@sssd-bot

This is an automatic backport of PR#8159 Tests:Added IPA Certificate Authority Tests to branch sssd-2-10, created by @krishnavema.

Please make sure this backport is correct.

Note

The commits were cherry-picked without conflicts.

You can push changes to this pull request

git remote add sssd-bot git@github.com:sssd-bot/sssd.git
git fetch sssd-bot refs/heads/SSSD-sssd-backport-pr8159-to-sssd-2-10
git checkout SSSD-sssd-backport-pr8159-to-sssd-2-10
git push sssd-bot SSSD-sssd-backport-pr8159-to-sssd-2-10

Original commits

  • 7fb3721 - tests:Added IPA Certificate Authority Tests

Backported commits

  • 2347852 - tests:Added IPA Certificate Authority Tests

Original Pull Request Body

The system should prompt the user for a PIN when attempting to authenticate via smart card. This ensures that the smart card is being used as the primary authentication method.

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request adds a new system test for smart card authentication with a nested su command. The changes look good overall, but I have a couple of suggestions to improve the robustness and security of the new test. Specifically, I'm pointing out a hardcoded PIN and the use of time.sleep(), which can lead to flaky tests.

client.sssd.pam["pam_cert_auth"] = "True"
client.sssd.start()
client.svc.restart("virt_cacard.service")
time.sleep(1)

high

Using a fixed time.sleep(1) can lead to flaky tests. The test might fail if the service takes longer than 1 second to restart, or it might wait unnecessarily if the service restarts faster. It's more robust to poll for the service status in a loop with a timeout to ensure it's active before proceeding.

Suggested change
time.sleep(1)
for _ in range(10):
    result = client.host.conn.run("systemctl is-active virt_cacard.service")
    if result.rc == 0:
        break
    time.sleep(1)
else:
    pytest.fail("virt_cacard.service did not become active in time.")

client.svc.restart("virt_cacard.service")
time.sleep(1)

result = client.host.conn.run("su - ipacertuser1 -c 'su - ipacertuser1 -c whoami'", input="123456")

high

Hardcoding the smartcard PIN '123456' directly in the test logic is a security risk and a bad practice, even in tests. It's better to define it as a constant at the module level (e.g., SMARTCARD_PIN = "123456") and use the constant here. This makes it easier to manage and change if needed, and improves code readability.

Contributor

@spoore1 spoore1 left a comment

Approving as is to match the original.

Reviewed-by: Dan Lavu <dlavu@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
(cherry picked from commit 7fb3721)
Reviewed-by: Scott Poore <spoore@redhat.com>
@sssd-bot
Author

The pull request was accepted by @alexey-tikhonov with the following PR CI status:


🟢 CodeQL (success)
🟢 rpm-build:centos-stream-10-x86_64:upstream (success)
🟢 Analyze (target) / All tests are successful (success)
🟢 Analyze (target) / cppcheck (success)
🟢 ci / All tests are successful (success)
🟢 ci / prepare (success)
🟢 ci / system (centos-10) (success)
🟢 Static code analysis / All tests are successful (success)
🟢 Static code analysis / codeql (success)
🟢 Static code analysis / pre-commit (success)
🟢 Static code analysis / python-system-tests (success)


There are unsuccessful or unfinished checks. Make sure that the failures are not related to this pull request before merging.

@sssd-bot sssd-bot force-pushed the SSSD-sssd-backport-pr8159-to-sssd-2-10 branch from 2347852 to 7837345 Compare November 14, 2025 10:36
@alexey-tikhonov alexey-tikhonov merged commit e5b2be4 into SSSD:sssd-2-10 Nov 14, 2025
1 of 11 checks passed