test: check is an2ln plugin is disabled or not

The Kerberos 'an2ln' localauth plugin should be disabled in AD and IPA
environments where SSSD's localauth plugin can handle the mapping. In a
plain Kerberos environment libkrb5 defaults should be used.

Reviewed-by: Alexey Tikhonov <[email protected]>
Reviewed-by: Alejandro López <[email protected]>
(cherry picked from commit e95d3fe)

Author: sumit-bose

src/tests/system/tests/test_authentication.py

@@ -6,10 +6,14 @@
 
 from __future__ import annotations
 
+import re
+
 import pytest
 from sssd_test_framework.roles.client import Client
 from sssd_test_framework.roles.generic import GenericProvider
-from sssd_test_framework.topology import KnownTopologyGroup
+from sssd_test_framework.roles.kdc import KDC
+from sssd_test_framework.roles.ldap import LDAP
+from sssd_test_framework.topology import KnownTopology, KnownTopologyGroup
 
 
 @pytest.mark.topology(KnownTopologyGroup.AnyProvider)
@@ -226,3 +230,80 @@ def test_authentication__user_login_when_the_provider_is_offline(
 
     assert client.auth.parametrize(method).password(user, correct), "User failed login!"
     assert not client.auth.parametrize(method).password(user, wrong), "User logged in with an incorrect password!"
+
+
+@pytest.mark.importance("critical")
+@pytest.mark.topology(KnownTopology.IPA)
+@pytest.mark.topology(KnownTopology.Samba)
+@pytest.mark.topology(KnownTopology.AD)
+def test_disable_an2ln(client: Client, provider: GenericProvider):
+    """
+    :title: Check localauth plugin config file (IPA/AD version)
+    :setup:
+        1. Create user
+    :steps:
+        1. Login as user
+        2. Run klist
+        3. Read localauth plugin config file
+    :expectedresults:
+        1. User can log in
+        2. Kerberos TGT is available
+        3. localauth plugin config file is present and has expected content
+    :customerscenario: False
+    """
+    provider.user("tuser").add()
+
+    pattern = (
+        r"\[plugins\]\n localauth = {\n  disable = an2ln\n"
+        "  module = sssd:/.*/sssd/modules/sssd_krb5_localauth_plugin.so\n }"
+    )
+
+    client.fs.rm("/var/lib/sss/pubconf/krb5.include.d/localauth_plugin")
+    client.sssd.start()
+
+    with client.ssh("tuser", "Secret123") as ssh:
+        with client.auth.kerberos(ssh) as krb:
+            result = krb.klist()
+            assert f"krbtgt/{provider.realm}@{provider.realm}" in result.stdout
+
+    try:
+        out = client.fs.read("/var/lib/sss/pubconf/krb5.include.d/localauth_plugin")
+    except Exception as e:
+        assert False, f"Reading plugin config file caused exception: {e}"
+
+    assert re.match(pattern, out), "Content of plugin config file does not match"
+
+
+@pytest.mark.importance("high")
+@pytest.mark.topology(KnownTopology.LDAP)
+def test_ensure_localauth_plugin_is_not_configured(client: Client, provider: GenericProvider, kdc: KDC):
+    """
+    :title: Check localauth plugin config file (LDAP with Kerberos version)
+    :setup:
+        1. Create user in LDAP and KDC
+        2. Setup SSSD to use Kerberos authentication
+    :steps:
+        1. Login as user
+        2. Run klist
+        3. Read localauth plugin config file
+    :expectedresults:
+        1. User can log in
+        2. Kerberos TGT is available
+        3. localauth plugin config file is not present
+    :customerscenario: False
+    """
+    provider.user("tuser").add()
+    kdc.principal("tuser").add()
+
+    client.sssd.common.krb5_auth(kdc)
+
+    client.fs.rm("/var/lib/sss/pubconf/krb5.include.d/localauth_plugin")
+    client.sssd.start()
+
+    with client.ssh("tuser", "Secret123") as ssh:
+        with client.auth.kerberos(ssh) as krb:
+            result = krb.klist()
+            assert f"krbtgt/{kdc.realm}@{kdc.realm}" in result.stdout
+
+    with pytest.raises(Exception):
+        client.fs.read("/var/lib/sss/pubconf/krb5.include.d/localauth_plugin")