|
 |
b3b562 |
From 1bfea5967bb909e1b1bdc3267368e1465f7c9345 Mon Sep 17 00:00:00 2001
|
|
|
b3b562 |
From: Florence Blanc-Renaud <flo@redhat.com>
|
|
|
b3b562 |
Date: Wed, 28 Sep 2022 12:45:52 +0200
|
|
|
b3b562 |
Subject: [PATCH] ipatests: add negative test for otptoken-sync
|
|
|
b3b562 |
|
|
|
b3b562 |
Scenario: call ipa otptoken-sync with
|
|
|
b3b562 |
- an invalid password
|
|
|
b3b562 |
- an invalid first token (containing non-digits)
|
|
|
b3b562 |
- an invalid sequence of tokens
|
|
|
b3b562 |
|
|
|
b3b562 |
The test expects a return code = 1.
|
|
|
b3b562 |
|
|
|
b3b562 |
Related: https://pagure.io/freeipa/issue/9248
|
|
|
b3b562 |
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
|
|
|
b3b562 |
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
|
b3b562 |
---
|
|
|
b3b562 |
ipatests/test_integration/test_otp.py | 77 +++++++++++++++++++++++++++
|
|
|
b3b562 |
1 file changed, 77 insertions(+)
|
|
|
b3b562 |
|
|
|
b3b562 |
diff --git a/ipatests/test_integration/test_otp.py b/ipatests/test_integration/test_otp.py
|
|
|
b3b562 |
index 036b8d12c7e8d872204a31fa6b7ed0e151bed86b..32b41b79ad8bf44a298b28c259351d5a71a7e9ea 100644
|
|
|
b3b562 |
--- a/ipatests/test_integration/test_otp.py
|
|
|
b3b562 |
+++ b/ipatests/test_integration/test_otp.py
|
|
|
b3b562 |
@@ -184,6 +184,83 @@ class TestOTPToken(IntegrationTest):
|
|
|
b3b562 |
|
|
|
b3b562 |
del_otptoken(master, otpuid)
|
|
|
b3b562 |
|
|
|
b3b562 |
+ @pytest.fixture
|
|
|
b3b562 |
+ def desynchronized_hotp(self):
|
|
|
b3b562 |
+ """ Create an hotp token for user """
|
|
|
b3b562 |
+ tasks.kinit_admin(self.master)
|
|
|
b3b562 |
+ otpuid, hotp = add_otptoken(self.master, USER, otptype="hotp")
|
|
|
b3b562 |
+
|
|
|
b3b562 |
+ # skipping too many OTP fails
|
|
|
b3b562 |
+ otp1 = hotp.generate(10).decode("ascii")
|
|
|
b3b562 |
+ kinit_otp(self.master, USER, password=PASSWORD, otp=otp1, success=False)
|
|
|
b3b562 |
+ # Now the token is desynchronized
|
|
|
b3b562 |
+ yield (otpuid, hotp)
|
|
|
b3b562 |
+
|
|
|
b3b562 |
+ del_otptoken(self.master, otpuid)
|
|
|
b3b562 |
+
|
|
|
b3b562 |
+ def test_otptoken_sync_incorrect_password(self, desynchronized_hotp):
|
|
|
b3b562 |
+ """ Test if sync fails when incorrect password is provided """
|
|
|
b3b562 |
+ otpuid, hotp = desynchronized_hotp
|
|
|
b3b562 |
+
|
|
|
b3b562 |
+ otp2 = hotp.generate(20).decode("ascii")
|
|
|
b3b562 |
+ otp3 = hotp.generate(21).decode("ascii")
|
|
|
b3b562 |
+
|
|
|
b3b562 |
+ # Try to sync with a wrong password
|
|
|
b3b562 |
+ result = self.master.run_command(
|
|
|
b3b562 |
+ ["ipa", "otptoken-sync", "--user", USER, otpuid],
|
|
|
b3b562 |
+ stdin_text=f"invalidpwd\n{otp2}\n{otp3}\n", raiseonerr=False
|
|
|
b3b562 |
+ )
|
|
|
b3b562 |
+ assert result.returncode == 1
|
|
|
b3b562 |
+ assert "Invalid Credentials!" in result.stderr_text
|
|
|
b3b562 |
+
|
|
|
b3b562 |
+ # Now sync with the right values
|
|
|
b3b562 |
+ self.master.run_command(
|
|
|
b3b562 |
+ ["ipa", "otptoken-sync", "--user", USER, otpuid],
|
|
|
b3b562 |
+ stdin_text=f"{PASSWORD}\n{otp2}\n{otp3}\n"
|
|
|
b3b562 |
+ )
|
|
|
b3b562 |
+
|
|
|
b3b562 |
+ def test_otptoken_sync_incorrect_first_value(self, desynchronized_hotp):
|
|
|
b3b562 |
+ """ Test if sync fails when incorrect 1st token value is provided """
|
|
|
b3b562 |
+ otpuid, hotp = desynchronized_hotp
|
|
|
b3b562 |
+
|
|
|
b3b562 |
+ otp2 = "12345a"
|
|
|
b3b562 |
+ otp3 = hotp.generate(20).decode("ascii")
|
|
|
b3b562 |
+ otp4 = hotp.generate(21).decode("ascii")
|
|
|
b3b562 |
+
|
|
|
b3b562 |
+ # Try to sync with a wrong first value (contains non-digit)
|
|
|
b3b562 |
+ result = self.master.run_command(
|
|
|
b3b562 |
+ ["ipa", "otptoken-sync", "--user", USER, otpuid],
|
|
|
b3b562 |
+ stdin_text=f"{PASSWORD}\n{otp2}\n{otp3}\n", raiseonerr=False
|
|
|
b3b562 |
+ )
|
|
|
b3b562 |
+ assert result.returncode == 1
|
|
|
b3b562 |
+ assert "Invalid Credentials!" in result.stderr_text
|
|
|
b3b562 |
+
|
|
|
b3b562 |
+ # Now sync with the right values
|
|
|
b3b562 |
+ self.master.run_command(
|
|
|
b3b562 |
+ ["ipa", "otptoken-sync", "--user", USER, otpuid],
|
|
|
b3b562 |
+ stdin_text=f"{PASSWORD}\n{otp3}\n{otp4}\n"
|
|
|
b3b562 |
+ )
|
|
|
b3b562 |
+
|
|
|
b3b562 |
+ def test_otptoken_sync_incorrect_second_value(self, desynchronized_hotp):
|
|
|
b3b562 |
+ """ Test if sync fails when incorrect 2nd token value is provided """
|
|
|
b3b562 |
+ otpuid, hotp = desynchronized_hotp
|
|
|
b3b562 |
+
|
|
|
b3b562 |
+ otp2 = hotp.generate(20).decode("ascii")
|
|
|
b3b562 |
+ otp3 = hotp.generate(21).decode("ascii")
|
|
|
b3b562 |
+ # Try to sync with wrong order
|
|
|
b3b562 |
+ result = self.master.run_command(
|
|
|
b3b562 |
+ ["ipa", "otptoken-sync", "--user", USER, otpuid],
|
|
|
b3b562 |
+ stdin_text=f"{PASSWORD}\n{otp3}\n{otp2}\n", raiseonerr=False
|
|
|
b3b562 |
+ )
|
|
|
b3b562 |
+ assert result.returncode == 1
|
|
|
b3b562 |
+ assert "Invalid Credentials!" in result.stderr_text
|
|
|
b3b562 |
+
|
|
|
b3b562 |
+ # Now sync with the right order
|
|
|
b3b562 |
+ self.master.run_command(
|
|
|
b3b562 |
+ ["ipa", "otptoken-sync", "--user", USER, otpuid],
|
|
|
b3b562 |
+ stdin_text=f"{PASSWORD}\n{otp2}\n{otp3}\n"
|
|
|
b3b562 |
+ )
|
|
|
b3b562 |
+
|
|
|
b3b562 |
def test_totp(self):
|
|
|
b3b562 |
master = self.master
|
|
|
b3b562 |
|
|
|
b3b562 |
--
|
|
|
b3b562 |
2.37.3
|
|
|
b3b562 |
|