From ee96c129a6034d02245a41c58fa3398c12c9ee75 Mon Sep 17 00:00:00 2001 From: Mohammad Rizwan Date: Thu, 11 Jul 2024 18:14:52 +0530 Subject: [PATCH] ipatests: Verify that SIDgen task continue even if it fails to assign sid related: https://pagure.io/freeipa/issue/9618 Signed-off-by: Mohammad Rizwan Reviewed-By: Rob Crittenden Reviewed-By: Florence Blanc-Renaud --- ipatests/test_integration/test_commands.py | 73 +++++++++++++++++++++- 1 file changed, 71 insertions(+), 2 deletions(-) diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py index f6f1c979a751a300f09358c044fbfb34539d188e..fd34defe5b12f06ed7c16350cb90933ce9bcd72e 100644 --- a/ipatests/test_integration/test_commands.py +++ b/ipatests/test_integration/test_commands.py @@ -1267,7 +1267,7 @@ class TestIPACommand(IntegrationTest): def get_dirsrv_id(self): serverid = realm_to_serverid(self.master.domain.realm) - return("dirsrv@%s.service" % serverid) + return ("dirsrv@%s.service" % serverid) def test_ipa_nis_manage_enable(self): """ @@ -1769,7 +1769,7 @@ class TestIPACommandWithoutReplica(IntegrationTest): api.bootstrap_with_global_options(context='server') api.finalize() api.Backend.ldap2.connect() - + api.Command["group_add"]("testgroup1", external=True) api.Command["group_add"]("testgroup2", external=False) result1 = api.Command["group_show"]("testgroup1", all=True)["result"] # noqa: E501 
@@ -1814,6 +1814,75 @@ class TestIPACommandWithoutReplica(IntegrationTest): '/tmp/reproducer2_code.py']) assert "missing attribute" not in result.stdout_text + def test_sidgen_task_continue_on_error(self): + """Verify that SIDgen task continue even if it fails to assign sid + scenario: + - add a user with no uid (it will be auto-assigned inside + the range) + - add a user with uid 2000 + - add a user with no uid (it will be auto-assigned inside + the range) + - edit the first and 3rd users, remove the objectclass + ipaNTUserAttrs and the attribute ipaNTSecurityIdentifier + - run the sidgen task + - verify that user1 and user3 have a ipaNTSecurityIdentifier + - verify that old error message is not seen in dirsrv error log + - verify that new error message is seen in dirsrv error log + + related: https://pagure.io/freeipa/issue/9618 + """ + test_user1 = 'test_user1' + test_user2 = 'test_user2' + test_user2000 = 'test_user2000' + base_dn = str(self.master.domain.basedn) + old_err_msg = 'Cannot add SID to existing entry' + new_err_msg = r'Finished with [0-9]+ failures, please check the log' + + tasks.kinit_admin(self.master) + tasks.user_add(self.master, test_user1) + self.master.run_command( + ['ipa', 'user-add', test_user2000, + '--first', 'test', '--last', 'user', + '--uid', '2000'] + ) + tasks.user_add(self.master, test_user2) + + for user in (test_user1, test_user2): + entry_ldif = textwrap.dedent(""" + dn: uid={user},cn=users,cn=accounts,{base_dn} + changetype: modify + delete: ipaNTSecurityIdentifier + - + delete: objectclass + objectclass: ipaNTUserAttrs + """).format( + user=user, + base_dn=base_dn) + tasks.ldapmodify_dm(self.master, entry_ldif) + + # run sidgen task + self.master.run_command( + ['ipa', 'config-mod', '--add-sids', '--enable-sid'] + ) + + # ensure that sidgen have added the attr removed above + for user in (test_user1, test_user2): + result = tasks.ldapsearch_dm( + self.master, + 'uid={user},cn=users,cn=accounts,{base_dn}'.format( + user=user, 
base_dn=base_dn), + ['ipaNTSecurityIdentifier'] + ) + assert 'ipaNTSecurityIdentifier' in result.stdout_text + + dashed_domain = self.master.domain.realm.replace(".", '-') + dirsrv_error_log = self.master.get_file_contents( + paths.SLAPD_INSTANCE_ERROR_LOG_TEMPLATE % (dashed_domain), + encoding='utf-8' + ) + assert old_err_msg not in dirsrv_error_log + assert re.search(new_err_msg, dirsrv_error_log) + class TestIPAautomount(IntegrationTest): @classmethod -- 2.45.2
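Review bot: The two log assertions at the end of `test_sidgen_task_continue_on_error` read the whole dirsrv error log, so they are not tied to the sidgen run this test starts: a `Finished with ... failures` line left by an earlier run would satisfy `re.search(new_err_msg, dirsrv_error_log)`, and a `Cannot add SID to existing entry` line written before the test would fail it for the wrong reason. Read the log once before the `config-mod --add-sids` call and assert only on what was appended, e.g. `log_before = self.master.get_file_contents(log_path, encoding='utf-8')` and later `new_log = dirsrv_error_log[len(log_before):]`, where `log_path` is a constructed name for the path expression already in the test. The hunk does not show whether `ipa config-mod --add-sids` waits for the task to finish; if it does not, the ldapsearch loop and the log read race with the task and need an explicit wait. The test never inspects `test_user2000`, so it does not show that the counted failure is that entry (presumably the one outside the ID range), and none of the three users is removed afterwards. The docstring's "3rd user" and "user3" correspond to `test_user2` in the code, which is worth aligning.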