

@sssd-bot sssd-bot commented Jan 6, 2026

This is an automatic backport of PR#8204 [autobackport: sssd-2-9] test: check is an2ln plugin is disabled or not to branch sssd-2-9-4, created by @sssd-bot.

Caution

@sssd-bot The patches did not apply cleanly. It is necessary to resolve conflicts before merging this pull request. Commits that introduced conflict are marked with CONFLICT!.

You can push changes to this pull request

git remote add sssd-bot git@github.com:sssd-bot/sssd.git
git fetch sssd-bot refs/heads/SSSD-sssd-backport-pr8204-to-sssd-2-9-4
git checkout SSSD-sssd-backport-pr8204-to-sssd-2-9-4
git push sssd-bot SSSD-sssd-backport-pr8204-to-sssd-2-9-4 --force

Original commits
91d564b - test: check is an2ln plugin is disabled or not

Backported commits

  • aaa74bc - CONFLICT! test: check is an2ln plugin is disabled or not

Conflicting Files Information (check for deleted and re-added files)

  • CONFLICT! test: check is an2ln plugin is disabled or not
On branch SSSD-sssd-backport-pr8204-to-sssd-2-9-4
You are currently cherry-picking commit 91d564baa.
  (fix conflicts and run "git cherry-pick --continue")
  (use "git cherry-pick --skip" to skip this patch)
  (use "git cherry-pick --abort" to cancel the cherry-pick operation)

Unmerged paths:
  (use "git add <file>..." to mark resolution)
	both modified:   src/tests/system/tests/test_authentication.py

no changes added to commit (use "git add" and/or "git commit -a")

Original Pull Request Body

This is an automatic backport of PR#8145 test: check is an2ln plugin is disabled or not to branch sssd-2-9, created by @sumit-bose.

Caution

@sumit-bose The patches did not apply cleanly. It is necessary to resolve conflicts before merging this pull request. Commits that introduced conflict are marked with CONFLICT!.

You can push changes to this pull request

git remote add sssd-bot git@github.com:sssd-bot/sssd.git
git fetch sssd-bot refs/heads/SSSD-sssd-backport-pr8145-to-sssd-2-9
git checkout SSSD-sssd-backport-pr8145-to-sssd-2-9
git push sssd-bot SSSD-sssd-backport-pr8145-to-sssd-2-9 --force

Original commits
e95d3fe - test: check is an2ln plugin is disabled or not

Backported commits

  • 23f9603 - CONFLICT! test: check is an2ln plugin is disabled or not

Original Pull Request Body

The Kerberos 'an2ln' localauth plugin should be disabled in AD and IPA environments where SSSD's localauth plugin can handle the mapping. In a plain Kerberos environment libkrb5 defaults should be used.

Please note, this test is expected to fail until #8136 is committed.
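The krb5 include snippet the PR body describes, as an added example that is not part of the original pull request or of SSSD's own code: a small parser for the `[plugins] localauth = { ... }` block and a check of the two expected states (AD/IPA: `an2ln` disabled and SSSD's module registered; plain Kerberos: no localauth block at all, so libkrb5 defaults apply). The sample snippet and its module path are constructed, typical values, not taken from the page.

```python
import re

# Constructed sample of the snippet SSSD writes for an AD/IPA domain
# under /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
# (the module path is a typical value, not taken from the page).
SAMPLE_AD_IPA = """[plugins]
 localauth = {
  disable = an2ln
  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
 }
"""

# Same shape the test's regex expects: the path to SSSD's plugin may vary.
SSSD_MODULE_RE = re.compile(r"sssd:/.*/sssd/modules/sssd_krb5_localauth_plugin\.so")


def parse_localauth(text):
    """Return the localauth block of [plugins] as {'disable': [...], 'module': [...]},
    or None when the snippet configures no localauth plugin at all."""
    section, in_block, block = None, False, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section, in_block = line[1:-1], False
            continue
        if section != "plugins":
            continue
        if re.fullmatch(r"localauth\s*=\s*\{", line):
            in_block, block = True, {"disable": [], "module": []}
            continue
        if in_block:
            if line == "}":
                in_block = False
                continue
            key, _, value = line.partition("=")
            if key.strip() in block:
                block[key.strip()].append(value.strip())
    return block


def check_localauth(text, expect_sssd_plugin):
    """Apply the policy from the PR: AD/IPA domains must disable an2ln and register
    SSSD's module; a plain Kerberos domain must have no localauth block at all."""
    block = parse_localauth(text)
    if not expect_sssd_plugin:
        return block is None
    if block is None:
        return False
    return "an2ln" in block["disable"] and any(SSSD_MODULE_RE.fullmatch(m) for m in block["module"])
```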

@alexey-tikhonov alexey-tikhonov added Changes requested no-backport This should go to target branch only. labels Jan 6, 2026

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request introduces merge conflicts in src/tests/system/tests/test_authentication.py, which must be resolved. The conflicts appear in the import statements and at the end of the file where new tests are added. I have provided suggestions to resolve these conflicts. Additionally, I've identified and corrected a bug in a regular expression pattern within the new test code.

Comment on lines 9 to 14
<<<<<<< HEAD
=======
import re
from inspect import cleandoc

>>>>>>> 91d564baa (test: check is an2ln plugin is disabled or not)
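Review bot: the HEAD side of this conflict is empty, so the markers can simply be dropped and both incoming lines kept; neither import is dead, since `cleandoc(custom_pam_stack)` and `re.match(pattern, out)` are both used in the new tests further down the same file.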

critical

This file contains merge conflict markers (<<<<<<<, =======, >>>>>>>). These must be resolved before the pull request can be merged. It appears the intention was to add imports for re and cleandoc.

import re
from inspect import cleandoc

Comment on lines 236 to 396
<<<<<<< HEAD
=======


@pytest.mark.topology(KnownTopologyGroup.AnyProvider)
@pytest.mark.parametrize("method", ["ssh", "su"])
@pytest.mark.parametrize("sssd_service_user", ("root", "sssd"))
@pytest.mark.importance("critical")
@pytest.mark.require(
lambda client, sssd_service_user: ((sssd_service_user == "root") or client.features["non-privileged"]),
"SSSD was built without support for running under non-root",
)
def test_authentication__user_login_with_modified_pam_stack_provider_is_offline(
client: Client, provider: GenericProvider, method: str, sssd_service_user: str
):
"""
:title: Authenticate with modified PAM when the provider is offline
:setup:
1. Create user
2. Configure SSSD with "cache_credentials = true" and "krb5_store_password_if_offline = true" and
"offline_credentials_expiration = 0"
3. Back up /etc/pam.d/system-auth and /etc/pam.d/password-auth files
4. Modify PAM configuration files /etc/pam.d/system-auth, and /etc/pam.d/password-auth so that pam_sss.so
is using the 'use_first_pass' option and allow another PAM module ask for the password
5 Start SSSD
:steps:
1. Login as user
2. Offline, login as user
3. Offline, login as user with bad password
:expectedresults:
1. User can log in
2. User can log in
3. User cannot log in
:customerscenario: True
"""
user = "user1"
correct_password = "Secret123"
wrong_password = "Wrong123"

provider.user(user).add(password=correct_password)

client.sssd.domain["cache_credentials"] = "True"
client.sssd.domain["krb5_store_password_if_offline"] = "True"
client.sssd.pam["offline_credentials_expiration"] = "0"

client.host.conn.exec(["authselect", "apply-changes", "--backup=mybackup"])

custom_pam_stack = """
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth required pam_sss.so forward_pass use_first_pass
account sufficient pam_unix.so
account required pam_sss.so forward_pass
password sufficient pam_unix.so sha512 shadow
password required pam_krb5.so minimum_uid=1000
session required pam_limits.so
session required pam_mkhomedir.so umask=0077
session required pam_env.so
session required pam_unix.so
session optional pam_sss.so forward_pass\n
"""
client.fs.write("/etc/pam.d/system-auth", cleandoc(custom_pam_stack))
client.fs.write("/etc/pam.d/password-auth", cleandoc(custom_pam_stack))

client.sssd.start(service_user=sssd_service_user)

try:

assert client.auth.parametrize(method).password(user, correct_password), "User failed login!"

client.firewall.outbound.reject_host(provider)

# There might be active connections that are not terminated by creating firewall rule.
# We need to terminate it by forcing SSSD offline.
client.sssd.bring_offline()

assert client.auth.parametrize(method).password(user, correct_password), "User failed login!"
assert not client.auth.parametrize(method).password(
user, wrong_password
), "User logged in with an incorrect_password password!"

finally:
client.host.conn.exec(["authselect", "backup-restore", "mybackup"])


@pytest.mark.importance("critical")
@pytest.mark.topology(KnownTopology.IPA)
@pytest.mark.topology(KnownTopology.Samba)
@pytest.mark.topology(KnownTopology.AD)
def test_disable_an2ln(client: Client, provider: GenericProvider):
"""
:title: Check localauth plugin config file (IPA/AD version)
:setup:
1. Create user
:steps:
1. Login as user
2. Run klist
3. Read localauth plugin config file
:expectedresults:
1. User can log in
2. Kerberos TGT is available
3. localauth plugin config file is present and has expected content
:customerscenario: False
"""
provider.user("tuser").add()

pattern = (
r"\[plugins\]\n localauth = {\n disable = an2ln\n"
" module = sssd:/.*/sssd/modules/sssd_krb5_localauth_plugin.so\n }"
)

client.fs.rm("/var/lib/sss/pubconf/krb5.include.d/localauth_plugin")
client.sssd.start()

with client.ssh("tuser", "Secret123") as ssh:
with client.auth.kerberos(ssh) as krb:
result = krb.klist()
assert f"krbtgt/{provider.realm}@{provider.realm}" in result.stdout

try:
out = client.fs.read("/var/lib/sss/pubconf/krb5.include.d/localauth_plugin")
except Exception as e:
assert False, f"Reading plugin config file caused exception: {e}"

assert re.match(pattern, out), "Content of plugin config file does not match"


@pytest.mark.importance("high")
@pytest.mark.topology(KnownTopology.LDAP)
def test_ensure_localauth_plugin_is_not_configured(client: Client, provider: GenericProvider, kdc: KDC):
"""
:title: Check localauth plugin config file (LDAP with Kerberos version)
:setup:
1. Create user in LDAP and KDC
2. Setup SSSD to use Kerberos authentication
:steps:
1. Login as user
2. Run klist
3. Read localauth plugin config file
:expectedresults:
1. User can log in
2. Kerberos TGT is available
3. localauth plugin config file is not present
:customerscenario: False
"""
provider.user("tuser").add()
kdc.principal("tuser").add()

client.sssd.common.krb5_auth(kdc)

client.fs.rm("/var/lib/sss/pubconf/krb5.include.d/localauth_plugin")
client.sssd.start()

with client.ssh("tuser", "Secret123") as ssh:
with client.auth.kerberos(ssh) as krb:
result = krb.klist()
assert f"krbtgt/{kdc.realm}@{kdc.realm}" in result.stdout

with pytest.raises(Exception):
client.fs.read("/var/lib/sss/pubconf/krb5.include.d/localauth_plugin")
>>>>>>> 91d564baa (test: check is an2ln plugin is disabled or not)
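Review bot: `with pytest.raises(Exception)` at the end of `test_ensure_localauth_plugin_is_not_configured` is too broad, since any failure of `client.fs.read` (a transport error, permission denied) would also satisfy it and make the test pass for the wrong reason; narrow it to the exception the fs helper raises for a missing file, or assert on the file's absence directly. In `test_disable_an2ln`, `assert False, f"..."` inside the `except` is clearer as `pytest.fail(f"...")`, and the `pattern` mixes a raw string with a normal one: both halves compile (the `\n` in the normal string is a real newline, which `re` still matches), but making both halves raw avoids the inconsistency.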

critical

This file contains merge conflict markers (<<<<<<<, =======, >>>>>>>) that must be resolved. It appears the HEAD branch had no changes here, while the incoming branch adds several new tests. The suggestion below accepts the incoming changes to resolve the conflict. I've also corrected a bug in the regular expression pattern on line 342, which was using a mix of raw and normal strings, causing it to be invalid.

@pytest.mark.topology(KnownTopologyGroup.AnyProvider)
@pytest.mark.parametrize("method", ["ssh", "su"])
@pytest.mark.parametrize("sssd_service_user", ("root", "sssd"))
@pytest.mark.importance("critical")
@pytest.mark.require(
    lambda client, sssd_service_user: ((sssd_service_user == "root") or client.features["non-privileged"]),
    "SSSD was built without support for running under non-root",
)
def test_authentication__user_login_with_modified_pam_stack_provider_is_offline(
    client: Client, provider: GenericProvider, method: str, sssd_service_user: str
):
    """
    :title: Authenticate with modified PAM when the provider is offline
    :setup:
        1. Create user
        2. Configure SSSD with "cache_credentials = true" and "krb5_store_password_if_offline = true" and
            "offline_credentials_expiration = 0"
        3. Back up /etc/pam.d/system-auth and /etc/pam.d/password-auth files
        4. Modify PAM configuration files /etc/pam.d/system-auth, and /etc/pam.d/password-auth so that pam_sss.so
           is using the 'use_first_pass' option and allow another PAM module ask for the password
        5 Start SSSD
    :steps:
        1. Login as user
        2. Offline, login as user
        3. Offline, login as user with bad password
    :expectedresults:
        1. User can log in
        2. User can log in
        3. User cannot log in
    :customerscenario: True
    """
    user = "user1"
    correct_password = "Secret123"
    wrong_password = "Wrong123"

    provider.user(user).add(password=correct_password)

    client.sssd.domain["cache_credentials"] = "True"
    client.sssd.domain["krb5_store_password_if_offline"] = "True"
    client.sssd.pam["offline_credentials_expiration"] = "0"

    client.host.conn.exec(["authselect", "apply-changes", "--backup=mybackup"])

    custom_pam_stack = """
    auth		required	pam_env.so
    auth		sufficient	pam_unix.so try_first_pass likeauth nullok
    auth		required	pam_sss.so forward_pass use_first_pass
    account		sufficient	pam_unix.so
    account		required	pam_sss.so forward_pass
    password	sufficient	pam_unix.so sha512 shadow
    password	required	pam_krb5.so minimum_uid=1000
    session		required	pam_limits.so
    session		required	pam_mkhomedir.so umask=0077
    session		required	pam_env.so
    session		required	pam_unix.so
    session		optional	pam_sss.so forward_pass\n
    """
    client.fs.write("/etc/pam.d/system-auth", cleandoc(custom_pam_stack))
    client.fs.write("/etc/pam.d/password-auth", cleandoc(custom_pam_stack))

    client.sssd.start(service_user=sssd_service_user)

    try:

        assert client.auth.parametrize(method).password(user, correct_password), "User failed login!"

        client.firewall.outbound.reject_host(provider)

        # There might be active connections that are not terminated by creating firewall rule.
        # We need to terminate it by forcing SSSD offline.
        client.sssd.bring_offline()

        assert client.auth.parametrize(method).password(user, correct_password), "User failed login!"
        assert not client.auth.parametrize(method).password(
            user, wrong_password
        ), "User logged in with an incorrect_password password!"

    finally:
        client.host.conn.exec(["authselect", "backup-restore", "mybackup"])


@pytest.mark.importance("critical")
@pytest.mark.topology(KnownTopology.IPA)
@pytest.mark.topology(KnownTopology.Samba)
@pytest.mark.topology(KnownTopology.AD)
def test_disable_an2ln(client: Client, provider: GenericProvider):
    """
    :title: Check localauth plugin config file (IPA/AD version)
    :setup:
        1. Create user
    :steps:
        1. Login as user
        2. Run klist
        3. Read localauth plugin config file
    :expectedresults:
        1. User can log in
        2. Kerberos TGT is available
        3. localauth plugin config file is present and has expected content
    :customerscenario: False
    """
    provider.user("tuser").add()

    pattern = (
        r"\[plugins\]\n localauth = {\n  disable = an2ln\n"
        r"  module = sssd:/.*/sssd/modules/sssd_krb5_localauth_plugin.so\n }"
    )

    client.fs.rm("/var/lib/sss/pubconf/krb5.include.d/localauth_plugin")
    client.sssd.start()

    with client.ssh("tuser", "Secret123") as ssh:
        with client.auth.kerberos(ssh) as krb:
            result = krb.klist()
            assert f"krbtgt/{provider.realm}@{provider.realm}" in result.stdout

    try:
        out = client.fs.read("/var/lib/sss/pubconf/krb5.include.d/localauth_plugin")
    except Exception as e:
        assert False, f"Reading plugin config file caused exception: {e}"

    assert re.match(pattern, out), "Content of plugin config file does not match"


@pytest.mark.importance("high")
@pytest.mark.topology(KnownTopology.LDAP)
def test_ensure_localauth_plugin_is_not_configured(client: Client, provider: GenericProvider, kdc: KDC):
    """
    :title: Check localauth plugin config file (LDAP with Kerberos version)
    :setup:
        1. Create user in LDAP and KDC
        2. Setup SSSD to use Kerberos authentication
    :steps:
        1. Login as user
        2. Run klist
        3. Read localauth plugin config file
    :expectedresults:
        1. User can log in
        2. Kerberos TGT is available
        3. localauth plugin config file is not present
    :customerscenario: False
    """
    provider.user("tuser").add()
    kdc.principal("tuser").add()

    client.sssd.common.krb5_auth(kdc)

    client.fs.rm("/var/lib/sss/pubconf/krb5.include.d/localauth_plugin")
    client.sssd.start()

    with client.ssh("tuser", "Secret123") as ssh:
        with client.auth.kerberos(ssh) as krb:
            result = krb.klist()
            assert f"krbtgt/{kdc.realm}@{kdc.realm}" in result.stdout

    with pytest.raises(Exception):
        client.fs.read("/var/lib/sss/pubconf/krb5.include.d/localauth_plugin")

@sumit-bose sumit-bose force-pushed the SSSD-sssd-backport-pr8204-to-sssd-2-9-4 branch 2 times, most recently from c476517 to d9894b7 Compare January 6, 2026 11:10
@sumit-bose sumit-bose marked this pull request as ready for review January 6, 2026 11:51
The Kerberos 'an2ln' localauth plugin should be disabled in AD and IPA
environments where SSSD's localauth plugin can handle the mapping. In a
plain Kerberos environment libkrb5 defaults should be used.

Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Alejandro López <allopez@redhat.com>
(cherry picked from commit e95d3fe)
(cherry picked from commit 91d564b)

sssd-bot commented Jan 6, 2026

The pull request was accepted by @alexey-tikhonov with the following PR CI status:


🟢 CodeQL (success)
🟢 ci / prepare (success)
🟢 ci / system (centos-8) (success)
🟢 Static code analysis / codeql (success)
🟢 Static code analysis / pre-commit (success)
🟢 Static code analysis / python-system-tests (success)


There are unsuccessful or unfinished checks. Make sure that the failures are not related to this pull request before merging.

@sssd-bot sssd-bot force-pushed the SSSD-sssd-backport-pr8204-to-sssd-2-9-4 branch from d9894b7 to c657ede Compare January 6, 2026 12:19
@alexey-tikhonov alexey-tikhonov merged commit d5bc03d into SSSD:sssd-2-9-4 Jan 6, 2026
6 checks passed