Add split/move basic tests to standalone suite

jakub-vavra-cz · jakub-vavra-cz · commit cfccb80e1996 · 2025-12-02T09:25:53.000+01:00
Add new tests for basic sudo functionality.
Move/refactor basic tests from test_sudo suite.
diff --git a/pytest/tests/test_basic.py b/pytest/tests/test_basic.py
@@ -0,0 +1,296 @@
+"""
+SUDO Responder Tests.
+
+:requirement: sudo
+"""
+
+from __future__ import annotations
+
+from sssd_test_framework.roles.ad import AD
+from sssd_test_framework.roles.client import Client
+from sssd_test_framework.roles.generic import GenericProvider
+from sssd_test_framework.topology import KnownTopology
+
+import pytest
+
+
+@pytest.mark.importance("critical")
+@pytest.mark.topology(KnownTopology.BareAD)
+@pytest.mark.topology(KnownTopology.BareIPA)
+@pytest.mark.topology(KnownTopology.BareLDAP)
+@pytest.mark.topology(KnownTopology.BareClient)
+def test_basic__single_user(client: Client, provider: GenericProvider):
+    """
+    :title: One user is allowed to run command, other user is not
+    :setup:
+        1. Create users "user-1" and "user-2"
+        2. Create sudorule to allow "user-1" run "/bin/ls on all hosts
+        3. Enable SSSD sudo responder and start SSSD
+    :steps:
+        1. List sudo rules for "user-1"
+        2. Run "sudo /bin/ls root" as user-1
+        3. List sudo rules for "user-2"
+        4. Run "sudo /bin/ls root" as user-2
+    :expectedresults:
+        1. User is able to run /bin/ls as root
+        2. Command is successful
+        3. User is not able to run /bin/ls as root
+        4. Command failed
+    :customerscenario: False
+    """
+    if isinstance(provider, Client):
+        client.sssd.common.local()
+        client.sssd.common.sudo()
+        client.sssd.start()
+    u = provider.user("user-1").add()
+    provider.user("user-2").add()
+    provider.sudorule("test").add(user=u, host="ALL", command="/bin/ls")
+
+    assert client.auth.sudo.list("user-1", "Secret123", expected=["(root) /bin/ls"]), "Sudo list failed!"
+    assert client.auth.sudo.run("user-1", "Secret123", command="/bin/ls /root"), "Sudo command failed!"
+
+    assert not client.auth.sudo.list("user-2", "Secret123"), "Sudo list successful!"
+    assert not client.auth.sudo.run("user-2", "Secret123", command="/bin/ls /root"), "Sudo command successful!"
+
+
+@pytest.mark.importance("critical")
+@pytest.mark.topology(KnownTopology.BareAD)
+@pytest.mark.topology(KnownTopology.BareIPA)
+@pytest.mark.topology(KnownTopology.BareLDAP)
+@pytest.mark.topology(KnownTopology.BareClient)
+def test_basic__multiple_users(client: Client, provider: GenericProvider):
+    """
+    :title: User fro list are allowed to run a command
+    :setup:
+        1. Create users "user-1", "user-2" and "user-deny"
+        2. Create sudorule to allow "user-1" and "user-2" run "/bin/ls on all hosts
+        3. Enable SSSD sudo responder and start SSSD
+    :steps:
+        1. Run "sudo /bin/ls root" as user-1
+        2. Run "sudo /bin/ls root" as user-2
+        3. Run "sudo /bin/ls root" as user-deny
+    :expectedresults:
+        1. User "user-1" is able to run /bin/ls as root
+        2. User "user-2" is able to run /bin/ls as root
+        3. User  "user-demy" is not able to run /bin/ls as root
+    :customerscenario: False
+    """
+    if isinstance(provider, Client):
+        client.sssd.common.local()
+        client.sssd.common.sudo()
+        client.sssd.start()
+    provider.user("user-1").add()
+    provider.user("user-2").add()
+    provider.user("user-deny").add()
+    provider.sudorule("userlist").add(user=["user-1", "user-2"], host="ALL", command="/bin/ls")
+
+    assert client.auth.sudo.run("user-1", "Secret123", command="/bin/ls /root"), "Sudo command failed!"
+    assert client.auth.sudo.run("user-2", "Secret123", command="/bin/ls /root"), "Sudo command failed!"
+    assert not client.auth.sudo.run("user-deny", "Secret123", command="/bin/ls /root"), "Sudo command passed!"
+
+
+@pytest.mark.importance("critical")
+@pytest.mark.ticket(bz=1372440, gh=4236)
+@pytest.mark.contains_workaround_for(gh=4483)
+@pytest.mark.topology(KnownTopology.BareAD)
+@pytest.mark.topology(KnownTopology.BareIPA)
+@pytest.mark.topology(KnownTopology.BareLDAP)
+@pytest.mark.topology(KnownTopology.BareClient)
+def test_basic__user_is_group(client: Client, provider: GenericProvider):
+    """
+    :title: POSIX groups can be set in sudoUser attribute
+    :setup:
+        1. Create user "user-1"
+        2. Create group "group-1" with "user-1" as a member
+        3. Create sudorule to allow "group-1" run "/bin/ls on all hosts
+        4. Enable SSSD sudo responder
+        5. Start SSSD
+    :steps:
+        1. List sudo rules for "user-1"
+        2. Run "sudo /bin/ls" as "user-1"
+    :expectedresults:
+        1. User is able to run only /bin/ls
+        2. Command is successful
+    :customerscenario: False
+    """
+    if isinstance(provider, Client):
+        client.sssd.common.local()
+        client.sssd.common.sudo()
+        client.sssd.start()
+    u = provider.user("user-1").add()
+    g = provider.group("group-1").add().add_member(u)
+    provider.sudorule("test").add(user=g, host="ALL", command="/bin/ls")
+
+    client.sssd.common.sudo()
+    client.sssd.start()
+
+    # Until https://github.com/SSSD/sssd/issues/4483 is resolved
+    # Running 'id user-1' will resolve SIDs into group names
+    if isinstance(provider, AD):
+        client.tools.id("user-1")
+
+    assert client.auth.sudo.list("user-1", "Secret123", expected=["(root) /bin/ls"]), "Sudo list failed!"
+    assert client.auth.sudo.run("user-1", "Secret123", command="/bin/ls /root"), "Sudo command successful!"
+
+
+@pytest.mark.importance("critical")
+@pytest.mark.contains_workaround_for(gh=4483)
+@pytest.mark.topology(KnownTopology.BareAD)
+@pytest.mark.topology(KnownTopology.BareIPA)
+@pytest.mark.topology(KnownTopology.BareLDAP)
+@pytest.mark.topology(KnownTopology.BareClient)
+def test_basic__user_is_groups(client: Client, provider: GenericProvider):
+    """
+    :title: Multiple POSIX groups can be set in sudoUser attribute
+    :setup:
+        1. Create users "user-1", "user-2" and "user-deny"
+        2. Create group "group-1" with "user-1" as a member
+        3. Create group "group-2" with "user-2" as a member
+        3. Create sudorule to allow "group-1", "group-2" run "/bin/ls on all hosts
+        4. Enable SSSD sudo responder and start SSSD
+    :steps:
+        1. Run "sudo /bin/ls" as "user-1"
+        2. Run "sudo /bin/ls" as "user-2"
+        2. Run "sudo /bin/ls" as "user-deny"
+    :expectedresults:
+        1. User "user-1" is able to run /bin/ls
+        2. User "user-2" is able to run /bin/ls
+        2. User "user-deny" is not able to run /bin/ls
+    :customerscenario: False
+    """
+    if isinstance(provider, Client):
+        client.sssd.common.local()
+        client.sssd.common.sudo()
+        client.sssd.start()
+    u1 = provider.user("user-1").add()
+    g1 = provider.group("group-1").add().add_member(u1)
+    u2 = provider.user("user-2").add()
+    g2 = provider.group("group-2").add().add_member(u2)
+    provider.user("user-deny").add()
+    provider.sudorule("test").add(user=[g1, g2], host="ALL", command="/bin/ls")
+
+    # Until https://github.com/SSSD/sssd/issues/4483 is resolved
+    # Running 'id user-1' will resolve SIDs into group names
+    if isinstance(provider, AD):
+        client.tools.id("user-1")
+        client.tools.id("user-2")
+
+    assert client.auth.sudo.run("user-1", "Secret123", command="/bin/ls /root"), "Sudo command successful!"
+    assert client.auth.sudo.run("user-2", "Secret123", command="/bin/ls /root"), "Sudo command successful!"
+    assert not client.auth.sudo.run("user-deny", "Secret123", command="/bin/ls /root"), "Sudo command passed!"
+
+
+@pytest.mark.importance("critical")
+@pytest.mark.contains_workaround_for(gh=4483)
+@pytest.mark.topology(KnownTopology.BareAD)
+@pytest.mark.topology(KnownTopology.BareIPA)
+@pytest.mark.topology(KnownTopology.BareLDAP)
+@pytest.mark.topology(KnownTopology.BareClient)
+def test_basic__user_and_group(client: Client, provider: GenericProvider):
+    """
+    :title: POSIX groups and users can be mixed in user
+    :setup:
+        1. Create user "user-1" and "user-2"
+        2. Create group "group-1" with "user-1" as a member
+        3. Create sudorule to allow "group-1" and "user-2" run "/bin/ls on all hosts
+        4. Enable SSSD sudo responder and start SSSD
+    :steps:
+        1. Run "sudo /bin/ls" as "user-1"
+        2. Run "sudo /bin/ls" as "user-2"
+    :expectedresults:
+        1. User "user-1" is able to run only /bin/ls
+        2. User "user-2" is able to run only /bin/ls
+    :customerscenario: False
+    """
+    if isinstance(provider, Client):
+        client.sssd.common.local()
+        client.sssd.common.sudo()
+        client.sssd.start()
+    u1 = provider.user("user-1").add()
+    u2 = provider.user("user-2").add()
+    g = provider.group("group-1").add().add_member(u1)
+    provider.sudorule("test").add(user=[g, u2], host="ALL", command="/bin/ls")
+
+    # Until https://github.com/SSSD/sssd/issues/4483 is resolved
+    # Running 'id user-1' will resolve SIDs into group names
+    if isinstance(provider, AD):
+        client.tools.id("user-1")
+
+    assert client.auth.sudo.run("user-1", "Secret123", command="/bin/ls /root"), "Sudo command successful!"
+    assert client.auth.sudo.run("user-2", "Secret123", command="/bin/ls /root"), "Sudo command successful!"
+
+
+@pytest.mark.importance("critical")
+@pytest.mark.contains_workaround_for(gh=4483)
+@pytest.mark.topology(KnownTopology.BareAD)
+@pytest.mark.topology(KnownTopology.BareIPA)
+@pytest.mark.topology(KnownTopology.BareLDAP)
+@pytest.mark.topology(KnownTopology.BareClient)
+def test_basic__multiple_commands(client: Client, provider: GenericProvider):
+    """
+    :title: Multiple commands can be set in sudo rule
+    :setup:
+        1. Create user "user-1"
+        2. Create sudorule to allow "user-1" run "/bin/ls and /bin/df
+        3. Enable SSSD sudo responder and start SSSD
+    :steps:
+        1. Run "sudo /bin/ls" as "user-1"
+        2. Run "sudo /bin/df" as "user-1"
+    :expectedresults:
+        1. User "user-1" is able to run /bin/ls
+        2. User "user-1" is able to run /bin/df
+    :customerscenario: False
+    """
+    if isinstance(provider, Client):
+        client.sssd.common.local()
+        client.sssd.common.sudo()
+        client.sssd.start()
+    u = provider.user("user-1").add()
+
+    provider.sudorule("test").add(user=u, host="ALL", command=["/bin/ls", "/bin/df"])
+
+    # Until https://github.com/SSSD/sssd/issues/4483 is resolved
+    # Running 'id user-1' will resolve SIDs into group names
+    if isinstance(provider, AD):
+        client.tools.id("user-1")
+
+    assert client.auth.sudo.run("user-1", "Secret123", command="/bin/ls /root"), "Sudo command successful!"
+    assert client.auth.sudo.run("user-1", "Secret123", command="/bin/df"), "Sudo command successful!"
+
+
+@pytest.mark.importance("critical")
+@pytest.mark.contains_workaround_for(gh=4483)
+@pytest.mark.topology(KnownTopology.BareAD)
+@pytest.mark.topology(KnownTopology.BareIPA)
+@pytest.mark.topology(KnownTopology.BareLDAP)
+@pytest.mark.topology(KnownTopology.BareClient)
+def test_basic__blacklisted_command(client: Client, provider: GenericProvider):
+    """
+    :title: Excluded command can be set in sudo rule
+    :setup:
+        1. Create user "user-1"
+        2. Create sudorule to allow "user-1" run ALL excluding /bin/df
+        3. Enable SSSD sudo responder and start SSSD
+    :steps:
+        1. Run "sudo /bin/ls" as "user-1"
+        2. Run "sudo /bin/df" as "user-1"
+    :expectedresults:
+        1. User "user-1" is able to run /bin/ls
+        2. User "user-1" is not able to run /bin/df
+    :customerscenario: False
+    """
+    if isinstance(provider, Client):
+        client.sssd.common.local()
+        client.sssd.common.sudo()
+        client.sssd.start()
+    u = provider.user("user-1").add()
+
+    provider.sudorule("test").add(user=u, host="ALL", command=["ALL", "!/bin/df"])
+
+    # Until https://github.com/SSSD/sssd/issues/4483 is resolved
+    # Running 'id user-1' will resolve SIDs into group names
+    if isinstance(provider, AD):
+        client.tools.id("user-1")
+
+    assert client.auth.sudo.run("user-1", "Secret123", command="/bin/ls /root"), "Sudo command successful!"
+    assert not client.auth.sudo.run("user-1", "Secret123", command="/bin/df"), "Sudo command successful!"
diff --git a/pytest/tests/test_sudo.py b/pytest/tests/test_sudo.py
@@ -10,7 +10,6 @@
 import time
 from datetime import datetime, timedelta
 
-from sssd_test_framework.roles.ad import AD
 from sssd_test_framework.roles.client import Client
 from sssd_test_framework.roles.generic import GenericADProvider, GenericProvider
 from sssd_test_framework.roles.ldap import LDAP
@@ -19,48 +18,6 @@
 import pytest
 
 
-@pytest.mark.importance("critical")
-@pytest.mark.topology(KnownTopology.BareAD)
-@pytest.mark.topology(KnownTopology.BareIPA)
-@pytest.mark.topology(KnownTopology.BareLDAP)
-@pytest.mark.parametrize("sssd_service_user", ("root", "sssd"))
-@pytest.mark.require(
-    lambda client, sssd_service_user: ((sssd_service_user == "root") or client.features["non-privileged"]),
-    "SSSD was built without support for running under non-root",
-)
-def test_sudo__user_allowed(client: Client, provider: GenericProvider, sssd_service_user: str):
-    """
-    :title: One user is allowed to run command, other user is not
-    :setup:
-        1. Create users "user-1" and "user-2"
-        2. Create sudorule to allow "user-1" run "/bin/ls on all hosts
-        3. Enable SSSD sudo responder and start SSSD
-    :steps:
-        1. List sudo rules for "user-1"
-        2. Run "sudo /bin/ls root" as user-1
-        3. List sudo rules for "user-2"
-        4. Run "sudo /bin/ls root" as user-2
-    :expectedresults:
-        1. User is able to run /bin/ls as root
-        2. Command is successful
-        3. User is not able to run /bin/ls as root
-        4. Command failed
-    :customerscenario: False
-    """
-    u = provider.user("user-1").add()
-    provider.user("user-2").add()
-    provider.sudorule("test").add(user=u, host="ALL", command="/bin/ls")
-
-    client.sssd.common.sudo()
-    client.sssd.start(service_user=sssd_service_user)
-
-    assert client.auth.sudo.list("user-1", "Secret123", expected=["(root) /bin/ls"]), "Sudo list failed!"
-    assert client.auth.sudo.run("user-1", "Secret123", command="/bin/ls /root"), "Sudo command failed!"
-
-    assert not client.auth.sudo.list("user-2", "Secret123"), "Sudo list successful!"
-    assert not client.auth.sudo.run("user-2", "Secret123", command="/bin/ls /root"), "Sudo command successful!"
-
-
 @pytest.mark.importance("critical")
 @pytest.mark.topology(KnownTopology.BareAD)
 @pytest.mark.topology(KnownTopology.BareLDAP)
@@ -186,44 +143,6 @@ def test_sudo__rules_refresh(client: Client, provider: GenericProvider, sssd_ser
     assert client.auth.sudo.list("user-1", "Secret123", expected=["(root) /bin/less"]), "Sudo command failed!"
 
 
-@pytest.mark.importance("critical")
-@pytest.mark.ticket(bz=1372440, gh=4236)
-@pytest.mark.contains_workaround_for(gh=4483)
-@pytest.mark.topology(KnownTopology.BareAD)
-@pytest.mark.topology(KnownTopology.BareIPA)
-@pytest.mark.topology(KnownTopology.BareLDAP)
-def test_sudo__user_is_group(client: Client, provider: GenericProvider):
-    """
-    :title: POSIX groups can be set in sudoUser attribute
-    :setup:
-        1. Create user "user-1"
-        2. Create group "group-1" with "user-1" as a member
-        3. Create sudorule to allow "group-1" run "/bin/ls on all hosts
-        4. Enable SSSD sudo responder
-        5. Start SSSD
-    :steps:
-        1. List sudo rules for "user-1"
-        2. Run "sudo /bin/ls" as "user-1"
-    :expectedresults:
-        1. User is able to run only /bin/ls
-        2. Command is successful
-    :customerscenario: False
-    """
-    u = provider.user("user-1").add()
-    g = provider.group("group-1").add().add_member(u)
-    provider.sudorule("test").add(user=g, host="ALL", command="/bin/ls")
-
-    client.sssd.common.sudo()
-    client.sssd.start()
-
-    # Until https://github.com/SSSD/sssd/issues/4483 is resolved
-    # Running 'id user-1' will resolve SIDs into group names
-    if isinstance(provider, AD):
-        client.tools.id("user-1")
-
-    assert client.auth.sudo.list("user-1", "Secret123", expected=["(root) /bin/ls"]), "Sudo list failed!"
-
-
 @pytest.mark.importance("critical")
 @pytest.mark.ticket(bz=1826272, gh=5119)
 @pytest.mark.topology(KnownTopology.BareAD)
