
Sudo ipv4 ipv6 mask tests #33

Draft
shridhargadekar wants to merge 2 commits into RedHat-SP-Security:master from shridhargadekar:sudo-ipv4-ipv6-mask-tests

shridhargadekar commented May 22, 2026 (Collaborator)

Summary by Sourcery

Extend sudo test coverage for IP-based host matching across IPv4/IPv6 and native LDAP configurations.

New Features:

  • Add parametrized tests verifying sudo access is allowed when client IPv4/IPv6 addresses and CIDR masks match sudoHost rules using SSSD.
  • Add parametrized tests verifying sudo access is denied when client IPv4/IPv6 addresses and CIDR masks do not match sudoHost rules using SSSD.
  • Add native LDAP sudo tests to validate allow and deny behavior based on matching and non-matching IPv4/IPv6 addresses and CIDR masks without SSSD.

Tests:

  • Broaden duplicate sudo user test to cover multiple users and ensure sudo rule lists are not mangled.

jakub-vavra-cz and others added 2 commits May 15, 2026 18:10
- test_sudo__host_ipv4_ipv6_with_mask_allowed:
   allowed access when client IP matches sudoHost
   (IPv4 with mask,
   IPv6, IPv6 with mask)
- test_sudo__host_ipv4_ipv6_with_mask_denied:
   Tests denied access when client IP doesn't match sudoHost

Each test is parameterized to cover 3 scenarios (6 total test runs).
Tests verify that sudoHost works correctly with IPv4/IPv6 addresses and CIDR notation.

Signed-off-by: shridhargadekar <shridhar.always@gmail.com>
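
An added illustration, not code from this pull request or from sudo: a simplified Python model of the allow/deny decision that the three scenarios (IPv4 with mask, IPv6, IPv6 with mask) exercise in their matching and non-matching runs. The function names, the sample addresses (documentation ranges) and the equality rule for bare addresses are assumptions.

```python
import ipaddress


def sudo_host_matches(sudo_host, client_addrs):
    """True if any client address satisfies an IP-form sudoHost value.

    Simplified model (assumption, not sudo's code): a bare address must
    equal a client address; an address/prefix value matches any client
    address inside that network. Hostnames, netgroups and ALL are out of scope.
    """
    addrs = [ipaddress.ip_address(a) for a in client_addrs]
    if "/" in sudo_host:
        # strict=False tolerates host bits in the rule, e.g. 192.0.2.10/24
        net = ipaddress.ip_network(sudo_host, strict=False)
        return any(a.version == net.version and a in net for a in addrs)
    want = ipaddress.ip_address(sudo_host)
    # Compare parsed values so 2001:db8::10 equals its expanded spelling
    return any(a == want for a in addrs)


# Constructed cases (documentation ranges): sudoHost, client IPs, expected
CASES = [
    ("192.0.2.0/24", ["192.0.2.10"], True),         # IPv4 with mask, match
    ("2001:db8::10", ["2001:db8::10"], True),       # IPv6, match
    ("2001:db8:1::/64", ["2001:db8:1::10"], True),  # IPv6 with mask, match
    ("192.0.2.0/24", ["198.51.100.10"], False),     # IPv4 with mask, no match
    ("2001:db8::10", ["2001:db8::11"], False),      # IPv6, no match
    ("2001:db8:1::/64", ["2001:db8:2::10"], False), # IPv6 with mask, no match
]


def failed_cases():
    """Return the cases whose outcome differs from the expectation."""
    return [c for c in CASES if sudo_host_matches(c[0], c[1]) is not c[2]]


if __name__ == "__main__":
    for host, addrs, expected in CASES:
        verdict = "allowed" if sudo_host_matches(host, addrs) else "denied"
        print(f"sudoHost={host:<18} client={addrs[0]:<16} {verdict}")
```

Near-miss inputs such as an address just outside the prefix, or an address of the other IP family, are the ones a deny test most needs to cover.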

sourcery-ai Bot commented May 22, 2026

Reviewer's Guide

Extends sudo-related pytest coverage by broadening an existing duplicate-user test and adding new scenarios that validate sudoHost matching for IPv4/IPv6 addresses and CIDR masks both via SSSD and via native LDAP sudoers integration, including positive and negative cases and appropriate environment setup/teardown.

File-Level Changes

Change: Broaden duplicate sudo user test to cover multiple users and ensure sudo list and run work consistently for each.
Details:
  • Add additional test users user-2 and user-3 to the setup.
  • Update sudo rule to include multiple forms of user principals, including a domain-qualified entry.
  • Replace single-user sudo list/run assertions with a loop over all three users to verify behavior is not affected by multiple entries.
Files: pytest/tests/test_sudo.py

Change: Add tests to verify sudoHost IPv4/IPv6 address and CIDR mask matching when using SSSD.
Details:
  • Introduce parametrized test that configures client IP addresses (IPv4 and IPv6, with and without masks) on loopback and asserts sudo access is allowed when IP matches sudoHost.
  • Introduce complementary parametrized test that sets non-matching client IPs and asserts sudo list and command execution are denied.
  • Ensure each test adds and removes temporary IP addresses on the client in a try/finally block to avoid side effects.
Files: pytest/tests/test_sudo.py

Change: Add tests for sudoHost IPv4/IPv6 matching and CIDR masks when using sudo native LDAP instead of SSSD.
Details:
  • Introduce parametrized test that configures the client’s real interface IPs as needed, creates a local user, sets an LDAP sudo rule with host-based conditions, and verifies sudo commands succeed when IP matches using sudo-ldap.conf and nsswitch configuration.
  • Introduce complementary parametrized test that configures non-matching IP ranges and asserts sudo commands are denied under native LDAP sudoers resolution.
  • Implement setup and cleanup of local user accounts, IPv6 addresses on eth0, and /etc/sudo-ldap.conf plus nsswitch.conf modifications within try/finally blocks to keep the system state clean.
Files: pytest/tests/test_sudo.py
