diff --git a/pytest/tests/test_sudo.py b/pytest/tests/test_sudo.py
index 1e75ce6..5d21634 100644
--- a/pytest/tests/test_sudo.py
+++ b/pytest/tests/test_sudo.py
@@ -6,6 +6,7 @@
 from __future__ import annotations
+import random
 import re
 import time
 from datetime import datetime, timedelta
@@ -467,3 +468,69 @@ def test_sudo__defaults_set_no_auth_and_sudo_rule_has_mandatory_auth(client: Cli
     assert client.auth.sudo.list("user-1", expected=["(root) PASSWD: ALL"]), "Sudo list failed!"
     assert not client.auth.sudo.run("user-1", command="/bin/ls /root"), "Sudo command successful!"
     assert client.auth.sudo.run("user-1", "Secret123", command="/bin/ls /root"), "Sudo command failed!"
+
+
+@pytest.mark.importance("critical")
+@pytest.mark.topology(KnownTopology.BareLDAP)
+@pytest.mark.parametrize(
+    "is_ipv6,host_value,test_ip,should_match",
+    [
+        # IPv4 with CIDR mask - positive
+        (False, "192.168.10.0/26", "192.168.10.5", True),
+        # IPv4 with CIDR mask - negative
+        (False, "192.168.10.0/26", "192.168.20.5", False),
+        # IPv6 - positive
+        (True, "fd6d:8d64:af0c::8", "fd6d:8d64:af0c::8", True),
+        # IPv6 - negative
+        (True, "fd6d:8d64:af0c::8", "fd6d:8d64:af0c::9", False),
+        # IPv6 with CIDR mask - positive
+        (True, "fd6d:8d64:af0c::/72", "fd6d:8d64:af0c::8", True),
+        # IPv6 with CIDR mask - negative
+        (True, "fd6d:8d64:af0c::/72", "fd6d:8d64:af0d::8", False),
+    ],
+)
+def test_sudo__host_ipv4_ipv6_with_mask(
+    client: Client, provider: LDAP, is_ipv6: bool, host_value: str, test_ip: str, should_match: bool
+):
+    """
+    :title: Sudo rule with IPv4/IPv6 addresses and CIDR masks in sudoHost
+    :description: Verifies sudo rules work correctly with IPv4/IPv6 addresses and CIDR notation in sudoHost
+    :setup:
+        1. Create dummy network interface with test IP address
+        2. Create user and sudorule with IP-based sudoHost
+        3. Enable SSSD sudo responder and start SSSD
+    :steps:
+        1. List sudo rules for "user-1"
+        2. Run "sudo /bin/ls /root" as user-1
+    :expectedresults:
+        1. When client IP matches sudoHost: user can list and execute sudo commands
+        2. When client IP doesn't match sudoHost: user cannot list or execute sudo commands
+    :customerscenario: True
+    """
+    # Create dummy interface with test IP
+    dummy_name = f"dummy{random.randint(1000, 9999)}"
+    client.host.conn.run(f"ip link add {dummy_name} type dummy")
+    client.host.conn.run(f"ip link set {dummy_name} up")
+
+    if is_ipv6:
+        client.host.conn.run(f"ip -6 addr add {test_ip}/128 dev {dummy_name}")
+    else:
+        client.host.conn.run(f"ip addr add {test_ip}/32 dev {dummy_name}")
+
+    try:
+        provider.user("user-1").add()
+        provider.sudorule("allow-from-ip").add(user="user-1", host=host_value, command="ALL")
+
+        client.sssd.common.sudo()
+        client.sssd.start()
+
+        if should_match:
+            assert client.auth.sudo.list("user-1", "Secret123"), f"Sudo list failed for sudoHost={host_value}!"
+            assert client.auth.sudo.run("user-1", "Secret123", command="/bin/ls /root"), "Sudo command failed!"
+        else:
+            assert not client.auth.sudo.list("user-1", "Secret123"), "Sudo list succeeded when it should fail!"
+            assert not client.auth.sudo.run("user-1", "Secret123", command="/bin/ls /root"), "Sudo command succeeded!"
+
+    finally:
+        # Clean up dummy interface
+        client.host.conn.run(f"ip link delete {dummy_name}", raise_on_error=False)
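Review bot: The dummy interface is created, brought up and given its address before the `try:` begins, so if `ip link set {dummy_name} up` or either `ip ... addr add` call raises, the `finally` that runs `ip link delete {dummy_name}` is never reached and the interface is left on the test host. Open the `try:` right after `client.host.conn.run(f"ip link add {dummy_name} type dummy")` and move the `ip link set ... up` line and the `if is_ipv6:` address assignment inside it, so every failure after link creation still hits the cleanup. The name `f"dummy{random.randint(1000, 9999)}"` can also collide with an interface left by an earlier failed run, which would make `ip link add` fail before the `try:`; a name derived from a per-test unique value would be more robust, if the framework offers one. The negative parametrizations are the valuable part of this test from a hardening standpoint — they check that a sudoHost network mask does not over-match and grant the rule on a client outside the intended range — so it may be worth a short comment on the `else:` branch stating that intent.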