SYSTEM TESTS: run core set of tests against SSSD

running in two modes: under 'root' and under 'sssd' user
(where supported)

src/tests/system/tests/test_authentication.py

@@ -13,7 +13,12 @@
 
 @pytest.mark.topology(KnownTopologyGroup.AnyProvider)
 @pytest.mark.parametrize("method", ["su", "ssh"])
-def test_authentication__login(client: Client, provider: GenericProvider, method: str):
+@pytest.mark.parametrize("sssd_service_user", ("root", "sssd"))
+@pytest.mark.require(
+    lambda client, sssd_service_user: ((sssd_service_user == "root") or client.features["non-privileged"]),
+    "SSSD was built without support for running under non-root"
+)
+def test_authentication__login(client: Client, provider: GenericProvider, method: str, sssd_service_user: str):
     """
     :title: ssh/su login
     :setup:
@@ -30,6 +35,7 @@ def test_authentication__login(client: Client, provider: GenericProvider, method
     """
     provider.user("user1").add(password="Secret123")
 
+    client.sssd.set_service_user(sssd_service_user)
     client.sssd.start()
 
     assert client.auth.parametrize(method).password("user1", "Secret123"), "login with correct password failed"
@@ -38,7 +44,12 @@ def test_authentication__login(client: Client, provider: GenericProvider, method
 
 @pytest.mark.topology(KnownTopologyGroup.AnyProvider)
 @pytest.mark.parametrize("method", ["su", "ssh"])
-def test_authentication__offline_login(client: Client, provider: GenericProvider, method: str):
+@pytest.mark.parametrize("sssd_service_user", ("root", "sssd"))
+@pytest.mark.require(
+    lambda client, sssd_service_user: ((sssd_service_user == "root") or client.features["non-privileged"]),
+    "SSSD was built without support for running under non-root"
+)
+def test_authentication__offline_login(client: Client, provider: GenericProvider, method: str, sssd_service_user: str):
     """
     :title: Offline ssh/su login
     :setup:
@@ -67,6 +78,7 @@ def test_authentication__offline_login(client: Client, provider: GenericProvider
     wrong = "Wrong123"
     provider.user(user).add(password=correct)
 
+    client.sssd.set_service_user(sssd_service_user)
     client.sssd.domain["cache_credentials"] = "True"
     client.sssd.domain["krb5_store_password_if_offline"] = "True"
     client.sssd.pam["offline_credentials_expiration"] = "0"

src/tests/system/tests/test_autofs.py

@@ -17,7 +17,12 @@
 @pytest.mark.ticket(gh=6739)
 @pytest.mark.parametrize("cache_first", [False, True])
 @pytest.mark.topology(KnownTopologyGroup.AnyProvider)
-def test_autofs__cache_first(client: Client, nfs: NFS, provider: GenericProvider, cache_first: bool):
+@pytest.mark.parametrize("sssd_service_user", ("root", "sssd"))
+@pytest.mark.require(
+    lambda client, sssd_service_user: ((sssd_service_user == "root") or client.features["non-privileged"]),
+    "SSSD was built without support for running under non-root"
+)
+def test_autofs__cache_first(client: Client, nfs: NFS, provider: GenericProvider, cache_first: bool, sssd_service_user: str):
     """
     :title: Autofs works correctly with any cache_first value
     :setup:
@@ -45,6 +50,7 @@ def test_autofs__cache_first(client: Client, nfs: NFS, provider: GenericProvider
     key = auto_export.key("export").add(info=nfs_export)
 
     # Start SSSD
+    client.sssd.set_service_user(sssd_service_user)
     client.sssd.common.autofs()
     client.sssd.autofs["cache_first"] = str(cache_first)
     client.sssd.start()

src/tests/system/tests/test_identity.py

@@ -14,7 +14,12 @@
 
 @pytest.mark.importance("critical")
 @pytest.mark.topology(KnownTopologyGroup.AnyProvider)
-def test_identity__lookup_username_with_id(client: Client, provider: GenericProvider):
+@pytest.mark.parametrize("sssd_service_user", ("root", "sssd"))
+@pytest.mark.require(
+    lambda client, sssd_service_user: ((sssd_service_user == "root") or client.features["non-privileged"]),
+    "SSSD was built without support for running under non-root"
+)
+def test_identity__lookup_username_with_id(client: Client, provider: GenericProvider, sssd_service_user: str):
     """
     :title: Resolve user by name with id
     :setup:
@@ -35,6 +40,7 @@ def test_identity__lookup_username_with_id(client: Client, provider: GenericProv
     for user, id in ids:
         provider.user(user).add(uid=id, gid=id + 500)
 
+    client.sssd.set_service_user(sssd_service_user)
     client.sssd.domain["ldap_id_mapping"] = "false"
     client.sssd.start()
 
@@ -47,7 +53,12 @@ def test_identity__lookup_username_with_id(client: Client, provider: GenericProv
 
 @pytest.mark.importance("critical")
 @pytest.mark.topology(KnownTopologyGroup.AnyProvider)
-def test_identity__lookup_uid_with_id(client: Client, provider: GenericProvider):
+@pytest.mark.parametrize("sssd_service_user", ("root", "sssd"))
+@pytest.mark.require(
+    lambda client, sssd_service_user: ((sssd_service_user == "root") or client.features["non-privileged"]),
+    "SSSD was built without support for running under non-root"
+)
+def test_identity__lookup_uid_with_id(client: Client, provider: GenericProvider, sssd_service_user: str):
     """
     :title: Resolve user by uid with id
     :setup:
@@ -68,6 +79,7 @@ def test_identity__lookup_uid_with_id(client: Client, provider: GenericProvider)
     for user, id in ids:
         provider.user(user).add(uid=id, gid=id + 500)
 
+    client.sssd.set_service_user(sssd_service_user)
     client.sssd.domain["ldap_id_mapping"] = "false"
     client.sssd.start()
 
@@ -228,7 +240,12 @@ def test_identity__lookup_user_by_group_with_getent(client: Client, provider: Ge
 
 @pytest.mark.importance("critical")
 @pytest.mark.topology(KnownTopologyGroup.AnyProvider)
-def test_identity__lookup_group_membership_by_username_with_id(client: Client, provider: GenericProvider):
+@pytest.mark.parametrize("sssd_service_user", ("root", "sssd"))
+@pytest.mark.require(
+    lambda client, sssd_service_user: ((sssd_service_user == "root") or client.features["non-privileged"]),
+    "SSSD was built without support for running under non-root"
+)
+def test_identity__lookup_group_membership_by_username_with_id(client: Client, provider: GenericProvider, sssd_service_user: str):
     """
     :title: Check membership of user by group name with id
     :setup:
@@ -251,6 +268,7 @@ def test_identity__lookup_group_membership_by_username_with_id(client: Client, p
 
     provider.group("group1").add().add_members([u1, u2, u3])
 
+    client.sssd.set_service_user(sssd_service_user)
     client.sssd.start()
 
     for name, groups in users:

src/tests/system/tests/test_ldap.py

@@ -18,7 +18,12 @@
 @pytest.mark.parametrize("modify_mode", ["exop", "ldap_modify"])
 @pytest.mark.parametrize("use_ppolicy", ["true", "false"])
 @pytest.mark.topology(KnownTopology.LDAP)
-def test_ldap__change_password(client: Client, ldap: LDAP, modify_mode: str, use_ppolicy: str):
+@pytest.mark.parametrize("sssd_service_user", ("root", "sssd"))
+@pytest.mark.require(
+    lambda client, sssd_service_user: ((sssd_service_user == "root") or client.features["non-privileged"]),
+    "SSSD was built without support for running under non-root"
+)
+def test_ldap__change_password(client: Client, ldap: LDAP, modify_mode: str, use_ppolicy: str, sssd_service_user: str):
     """
     :title: Change password with "ldap_pwmodify_mode" set to @modify_mode
     :setup:
@@ -45,6 +50,7 @@ def test_ldap__change_password(client: Client, ldap: LDAP, modify_mode: str, use
     ldap.user(user).add(password=old_pass)
     ldap.aci.add('(targetattr="userpassword")(version 3.0; acl "pwp test"; allow (all) userdn="ldap:///self";)')
 
+    client.sssd.set_service_user(sssd_service_user)
     client.sssd.domain["ldap_pwmodify_mode"] = modify_mode
     client.sssd.domain["ldap_use_ppolicy"] = use_ppolicy
     client.sssd.start()

src/tests/system/tests/test_sudo.py

@@ -22,7 +22,12 @@
 @pytest.mark.importance("critical")
 @pytest.mark.authorization
 @pytest.mark.topology(KnownTopologyGroup.AnyProvider)
-def test_sudo__user_allowed(client: Client, provider: GenericProvider):
+@pytest.mark.parametrize("sssd_service_user", ("root", "sssd"))
+@pytest.mark.require(
+    lambda client, sssd_service_user: ((sssd_service_user == "root") or client.features["non-privileged"]),
+    "SSSD was built without support for running under non-root"
+)
+def test_sudo__user_allowed(client: Client, provider: GenericProvider, sssd_service_user: str):
     """
     :title: One user is allowed to run command, other user is not
     :setup:
@@ -47,6 +52,7 @@ def test_sudo__user_allowed(client: Client, provider: GenericProvider):
     provider.user("user-2").add()
     provider.sudorule("test").add(user=u, host="ALL", command="/bin/ls")
 
+    client.sssd.set_service_user(sssd_service_user)
     client.sssd.common.sudo()
     client.sssd.start()
 
@@ -155,7 +161,12 @@ def test_sudo__case_sensitive_false(client: Client, provider: GenericProvider):
 @pytest.mark.importance("critical")
 @pytest.mark.authorization
 @pytest.mark.topology(KnownTopologyGroup.AnyProvider)
-def test_sudo__rules_refresh(client: Client, provider: GenericProvider):
+@pytest.mark.parametrize("sssd_service_user", ("root", "sssd"))
+@pytest.mark.require(
+    lambda client, sssd_service_user: ((sssd_service_user == "root") or client.features["non-privileged"]),
+    "SSSD was built without support for running under non-root"
+)
+def test_sudo__rules_refresh(client: Client, provider: GenericProvider, sssd_service_user: str):
     """
     :title: Sudo rules refresh works
     :setup:
@@ -179,6 +190,7 @@ def test_sudo__rules_refresh(client: Client, provider: GenericProvider):
     u = provider.user("user-1").add()
     r = provider.sudorule("test").add(user=u, host="ALL", command="/bin/ls")
 
+    client.sssd.set_service_user(sssd_service_user)
     client.sssd.common.sudo()
     client.sssd.domain["entry_cache_sudo_timeout"] = "2"
     client.sssd.start()
@@ -495,7 +507,12 @@ def is_smart_skipped(line: str) -> bool:
 @pytest.mark.authorization
 @pytest.mark.ticket(bz=1294670, gh=3969)
 @pytest.mark.topology(KnownTopologyGroup.AnyProvider)
-def test_sudo__local_users_negative_cache(client: Client, provider: LDAP):
+@pytest.mark.parametrize("sssd_service_user", ("root", "sssd"))
+@pytest.mark.require(
+    lambda client, sssd_service_user: ((sssd_service_user == "root") or client.features["non-privileged"]),
+    "SSSD was built without support for running under non-root"
+)
+def test_sudo__local_users_negative_cache(client: Client, provider: LDAP, sssd_service_user: str):
     """
     :title: Sudo responder hits negative cache for local users
     :setup:
@@ -522,6 +539,7 @@ def test_sudo__local_users_negative_cache(client: Client, provider: LDAP):
     client.local.user("user-1").add()
     client.fs.write("/etc/sudoers.d/test", "user-1 ALL=(ALL) NOPASSWD:ALL")
 
+    client.sssd.set_service_user(sssd_service_user)
     client.sssd.common.sudo()
     client.sssd.nss.update(
         entry_negative_timeout="0",  # disable standard negative cache to make sure we hit the local user case