IPA HBAC test cases

[madhuriupadhye]

A comprehensive set of IPA HBAC (Host-Based Access Control)
test cases to validate HBAC rule creation, modification,
conflict resolution, and access permission enforcement.
The tests cover scenarios including user and group-based
access, nested groups, service and host-specific rules,
category-based access, and authorization priority resolution.

[justin-stephenson]

Please also check system test failure in PRCI

FAILED tests/test_ipa.py::test_ipa__validate_hbac_rule_check_access_sshd_service (ipa) - sssd_test_framework.misc.errors.ExpectScriptError: Unexpected end of file

[danlavu]

I think this can be parameterize? The category_all tests?

[madhuriupadhye]

I tried but code looks complicated, please check

[danlavu]

I was thinking something like this.

@pytest.parametrize("hbac", ["user", "host", "service"])
@pytest.mark.importance("medium")
@pytest.mark.topology(KnownTopology.IPA)
def test_ipa__hbac_service_category_all(client: Client, ipa: IPA, hbac: str):
    users = ["user1", "user2"]
    for user in users:
        ipa.user(user).add()
    ipa.hbac("allow_all").disable()
    ipa_rule = (ipa.hbac(f"user1_all_{hbac}_access"))

    if hbac == "user":
        ipa_rule.create(description="Allow user1 access to all services", usercat="all", users="user1", hosts="client.test")
    elif hbac == "host":
        ipa_rule.create(description = "Allow user1 access to all services", hostcat = "all", users = "user1",
                        hosts = "client.test")
    elif hbac == "service":
        ipa_rule.create(description="Allow user1 access to all services", servicecat="all", users="user1", hosts="client.test")

    client.sssd.restart()
    assert client.auth.ssh.password("user1", "Secret123"), "user1 SSH should succeed!"
    assert not client.auth.ssh.password("user2", "Secret123"), "user2 SSH should be denied!"

    if hbac == "user":
        ipa_rule.modify(servicecat="")
    elif hbac == "host":
        ipa_rule.modify(hostcat = "")
    elif hbac == "service":
        ipa_rule.modify(servicecat = "")

    client.sssd.restart()
    assert not client.auth.ssh.password("user1", "Secret123"), "user1 SSH should be denied!"
    assert not client.auth.ssh.password("user2", "Secret123"), "user2 SSH should be denied!"

[madhuriupadhye]

updated, please check

[danlavu]

I don't like conflicting tests, it's unclear to me. Reading the test cases, the long and different variable names are confusing. Things, dev_group is a nested group, qa_group is a nested group, if we name them nested_group1 and nested_group2 there is no misaking what those groups are.

[danlavu]

I know a lot has been going on with this PR, so I'm going to put everything in this comment. I think most of these things are oversights. Still, we need to follow these guidelines.

1. Setup steps, contain everything before the first test step. Test step is the first thing that is related to the actual scenario. With access control, it's logging in. i.e. line 995, Restart is part of step 1, should be in setup.

2. Separate the code with a blank line, following the setup, steps and results

1: add users
2. Disable hbac rule
3. create hbac rule

* blank line * blank line etc etc

[danlavu]

1. Move the restart SSSD to the setup steps, per the comments.
2. Fix the services test.

Any other docstring comments are just things to consider.

[danlavu]

These look great, thank you

[sssd-bot]

The pull request was accepted by @madhuriupadhye with the following PR CI status:

---

🟢 CodeFactor (success)
🟢 CodeQL (success)
🟡 osh-diff-scan:fedora-rawhide-x86_64:upstream (in_progress)
🟢 rpm-build:centos-stream-10-x86_64:upstream (success)
🟢 rpm-build:fedora-41-x86_64:upstream (success)
🟢 rpm-build:fedora-42-x86_64:upstream (success)
🟢 rpm-build:fedora-43-x86_64:upstream (success)
🟢 rpm-build:fedora-rawhide-x86_64:upstream (success)
🟢 Analyze (target) / cppcheck (success)
🔴 ci / intgcheck (centos-10) (failure)
🔴 ci / intgcheck (fedora-41) (failure)
🔴 ci / intgcheck (fedora-42) (failure)
🟢 ci / intgcheck (fedora-43) (success)
🔴 ci / intgcheck (fedora-44) (failure)
🟢 ci / prepare (success)
🟢 ci / system (centos-10) (success)
🟢 ci / system (fedora-41) (success)
🟢 ci / system (fedora-42) (success)
🟢 ci / system (fedora-43) (success)
🟡 ci / system (fedora-44) (in_progress)
➖ Coverity scan / coverity (skipped)
🟢 Static code analysis / codeql (success)
🟢 Static code analysis / pre-commit (success)
🟢 Static code analysis / python-system-tests (success)

---

There are unsuccessful or unfinished checks. Make sure that the failures are not related to this pull request before merging.