Add simple automated tests for account lockout support

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24269 dc483132-0cff-0310-8789-dd5450dbe970

2 files changed, 49 insertions, 0 deletions

diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
index df2c808..1cf25f1 100644
--- a/src/tests/Makefile.in
+++ b/src/tests/Makefile.in
@@ -63,6 +63,7 @@ kdb_check: kdc.conf krb5.conf
 check-pytests::
 	$(RUNPYTEST) $(srcdir)/t_general.py $(PYTESTFLAGS)
 	$(RUNPYTEST) $(srcdir)/t_anonpkinit.py $(PYTESTFLAGS)
+	$(RUNPYTEST) $(srcdir)/t_lockout.py $(PYTESTFLAGS)
 
 clean::
 	$(RM) kdc.conf
diff --git a/src/tests/t_lockout.py b/src/tests/t_lockout.py
new file mode 100644
index 0000000..3d08fbc
--- /dev/null
+++ b/src/tests/t_lockout.py
@@ -0,0 +1,48 @@
+# Copyright (C) 2010 by the Massachusetts Institute of Technology.
+# All rights reserved.
+
+# Export of this software from the United States of America may
+#   require a specific license from the United States Government.
+#   It is the responsibility of any person or organization contemplating
+#   export to obtain such a license before exporting.
+#
+# WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+# distribute this software and its documentation for any purpose and
+# without fee is hereby granted, provided that the above copyright
+# notice appear in all copies and that both that copyright notice and
+# this permission notice appear in supporting documentation, and that
+# the name of M.I.T. not be used in advertising or publicity pertaining
+# to distribution of the software without specific, written prior
+# permission.  Furthermore if you modify this software you must label
+# your software as modified software and not distribute it in such a
+# fashion that it might be confused with the original M.I.T. software.
+# M.I.T. makes no representations about the suitability of
+# this software for any purpose.  It is provided "as is" without express
+# or implied warranty.
+
+#!/usr/bin/python
+from k5test import *
+
+realm = K5Realm(create_host=False)
+
+realm.run_kadminl('addpol -maxfailure 2 -failurecountinterval 5m lockout')
+realm.run_kadminl('modprinc +requires_preauth -policy lockout user')
+
+# kinit twice with the wrong password.
+output = realm.run_as_client([kinit, realm.user_princ], input='wrong\n',
+                             expected_code=1)
+if 'Password incorrect while getting initial credentials' not in output:
+    fail('Expected error message not seen in kinit output')
+output = realm.run_as_client([kinit, realm.user_princ], input='wrong\n',
+                             expected_code=1)
+if 'Password incorrect while getting initial credentials' not in output:
+    fail('Expected error message not seen in kinit output')
+
+# Now the account should be locked out.
+output = realm.run_as_client([kinit, realm.user_princ], expected_code=1)
+if 'Clients credentials have been revoked while getting initial credentials' \
+        not in output:
+    fail('Expected lockout error message not seen in kinit output')
+
+success('Account lockout.')
+