Tests: Test transformation of bash-ldap-id-ldap-auth netgroup

[aborah-sudo]

Test transformation of bash-ldap-id-ldap-auth netgroup

[ikerexxe]

Why are you using a specially created function to run libc's group membership, when the framework already provides an automation to check this?

As an example test_netgroups__add_remove_netgroup_member uses client.tools.getent.netgroup("ng-2") to check the membership.

[danlavu]

Please reference current code for examples to better conform to the new coding standards. Let's pause any other PRs until this one meets the new guidelines.

[danlavu]

This is much better, but you resolved an issue that still needs to be resolved. These tests are specific to LDAP should go in test_ldap.py. Is there a reason why we cannot use the generic provider? We want to start using this for more coverage and reduce the amount of test cases.

Not related to this PR, here is an example of using one test to cover the same scenario for AD/IPA/LDAP/Samba, 12 lines of code instead of copying the test case. https://github.com/SSSD/sssd/blob/master/src/tests/system/tests/test_failover.py

I'll take a closer look later, all the checks need to be green before we merge, please resolve the ci failures, like the 'static code analysis' and the ci system tests.

[aborah-sudo]

This is much better, but you resolved an issue that still needs to be resolved. These tests are specific to LDAP should go in test_ldap.py. Is there a reason why we cannot use the generic provider? We want to start using this for more coverage and reduce the amount of test cases.

Not related to this PR, here is an example of using one test to cover the same scenario for AD/IPA/LDAP/Samba, 12 lines of code instead of copying the test case. https://github.com/SSSD/sssd/blob/master/src/tests/system/tests/test_failover.py

I'll take a closer look later, all the checks need to be green before we merge, please resolve the ci failures, like the 'static code analysis' and the ci system tests.

These are ldap specific tests. I have tries running them against GenericProvider but its failed . So moving them to _test_ldap.py

[aborah-sudo]

I have only done a cursory review but I believe there are several areas for improvement. First, you have created a function called create_users() that creates a set of users and groups, but then in the tests you only use a couple of users and groups. I think it would be better to create only the users and groups that are necessary, and also to do it in the test directly.

This function is helping me not repeat same line in different tests .

Second, as Dan mentioned, since the functionality is similar these tests look like they can be reused between providers. From what I see you have tried to use the GenericProvider, but it fails, have you tried to find out why?

As i said before this is LDAP compatible script .

(Pdb) ou = provider.ou("Netgroup")
*** AttributeError: 'IPA' object has no attribute 'ou'

Finally, the explanatory comments are somewhat poor and do not explain from a high level, something that a sysadmin or support engineer can understand, what is being tested. Example: Tuple (testhost5, ng9005, ldap.test) is present as a direct member of “DEVUsers”. Anyone with a minimal knowledge of Python understands this, but what does it really mean from the domain point of view? If I understand it correctly, you are trying to assert that user ng9005 is a member of group testhost5. Am I wrong? You probably don't need to look at the last part of the result (ldap.test), so I think you could use - instead.

Defiantly i will try to improve the doc part of the script .

[ikerexxe]

This function is helping me not repeat same line in different tests .

That function is creating a set of users and groups that you aren't using anywhere. That's my main concern.

As i said before this is LDAP compatible script .

(Pdb) ou = provider.ou("Netgroup") *** AttributeError: 'IPA' object has no attribute 'ou'

The GenericProvider already provides a way to add network groups without the need to consult the organization unit first. Take a look at the documentation to understand how to manage it. If you need additional examples you can also check test_netgroup.py.

Defiantly i will try to improve the doc part of the script .

Perfect!

[aborah-sudo]

This function is helping me not repeat same line in different tests .

That function is creating a set of users and groups that you aren't using anywhere. That's my main concern.

As i said before this is LDAP compatible script .
(Pdb) ou = provider.ou("Netgroup") *** AttributeError: 'IPA' object has no attribute 'ou'

The GenericProvider already provides a way to add network groups without the need to consult the organization unit first. Take a look at the documentation to understand how to manage it. If you need additional examples you can also check test_netgroup.py.

Its not about network groups its about ou. This script is for ldap provider not generic.

Defiantly i will try to improve the doc part of the script .

Perfect!

[ikerexxe]

I've consulted Sumit and although the netgroup functionality is provided, IPA's exposed interface is not the same as in LDAP or AD's environment. So I have an important question before I continue reviewing the code. Ultimately what do we want to test? Do we want to test that the high-level functionality works, or that the functionality of each provider works? According to the response, we can decide what to do with this PR.

[aborah-sudo]

I've consulted Sumit and although the netgroup functionality is provided, IPA's exposed interface is not the same as in LDAP or AD's environment. So I have an important question before I continue reviewing the code. Ultimately what do we want to test? Do we want to test that the high-level functionality works, or that the functionality of each provider works? According to the response, we can decide what to do with this PR.

The high-level functionality works

[ikerexxe]

Some minor comments added. I think there is not much time left to approve it.

[ikerexxe]

Why is this needed? Are you expecting some change may happen?

[aborah-sudo]

No, this is assertion to make sure everything works

[ikerexxe]

What do you mean by everything? What is the exact use case you are trying to test?

[aborah-sudo]

After sssd restart i want to make sure that Nesting netgroups works and i can remove that part if it does not make sense .

[ikerexxe]

IMO it doesn't. @danlavu what do you think? Does it make sense to check again the nesting groups after restarting sssd?