authorMartin Babinsky <mbabinsk@redhat.com>2016-02-17 16:55:56 +0100
committerTomas Babej <tbabej@redhat.com>2016-02-25 13:37:16 +0100
commit94a836dd46e5e041443b7da03e4ce8a7a7aaa7e3 (patch)
tree10632945d6e6e1d090e3ea73ff4f46fc49ea2ee6 /ipatests/test_integration
parenta14d68749397a52537594da890fb23e994dd04e2 (diff)
CI tests: use old schema when testing hostmask-based sudo rules
Newer versions of sssd use native IPA schema to process sudo rules. However, this schema currently has no support for hostmask-based rules and causes some sudo CI tests to fail. We have to temporarily set sssd.conf to use ou=sudoers,$SUFFIX as a sudo rule search base when executing them. https://fedorahosted.org/freeipa/ticket/5625 Reviewed-By: Tomas Babej <tbabej@redhat.com>
Diffstat (limited to 'ipatests/test_integration')
-rw-r--r--ipatests/test_integration/tasks.py43
-rw-r--r--ipatests/test_integration/test_sudo.py27
2 files changed, 69 insertions, 1 deletions
diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index 60e9e8239..5477a3564 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -24,10 +24,12 @@ import textwrap
import re
import collections
import itertools
+import tempfile
import time
import dns
from ldif import LDIFWriter
+from SSSDConfig import SSSDConfig
from six import StringIO
from ipapython import ipautil
@@ -591,6 +593,47 @@ def setup_sssd_debugging(host):
clear_sssd_cache(host)
+def modify_sssd_conf(host, domain, mod_dict, provider='ipa',
+ provider_subtype=None):
+ """
+ modify options in a single domain section of host's sssd.conf
+ :param host: multihost.Host object
+ :param domain: domain section name to modify
+ :param mod_dict: dictionary of options which will be passed to
+ SSSDDomain.set_option(). To remove an option specify its value as
+ None
+ :param provider: provider backend to set. Defaults to ipa
+ :param provider_subtype: backend subtype (e.g. id or sudo), will be added
+ to the domain config if not present
+ """
+ try:
+ temp_config_file = tempfile.mkstemp()[1]
+ current_config = host.transport.get_file_contents(paths.SSSD_CONF)
+
+ with open(temp_config_file, 'wb') as f:
+ f.write(current_config)
+
+ sssd_config = SSSDConfig()
+ sssd_config.import_config(temp_config_file)
+ sssd_domain = sssd_config.get_domain(domain)
+
+ if provider_subtype is not None:
+ sssd_domain.add_provider(provider, provider_subtype)
+
+ for m in mod_dict:
+ sssd_domain.set_option(m, mod_dict[m])
+
+ sssd_config.save_domain(sssd_domain)
+
+ new_config = sssd_config.dump(sssd_config.opts).encode('utf-8')
+ host.transport.put_file_contents(paths.SSSD_CONF, new_config)
+ finally:
+ try:
+ os.remove(temp_config_file)
+ except OSError:
+ pass
+
+
def clear_sssd_cache(host):
"""
Clears SSSD cache by removing the cache files. Restarts SSSD.
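Review bot: `tempfile.mkstemp()[1]` in modify_sssd_conf discards the open file descriptor that mkstemp returns, so every call leaks one descriptor on the test controller. Because the call sits inside the `try`, a failure there also leaves `temp_config_file` unbound, and the `finally` then raises NameError over the real error. Taking the pair before the `try` and writing through it fixes both: `fd, temp_config_file = tempfile.mkstemp()` followed by `with os.fdopen(fd, 'wb') as f:`. The function also rewrites sssd.conf without restarting SSSD, so its docstring should say the caller has to do that (for example via clear_sssd_cache) before the change takes effect. Whether put_file_contents keeps the root-only ownership and 0600 mode that SSSD expects on this file is not visible here and is worth confirming.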
diff --git a/ipatests/test_integration/test_sudo.py b/ipatests/test_integration/test_sudo.py
index b1f31556a..21267454d 100644
--- a/ipatests/test_integration/test_sudo.py
+++ b/ipatests/test_integration/test_sudo.py
@@ -20,7 +20,7 @@
import pytest
from ipatests.test_integration.base import IntegrationTest
-from ipatests.test_integration.tasks import clear_sssd_cache
+from ipatests.test_integration.tasks import clear_sssd_cache, modify_sssd_conf
from ipatests.test_integration import util
@@ -287,6 +287,19 @@ class TestSudo(IntegrationTest):
'testrule',
'--hostmask', full_ip])
+ # SSSD >= 1.13.3-3 uses native IPA schema instead of compat entries to
+ # pull in sudoers. Since native schema does not (yet) support
+ # hostmasks, we need to point ldap_sudo_search_base to the old schema
+ domain = self.client.domain
+ modify_sssd_conf(
+ self.client,
+ domain.name,
+ {
+ 'ldap_sudo_search_base': 'ou=sudoers,{}'.format(domain.basedn)
+ },
+ provider_subtype='sudo'
+ )
+
def test_sudo_rule_restricted_to_one_hostmask(self):
if self.__class__.skip_hostmask_based:
raise pytest.skip("Hostmask could not be detected")
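Review bot: The search-base override is applied in this setup step and undone only in the separate teardown step patched in the later hunk of this file, so a failure or a partial run between the two leaves the client reading sudo rules from `ou=sudoers` for every following test. Since that changes which rule tree the remaining sudo tests actually exercise, the reset would be safer in a fixture finalizer or a `try`/`finally` than in a later test method. Nothing in the visible lines restarts SSSD after the edit, so presumably the following test relies on a cache clear elsewhere; a comment such as `# takes effect on the next SSSD restart (clear_sssd_cache)` would make that explicit. The enclosing method starts outside the hunk.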
@@ -328,6 +341,18 @@ class TestSudo(IntegrationTest):
'testrule',
'--hostmask', '%s/32' % ip])
+ # reset ldap_sudo_search_base back to the default value, the old
+ # schema is not needed for the upcoming tests
+ domain = self.client.domain
+ modify_sssd_conf(
+ self.client,
+ domain.name,
+ {
+ 'ldap_sudo_search_base': None
+ },
+ provider_subtype='sudo'
+ )
+
def test_sudo_rule_restricted_to_one_command_setup(self):
# Reset testrule configuration
self.reset_rule_categories()
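Review bot: The reset call still passes `provider_subtype='sudo'`, and modify_sssd_conf calls `add_provider` whenever that argument is not None, so the teardown removes `ldap_sudo_search_base` but does not return the domain section to its earlier state if the sudo provider line was added by the setup step. If the intent is a full restore, drop the argument here: `modify_sssd_conf(self.client, domain.name, {'ldap_sudo_search_base': None})`. Whether the provider was already configured before the setup step cannot be seen from this hunk, and the enclosing method starts outside it.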