[Freeipa-devel] [PATCH 0081] Add initial tests for OTP

Nathaniel McCallum npmccallum at redhat.com
Fri Nov 21 14:43:16 UTC 2014


On Fri, 2014-11-21 at 08:49 +0100, Martin Kosek wrote:
> On 11/20/2014 05:13 PM, Nathaniel McCallum wrote:
> > This tests the general workflow for OTP including most possible
> > token combinations. This includes 5872 tests. Further optimization
> > is possible to reduce the number of duplicate tests run.
> 
> Good job! Yup, heavy optimization will be needed later.
> 
> > Things not yet tested:
> > * ipa-kdb
> 
> Here you would just call kinit instead of LDAP BIND, right?

"just" :)

Mostly yes. Special care will be needed around FAST, password changes
and not stomping on the admin ticket for running the tests.

> > * ipa-otpd
> 
> How would ipa-otpd be tested? Wouldn't it be tested if a simple kinit is made
> instead of a direct LDAP BIND?

Yes. If desired, it could also be tested directly by sending RADIUS
packets.

> > * otptoken-sync
> 
> Petr1 can help to provide a Web UI test for this area. Or alternatively for the
> test we could use the LDAP extended operation directly, right?

If we can't just call api.Command['otptoken_sync'], we can just do the
special bind. It isn't too hard, I just wanted to get patches public.

> > * RADIUS proxy
> > * token self-management
> > * type specific attributes
> 
> +1
> 
> What about password changes with OTP, can it be also covered?

That is included in ipa-kdb, but yes. :)

> Also, note that the freeipa-tests would suddenly grow a python-pyotp
> dependency, this should be considered.

I'm probably going to change this to python-cryptography since we now
have it in Fedora. I hear IPA will grow a python-cryptography dependency
anyway.

Nathaniel



