from k5test import *
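# Shared object for the test pwqual module, located under the build tree.
plugin = os.path.join(buildtop, "plugins", "pwqual", "test", "pwqual_test.so")

dictfile = os.path.join(os.getcwd(), 'testdir', 'dict')

# krb5.conf fragment: load the test module dynamically under the name "combo".
pconf = {'plugins': {'pwqual': {'module': 'combo:' + plugin}}}
# kdc.conf fragment: the realm's dict_file setting names the dictionary file
# written below.
dconf = {'realms': {'$realm': {'dict_file': dictfile}}}
realm = K5Realm(krb5_conf=pconf, kdc_conf=dconf, create_user=False,
                create_host=False)

# Write a short dictionary file.  The context manager closes the handle even
# if the write raises, so the words are on disk before the kadminl commands
# below run.
# NOTE(review): this relies on 'testdir' already existing, presumably created
# by K5Realm() above -- confirm.
with open(dictfile, 'w') as f:
    f.write('birds\nbees\napples\noranges\n')

# Policy "pol" is created with no attributes; it is only used to attach a
# policy to a principal in the checks below.
realm.run([kadminl, 'addpol', 'pol'])

mark('pwqual modules')

# Passwords are given with -pw on the command line throughout.  That suits
# throwaway test principals only, since command-line arguments are typically
# visible to other local processes.

# The built-in "empty" module rejects empty passwords even without a policy.
realm.run([kadminl, 'addprinc', '-pw', '', 'p1'], expected_code=1,
          expected_msg='Empty passwords are not allowed')

# The built-in "dict" module rejects dictionary words, but only with a policy.
# p2 has no policy, so the dictionary word is accepted; p3 carries policy
# "pol" and the same word is refused.
realm.run([kadminl, 'addprinc', '-pw', 'birds', 'p2'])
realm.run([kadminl, 'addprinc', '-pw', 'birds', '-policy', 'pol', 'p3'],
          expected_code=1,
          expected_msg='Password is in the password dictionary')

# The built-in "princ" module rejects principal components, only with a policy.
# p4 (no policy) may use its own name as its password; p5 (policy "pol") may
# not.
realm.run([kadminl, 'addprinc', '-pw', 'p4', 'p4'])
realm.run([kadminl, 'addprinc', '-pw', 'p5', '-policy', 'pol', 'p5'],
          expected_code=1,
          expected_msg='Password may not match principal name')

# The dynamic "combo" module rejects pairs of dictionary words.  No -policy
# is given here, so the rejection is expected even for a principal that has
# no policy attached.
realm.run([kadminl, 'addprinc', '-pw', 'birdsoranges', 'p6'], expected_code=1,
          expected_msg='Password may not be a pair of dictionary words')

# These plugin ordering tests aren't specifically related to the
# password quality interface, but are convenient to put here.

mark('plugin module order')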
def test_order(realm, testname, conf, expected):
    """Check the module order that ./plugorder reports for a pwqual config.

    conf is placed under plugins -> pwqual in a krb5.conf override, a
    special environment named testname is derived from realm with that
    override, and ./plugorder is run in it.  The program's output is split
    on whitespace and compared with expected (a list of module names); on
    any difference fail() is called with a message naming the test.
    """
    krb5_conf = {'plugins': {'pwqual': conf}}
    env = realm.special_env(testname, False, krb5_conf=krb5_conf)
    reported = realm.run(['./plugorder'], env=env).split()
    if reported == expected:
        return
    fail('order test: ' + testname)
# Stop the realm used by the password quality checks and replace it with one
# created without a KDB for the ordering checks.
realm.stop()
realm = K5Realm(create_kdb=False)

# Check the test harness with no special configuration: only the three
# blt* names are expected.
test_order(realm, 'noconf', {}, ['blt1', 'blt2', 'blt3'])

# Test the basic order: dynamic modules, then built-in modules, each
# in registration order.
conf = {'module': [name + ':' + plugin for name in ('dyn3', 'dyn1', 'dyn2')]}
test_order(
    realm,
    'basic',
    conf,
    ['dyn3', 'dyn1', 'dyn2', 'blt1', 'blt2', 'blt3'],
)

# Disabling modules should not affect the order of other modules.
conf.update(disable=['dyn1', 'blt3'])
test_order(realm, 'disable', conf, ['dyn3', 'dyn2', 'blt1', 'blt2'])

# enable_only should reorder the modules, but can't resurrect disabled
# modules or create ones from thin air.  The 'disable' list set above is
# still in conf, so dyn1 and blt3 stay out, and the unknown name 'xxx' is
# not expected in the output.
conf.update(enable_only=['dyn2', 'blt3', 'blt2', 'dyn1', 'dyn3', 'xxx'])
test_order(realm, 'enable_only', conf, ['dyn2', 'blt2', 'dyn3'])

# Duplicate modules should be pruned by preferring earlier entries.
# This starts from a fresh conf, so no disable/enable_only setting applies.
conf = {'module': [name + ':' + plugin for name in ('dyn3', 'dyn1', 'dyn3')]}
test_order(
    realm,
    'duplicate',
    conf,
    ['dyn3', 'dyn1', 'blt1', 'blt2', 'blt3'],
)

success('Password quality interface tests')