From 73ae4c77f38a7453fa166a01a683c6cd638f2746 Mon Sep 17 00:00:00 2001 From: François Cami Date: Jul 29 2020 11:53:52 +0000 Subject: ipatests: test_commands: test_ssh_key_connection: Paramiko=>OpenSSH Paramiko is not compatible with FIPS. Migrate test_ssh_key_connection to the OpenSSH CLI SSH(1). Rationale: this is exactly what clients use. Fixes: https://pagure.io/freeipa/issue/8129 Signed-off-by: François Cami Reviewed-By: Mohammad Rizwan Reviewed-By: Michal Polovka
---
diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
index e9c8bf6..e18a126 100644
--- a/ipatests/test_integration/test_commands.py
+++ b/ipatests/test_integration/test_commands.py
@@ -10,6 +10,7 @@ import re
 import os
 import logging
 import random
+import shlex
 import ssl
 from itertools import chain, repeat
 import textwrap
@@ -610,12 +611,8 @@ class TestIPACommand(IntegrationTest):
 """
 Integration test for https://pagure.io/SSSD/sssd/issue/3747
 """
- if self.master.is_fips_mode: # pylint: disable=no-member
- pytest.skip("paramiko is not compatible with FIPS mode")
 test_user = 'test-ssh'
- external_master_hostname = \
- self.master.external_hostname
 pub_keys = []
@@ -625,37 +622,26 @@ class TestIPACommand(IntegrationTest): with open(os.path.join( tmpdir, 'ssh_priv_{}'.format(i)), 'w') as fp: fp.write(ssh_key_pair[0]) + fp.write(os.linesep) tasks.kinit_admin(self.master) self.master.run_command(['ipa', 'user-add', test_user, '--first=tester', '--last=tester']) keys_opts = ' '.join(['--ssh "{}"'.format(k) for k in pub_keys]) - cmd = 'ipa user-mod {} {}'.format(test_user, keys_opts) - self.master.run_command(cmd) + self.master.run_command( + shlex.split('ipa user-mod {} {}'.format(test_user, keys_opts)) + ) # connect with first SSH key first_priv_key_path = os.path.join(tmpdir, 'ssh_priv_1') # change private key permission to comply with SS rules os.chmod(first_priv_key_path, 0o600) - sshcon = paramiko.SSHClient() - sshcon.set_missing_host_key_policy(paramiko.AutoAddPolicy()) - - # first connection attempt is a workaround for - # https://pagure.io/SSSD/sssd/issue/3669 - try: - sshcon.connect(external_master_hostname, username=test_user, - key_filename=first_priv_key_path, timeout=1) - except (paramiko.AuthenticationException, paramiko.SSHException): - pass - - try: - sshcon.connect(external_master_hostname, username=test_user, - key_filename=first_priv_key_path, timeout=1) - except (paramiko.AuthenticationException, - paramiko.SSHException) as e: - pytest.fail('Authentication using SSH key not successful', e) + tasks.run_ssh_cmd( + to_host=self.master.external_hostname, username=test_user, + auth_method="key", private_key_path=first_priv_key_path + ) journal_cmd = ['journalctl', '--since=today', '-u', 'sshd'] result = self.master.run_command(journal_cmd)
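Review bot: The new `ipa user-mod` call still formats the keys into one string with hand-written `"{}"` quoting and then re-parses it with `shlex.split`, so the argv that reaches the server is only right while no key or its comment field contains a `"` or a backslash. Building the argument list directly removes that quoting round trip: `keys_opts = list(chain.from_iterable(('--ssh', k) for k in pub_keys))` followed by `self.master.run_command(['ipa', 'user-mod', test_user] + keys_opts)`, using the `chain` the file already imports. Separately, the paramiko version failed the test explicitly through `pytest.fail`, while the new code relies on `tasks.run_ssh_cmd` to raise on a failed login; that helper is defined outside this diff, so it is worth confirming that it does, and how it treats the server's host key. The test method itself starts and ends outside the hunk.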