From 25a4acf3ad5964eacddbcb83ddf9f84432968918 Mon Sep 17 00:00:00 2001

From: Anuja More <amore@redhat.com>

Date: Thu, 22 Jul 2021 14:55:50 +0530

Subject: [PATCH] ipatests: Test for OTP when the LDAP connection timed out.

Test to verify that when the idle timeout is exceeded (30s idle,

60s sleep) then the ipa-otpd process should exit without error.

Related : https://pagure.io/freeipa/issue/6587

Signed-off-by: Anuja More <amore@redhat.com>

Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>

Reviewed-By: Rob Crittenden <rcritten@redhat.com>

---

 ipatests/test_integration/test_otp.py | 56 +++++++++++++++++++++++++++

 1 file changed, 56 insertions(+)

diff --git a/ipatests/test_integration/test_otp.py b/ipatests/test_integration/test_otp.py

index b2e65af1b..fd55898ca 100644

--- a/ipatests/test_integration/test_otp.py

+++ b/ipatests/test_integration/test_otp.py

@@ -20,6 +20,7 @@ from cryptography.hazmat.primitives.twofactor.totp import TOTP

 from ipatests.test_integration.base import IntegrationTest

 from ipaplatform.paths import paths

 from ipatests.pytest_ipa.integration import tasks

+from ipapython.dn import DN

 PASSWORD = "DummyPassword123"

@@ -309,3 +310,58 @@ class TestOTPToken(IntegrationTest):

             master.run_command(['ipa', 'user-del', USER2])

             self.master.run_command(['semanage', 'login', '-D'])

             sssd_conf_backup.restore()

+

+    @pytest.fixture

+    def setup_otp_nsslapd(self):

+        # setting nsslapd-idletimeout

+        new_limit = 30

+        conn = self.master.ldap_connect()

+        dn = DN(('cn', 'config'))

+        entry = conn.get_entry(dn)  # pylint: disable=no-member

+        orig_limit = entry.single_value.get('nsslapd-idletimeout')

+        ldap_query = textwrap.dedent("""

+            dn: cn=config

+            changetype: modify

+            replace: nsslapd-idletimeout

+            nsslapd-idletimeout: {limit}

+        """)

+        tasks.ldapmodify_dm(self.master, ldap_query.format(limit=new_limit))

+        # Be sure no services are running and failed units

+        self.master.run_command(['killall', 'ipa-otpd'], raiseonerr=False)

+        check_services = self.master.run_command(

+            ['systemctl', 'list-units', '--state=failed']

+        )

+        assert "0 loaded units listed" in check_services.stdout_text

+        assert "ipa-otpd" not in check_services.stdout_text

+        yield

+        # cleanup

+        tasks.ldapmodify_dm(self.master, ldap_query.format(limit=orig_limit))

+

+    def test_check_otpd_after_idle_timeout(self, setup_otp_nsslapd):

+        """Test for OTP when the LDAP connection timed out.

+

+        Test for : https://pagure.io/freeipa/issue/6587

+

+        ipa-otpd was exiting with failure when LDAP connection timed out.

+        Test to verify that when the nsslapd-idletimeout is exceeded (30s idle,

+        60s sleep) then the ipa-otpd process should exit without error.

+        """

+        since = time.strftime('%H:%M:%S')

+        tasks.kinit_admin(self.master)

+        otpuid, totp = add_otptoken(self.master, USER, otptype="totp")

+        try:

+            # kinit with OTP auth

+            otpvalue = totp.generate(int(time.time())).decode("ascii")

+            kinit_otp(self.master, USER, password=PASSWORD, otp=otpvalue)

+            time.sleep(60)

+            failed_services = self.master.run_command(

+                ['systemctl', 'list-units', '--state=failed']

+            )

+            assert "ipa-otpd" not in failed_services.stdout_text

+            cmd_jornalctl = self.master.run_command(

+                ['journalctl', '--since={}'.format(since)]

+            )

+            regex = r".*ipa-otpd@.*\sSucceeded"

+            assert re.search(regex, cmd_jornalctl.stdout_text)

+        finally:

+            del_otptoken(self.master, otpuid)

-- 

2.31.1