-
Notifications
You must be signed in to change notification settings - Fork 252
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Dan Lavu
committed
Nov 20, 2024
1 parent
fb91349
commit 2fb6789
Showing
32 changed files
with
2,543 additions
and
5 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,93 @@ | ||
| Notes | ||
| ===== | ||
|
|
||
| process | ||
| ======= | ||
| Look at all the existing test cases, and determine the following | ||
| 1. Is this test case already covered | ||
| 2. If not, do we need to cover this? | ||
| 3. If yes, is it in the right category? | ||
| 4. Can we combine, parametrized the test? | ||
| 5. If yes, add it to the skeleton for QE review with one docstring, :title: | ||
| 6. Define what kind of test it is, integration, sanity or system (no marker) | ||
| 7. After QE review, proceed with the test plan and all steps, setup, steps and expected results for DEV review. | ||
|
|
||
|
|
||
|
|
||
| test_access_control.py | ||
| ====================== | ||
| * parametrize the search attributes, allowing ad and ldap filters be one test | ||
| * parametrize fully qualified names, maybe extend the function to check both? | ||
|
|
||
|
|
||
| test_authentication.py | ||
| ====================== | ||
| * feature, add generic provider password/security policy configuration | ||
| ** remove test overlap from test_ldap.py | ||
|
|
||
|
|
||
| test_cache.py | ||
| ============= | ||
| * ldap provider test, the discussion of the single run generic provider | ||
|
|
||
|
|
||
| test_ad.py | ||
| ========== | ||
| ** create sssd common configuration for LDAP/KRB5 | ||
|
|
||
|
|
||
| test_ad_servers.py | ||
| ====================== | ||
| * multidomain topology (parent, child, tree) | ||
| * primary, secondary ad topology (ad sites) | ||
| * multidomain topology with two child domains (parent, child, child) | ||
| * multidomain topology with a grandchild domain (parent, child, grandchild) | ||
| * multiforest topology with two separate forests and no trust, client configuration contains two keytabs | ||
| * add topology_controller to join the child and tree domain | ||
| ** all of these topologies are high resource with few tests cases, this is low priority | ||
|
|
||
| test_memcache.py | ||
| ================ | ||
| * single provider, no value testing against multiple providers | ||
| * this can be parametrized, I think it'll be easier to parametrized the stop, because the assertions for users and groups are so different. | ||
|
|
||
|
|
||
| test_identity.py | ||
| ================ | ||
| * There are a lot of test cases, that I think we should split the tests into test_identity_client.py which will contain lookup tests that checks something on the client. Where test_identity.py will be tests that modify the directory or object. | ||
|
|
||
|
|
||
| test_identity_client.py | ||
| ======================= | ||
| * extending test_identity.py, where test_identity.py setup contains changes in the provider. | ||
| This file contains setup with the client. | ||
|
|
||
|
|
||
| test_python_sss.py | ||
| ================== | ||
| * test_pynsss_nss_idmap.py doesn't seem like it really belongs here. | ||
|
|
||
|
|
||
| test_ldap.py | ||
| ============ | ||
| * generic provider covers rfc2307 tests and are rfc2307bis tests are cloned here | ||
| * parametrized SSL and StartTLS | ||
| * parameterize getent.passwd[name, uid]: | ||
|
|
||
|
|
||
| test_files.py | ||
| ============= | ||
| * I think we should drop most of these tests except the ones that checks the data that is extracted from /etc/passwd, homedir, gecos | ||
| * Dropping the modifying value entry tests, cache tests, override tests | ||
|
|
||
|
|
||
| test_proxy.py - merge with test_files.py? | ||
| ============= | ||
| * All of these tests can apply to the files provider, while files provider is being removed, is it worth it to parameterized these providers, if builtwith("files-provider") will re-run the test using that provider? | ||
| ** the coverage should be identical | ||
|
|
||
|
|
||
| test_autofs | ||
| ============ | ||
| * feature, add the ability to create samba shares as well | ||
| * do we want to test file access and assert ownership in these tests? |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,146 @@ | ||
| """ | ||
| SSSD Access Control Tests | ||
| Tests pertaining to user, group and host access control providers and or filters. Some of the providers will be | ||
| in their own python file. | ||
| * Simple access-control provider | ||
| * LDAP and AD access filter | ||
| * Kerberos access provider (k5login): test_kerberos.py | ||
| * Group Policy Objects (GPO) access control: test_gpo.py | ||
| :requirement: access control | ||
| """ | ||
|
|
||
| from __future__ import annotations | ||
|
|
||
| import pytest | ||
|
|
||
| """ | ||
| ?:needs review | ||
| p:pushed | ||
| +:approved | ||
| -:drop | ||
| b:blocked | ||
| -> move | ||
| intg | ||
| ==== | ||
| multihost | ||
| ========= | ||
| # test_ns_account_lock.py | ||
| ?:test_user_inactivated_locked | ||
| ?:test_inactive_managed_roles | ||
| ?:test_inactivated_filtered_roles | ||
| ?:test_nested_role_inactivated | ||
| # test_access_control.py | ||
| test_001_simple_allow_user_to_user1 -> test_access_control.py | ||
| ?:test_002_too_much_logging_from_sssd_be -> test_access_controlpy | ||
| ?:test_003_simple_allow_user_to_dollar_symbol | ||
| ?:test_simple_allow_user_to_invalid_user | ||
| ?:test_simple_deny_user_to_user1 | ||
| ?:test_simple_deny_user_to_invalid_user | ||
| ?:test_simple_allow_groups_top_nested | ||
| ?:test_simple_deny_groups_top_nested | ||
| ?:test_simple_allow_groups_invalid_group | ||
| ?:test_simple_deny_groups_invalid_grp | ||
| ?:test_permit_all_users | ||
| ?:test_deny_all_users | ||
| ?:test_dont_fail_auth_with_allow_rules | ||
| notes | ||
| ===== | ||
| * parametrize the search attributes, allowing ad and ldap filters be one test | ||
| * parametrize fully qualified names | ||
| """ | ||
|
|
||
|
|
||
| def test_access_control__disabled_user_cannot_login(): | ||
| """ | ||
| :title: Disabled user account is denied access | ||
| TODO: sssd_framework, add enable/disable user account functionality to all role user classes | ||
| """ | ||
| pass | ||
|
|
||
|
|
||
| @pytest.mark.parametrize("name", ["name", "fully_qualified_name"]) | ||
| def test_access_control__simple_filter_users(name: str): | ||
| """ | ||
| :title: User access is managed by the simple access filter parameter | ||
| """ | ||
| pass | ||
|
|
||
|
|
||
| @pytest.mark.parametrize("name", ["name", "fully_qualified_name"]) | ||
| def test_access_control__simple_filter_groups(name: str): | ||
| """ | ||
| :title: User is a member of a group that is managed by the simple access filter | ||
| """ | ||
| pass | ||
|
|
||
|
|
||
| @pytest.mark.parametrize("name", ["name", "fully_qualified_name"]) | ||
| def test_access_control__simple_filter_nested_groups(name: str): | ||
| """ | ||
| :title: User is a member of a nested group that is managed by the simple access filter | ||
| """ | ||
| pass | ||
|
|
||
|
|
||
| @pytest.mark.sanity | ||
| @pytest.mark.parametrize("users", [("user1 user2", False), ("user1, user2", True)]) | ||
| def test_access_control__simple_filter_valid_strings_in_users_field_work(users: str): | ||
| """ | ||
| :title: Check possible valid or invalid permutations when users are in the value | ||
| """ | ||
| pass | ||
|
|
||
|
|
||
| @pytest.mark.sanity | ||
| @pytest.mark.parametrize("groups", [("group1 group2", False), ("group1, group2", True)]) | ||
| def test_access_control__simple_filter_valid_strings_in_group_field_work(groups: str): | ||
| """ | ||
| :title: Check possible valid or invalid permutations when groups are in the value | ||
| """ | ||
| pass | ||
|
|
||
|
|
||
| def test_access_control__simple_filter_implicitly_deny_users_and_groups(): | ||
| """ | ||
| :title: Users and groups with no access are implicitly denied | ||
| """ | ||
| pass | ||
|
|
||
|
|
||
| @pytest.mark.parametrize("attr", [("samAccountName", "ad"), ("cn", "ldap"), ("dn", "")]) | ||
| def test_access_control__ldap_filter_searches_a_single_user_attribute(attr: tuple): | ||
| """ | ||
| :title: Access control filter uses one attribute | ||
| """ | ||
| pass | ||
|
|
||
|
|
||
| @pytest.mark.parametrize("attr", [("samAccountName", "ad"), ("cn", "ldap"), ("dn", "")]) | ||
| def test_access_control__ldap_filter_searches_group_members(attr: tuple): | ||
| """ | ||
| :title: Access control filter searches by group membership | ||
| """ | ||
| pass | ||
|
|
||
|
|
||
| @pytest.mark.parametrize("attr", [("samAccountName", "ad"), ("cn", "ldap"), ("dn", "")]) | ||
| def test_access_control__ldap_filter_query_contains_conditions_and_or(attr: tuple): | ||
| """ | ||
| :title: Access control filters contains conditionals | ||
| """ | ||
| pass | ||
|
|
||
|
|
||
| @pytest.mark.parametrize("attr", [("samAccountName", "ad"), ("cn", "ldap"), ("dn", "")]) | ||
| def test_access_control__ldap_filter_query_contains_arithmetic_operators(attr: tuple): | ||
| """ | ||
| :title: Access control filters contain arithmetic operators | ||
| """ | ||
| pass |
Oops, something went wrong.