From 3baae8d1bd0a0c4c707314524289e86e6ecbc0df Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Mar 16 2022 14:21:52 +0000
Subject: test_otp: do not use paramiko unless it is really needed


paramiko cannot be used in FIPS mode. We have few tests that import
generic methods from test_otp (add_token/del_token) and those tests fail
in FIPS mode due to unconditional 'import paramiko'.

Instead, move 'import paramiko' to the ssh_2f() helper which is not used
in FIPS mode (the whole SSH 2FA test is skipped then).

Related: https://pagure.io/freeipa/issue/9119

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>

---

diff --git a/ipatests/test_integration/test_otp.py b/ipatests/test_integration/test_otp.py
index bec76d2..04bef46 100644
--- a/ipatests/test_integration/test_otp.py
+++ b/ipatests/test_integration/test_otp.py
@@ -5,7 +5,6 @@
 """
 import base64
 import logging
-import paramiko
 import pytest
 import re
 import time
@@ -102,6 +101,8 @@ def ssh_2f(hostname, username, answers_dict, port=22):
             logger.info(
                 "Answer to ssh prompt is: '%s'", answers_dict[prmpt_str])
         return resp
+
+    import paramiko
     trans = paramiko.Transport((hostname, port))
     trans.connect()
     trans.auth_interactive(username, answer_handler)