From c24137e22e2359a1fa470a71aae153c609ea4c3b Mon Sep 17 00:00:00 2001
From: Michal Reznik <mreznik@redhat.com>
Date: Sep 12 2018 14:22:27 +0000
Subject: tests: sssd_ssh fd leaks when user cert converted into SSH key


https://pagure.io/freeipa/issue/7687

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>

---

diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
index bc59e75..2a3c5f5 100644
--- a/ipatests/pytest_ipa/integration/tasks.py
+++ b/ipatests/pytest_ipa/integration/tasks.py
@@ -1475,3 +1475,4 @@ def generate_ssh_keypair():
     public_key_str = public_key.decode('utf-8')
 
     return (private_key_str, public_key_str)
+
diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
index dbe1ebe..8062593 100644
--- a/ipatests/test_integration/test_commands.py
+++ b/ipatests/test_integration/test_commands.py
@@ -11,6 +11,7 @@ import os
 import logging
 import ssl
 from tempfile import NamedTemporaryFile
+from itertools import chain, repeat
 import textwrap
 import time
 import paramiko
@@ -20,6 +21,7 @@ from ipaplatform.paths import paths
 
 from ipatests.test_integration.base import IntegrationTest
 from ipatests.pytest_ipa.integration import tasks
+from ipatests.pytest_ipa.integration.create_external_ca import ExternalCA
 
 logger = logging.getLogger(__name__)
 
@@ -327,3 +329,49 @@ class TestIPACommand(IntegrationTest):
 
         # cleanup
         self.master.run_command(['ipa', 'user-del', test_user])
+
+    def test_ssh_leak(self):
+        """
+        Integration test for https://pagure.io/SSSD/sssd/issue/3794
+        """
+
+        def count_pipes():
+
+            res = self.master.run_command(['pidof', 'sssd_ssh'])
+            pid = res.stdout_text.strip()
+            proc_path = '/proc/{}/fd'.format(pid)
+            res = self.master.run_command(['ls', '-la', proc_path])
+            fds_text = res.stdout_text.strip()
+            return sum((1 for _ in re.finditer(r'pipe', fds_text)))
+
+        test_user = 'test-ssh'
+
+        tasks.kinit_admin(self.master)
+        self.master.run_command(['ipa', 'user-add', test_user,
+                                 '--first=tester', '--last=tester'])
+
+        certs = []
+
+        # we are ok with whatever certificate for this test
+        external_ca = ExternalCA()
+        for _dummy in range(3):
+            cert = external_ca.create_ca()
+            cert = tasks.strip_cert_header(cert.decode('utf-8'))
+            certs.append('"{}"'.format(cert))
+
+        cert_args = list(
+            chain.from_iterable(list(zip(repeat('--certificate'), certs))))
+        cmd = 'ipa user-add-cert {} {}'.format(test_user, ' '.join(cert_args))
+        self.master.run_command(cmd)
+
+        tasks.clear_sssd_cache(self.master)
+
+        num_of_pipes = count_pipes()
+
+        for _dummy in range(3):
+            self.master.run_command([paths.SSS_SSH_AUTHORIZEDKEYS, test_user])
+            current_num_of_pipes = count_pipes()
+            assert current_num_of_pipes == num_of_pipes
+
+        # cleanup
+        self.master.run_command(['ipa', 'user-del', test_user])