ipatests: Test that password reset unlocks users too

The basic idea is: * add a user with a password * kinit with a bad password for the user until lockout * on another server administratively reset the password * wait for replication to finish * kinit on the original server again and the user should be able to kinit again meaning the lockout was removed https://pagure.io/freeipa/issue/8551 Signed-off-by: Rob Crittenden <[email protected]> Reviewed-By: Alexander Bokovoy <[email protected]>
progier389 · Nov 11, 2020 · ca6fc68 · ca6fc68
1 parent 3ab3578
commit ca6fc68
Show file tree

Hide file tree

Showing 2 changed files with 45 additions and 2 deletions.
diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
@@ -935,9 +935,14 @@ def disconnect_replica(master, replica, domain_level=None,
                             ])
 
 
+def kinit_user(host, user, password, raiseonerr=True):
+    return host.run_command(['kinit', user], raiseonerr=raiseonerr,
+                            stdin_text=password)
+
+
 def kinit_admin(host, raiseonerr=True):
-    return host.run_command(['kinit', 'admin'], raiseonerr=raiseonerr,
-                            stdin_text=host.config.admin_password)
+    return kinit_user(host, 'admin', host.config.admin_password,
+                      raiseonerr=raiseonerr)
 
 
 def uninstall_master(host, ignore_topology_disconnect=True,

diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
@@ -129,6 +129,7 @@ class TestIPACommand(IntegrationTest):
     tested without having to fire up a full server to run one command.
     """
     topology = 'line'
+    num_replicas = 1
 
     @pytest.fixture
     def pwpolicy_global(self):
@@ -1318,3 +1319,40 @@ def test_pkispawn_log_is_present(self):
         assert len(pkispawnlog) > 1024
         assert "DEBUG" in pkispawnlog
         assert "INFO" in pkispawnlog
+
+    def test_reset_password_unlock(self):
+        """
+        Test that when a user is also unlocked when their password
+        is administratively reset.
+        """
+        user = 'tuser'
+        original_passwd = 'Secret123'
+        new_passwd = 'newPasswd123'
+        bad_passwd = 'foo'
+
+        tasks.kinit_admin(self.master)
+        tasks.user_add(self.master, user, password=original_passwd)
+        tasks.kinit_user(
+            self.master, user,
+            '{0}\n{1}\n{1}\n'.format(original_passwd, new_passwd)
+        )
+
+        # Lock out the user on master
+        for _i in range(0, 7):
+            tasks.kinit_user(self.master, user, bad_passwd, raiseonerr=False)
+
+        tasks.kinit_admin(self.replicas[0])
+        # Administrative reset on a different server
+        self.replicas[0].run_command(
+            ['ipa', 'passwd', user],
+            stdin_text='{0}\n{0}\n'.format(original_passwd)
+        )
+
+        ldap = self.master.ldap_connect()
+        tasks.wait_for_replication(ldap)
+
+        # The user can log in again
+        tasks.kinit_user(
+            self.master, user,
+            '{0}\n{1}\n{1}\n'.format(original_passwd, new_passwd)
+        )