From 80ccac79b9d123e158a5ba60f9853611d0854188 Mon Sep 17 00:00:00 2001
From: Sergey Orlov <sorlov@redhat.com>
Date: Wed, 17 Feb 2021 16:48:33 +0100
Subject: [PATCH] ipatests: test Samba mount with NTLM authentication

Related to https://pagure.io/freeipa/issue/8636

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 ipatests/pytest_ipa/integration/__init__.py | 17 ++++++
 ipatests/test_integration/test_smb.py       | 63 +++++++++++++++++++++
 2 files changed, 80 insertions(+)

diff --git a/ipatests/pytest_ipa/integration/__init__.py b/ipatests/pytest_ipa/integration/__init__.py
index 55291ae8b..f62b667bd 100644
--- a/ipatests/pytest_ipa/integration/__init__.py
+++ b/ipatests/pytest_ipa/integration/__init__.py
@@ -28,12 +28,14 @@ import os
 import tempfile
 import shutil
 import re
+import functools
 
 import pytest
 from pytest_multihost import make_multihost_fixture
 
 from ipapython import ipautil
 from ipaplatform.paths import paths
+from . import fips
 from .config import Config
 from .env_config import get_global_config
 from . import tasks
@@ -478,3 +480,18 @@ def del_compat_attrs(cls):
         del cls.ad_subdomains
         del cls.ad_treedomains
     del cls.ad_domains
+
+
+def skip_if_fips(reason='Not supported in FIPS mode', host='master'):
+    if callable(reason):
+        raise TypeError('Invalid decorator usage, add "()"')
+
+    def decorator(test_method):
+        @functools.wraps(test_method)
+        def wrapper(instance, *args, **kwargs):
+            if fips.is_fips_enabled(getattr(instance, host)):
+                pytest.skip(reason)
+            else:
+                test_method(instance, *args, **kwargs)
+        return wrapper
+    return decorator
diff --git a/ipatests/test_integration/test_smb.py b/ipatests/test_integration/test_smb.py
index 37725ab15..749a96325 100644
--- a/ipatests/test_integration/test_smb.py
+++ b/ipatests/test_integration/test_smb.py
@@ -19,6 +19,7 @@ from ipatests.test_integration.base import IntegrationTest
 from ipatests.pytest_ipa.integration import tasks
 from ipaplatform.osinfo import osinfo
 from ipaplatform.paths import paths
+from ipatests.pytest_ipa.integration import skip_if_fips
 
 
 def wait_smbd_functional(host):
@@ -378,6 +379,68 @@ class TestSMB(IntegrationTest):
         finally:
             self.cleanup_mount(mountpoint)
 
+    def check_repeated_smb_mount(self, options):
+        mountpoint = '/mnt/smb'
+        unc = '//{}/homes'.format(self.smbserver.hostname)
+        test_file = 'ntlm_test'
+        test_file_server_path = '/home/{}/{}'.format(self.ipa_user1, test_file)
+        test_file_client_path = '{}/{}'.format(mountpoint, test_file)
+
+        self.smbclient.run_command(['mkdir', '-p', mountpoint])
+        self.smbserver.put_file_contents(test_file_server_path, '')
+        try:
+            for i in [1, 2]:
+                res = self.smbclient.run_command([
+                    'mount', '-t', 'cifs', unc, mountpoint, '-o', options],
+                    raiseonerr=False)
+                assert res.returncode == 0, (
+                    'Mount failed at iteration {}. Output: {}'
+                    .format(i, res.stdout_text + res.stderr_text))
+                assert self.smbclient.transport.file_exists(
+                    test_file_client_path)
+                self.smbclient.run_command(['umount', mountpoint])
+        finally:
+            self.cleanup_mount(mountpoint)
+            self.smbserver.run_command(['rm', '-f', test_file_server_path])
+
+    @skip_if_fips()
+    def test_ntlm_authentication_with_auto_domain(self):
+        """Repeatedly try to authenticate with username and password with
+        automatic domain discovery.
+
+        This is a regression test for https://pagure.io/freeipa/issue/8636
+        """
+        tasks.kdestroy_all(self.smbclient)
+
+        mount_options = 'user={user},pass={password},domainauto'.format(
+            user=self.ipa_user1,
+            password=self.ipa_user1_password
+        )
+
+        self.check_repeated_smb_mount(mount_options)
+
+    @skip_if_fips()
+    def test_ntlm_authentication_with_upn_with_lowercase_domain(self):
+        tasks.kdestroy_all(self.smbclient)
+
+        mount_options = 'user={user}@{domain},pass={password}'.format(
+            user=self.ipa_user1,
+            password=self.ipa_user1_password,
+            domain=self.master.domain.name.lower()
+        )
+        self.check_repeated_smb_mount(mount_options)
+
+    @skip_if_fips()
+    def test_ntlm_authentication_with_upn_with_uppercase_domain(self):
+        tasks.kdestroy_all(self.smbclient)
+
+        mount_options = 'user={user}@{domain},pass={password}'.format(
+            user=self.ipa_user1,
+            password=self.ipa_user1_password,
+            domain=self.master.domain.name.upper()
+        )
+        self.check_repeated_smb_mount(mount_options)
+
     def test_uninstall_samba(self):
         self.smbserver.run_command(['ipa-client-samba', '--uninstall', '-U'])
         res = self.smbserver.run_command(
-- 
2.29.2