Conversation
Summary of ChangesHello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request introduces several enhancements to the SSSD test framework, primarily focusing on Kerberos-related testing utilities. It integrates new Kerberos keytab and authentication utilities into the client role, expands the capabilities for creating KDC principals with more specific options, and adds a robust method for changing user passwords via SSH, which is crucial for testing Kerberos password change flows. These changes collectively improve the framework's ability to simulate and test complex Kerberos authentication scenarios. Highlights
🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console. Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here. Footnotes
|
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request introduces changes for Kerberos-related testing utilities. The modifications to kdc.py to allow for more flexible principal creation and the additions to client.py are well-implemented. I've identified a small area for improvement in a new expect script within authentication.py to enhance its reliability.
| set timeout {DEFAULT_AUTHENTICATION_TIMEOUT} | ||
| spawn ssh -o StrictHostKeyChecking=no -l {user} {host} | ||
| expect -nocase "*password:" | ||
| send "{password}\r" | ||
| sleep 5 | ||
| send "passwd\r" | ||
| expect -nocase "*Current Password:" | ||
| send "{password}\r" | ||
| expect -nocase "New password:" | ||
| send "{new_password}\r" | ||
| expect -nocase "Retype new password:" | ||
| send "{retyped}\r" | ||
| expect -re "passwd: .+ updated successfully" | ||
| send "exit\r" | ||
| expect eof |
There was a problem hiding this comment.
Using a fixed sleep is unreliable and can lead to flaky tests. It's better to wait for the shell prompt after logging in before sending the passwd command. This ensures the session is ready for the next command and makes the test more robust. Please define and expect the shell prompt instead of using sleep 5.
set timeout {DEFAULT_AUTHENTICATION_TIMEOUT}
set prompt "\n.*\[#\$>\] $"
spawn ssh -o StrictHostKeyChecking=no -l {user} {host}
expect -nocase "*password:"
send "{password}\r"
expect -re $prompt
send "passwd\r"
expect -nocase "*Current Password:"
send "{password}\r"
expect -nocase "New password:"
send "{new_password}\r"
expect -nocase "Retype new password:"
send "{retyped}\r"
expect -re "passwd: .+ updated successfully"
send "exit\r"
expect eof
madhuriupadhye
force-pushed
the
krb_misc
branch
2 times, most recently
from
4248db6 to
b1d3713
Compare
Signed-off-by: Madhuri Upadhye <mupadhye@redhat.com>
madhuriupadhye
force-pushed
the
krb_misc
branch
from
b1d3713 to
fb27c3a
Compare
danlavu
left a comment
danlavu
left a comment
There was a problem hiding this comment.
So, I looked at the tests, and I don't think it's important to do this on LDAP/KRB5. I suggest we convert the tests and use the IPA provider. Thoughts?
| *, | ||
| password: str | None = "Secret123", | ||
| requires_preauth: bool = False, | ||
| extra_options: str | None = None, |
There was a problem hiding this comment.
nitpick, we use args everywhere else. I would just use the same variable name.
| opts.append("+requires_preauth") | ||
| if extra_options: | ||
| opts.append(extra_options) | ||
| opts_str = " " + " ".join(opts) if opts else "" |
There was a problem hiding this comment.
Nitpick, I find this strange, for the leading space? I think it's more readable, add a space in the command on line 195, -randkey {opt_str} "{self.name}"
| raise ExpectScriptError(result.rc) | ||
|
|
||
| return result.rc == 0 | ||
|
|
There was a problem hiding this comment.
Why is it important that this is done via SSH?
Only BZ 773660 (clock skew) can use IPA — krb5_child runs the same way under IPA auth. BZ 869150 and BZ 805281 cannot — they require manual keytab manipulation (remove, replace), which breaks IPA enrollment. IPA owns its keytab and uses ipa_child instead of ldap_child, so the bug paths aren't exercised. |
Ack, understood. I'd like to better understand the case for passwd over SSH. If it's simply logging in via ssh, then issuing 'passwd', we should make it like the others. Because we have
make it
|
3 participants
No description provided.