From 1bfea5967bb909e1b1bdc3267368e1465f7c9345 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud Date: Wed, 28 Sep 2022 12:45:52 +0200 Subject: [PATCH] ipatests: add negative test for otptoken-sync Scenario: call ipa otptoken-sync with - an invalid password - an invalid first token (containing non-digits) - an invalid sequence of tokens The test expects a return code = 1. Related: https://pagure.io/freeipa/issue/9248 Signed-off-by: Florence Blanc-Renaud Reviewed-By: Rob Crittenden --- ipatests/test_integration/test_otp.py | 77 +++++++++++++++++++++++++++ 1 file changed, 77 insertions(+) diff --git a/ipatests/test_integration/test_otp.py b/ipatests/test_integration/test_otp.py index 036b8d12c7e8d872204a31fa6b7ed0e151bed86b..32b41b79ad8bf44a298b28c259351d5a71a7e9ea 100644 --- a/ipatests/test_integration/test_otp.py +++ b/ipatests/test_integration/test_otp.py @@ -184,6 +184,83 @@ class TestOTPToken(IntegrationTest): del_otptoken(master, otpuid) + @pytest.fixture + def desynchronized_hotp(self): + """ Create an hotp token for user """ + tasks.kinit_admin(self.master) + otpuid, hotp = add_otptoken(self.master, USER, otptype="hotp") + + # skipping too many OTP fails + otp1 = hotp.generate(10).decode("ascii") + kinit_otp(self.master, USER, password=PASSWORD, otp=otp1, success=False) + # Now the token is desynchronized + yield (otpuid, hotp) + + del_otptoken(self.master, otpuid) + + def test_otptoken_sync_incorrect_password(self, desynchronized_hotp): + """ Test if sync fails when incorrect password is provided """ + otpuid, hotp = desynchronized_hotp + + otp2 = hotp.generate(20).decode("ascii") + otp3 = hotp.generate(21).decode("ascii") + + # Try to sync with a wrong password + result = self.master.run_command( + ["ipa", "otptoken-sync", "--user", USER, otpuid], + stdin_text=f"invalidpwd\n{otp2}\n{otp3}\n", raiseonerr=False + ) + assert result.returncode == 1 + assert "Invalid Credentials!" in result.stderr_text + + # Now sync with the right values + self.master.run_command( + ["ipa", "otptoken-sync", "--user", USER, otpuid], + stdin_text=f"{PASSWORD}\n{otp2}\n{otp3}\n" + ) + + def test_otptoken_sync_incorrect_first_value(self, desynchronized_hotp): + """ Test if sync fails when incorrect 1st token value is provided """ + otpuid, hotp = desynchronized_hotp + + otp2 = "12345a" + otp3 = hotp.generate(20).decode("ascii") + otp4 = hotp.generate(21).decode("ascii") + + # Try to sync with a wrong first value (contains non-digit) + result = self.master.run_command( + ["ipa", "otptoken-sync", "--user", USER, otpuid], + stdin_text=f"{PASSWORD}\n{otp2}\n{otp3}\n", raiseonerr=False + ) + assert result.returncode == 1 + assert "Invalid Credentials!" in result.stderr_text + + # Now sync with the right values + self.master.run_command( + ["ipa", "otptoken-sync", "--user", USER, otpuid], + stdin_text=f"{PASSWORD}\n{otp3}\n{otp4}\n" + ) + + def test_otptoken_sync_incorrect_second_value(self, desynchronized_hotp): + """ Test if sync fails when incorrect 2nd token value is provided """ + otpuid, hotp = desynchronized_hotp + + otp2 = hotp.generate(20).decode("ascii") + otp3 = hotp.generate(21).decode("ascii") + # Try to sync with wrong order + result = self.master.run_command( + ["ipa", "otptoken-sync", "--user", USER, otpuid], + stdin_text=f"{PASSWORD}\n{otp3}\n{otp2}\n", raiseonerr=False + ) + assert result.returncode == 1 + assert "Invalid Credentials!" in result.stderr_text + + # Now sync with the right order + self.master.run_command( + ["ipa", "otptoken-sync", "--user", USER, otpuid], + stdin_text=f"{PASSWORD}\n{otp2}\n{otp3}\n" + ) + def test_totp(self): master = self.master -- 2.37.3