67 changes: 67 additions & 0 deletions pytest/tests/test_sudo.py
Expand Up @@ -6,6 +6,7 @@

from __future__ import annotations

import random
import re
import time
from datetime import datetime, timedelta
Expand Down Expand Up @@ -467,3 +468,69 @@ def test_sudo__defaults_set_no_auth_and_sudo_rule_has_mandatory_auth(client: Cli
assert client.auth.sudo.list("user-1", expected=["(root) PASSWD: ALL"]), "Sudo list failed!"
assert not client.auth.sudo.run("user-1", command="/bin/ls /root"), "Sudo command successful!"
assert client.auth.sudo.run("user-1", "Secret123", command="/bin/ls /root"), "Sudo command failed!"


@pytest.mark.importance("critical")
@pytest.mark.topology(KnownTopology.BareLDAP)
@pytest.mark.parametrize(
"is_ipv6,host_value,test_ip,should_match",
[
# IPv4 with CIDR mask - positive
(False, "192.168.10.0/26", "192.168.10.5", True),
# IPv4 with CIDR mask - negative
(False, "192.168.10.0/26", "192.168.20.5", False),
# IPv6 - positive
(True, "fd6d:8d64:af0c::8", "fd6d:8d64:af0c::8", True),
# IPv6 - negative
(True, "fd6d:8d64:af0c::8", "fd6d:8d64:af0c::9", False),
# IPv6 with CIDR mask - positive
(True, "fd6d:8d64:af0c::/72", "fd6d:8d64:af0c::8", True),
# IPv6 with CIDR mask - negative
(True, "fd6d:8d64:af0c::/72", "fd6d:8d64:af0d::8", False),
],
)
def test_sudo__host_ipv4_ipv6_with_mask(
client: Client, provider: LDAP, is_ipv6: bool, host_value: str, test_ip: str, should_match: bool
):
"""
:title: Sudo rule with IPv4/IPv6 addresses and CIDR masks in sudoHost
:description: Verifies sudo rules work correctly with IPv4/IPv6 addresses and CIDR notation in sudoHost
:setup:
1. Create dummy network interface with test IP address
2. Create user and sudorule with IP-based sudoHost
3. Enable SSSD sudo responder and start SSSD
:steps:
1. List sudo rules for "user-1"
2. Run "sudo /bin/ls /root" as user-1
:expectedresults:
1. When client IP matches sudoHost: user can list and execute sudo commands
2. When client IP doesn't match sudoHost: user cannot list or execute sudo commands
:customerscenario: True
"""
# Create dummy interface with test IP
dummy_name = f"dummy{random.randint(1000, 9999)}"
client.host.conn.run(f"ip link add {dummy_name} type dummy")
client.host.conn.run(f"ip link set {dummy_name} up")

if is_ipv6:
client.host.conn.run(f"ip -6 addr add {test_ip}/128 dev {dummy_name}")
else:
client.host.conn.run(f"ip addr add {test_ip}/32 dev {dummy_name}")

try:
provider.user("user-1").add()
provider.sudorule("allow-from-ip").add(user="user-1", host=host_value, command="ALL")

client.sssd.common.sudo()
client.sssd.start()

if should_match:
assert client.auth.sudo.list("user-1", "Secret123"), f"Sudo list failed for sudoHost={host_value}!"
assert client.auth.sudo.run("user-1", "Secret123", command="/bin/ls /root"), "Sudo command failed!"
else:
assert not client.auth.sudo.list("user-1", "Secret123"), "Sudo list succeeded when it should fail!"
assert not client.auth.sudo.run("user-1", "Secret123", command="/bin/ls /root"), "Sudo command succeeded!"

finally:
# Clean up dummy interface
client.host.conn.run(f"ip link delete {dummy_name}", raise_on_error=False)
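Review bot: The `try:` in test_sudo__host_ipv4_ipv6_with_mask begins too late: the dummy interface is already created by the `ip link add` call several lines earlier, so if `ip link set ... up` or the `ip addr add` call fails (for instance because the address is still present from a previous parametrize case whose deletion failed silently under `raise_on_error=False`), the `finally` block is never reached and the dummy interface is left behind on the client host. Move the `try:` so it directly follows `client.host.conn.run(f"ip link add {dummy_name} type dummy")` and indent the `ip link set` call and the `if is_ipv6:` / `else:` address-assignment block into it; the rest of the body and the `finally` stay as they are. Relatedly, since `ip link delete` errors are deliberately suppressed, a comment such as `# best-effort: a leftover interface would make the next IP-based case ambiguous` next to the cleanup would tell the reader why that choice is acceptable here. It may also be worth asserting the result of the address-assignment run before starting SSSD, so a host-matching failure is not misreported as a sudo rule failure.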