From 2e70535f74e7d9dd76e728eca1119ce522fd138a Mon Sep 17 00:00:00 2001

From: Alexander Bokovoy <abokovoy@redhat.com>

Date: Tue, 15 Mar 2022 11:39:46 +0200

Subject: [PATCH] test_krbtpolicy: skip SPAKE-related tests in FIPS mode

SPAKE is based on the crypto primitives which are not FIPS compliant

yet. This means that in FIPS mode use of 'hardened' authentication

indicator is not possible. Skip corresponding tests in FIPS mode.

Related: https://pagure.io/freeipa/issue/9119

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>

Reviewed-By: Francisco Trivino <ftrivino@redhat.com>

---

 ipatests/test_integration/test_krbtpolicy.py | 6 ++++++

 1 file changed, 6 insertions(+)

diff --git a/ipatests/test_integration/test_krbtpolicy.py b/ipatests/test_integration/test_krbtpolicy.py

index 9489fbc97b7836aecf491b57627f254d4849eb56..eae16247bdfb195c1d91209cf2d11eac4c25018f 100644

--- a/ipatests/test_integration/test_krbtpolicy.py

+++ b/ipatests/test_integration/test_krbtpolicy.py

@@ -105,6 +105,9 @@ class TestPWPolicy(IntegrationTest):

     def test_krbtpolicy_password_and_hardended(self):

         """Test a pwd and hardened kerberos ticket policy with 10min tickets"""

+        if self.master.is_fips_mode:

+            pytest.skip("SPAKE pre-auth is not compatible with FIPS mode")

+

         master = self.master

         master.run_command(['ipa', 'user-mod', USER1,

                             '--user-auth-type', 'password',

@@ -133,6 +136,9 @@ class TestPWPolicy(IntegrationTest):

     def test_krbtpolicy_hardended(self):

         """Test a hardened kerberos ticket policy with 30min tickets"""

+        if self.master.is_fips_mode:

+            pytest.skip("SPAKE pre-auth is not compatible with FIPS mode")

+

         master = self.master

         master.run_command(['ipa', 'user-mod', USER1,

                             '--user-auth-type', 'hardened'])

-- 

2.34.1