Tests: LDAP+KRB5 krb_misc tests #8655
Conversation
Code Review
This pull request adds three new system tests to the SSSD test suite, covering authentication scenarios with unresolvable kpasswd, handling of setuid(-1) helper processes, and password changes via SSH. The review feedback highlights the need to explicitly set the SSSD debug level to ensure logs are captured correctly for assertions, suggests reordering log checks to ensure they run even if authentication fails, and recommends adding a sleep delay to avoid race conditions when reading log files.
spoore1 left a comment:
While I think some of the gemini review comments are worth at least taking note of, this backport to sssd-2-13 looks good to me.
The pull request was accepted by @alexey-tikhonov with the following PR CI status: 🟢 rpm-build:centos-stream-10-x86_64:upstream (success) There are unsuccessful or unfinished checks. Make sure that the failures are not related to this pull request before merging.
| @pytest.mark.importance("high") | ||
| @pytest.mark.authentication |
Don't use the marker; we should get rid of them.
| @pytest.mark.authentication | ||
| @pytest.mark.ticket(bz=847039) | ||
| @pytest.mark.topology(KnownTopology.LDAP_KRB5) | ||
| def test_ldap_krb5__auth_succeeds_when_kpasswd_unresolvable(client: Client, provider: GenericProvider, kdc: KDC): |
Let us use similar language to the other authentication test cases.
test_ldap_krb5__user_can_login_when_kpasswd_cannot_be_resolved()
| BZ 847039: login works when krb5_kpasswd is unresolvable (kpasswd not needed for auth) | ||
| :setup: |
We can assume that all the ldap_krb5 bits. Let's generalize the language.
- Add user
- Configure SSSD with an invalid value for 'krb5_passwd' and start SSSD
Is the change in the parameter value important? I'm not sure because it hasn't cached the user yet. I would find out if steps 3 and 4 are important.
| 3. Set krb5_kpasswd to an unresolvable hostname | ||
| 4. Restart SSSD and clear cache | ||
| :steps: | ||
| 1. Run id for puser1 so NSS resolution goes through SSSD before SSH login |
Are you sure this is correct? And not to populate the cache? I'd double-check, but also simplify the language.
updated, please check.
| 2. Authenticate puser1 with SSH password | ||
| :expectedresults: | ||
| 1. id succeeds for puser1 | ||
| 2. SSH password authentication succeeds despite unresolvable kpasswd |
| """ | ||
| :title: Auth succeeds when krb5_kpasswd is unresolvable | ||
| BZ 847039: login works when krb5_kpasswd is unresolvable (kpasswd not needed for auth) |
We don't need the bz in the title, it's a marker already!
| 2. SSH password authentication succeeds despite unresolvable kpasswd | ||
| :customerscenario: True | ||
| """ | ||
| provider.user("puser1").add(uid=50001, gid=50001, password="12345678") |
the uid and gid should automatically generate, and the password should default to 'Secret123'
| kdc.principal("puser1").add(password="12345678") | ||
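Review bot: the literal password "12345678" is repeated on three lines of this hunk (the provider user, the KDC principal and the SSH assertion further down); keep it in one place, either a single variable or the framework default the previous comment mentions, so the LDAP entry and the Kerberos principal cannot drift apart and a later edit of one line does not turn an ordinary wrong-password failure into what looks like the kpasswd bug under test.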
| client.sssd.common.krb5_auth(kdc) | ||
| client.sssd.domain["krb5_realm"] = kdc.realm |
The default krb5_provider code configures krb5_realm and krb5_server, so these parameters can be dropped.
```python
def krb_provider(self, backend: KDC | GenericProvider) -> None:
    """
    Set auth_provider to krb5 and populate krb5 options.

    This method sets ``auth_provider=krb5`` and configures
    ``krb5_realm``, ``krb5_server``, and ``krb5_kpasswd`` based on
    the provided backend (KDC, IPA, or AD).

    :param backend: Backend role object (KDC, IPA, or AD).
    :type backend: KDC | GenericProvider
    """
    host = backend.host
    if not isinstance(host, BaseDomainHost):
        raise TypeError(f"Expected BaseDomainHost, got {type(host)}")

    host.client.setdefault("auth_provider", "krb5")
    host.client.setdefault("krb5_realm", host.realm)
    host.client.setdefault("krb5_server", host.hostname)
    host.client.setdefault("krb5_kpasswd", host.hostname)
```
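The helper quoted above fills options with `setdefault()`, which is why the explicit `krb5_realm` assignment in the test is redundant. The following is an added example, not code from the SSSD pull request or its test framework: it models that helper with a plain dict (a constructed `FakeKdc` stands in for the framework's KDC role, and `configure_domain`, `redundant_assignments` and `render_domain_section` are this example's own names) so the practical caveat can be checked offline: defaults never overwrite an option the test already set, and a plain assignment made after the helper replaces the default, so the unresolvable `krb5_kpasswd` override survives in either order while a same-value assignment of `krb5_realm` changes nothing. Hostname and realm are constructed sample values.

```python
"""Added example (not code from the SSSD PR or its test framework): models the
setdefault()-based krb_provider() helper with a plain dict to show which
explicit assignments in a test are redundant and which are real overrides."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class FakeKdc:
    # Constructed stand-in for the framework's KDC role: only the fields the
    # helper reads. Hostname and realm are made-up sample values.
    hostname: str = "kdc.test.example"
    realm: str = "TEST.EXAMPLE"
    client: dict = field(default_factory=dict)  # plays the role of host.client


def krb_provider(backend: FakeKdc) -> None:
    """Same logic as the quoted helper: dict.setdefault() only fills options
    that are absent, so anything the test set earlier is left untouched."""
    cfg = backend.client
    cfg.setdefault("auth_provider", "krb5")
    cfg.setdefault("krb5_realm", backend.realm)
    cfg.setdefault("krb5_server", backend.hostname)
    cfg.setdefault("krb5_kpasswd", backend.hostname)


def configure_domain(kpasswd: Optional[str], override_first: bool = False) -> dict:
    """Build the domain options for the unresolvable-kpasswd scenario.

    kpasswd=None reproduces a test that relies on the helper alone; otherwise
    the override is applied either before the helper (setdefault() skips the
    existing key) or after it (assignment replaces the default). Both orders
    produce the same configuration, which is the property worth knowing.
    """
    kdc = FakeKdc()
    if kpasswd is not None and override_first:
        kdc.client["krb5_kpasswd"] = kpasswd
    krb_provider(kdc)
    if kpasswd is not None and not override_first:
        kdc.client["krb5_kpasswd"] = kpasswd
    return dict(kdc.client)


def redundant_assignments(explicit: dict) -> list:
    """Names of options a test assigns to exactly the value the helper would
    have produced anyway (the reviewer's krb5_realm / krb5_server point);
    such lines can be dropped without changing the resulting sssd.conf."""
    defaults = configure_domain(None)
    return sorted(k for k, v in explicit.items() if defaults.get(k) == v)


def render_domain_section(name: str, cfg: dict) -> str:
    """Render the options as the [domain/<name>] block sssd.conf would receive."""
    lines = [f"[domain/{name}]"] + [f"{k} = {v}" for k, v in sorted(cfg.items())]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    cfg = configure_domain("kpasswd.unresolvable.invalid")
    print(render_domain_section("test", cfg))
    print("redundant:", redundant_assignments({"krb5_realm": "TEST.EXAMPLE"}))
```

Running the block prints the rendered domain section with `krb5_kpasswd` pointing at the constructed unresolvable name while `krb5_realm` and `krb5_server` carry the helper's defaults, and reports `krb5_realm` as a redundant assignment.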
| assert client.auth.ssh.password("puser1", "12345678"), "Auth failed when krb5_kpasswd is unresolvable!" | ||
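Review bot: among the lines shown for this test the only domain option assigned is krb5_realm; the unresolvable krb5_kpasswd value and the cache clear that setup steps 3 and 4 describe are not among the visible lines before this assertion. Without that override and a restart after it, the assert exercises an ordinary password login and would pass regardless of BZ 847039, so make sure the test sets `krb5_kpasswd` explicitly, restarts SSSD and clears the cache before `client.auth.ssh.password("puser1", ...)`, and consider asserting on the krb5_child log as the two companion tests do so a silent fallback does not mask a regression.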
Go ahead and apply everything above to the following two test cases.
ad6573f to a2bbc56
Ported following test case: - kpasswd: BZ 847039: login works when krb5_kpasswd is unresolvable (kpasswd not needed for auth). - high UID: BZ 798655: auth and logs stay clean with a setuid(-2) helper process running. - password change: GH 677: SSH passwd with chpass_provider=krb5 logs initial auth in krb5_child.log. Backporting of SSSD#8612 Signed-off-by: Madhuri Upadhye <mupadhye@redhat.com>
a2bbc56 to 478c06d
Ported following test case:
Backporting of #8612