ipa otptoken-sync: return error when sync fails

[flo-renaud]

The command ipa otptoken-sync does not properly handle
errors happening during the synchronization step.

• Even if an error is detected (such as invalid password
  provided), the command exits with return code = 0. An
  error message is displayed but the exit code should be 1.

• When an invalid token is provided, the token is not
  synchronized but the error is not reported back to the
  ipa otptoken-sync command.

The first issue can be fixed by raising an exception when
the HTTP response contains an header with an error.
The second issue is fixed by returning LDAP_INVALID_CREDENTIALS
to ldap bind with the sync control if synchronization fails.

Fixes: https://pagure.io/freeipa/issue/9248

[rcritten]

Thanks for the patch, this looks very good. I just have one (pedantic) question.
With otp2/otp3/otp4 are you trying to make this values unambiguous with the otp1 in desynchronized_hotp ?
It took me a second to figure it out and it makes sense so that which value is used is clear, but then again otp1 should be out-of-scope of the test functions. I'm not asking for a change, just curious if I'm understanding your thought process.

[flo-renaud]

With otp2/otp3/otp4 are you trying to make this values unambiguous with the otp1 in desynchronized_hotp ?
It took me a second to figure it out and it makes sense so that which value is used is clear, but then again otp1 should be out-of-scope of the test functions. I'm not asking for a change, just curious if I'm understanding your thought process.

Yes, that's exactly my intent: keep track of the sequence for the generated token values.

[rcritten]

Ack, please remove the Temp commit

[flo-renaud]

Thanks for the review. Temp commit removed.

[rcritten]

master:

• f1b2d8a ipa otptoken-sync: return error when sync fails
• 59db0fa ipatests: add negative test for otptoken-sync