ipatests: Test that password reset unlocks users too

The basic idea is: * add a user with a password * kinit with a bad password for the user until lockout * on another server administratively reset the password * wait for replication to finish * kinit on the original server again and the user should be able to kinit again meaning the lockout was removed https://pagure.io/freeipa/issue/8551 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2025-02-25 18:55:28 -06:00 · 2020-10-21 20:50:50 -04:00
parent 3ab3578b36
commit ca6fc689ba
2 changed files with 45 additions and 2 deletions
--- a/ipatests/pytest_ipa/integration/tasks.py
+++ b/ipatests/pytest_ipa/integration/tasks.py
@@ -935,9 +935,14 @@ def disconnect_replica(master, replica, domain_level=None,
                            ])


+def kinit_user(host, user, password, raiseonerr=True):
+    return host.run_command(['kinit', user], raiseonerr=raiseonerr,
+                            stdin_text=password)
+
+
 def kinit_admin(host, raiseonerr=True):
-    return host.run_command(['kinit', 'admin'], raiseonerr=raiseonerr,
-                            stdin_text=host.config.admin_password)
+    return kinit_user(host, 'admin', host.config.admin_password,
+                      raiseonerr=raiseonerr)


 def uninstall_master(host, ignore_topology_disconnect=True,
--- a/ipatests/test_integration/test_commands.py
+++ b/ipatests/test_integration/test_commands.py
@@ -129,6 +129,7 @@ class TestIPACommand(IntegrationTest):
    tested without having to fire up a full server to run one command.
    """
    topology = 'line'
+    num_replicas = 1

    @pytest.fixture
    def pwpolicy_global(self):
@@ -1318,3 +1319,40 @@ class TestIPACommand(IntegrationTest):
        assert len(pkispawnlog) > 1024
        assert "DEBUG" in pkispawnlog
        assert "INFO" in pkispawnlog
+
+    def test_reset_password_unlock(self):
+        """
+        Test that when a user is also unlocked when their password
+        is administratively reset.
+        """
+        user = 'tuser'
+        original_passwd = 'Secret123'
+        new_passwd = 'newPasswd123'
+        bad_passwd = 'foo'
+
+        tasks.kinit_admin(self.master)
+        tasks.user_add(self.master, user, password=original_passwd)
+        tasks.kinit_user(
+            self.master, user,
+            '{0}\n{1}\n{1}\n'.format(original_passwd, new_passwd)
+        )
+
+        # Lock out the user on master
+        for _i in range(0, 7):
+            tasks.kinit_user(self.master, user, bad_passwd, raiseonerr=False)
+
+        tasks.kinit_admin(self.replicas[0])
+        # Administrative reset on a different server
+        self.replicas[0].run_command(
+            ['ipa', 'passwd', user],
+            stdin_text='{0}\n{0}\n'.format(original_passwd)
+        )
+
+        ldap = self.master.ldap_connect()
+        tasks.wait_for_replication(ldap)
+
+        # The user can log in again
+        tasks.kinit_user(
+            self.master, user,
+            '{0}\n{1}\n{1}\n'.format(original_passwd, new_passwd)
+        )