Tree - rpms/ipa-healthcheck - CentOS Git server

rpms / ipa-healthcheck

Blame SOURCES/0003-Use-trust-find-and-trustdomain-find-to-identify-all-.patch

Blob History Raw

		e6a568	`From 886153da7dd1ca1f5d37dd9c1e2141850b7177b2 Mon Sep 17 00:00:00 2001`
		e6a568	`From: Rob Crittenden <rcritten@redhat.com>`
		e6a568	`Date: Tue, 17 Nov 2020 20:37:52 -0500`
		e6a568	`Subject: [PATCH] Use trust-find and trustdomain-find to identify all AD trusts`
		e6a568
		e6a568	`Not all AD domains are visible to trust-find. For each trust`
		e6a568	`iterate over trustdomain-find <domain> to find the complete`
		e6a568	`list of domains.`
		e6a568
		e6a568	`Signed-off-by: Rob Crittenden <rcritten@redhat.com>`
		e6a568	`---`
		e6a568	`src/ipahealthcheck/ipa/trust.py \| 20 +++--`
		e6a568	`tests/test_ipa_trust.py \| 155 ++++++++++++++++++++------------`
		e6a568	`2 files changed, 108 insertions(+), 67 deletions(-)`
		e6a568
		e6a568	`diff --git a/src/ipahealthcheck/ipa/trust.py b/src/ipahealthcheck/ipa/trust.py`
		e6a568	`index 0abe5cd..00971c4 100644`
		e6a568	`--- a/src/ipahealthcheck/ipa/trust.py`
		e6a568	`+++ b/src/ipahealthcheck/ipa/trust.py`
		e6a568	`@@ -42,16 +42,18 @@ def get_trust_domains():`
		e6a568
		e6a568	`Each entry is a dictionary representating an AD domain.`
		e6a568	`"""`
		e6a568	`- result = api.Command.trust_find()`
		e6a568	`- results = result['result']`
		e6a568	`trust_domains = []`
		e6a568	`- for result in results:`
		e6a568	`- if result.get('trusttype')[0] == 'Active Directory domain':`
		e6a568	`- domain = dict()`
		e6a568	`- domain['domain'] = result.get('cn')[0]`
		e6a568	`- domain['domainsid'] = result.get('ipanttrusteddomainsid')[0]`
		e6a568	`- domain['netbios'] = result.get('ipantflatname')[0]`
		e6a568	`- trust_domains.append(domain)`
		e6a568	`+ trusts = api.Command.trust_find(pkey_only=True, raw=True)`
		e6a568	`+ for trust in trusts['result']:`
		e6a568	`+ for cn in trust.get('cn'):`
		e6a568	`+ trustdomains = api.Command.trustdomain_find(cn, raw=True)`
		e6a568	`+ for trustdomain in trustdomains['result']:`
		e6a568	`+ domain = dict()`
		e6a568	`+ domain['domain'] = trustdomain.get('cn')[0]`
		e6a568	`+ domain['domainsid'] = trustdomain.get(`
		e6a568	`+ 'ipanttrusteddomainsid')[0]`
		e6a568	`+ domain['netbios'] = trustdomain.get('ipantflatname')[0]`
		e6a568	`+ trust_domains.append(domain)`
		e6a568	`return trust_domains`
		e6a568
		e6a568
		e6a568	`diff --git a/tests/test_ipa_trust.py b/tests/test_ipa_trust.py`
		e6a568	`index 3c4b947..f3a9f27 100644`
		e6a568	`--- a/tests/test_ipa_trust.py`
		e6a568	`+++ b/tests/test_ipa_trust.py`
		e6a568	`@@ -72,6 +72,56 @@ class mock_ldap_conn:`
		e6a568	`return tuple()`
		e6a568
		e6a568
		e6a568	`+#`
		e6a568	`+# Construct a setup with two direct trusts and one sub domain`
		e6a568	`+#`
		e6a568	`+def trust_find():`
		e6a568	`+ return [{`
		e6a568	`+ 'result': [`
		e6a568	`+ {`
		e6a568	`+ 'cn': ['ad.example'],`
		e6a568	`+ },`
		e6a568	`+ {`
		e6a568	`+ 'cn': ['child.example'],`
		e6a568	`+ },`
		e6a568	`+ ]`
		e6a568	`+ }]`
		e6a568	`+`
		e6a568	`+`
		e6a568	`+def trustdomain_find():`
		e6a568	`+ return [`
		e6a568	`+ {`
		e6a568	`+ "result": [`
		e6a568	`+ {`
		e6a568	`+ "cn": ["ad.example"],`
		e6a568	`+ "ipantflatname": ["ADROOT"],`
		e6a568	`+ "ipanttrusteddomainsid": ["S-1-5-21-abc"],`
		e6a568	`+ "ipanttrusttype": ["2"],`
		e6a568	`+ "ipanttrustattributes": ["8"],`
		e6a568	`+ },`
		e6a568	`+ {`
		e6a568	`+ "cn": ["child.ad.example"],`
		e6a568	`+ "ipantflatname": ["CHILD.ADROOT"],`
		e6a568	`+ "ipanttrusteddomainsid": ["S-1-5-22-def"],`
		e6a568	`+ "ipanttrusttype": ["2"],`
		e6a568	`+ "ipanttrustattributes": ["1"],`
		e6a568	`+ },`
		e6a568	`+ ],`
		e6a568	`+ },`
		e6a568	`+ {`
		e6a568	`+ "result": [`
		e6a568	`+ {`
		e6a568	`+ "cn": ["child.example"],`
		e6a568	`+ "ipantflatname": ["CHILD"],`
		e6a568	`+ "ipanttrusteddomainsid": ["S-1-5-21-ghi"],`
		e6a568	`+ "ipanttrusttype": ["2"],`
		e6a568	`+ "ipanttrustattributes": ["8"],`
		e6a568	`+ },`
		e6a568	`+ ],`
		e6a568	`+ },`
		e6a568	`+ ]`
		e6a568	`+`
		e6a568	`+`
		e6a568	`class SSSDDomain:`
		e6a568	`def __init__(self, return_ipa_server_mode=True, provider='ipa'):`
		e6a568	`self.return_ipa_server_mode = return_ipa_server_mode`
		e6a568	`@@ -246,31 +296,17 @@ class TestTrustDomains(BaseTest):`
		e6a568	`dlresult.returncode = 0`
		e6a568	`dlresult.error_log = ''`
		e6a568	`dlresult.output = 'implicit_files\nipa.example\nad.example\n' \`
		e6a568	`- 'child.example\n'`
		e6a568	`+ 'child.ad.example\nchild.example\n'`
		e6a568	`olresult = namedtuple('run', ['returncode', 'error_log'])`
		e6a568	`olresult.returncode = 0`
		e6a568	`olresult.error_log = ''`
		e6a568	`olresult.output = 'Online status: Online\n\n'`
		e6a568
		e6a568	`- mock_run.side_effect = [dlresult, olresult, olresult]`
		e6a568	`+ mock_run.side_effect = [dlresult, olresult, olresult, olresult]`
		e6a568
		e6a568	`# get_trust_domains()`
		e6a568	`- m_api.Command.trust_find.side_effect = [{`
		e6a568	`- 'result': [`
		e6a568	`- {`
		e6a568	`- 'cn': ['ad.example'],`
		e6a568	`- 'ipantflatname': ['ADROOT'],`
		e6a568	`- 'ipanttrusteddomainsid': ['S-1-5-21-abc'],`
		e6a568	`- 'trusttype': ['Active Directory domain'],`
		e6a568	`- },`
		e6a568	`- {`
		e6a568	`- 'cn': ['child.example'],`
		e6a568	`- 'ipantflatname': ['ADROOT'],`
		e6a568	`- 'ipanttrusteddomainsid': ['S-1-5-21-def'],`
		e6a568	`- 'trusttype': ['Active Directory domain'],`
		e6a568	`- },`
		e6a568	`- ]`
		e6a568	`- }]`
		e6a568	`+ m_api.Command.trust_find.side_effect = trust_find()`
		e6a568	`+ m_api.Command.trustdomain_find.side_effect = trustdomain_find()`
		e6a568
		e6a568	`framework = object()`
		e6a568	`registry.initialize(framework, config.Config)`
		e6a568	`@@ -279,15 +315,17 @@ class TestTrustDomains(BaseTest):`
		e6a568
		e6a568	`self.results = capture_results(f)`
		e6a568
		e6a568	`- assert len(self.results) == 3`
		e6a568	`+ assert len(self.results) == 4`
		e6a568
		e6a568	`result = self.results.results[0]`
		e6a568	`assert result.result == constants.SUCCESS`
		e6a568	`assert result.source == 'ipahealthcheck.ipa.trust'`
		e6a568	`assert result.check == 'IPATrustDomainsCheck'`
		e6a568	`assert result.kw.get('key') == 'domain-list'`
		e6a568	`- assert result.kw.get('trust_domains') == 'ad.example, child.example'`
		e6a568	`- assert result.kw.get('sssd_domains') == 'ad.example, child.example'`
		e6a568	`+ assert result.kw.get('trust_domains') == \`
		e6a568	`+ 'ad.example, child.ad.example, child.example'`
		e6a568	`+ assert result.kw.get('sssd_domains') == \`
		e6a568	`+ 'ad.example, child.ad.example, child.example'`
		e6a568
		e6a568	`result = self.results.results[1]`
		e6a568	`assert result.result == constants.SUCCESS`
		e6a568	`@@ -301,6 +339,13 @@ class TestTrustDomains(BaseTest):`
		e6a568	`assert result.source == 'ipahealthcheck.ipa.trust'`
		e6a568	`assert result.check == 'IPATrustDomainsCheck'`
		e6a568	`assert result.kw.get('key') == 'domain-status'`
		e6a568	`+ assert result.kw.get('domain') == 'child.ad.example'`
		e6a568	`+`
		e6a568	`+ result = self.results.results[3]`
		e6a568	`+ assert result.result == constants.SUCCESS`
		e6a568	`+ assert result.source == 'ipahealthcheck.ipa.trust'`
		e6a568	`+ assert result.check == 'IPATrustDomainsCheck'`
		e6a568	`+ assert result.kw.get('key') == 'domain-status'`
		e6a568	`assert result.kw.get('domain') == 'child.example'`
		e6a568
		e6a568	`@patch('ipapython.ipautil.run')`
		e6a568	`@@ -319,22 +364,8 @@ class TestTrustDomains(BaseTest):`
		e6a568	`mock_run.side_effect = [dlresult, olresult, olresult]`
		e6a568
		e6a568	`# get_trust_domains()`
		e6a568	`- m_api.Command.trust_find.side_effect = [{`
		e6a568	`- 'result': [`
		e6a568	`- {`
		e6a568	`- 'cn': ['ad.example'],`
		e6a568	`- 'ipantflatname': ['ADROOT'],`
		e6a568	`- 'ipanttrusteddomainsid': ['S-1-5-21-abc'],`
		e6a568	`- 'trusttype': ['Active Directory domain'],`
		e6a568	`- },`
		e6a568	`- {`
		e6a568	`- 'cn': ['child.example'],`
		e6a568	`- 'ipantflatname': ['ADROOT'],`
		e6a568	`- 'ipanttrusteddomainsid': ['S-1-5-21-def'],`
		e6a568	`- 'trusttype': ['Active Directory domain'],`
		e6a568	`- },`
		e6a568	`- ]`
		e6a568	`- }]`
		e6a568	`+ m_api.Command.trust_find.side_effect = trust_find()`
		e6a568	`+ m_api.Command.trustdomain_find.side_effect = trustdomain_find()`
		e6a568
		e6a568	`framework = object()`
		e6a568	`registry.initialize(framework, config.Config)`
		e6a568	`@@ -350,7 +381,8 @@ class TestTrustDomains(BaseTest):`
		e6a568	`assert result.source == 'ipahealthcheck.ipa.trust'`
		e6a568	`assert result.check == 'IPATrustDomainsCheck'`
		e6a568	`assert result.kw.get('key') == 'domain-list'`
		e6a568	`- assert result.kw.get('trust_domains') == 'ad.example, child.example'`
		e6a568	`+ assert result.kw.get('trust_domains') == \`
		e6a568	`+ 'ad.example, child.ad.example, child.example'`
		e6a568	`assert result.kw.get('sssd_domains') == 'child.example'`
		e6a568
		e6a568	`result = self.results.results[1]`
		e6a568	`@@ -428,29 +460,16 @@ class TestTrustCatalog(BaseTest):`
		e6a568	`ds2result.output = 'Active servers:\nAD Global Catalog: ' \`
		e6a568	`'root-dc.ad.vm\nAD Domain Controller: root-dc.ad.vm\n' \`
		e6a568
		e6a568	`- mock_run.side_effect = [dsresult, ds2result]`
		e6a568	`+ mock_run.side_effect = [dsresult, ds2result, ds2result]`
		e6a568	`mock_getnamebysid.side_effect = [`
		e6a568	`{'S-1-5-21-abc-500': {'name': 'admin@ad.example', 'type': 3}},`
		e6a568	`+ {'S-1-5-21-ghi-500': {'name': 'admin@child.ad.example', 'type': 3}},`
		e6a568	`{'S-1-5-21-def-500': {'name': 'admin@child.example', 'type': 3}}`
		e6a568	`]`
		e6a568
		e6a568	`# get_trust_domains()`
		e6a568	`- m_api.Command.trust_find.side_effect = [{`
		e6a568	`- 'result': [`
		e6a568	`- {`
		e6a568	`- 'cn': ['ad.example'],`
		e6a568	`- 'ipantflatname': ['ADROOT'],`
		e6a568	`- 'ipanttrusteddomainsid': ['S-1-5-21-abc'],`
		e6a568	`- 'trusttype': ['Active Directory domain'],`
		e6a568	`- },`
		e6a568	`- {`
		e6a568	`- 'cn': ['child.example'],`
		e6a568	`- 'ipantflatname': ['ADROOT'],`
		e6a568	`- 'ipanttrusteddomainsid': ['S-1-5-21-def'],`
		e6a568	`- 'trusttype': ['Active Directory domain'],`
		e6a568	`- },`
		e6a568	`- ]`
		e6a568	`- }]`
		e6a568	`+ m_api.Command.trust_find.side_effect = trust_find()`
		e6a568	`+ m_api.Command.trustdomain_find.side_effect = trustdomain_find()`
		e6a568
		e6a568	`framework = object()`
		e6a568	`registry.initialize(framework, config.Config)`
		e6a568	`@@ -459,7 +478,7 @@ class TestTrustCatalog(BaseTest):`
		e6a568
		e6a568	`self.results = capture_results(f)`
		e6a568
		e6a568	`- assert len(self.results) == 6`
		e6a568	`+ assert len(self.results) == 9`
		e6a568
		e6a568	`result = self.results.results[0]`
		e6a568	`assert result.result == constants.SUCCESS`
		e6a568	`@@ -487,20 +506,40 @@ class TestTrustCatalog(BaseTest):`
		e6a568	`assert result.source == 'ipahealthcheck.ipa.trust'`
		e6a568	`assert result.check == 'IPATrustCatalogCheck'`
		e6a568	`assert result.kw.get('key') == 'Domain Security Identifier'`
		e6a568	`- assert result.kw.get('sid') == 'S-1-5-21-def'`
		e6a568	`+ assert result.kw.get('sid') == 'S-1-5-22-def'`
		e6a568
		e6a568	`result = self.results.results[4]`
		e6a568	`assert result.result == constants.SUCCESS`
		e6a568	`assert result.source == 'ipahealthcheck.ipa.trust'`
		e6a568	`assert result.check == 'IPATrustCatalogCheck'`
		e6a568	`assert result.kw.get('key') == 'AD Global Catalog'`
		e6a568	`- assert result.kw.get('domain') == 'child.example'`
		e6a568	`+ assert result.kw.get('domain') == 'child.ad.example'`
		e6a568
		e6a568	`result = self.results.results[5]`
		e6a568	`assert result.result == constants.SUCCESS`
		e6a568	`assert result.source == 'ipahealthcheck.ipa.trust'`
		e6a568	`assert result.check == 'IPATrustCatalogCheck'`
		e6a568	`assert result.kw.get('key') == 'AD Domain Controller'`
		e6a568	`+`
		e6a568	`+ result = self.results.results[6]`
		e6a568	`+ assert result.result == constants.SUCCESS`
		e6a568	`+ assert result.source == 'ipahealthcheck.ipa.trust'`
		e6a568	`+ assert result.check == 'IPATrustCatalogCheck'`
		e6a568	`+ assert result.kw.get('key') == 'Domain Security Identifier'`
		e6a568	`+ assert result.kw.get('sid') == 'S-1-5-21-ghi'`
		e6a568	`+`
		e6a568	`+ result = self.results.results[7]`
		e6a568	`+ assert result.result == constants.SUCCESS`
		e6a568	`+ assert result.source == 'ipahealthcheck.ipa.trust'`
		e6a568	`+ assert result.check == 'IPATrustCatalogCheck'`
		e6a568	`+ assert result.kw.get('key') == 'AD Global Catalog'`
		e6a568	`+ assert result.kw.get('domain') == 'child.example'`
		e6a568	`+`
		e6a568	`+ result = self.results.results[8]`
		e6a568	`+ assert result.result == constants.SUCCESS`
		e6a568	`+ assert result.source == 'ipahealthcheck.ipa.trust'`
		e6a568	`+ assert result.check == 'IPATrustCatalogCheck'`
		e6a568	`+ assert result.kw.get('key') == 'AD Domain Controller'`
		e6a568	`assert result.kw.get('domain') == 'child.example'`
		e6a568
		e6a568
		e6a568	`--`
		e6a568	`2.25.4`
		e6a568

rpms / ipa-healthcheck

Source Code

Blame SOURCES/0003-Use-trust-find-and-trustdomain-find-to-identify-all-.patch