sssd_test_framework.utils.local_users

Managing local users and groups.

Classes

`LocalGroup`(util, name)	Management of local groups.
`LocalNetgroup`(util, name)	Local netgroup management via `/etc/netgroup`.
`LocalNetgroupMember`(*[, host, user, group, ...])	Local netgroup member (NIS triple and/or nested netgroup).
`LocalSudoAlias`(util, name, kind)	Local sudoers alias (`User_Alias`, `Runas_Alias`, `Host_Alias`, or `Cmnd_Alias`).
`LocalSudoRule`(util, name)	Local sudo rule management (`/etc/sudoers.d/` drop-ins).
`LocalUser`(util, name)	Management of local users.
`LocalUsersUtils`(args, *kwargs)	Management of local users and groups.

class sssd_test_framework.utils.local_users.LocalGroup(util: LocalUsersUtils, name: str)

Bases: GenericGroup

Management of local groups.

LocalGroup is a GenericGroup for static typing. Membership changes only accept LocalUser and LocalGroup; directory principals are not valid members of /etc/group.

Parameters:

util (LocalUsersUtils) – LocalUsersUtils utility object.
name (str) – Group name.

property name: str: Group name.

add(*, gid: int | None = None, description: str | None = None) → LocalGroup

Create new local group.

Parameters:

gid (int | None, optional) – Group id, defaults to None.
description (str | None, optional) – Not stored for pure local groups (present for GenericGroup API compatibility).

Returns:

Self.

Return type:

LocalGroup

modify(*, gid: int | None = None, description: str | None = None) → LocalGroup

Modify existing local group.

Parameters that are not set are ignored.

Parameters:

gid (int | None, optional) – Group id, defaults to None.
description (str | None, optional) – Not stored for pure local groups (present for GenericGroup API compatibility).

Returns:

Self.

Return type:

LocalGroup

delete() → None: Delete the group.

get(attrs: list[str] | None = None, *, opattrs: bool = False) → dict[str, list[str]] | None

Get group attributes.

Parameters:

attrs (list[str] | None, optional) – If set, only requested attributes are returned, defaults to None.
opattrs (bool, optional) – Ignored (LDAP-only); present for GenericGroup API compatibility.

Returns:

Dictionary with attribute name as a key.

Return type:

dict[str, list[str]] | None

add_member(member: GenericUser | GenericGroup | str) → LocalGroup

Add group member.

Parameters:: member (GroupMemberField) – User or group to add as a member.
Returns:: Self.
Return type:: LocalGroup

add_members(members: list[GenericUser | GenericGroup | str]) → LocalGroup

Add multiple group members.

Parameters:: members (list[GroupMemberField]) – List of users or groups to add as members.
Returns:: Self.
Return type:: LocalGroup

remove_member(member: GenericUser | GenericGroup | str) → LocalGroup

Remove group member.

Parameters:: member (GroupMemberField) – User or group to remove from the group.
Returns:: Self.
Return type:: LocalGroup

remove_members(members: list[GenericUser | GenericGroup | str]) → LocalGroup

Remove multiple group members.

Parameters:: members (list[GroupMemberField]) – List of users or groups to remove from the group.
Returns:: Self.
Return type:: LocalGroup

class sssd_test_framework.utils.local_users.LocalUser(util: LocalUsersUtils, name: str)

Bases: GenericUser

Management of local users.

LocalUser is a GenericUser for static typing; passkey-related methods are not supported on local /etc/passwd users.

Parameters:

util (LocalUsersUtils) – LocalUsersUtils utility object.
name (str) – User name.

property name: str: User name.

Create new local user.

Parameters:

uid (int | None, optional) – User id, defaults to None.
gid (int | None, optional) – Primary group id, defaults to None.
password (str, optional) – Password, defaults to ‘Secret123’ (use empty string to skip passwd).
home (str | None, optional) – Home directory, defaults to None.
gecos (str | None, optional) – GECOS, defaults to None.
shell (str | None, optional) – Login shell, defaults to None.
email (str | None, optional) – Not applied to local users (present for GenericUser API compatibility).

Returns:

Self.

Return type:

LocalUser

Modify existing local user.

Parameters that are not set are ignored.

Parameters:

uid (int | None, optional) – User id, defaults to None.
gid (int | None, optional) – Primary group id, defaults to None.
home (str | None, optional) – Home directory, defaults to None.
gecos (str | None, optional) – GECOS, defaults to None.
shell (str | None, optional) – Login shell, defaults to None.
email (str | None, optional) – Not applied to local users (present for GenericUser API compatibility).

Returns:

Self.

Return type:

LocalUser

reset(password: str | None = 'Secret123') → LocalUser

Reset user password.

Parameters:: password (str, optional) – Password, defaults to ‘Secret123’
Returns:: Self.
Return type:: LocalUser

expire(expiration: str | None = '19700101000000') → LocalUser

Set user password expiration date and time (via chage -E).

Parameters:: expiration (str | None, optional) – Date and time for user password expiration, defaults to 19700101000000
Returns:: Self.
Return type:: LocalUser

password_change_at_logon(**kwargs) → LocalUser

Force user to change password next logon (chage -d 0 and password reset).

Returns:: Self.
Return type:: LocalUser

passkey_add(passkey_mapping: str) → LocalUser

Add passkey mapping to the user.

Raises:: NotImplementedError – Not supported for local users.

passkey_remove(passkey_mapping: str) → LocalUser

Remove passkey mapping from the user.

Raises:: NotImplementedError – Not supported for local users.

delete() → None: Delete the user.

get(attrs: list[str] | None = None, *, opattrs: bool = False) → dict[str, list[str]] | None

Get user attributes.

Parameters:

attrs (list[str] | None, optional) – If set, only requested attributes are returned, defaults to None.
opattrs (bool, optional) – Ignored (LDAP-only); present for GenericUser API compatibility.

Returns:

Dictionary with attribute name as a key.

Return type:

dict[str, list[str]] | None

class sssd_test_framework.utils.local_users.LocalUsersUtils(*args, **kwargs)

Bases: MultihostUtility[MultihostHost]

Management of local users and groups.

Note

All changes are automatically reverted when a test is finished.

Parameters:

host (MultihostHost) – Remote host instance.
client (Client | None) – Client role that owns this utility.

teardown() → None

Remove local changes made through this utility.

Deletes added users and groups, removes sudo rules and sudoers aliases created under /etc/sudoers.d/, and relies on the filesystem helper’s backup/restore for /etc/netgroup and other backed-up paths.

user(name: str) → LocalUser

Get user object.

Example usage

@pytest.mark.topology(KnownTopology.Client)
def test_example(client: Client):
    # Create user
    client.local.user('user-1').add(uid=10001)

    # Call `id user-1` and assert the result
    result = client.tools.id('user-1')
    assert result is not None
    assert result.user.name == 'user-1'
    assert result.user.id == 10001
    assert result.group.name == 'user-1'
    assert result.group.id == 10001

Parameters:: name (str) – User name.
Returns:: New user object.
Return type:: LocalUser

group(name: str) → LocalGroup

Get group object.

Example usage

@pytest.mark.topology(KnownTopology.Client)
def test_example(client: Client):
    # Create user
    user = client.local.user('user-1').add(uid=10001)

    # Create secondary group and add user as a member
    client.local.group('group-1').add().add_member(user)

    # Call `id user-1` and assert the result
    result = client.tools.id('user-1')
    assert result is not None
    assert result.user.name == 'user-1'
    assert result.user.id == 10001
    assert result.group.name == 'user-1'
    assert result.group.id == 10001
    assert result.memberof('group-1')

Parameters:: name (str) – Group name.
Returns:: New group object.
Return type:: LocalGroup

netgroup(name: str) → LocalNetgroup

Get a local netgroup object.

Example usage

@pytest.mark.topology(KnownTopology.Client)
def test_example(client: Client):
    ng = client.local.netgroup("ng-1").add()
    ng.add_member(user=client.local.user("u1"))

    result = client.tools.getent.netgroup("ng-1")
    assert result is not None

Parameters:: name (str) – Netgroup name.
Returns:: Netgroup helper.
Return type:: LocalNetgroup

sudoalias(name: str, kind: Literal['user', 'runas', 'host', 'command']) → LocalSudoAlias

Get a sudoers alias object.

Alias names must match sudoers rules: start with an uppercase letter and contain only uppercase letters, digits, and underscores. Define aliases before rules that reference them (e.g. write alias files first, or use lower order values than dependent rules).

Example usage

@pytest.mark.topology(KnownTopology.Client)
def test_example(client: Client):
    admins = client.local.sudoalias("ADMINS", "user")
    admins.add([client.local.user("u1"), client.local.group("g1")])

    client.local.sudorule("r1").add(user=admins, host="ALL", command="/bin/ls")

Parameters:

name (str) – Alias name (e.g. ADMINS).
kind (LocalSudoAliasKind) – user → User_Alias, runas → Runas_Alias, host → Host_Alias, command → Cmnd_Alias.

Returns:

Sudo alias helper.

Return type:

LocalSudoAlias

sudorule(name: str) → LocalSudoRule

Get a local sudoers rule object.

Parameters:: name (str) – Rule basename (used in the generated filename under /etc/sudoers.d/).
Returns:: Sudo rule helper.
Return type:: LocalSudoRule

class sssd_test_framework.utils.local_users.LocalNetgroup(util: LocalUsersUtils, name: str)

Bases: GenericNetgroup

Local netgroup management via /etc/netgroup.

LocalNetgroup is a GenericNetgroup for static typing. Only LocalNetgroupMember instances are supported in add_members() and remove_members() (not arbitrary GenericNetgroupMember subclasses from other backends).

Parameters:

util (LocalUsersUtils) – LocalUsersUtils utility object.
name (str) – Netgroup name.

property name: str: Netgroup name.

add() → LocalNetgroup

Create a new netgroup entry.

Returns:: Self.
Return type:: LocalNetgroup
Raises:: ValueError for duplicate names.

get(attrs: list[str] | None = None, *, opattrs: bool = False) → dict[str, list[str]] | None

Get netgroup data from getent netgroup (reflecting /etc/netgroup).

Keys include cn (netgroup name) and nisNetgroupTriple (member tokens).

Parameters:: opattrs (bool, optional) – Ignored (LDAP-only); present for GenericNetgroup API compatibility.

Add a netgroup member.

Returns:: Self.
Return type:: LocalNetgroup

add_members(members: list[GenericNetgroupMember]) → LocalNetgroup

Add multiple netgroup members.

Duplicate member strings are not allowed in /etc/netgroup: each line must be unique. Members are compared by LocalNetgroupMember.to_member_string(); if that string is already in this netgroup or appears more than once in members, later duplicates are skipped (nothing is appended for them).

Parameters:: members (list[GenericNetgroupMember]) – Netgroup members (must be LocalNetgroupMember).
Returns:: Self.
Return type:: LocalNetgroup

Remove a netgroup member.

Returns:: Self.
Return type:: LocalNetgroup

remove_members(members: list[GenericNetgroupMember]) → LocalNetgroup

Remove netgroup members.

Parameters:: members (list[GenericNetgroupMember]) – Members to remove (must be LocalNetgroupMember).
Returns:: Self.
Return type:: LocalNetgroup

delete() → None: Remove this netgroup from /etc/netgroup.

Bases: GenericNetgroupMember

Local netgroup member (NIS triple and/or nested netgroup).

Parameters:

host (str | None, optional) – Host part of the triple, defaults to None.
user (GenericUser | str | None, optional) – User part of the triple, defaults to None.
group (LocalGroup | str | None, optional) – Not supported for local netgroups.
hostgroup (str | None, optional) – Not supported for local netgroups.
ng (GenericNetgroup | str | None, optional) – Nested netgroup, defaults to None.

:raises ValueError for unsupported member kinds.

group: str | None: Netgroup group (not supported locally).

hostgroup: str | None: Netgroup hostgroup (not supported locally).

to_member_string() → str

Format this member for /etc/netgroup.

Returns:: Triple or nested netgroup name.
Return type:: str

class sssd_test_framework.utils.local_users.LocalSudoAlias(util: LocalUsersUtils, name: str, kind: Literal['user', 'runas', 'host', 'command'])

Bases: object

Local sudoers alias (User_Alias, Runas_Alias, Host_Alias, or Cmnd_Alias).

Parameters:

util (LocalUsersUtils) – LocalUsersUtils utility object.
name (str) – Alias name (uppercase; see sudoers(5)).
kind (LocalSudoAliasKind) – Which alias type to write.

filename: str | None

alias_str: str | None

Write the alias line to /etc/sudoers.d/.

Parameters:

members (str | LocalUser | LocalGroup | list[str | LocalUser | LocalGroup]) – One or more users/groups (for user / runas), hostnames (for host), or commands (for command).
order (int | None, optional) – Optional ordering prefix for the drop-in file name (lower sorts first).

Returns:

Self.

Return type:

LocalSudoAlias

After delete(), filename is unset and a new name is chosen here; see the class docstring.

Replace alias members (and optionally the file order prefix).

Parameters:

members (str | LocalUser | LocalGroup | list[str | LocalUser | LocalGroup] | None, optional) – New member list, defaults to None (keep previous).
order (int | None, optional) – Optional ordering prefix for the drop-in file name.

Returns:

Self.

Return type:

LocalSudoAlias

delete() → None

Remove this alias drop-in file.

Clears the stored file name so a later add() picks a new path; see the class docstring.

class sssd_test_framework.utils.local_users.LocalSudoRule(util: LocalUsersUtils, name: str)

Bases: GenericSudoRule

Local sudo rule management (/etc/sudoers.d/ drop-ins).

See GenericSudoRule for parameter meanings. ProtocolName values (including LocalSudoAlias) are emitted as bare sudoers names.

Parameters:

util – LocalUsersUtils util object.
name (str) – Sudo rule name.

default_user: str = 'ALL'

default_host: str = 'ALL'

default_command: str = 'ALL'

util: LocalUsersUtils

filename: str | None

rule_str: str | None

property name: str: Sudo rule name.

get(attrs: list[str] | None = None, *, opattrs: bool = False) → dict[str, list[str]] | None

Return rule text as attributes (cn, sudoRule).

If rule_str is unset, reads the drop-in file when filename is set.

Parameters:: opattrs (bool, optional) – Ignored (LDAP-only); present for GenericSudoRule API compatibility.

Create new sudo rule.

Parameters:

user (SudoRuleUserField, optional) – sudoUser attribute, defaults to ALL.
host (SudoRuleHostField, optional) – sudoHost attribute, defaults to ALL.
command (SudoRuleCommandField, optional) – sudoCommand attribute, defaults to ALL.
option (str | list[str] | None, optional) – sudoOption attribute, defaults to None.
runasuser (SudoRuleRunAsUserField, optional) – sudoRunAsUser attribute, defaults to None.
runasgroup (SudoRuleRunAsGroupField, optional) – sudoRunAsGroup attribute, defaults to None.
order (int | None, optional) – sudoOrder attribute, defaults to None.
nopasswd (bool | None, optional) – If true, no authentication is required (NOPASSWD), defaults to None (no change)

Returns:

New sudo rule object.

Return type:

LocalSudoRule

Modify existing local sudo rule.

Parameters set to None keep the previous values.

Parameters:

user (SudoRuleUserField, optional) – sudoUser attribute, defaults to None.
host (SudoRuleHostField, optional) – sudoHost attribute, defaults to None.
command (SudoRuleCommandField, optional) – sudoCommand attribute, defaults to None.
option (str | list[str] | None, optional) – sudoOption attribute, defaults to None.
runasuser (SudoRuleRunAsUserField, optional) – sudoRunAsUser attribute, defaults to None.
runasgroup (SudoRuleRunAsGroupField, optional) – sudoRunAsGroup attribute, defaults to None.
order (int | None, optional) – sudoOrder attribute, defaults to None.
nopasswd (bool | None, optional) – If true, no authentication is required (NOPASSWD), defaults to None (no change).

Returns:

Self.

Return type:

LocalSudoRule

delete() → None: Delete local sudo rule.