allow running commands as testuser2
+ self.master.run_command(['ipa', 'sudorule-add-runasuser',
+ 'testrule',
+ '--users', 'localuser'])
+
+ def test_sudo_rule_restricted_to_running_as_single_local_user(self):
+ result1 = self.list_sudo_commands("testuser1", verbose=True)
+ assert "RunAsUsers: localuser" in result1.stdout_text
+ assert "RunAsGroups:" not in result1.stdout_text
+
+ def test_sudo_rule_restricted_to_running_as_single_user_local_tear(self):
+ # Remove permission to run commands as testuser2
+ self.master.run_command(['ipa', 'sudorule-remove-runasuser',
+ 'testrule',
+ '--users', 'localuser'])
+
def test_sudo_rule_restricted_to_running_as_users_from_group_setup(self):
# Allow running commands as users from testgroup2
self.master.run_command(['ipa', 'sudorule-add-runasuser',
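Review bot: The comments in the new local-user run-as tests were carried over from the testuser2 variants and no longer match the commands: `# Allow running commands as testuser2` and `# Remove permission to run commands as testuser2` both sit above calls that pass `--users localuser`. They should read `# Allow running commands as localuser` and `# Remove permission to run commands as localuser`. The same applies in the later hunks, to the localgroup run-as-user teardown (`... as testuser2`) and to the localgroup run-as-group setup and teardown (`... as testgroup2`). Since these tests exist to tell local entries from IPA ones, a comment naming the wrong principal is easy to misread when a failure is triaged.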
@@ -350,6 +403,23 @@ class TestSudo(IntegrationTest):
'testrule',
'--groups', 'testgroup2'])
+ def test_sudo_rule_restricted_to_run_as_users_from_local_group_setup(self):
+ # Allow running commands as users from localgroup
+ self.master.run_command(['ipa', 'sudorule-add-runasuser',
+ 'testrule',
+ '--groups', 'localgroup'])
+
+ def test_sudo_rule_restricted_to_run_as_users_from_local_group(self):
+ result1 = self.list_sudo_commands("testuser1", verbose=True)
+ assert "RunAsUsers: %localgroup" in result1.stdout_text
+ assert "RunAsGroups:" not in result1.stdout_text
+
+ def test_sudo_rule_restricted_to_run_as_users_from_local_group_tear(self):
+ # Remove permission to run commands as testuser2
+ self.master.run_command(['ipa', 'sudorule-remove-runasuser',
+ 'testrule',
+ '--groups', 'localgroup'])
+
def test_sudo_rule_restricted_to_running_as_single_group_setup(self):
# Allow running commands as testgroup2
self.master.run_command(['ipa', 'sudorule-add-runasgroup',
@@ -367,5 +437,22 @@ class TestSudo(IntegrationTest):
'testrule',
'--groups', 'testgroup2'])
+ def test_sudo_rule_restricted_to_running_as_single_local_group_setup(self):
+ # Allow running commands as testgroup2
+ self.master.run_command(['ipa', 'sudorule-add-runasgroup',
+ 'testrule',
+ '--groups', 'localgroup'])
+
+ def test_sudo_rule_restricted_to_running_as_single_local_group(self):
+ result1 = self.list_sudo_commands("testuser1", verbose=True)
+ assert "RunAsUsers:" not in result1.stdout_text
+ assert "RunAsGroups: localgroup" in result1.stdout_text
+
+ def test_sudo_rule_restricted_to_running_as_single_local_group_tear(self):
+ # Remove permission to run commands as testgroup2
+ self.master.run_command(['ipa', 'sudorule-remove-runasgroup',
+ 'testrule',
+ '--groups', 'localgroup'])
+
# Reset testrule configuration
self.reset_rule_categories()
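Review bot: The trailing `# Reset testrule configuration` / `self.reset_rule_categories()` lines are context, so after this insertion they close `test_sudo_rule_restricted_to_running_as_single_local_group_tear`, and the earlier testgroup2 run-as-group teardown ends right after its `sudorule-remove-runasgroup` call. If that move is intended, a comment on the reset such as `# Last run-as test: reset testrule configuration` would record it; if not, the testgroup2 teardown needs its own reset call. The page appears to have dropped a blank context line in this hunk, and the start of the testgroup2 teardown is outside it, so this reading should be checked against the file.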