Closed billdodd closed 3 years ago
Some Redfish services will detect too many invalid login attempts and block incoming access to the offending client for some period of time. The Protocol-Validator does a very minimal set of intentional bad authentication requests to test protocol specified behavior.
I discovered this behavior recently started being triggered for one of the services I normally test against. After looking into it, I discovered a couple of bugs that were causing some unintentional bad authentication requests.
Maybe we need to create a "test" account we allow to get locked for these types of tests. Once the test account is locked, we can use the administrator account being used to run the test to go in and unlock it.
Another option would be to see if we can modify the lockout threshold for the duration of the test, but it's possible some implementations make this a read-only property.
The tool does this (uses newly created test accounts for resource manipulation and invalid login testing). In the situation I encountered, the problem wasn't that the account got locked; it was that the service blocked all access from the client's IP address for a period of time.
After I fix the bugs I mentioned, the client IP address blocking should no longer be triggered.
Ah, I see. More complicated than I assumed!
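The two mechanisms discussed in this thread (per-account lockout that an administrator can clear, and the stricter per-client IP blocking that the validator tripped) are shown together below as an added example; it is not code from the Redfish-Protocol-Validator or any BMC. `FakeRedfishService` is a constructed in-memory stand-in for a real service: the `AccountLockoutThreshold` property and the writable `Locked` property on a `ManagerAccount` come from the Redfish AccountService schema, while the per-IP block threshold is an assumption, since the specification does not define that behavior. `invalid_login_budget` reads the threshold and caps the number of intentional bad logins so the dedicated test account never reaches it; `run_invalid_login_tests` unlocks the test account with the administrator credentials afterwards either way.

```python
"""
Lockout-aware invalid-login testing against a Redfish AccountService.
Added example, not project code. FakeRedfishService is a constructed
stand-in for a real BMC; its per-IP block threshold is an assumed value.
"""


class FakeRedfishService:
    """Minimal in-memory stand-in for a Redfish service (constructed, not a real BMC)."""

    def __init__(self, accounts, lockout_threshold=3, ip_block_threshold=5):
        # accounts: {username: {"Password": str, "Locked": bool, "Failures": int}}
        self.accounts = accounts
        # Properties from the Redfish AccountService schema; 0 disables lockout.
        self.account_service = {
            "@odata.id": "/redfish/v1/AccountService",
            "AccountLockoutThreshold": lockout_threshold,
            "AccountLockoutDuration": 600,
        }
        self.ip_block_threshold = ip_block_threshold  # assumed vendor behavior, not in the spec
        self.failures_by_ip = {}
        self.blocked_ips = set()

    def post_session(self, client_ip, username, password):
        """POST /redfish/v1/SessionService/Sessions; returns the HTTP status code."""
        if client_ip in self.blocked_ips:
            return 403  # whole client blocked, even for valid credentials
        acct = self.accounts.get(username)
        if acct is not None and acct["Locked"]:
            return 401
        if acct is not None and acct["Password"] == password:
            acct["Failures"] = 0
            return 201
        # Bad credentials: count per account (lockout) and per client IP (block).
        if acct is not None:
            acct["Failures"] += 1
            threshold = self.account_service["AccountLockoutThreshold"]
            if threshold and acct["Failures"] >= threshold:
                acct["Locked"] = True
        self.failures_by_ip[client_ip] = self.failures_by_ip.get(client_ip, 0) + 1
        if self.failures_by_ip[client_ip] >= self.ip_block_threshold:
            self.blocked_ips.add(client_ip)
        return 401

    def patch_account(self, admin_user, admin_password, username, body):
        """PATCH /redfish/v1/AccountService/Accounts/{id} with administrator credentials."""
        admin = self.accounts.get(admin_user)
        if admin is None or admin["Password"] != admin_password or admin["Locked"]:
            return 401
        acct = self.accounts.get(username)
        if acct is None:
            return 404
        if body.get("Locked") is False:  # Redfish permits writing Locked=false to unlock
            acct["Locked"] = False
            acct["Failures"] = 0
        return 200


def invalid_login_budget(account_service, requested):
    """Largest number of intentional bad logins that leaves the test account unlocked."""
    threshold = account_service.get("AccountLockoutThreshold", 0)
    if not threshold:  # 0 or absent means lockout is disabled
        return requested
    return min(requested, threshold - 1)


def run_invalid_login_tests(service, client_ip, admin, test_user, requested):
    """Send bad-auth probes within the lockout budget, then unlock the test account."""
    budget = invalid_login_budget(service.account_service, requested)
    statuses = [service.post_session(client_ip, test_user, "not-the-password")
                for _ in range(budget)]
    locked = service.accounts[test_user]["Locked"]
    # Cleanup with the administrator account whether or not the lockout fired.
    service.patch_account(admin[0], admin[1], test_user, {"Locked": False})
    return {"sent": budget, "statuses": statuses, "locked_during_test": locked,
            "ip_blocked": client_ip in service.blocked_ips}


def demo():
    """Constructed run: threshold 3 allows two probes; neither lockout nor IP block fires."""
    svc = FakeRedfishService({
        "admin": {"Password": "adm1n", "Locked": False, "Failures": 0},
        "pv_test": {"Password": "t3st", "Locked": False, "Failures": 0},
    }, lockout_threshold=3, ip_block_threshold=5)
    return run_invalid_login_tests(svc, "10.0.0.5", ("admin", "adm1n"), "pv_test", requested=10)


if __name__ == "__main__":
    print(demo())
```

The budget only protects against the per-account lockout; unintentional bad-auth requests elsewhere in a run still count against the client IP, which is why `post_session` returns 403 for every request once the IP block fires, including ones with the correct administrator password.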