Tests: Fix integration sudo tests setup and checks

Adding 'defaults' sudorule to prevent requesting further user authentication. Adding checks that if a user should be rejected access, a proper error message is displayed. https://fedorahosted.org/freeipa/ticket/6262 Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
author: Lenka Doudova <ldoudova@redhat.com> 2016-08-26 13:00:01 +0200
committer: Martin Basti <mbasti@redhat.com> 2016-09-14 12:49:02 +0200
commit: 7cac8392036bf6d6bbd74f5a781986dec21149d6 (patch)
tree: 0cd232d52468f0b53f10c8504a452db11c2cddcc /ipatests
parent: b0d40b80e8d9a4960296ce70d843ad987657696b (diff)
download: freeipa-7cac8392036bf6d6bbd74f5a781986dec21149d6.tar.gz
freeipa-7cac8392036bf6d6bbd74f5a781986dec21149d6.tar.xz
freeipa-7cac8392036bf6d6bbd74f5a781986dec21149d6.zip
1 files changed, 29 insertions, 2 deletions
diff --git a/ipatests/test_integration/test_sudo.py b/ipatests/test_integration/test_sudo.py
index 21267454d..a1676a28a 100644
--- a/ipatests/test_integration/test_sudo.py
+++ b/ipatests/test_integration/test_sudo.py
@@ -37,6 +37,8 @@ class TestSudo(IntegrationTest):
         super(TestSudo, cls).install(mh)
 
         cls.client = cls.clients[0]
+        cls.clientname = cls.client.run_command(
+            ['hostname', '-s']).stdout_text.strip()
 
         for i in range(1, 3):
             # Add 1. and 2. testing user
@@ -72,6 +74,13 @@ class TestSudo(IntegrationTest):
                                 '-G', 'localgroup',
                                 'localuser'])
 
+        # Create sudorule 'defaults' for not requiring authentication
+        cls.master.run_command(['ipa', 'sudorule-add', 'defaults'])
+        cls.master.run_command(['ipa', 'sudorule-add-option',
+                                'defaults',
+                                '--sudooption', "!authenticate"])
+
+
     @classmethod
     def uninstall(cls, mh):
         cls.client.run_command(['groupdel', 'localgroup'], raiseonerr=False)
@@ -81,8 +90,9 @@ class TestSudo(IntegrationTest):
     def list_sudo_commands(self, user, raiseonerr=False, verbose=False):
         clear_sssd_cache(self.client)
         list_flag = '-ll' if verbose else '-l'
-        return self.client.run_command('su -c "sudo %s" %s' % (list_flag, user),
-                                       raiseonerr=raiseonerr)
+        return self.client.run_command(
+            'su -c "sudo %s -n" %s' % (list_flag, user),
+            raiseonerr=raiseonerr)
 
     def reset_rule_categories(self, safe_delete=True):
         if safe_delete:
@@ -168,6 +178,16 @@ class TestSudo(IntegrationTest):
 
         result2 = self.list_sudo_commands("testuser2", raiseonerr=False)
         assert result2.returncode != 0
+        assert "Sorry, user testuser2 may not run sudo on {}.".format(
+            self.clientname) in result2.stderr_text
+
+    def test_sudo_rule_restricted_to_one_user_without_defaults_rule(self):
+        # Verify password is requested with the 'defaults' sudorule disabled
+        self.master.run_command(['ipa', 'sudorule-disable', 'defaults'])
+
+        result3 = self.list_sudo_commands("testuser2", raiseonerr=False)
+        assert result3.returncode != 0
+        assert "sudo: a password is required" in result3.stderr_text
 
     def test_setting_category_to_all_with_valid_entries_user(self):
         result = self.reset_rule_categories(safe_delete=False)
@@ -178,6 +198,7 @@ class TestSudo(IntegrationTest):
         self.master.run_command(['ipa', 'sudorule-remove-user',
                                  'testrule',
                                  '--users', 'testuser1'])
+        self.master.run_command(['ipa', 'sudorule-enable', 'defaults'])
 
     def test_sudo_rule_restricted_to_one_group_setup(self):
         # Add the testgroup2 to the rule
@@ -188,6 +209,8 @@ class TestSudo(IntegrationTest):
     def test_sudo_rule_restricted_to_one_group(self):
         result1 = self.list_sudo_commands("testuser1", raiseonerr=False)
         assert result1.returncode != 0
+        assert "Sorry, user testuser1 may not run sudo on {}.".format(
+            self.clientname) in result1.stderr_text
 
         result2 = self.list_sudo_commands("testuser2")
         assert "(ALL : ALL) NOPASSWD: ALL" in result2.stdout_text
@@ -219,6 +242,8 @@ class TestSudo(IntegrationTest):
     def test_sudo_rule_restricted_to_one_host_negative(self):
         result1 = self.list_sudo_commands("testuser1", raiseonerr=False)
         assert result1.returncode != 0
+        assert "Sorry, user testuser1 may not run sudo on {}.".format(
+            self.clientname) in result1.stderr_text
 
     def test_sudo_rule_restricted_to_one_host_negative_teardown(self):
         # Remove the master from the rule
@@ -333,6 +358,8 @@ class TestSudo(IntegrationTest):
     def test_sudo_rule_restricted_to_one_hostmask_negative(self):
         result1 = self.list_sudo_commands("testuser1")
         assert result1.returncode != 0
+        assert "Sorry, user testuser1 may not run sudo on {}.".format(
+            self.clientname) in result1.stderr_text
 
     def test_sudo_rule_restricted_to_one_hostmask_negative_teardown(self):
         # Remove the master's hostmask from the rule
author	Lenka Doudova <ldoudova@redhat.com>	2016-08-26 13:00:01 +0200
committer	Martin Basti <mbasti@redhat.com>	2016-09-14 12:49:02 +0200
commit	7cac8392036bf6d6bbd74f5a781986dec21149d6 (patch)
tree	0cd232d52468f0b53f10c8504a452db11c2cddcc /ipatests
parent	b0d40b80e8d9a4960296ce70d843ad987657696b (diff)
download	freeipa-7cac8392036bf6d6bbd74f5a781986dec21149d6.tar.gz freeipa-7cac8392036bf6d6bbd74f5a781986dec21149d6.tar.xz freeipa-7cac8392036bf6d6bbd74f5a781986dec21149d6.zip