From bbe436d012638fe9205f08b5a66e948fbbba1fd3 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@mistotebe.net>
Date: Thu, 9 Oct 2025 12:50:09 +0100
Subject: [PATCH] ITS#10313 Add a chaining test

---
 tests/scripts/test080-hotp | 222 ++++++++++++++++++++++++++++++++++++-
 1 file changed, 216 insertions(+), 6 deletions(-)

diff --git a/tests/scripts/test080-hotp b/tests/scripts/test080-hotp
index c75e42ec3b..d146817e3d 100755
--- a/tests/scripts/test080-hotp
+++ b/tests/scripts/test080-hotp
@@ -41,6 +41,8 @@ TOKEN_10=409144
 TOKEN_SHA512_11=17544155
 TOKEN_SHA512_12=48953477
 TOKEN_SHA512_13=94485071
+TOKEN_SHA512_14=72871903
+TOKEN_SHA512_15=93883960
 
 mkdir -p $TESTDIR $DBDIR1
 
@@ -67,6 +69,7 @@ if test $WAIT != 0 ; then
     echo PID $PID
     read foo
 fi
+PROVIDERPID="$PID"
 KILLPIDS="$PID"
 
 sleep $SLEEP0
@@ -132,7 +135,7 @@ RC=$?
 if test $RC != 49 ; then
     echo "ldapwhoami should have failed ($RC)!"
     test $KILLSERVERS != no && kill -HUP $KILLPIDS
-    exit $RC
+    exit 1
 fi
 
 echo "\ta valid and expected token..."
@@ -162,7 +165,7 @@ RC=$?
 if test $RC != 49 ; then
     echo "ldapwhoami should have failed ($RC)!"
     test $KILLSERVERS != no && kill -HUP $KILLPIDS
-    exit $RC
+    exit 1
 fi
 
 echo "\tanother account sharing the same token..."
@@ -182,7 +185,7 @@ RC=$?
 if test $RC != 49 ; then
     echo "ldapwhoami should have failed ($RC)!"
     test $KILLSERVERS != no && kill -HUP $KILLPIDS
-    exit $RC
+    exit 1
 fi
 
 echo "\tright token, wrong password..."
@@ -192,7 +195,7 @@ RC=$?
 if test $RC != 49 ; then
     echo "ldapwhoami should have failed ($RC)!"
     test $KILLSERVERS != no && kill -HUP $KILLPIDS
-    exit $RC
+    exit 1
 fi
 
 echo "\tmaking sure previous token has been retired too..."
@@ -202,7 +205,7 @@ RC=$?
 if test $RC != 49 ; then
     echo "ldapwhoami should have failed ($RC)!"
     test $KILLSERVERS != no && kill -HUP $KILLPIDS
-    exit $RC
+    exit 1
 fi
 
 echo "\tthe first token we tested that's just become valid..."
@@ -239,7 +242,7 @@ RC=$?
 if test $RC != 49 ; then
     echo "ldapwhoami should have failed ($RC)!"
     test $KILLSERVERS != no && kill -HUP $KILLPIDS
-    exit $RC
+    exit 1
 fi
 
 echo "\ta valid and expected token..."
@@ -275,6 +278,213 @@ if test $RC != 0 ; then
 	exit $RC
 fi
 
+if test "$BACKLDAP" != "ldapno" && test "$SYNCPROV" != "syncprovno"  ; then 
+echo ""
+echo "Setting up OTP state forwarding test..."
+
+mkdir $DBDIR2
+sed -e "s,$DBDIR1,$DBDIR2," < $CONF1 > $CONF2
+echo "Starting slapd consumer on TCP/IP port $PORT2..."
+$SLAPD -f $CONF2 -h $URI2 -d $LVL > $LOG2 2>&1 &
+CONSUMERPID=$!
+if test $WAIT != 0 ; then
+    echo CONSUMERPID $CONSUMERPID
+    read foo
+fi
+KILLPIDS="$KILLPIDS $CONSUMERPID"
+
+echo "Configuring syncprov on provider..."
+if [ "$SYNCPROV" = syncprovmod ]; then
+	$LDAPADD -D cn=config -H $URI1 -y $CONFIGPWF <<EOF >> $TESTOUT 2>&1
+dn: cn=module,cn=config
+objectclass: olcModuleList
+cn: module
+olcModulePath: $TESTWD/../servers/slapd/overlays
+olcModuleLoad: syncprov.la
+
+EOF
+	RC=$?
+	if test $RC != 0 ; then
+		echo "ldapadd failed for moduleLoad ($RC)!"
+		test $KILLSERVERS != no && kill -HUP $KILLPIDS
+		exit $RC
+	fi
+fi
+
+$LDAPADD -D cn=config -H $URI1 -y $CONFIGPWF <<EOF >> $TESTOUT 2>&1
+dn: olcOverlay={1}syncprov,olcDatabase={1}$BACKEND,cn=config
+objectClass: olcOverlayConfig
+objectClass: olcSyncProvConfig
+olcOverlay: {1}syncprov
+
+EOF
+RC=$?
+if test $RC != 0 ; then
+    echo "ldapadd failed for provider database config ($RC)!"
+    test $KILLSERVERS != no && kill -HUP $KILLPIDS
+    exit $RC
+fi
+
+echo "Using ldapsearch to check that slapd is running..."
+for i in 0 1 2 3 4 5; do
+	$LDAPSEARCH -s base -b "$MONITOR" -H $URI2 \
+		'objectclass=*' > /dev/null 2>&1
+	RC=$?
+	if test $RC = 0 ; then
+		break
+	fi
+	echo "Waiting 5 seconds for slapd to start..."
+	sleep 5
+done
+if test $RC != 0 ; then
+	echo "ldapsearch failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit $RC
+fi
+
+echo "Configuring syncrepl on consumer..."
+if [ "$BACKLDAP" = ldapmod ]; then
+	$LDAPADD -D cn=config -H $URI2 -y $CONFIGPWF <<EOF >> $TESTOUT 2>&1
+dn: cn=module,cn=config
+objectclass: olcModuleList
+cn: module
+olcModulePath: $TESTWD/../servers/slapd/back-ldap
+olcModuleLoad: back_ldap.la
+
+EOF
+	RC=$?
+	if test $RC != 0 ; then
+		echo "ldapadd failed for moduleLoad ($RC)!"
+		test $KILLSERVERS != no && kill -HUP $KILLPIDS
+		exit $RC
+	fi
+fi
+$LDAPMODIFY -D cn=config -H $URI2 -y $CONFIGPWF <<EOF >> $TESTOUT 2>&1
+dn: olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
+changetype: add
+objectClass: olcOverlayConfig
+objectClass: olcChainConfig
+olcOverlay: {0}chain
+
+dn: olcDatabase=ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
+changetype: add
+objectClass: olcLDAPConfig
+objectClass: olcChainDatabase
+olcDBURI: $URI1
+olcDbIDAssertBind: bindmethod=simple
+  binddn="cn=manager,dc=example,dc=com"
+  credentials=secret
+  mode=self
+
+dn: olcDatabase={1}$BACKEND,cn=config
+changetype: modify
+add: olcSyncrepl
+olcSyncrepl: rid=1
+  provider=$URI1
+  binddn="cn=manager,dc=example,dc=com"
+  bindmethod=simple
+  credentials=secret
+  searchbase="dc=example,dc=com"
+  type=refreshAndPersist
+  retry="3 5 300 5"
+-
+add: olcUpdateref
+olcUpdateref: $URI1
+-
+
+EOF
+RC=$?
+if test $RC != 0 ; then
+	echo "ldapmodify failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit $RC
+fi
+
+if [ "$OTP" = otpmod ]; then
+$LDAPADD -D cn=config -H $URI2 -y $CONFIGPWF \
+    >> $TESTOUT 2>&1 <<EOMOD
+dn: cn=module,cn=config
+objectClass: olcModuleList
+cn: module
+olcModulePath: $TESTWD/../servers/slapd/overlays
+olcModuleLoad: otp.la
+EOMOD
+RC=$?
+if test $RC != 0 ; then
+    echo "ldapmodify failed ($RC)!"
+    test $KILLSERVERS != no && kill -HUP $KILLPIDS
+    exit $RC
+fi
+fi
+
+echo "Loading test otp configuration..."
+$LDAPMODIFY -v -D cn=config -H $URI2 -y $CONFIGPWF \
+    >> $TESTOUT 2>&1 <<EOMOD
+dn: olcOverlay={0}otp,olcDatabase={1}$BACKEND,cn=config
+changetype: add
+objectClass: olcOverlayConfig
+EOMOD
+RC=$?
+if test $RC != 0 ; then
+    echo "ldapmodify failed ($RC)!"
+    test $KILLSERVERS != no && kill -HUP $KILLPIDS
+    exit $RC
+fi
+
+echo "Waiting for consumer to sync..."
+sleep $SLEEP1
+
+echo "Consumer+chaining tests:"
+
+echo "\tconsumer accepts a new token..."
+$LDAPWHOAMI -D "$BABSDN" -H $URI2 -w "bjensen$TOKEN_SHA512_14" \
+    >> $TESTOUT 2>&1
+RC=$?
+if test $RC != 0 ; then
+    echo "ldapwhoami failed ($RC)!"
+    test $KILLSERVERS != no && kill -HUP $KILLPIDS
+    exit $RC
+fi
+
+echo "\ta used up token reached the provider..."
+$LDAPWHOAMI -D "$BABSDN" -H $URI1 -w "bjensen$TOKEN_SHA512_14" \
+    >> $TESTOUT 2>&1
+RC=$?
+if test $RC != 49 ; then
+    echo "ldapwhoami should have failed ($RC)!"
+    test $KILLSERVERS != no && kill -HUP $KILLPIDS
+    exit 1
+fi
+
+echo "Checking token status..."
+$LDAPCOMPARE -D "$MANAGERDN" -H $URI1 -w $PASSWD \
+    "ou=Information Technology Division,ou=People,dc=example,dc=com" \
+    oathHOTPCounter:14 \
+    >> $TESTOUT 2>&1
+RC=$?
+if test $RC != 6 ; then
+	echo "ldapcompare failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit 1
+fi
+
+echo "Stopping provider..."
+kill -HUP $PROVIDERPID
+wait $PROVIDERPID
+KILLPIDS="$CONSUMERPID"
+
+echo "Testing that successful chaining is mandatory..."
+$LDAPWHOAMI -D "$BABSDN" -H $URI2 -w "bjensen$TOKEN_SHA512_15" \
+    >> $TESTOUT 2>&1
+RC=$?
+if test $RC != 49 ; then
+    echo "ldapwhoami should have failed ($RC)!"
+    test $KILLSERVERS != no && kill -HUP $KILLPIDS
+    exit 1
+fi
+
+fi
+
 test $KILLSERVERS != no && kill -HUP $KILLPIDS
 
 LDIF=$DATADIR/otp/test001-out.ldif
-- 
2.47.3