author | Jakub Hrozek <jhrozek@redhat.com> | 2017-06-05 16:10:55 +0200 |
---|---|---|
committer | Lukas Slebodnik <lslebodn@redhat.com> | 2017-09-01 20:26:45 +0200 |
commit | 6b3bab516355fdf4cc81e6da9d87ec3818ab190f (patch) | |
tree | 8fb272ba1af45101d095bf36b20aab78d2c7f7c1 /src/tests | |
parent | 0558f270b3fbb0780e2a94602d455022b89f5381 (diff) | |
SECRETS: Add a new option to control per-UID limits
Adds a new option max_uid_secrets that allows to set a limit of secrets
for this particular client so that the user cannot starve other users.
Resolves:
https://pagure.io/SSSD/sssd/issue/3363
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Diffstat (limited to 'src/tests')
-rw-r--r-- | src/tests/intg/test_secrets.py | 46 |
1 files changed, 46 insertions, 0 deletions
diff --git a/src/tests/intg/test_secrets.py b/src/tests/intg/test_secrets.py
index bb94ffb47..957a0a8ff 100644
--- a/src/tests/intg/test_secrets.py
+++ b/src/tests/intg/test_secrets.py
@@ -499,3 +499,49 @@ def test_sec_quota(setup_for_secrets_quota, secrets_cli):
 # Don't allow storing more secrets after reaching the max
 # number of entries.
 run_quota_test(cli, 10, 2)
+
+
+@pytest.fixture
+def setup_for_uid_limit(request):
+ conf = unindent("""\
+ [sssd]
+ domains = local
+ services = nss
+
+ [domain/local]
+ id_provider = local
+
+ [secrets]
+
+ [secrets/secrets]
+ max_secrets = 10
+ max_uid_secrets = 5
+ """).format(**locals())
+
+ create_conf_fixture(request, conf)
+ create_sssd_secrets_fixture(request)
+ return None
+
+
+def test_per_uid_limit(setup_for_uid_limit, secrets_cli):
+ """
+ Test that per-UID limits are enforced even if the global limit would still
+ allow to store more secrets
+ """
+ cli = secrets_cli
+
+ # Don't allow storing more secrets after reaching the max
+ # number of entries.
+ MAX_UID_SECRETS = 5
+
+ sec_value = "value"
+ for i in range(MAX_UID_SECRETS):
+ cli.set_secret(str(i), sec_value)
+
+ with pytest.raises(HTTPError) as err507:
+ cli.set_secret(str(MAX_UID_SECRETS), sec_value)
+ assert str(err507.value).startswith("507")
+
+ # FIXME - at this point, it would be nice to test that another UID can
+ # still store secrets, but sadly socket_wrapper doesn't allow us to fake
+ # UIDs yet |
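Review bot: The limit under test is written twice, once as `max_uid_secrets = 5` in the `setup_for_uid_limit` config and again as the local `MAX_UID_SECRETS = 5` in `test_per_uid_limit`, so changing one without the other would leave the test passing or failing for the wrong reason. A module-level `MAX_UID_SECRETS = 5` referenced from the config as `max_uid_secrets = {MAX_UID_SECRETS}` and filled with `.format(MAX_UID_SECRETS=MAX_UID_SECRETS)` would keep the two in step and give the existing `.format(**locals())` call, which currently has no placeholders to fill, a purpose. The test also stops at the first 507; it would be worth additionally checking that removing one secret lets the same UID store again, since a per-UID counter that never decrements would lock a user out permanently. Indentation is not visible on this page, so confirm that the `assert str(err507.value).startswith("507")` line sits outside the `with pytest.raises(...)` block, where it actually runs.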