From 2908f800d91c4049a98b23dd51eaf3a8dc35a787 Mon Sep 17 00:00:00 2001 From: George Pantelakis Date: Tue, 7 Apr 2026 16:08:53 +0200 Subject: [PATCH 1/3] Fix test_certs.py::test_wrong_issuer_cert with the new SCAutolib version --- Sanity/test_certs.py | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/Sanity/test_certs.py b/Sanity/test_certs.py index f2ffb48..236c619 100644 --- a/Sanity/test_certs.py +++ b/Sanity/test_certs.py @@ -29,21 +29,21 @@ def test_wrong_issuer_cert(local_user, sssd_db, user_shell, tmp_path): - User can login with a password """ - sssd_db.backup() - sssd_db.path.unlink() - - run(['mkdir', tmp_path.joinpath("ca")]) - BaseCA.factory(path=tmp_path.joinpath("ca"), create=True) - run(['restorecon', "-v", "/etc/sssd/pki/sssd_auth_ca_db.pem"]) - with Authselect(): with local_user.card(insert=True): + sssd_db.backup() + sssd_db.path.unlink() + + run(['mkdir', tmp_path.joinpath("ca")]) + BaseCA.factory(path=tmp_path.joinpath("ca"), create=True) + run(['restorecon', "-v", "/etc/sssd/pki/sssd_auth_ca_db.pem"]) + cmd = f'su {local_user.username} -c "whoami"' user_shell.sendline(cmd) user_shell.expect_exact(f"Password:") user_shell.sendline(local_user.password) user_shell.expect_exact(local_user.username) - sssd_db.restore() - run(['rm', "-rf", tmp_path.joinpath("ca")]) - run(['restorecon', "-v", "/etc/sssd/pki/sssd_auth_ca_db.pem"]) + sssd_db.restore() + run(['rm', "-rf", tmp_path.joinpath("ca")]) + run(['restorecon', "-v", "/etc/sssd/pki/sssd_auth_ca_db.pem"]) From 86796f0c49e5071c54737ea3880733c797f3a302 Mon Sep 17 00:00:00 2001 From: George Pantelakis Date: Thu, 9 Apr 2026 10:29:31 +0200 Subject: [PATCH 2/3] test_smart_card_detection.py::test_pam_services_config split in 2 tests to avoid racing conditions --- Sanity/test_smart_card_detection.py | 42 ++++++++++++++--------------- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/Sanity/test_smart_card_detection.py b/Sanity/test_smart_card_detection.py index b2c7614..cacb81d 100644 --- a/Sanity/test_smart_card_detection.py +++ b/Sanity/test_smart_card_detection.py @@ -1,3 +1,5 @@ +import pytest + def test_modutil_token_info(local_user, root_shell): """Check that p11-kit module shows smart card information with modutil command""" @@ -8,38 +10,36 @@ def test_modutil_token_info(local_user, root_shell): root_shell.sendline(cmd) root_shell.expect_exact(uri) - -def test_pam_services_config(local_user, root_shell, sssd): +@pytest.mark.parametrize("service,should_pass", [ + ("-su", False), + ("+pam_cert_service", True) +]) +def test_pam_services_config( + local_user, root_shell, sssd, service, should_pass +): """Test verifies that sssd configuration option pam_p11_allowed_services works as expected for smart card authentication. GitHub issue: https://github.com/SSSD/sssd/issues/3967""" with open("/etc/pam.d/pam_cert_service", "w") as f: f.write("auth\trequired\tpam_sss.so require_cert_auth\n") - with sssd(section="pam", key="pam_p11_allowed_services", value="-su") as sssd_conf: + with sssd(section="pam", key="pam_p11_allowed_services", value=service) as sssd_conf: with local_user.card(insert=False) as sc: cmd = "sssctl user-checks -a auth -s pam_cert_service " \ f"{local_user.username}" root_shell.sendline(cmd) - fail = f"pam_authenticate for user [{local_user.username}]: " \ - "Authentication service cannot retrieve authentication info" root_shell.expect_exact("Please insert smart card") sc.insert() - root_shell.expect_exact("Please (re)insert (different) Smartcard") - root_shell.sendline() - root_shell.expect_exact(fail) - sc.remove() - - sssd_conf(section="pam", - key="pam_p11_allowed_services", - value="+pam_cert_service") - - root_shell.sendline(cmd) - root_shell.expect_exact("Please insert smart card") - sc.insert() - root_shell.expect_exact(f"PIN for {local_user.username}:") - root_shell.sendline(local_user.pin) - root_shell.expect_exact(f"pam_authenticate for user " - f"[{local_user.username}]: Success") + if should_pass: + root_shell.expect_exact(f"PIN for {local_user.username}:") + root_shell.sendline(local_user.pin) + root_shell.expect_exact(f"pam_authenticate for user " + f"[{local_user.username}]: Success") + else: + fail = f"pam_authenticate for user [{local_user.username}]: " \ + "Authentication service cannot retrieve authentication info" + root_shell.expect_exact("Please (re)insert (different) Smartcard") + root_shell.sendline() + root_shell.expect_exact(fail) def test_physical_card_detection(local_user, root_shell): From 0fa9dd5103468454f1d3e3299a6b45e5ef7ff2c9 Mon Sep 17 00:00:00 2001 From: George Pantelakis Date: Thu, 9 Apr 2026 10:30:37 +0200 Subject: [PATCH 3/3] test_ttylogin.py::test_login_sc_required: CA config happens in __enter__ funtion --- Sanity/test_ttylogin.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Sanity/test_ttylogin.py b/Sanity/test_ttylogin.py index 0f920da..6a71e86 100644 --- a/Sanity/test_ttylogin.py +++ b/Sanity/test_ttylogin.py @@ -253,10 +253,10 @@ def test_login_sc_required(user, lock_on_removal): - User is successfully logged in """ with Authselect(required=True, lock_on_removal=lock_on_removal): - login_shell = login_shell_factory(user.username) - login_shell.expect("Please insert smart card") - - with user.card(insert=True): + with user.card as sc: + login_shell = login_shell_factory(user.username) + login_shell.expect("Please insert smart card") + sc.insert() login_shell.expect(f"PIN for {user.username}:") login_shell.sendline(user.pin) login_shell.expect(user.username)