Tree - rpms/ipa-healthcheck - CentOS Git server

rpms / ipa-healthcheck

Blame SOURCES/0003-Use-trust-find-and-trustdomain-find-to-identify-all-.patch

Blob History Raw

		58cdda	`From 886153da7dd1ca1f5d37dd9c1e2141850b7177b2 Mon Sep 17 00:00:00 2001`
		58cdda	`From: Rob Crittenden <rcritten@redhat.com>`
		58cdda	`Date: Tue, 17 Nov 2020 20:37:52 -0500`
		58cdda	`Subject: [PATCH] Use trust-find and trustdomain-find to identify all AD trusts`
		58cdda
		58cdda	`Not all AD domains are visible to trust-find. For each trust`
		58cdda	`iterate over trustdomain-find <domain> to find the complete`
		58cdda	`list of domains.`
		58cdda
		58cdda	`Signed-off-by: Rob Crittenden <rcritten@redhat.com>`
		58cdda	`---`
		58cdda	`src/ipahealthcheck/ipa/trust.py \| 20 +++--`
		58cdda	`tests/test_ipa_trust.py \| 155 ++++++++++++++++++++------------`
		58cdda	`2 files changed, 108 insertions(+), 67 deletions(-)`
		58cdda
		58cdda	`diff --git a/src/ipahealthcheck/ipa/trust.py b/src/ipahealthcheck/ipa/trust.py`
		58cdda	`index 0abe5cd..00971c4 100644`
		58cdda	`--- a/src/ipahealthcheck/ipa/trust.py`
		58cdda	`+++ b/src/ipahealthcheck/ipa/trust.py`
		58cdda	`@@ -42,16 +42,18 @@ def get_trust_domains():`
		58cdda
		58cdda	`Each entry is a dictionary representating an AD domain.`
		58cdda	`"""`
		58cdda	`- result = api.Command.trust_find()`
		58cdda	`- results = result['result']`
		58cdda	`trust_domains = []`
		58cdda	`- for result in results:`
		58cdda	`- if result.get('trusttype')[0] == 'Active Directory domain':`
		58cdda	`- domain = dict()`
		58cdda	`- domain['domain'] = result.get('cn')[0]`
		58cdda	`- domain['domainsid'] = result.get('ipanttrusteddomainsid')[0]`
		58cdda	`- domain['netbios'] = result.get('ipantflatname')[0]`
		58cdda	`- trust_domains.append(domain)`
		58cdda	`+ trusts = api.Command.trust_find(pkey_only=True, raw=True)`
		58cdda	`+ for trust in trusts['result']:`
		58cdda	`+ for cn in trust.get('cn'):`
		58cdda	`+ trustdomains = api.Command.trustdomain_find(cn, raw=True)`
		58cdda	`+ for trustdomain in trustdomains['result']:`
		58cdda	`+ domain = dict()`
		58cdda	`+ domain['domain'] = trustdomain.get('cn')[0]`
		58cdda	`+ domain['domainsid'] = trustdomain.get(`
		58cdda	`+ 'ipanttrusteddomainsid')[0]`
		58cdda	`+ domain['netbios'] = trustdomain.get('ipantflatname')[0]`
		58cdda	`+ trust_domains.append(domain)`
		58cdda	`return trust_domains`
		58cdda
		58cdda
		58cdda	`diff --git a/tests/test_ipa_trust.py b/tests/test_ipa_trust.py`
		58cdda	`index 3c4b947..f3a9f27 100644`
		58cdda	`--- a/tests/test_ipa_trust.py`
		58cdda	`+++ b/tests/test_ipa_trust.py`
		58cdda	`@@ -72,6 +72,56 @@ class mock_ldap_conn:`
		58cdda	`return tuple()`
		58cdda
		58cdda
		58cdda	`+#`
		58cdda	`+# Construct a setup with two direct trusts and one sub domain`
		58cdda	`+#`
		58cdda	`+def trust_find():`
		58cdda	`+ return [{`
		58cdda	`+ 'result': [`
		58cdda	`+ {`
		58cdda	`+ 'cn': ['ad.example'],`
		58cdda	`+ },`
		58cdda	`+ {`
		58cdda	`+ 'cn': ['child.example'],`
		58cdda	`+ },`
		58cdda	`+ ]`
		58cdda	`+ }]`
		58cdda	`+`
		58cdda	`+`
		58cdda	`+def trustdomain_find():`
		58cdda	`+ return [`
		58cdda	`+ {`
		58cdda	`+ "result": [`
		58cdda	`+ {`
		58cdda	`+ "cn": ["ad.example"],`
		58cdda	`+ "ipantflatname": ["ADROOT"],`
		58cdda	`+ "ipanttrusteddomainsid": ["S-1-5-21-abc"],`
		58cdda	`+ "ipanttrusttype": ["2"],`
		58cdda	`+ "ipanttrustattributes": ["8"],`
		58cdda	`+ },`
		58cdda	`+ {`
		58cdda	`+ "cn": ["child.ad.example"],`
		58cdda	`+ "ipantflatname": ["CHILD.ADROOT"],`
		58cdda	`+ "ipanttrusteddomainsid": ["S-1-5-22-def"],`
		58cdda	`+ "ipanttrusttype": ["2"],`
		58cdda	`+ "ipanttrustattributes": ["1"],`
		58cdda	`+ },`
		58cdda	`+ ],`
		58cdda	`+ },`
		58cdda	`+ {`
		58cdda	`+ "result": [`
		58cdda	`+ {`
		58cdda	`+ "cn": ["child.example"],`
		58cdda	`+ "ipantflatname": ["CHILD"],`
		58cdda	`+ "ipanttrusteddomainsid": ["S-1-5-21-ghi"],`
		58cdda	`+ "ipanttrusttype": ["2"],`
		58cdda	`+ "ipanttrustattributes": ["8"],`
		58cdda	`+ },`
		58cdda	`+ ],`
		58cdda	`+ },`
		58cdda	`+ ]`
		58cdda	`+`
		58cdda	`+`
		58cdda	`class SSSDDomain:`
		58cdda	`def __init__(self, return_ipa_server_mode=True, provider='ipa'):`
		58cdda	`self.return_ipa_server_mode = return_ipa_server_mode`
		58cdda	`@@ -246,31 +296,17 @@ class TestTrustDomains(BaseTest):`
		58cdda	`dlresult.returncode = 0`
		58cdda	`dlresult.error_log = ''`
		58cdda	`dlresult.output = 'implicit_files\nipa.example\nad.example\n' \`
		58cdda	`- 'child.example\n'`
		58cdda	`+ 'child.ad.example\nchild.example\n'`
		58cdda	`olresult = namedtuple('run', ['returncode', 'error_log'])`
		58cdda	`olresult.returncode = 0`
		58cdda	`olresult.error_log = ''`
		58cdda	`olresult.output = 'Online status: Online\n\n'`
		58cdda
		58cdda	`- mock_run.side_effect = [dlresult, olresult, olresult]`
		58cdda	`+ mock_run.side_effect = [dlresult, olresult, olresult, olresult]`
		58cdda
		58cdda	`# get_trust_domains()`
		58cdda	`- m_api.Command.trust_find.side_effect = [{`
		58cdda	`- 'result': [`
		58cdda	`- {`
		58cdda	`- 'cn': ['ad.example'],`
		58cdda	`- 'ipantflatname': ['ADROOT'],`
		58cdda	`- 'ipanttrusteddomainsid': ['S-1-5-21-abc'],`
		58cdda	`- 'trusttype': ['Active Directory domain'],`
		58cdda	`- },`
		58cdda	`- {`
		58cdda	`- 'cn': ['child.example'],`
		58cdda	`- 'ipantflatname': ['ADROOT'],`
		58cdda	`- 'ipanttrusteddomainsid': ['S-1-5-21-def'],`
		58cdda	`- 'trusttype': ['Active Directory domain'],`
		58cdda	`- },`
		58cdda	`- ]`
		58cdda	`- }]`
		58cdda	`+ m_api.Command.trust_find.side_effect = trust_find()`
		58cdda	`+ m_api.Command.trustdomain_find.side_effect = trustdomain_find()`
		58cdda
		58cdda	`framework = object()`
		58cdda	`registry.initialize(framework, config.Config)`
		58cdda	`@@ -279,15 +315,17 @@ class TestTrustDomains(BaseTest):`
		58cdda
		58cdda	`self.results = capture_results(f)`
		58cdda
		58cdda	`- assert len(self.results) == 3`
		58cdda	`+ assert len(self.results) == 4`
		58cdda
		58cdda	`result = self.results.results[0]`
		58cdda	`assert result.result == constants.SUCCESS`
		58cdda	`assert result.source == 'ipahealthcheck.ipa.trust'`
		58cdda	`assert result.check == 'IPATrustDomainsCheck'`
		58cdda	`assert result.kw.get('key') == 'domain-list'`
		58cdda	`- assert result.kw.get('trust_domains') == 'ad.example, child.example'`
		58cdda	`- assert result.kw.get('sssd_domains') == 'ad.example, child.example'`
		58cdda	`+ assert result.kw.get('trust_domains') == \`
		58cdda	`+ 'ad.example, child.ad.example, child.example'`
		58cdda	`+ assert result.kw.get('sssd_domains') == \`
		58cdda	`+ 'ad.example, child.ad.example, child.example'`
		58cdda
		58cdda	`result = self.results.results[1]`
		58cdda	`assert result.result == constants.SUCCESS`
		58cdda	`@@ -301,6 +339,13 @@ class TestTrustDomains(BaseTest):`
		58cdda	`assert result.source == 'ipahealthcheck.ipa.trust'`
		58cdda	`assert result.check == 'IPATrustDomainsCheck'`
		58cdda	`assert result.kw.get('key') == 'domain-status'`
		58cdda	`+ assert result.kw.get('domain') == 'child.ad.example'`
		58cdda	`+`
		58cdda	`+ result = self.results.results[3]`
		58cdda	`+ assert result.result == constants.SUCCESS`
		58cdda	`+ assert result.source == 'ipahealthcheck.ipa.trust'`
		58cdda	`+ assert result.check == 'IPATrustDomainsCheck'`
		58cdda	`+ assert result.kw.get('key') == 'domain-status'`
		58cdda	`assert result.kw.get('domain') == 'child.example'`
		58cdda
		58cdda	`@patch('ipapython.ipautil.run')`
		58cdda	`@@ -319,22 +364,8 @@ class TestTrustDomains(BaseTest):`
		58cdda	`mock_run.side_effect = [dlresult, olresult, olresult]`
		58cdda
		58cdda	`# get_trust_domains()`
		58cdda	`- m_api.Command.trust_find.side_effect = [{`
		58cdda	`- 'result': [`
		58cdda	`- {`
		58cdda	`- 'cn': ['ad.example'],`
		58cdda	`- 'ipantflatname': ['ADROOT'],`
		58cdda	`- 'ipanttrusteddomainsid': ['S-1-5-21-abc'],`
		58cdda	`- 'trusttype': ['Active Directory domain'],`
		58cdda	`- },`
		58cdda	`- {`
		58cdda	`- 'cn': ['child.example'],`
		58cdda	`- 'ipantflatname': ['ADROOT'],`
		58cdda	`- 'ipanttrusteddomainsid': ['S-1-5-21-def'],`
		58cdda	`- 'trusttype': ['Active Directory domain'],`
		58cdda	`- },`
		58cdda	`- ]`
		58cdda	`- }]`
		58cdda	`+ m_api.Command.trust_find.side_effect = trust_find()`
		58cdda	`+ m_api.Command.trustdomain_find.side_effect = trustdomain_find()`
		58cdda
		58cdda	`framework = object()`
		58cdda	`registry.initialize(framework, config.Config)`
		58cdda	`@@ -350,7 +381,8 @@ class TestTrustDomains(BaseTest):`
		58cdda	`assert result.source == 'ipahealthcheck.ipa.trust'`
		58cdda	`assert result.check == 'IPATrustDomainsCheck'`
		58cdda	`assert result.kw.get('key') == 'domain-list'`
		58cdda	`- assert result.kw.get('trust_domains') == 'ad.example, child.example'`
		58cdda	`+ assert result.kw.get('trust_domains') == \`
		58cdda	`+ 'ad.example, child.ad.example, child.example'`
		58cdda	`assert result.kw.get('sssd_domains') == 'child.example'`
		58cdda
		58cdda	`result = self.results.results[1]`
		58cdda	`@@ -428,29 +460,16 @@ class TestTrustCatalog(BaseTest):`
		58cdda	`ds2result.output = 'Active servers:\nAD Global Catalog: ' \`
		58cdda	`'root-dc.ad.vm\nAD Domain Controller: root-dc.ad.vm\n' \`
		58cdda
		58cdda	`- mock_run.side_effect = [dsresult, ds2result]`
		58cdda	`+ mock_run.side_effect = [dsresult, ds2result, ds2result]`
		58cdda	`mock_getnamebysid.side_effect = [`
		58cdda	`{'S-1-5-21-abc-500': {'name': 'admin@ad.example', 'type': 3}},`
		58cdda	`+ {'S-1-5-21-ghi-500': {'name': 'admin@child.ad.example', 'type': 3}},`
		58cdda	`{'S-1-5-21-def-500': {'name': 'admin@child.example', 'type': 3}}`
		58cdda	`]`
		58cdda
		58cdda	`# get_trust_domains()`
		58cdda	`- m_api.Command.trust_find.side_effect = [{`
		58cdda	`- 'result': [`
		58cdda	`- {`
		58cdda	`- 'cn': ['ad.example'],`
		58cdda	`- 'ipantflatname': ['ADROOT'],`
		58cdda	`- 'ipanttrusteddomainsid': ['S-1-5-21-abc'],`
		58cdda	`- 'trusttype': ['Active Directory domain'],`
		58cdda	`- },`
		58cdda	`- {`
		58cdda	`- 'cn': ['child.example'],`
		58cdda	`- 'ipantflatname': ['ADROOT'],`
		58cdda	`- 'ipanttrusteddomainsid': ['S-1-5-21-def'],`
		58cdda	`- 'trusttype': ['Active Directory domain'],`
		58cdda	`- },`
		58cdda	`- ]`
		58cdda	`- }]`
		58cdda	`+ m_api.Command.trust_find.side_effect = trust_find()`
		58cdda	`+ m_api.Command.trustdomain_find.side_effect = trustdomain_find()`
		58cdda
		58cdda	`framework = object()`
		58cdda	`registry.initialize(framework, config.Config)`
		58cdda	`@@ -459,7 +478,7 @@ class TestTrustCatalog(BaseTest):`
		58cdda
		58cdda	`self.results = capture_results(f)`
		58cdda
		58cdda	`- assert len(self.results) == 6`
		58cdda	`+ assert len(self.results) == 9`
		58cdda
		58cdda	`result = self.results.results[0]`
		58cdda	`assert result.result == constants.SUCCESS`
		58cdda	`@@ -487,20 +506,40 @@ class TestTrustCatalog(BaseTest):`
		58cdda	`assert result.source == 'ipahealthcheck.ipa.trust'`
		58cdda	`assert result.check == 'IPATrustCatalogCheck'`
		58cdda	`assert result.kw.get('key') == 'Domain Security Identifier'`
		58cdda	`- assert result.kw.get('sid') == 'S-1-5-21-def'`
		58cdda	`+ assert result.kw.get('sid') == 'S-1-5-22-def'`
		58cdda
		58cdda	`result = self.results.results[4]`
		58cdda	`assert result.result == constants.SUCCESS`
		58cdda	`assert result.source == 'ipahealthcheck.ipa.trust'`
		58cdda	`assert result.check == 'IPATrustCatalogCheck'`
		58cdda	`assert result.kw.get('key') == 'AD Global Catalog'`
		58cdda	`- assert result.kw.get('domain') == 'child.example'`
		58cdda	`+ assert result.kw.get('domain') == 'child.ad.example'`
		58cdda
		58cdda	`result = self.results.results[5]`
		58cdda	`assert result.result == constants.SUCCESS`
		58cdda	`assert result.source == 'ipahealthcheck.ipa.trust'`
		58cdda	`assert result.check == 'IPATrustCatalogCheck'`
		58cdda	`assert result.kw.get('key') == 'AD Domain Controller'`
		58cdda	`+`
		58cdda	`+ result = self.results.results[6]`
		58cdda	`+ assert result.result == constants.SUCCESS`
		58cdda	`+ assert result.source == 'ipahealthcheck.ipa.trust'`
		58cdda	`+ assert result.check == 'IPATrustCatalogCheck'`
		58cdda	`+ assert result.kw.get('key') == 'Domain Security Identifier'`
		58cdda	`+ assert result.kw.get('sid') == 'S-1-5-21-ghi'`
		58cdda	`+`
		58cdda	`+ result = self.results.results[7]`
		58cdda	`+ assert result.result == constants.SUCCESS`
		58cdda	`+ assert result.source == 'ipahealthcheck.ipa.trust'`
		58cdda	`+ assert result.check == 'IPATrustCatalogCheck'`
		58cdda	`+ assert result.kw.get('key') == 'AD Global Catalog'`
		58cdda	`+ assert result.kw.get('domain') == 'child.example'`
		58cdda	`+`
		58cdda	`+ result = self.results.results[8]`
		58cdda	`+ assert result.result == constants.SUCCESS`
		58cdda	`+ assert result.source == 'ipahealthcheck.ipa.trust'`
		58cdda	`+ assert result.check == 'IPATrustCatalogCheck'`
		58cdda	`+ assert result.kw.get('key') == 'AD Domain Controller'`
		58cdda	`assert result.kw.get('domain') == 'child.example'`
		58cdda
		58cdda
		58cdda	`--`
		58cdda	`2.25.4`
		58cdda

rpms / ipa-healthcheck

Source Code

Blame SOURCES/0003-Use-trust-find-and-trustdomain-find-to-identify-all-.patch