from k5test import *
import re
# A realm with kadmind running so both kadmin.local and kadmin (over the
# network) can be exercised; no host principal is needed for policy tests.
realm = K5Realm(start_kadmind=True, create_host=False)

# Test password quality enforcement: a policy requiring at least six
# characters drawn from at least two character classes must reject a
# password that fails either rule and accept one that satisfies both.
mark('password quality')
too_short = 'Password is too short'
too_few_classes = 'Password does not contain enough character classes'
realm.run([kadminl, 'addpol', '-minlength', '6', '-minclasses', '2', 'pwpol'])
realm.run([kadminl, 'addprinc', '-randkey', '-policy', 'pwpol', 'pwuser'])
# Five characters: below the minimum length.
realm.run([kadminl, 'cpw', '-pw', 'sh0rt', 'pwuser'],
          expected_msg=too_short, expected_code=1)
# Long enough, but a single character class (lowercase letters only).
realm.run([kadminl, 'cpw', '-pw', 'longenough', 'pwuser'],
          expected_msg=too_few_classes, expected_code=1)
# Long enough and mixes letters with a digit: accepted.
realm.run([kadminl, 'cpw', '-pw', 'l0ngenough', 'pwuser'])
# Test some password history enforcement.  Even with no history value set
# on the policy, changing to the principal's current password is refused.
mark('password history')
reuse_denied = 'Cannot reuse password'
realm.run([kadminl, 'cpw', '-pw', 'l0ngenough', 'pwuser'],
          expected_msg=reuse_denied, expected_code=1)

# With a history of 2, the previous password stays blocked after one more
# change and is only accepted again once a further change has aged it out.
realm.run([kadminl, 'modpol', '-history', '2', 'pwpol'])
realm.run([kadminl, 'cpw', '-pw', 'an0therpw', 'pwuser'])
realm.run([kadminl, 'cpw', '-pw', 'l0ngenough', 'pwuser'],
          expected_msg=reuse_denied, expected_code=1)
realm.run([kadminl, 'cpw', '-pw', '3rdpassword', 'pwuser'])
realm.run([kadminl, 'cpw', '-pw', 'l0ngenough', 'pwuser'])
# Test references to nonexistent policies.  A principal may name a policy
# that does not exist yet; getprinc flags the dangling reference and no
# policy rules are applied while it dangles.
mark('nonexistent policy references')
realm.run([kadminl, 'addprinc', '-randkey', '-policy', 'newpol', 'newuser'])
realm.run([kadminl, 'getprinc', 'newuser'],
          expected_msg='Policy: newpol [does not exist]\n')
realm.run([kadminl, 'modprinc', '-policy', 'newpol', 'pwuser'])

# pwuser should allow reuse of the current password since newpol doesn't
# exist (no history enforcement without a policy).
realm.run([kadminl, 'cpw', '-pw', '3rdpassword', 'pwuser'])

# Regression test for #8427 (min_life check with nonexistent policy): the
# principal changes its own password via kadmind, authenticating with -w.
# Passing the password on the command line is acceptable only inside a
# test harness like this one.
self_cpw = [kadmin, '-p', 'pwuser', '-w', '3rdpassword',
            'cpw', '-pw', '3rdpassword', 'pwuser']
realm.run(self_cpw)
# Create newpol and verify that it is enforced.  Once the policy exists the
# formerly dangling references on both principals become live, so the
# minimum length applies to each and the history check applies to pwuser.
mark('create referenced policy')
too_short = 'Password is too short'
realm.run([kadminl, 'addpol', '-minlength', '3', 'newpol'])

realm.run([kadminl, 'getprinc', 'pwuser'], expected_msg='Policy: newpol\n')
# Two characters: below the new minimum of three.
realm.run([kadminl, 'cpw', '-pw', 'aa', 'pwuser'],
          expected_msg=too_short, expected_code=1)
# The current password is still refused even though newpol sets no history.
realm.run([kadminl, 'cpw', '-pw', '3rdpassword', 'pwuser'],
          expected_msg='Cannot reuse password', expected_code=1)

realm.run([kadminl, 'getprinc', 'newuser'], expected_msg='Policy: newpol\n')
realm.run([kadminl, 'cpw', '-pw', 'aa', 'newuser'],
          expected_msg=too_short, expected_code=1)
# Delete the policy and verify that it is no longer enforced: getpol must
# report it gone, and a two-character password that newpol rejected above
# is now accepted because the reference dangles again.
mark('delete referenced policy')
realm.run([kadminl, 'delpol', 'newpol'])
realm.run([kadminl, 'getpol', 'newpol'],
          expected_msg='Policy does not exist', expected_code=1)
realm.run([kadminl, 'cpw', '-pw', 'aa', 'pwuser'])
# Test basic password lockout support, against each supported database
# backend.  The policy allows two failures within a five-minute window;
# the lockout bounds online password guessing against the principal.
mark('password lockout')
realm.stop()
for realm in multidb_realms(create_host=False):
    realm.run([kadminl, 'addpol', '-maxfailure', '2',
               '-failurecountinterval', '5m', 'lockout'])
    # Preauth is required so that a wrong password is counted as a failure.
    realm.run([kadminl, 'modprinc', '+requires_preauth', '-policy',
               'lockout', 'user'])

    # kinit twice with the wrong password.
    msg = 'Password incorrect while getting initial credentials'
    for _ in range(2):
        realm.run([kinit, realm.user_princ], input='wrong\n',
                  expected_msg=msg, expected_code=1)

    # Now the account should be locked out: the next attempt is refused
    # before any password is even read.
    msg = 'credentials have been revoked while getting initial credentials'
    realm.run([kinit, realm.user_princ], expected_msg=msg, expected_code=1)

    # Check that modprinc -unlock allows a further attempt.
    realm.run([kadminl, 'modprinc', '-unlock', 'user'])
    realm.kinit(realm.user_princ, password('user'))

    # Make sure a nonexistent policy reference doesn't prevent
    # authentication.
    realm.run([kadminl, 'delpol', 'lockout'])
    realm.kinit(realm.user_princ, password('user'))
# Regression test for issue #7099: databases created prior to krb5 1.3 have
# multiple history keys, and kadmin prior to 1.7 didn't necessarily use the
# first one to create history entries.  The ./hist helper builds such a
# principal and can swap its two keys; no KDC is needed for this.
mark('#7099 regression test')
realm = K5Realm(start_kdc=False)
hist = './hist'

# Create a history principal with two keys, then record one password
# change for 'user' under a policy that keeps history.
realm.run([hist, 'make'])
realm.run([kadminl, 'addpol', '-history', '2', 'pol'])
realm.run([kadminl, 'modprinc', '-policy', 'pol', 'user'])
realm.run([kadminl, 'cpw', '-pw', 'pw2', 'user'])

# Swap the keys, simulating older kadmin having chosen the second entry.
realm.run([hist, 'swap'])

# Make sure we can read the history entry: the original password must still
# be recognised as a reuse after the swap.
old_password = password('user')
realm.run([kadminl, 'cpw', '-pw', old_password, 'user'],
          expected_msg='Cannot reuse password', expected_code=1)
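# Test key/salt constraints.
mark('allowedkeysalts')

# Restart with a realm whose supported_enctypes is limited to aes256-cts.
# NOTE(review): presumably this keeps the default key set to a single
# enctype so that the -e variations below are decided only by the policy's
# allowed_keysalts -- confirm.  No host principal or initial creds needed.
realm.stop()
krb5_conf1 = {'libdefaults': {'supported_enctypes': 'aes256-cts'}}
realm = K5Realm(krb5_conf=krb5_conf1, create_host=False, get_creds=False)

# Add policy.
realm.run([kadminl, 'addpol', '-allowedkeysalts', 'aes256-cts', 'ak'])
realm.run([kadminl, 'addprinc', '-randkey', '-e', 'aes256-cts', 'server'])

# Test with one-enctype allowed_keysalts: a randkey change to an enctype
# outside the policy set must fail, and one inside it must succeed.
realm.run([kadminl, 'modprinc', '-policy', 'ak', 'server'])
out = realm.run([kadminl, 'cpw', '-randkey', '-e', 'aes128-cts', 'server'],
                expected_code=1)
# Use the idiomatic 'not in' membership test (was 'not x in out').
if 'Invalid key/salt tuples' not in out:
    fail('allowed_keysalts policy not applied properly')
realm.run([kadminl, 'cpw', '-randkey', '-e', 'aes256-cts', 'server'])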
# Now test a multi-enctype allowed_keysalts.  Test that subsets are allowed,
# that the complete set is allowed, that order doesn't matter, and that
# enctypes outside the set are not allowed.
bad_tuples = 'Invalid key/salt tuples'

# Test modpol.
realm.run([kadminl, 'modpol', '-allowedkeysalts', 'aes256-cts,rc4-hmac', 'ak'])
realm.run([kadminl, 'getpol', 'ak'],
          expected_msg='Allowed key/salt types: aes256-cts,rc4-hmac')

# Test subsets and the full set, the latter in both orders.
for keysalts in ('rc4-hmac', 'aes256-cts', 'aes256-cts,rc4-hmac',
                 'rc4-hmac,aes256-cts'):
    realm.run([kadminl, 'cpw', '-randkey', '-e', keysalts, 'server'])

# Check that the order we got is the one from the policy: the last change
# above listed rc4-hmac first, yet the terse key listing must show enctype
# 18 (aes256-cts) ahead of 23 (rc4-hmac).
realm.run([kadminl, 'getprinc', '-terse', 'server'],
          expected_msg='2\t1\t6\t18\t0\t1\t6\t23\t0')

# Test partially intersecting sets: one enctype outside the policy set
# invalidates the whole request even when the others are allowed.
for keysalts in ('rc4-hmac,aes128-cts', 'rc4-hmac,aes256-cts,aes128-cts'):
    realm.run([kadminl, 'cpw', '-randkey', '-e', keysalts, 'server'],
              expected_msg=bad_tuples, expected_code=1)

# Test reset of allowedkeysalts: '-' clears the attribute, getpol no longer
# lists it, and a previously refused enctype is accepted again.
realm.run([kadminl, 'modpol', '-allowedkeysalts', '-', 'ak'])
out = realm.run([kadminl, 'getpol', 'ak'])
if 'Allowed key/salt types' in out:
    fail('failed to clear allowedkeysalts')
realm.run([kadminl, 'cpw', '-randkey', '-e', 'aes128-cts', 'server'])

success('Policy tests')