Tests: Test transformation of bash-ldap-id-ldap-auth netgroup

Test transformation of bash-ldap-id-ldap-auth netgroup
SSSD · Oct 18, 2024 · 82e0485 · 82e0485
1 parent 263cb2e
commit 82e0485
Showing 1 changed file with 217 additions and 1 deletion.
diff --git a/src/tests/system/tests/test_netgroups.py b/src/tests/system/tests/test_netgroups.py
@@ -6,10 +6,26 @@
 
 from __future__ import annotations
 
+import time
+
 import pytest
 from sssd_test_framework.roles.client import Client
 from sssd_test_framework.roles.generic import GenericProvider
-from sssd_test_framework.topology import KnownTopologyGroup
+from sssd_test_framework.roles.ldap import LDAP
+from sssd_test_framework.topology import KnownTopology, KnownTopologyGroup
+
+
+def create_users(ldap: LDAP):
+    """
+    Creates users/groups needed for this test script.
+    """
+    ou_people = ldap.ou("People").add()
+    ou_group = ldap.ou("groups").add()
+    ldap.ou("Netgroup").add()
+
+    for id in [9000, 9001, 9002, 9003, 9004, 9005, 9006, 9007, 9008, 9009, 9010]:
+        ldap.user(f"ng{id}", basedn=ou_people).add()
+        ldap.user(f"ng{id}", basedn=ou_group).add()
 
 
 @pytest.mark.importance("medium")
@@ -108,3 +124,203 @@ def test_netgroups__add_remove_netgroup_member(client: Client, provider: Generic
     assert len(result.members) == 1
     assert "(-, user-1)" not in result.members
     assert "(-, user-2)" in result.members
+
+
+@pytest.mark.importance("low")
+@pytest.mark.topology(KnownTopology.LDAP)
+def test_netgroup__netgroup_nisnetgrouptriple(client: Client, ldap: LDAP):
+    """
+    :title: Netgroup with nisNetgroupTriple
+    :setup:
+        1. Create users, groups and start sssd.
+    :steps:
+        1. Check nisNetgroupTriple contains members as added in the test.
+    :expectedresults:
+        1. NisNetgroupTriple should contain members as added in the test.
+    :customerscenario: False
+    """
+    ou = ldap.ou("Netgroup")
+    create_users(ldap)
+
+    qa_users = ldap.netgroup("QAUsers", basedn=ou).add()
+    qa_users.add_member(host="testhost1", user="ng9000", domain="ldap.test")
+
+    client.sssd.start()
+
+    assert "(testhost1, ng9000, ldap.test)" in client.tools.getent.netgroup("QAUsers").members
+
+
+@pytest.mark.importance("low")
+@pytest.mark.topology(KnownTopology.LDAP)
+def test_netgroup__membernisnetgroup(client: Client, ldap: LDAP):
+    """
+    :title: Add more complex LDAP netgroup structure by nesting one netgroup within another.
+    :setup:
+        1. Create users, groups and start sssd.
+    :steps:
+        1. Check that (testhost5, ng9005, ldap.test) is present as a direct member of "DEVUsers".
+        2. Check that (testhost1, ng9000, ldap.test) is also present,
+            even though this tuple was added to "QAUsers", not "DEVUsers".
+            This confirms that the nested group membership is working correctly
+            (since "QAUsers" is nested within "DEVUsers").
+    :expectedresults:
+        1. (testhost5, ng9005, ldap.test) is present as a direct member of "DEVUsers".
+        2. (testhost1, ng9000, ldap.test) is present as a direct member of "DEVUsers".
+    """
+    ou = ldap.ou("Netgroup")
+    create_users(ldap)
+
+    qa_users = ldap.netgroup("QAUsers", basedn=ou).add()
+    qa_users.add_member(host="testhost1", user="ng9000", domain="ldap.test")
+
+    dev_users = ldap.netgroup("DEVUsers", basedn=ou).add()
+    dev_users.add_member(host="testhost5", user="ng9005", domain="ldap.test")
+    ldap.ldap.modify(dev_users.dn, add={"memberNisNetgroup": "QAUsers"})
+
+    client.sssd.start()
+
+    member = client.tools.getent.netgroup("DEVUsers").members
+    assert "(testhost5, ng9005, ldap.test)" in member
+    assert "(testhost1, ng9000, ldap.test)" in member
+
+
+@pytest.mark.importance("low")
+@pytest.mark.topology(KnownTopology.LDAP)
+def test_netgroup__add_dn_membernisnetgroup(client: Client, ldap: LDAP):
+    """
+    :title: Adding dn to memberNisNetgroup
+    :setup:
+        1. Create users, groups and start sssd.
+    :steps:
+        1. Check that the tuple (testhost5, ng9005, ldap.test) is present as a direct member of "DEVUsers".
+        2. Check that the tuple (testhost1, ng9000, ldap.test) is also present.
+            Since "QAUsers" is now referenced as part of "DEVUsers", its members
+            (like ng9000 on testhost1) are inherited by "DEVUsers".
+    :expectedresults:
+        1. Tuple (testhost5, ng9005, ldap.test) is present as a direct member of "DEVUsers".
+        2. Tuple (testhost1, ng9000, ldap.test) is also present.
+    :customerscenario: False
+    """
+    ou = ldap.ou("Netgroup")
+    create_users(ldap)
+
+    qa_users = ldap.netgroup("QAUsers", basedn=ou).add()
+    qa_users.add_member(host="testhost1", user="ng9000", domain="ldap.test")
+
+    dev_users = ldap.netgroup("DEVUsers", basedn=ou).add()
+    dev_users.add_member(host="testhost5", user="ng9005", domain="ldap.test")
+    ldap.ldap.modify(dev_users.dn, replace={"memberNisNetgroup": qa_users.dn})
+
+    client.sssd.dom("test")["entry_cache_timeout"] = "60"
+    client.sssd.start()
+
+    member = client.tools.getent.netgroup("DEVUsers").members
+    assert "(testhost5, ng9005, ldap.test)" in member
+    assert "(testhost1, ng9000, ldap.test)" in member
+
+
+@pytest.mark.importance("low")
+@pytest.mark.topology(KnownTopology.LDAP)
+def test_netgroup__different_syntax(client: Client, ldap: LDAP):
+    """
+    :title: Using different syntax for nisNetgroupTriple
+    :setup:
+        1. Create users, groups and start sssd.
+    :steps:
+        1. Check that the user ng9006 appears in the group members list, represented as the tuple (-,ng9006,).
+    :expectedresults:
+        1. The user ng9006 appears in the group members list
+    :customerscenario: False
+    """
+    ou = ldap.ou("Netgroup")
+    create_users(ldap)
+
+    qa_users = ldap.netgroup("QAUsers", basedn=ou).add()
+    qa_users.add_member(host="testhost1", user="ng9000", domain="ldap.test")
+
+    dev_users = ldap.netgroup("DEVUsers", basedn=ou).add()
+    dev_users.add_member(host="testhost5", user="ng9005", domain="ldap.test")
+    dev_users.add_member(user="ng9006")
+
+    client.sssd.dom("test")["entry_cache_timeout"] = "60"
+    client.sssd.start()
+
+    member = client.tools.getent.netgroup("DEVUsers").members
+    assert "(-,ng9006,)" in member
+
+
+@pytest.mark.importance("low")
+@pytest.mark.topology(KnownTopology.LDAP)
+def test_netgroup__host_and_domain(client: Client, ldap: LDAP):
+    """
+    :title: A scenario where an LDAP netgroup contains a member that
+        only has a host and domain specified, but no associated user.
+    :setup:
+        1.  Check that the tuple (samplehost, -, samplehost.domain.com) is part of the group
+    :expectedresults:
+        1. The tuple (samplehost, -, samplehost.domain.com) is part of the group
+    :customerscenario: False
+    """
+    ou = ldap.ou("Netgroup")
+    create_users(ldap)
+
+    qa_users = ldap.netgroup("QAUsers", basedn=ou).add()
+    qa_users.add_member(host="testhost1", user="ng9000", domain="ldap.test")
+
+    dev_users = ldap.netgroup("DEVUsers", basedn=ou).add()
+    dev_users.add_member(host="testhost5", user="ng9005", domain="ldap.test")
+    dev_users.add_member(host="samplehost", domain="samplehost.domain.com")
+
+    client.sssd.dom("test")["entry_cache_timeout"] = "60"
+    client.sssd.start()
+
+    member = client.tools.getent.netgroup("DEVUsers").members
+    assert "(samplehost,-,samplehost.domain.com)" in member
+
+
+@pytest.mark.importance("low")
+@pytest.mark.topology(KnownTopology.LDAP)
+def test_netgroup__with_nested_loop(client: Client, ldap: LDAP):
+    """
+    :title: Create and manages nested LDAP netgroups and tests their behavior
+        through several scenarios involving caching, membership queries, and restarts of the SSSD service.
+    :setup:
+        1. Create users, groups and start sssd.
+    :steps:
+        1. Retrieves all members of the "DEVUsers" group using the getent netgroup tool.
+        2. Check for ng9000: Verifies that ng9000 (from QAUsers) is also part of "DEVUsers".
+        3. Checks if a user random (who is not in any netgroup) is part of "DEVUsers".
+        4. After the SSSD restart, it retrieves the members of "DEVUsers" again to ensure they are still intact.
+    :expectedresults:
+        1. All members of the "DEVUsers" group be there
+        2. ng9000 (from QAUsers) is also part of "DEVUsers"
+        3. random (who is not in any netgroup) is not part of "DEVUsers".
+        4. All members of the "DEVUsers" group be there
+    """
+    ou = ldap.ou("Netgroup")
+    create_users(ldap)
+
+    qa_users = ldap.netgroup("QAUsers", basedn=ou).add()
+    qa_users.add_member(host="testhost1", user="ng9000", domain="ldap.test")
+
+    dev_users = ldap.netgroup("DEVUsers", basedn=ou).add()
+    ldap.ldap.modify(dev_users.dn, add={"memberNisNetgroup": qa_users.dn})
+    dev_users.add_member(host="testhost5", user="ng9005", domain="ldap.test")
+    dev_users.add_member(user="ng9006")
+
+    ldap.ldap.modify(qa_users.dn, add={"memberNisNetgroup": dev_users.dn})
+
+    client.sssd.dom("test")["entry_cache_timeout"] = "60"
+    client.sssd.start()
+
+    member = client.tools.getent.netgroup("DEVUsers").members
+    assert "(testhost1,ng9000,ldap.test)" in member
+    assert "(-,ng9006,)" in member
+    assert "(testhost5,ng9005,ldap.test)" in member
+
+    client.sssd.restart()
+
+    member = client.tools.getent.netgroup("DEVUsers").members
+    assert "(testhost1,ng9000,ldap.test)" in member
+    assert "(-,ng9006,)" in member
+    assert "(testhost5,ng9005,ldap.test)" in member