Tests: Test trasformation SSSD does not crash in nss responder after …

…netgroup timeout when backend is offline

SSSD does not crash in nss responder after netgroup timeout when backend is offline

src/tests/system/tests/test_netgroups.py

@@ -6,10 +6,13 @@
 
 from __future__ import annotations
 
+import time
+
 import pytest
 from sssd_test_framework.roles.ad import AD
 from sssd_test_framework.roles.client import Client
 from sssd_test_framework.roles.generic import GenericProvider
+from sssd_test_framework.roles.ipa import IPA
 from sssd_test_framework.roles.ldap import LDAP
 from sssd_test_framework.roles.samba import Samba
 from sssd_test_framework.topology import KnownTopology, KnownTopologyGroup
@@ -309,3 +312,119 @@ def test_netgroup__uid_gt_2147483647(client: Client, provider: GenericProvider):
         result = client.tools.getent.group(grpname)
         assert result is not None, f"getent group for group '{grpname}' is empty!"
         assert result.name == grpname, f"Group name '{grpname}' did not match result '{result.name}'!"
+
+
+@pytest.mark.importance("low")
+@pytest.mark.ticket(bz=1576852)
+@pytest.mark.topology(KnownTopologyGroup.AnyProvider)
+def test_netgroup__nss_responder(client: Client, provider: GenericProvider):
+    """
+    :title: SSSD does not crash in nss responder after netgroup timeout when backend is offline
+    :setup:
+        1. A user (user-1) and a netgroup (ng-1) are created, and the user is added as a member of the netgroup
+        2. SSSD is restarted with a clean configuration to ensure no stale data is present
+    :steps:
+        1. Depending on the type of provider (AD, IPA, Samba, or LDAP), the script updates the SSSD configuration
+            with an incorrect server URI (e.g., typo.dc.hostname)
+        2. SSSD is restarted again to apply the new configuration
+        3. Checks the status of the SSSD domain to ensure it is offline due to the misconfigured server
+        4. Capture the process ID (PID) of the sssd_nss process
+        5. Try to retrieve the netgroup information again, expecting it to fail since the SSSD domain is offline
+        6. Verify that the SSSD processes (sssd, sssd_be, sssd_nss, sssd_pam) are still running and that the
+            sssd_nss process ID has not changed, indicating that SSSD has not crashed or restarted unexpectedly
+    :expectedresults:
+        1. SSSD configured with incorrect server backend
+        2. SSSD restarted
+        3. SSSD Offline
+        4. Pid of sssd_nss captured
+        5. Netgroup info cant be retrieve
+        6. SSSD not crashed
+    :customerscenario: True
+    """
+    user = provider.user("user-1").add()
+    netgroup = provider.netgroup("ng-1").add().add_member(user=user)
+    client.sssd.restart(clean=True)
+
+    result = client.tools.getent.netgroup(netgroup.name)
+    assert result is not None
+    assert result.members[0].user == "user-1"
+
+    hostname = client.host.hostname
+    if isinstance(provider, (AD)):
+        bad_ldap_uri = "typo.dc.%s" % hostname
+        client.sssd.dom("test").update(ad_server=bad_ldap_uri)
+
+    if isinstance(provider, (IPA)):
+        bad_ldap_uri = "typo.master.%s" % hostname
+        client.sssd.dom("test").update(ipa_server=bad_ldap_uri)
+
+    if isinstance(provider, (Samba)):
+        bad_ldap_uri = "typo.dc.%s" % hostname
+        client.sssd.dom("test").update(ad_server=bad_ldap_uri)
+
+    if isinstance(provider, (LDAP)):
+        bad_ldap_uri = "ldaps://typo.%s" % hostname
+        client.sssd.dom("test").update(ldap_uri=bad_ldap_uri)
+
+    client.sssd.restart(clean=True)
+
+    # Check backend status
+    assert "Offline" in client.host.conn.run("sssctl domain-status test -o").stdout
+
+    pid_nss = "pidof sssd_nss"
+    pid_nss1 = client.host.conn.run(pid_nss).stdout
+
+    # request for netgroup
+    assert not client.tools.getent.netgroup(netgroup.name)
+
+    sssd_proc = ["sssd", "sssd_be", "sssd_nss", "sssd_pam"]
+    for proc in sssd_proc:
+        pgrep = "pgrep %s" % proc
+        client.host.conn.run(pgrep)
+
+    pid_nss2 = client.host.conn.run(pid_nss).stdout
+    assert pid_nss1 == pid_nss2
+
+
+@pytest.mark.importance("low")
+@pytest.mark.ticket(bz=1779486)
+@pytest.mark.topology(KnownTopologyGroup.AnyProvider)
+def test_netgroup__background_refresh(client: Client, provider: GenericProvider):
+    """
+    :title: Verify Netgroup Membership Updates in SSSD Cache After User Addition and Cache Expiry
+    :setup:
+        1. Update SSSD configuration
+        2. Restart SSSD
+        3. Create a user and netgroup
+        4. A second user is created and added to the netgroup
+    :steps:
+        1. The getent command is used to retrieve the netgroup information and user is member of the netgroup
+        2. Wait for 30 seconds to allow the cache to expire and be refreshed
+        3. The ldbsearch command is used to query the SSSD cache database (cache_test.ldb)
+            to verify that second user is now part of the netgroup in the cache
+    :expectedresults:
+        1. Retrieves the netgroup information and user is member of the netgroup
+        2. Successfully wait
+        3. Second user is now part of the netgroup in the cache
+    :customerscenario: True
+    """
+    client.sssd.dom("test").update(entry_cache_timeout="10", refresh_expired_interval="5")
+    client.sssd.restart(clean=True)
+    user = provider.user("user-1").add()
+    netgroup = provider.netgroup("ng-1").add().add_member(user=user)
+
+    result = client.tools.getent.netgroup(netgroup.name)
+    assert result is not None
+    assert result.members[0].user == "user-1"
+
+    user2 = provider.user("user-2").add()
+    netgroup.add_member(user=user2.name)
+
+    time.sleep(30)
+
+    assert (
+        user2.name
+        in client.host.conn.run(
+            "ldbsearch -H /var/lib/sss/db/cache_test.ldb " "-b cn=Netgroups,cn=test,cn=sysdb"
+        ).stdout
+    )