V4/Sudo Integration

Name: V4/Sudo Integration
Ticket: #3358
Target version: 4.0.0
Author: Tbabej
Status: Pending review
Last updated: 2016-04-25 by Alich

As FreeIPA 4 brings usability improvements to IPA-sudo integration (the IPA-sudo integration is done automatically in ipa-client-install, see V4 Minor Enhancements), it also brings a brand new integration test for this popular feature.

Test Plan

Test case: Common Sudo Integration test steps

Autotest

{{{autotest}}}

Setup

  1. Add testing users. On the server, run:
     $ ipa user-add testuser1 --first Test --last User1 
     $ ipa user-add testuser2 --first Test --last User2 
  2. Add the testing groups. On the server, run:
     $ ipa group-add testgroup1 --desc testgroup1 
     $ ipa group-add testgroup2 --desc testgroup2 
  3. Add members of the testing groups. On the server, run:
     $ ipa group-add-member testgroup1 --users testuser1 
     $ ipa group-add-member testgroup2 --users testuser2 
  4. Add the testing hostgroup. On the server, run:
     $ ipa hostgroup-add testhostgroup --desc "Contains client"
  5. Add the client.ipa.test to the testing hostgroup. On the server, run:
     $ ipa hostgroup-add-member testhostgroup --hosts client.ipa.test

Actions

  1. No actions.

Expected results

  1. All setup steps completed successfully.

Test case: Options testing

Autotest

{{{autotest}}}

Setup

  1. See common Sudo Integration test steps.

Actions

  1. Set the !authenticate option. On the server, run:
    $ ipa sudorule-add-option testrule --sudooption '!authenticate'
  2. See the list of the allowed commands for testuser1. On the client, run:
     # su -c 'sudo -l' testuser1 
  3. See the list of the allowed commands for testuser2. On the client, run:
     # su -c 'sudo -l' testuser2 

Expected results

  1. Rule was successfully modified.
  2. The testuser1 can use sudo without password.
  3. The testuser2 can use sudo without password.

Test case: WHO testing

Autotest

{{{autotest}}}

Setup

  1. See common Sudo Integration test steps.

Actions

  1. Configure the rule to not apply to any user (clear the user category). On the server, run:
    $ ipa sudorule-mod testrule --usercat=
  2. Restrict the testrule to the testuser1. On the server, run:
    $ ipa sudorule-add-user testrule --users testuser1
  3. See the list of the allowed commands for testuser1. On the client, run:
     # su -c 'sudo -l' testuser1 
  4. See the list of the allowed commands for testuser2. On the client, run:
     # su -c 'sudo -l' testuser2 
  5. Remove the restriction of testrule to the testuser1. On the server, run:
    $ ipa sudorule-remove-user testrule --users testuser1
  6. Restrict the testrule to the members of testgroup2. On the server, run:
    $ ipa sudorule-add-user testrule --groups testgroup2
  7. See the list of the allowed commands for testuser1. On the client, run:
     # su -c 'sudo -l' testuser1 
  8. See the list of the allowed commands for testuser2. On the client, run:
     # su -c 'sudo -l' testuser2 

Expected results

  1. Rule was successfully modified.
  2. Rule was successfully modified.
  3. The testuser1 can run any command using sudo.
  4. The testuser2 can run no commands using sudo.
  5. Rule was successfully modified.
  6. The testuser1 can run no commands using sudo.
  7. The testuser2 can run any command using sudo.

Test case: HOST testing

Autotest

{{{autotest}}}

Setup

  1. See common Sudo Integration test steps.

Actions

  1. Configure the rule to not apply to any host (clear the host category). On the server, run:
    $ ipa sudorule-mod testrule --hostcat=
  2. Restrict the testrule to the server.ipa.test host. On the server, run:
    $ ipa sudorule-add-host testrule --hosts server.ipa.test
  3. See the list of the allowed commands for testuser1. On the client, run:
     # su -c 'sudo -l' testuser1 
  4. Remove the restriction of testrule to the server.ipa.test host. On the server, run:
    $ ipa sudorule-remove-host testrule --hosts server.ipa.test
  5. Restrict the testrule to the client.ipa.test host. On the server, run:
    $ ipa sudorule-add-host testrule --hosts client.ipa.test
  6. See the list of the allowed commands for testuser1. On the client, run:
     # su -c 'sudo -l' testuser1 
  7. Remove the restriction of testrule to the client.ipa.test host. On the server, run:
    $ ipa sudorule-remove-host testrule --hosts client.ipa.test
  8. Restrict the testrule to the hosts in hostgroup testhostgroup. On the server, run:
    $ ipa sudorule-add-host testrule --hostgroups testhostgroup
  9. See the list of the allowed commands for testuser1. On the client, run:
     # su -c 'sudo -l' testuser1 
  10. Remove the restriction of testrule to the hostgroup testhostgroup. On the server, run:
    $ ipa sudorule-remove-host testrule --hostgroups testhostgroup

Expected results

  1. Rule was successfully modified.
  2. Rule was successfully modified.
  3. The testuser1 can run no commands using sudo on the client.
  4. Rule was successfully modified.
  5. Rule was successfully modified.
  6. The testuser1 can run any command using sudo on the client.
  7. Rule was successfully modified.
  8. Rule was successfully modified.
  9. The testuser1 can run any command using sudo on the client.
  10. Rule was successfully modified.

Test case: ALLOW testing

Autotest

{{{autotest}}}

Setup

  1. See common Sudo Integration test steps.

Actions

  1. Configure the rule to not allow all commands (clear the command category). On the server, run:
    $ ipa sudorule-mod testrule --cmdcat=
  2. Restrict the testrule to allow only the /usr/bin/yum command. On the server, run:
    $ ipa sudorule-add-allow-command testrule --sudocmds /usr/bin/yum
  3. See the list of the allowed commands for testuser1. On the client, run:
     # su -c 'sudo -l' testuser1 
  4. Restrict the testrule to allow the commands from the readers command group in addition to the /usr/bin/yum command. On the server, run:
    $ ipa sudorule-add-allow-command testrule --sudocmdgroups readers
  5. See the list of the allowed commands for testuser1. On the client, run:
     # su -c 'sudo -l' testuser1 
  6. Reconfigure the testrule not to allow the /usr/bin/yum command anymore. On the server, run:
    $ ipa sudorule-remove-allow-command testrule --sudocmds /usr/bin/yum
  7. Reconfigure the testrule not to allow the commands from the readers command group anymore. On the server, run:
    $ ipa sudorule-remove-allow-command testrule --sudocmdgroups readers

Expected results

  1. Rule was successfully modified.
  2. Rule was successfully modified.
  3. The testuser1 can run only the /usr/bin/yum command using sudo.
  4. Rule was successfully modified.
  5. The testuser1 can run only the /usr/bin/yum command and the commands from the readers command group.
  6. Rule was successfully modified.
  7. Rule was successfully modified.

Test case: AS WHOM testing

Autotest

{{{autotest}}}

Setup

  1. See common Sudo Integration test steps.

Actions

  1. Configure the rule to not allow running commands as any user or any group (clear both RunAs categories). On the server, run:
    $ ipa sudorule-mod testrule --runasusercat= --runasgroupcat=
  2. Restrict the testrule to allow only running commands as testuser2 user. On the server, run:
    $ ipa sudorule-add-runasuser testrule --users testuser2
  3. See the list of the allowed commands for testuser1. On the client, run:
     # su -c 'sudo -ll' testuser1 
  4. Remove the restriction of the testrule to allow only running commands as testuser2 user. On the server, run:
    $ ipa sudorule-remove-runasuser testrule --users testuser2
  5. Restrict the testrule to allow only running commands as users that are members of testgroup2. On the server, run:
    $ ipa sudorule-add-runasuser testrule --groups testgroup2
  6. See the list of the allowed commands for testuser1. On the client, run:
     # su -c 'sudo -ll' testuser1 
  7. Remove the restriction of the testrule to allow only running commands as users that are members of testgroup2. On the server, run:
    $ ipa sudorule-remove-runasuser testrule --groups testgroup2
  8. Restrict the testrule to allow only running commands as testgroup2 group. On the server, run:
    $ ipa sudorule-add-runasgroup testrule --groups testgroup2
  9. See the list of the allowed commands for testuser1. On the client, run:
     # su -c 'sudo -ll' testuser1 
  10. Remove the restriction of the testrule to allow only running commands as testgroup2. On the server, run:
    $ ipa sudorule-remove-runasgroup testrule --groups testgroup2

Expected results

  1. Rule was successfully modified.
  2. Rule was successfully modified.
  3. The testuser1 can run commands as testuser2 only. The testuser1 can run commands as no group.
  4. Rule was successfully modified.
  5. Rule was successfully modified.
  6. The testuser1 can run commands as testuser2 only. The testuser1 can run commands as no group.
  7. Rule was successfully modified.
  8. Rule was successfully modified.
  9. The testuser1 can run commands as testgroup2 only. The testuser1 can run commands as no user.
  10. Rule was successfully modified.
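Every test case above ends with the same judgement: read the `sudo -l` listing on the client and decide whether the user can run any command, no commands, only a specific set of commands, whether a password is required, and which RunAs users or groups are permitted. The following Python is an added example, not part of this test plan or of the FreeIPA ipatests suite, that parses the short `sudo -l` listing into exactly those verdicts so an automated check can assert on them instead of a person reading the output. It assumes the sudo 1.8-style listing shape (a "User X may run the following commands" header followed by "(runas_users : runas_groups) TAG: cmd, cmd" lines, or a "Sorry, user X may not run sudo" line); the sample listings embedded below are constructed to that shape and were not captured from a real client.

```python
"""Classify `sudo -l` output into the verdicts the Sudo Integration test plan expects.

Added example, not FreeIPA code. Assumed listing shape: sudo 1.8-style short
format. Sample listings are constructed, not captured.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# "(runas_users : runas_groups) TAG: TAG: cmd1, cmd2"  (assumed spec-line shape)
_SPEC_RE = re.compile(r"^\s*\(([^)]*)\)\s*(.*)$")
_TAG_RE = re.compile(r"^([A-Z_]+):\s*(.*)$")
_KNOWN_TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV",
               "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT"}
_DENIED_RE = re.compile(r"^(?:Sorry, user|User) (\S+) (?:may not|is not allowed to) run sudo on")
_ALLOWED_RE = re.compile(r"^User (\S+) may run the following commands on")


@dataclass
class SudoEntry:
    runas_users: List[str]   # [] means only the default target user
    runas_groups: List[str]  # [] means "can run commands as no group" (-g unusable)
    tags: List[str]
    commands: List[str]      # "ALL" means any command


@dataclass
class SudoListing:
    user: Optional[str]
    may_run: bool
    entries: List[SudoEntry] = field(default_factory=list)

    def can_run_nothing(self) -> bool:
        return not self.may_run or not self.entries

    def can_run_any(self) -> bool:
        return any("ALL" in e.commands for e in self.entries)

    def allowed_commands(self) -> List[str]:
        return [c for e in self.entries for c in e.commands]

    def passwordless(self) -> bool:
        # "can use sudo without password": every matching entry carries NOPASSWD
        return bool(self.entries) and all("NOPASSWD" in e.tags for e in self.entries)

    def runas_users(self) -> Set[str]:
        return {u for e in self.entries for u in e.runas_users}

    def runas_groups(self) -> Set[str]:
        return {g for e in self.entries for g in e.runas_groups}

    def verdict(self) -> str:
        """Phrase the listing the way the test plan's expected results do."""
        if self.can_run_nothing():
            return "no commands"
        if self.can_run_any():
            return "any command"
        return "only " + ", ".join(self.allowed_commands())


def _split_runas(spec: str):
    """'testuser2 : testgroup2' -> (['testuser2'], ['testgroup2']); ' : g' -> ([], ['g'])."""
    users, _, groups = spec.partition(":")
    split = lambda s: [x.strip() for x in s.split(",") if x.strip()]
    return split(users), split(groups)


def parse_sudo_l(output: str) -> SudoListing:
    user, may_run, entries, in_commands = None, False, [], False
    for line in output.splitlines():
        if m := _DENIED_RE.match(line):
            return SudoListing(m.group(1), False)
        if m := _ALLOWED_RE.match(line):
            user, may_run, in_commands = m.group(1), True, True
            continue
        if not in_commands:
            continue  # still inside the "Matching Defaults entries" section
        m = _SPEC_RE.match(line)
        if not m:
            continue
        runas_users, runas_groups = _split_runas(m.group(1))
        rest, tags = m.group(2), []
        while (t := _TAG_RE.match(rest)) and t.group(1) in _KNOWN_TAGS:
            tags.append(t.group(1))
            rest = t.group(2)
        commands = [c.strip() for c in rest.split(",") if c.strip()]
        entries.append(SudoEntry(runas_users, runas_groups, tags, commands))
    return SudoListing(user, may_run, entries)


# Constructed sample listings (not captured output), one per kind of expected result.
SAMPLE_NOPASSWD_ALL = """\
Matching Defaults entries for testuser1 on client:
    !visiblepw, always_set_home, env_reset

User testuser1 may run the following commands on client:
    (ALL : ALL) NOPASSWD: ALL
"""
SAMPLE_DENIED = "Sorry, user testuser2 may not run sudo on client.\n"
SAMPLE_YUM_ONLY = "User testuser1 may run the following commands on client:\n    (root) /usr/bin/yum\n"
SAMPLE_RUNAS_GROUP = "User testuser1 may run the following commands on client:\n    ( : testgroup2) ALL\n"

if __name__ == "__main__":
    for name, sample in [("options", SAMPLE_NOPASSWD_ALL), ("who", SAMPLE_DENIED),
                         ("allow", SAMPLE_YUM_ONLY), ("as-whom", SAMPLE_RUNAS_GROUP)]:
        listing = parse_sudo_l(sample)
        print(f"{name}: {listing.user} -> {listing.verdict()}, "
              f"passwordless={listing.passwordless()}, runas_groups={listing.runas_groups()}")
```

In a harness the client would run `su -c 'sudo -l' testuser1`, feed stdout to `parse_sudo_l`, and assert `verdict()`, `passwordless()` or `runas_groups()` against the expected result of the step. Commands are split on commas, so a command whose arguments themselves contain a comma would need a smarter split; the listings in this plan do not have one.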