From 25a4acf3ad5964eacddbcb83ddf9f84432968918 Mon Sep 17 00:00:00 2001 From: Anuja More Date: Thu, 22 Jul 2021 14:55:50 +0530 Subject: [PATCH] ipatests: Test for OTP when the LDAP connection timed out. Test to verify that when the idle timeout is exceeded (30s idle, 60s sleep) then the ipa-otpd process should exit without error. Related : https://pagure.io/freeipa/issue/6587 Signed-off-by: Anuja More Reviewed-By: Mohammad Rizwan Reviewed-By: Rob Crittenden --- ipatests/test_integration/test_otp.py | 56 +++++++++++++++++++++++++++ 1 file changed, 56 insertions(+) diff --git a/ipatests/test_integration/test_otp.py b/ipatests/test_integration/test_otp.py index b2e65af1b..fd55898ca 100644 --- a/ipatests/test_integration/test_otp.py +++ b/ipatests/test_integration/test_otp.py @@ -20,6 +20,7 @@ from cryptography.hazmat.primitives.twofactor.totp import TOTP from ipatests.test_integration.base import IntegrationTest from ipaplatform.paths import paths from ipatests.pytest_ipa.integration import tasks +from ipapython.dn import DN PASSWORD = "DummyPassword123" @@ -309,3 +310,58 @@ class TestOTPToken(IntegrationTest): master.run_command(['ipa', 'user-del', USER2]) self.master.run_command(['semanage', 'login', '-D']) sssd_conf_backup.restore() + + @pytest.fixture + def setup_otp_nsslapd(self): + # setting nsslapd-idletimeout + new_limit = 30 + conn = self.master.ldap_connect() + dn = DN(('cn', 'config')) + entry = conn.get_entry(dn) # pylint: disable=no-member + orig_limit = entry.single_value.get('nsslapd-idletimeout') + ldap_query = textwrap.dedent(""" + dn: cn=config + changetype: modify + replace: nsslapd-idletimeout + nsslapd-idletimeout: {limit} + """) + tasks.ldapmodify_dm(self.master, ldap_query.format(limit=new_limit)) + # Be sure no services are running and failed units + self.master.run_command(['killall', 'ipa-otpd'], raiseonerr=False) + check_services = self.master.run_command( + ['systemctl', 'list-units', '--state=failed'] + ) + assert "0 loaded units listed" in check_services.stdout_text + assert "ipa-otpd" not in check_services.stdout_text + yield + # cleanup + tasks.ldapmodify_dm(self.master, ldap_query.format(limit=orig_limit)) + + def test_check_otpd_after_idle_timeout(self, setup_otp_nsslapd): + """Test for OTP when the LDAP connection timed out. + + Test for : https://pagure.io/freeipa/issue/6587 + + ipa-otpd was exiting with failure when LDAP connection timed out. + Test to verify that when the nsslapd-idletimeout is exceeded (30s idle, + 60s sleep) then the ipa-otpd process should exit without error. + """ + since = time.strftime('%H:%M:%S') + tasks.kinit_admin(self.master) + otpuid, totp = add_otptoken(self.master, USER, otptype="totp") + try: + # kinit with OTP auth + otpvalue = totp.generate(int(time.time())).decode("ascii") + kinit_otp(self.master, USER, password=PASSWORD, otp=otpvalue) + time.sleep(60) + failed_services = self.master.run_command( + ['systemctl', 'list-units', '--state=failed'] + ) + assert "ipa-otpd" not in failed_services.stdout_text + cmd_jornalctl = self.master.run_command( + ['journalctl', '--since={}'.format(since)] + ) + regex = r".*ipa-otpd@.*\sSucceeded" + assert re.search(regex, cmd_jornalctl.stdout_text) + finally: + del_otptoken(self.master, otpuid) -- 2.31.1