From: Adrian Vovk <adrianvovk@gmail.com>
Date: Tue, 5 Mar 2024 17:25:42 +0000 (-0500)
Subject: TEST-46-HOMED: Disable auth rate-limiting
X-Git-Tag: v256-rc1~434^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F31552%2Fhead;p=thirdparty%2Fsystemd.git

TEST-46-HOMED: Disable auth rate-limiting

Rate limiting authentication attempts in the test can cause somewhat
sporadic test failures: adding a test case might suddenly cause future
test cases to fail because of too many authentication attempts too
quickly

We're not trying to test the rate-limiting, we're trying to test the
functionality of homed. So we effectively disable rate-limiting on all
the home areas we create
---

diff --git a/test/units/testsuite-46.sh b/test/units/testsuite-46.sh
index f8275106405..b20b39d762b 100755
--- a/test/units/testsuite-46.sh
+++ b/test/units/testsuite-46.sh
@@ -42,13 +42,16 @@ mount -t tmpfs tmpfs /home -o size=290M
 
 # we enable --luks-discard= since we run our tests in a tight VM, hence don't
 # needlessly pressure for storage. We also set the cheapest KDF, since we don't
-# want to waste CI CPU cycles on it.
+# want to waste CI CPU cycles on it. We also effectively disable rate-limiting on
+# the user by allowing 1000 logins per second
 NEWPASSWORD=xEhErW0ndafV4s homectl create test-user \
            --disk-size=min \
            --luks-discard=yes \
            --image-path=/home/test-user.home \
            --luks-pbkdf-type=pbkdf2 \
-           --luks-pbkdf-time-cost=1ms
+           --luks-pbkdf-time-cost=1ms \
+           --rate-limit-interval=1s \
+           --rate-limit-burst=1000
 inspect test-user
 
 PASSWORD=xEhErW0ndafV4s homectl authenticate test-user
@@ -168,7 +171,9 @@ if ! systemd-detect-virt -cq ; then
            --luks-discard=yes \
            --image-path=/home/test-user2.home \
            --luks-pbkdf-type=pbkdf2 \
-           --luks-pbkdf-time-cost=1ms
+           --luks-pbkdf-time-cost=1ms \
+           --rate-limit-interval=1s \
+           --rate-limit-burst=1000
     inspect test-user2
 
     # activate second user
@@ -198,7 +203,9 @@ PASSWORD=xEhErW0ndafV4s homectl with test-user -- test ! -f /home/test-user/xyz
 (! PASSWORD=xEhErW0ndafV4s homectl with test-user -- test -f /home/test-user/xyz)
 PASSWORD=xEhErW0ndafV4s homectl with test-user -- touch /home/test-user/xyz
 PASSWORD=xEhErW0ndafV4s homectl with test-user -- test -f /home/test-user/xyz
-# CAREFUL adding more `homectl with` tests here. Auth can get rate-limited and cause the tests to fail.
+PASSWORD=xEhErW0ndafV4s homectl with test-user -- rm /home/test-user/xyz
+PASSWORD=xEhErW0ndafV4s homectl with test-user -- test ! -f /home/test-user/xyz
+(! PASSWORD=xEhErW0ndafV4s homectl with test-user -- test -f /home/test-user/xyz)
 
 wait_for_state test-user inactive
 homectl remove test-user
@@ -231,6 +238,7 @@ dd if=/dev/urandom of=/tmp/external-toobig bs=1M count=65
 NEWPASSWORD=EMJuc3zQaMibJo homectl create blob-user \
            --disk-size=min --luks-discard=yes \
            --luks-pbkdf-type=pbkdf2 --luks-pbkdf-time-cost=1ms \
+           --rate-limit-interval=1s --rate-limit-burst=1000 \
            --uid=12345 \
            --blob=/tmp/blob1
 inspect blob-user
@@ -511,6 +519,8 @@ if command -v ssh &>/dev/null && command -v sshd &>/dev/null && ! [[ -v ASAN_OPT
                        --luks-discard=yes \
                        --luks-pbkdf-type=pbkdf2 \
                        --luks-pbkdf-time-cost=1ms \
+                       --rate-limit-interval=1s \
+                       --rate-limit-burst=1000 \
                        --enforce-password-policy=no \
                        --ssh-authorized-keys=@/tmp/homed.id_ecdsa.pub \
                        --stop-delay=0 \