ipa otptoken-sync: return error when sync fails #6472
The command ipa otptoken-sync does not properly handle errors happening during the synchronization step.
- Even if an error is detected (such as invalid password provided), the command exits with return code = 0. An error message is displayed but the exit code should be 1.
- When an invalid token is provided, the token is not synchronized but the error is not reported back to the ipa otptoken-sync command.

The first issue can be fixed by raising an exception when the HTTP response contains a header with an error.
The second issue is fixed by returning LDAP_INVALID_CREDENTIALS to ldap bind with the sync control if synchronization fails.

Fixes: https://pagure.io/freeipa/issue/9248
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Scenario: call ipa otptoken-sync with
- an invalid password
- an invalid first token (containing non-digits)
- an invalid sequence of tokens

The test expects a return code = 1.

Related: https://pagure.io/freeipa/issue/9248
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Thanks for the patch, this looks very good. I just have one (pedantic) question.
Yes, that's exactly my intent: keep track of the sequence for the generated token values.
Ack, please remove the Temp commit
bc0e481 to 1237c7d
Thanks for the review. Temp commit removed.
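The client-side half of the fix described in the pull request (raise on an error reported in a response header, so the command exits with 1) can be sketched as follows. This is an added example, not code from the pull request or from FreeIPA: the header name, the result values and the function names are hypothetical, and the responses are constructed.

```python
import sys

# Hypothetical header name and result values, chosen for this example.
RESULT_HEADER = "X-Example-Sync-Result"
RESULT_MESSAGES = {
    "ok": "Token synchronized",
    "invalid-credentials": "Invalid credentials or token codes",
    "error": "Token synchronization failed",
}


class SyncError(Exception):
    """Raised when the sync response reports anything other than success."""


def check_sync_response(status_code, headers):
    """Return the success message or raise SyncError.

    Header lookup is case-insensitive; a missing or unrecognised result
    fails closed instead of being treated as success.
    """
    if status_code != 200:
        raise SyncError(f"unexpected HTTP status {status_code}")
    normalized = {k.lower(): v.strip().lower() for k, v in headers.items()}
    result = normalized.get(RESULT_HEADER.lower())
    if result is None:
        raise SyncError("response carries no sync result header")
    if result != "ok":
        raise SyncError(RESULT_MESSAGES.get(result, f"unknown result {result!r}"))
    return RESULT_MESSAGES["ok"]


def run(status_code, headers, err=sys.stderr):
    """CLI wrapper: map the outcome to a process exit code (0 or 1)."""
    try:
        print(check_sync_response(status_code, headers))
    except SyncError as exc:
        # The message alone is not enough: callers act on the exit code.
        print(f"error: {exc}", file=err)
        return 1
    return 0


if __name__ == "__main__":
    # Constructed responses: one success, one rejected credential.
    print(run(200, {RESULT_HEADER: "ok"}))
    print(run(200, {"x-example-sync-result": "invalid-credentials"}))
```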