Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Refactor IPA users and groups, make the data structure make sense #16536

Merged
merged 2 commits into from
Nov 5, 2024
+44 −36
Merged

Refactor IPA users and groups, make the data structure make sense #16536

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
fb2f379
Refactor IPA users and groups, make the data structure make sense
lhellebr Sep 30, 2024
97f6951
Use admin for the test, admin is in both groups
lhellebr Oct 30, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 5 additions & 5 deletions conf/ipa.yaml.template
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,10 +9,10 @@ IPA:
OTP_USER: otp_user
TIME_BASED_SECRET: # update the time based token secret
DISABLED_IPA_USER: disabled_user
GROUP_USERS:
- satadmin_01
- satuser_01
USERS:
USER: satuser_01
ADMIN: satadmin_01
GROUPS:
- satadmins
- satusers
USERS: satusers
ADMINS: satadmin
KEYTAB_URL:
2 changes: 1 addition & 1 deletion pytest_fixtures/component/satellite_auth.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -85,7 +85,7 @@ def ipa_data():
'ldap_hostname': settings.ipa.hostname,
'time_based_secret': settings.ipa.time_based_secret,
'disabled_user_ipa': settings.ipa.disabled_ipa_user,
'group_users': settings.ipa.group_users,
'users': settings.ipa.users,
'groups': settings.ipa.groups,
}

Expand Down
6 changes: 5 additions & 1 deletion robottelo/config/validators.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -170,8 +170,12 @@
'ipa.user',
'ipa.otp_user',
'ipa.disabled_ipa_user',
'ipa.group_users',
'ipa.users',
'ipa.users.user',
'ipa.users.admin',
'ipa.groups',
'ipa.groups.users',
'ipa.groups.admins',
'ipa.keytab_url',
'ipa.time_based_secret',
must_exist=True,
Expand Down
2 changes: 1 addition & 1 deletion robottelo/hosts.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2540,7 +2540,7 @@ def __init__(self, sat_obj, **kwargs):
'base_dn': settings.ipa.basedn,
'disabled_user_ipa': settings.ipa.disabled_ipa_user,
'group_base_dn': settings.ipa.grpbasedn,
'group_users': settings.ipa.group_users,
'users': settings.ipa.users,
'groups': settings.ipa.groups,
'ipa_otp_username': settings.ipa.otp_user,
'ldap_user_cn': settings.ipa.username,
Expand Down
60 changes: 32 additions & 28 deletions tests/foreman/ui/test_ldap_authentication.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -103,16 +103,6 @@ def rhsso_groups_teardown(default_sso_host):
default_sso_host.delete_rhsso_group(group_name)


@pytest.fixture
def multigroup_setting_cleanup(default_ipa_host):
"""Adding and removing the user to/from ipa group"""
sat_users = settings.ipa.groups
idm_users = settings.ipa.group_users
default_ipa_host.add_user_to_usergroup(idm_users[1], sat_users[0])
yield
default_ipa_host.remove_user_from_usergroup(idm_users[1], sat_users[0])
Comment on lines -111 to -113
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Isn't it required now to add satuser_01 in the satadmin group? If not, would you mind describing why?

Copy link
Contributor Author

@lhellebr lhellebr Oct 30, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

User satadmin is in satusers group, that is stable and doesn't need to be done everytime. I don't see why satuser should be in satadmins.
Although you made me realise that one of the users in tests should actually be satadmin for the test to cover what it should cover, so thanks for this question!
Also, I will rerun PRT.



@pytest.fixture
def ipa_add_user(default_ipa_host):
"""Create an IPA user and delete it"""
Expand Down Expand Up @@ -1163,7 +1153,13 @@ def test_login_failure_if_internal_user_exist(

@pytest.mark.tier2
def test_userlist_with_external_admin(
session, auth_source_ipa, ldap_tear_down, groups_teardown, target_sat
session,
auth_source_ipa,
ldap_tear_down,
groups_teardown,
target_sat,
module_org,
module_location,
):
"""All the external users should be displayed to all LDAP admins (internal and external).

Expand All @@ -1190,8 +1186,10 @@ def test_userlist_with_external_admin(
into Satellite as a local or remote admin.
"""
# step 1, 2, 3 are already done from IDM and gather the data from settings
sat_admins, sat_users = settings.ipa.groups
idm_admin, idm_user = settings.ipa.group_users
idm_groups_users = settings.ipa.groups.users
idm_groups_admins = settings.ipa.groups.admins
idm_users_user = settings.ipa.users.user
idm_users_admin = settings.ipa.users.admin

auth_source_name = f'LDAP-{auth_source_ipa.name}'
user_permissions = {'Katello::ActivationKey': PERMISSIONS['Katello::ActivationKey']}
Expand All @@ -1202,32 +1200,40 @@ def test_userlist_with_external_admin(
{
'usergroup.name': 'sat_users',
'roles.resources.assigned': [katello_role.name],
'external_groups.name': sat_users,
'external_groups.name': idm_groups_users,
'external_groups.auth_source': auth_source_name,
}
)
session.usergroup.create(
{
'usergroup.name': 'sat_admins',
'roles.admin': True,
'external_groups.name': sat_admins,
'external_groups.name': idm_groups_admins,
'external_groups.auth_source': auth_source_name,
}
)
with target_sat.ui_session(user=idm_user, password=settings.server.ssh_password) as ldapsession:
assert idm_user in ldapsession.task.read_all()['current_user']
# create AK to read a current user in the next session
ak_name = gen_string('alpha')
session.activationkey.create({'name': ak_name})
with target_sat.ui_session(user=idm_users_user, password=settings.ipa.password) as ldapsession:
current_user = ldapsession.activationkey.read(ak_name, 'current_user')['current_user']
assert idm_users_user in current_user

# verify the users count with local admin and remote/external admin
with (
target_sat.ui_session(
user=idm_admin, password=settings.server.ssh_password
user=idm_users_admin, password=settings.ipa.password
) as remote_admin_session,
target_sat.ui_session(
user=settings.server.admin_username, password=settings.server.admin_password
) as local_admin_session,
):
assert local_admin_session.user.search(idm_user)[0]['Username'] == idm_user
assert remote_admin_session.user.search(idm_user)[0]['Username'] == idm_user
local_admin_session.organization.select(module_org.name)
local_admin_session.location.select(module_location.name)
remote_admin_session.organization.select(module_org.name)
remote_admin_session.location.select(module_location.name)
assert local_admin_session.user.search(idm_users_user)[0]['Username'] == idm_users_user
assert remote_admin_session.user.search(idm_users_user)[0]['Username'] == idm_users_user


@pytest.mark.tier2
Expand Down Expand Up @@ -1284,7 +1290,6 @@ def test_positive_group_sync_open_ldap_authsource(
def test_verify_group_permissions(
session,
auth_source_ipa,
multigroup_setting_cleanup,
groups_teardown,
ldap_tear_down,
target_sat,
Expand All @@ -1303,8 +1308,9 @@ def test_verify_group_permissions(

:expectedresults: Group with higher permission is applied on the user
"""
sat_users = settings.ipa.groups
idm_users = settings.ipa.group_users
idm_groups_users = settings.ipa.groups.users
idm_groups_admins = settings.ipa.groups.admins
idm_users_user = settings.ipa.users.user
auth_source_name = f'LDAP-{auth_source_ipa.name}'
user_permissions = {None: ['access_dashboard']}
katello_role = target_sat.api.Role().create()
Expand All @@ -1314,22 +1320,20 @@ def test_verify_group_permissions(
{
'usergroup.name': 'sat_users',
'roles.resources.assigned': [katello_role.name],
'external_groups.name': sat_users[0],
'external_groups.name': idm_groups_admins,
'external_groups.auth_source': auth_source_name,
}
)
session.usergroup.create(
{
'usergroup.name': 'sat_admins',
'roles.admin': True,
'external_groups.name': sat_users[1],
'external_groups.name': idm_groups_users,
'external_groups.auth_source': auth_source_name,
}
)
location_name = gen_string('alpha')
with target_sat.ui_session(
user=idm_users[1], password=settings.server.ssh_password
) as ldapsession:
with target_sat.ui_session(user=idm_users_user, password=settings.ipa.password) as ldapsession:
ldapsession.location.create({'name': location_name})
location = target_sat.api.Location().search(query={'search': f'name="{location_name}"'})[0]
assert location.name == location_name
Expand Down
Loading