BEGIN EXCERPT from 8182ebc6c3ca636276fc277186cfbff4ea9cf5c6 to have user_add

in ipatests/pytest_ipa/integration/tasks.py to be able to apply the patch set.

commit 8182ebc6c3ca636276fc277186cfbff4ea9cf5c6

Author: Sergey Orlov <sorlov@redhat.com>

Date:   Wed Nov 7 11:23:05 2018 +0100

    ipatests: add test for ipa-restore in multi-master configuration

    Test ensures that after ipa-restore on the master, the replica can be

    re-synchronized and a new replica can be created.

    https://pagure.io/freeipa/issue/7455

    Reviewed-By: Christian Heimes <cheimes@redhat.com>

    Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>

diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py

index 814141b83..90da8fa62 100644

--- a/ipatests/pytest_ipa/integration/tasks.py

+++ b/ipatests/pytest_ipa/integration/tasks.py

@@ -1555,3 +1561,11 @@ def strip_cert_header(pem):

         return s.group(1)

     else:

         return pem

+

+

+def user_add(host, login):

+    host.run_command([

+        "ipa", "user-add", login,

+        "--first", "test",

+        "--last", "user"

+    ])

END EXCERPT

From 5e6cb0ca034c711fe81fcfe7c651c5af3c65aa40 Mon Sep 17 00:00:00 2001

From: Christian Heimes <cheimes@redhat.com>

Date: Dec 07 2018 15:06:13 +0000

Subject: Resolve user/group names in idoverride*-find

ipa idoverrideuser-find and ...group-find have an --anchor argument. The

anchor argument used to support only anchor UUIDs like

':IPA:domain:UUID' or ':SID:S-sid'. The find commands now detect regular

user or group names and translate them to anchors.

Fixes: https://pagure.io/freeipa/issue/6594

Signed-off-by: Christian Heimes <cheimes@redhat.com>

Reviewed-By: Rob Crittenden <rcritten@redhat.com>

---

diff --git a/ipaserver/plugins/idviews.py b/ipaserver/plugins/idviews.py

index 3252982..5213486 100644

--- a/ipaserver/plugins/idviews.py

+++ b/ipaserver/plugins/idviews.py

@@ -766,6 +766,40 @@ class baseidoverride(LDAPObject):

                     error=_('Default Trust View cannot contain IPA users')

                     )

+    def filter_for_anchor(self, ldap, filter, options, obj_type):

+        """Modify filter to support user and group names

+

+        Allow users to pass in an IPA user/group name and resolve it to an

+        anchor name.

+

+        :param ldap: ldap connection

+        :param filter: pre_callback filter

+        :param options: option dict

+        :param obj_type: 'user' or 'group'

+        :return: modified or same filter

+        """

+        anchor = options.get('ipaanchoruuid', None)

+        # return original filter if anchor is absent or correct

+        if anchor is None or ANCHOR_REGEX.match(anchor):

+            return filter

+        try:

+            resolved_anchor = resolve_object_to_anchor(

+                ldap, obj_type, anchor,

+                options.get('fallback_to_ldap', False)

+            )

+        except (errors.NotFound, errors.ValidationError):

+            # anchor cannot be resolved, let it pass through

+            return filter

+        else:

+            return ldap.make_filter(

+                {

+                    'objectClass': self.object_class,

+                    'ipaanchoruuid': resolved_anchor,

+                },

+                rules=ldap.MATCH_ALL

+            )

+

+

 class baseidoverride_add(LDAPCreate):

     __doc__ = _('Add a new ID override.')

     msg_summary = _('Added ID override "%(value)s"')

@@ -1128,6 +1162,15 @@ class idoverrideuser_find(baseidoverride_find):

     msg_summary = ngettext('%(count)d User ID override matched',

                            '%(count)d User ID overrides matched', 0)

+    def pre_callback(self, ldap, filter, attrs_list, base_dn, scope, *args,

+                     **options):

+        result = super(idoverrideuser_find, self).pre_callback(

+            ldap, filter, attrs_list, base_dn, scope, *args, **options

+        )

+        filter, base_dn, scope = result

+        filter = self.obj.filter_for_anchor(ldap, filter, options, 'user')

+        return filter, base_dn, scope

+

     def post_callback(self, ldap, entries, truncated, *args, **options):

         truncated = super(idoverrideuser_find, self).post_callback(

             ldap, entries, truncated, *args, **options)

@@ -1173,6 +1216,15 @@ class idoverridegroup_find(baseidoverride_find):

     msg_summary = ngettext('%(count)d Group ID override matched',

                            '%(count)d Group ID overrides matched', 0)

+    def pre_callback(self, ldap, filter, attrs_list, base_dn, scope, *args,

+                     **options):

+        result = super(idoverridegroup_find, self).pre_callback(

+            ldap, filter, attrs_list, base_dn, scope, *args, **options

+        )

+        filter, base_dn, scope = result

+        filter = self.obj.filter_for_anchor(ldap, filter, options, 'group')

+        return filter, base_dn, scope

+

 @register()

 class idoverridegroup_show(baseidoverride_show):

From 11b06d24a94c5e92a0275df759bc81f0fc81d802 Mon Sep 17 00:00:00 2001

From: Christian Heimes <cheimes@redhat.com>

Date: Dec 07 2018 15:06:13 +0000

Subject: Add integration tests for idviews

Add several tests to verify new anchor override and general idview

override functionality.

Fixes: https://pagure.io/freeipa/issue/6594

Signed-off-by: Christian Heimes <cheimes@redhat.com>

Reviewed-By: Rob Crittenden <rcritten@redhat.com>

---

diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py

index 36178e8..3548f2b 100644

--- a/ipatests/pytest_ipa/integration/tasks.py

+++ b/ipatests/pytest_ipa/integration/tasks.py

@@ -1576,9 +1576,19 @@ def strip_cert_header(pem):

         return pem

-def user_add(host, login):

-    host.run_command([

+def user_add(host, login, first='test', last='user', extra_args=()):

+    cmd = [

         "ipa", "user-add", login,

-        "--first", "test",

-        "--last", "user"

-    ])

+        "--first", first,

+        "--last", last

+    ]

+    cmd.extend(extra_args)

+    return host.run_command(cmd)

+

+

+def group_add(host, groupname, extra_args=()):

+    cmd = [

+        "ipa", "group-add", groupname,

+    ]

+    cmd.extend(extra_args)

+    return host.run_command(cmd)

diff --git a/ipatests/test_integration/test_idviews.py b/ipatests/test_integration/test_idviews.py

index 9a8f379..6ede4d0 100644

--- a/ipatests/test_integration/test_idviews.py

+++ b/ipatests/test_integration/test_idviews.py

@@ -165,6 +165,7 @@ class TestRulesWithServicePrincipals(IntegrationTest):

     topology = 'star'

     num_replicas = 0

+    num_clients = 0

     service_certprofile = 'caIPAserviceCert'

     caacl = 'test_caacl'

     keytab = "replica.keytab"

@@ -238,3 +239,133 @@ EOF

                                          raiseonerr=False)

         assert(result.returncode == 0), (

             'Failed to add a cert to custom certprofile')

+

+

+class TestIDViews(IntegrationTest):

+    topology = 'star'

+    num_replicas = 0

+    num_clients = 1

+

+    user1 = 'testuser1'

+    user1_uid = 10001

+    user1_gid = 10001

+    user1_uid_override = 5001

+    user1_gid_override = 6001

+

+    user2 = 'testuser2'

+    user2_uid = 10002

+    user2_gid = 10002

+

+    group1 = 'testgroup1'

+    group1_gid = 11001

+    group1_gid_override = 7001

+

+    idview = 'testview'

+

+    @classmethod

+    def install(cls, mh):

+        super(TestIDViews, cls).install(mh)

+        master = cls.master

+        client = cls.clients[0]

+        tasks.kinit_admin(master)

+

+        tasks.user_add(

+            master, cls.user1, first='Test1',

+            extra_args=[

+                '--uid', str(cls.user1_uid),

+                '--gidnumber', str(cls.user1_gid),

+            ]

+        )

+        tasks.user_add(

+            master, cls.user2, first='Test2',

+            extra_args=[

+                '--uid', str(cls.user2_uid),

+                '--gidnumber', str(cls.user2_gid),

+            ]

+        )

+        tasks.group_add(

+            master, cls.group1, extra_args=['--gid', str(cls.group1_gid)]

+        )

+

+        master.run_command(['ipa', 'idview-add', cls.idview])

+

+        # add overrides for user1 and its default user group

+        master.run_command([

+            'ipa', 'idoverrideuser-add', cls.idview, cls.user1,

+            '--uid', str(cls.user1_uid_override),

+            '--gid', str(cls.user1_gid_override),

+            '--homedir', '/special-home/{}'.format(cls.user1),

+            '--shell', '/bin/special'

+        ])

+        master.run_command([

+            'ipa', 'idoverridegroup-add', cls.idview, cls.group1,

+            '--gid', str(cls.group1_gid_override),

+        ])

+

+        # ID view overrides don't work on IPA masters

+        master.run_command([

+            'ipa', 'idview-apply', cls.idview,

+            '--hosts', client.hostname

+        ])

+        # finally restart SSSD to materialize idviews

+        client.run_command(['systemctl', 'restart', 'sssd.service'])

+

+    def test_useroverride(self):

+        result = self.clients[0].run_command(['id', self.user1])

+        assert 'uid={}'.format(self.user1_uid_override) in result.stdout_text

+        assert 'gid={}'.format(self.user1_gid_override) in result.stdout_text

+

+        result = self.clients[0].run_command(

+            ['getent', 'passwd', str(self.user1_uid_override)]

+        )

+        expected = '{}:*:{}:{}'.format(

+            self.user1, self.user1_uid_override, self.user1_gid_override

+        )

+        assert expected in result.stdout_text

+

+        result = self.master.run_command(['id', self.user1])

+        assert 'uid={}'.format(self.user1_uid) in result.stdout_text

+        assert 'gid={}'.format(self.user1_gid) in result.stdout_text

+

+    def test_useroverride_original_uid(self):

+        # It's still possible to request the user with its original UID. In

+        # this case the getent command returns the user with override uid.

+        result = self.clients[0].run_command(

+            ['getent', 'passwd', str(self.user1_uid)]

+        )

+        expected = '{}:*:{}:{}'.format(

+            self.user1, self.user1_uid_override, self.user1_gid_override

+        )

+        assert expected in result.stdout_text

+

+    def test_anchor_username(self):

+        result = self.master.run_command([

+            'ipa', 'idoverrideuser-find', self.idview, '--anchor', self.user1

+        ])

+        expected = "Anchor to override: {}".format(self.user1)

+        assert expected in result.stdout_text

+

+    def test_groupoverride(self):

+        result = self.clients[0].run_command(['getent', 'group', self.group1])

+        assert ':{}:'.format(self.group1_gid_override) in result.stdout_text

+

+        result = self.master.run_command(['getent', 'group', self.group1])

+        assert ':{}:'.format(self.group1_gid) in result.stdout_text

+

+    def test_groupoverride_system_objects(self):

+        # group override for user group should fail

+        result = self.master.run_command(

+            ['ipa', 'idoverridegroup-add', self.idview, self.user1,

+             '--gid', str(self.user1_gid_override)],

+            raiseonerr=False

+        )

+        assert result.returncode == 1

+        assert "cannot be overridden" in result.stderr_text

+

+    def test_anchor_groupname(self):

+        result = self.master.run_command([

+            'ipa', 'idoverridegroup-find', self.idview,

+            '--anchor', self.group1

+        ])

+        expected = "Anchor to override: {}".format(self.group1)

+        assert expected in result.stdout_text

ONLY APPLYING TO ipatests/prci_definitions/nightly_rawhide.yaml, other

files are not available or compatible

From e86498ea2f8259118025e622cc5f1cf2c26f2757 Mon Sep 17 00:00:00 2001

From: Christian Heimes <cheimes@redhat.com>

Date: Dec 07 2018 15:06:13 +0000

Subject: Run idviews integration tests in nightly

See: https://pagure.io/freeipa/issue/6594

Signed-off-by: Christian Heimes <cheimes@redhat.com>

Reviewed-By: Rob Crittenden <rcritten@redhat.com>

---

#diff --git a/ipatests/prci_definitions/nightly_f28.yaml b/ipatests/prci_definitions/nightly_f28.yaml

#index 8462c14..ac792f1 100644

#--- a/ipatests/prci_definitions/nightly_f28.yaml

#+++ b/ipatests/prci_definitions/nightly_f28.yaml

#@@ -195,6 +195,18 @@ jobs:

#         timeout: 10800

#         topology: *master_1repl

# 

#+  fedora-28/test_idviews:

#+    requires: [fedora-28/build]

#+    priority: 50

#+    job:

#+      class: RunPytest

#+      args:

#+        build_url: '{fedora-28/build_url}'

#+        test_suite: test_integration/test_idviews.py::TestIDViews

#+        template: *ci-master-f28

#+        timeout: 3600

#+        topology: *master_1repl_1client

#+

#   fedora-28/test_caless_TestServerInstall:

#     requires: [fedora-28/build]

#     priority: 50

#diff --git a/ipatests/prci_definitions/nightly_master.yaml b/ipatests/prci_definitions/nightly_master.yaml

#index 3f2b346..953a60e 100644

#--- a/ipatests/prci_definitions/nightly_master.yaml

#+++ b/ipatests/prci_definitions/nightly_master.yaml

#@@ -195,6 +195,18 @@ jobs:

#         timeout: 10800

#         topology: *master_1repl

# 

#+  fedora-28/test_idviews:

#+    requires: [fedora-29/build]

#+    priority: 50

#+    job:

#+      class: RunPytest

#+      args:

#+        build_url: '{fedora-29/build_url}'

#+        test_suite: test_integration/test_idviews.py::TestIDViews

#+        template: *ci-master-f29

#+        timeout: 3600

#+        topology: *master_1repl_1client

#+

#   fedora-29/test_caless_TestServerInstall:

#     requires: [fedora-29/build]

#     priority: 50

diff --git a/ipatests/prci_definitions/nightly_rawhide.yaml b/ipatests/prci_definitions/nightly_rawhide.yaml

index bdc34d2..e74e5f6 100644

--- a/ipatests/prci_definitions/nightly_rawhide.yaml

+++ b/ipatests/prci_definitions/nightly_rawhide.yaml

@@ -195,6 +195,18 @@ jobs:

         timeout: 10800

         topology: *master_1repl

+  fedora-28/test_idviews:

+    requires: [fedora-rawhide/build]

+    priority: 50

+    job:

+      class: RunPytest

+      args:

+        build_url: '{fedora-rawhide/build_url}'

+        test_suite: test_integration/test_idviews.py::TestIDViews

+        template: *ci-master-frawhide

+        timeout: 3600

+        topology: *master_1repl_1client

+

   fedora-rawhide/test_caless_TestServerInstall:

     requires: [fedora-rawhide/build]

     priority: 50