feature: Implement provider interface in client role

Allow Client to be used as provider by implementing user, group,
sudorule interfaces.
Implement LocalSudoRule class.
Extend BareClient with BareClientTopologyController that
setups local domain using either files-provider or proxy files.

Author: jakub-vavra-cz

sssd_test_framework/roles/client.py

@@ -10,7 +10,7 @@
 from ..utils.automount import AutomountUtils
 from ..utils.gdm import GDM
 from ..utils.ldb import LDBUtils
-from ..utils.local_users import LocalUsersUtils
+from ..utils.local_users import LocalUsersUtils, LocalUser, LocalGroup, LocalSudoRule
 from ..utils.realmd import RealmUtils
 from ..utils.sbus import DBUSDestination, DBUSKnownBus
 from ..utils.smartcard import SmartCardUtils
@@ -156,3 +156,34 @@ def sss_ssh_authorizedkeys(self, *args: str) -> ProcessResult:
         :rtype: ProcessResult
         """
         return self.host.conn.exec(["sss_ssh_authorizedkeys", *args], raise_on_error=False)
+
+    def user(self, name: str) -> LocalUser:
+        """
+        Get user object.
+
+        :param name: User name.
+        :type name: str
+        :return: New user object.
+        :rtype: LocalUser
+        """
+        return LocalUser(self.local, name)
+
+    def group(self, name: str) -> LocalGroup:
+        """
+        Get group object.
+        :param name: Group name.
+        :type name: str
+        :return: New group object.
+        :rtype: LocalGroup
+        """
+        return LocalGroup(self.local, name)
+
+    def sudorule(self, name: str) -> LocalSudoRule:
+        """
+        Get sudo rule object.
+        :param name: Sudo rule name.
+        :type name: str
+        :return: New sudo rule object.
+        :rtype: LocalSudoRule
+        """
+        return LocalSudoRule(self.local, name)

sssd_test_framework/topology.py

@@ -10,6 +10,7 @@
 from .config import SSSDTopologyMark
 from .topology_controllers import (
     ADTopologyController,
+    BareClientTopologyController,
     ClientTopologyController,
     GDMTopologyController,
     IPATopologyController,
@@ -45,7 +46,7 @@ def test_ldap(client: Client, ldap: LDAP):
     BareClient = SSSDTopologyMark(
         name="bare_client",
         topology=Topology(TopologyDomain("sssd", client=1)),
-        controller=ClientTopologyController(),
+        controller=BareClientTopologyController(),
         fixtures=dict(client="sssd.client[0]", provider="sssd.client[0]"),
     )
     """

sssd_test_framework/topology_controllers.py

@@ -10,8 +10,11 @@
 from .hosts.keycloak import KeycloakHost
 from .hosts.samba import SambaHost
 from .misc.ssh import retry_command
+from .utils.authselect import AuthselectUtils
+from .utils.sssd import SSSDUtils
 
 __all__ = [
+    "BareClientTopologyController",
     "LDAPTopologyController",
     "IPATopologyController",
     "ADTopologyController",
@@ -58,6 +61,22 @@ class ClientTopologyController(ProvisionedBackupTopologyController):
     pass
 
 
+class BareClientTopologyController(BackupTopologyController[SSSDMultihostConfig]):
+    """
+    Bare Client Topology Controller.
+    """
+
+    def topology_setup(self, client: ClientHost) -> None:
+        sssd = SSSDUtils(client, client.fs, client.svc, AuthselectUtils(client), load_config=False)
+        if client.features["files-provider"]:
+            # Use sssd with files provider when available
+            sssd.sssd["enable_files_domain"] = "true"
+        else:
+            # Use sssd with proxy-files provider
+            sssd.common.local()
+        sssd.start()
+
+
 class LDAPTopologyController(ProvisionedBackupTopologyController):
     """
     LDAP Topology Controller.

sssd_test_framework/utils/local_users.py

@@ -1,6 +1,7 @@
 "Managing local users and groups."
 
 from __future__ import annotations
+from typing import Any
 
 import jc
 from pytest_mh import MultihostHost, MultihostUtility
@@ -12,6 +13,7 @@
     "LocalGroup",
     "LocalUser",
     "LocalUsersUtils",
+    "LocalSudoRule",
 ]
 
 
@@ -35,6 +37,7 @@ def __init__(self, host: MultihostHost, fs: LinuxFileSystem) -> None:
         self.fs: LinuxFileSystem = fs
         self._users: list[str] = []
         self._groups: list[str] = []
+        self._sudorules: list[LocalSudoRule] = []
 
     def teardown(self) -> None:
         """
@@ -53,6 +56,9 @@ def teardown(self) -> None:
         if cmd:
             self.host.conn.run("set -e\n\n" + cmd)
 
+        for rule in self._sudorules:
+            rule.delete()
+
         super().teardown()
 
     def user(self, name: str) -> LocalUser:
@@ -421,3 +427,157 @@ def remove_members(self, members: list[LocalUser]) -> LocalGroup:
         self.util.host.conn.run("set -ex\n" + cmd, log_level=ProcessLogLevel.Error)
 
         return self
+
+
+class LocalSudoRule(object):
+    """
+    Local sudo rule management.
+    """
+
+    def __init__(self, util: LocalUsersUtils, name: str) -> None:
+        """
+        :param util: LocalUsersUtils util object.
+        :param name: Sudo rule name.
+        :type name: str
+        """
+        self.name = name
+        self.util = util
+        self.__rule: dict[str, Any] = dict()
+        self.filename: str | None = None
+
+    def add(
+        self,
+        *,
+        user: str | LocalUser | LocalGroup | list[str | LocalUser | LocalGroup] | None = None,
+        host: str | list[str] | None = None,
+        command: str | list[str] | None = None,
+        option: str | list[str] | None = None,
+        runasuser: str | LocalUser | LocalGroup | list[str | LocalUser | LocalGroup] | None = None,
+        runasgroup: str | LocalGroup | list[str | LocalGroup] | None = None,
+        order: int | None = None,
+        nopasswd: bool | None = None,
+    ) -> LocalSudoRule:
+        """
+        Create new sudo rule.
+
+        :param user: sudoUser attribute, defaults to None
+        :type user: str | LocalUser | LocalGroup | list[str | LocalUser | LocalGroup] | None, optional
+        :param host: sudoHost attribute, defaults to None
+        :type host: str | list[str] | None, optional
+        :param command: sudoCommand attribute, defaults to None
+        :type command: str | list[str] | None, optional
+        :param option: sudoOption attribute, defaults to None
+        :type option: str | list[str] | None, optional
+        :param runasuser: sudoRunAsUser attribute, defaults to None
+        :type runasuser: str | LocalUser | list[str | LocalUser] | None, optional
+        :param runasgroup: sudoRunAsGroup attribute, defaults to None
+        :type runasgroup: str | LocalGroup | list[str  |  LocalGroup] | None, optional
+        :param order: sudoOrder attribute, defaults to None
+        :type order: int | None, optional
+        :param nopasswd: If true, no authentication is required (NOPASSWD), defaults to None (no change)
+        :type nopasswd: bool | None, optional
+        :return: _description_
+        :rtype: LocalSudoRule
+        """
+        orderstr = f"{order:02d}" if order else str(len(self.util._sudorules))
+        self.filename = f"{orderstr}_{self.name}"
+        # Remember arguments so we can use them in modify if needed
+        self.__rule = dict(
+            user=user,
+            host=host,
+            command=command,
+            option=option,
+            runasuser=runasuser,
+            runasgroup=runasgroup,
+            order=order,
+            nopasswd=nopasswd,
+        )
+        run_as_str = ""
+        if runasuser or runasgroup:
+            run_as_str += "("
+            if runasuser:
+                if isinstance(runasuser, list):
+                    runasuser_str = ", ".join(runasuser)
+                else:
+                    runasuser_str = runasuser
+                run_as_str += f"{runasuser_str}"
+            if runasgroup:
+                if isinstance(runasgroup, list):
+                    runasgroup_str = ", ".join(runasgroup)
+                else:
+                    runasgroup_str = runasgroup
+                run_as_str += f":{runasgroup_str}"
+            run_as_str += ")"
+        if isinstance(user, list):
+            user_str = ", ".join(user)
+        else:
+            user_str = user if user else ""
+        if isinstance(host, list):
+            host_str = ", ".join(host)
+        else:
+            host_str = f"{host}=" if host else "="
+        tagspec_str = ""
+        if nopasswd:
+            tagspec_str = "NOPASSWD:"
+        if isinstance(command, list):
+            command_str = ", ".join(command)
+        else:
+            command_str = command if command else ""
+        rule_str = f"{user_str} {host_str}{run_as_str} {tagspec_str} {command_str} \n"
+        self.util.fs.write(f"/etc/sudoers.d/{self.filename}", rule_str)
+        self.util._sudorules.append(self)
+        return self
+
+    def modify(
+        self,
+        *,
+        user: str | LocalUser | LocalGroup | list[str | LocalUser | LocalGroup] | None = None,
+        host: str | list[str] | None = None,
+        command: str | list[str] | None = None,
+        option: str | list[str] | None = None,
+        runasuser: str | LocalUser | LocalGroup | list[str | LocalUser | LocalGroup] | None = None,
+        runasgroup: str | LocalGroup | list[str | LocalGroup] | None = None,
+        order: int | None = None,
+        nopasswd: bool | None = None,
+    ) -> LocalSudoRule:
+        """
+        Modify existing Local sudo rule.
+
+        :param user: sudoUser attribute, defaults to None
+        :type user: str | LocalUser | LocalGroup | list[str | LocalUser | LocalGroup] | None, optional
+        :param host: sudoHost attribute, defaults to None
+        :type host: str | list[str] | None, optional
+        :param command: sudoCommand attribute, defaults to None
+        :type command: str | list[str] | None, optional
+        :param option: sudoOption attribute, defaults to None
+        :type option: str | list[str] | None, optional
+        :param runasuser: sudoRunAsUser attribute, defaults to None
+        :type runasuser: str | LocalUser | LocalGroup | list[str | LocalUser | LocalGroup] | None, optional
+        :param runasgroup: sudoRunAsGroup attribute, defaults to None
+        :type runasgroup: str | LocalGroup | list[str | LocalGroup] | None, optional
+        :param order: sudoOrder attribute, defaults to None
+        :type order: int | None, optional
+        :param nopasswd: If true, no authentication is required (NOPASSWD), defaults to None (no change)
+        :type nopasswd: bool | None, optional
+        :return: _description_
+        :rtype: LocalSudoRule
+        """
+        self.delete()
+        self.add(
+            user=user if user is not None else self.__rule.get("user", None),
+            host=host if host is not None else self.__rule.get("host", None),
+            command=command if command is not None else self.__rule.get("command", None),
+            option=option if option is not None else self.__rule.get("option", None),
+            runasuser=runasuser if runasuser is not None else self.__rule.get("runasuser", None),
+            runasgroup=runasgroup if runasgroup is not None else self.__rule.get("runasgroup", None),
+            order=order if order is not None else self.__rule.get("order", None),
+            nopasswd=nopasswd if nopasswd is not None else self.__rule.get("nopasswd", None),
+        )
+        return self
+
+    def delete(self) -> None:
+        """
+        Delete local sudo rule.
+        """
+        self.util.fs.rm(f"/etc/sudoers.d/{self.filename}")
+        self.util._sudorules.remove(self)