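--- a/src/tests/system/requirements.txt
+++ b/src/tests/system/requirements.txt
@@ -5,4 +5,5 @@ git+https://github.com/next-actions/pytest-mh
 git+https://github.com/next-actions/pytest-ticket
 git+https://github.com/next-actions/pytest-tier
 git+https://github.com/next-actions/pytest-output
-git+https://github.com/SSSD/sssd-test-framework
+#git+https://github.com/SSSD/sssd-test-framework
+git+https://github.com/spoore1/sssd-test-framework@gdm_updates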
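Review bot: The new last line installs sssd-test-framework from a personal fork at the branch name `gdm_updates`, a mutable ref outside the SSSD organisation, so whatever is pushed to that branch later is what the system tests install and execute. If this is a temporary bridge until the framework change lands upstream, restore `git+https://github.com/SSSD/sssd-test-framework` before merge and drop the commented-out copy. If the fork has to stay for a while, pin it to an immutable revision, `git+https://github.com/spoore1/sssd-test-framework@<full-commit-sha>` (placeholder; the hash is not on this page).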
104 changes: 50 additions & 54 deletions src/tests/system/tests/test_gdm_passkey.py
Expand Up @@ -6,8 +6,6 @@

from __future__ import annotations

import time

import pytest
from sssd_test_framework.roles.client import Client
from sssd_test_framework.roles.generic import GenericProvider
Expand All @@ -17,20 +15,29 @@


def client_setup_for_passkey(client, provider: IPA | LDAP | GenericProvider, pin: str | int | None = None):
"""
Setup SSSD and virtual passkey for authentication testing

:param client: Client role for SSSD and vfido setup
:type client: Client
:param provider: Provider role to determine some settings
:type provider: IPA | LDAP | GenericProvider
:param pin: passkey PIN. If None, disable in vfido, else set PIN
:type pin: str | int | None
"""
# Configure SSSD
client.authselect.select("sssd", ["with-mkhomedir", "with-smartcard", "with-switchable-auth"])
client.sssd.import_domain(provider.domain, provider)
client.sssd.config.remove_section("domain/test")
client.sssd.default_domain = provider.domain
client.sssd.pam["pam_json_services"] = "gdm-switchable-auth"
client.sssd.pam["passkey_child_timeout"] = "30"

if provider.name.lower() != "ldap":
client.sssd.pam["pam_cert_auth"] = "True"
else:
client.sssd.domain["local_auth_policy"] = "enable:passkey"

client.sssd.start()

# Start virtual passkey service
client.vfido.reset()
if pin is not None:
Expand All @@ -40,6 +47,8 @@ def client_setup_for_passkey(client, provider: IPA | LDAP | GenericProvider, pin
client.vfido.pin_disable()
client.vfido.start()

client.sssd.start()


@pytest.mark.builtwith(client=["gdm", "passkey", "vfido"])
@pytest.mark.topology(KnownTopology.BareIPA)
Expand All @@ -48,10 +57,9 @@ def test_gdm__passkey_login_with_pin(client: Client, ipa: IPA):
:title: Login via GDM using passkey with PIN
:setup:
1. Configure SSSD for gdm-switchable-auth and pam_cert_auth
2. Start SSSD
3. Start virtual passkey service
4. Add user to IPA and set auth_type to passkey
5. Register passkey with IPA user
2. Start virtual passkey service
3. Add user to IPA and set auth_type to passkey
4. Register passkey with IPA user
:steps:
1. Login through GDM using Passkey with PIN
:expectedresults:
Expand All @@ -76,6 +84,7 @@ def test_gdm__passkey_login_with_pin(client: Client, ipa: IPA):
client.gdm.kb_send("tab")
client.gdm.click_on("Security key PIN")
client.gdm.kb_write(pin)
client.gdm.assert_text("Touch security key")
client.vfido.touch()
client.gdm.wait_for_login(client)
assert client.gdm.check_home_screen(), "User unable to login or see home screen"
Expand All @@ -88,11 +97,10 @@ def test_gdm__passkey_login_no_pin(client: Client, ipa: IPA):
:title: Login via GDM using passkey with no PIN set
:setup:
1. Configure SSSD for gdm-switchable-auth and pam_cert_auth
2. Start SSSD
3. Start virtual passkey service with PIN disabled
4. Add user to IPA and set auth_type to passkey
5. Allow authentication without PIN for IPA users
6. Register passkey with IPA user
2. Start virtual passkey service with PIN disabled
3. Add user to IPA and set auth_type to passkey
4. Allow authentication without PIN for IPA users
5. Register passkey with IPA user
:steps:
1. Login through GDM using Passkey without PIN
:expectedresults:
Expand All @@ -119,7 +127,6 @@ def test_gdm__passkey_login_no_pin(client: Client, ipa: IPA):
client.gdm.kb_send("tab")
client.gdm.click_on("Security key PIN")
client.gdm.kb_send("enter")
client.gdm.kb_send("tab")
client.gdm.assert_text("Touch security key")
client.vfido.touch()
client.gdm.wait_for_login(client)
Expand All @@ -137,10 +144,9 @@ def test_gdm__passkey_login_with_password(client: Client, ipa: IPA):

:setup:
1. Configure SSSD for gdm-switchable-auth and pam_cert_auth
2. Start SSSD
3. Start virtual passkey service
4. Add user to IPA and set auth_type to passkey and password
6. Register passkey with IPA user
2. Start virtual passkey service
3. Add user to IPA and set auth_type to passkey and password
4. Register passkey with IPA user
:steps:
1. Login through GDM using Password
:expectedresults:
Expand Down Expand Up @@ -171,7 +177,6 @@ def test_gdm__passkey_login_with_password(client: Client, ipa: IPA):
client.gdm.click_on("Password")
client.gdm.kb_write(password)
client.gdm.wait_for_login(client)

assert client.gdm.check_home_screen(), "User unable to login or see home screen"


Expand All @@ -183,11 +188,10 @@ def test_gdm__passkey_login_with_multiple_keys(client: Client, ipa: IPA):

:setup:
1. Configure SSSD for gdm-switchable-auth and pam_cert_auth
2. Start SSSD
3. Start virtual passkey service
4. Add user to IPA and set auth_type to passkey
5. Register passkey with IPA user
6. Register another passkey with IPA user on same device
2. Start virtual passkey service
3. Add user to IPA and set auth_type to passkey
4. Register passkey with IPA user
5. Register another passkey with IPA user on same device
:steps:
1. Login through GDM using Passkey with PIN
:expectedresults:
Expand All @@ -203,13 +207,9 @@ def test_gdm__passkey_login_with_multiple_keys(client: Client, ipa: IPA):
# Add IPA User
ipa.user(testuser).add(user_auth_type="passkey")

time.sleep(1)

# Register passkey with IPA User
ipa.user(testuser).passkey_add_register(client=client, pin=pin, virt_type="vfido")

time.sleep(1)

# Register passkey with IPA User again to get second key
ipa.user(testuser).passkey_add_register(client=client, pin=pin, virt_type="vfido")

Expand All @@ -219,6 +219,7 @@ def test_gdm__passkey_login_with_multiple_keys(client: Client, ipa: IPA):
client.gdm.kb_send("tab")
client.gdm.click_on("Security key PIN")
client.gdm.kb_write(pin)
client.gdm.assert_text("Touch security key")
client.vfido.touch()
client.gdm.wait_for_login(client)
assert client.gdm.check_home_screen(), "User unable to login or see home screen"
Expand All @@ -231,11 +232,10 @@ def test_gdm__passkey_login_remove_passkey_mapping(client: Client, ipa: IPA):
:title: Login via GDM fails when passkey mapping removed from user
:setup:
1. Configure SSSD for gdm-switchable-auth and pam_cert_auth
2. Start SSSD
3. Start virtual passkey service
4. Add user to IPA and set auth_type to passkey
5. Register passkey with IPA user
6. Remove user passkey mapping from IPA
2. Start virtual passkey service
3. Add user to IPA and set auth_type to passkey
4. Register passkey with IPA user
5. Remove user passkey mapping from IPA
:steps:
1. Login through GDM using Passkey with PIN
:expectedresults:
Expand Down Expand Up @@ -274,12 +274,11 @@ def test_gdm__passkey_login_with_unregistered_mapping(client: Client, ipa: IPA):
:title: Login via GDM fails with unregistered passkey mapping
:setup:
1. Configure SSSD for gdm-switchable-auth and pam_cert_auth
2. Start SSSD
3. Start virtual passkey service
4. Add user to IPA and set auth_type to passkey
5. Register passkey with IPA user
6. Remove user passkey mapping from IPA
7. Add bad passkey mapping to user in IPA
2. Start virtual passkey service
3. Add user to IPA and set auth_type to passkey
4. Register passkey with IPA user
5. Remove user passkey mapping from IPA
6. Add bad passkey mapping to user in IPA
:steps:
1. Login through GDM using Passkey with PIN
:expectedresults:
Expand All @@ -303,8 +302,6 @@ def test_gdm__passkey_login_with_unregistered_mapping(client: Client, ipa: IPA):
# Register passkey with IPA User
ipa.user(testuser).passkey_add_register(client=client, pin=pin, virt_type="vfido")

pytest.set_trace()

# Remove passkey mapping
result = ipa.user(testuser).get(["ipapasskey"])
if result is not None:
Expand All @@ -321,8 +318,6 @@ def test_gdm__passkey_login_with_unregistered_mapping(client: Client, ipa: IPA):
client.gdm.kb_send("tab")
client.gdm.click_on("Security key PIN")
client.gdm.kb_write(pin)

client.gdm.kb_send("tab")
assert client.gdm.assert_text("Security key PIN"), "User was not prompted again for PIN as expected!"


Expand All @@ -333,10 +328,9 @@ def test_gdm__passkey_local_with_pin(client: Client, ldap: LDAP):
:title: Login via GDM using passkey with PIN with a local setup
:setup:
1. Configure SSSD for gdm-switchable-auth and pam_cert_auth
2. Start SSSD
3. Start virtual passkey service
4. Add user to IPA and set auth_type to passkey
5. Register passkey with IPA user
2. Start virtual passkey service
3. Add user to IPA and set auth_type to passkey
4. Register passkey with IPA user
:steps:
1. Login through GDM using Passkey with PIN
:expectedresults:
Expand Down Expand Up @@ -364,9 +358,9 @@ def test_gdm__passkey_local_with_pin(client: Client, ldap: LDAP):
client.gdm.kb_send("tab")
client.gdm.click_on("Security key PIN")
client.gdm.kb_write(pin)
client.gdm.assert_text("Touch security key")
client.vfido.touch()
client.gdm.wait_for_login(client)

assert client.gdm.check_home_screen(), "User unable to login or see home screen"


Expand All @@ -378,11 +372,12 @@ def test_gdm__passkey_local_no_pin(client: Client, ldap: LDAP):
:title: Login via GDM using passkey with no PIN set with a local setup
:setup:
1. Configure SSSD for gdm-switchable-auth
2. Start SSSD
3. Start virtual passkey service
4. Add user to LDAP
5. Register passkey with sssctl for LDAP user
6. Add passkey mapping to LDAP user
2. Configure SSSD passkey user_verification to False
3. Restart SSSD
4. Start virtual passkey service
5. Add user to LDAP
6. Register passkey with sssctl for LDAP user
7. Add passkey mapping to LDAP user
:steps:
1. Login through GDM using Passkey with PIN
:expectedresults:
Expand All @@ -393,6 +388,8 @@ def test_gdm__passkey_local_no_pin(client: Client, ldap: LDAP):

# Configure SSSD and vfido
client_setup_for_passkey(client, ldap, pin=None)
client.sssd.sssd["passkey_verification"] = "user_verification=false"
client.sssd.restart()

# Add IPA User
ldap.user(testuser).add()
Expand All @@ -409,7 +406,6 @@ def test_gdm__passkey_local_no_pin(client: Client, ldap: LDAP):
client.gdm.kb_send("tab")
client.gdm.click_on("Security key PIN")
client.gdm.kb_send("enter")
client.gdm.kb_send("tab")
client.gdm.assert_text("Touch security key")
client.vfido.touch()
client.gdm.wait_for_login(client)
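Review bot: The `client.gdm.assert_text("Touch security key")` calls placed before `client.vfido.touch()` in the with_pin, multiple_keys and local_with_pin tests discard the return value, while test_gdm__passkey_login_with_unregistered_mapping wraps the same helper in `assert client.gdm.assert_text("Security key PIN"), ...`. The helper's contract is not visible on this page; if it returns a bool rather than raising, these checks can never fail and should read `assert client.gdm.assert_text("Touch security key"), "Touch prompt not shown"`. In the unregistered-mapping test the asserted string is the same label that `click_on("Security key PIN")` matched before the PIN was typed, so that check may pass without the login having been rejected. Asserting on a state that only exists after denial, for example that `client.gdm.check_home_screen()` is false, would pin the negative case. The test bodies start and end outside the visible hunks.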