Testing passkey authentication

Passkey can be tested using passkey related methods from sssd_test_framework.utils.sssctl.SSSCTLUtils and sssd_test_framework.utils.authentication.SUAuthenticationUtils.passkey(). It requires umockdev in order to correctly mock the passkey hardware token and record and playback the communications that happens between SSSD and the token.

Three umockdev files are required to mock the device and playback the communication:

• device description (can be shared with all tests)

• ioctl description (can be shared with all tests)

• script of communication (mostly unique for each test)

You can store the files in data directories that are returned by sssd_test_framework.fixtures.moduledatadir() (device and ioctl) and sssd_test_framework.fixtures.testdatadir() (script, passkey mapping) fixtures.

Test examples

from __future__ import annotations

import pytest
from sssd_test_framework.roles.client import Client
from sssd_test_framework.roles.generic import GenericProvider
from sssd_test_framework.roles.ipa import IPA
from sssd_test_framework.topology import KnownTopology


@pytest.mark.tier(0)
@pytest.mark.topology(KnownTopology.Client)
def test_passkey__register__sssctl(client: Client, moduledatadir: str, testdatadir: str):
    """ Test registration of the passkey token with sssctl passkey-register"""
    mapping = client.sssctl.passkey_register(
        username="user1",
        domain="ldap.test",
        pin=123456,
        device=f"{moduledatadir}/umockdev.device",
        ioctl=f"{moduledatadir}/umockdev.ioctl",
        script=f"{testdatadir}/umockdev.script",
    )
    with open(f"{testdatadir}/passkey-mapping") as f:
        assert mapping == f.read().strip()


@pytest.mark.tier(0)
@pytest.mark.topology(KnownTopology.IPA)
def test_passkey__register__ipa(ipa: IPA, moduledatadir: str, testdatadir: str):
    """ Test registration of the passkey token with ipa user-add-passkey --register"""
    mapping = (
        ipa.user("user1")
        .add()
        .passkey_add_register(
            pin=123456,
            device=f"{moduledatadir}/umockdev.device",
            ioctl=f"{moduledatadir}/umockdev.ioctl",
            script=f"{testdatadir}/umockdev.script",
        )
    )

    with open(f"{testdatadir}/passkey-mapping") as f:
        assert mapping == f.read().strip()


@pytest.mark.tier(0)
@pytest.mark.topology(KnownTopology.LDAP)
@pytest.mark.topology(KnownTopology.IPA)
def test_passkey__su(client: Client, provider: GenericProvider, moduledatadir: str, testdatadir: str):
    """ Test passkey authentication with su"""
    suffix = type(provider).__name__.lower()

    with open(f"{testdatadir}/passkey-mapping.{suffix}") as f:
        provider.user("user1").add().passkey_add(f.read().strip())

    client.sssd.start()

    assert client.auth.su.passkey(
        username="user1",
        pin=123456,
        device=f"{moduledatadir}/umockdev.device",
        ioctl=f"{moduledatadir}/umockdev.ioctl",
        script=f"{testdatadir}/umockdev.script.{suffix}",
    )