tests: add 'expo_force' tests

The new value for the ldap_pwmodify_mode option 'exop_force' is added to
existing test. A new test to illustrate the different behavior of 'exop'
and 'exop_force' is added.

src/tests/system/tests/test_ldap.py

@@ -12,11 +12,12 @@
 from sssd_test_framework.roles.client import Client
 from sssd_test_framework.roles.ldap import LDAP
 from sssd_test_framework.topology import KnownTopology
+from sssd_test_framework.misc.errors import ExpectScriptError
 
 
 @pytest.mark.ticket(bz=[795044, 1695574])
 @pytest.mark.importance("critical")
-@pytest.mark.parametrize("modify_mode", ["exop", "ldap_modify"])
+@pytest.mark.parametrize("modify_mode", ["exop", "ldap_modify", "exop_force"])
 @pytest.mark.parametrize("use_ppolicy", ["true", "false"])
 @pytest.mark.parametrize("sssd_service_user", ("root", "sssd"))
 @pytest.mark.topology(KnownTopology.LDAP)
@@ -75,7 +76,7 @@ def test_ldap__password_change_using_ppolicy(
 
 @pytest.mark.ticket(bz=[795044, 1695574])
 @pytest.mark.importance("critical")
-@pytest.mark.parametrize("modify_mode", ["exop", "ldap_modify"])
+@pytest.mark.parametrize("modify_mode", ["exop", "ldap_modify", "exop_force"])
 @pytest.mark.parametrize("use_ppolicy", ["true", "false"])
 @pytest.mark.topology(KnownTopology.LDAP)
 @pytest.mark.builtwith("ldap_use_ppolicy")
@@ -109,7 +110,7 @@ def test_ldap__password_change_new_passwords_do_not_match_using_ppolicy(
 
 @pytest.mark.ticket(bz=[795044, 1695574, 1795220])
 @pytest.mark.importance("critical")
-@pytest.mark.parametrize("modify_mode", ["exop", "ldap_modify"])
+@pytest.mark.parametrize("modify_mode", ["exop", "ldap_modify", "exop_force"])
 @pytest.mark.parametrize("use_ppolicy", ["true", "false"])
 @pytest.mark.topology(KnownTopology.LDAP)
 @pytest.mark.builtwith("ldap_use_ppolicy")
@@ -152,7 +153,7 @@ def test_ldap__password_change_new_password_does_not_meet_complexity_requirement
 
 @pytest.mark.ticket(bz=[1695574, 1795220])
 @pytest.mark.importance("critical")
-@pytest.mark.parametrize("modify_mode", ["exop", "ldap_modify"])
+@pytest.mark.parametrize("modify_mode", ["exop", "ldap_modify", "exop_force"])
 @pytest.mark.parametrize("use_ppolicy", ["true", "false"])
 @pytest.mark.topology(KnownTopology.LDAP)
 @pytest.mark.builtwith("ldap_use_ppolicy")
@@ -454,3 +455,55 @@ def test_ldap__lookup_and_authenticate_as_user_with_different_object_search_base
     assert result is not None, "User is not found!"
     assert result.name == user.name, "Username is not correct!"
     assert client.auth.ssh.password(user.name, "Secret123"), "User login failed!"
+
+@pytest.mark.ticket(jira="RHEL-55993")
+@pytest.mark.importance("critical")
+@pytest.mark.parametrize("modify_mode", ["exop", "exop_force"])
+@pytest.mark.topology(KnownTopology.LDAP)
+def test_ldap__password_change_no_grace_logins_left(
+    client: Client, ldap: LDAP, modify_mode: str
+):
+    """
+    :title: Password change when no grace logins left
+    :setup:
+        1. Set "passwordExp" to "on"
+        2. Set "passwordMaxAge" to "1"
+        3. Set "passwordGraceLimit" to "0"
+        4. Add a user to LDAP
+        5. Wait until the password is expired
+        6. Set "ldap_pwmodify_mode"
+        7. Start SSSD
+    :steps:
+        1. Authenticate as the user with 'exop_force' set
+        1. Authenticate as the user with 'exop' set
+    :expectedresults:
+        1. With 'exop_force' expect a password change which will fail
+        2. With 'exop' expect just a failed login
+    :customerscenario: False
+    """
+    ldap.ldap.modify("cn=config", replace={"passwordExp": "on"})
+    ldap.ldap.modify("cn=config", replace={"passwordMaxAge": "1"})
+    ldap.ldap.modify("cn=config", replace={"passwordGraceLimit": "0"})
+    ldap.user("user1").add(password="Secret123")
+
+    # make sure the password is expired
+    time.sleep(3)
+
+    client.sssd.domain["ldap_pwmodify_mode"] = modify_mode
+    client.sssd.start()
+
+    match modify_mode:
+        case "exop_force":
+            raised = False
+            try:
+                assert not client.auth.ssh.password_expired(
+                    "user1", "Secret123", "red_32"
+                ), "Password should not have been able to be changed!"
+            except ExpectScriptError as e:
+                assert e.code == 202, "Unexpected error code"
+                raised = True
+            assert raised, "No expection raised"
+
+        case "exop":
+            assert not client.auth.ssh.password("user1", "Secret123"
+                ), "Login with exired password worked!"