Tests: Adding GDM Passkey tests

[spoore1]

No description provided.

[gemini-code-assist]

Code Review

This pull request adds a comprehensive suite of system tests for GDM Passkey login functionality. The tests cover various scenarios, including login with PIN, without PIN, with password fallback, multiple keys, and handling of unregistered or removed passkeys.

My review has identified a few critical and high-severity issues that should be addressed:

• A pytest.set_trace() call needs to be removed.
• The use of time.sleep() should be replaced with more robust polling mechanisms to avoid flaky tests.
• Fragile shell commands for parsing ipa output should be replaced with more stable API calls.
• There's an incorrect usage of assert with a custom assertion method, which could lead to misleading test failures.

Overall, this is a valuable addition for ensuring the quality of the GDM Passkey feature. Addressing these points will improve the reliability and maintainability of the new tests.

[ikerexxe]

Some minor comments inline

[ikerexxe]

By the way, CI failures are related to your changes so review them as well

[justin-stephenson]

Hi @spoore1 would it be possible for you to add a GDM Passkey test with local (non-IPA) auth?

$ sssctl passkey-exec --register --username=alice --domain=ldap.test

Then on the ldap container 

$ vim user.ldif
# alice, ldap.test
# replace passkey data below
dn: uid=alice,dc=ldap,dc=test
mail: alice@ldap.test
uid: alice
givenName: Alice
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
objectClass: inetuser
objectClass: passkeyUser
sn: Moreau
cn: Alice Moreau
uidNumber: 2000
gidNumber: 2000
homeDirectory: /home/alice
loginShell: /bin/bash
gecos: alice
passkey: passkey:zSidKsavt3TudFuW9Hl4oEzif6SzPenk4LuWjQmUZB8USfhJW5NfA7faOOr9Z
 tarevL0GwKL9oytC7yPVIIPGg==,MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE+J5jOEO7E6qMa
 LA8n1oyYKVG3w0af+mrXAjybl3qdLEsSBCsk9SyuqXMbK1xnrBCyL5bgIX6ONeULx86YkP05w==

$ ldapadd -D "cn=Directory Manager" -w Secret123 -H ldap://localhost -x -f user.ldif


And on the client with `local_auth_policy = enable:passkey` set

 # su - alice@ldap.test

[ikerexxe]

What does the test_gdm_doc.py file do? Is it some sort of extra documentation?

Apart from that I left several comments inline

[spoore1]

What does the test_gdm_doc.py file do? Is it some sort of extra documentation?

Apart from that I left several comments inline

Sorry about the confusion here. It seems I ran a git add . instead of the specific file I was updating and brought in some extra files/notes I didn't intend to include here. I've removed them again from the commit now.

[jakub-vavra-cz]

sss mhc.yaml comment

[madhuriupadhye]

Looks good to me; I plan to test this in IDM-CI.

[ikerexxe]

LGTM! Thank you for your hard work getting passkey tests for this feature

[jakub-vavra-cz]

LGTM

[justin-stephenson]

Ack, thank you.

[alexey-tikhonov]

@spoore1, does this depend on product patches / PRs, that were not merged yet?

[alexey-tikhonov]

C10S CI is red due to known issue:

ERROR tests/test_feature.py::test_feature__presence[Fedora-39-0-2-9-passkey-True]
...
cat: \'/tmp/tmp.UDjJVryOAU/audit/audit.log*\': No such file or directory\n') [single exception in TeardownExceptionGroup]

[sssd-bot]

The pull request was accepted by @alexey-tikhonov with the following PR CI status:

---

🟢 CodeFactor (success)
🟢 CodeQL (success)
🟢 osh-diff-scan:fedora-rawhide-x86_64:upstream (success)
🟢 rpm-build:centos-stream-10-x86_64:upstream (success)
🟢 rpm-build:fedora-41-x86_64:upstream (success)
🟢 rpm-build:fedora-42-x86_64:upstream (success)
🟢 rpm-build:fedora-43-x86_64:upstream (success)
🟢 rpm-build:fedora-rawhide-x86_64:upstream (success)
🟢 Analyze (target) / cppcheck (success)
🟢 ci / intgcheck (centos-10) (success)
🟢 ci / intgcheck (fedora-41) (success)
🟢 ci / intgcheck (fedora-42) (success)
🟢 ci / intgcheck (fedora-43) (success)
🟢 ci / intgcheck (fedora-44) (success)
🟢 ci / prepare (success)
🔴 ci / system (centos-10) (failure)
🟢 ci / system (fedora-41) (success)
🟢 ci / system (fedora-42) (success)
🟢 ci / system (fedora-43) (success)
🟢 ci / system (fedora-44) (success)
➖ Coverity scan / coverity (skipped)
🟢 Static code analysis / codeql (success)
🟢 Static code analysis / pre-commit (success)
🟢 Static code analysis / python-system-tests (success)

---

There are unsuccessful or unfinished checks. Make sure that the failures are not related to this pull request before merging.