diff options
-rw-r--r-- | src/Makefile.in | 1 | ||||
-rw-r--r-- | src/configure.in | 1 | ||||
-rw-r--r-- | src/plugins/pwqual/test/Makefile.in | 21 | ||||
-rw-r--r-- | src/plugins/pwqual/test/deps | 16 | ||||
-rw-r--r-- | src/plugins/pwqual/test/main.c | 219 | ||||
-rw-r--r-- | src/plugins/pwqual/test/pwqual_test.exports | 4 | ||||
-rw-r--r-- | src/tests/Makefile.in | 13 | ||||
-rw-r--r-- | src/tests/deps | 19 | ||||
-rw-r--r-- | src/tests/plugorder.c | 95 | ||||
-rw-r--r-- | src/tests/t_pwqual.py | 81 |
10 files changed, 466 insertions, 4 deletions
diff --git a/src/Makefile.in b/src/Makefile.in index cea7dda..ab8edbd 100644 --- a/src/Makefile.in +++ b/src/Makefile.in @@ -11,6 +11,7 @@ SUBDIRS=util include lib \ @sam2_plugin@ \ plugins/kadm5_hook/test \ plugins/localauth/test \ + plugins/pwqual/test \ plugins/kdb/db2 \ @ldap_plugin_dir@ \ plugins/preauth/pkinit \ diff --git a/src/configure.in b/src/configure.in index 4e49046..02955bb 100644 --- a/src/configure.in +++ b/src/configure.in @@ -1360,6 +1360,7 @@ dnl ccapi ccapi/lib ccapi/lib/unix ccapi/server ccapi/server/unix ccapi/test plugins/locate/python plugins/localauth/test plugins/kadm5_hook/test + plugins/pwqual/test plugins/kdb/db2 plugins/kdb/db2/libdb2 plugins/kdb/db2/libdb2/hash diff --git a/src/plugins/pwqual/test/Makefile.in b/src/plugins/pwqual/test/Makefile.in new file mode 100644 index 0000000..d8717b3 --- /dev/null +++ b/src/plugins/pwqual/test/Makefile.in @@ -0,0 +1,21 @@ +mydir=plugins$(S)pwqual$(S)test +BUILDTOP=$(REL)..$(S)..$(S).. + +LIBBASE=pwqual_test +LIBMAJOR=0 +LIBMINOR=0 +RELDIR=../plugins/pwqual/test +# Depends on libkrb5 +SHLIB_EXPDEPS= $(KRB5_DEPLIB) +SHLIB_EXPLIBS= $(KRB5_LIB) + +STLIBOBJS=main.o + +SRCS= $(srcdir)/main.c + +all-unix:: all-libs +install-unix:: +clean-unix:: clean-libs clean-libobjs + +@libnover_frag@ +@libobj_frag@ diff --git a/src/plugins/pwqual/test/deps b/src/plugins/pwqual/test/deps new file mode 100644 index 0000000..85372e0 --- /dev/null +++ b/src/plugins/pwqual/test/deps @@ -0,0 +1,16 @@ +# +# Generated makefile dependencies follow. +# +main.so main.po $(OUTPRE)main.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \ + $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \ + $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/krb5/krb5.h \ + $(COM_ERR_DEPS) $(top_srcdir)/include/gssrpc/auth.h \ + $(top_srcdir)/include/gssrpc/auth_gss.h $(top_srcdir)/include/gssrpc/auth_unix.h \ + $(top_srcdir)/include/gssrpc/clnt.h $(top_srcdir)/include/gssrpc/rename.h \ + $(top_srcdir)/include/gssrpc/rpc.h $(top_srcdir)/include/gssrpc/rpc_msg.h \ + $(top_srcdir)/include/gssrpc/svc.h $(top_srcdir)/include/gssrpc/svc_auth.h \ + $(top_srcdir)/include/gssrpc/xdr.h $(top_srcdir)/include/k5-platform.h \ + $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/kdb.h \ + $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/plugin.h \ + $(top_srcdir)/include/krb5/pwqual_plugin.h main.c diff --git a/src/plugins/pwqual/test/main.c b/src/plugins/pwqual/test/main.c new file mode 100644 index 0000000..b05048b --- /dev/null +++ b/src/plugins/pwqual/test/main.c @@ -0,0 +1,219 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* plugins/pwqual/test/main.c - test module for password quality interface */ +/* + * Copyright (C) 2010,2013 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * This file implements a module named "combo" which tests whether a password + * matches a pair of words in the dictionary. It also implements several dummy + * modules named "dyn1", "dyn2", and "dyn3" which are used for ordering tests. + */ + +#include <k5-platform.h> +#include <krb5/pwqual_plugin.h> +#include <sys/types.h> +#include <sys/stat.h> +#include <fcntl.h> +#include <unistd.h> + +typedef struct combo_moddata_st { + const char **word_list; /* list of word pointers */ + char *word_block; /* actual word data */ +} *combo_moddata; + +static krb5_error_code +init_dict(combo_moddata dict, const char *dict_file) +{ + int fd; + size_t count, len, i; + char *p, *t; + struct stat sb; + + /* Read the dictionary file into memory in one blob. */ + if (dict_file == NULL) + return 0; + fd = open(dict_file, O_RDONLY); + if (fd == -1) + return (errno == ENOENT) ? 0 : errno; + if (fstat(fd, &sb) == -1) { + close(fd); + return errno; + } + dict->word_block = malloc(sb.st_size + 1); + if (dict->word_block == NULL) + return ENOMEM; + if (read(fd, dict->word_block, sb.st_size) != sb.st_size) + return errno; + close(fd); + dict->word_block[sb.st_size] = '\0'; + + /* Decompose the blob into newline-separated words. */ + p = dict->word_block; + len = sb.st_size; + while (len > 0 && (t = memchr(p, '\n', len)) != NULL) { + *t = '\0'; + len -= t - p + 1; + p = t + 1; + count++; + } + dict->word_list = calloc(count + 1, sizeof(char *)); + if (dict->word_list == NULL) + return ENOMEM; + p = dict->word_block; + for (i = 0; i < count; i++) { + dict->word_list[i] = p; + p += strlen(p) + 1; + } + return 0; +} + +static void +destroy_dict(combo_moddata dict) +{ + if (dict == NULL) + return; + free(dict->word_list); + free(dict->word_block); + free(dict); +} + +static krb5_error_code +combo_open(krb5_context context, const char *dict_file, + krb5_pwqual_moddata *data) +{ + krb5_error_code ret; + combo_moddata dict; + + *data = NULL; + + /* Allocate and initialize a dictionary structure. */ + dict = malloc(sizeof(*dict)); + if (dict == NULL) + return ENOMEM; + dict->word_list = NULL; + dict->word_block = NULL; + + /* Fill in the dictionary structure with data from dict_file. */ + ret = init_dict(dict, dict_file); + if (ret != 0) { + destroy_dict(dict); + return ret; + } + + *data = (krb5_pwqual_moddata)dict; + return 0; +} + +static krb5_error_code +combo_check(krb5_context context, krb5_pwqual_moddata data, + const char *password, const char *policy_name, + krb5_principal princ, const char **languages) +{ + combo_moddata dict = (combo_moddata)data; + const char *remainder, **word1, **word2; + + if (dict->word_list == NULL) + return 0; + + for (word1 = dict->word_list; *word1 != NULL; word1++) { + if (strncasecmp(password, *word1, strlen(*word1)) != 0) + continue; + remainder = password + strlen(*word1); + for (word2 = dict->word_list; *word2 != NULL; word2++) { + if (strcasecmp(remainder, *word2) == 0) { + krb5_set_error_message(context, KADM5_PASS_Q_DICT, + "Password may not be a pair of " + "dictionary words"); + return KADM5_PASS_Q_DICT; + } + } + } + + return 0; +} + +static void +combo_close(krb5_context context, krb5_pwqual_moddata data) +{ + destroy_dict((combo_moddata)data); +} + +krb5_error_code +pwqual_combo_initvt(krb5_context context, int maj_ver, int min_ver, + krb5_plugin_vtable vtable); +krb5_error_code +pwqual_dyn1_initvt(krb5_context context, int maj_ver, int min_ver, + krb5_plugin_vtable vtable); +krb5_error_code +pwqual_dyn2_initvt(krb5_context context, int maj_ver, int min_ver, + krb5_plugin_vtable vtable); +krb5_error_code +pwqual_dyn3_initvt(krb5_context context, int maj_ver, int min_ver, + krb5_plugin_vtable vtable); + +krb5_error_code +pwqual_combo_initvt(krb5_context context, int maj_ver, int min_ver, + krb5_plugin_vtable vtable) +{ + krb5_pwqual_vtable vt; + + if (maj_ver != 1) + return KRB5_PLUGIN_VER_NOTSUPP; + vt = (krb5_pwqual_vtable)vtable; + vt->name = "combo"; + vt->open = combo_open; + vt->check = combo_check; + vt->close = combo_close; + return 0; +} + +krb5_error_code +pwqual_dyn1_initvt(krb5_context context, int maj_ver, int min_ver, + krb5_plugin_vtable vtable) +{ + ((krb5_pwqual_vtable)vtable)->name = "dyn1"; + return 0; +} + +krb5_error_code +pwqual_dyn2_initvt(krb5_context context, int maj_ver, int min_ver, + krb5_plugin_vtable vtable) +{ + ((krb5_pwqual_vtable)vtable)->name = "dyn2"; + return 0; +} + +krb5_error_code +pwqual_dyn3_initvt(krb5_context context, int maj_ver, int min_ver, + krb5_plugin_vtable vtable) +{ + ((krb5_pwqual_vtable)vtable)->name = "dyn3"; + return 0; +} diff --git a/src/plugins/pwqual/test/pwqual_test.exports b/src/plugins/pwqual/test/pwqual_test.exports new file mode 100644 index 0000000..8a5638c --- /dev/null +++ b/src/plugins/pwqual/test/pwqual_test.exports @@ -0,0 +1,4 @@ +pwqual_combo_initvt +pwqual_dyn1_initvt +pwqual_dyn2_initvt +pwqual_dyn3_initvt diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in index 91f312e..c5536c3 100644 --- a/src/tests/Makefile.in +++ b/src/tests/Makefile.in @@ -5,8 +5,8 @@ SUBDIRS = resolve asn.1 create hammer verify gssapi dejagnu shlib \ RUN_SETUP = @KRB5_RUN_ENV@ KRB5_KDC_PROFILE=kdc.conf KRB5_CONFIG=krb5.conf -OBJS= gcred.o hist.o kdbtest.o t_init_creds.o t_localauth.o -EXTRADEPSRCS= gcred.c hist.c kdbtest.c t_init_creds.c t_localauth.c +OBJS= gcred.o hist.o kdbtest.o plugorder.o t_init_creds.o t_localauth.o +EXTRADEPSRCS= gcred.c hist.c kdbtest.c plugorder.c t_init_creds.c t_localauth.c TEST_DB = ./testdb TEST_REALM = FOO.TEST.REALM @@ -28,6 +28,9 @@ kdbtest: kdbtest.o $(KDB5_DEPLIBS) $(KADMSRV_DEPLIBS) $(KRB5_BASE_DEPLIBS) $(CC_LINK) -o $@ kdbtest.o $(KDB5_LIBS) $(KADMSRV_LIBS) \ $(KRB5_BASE_LIBS) +plugorder: plugorder.o $(KRB5_BASE_DEPLIBS) + $(CC_LINK) -o $@ plugorder.o $(KRB5_BASE_LIBS) + t_init_creds: t_init_creds.o $(KRB5_BASE_DEPLIBS) $(CC_LINK) -o $@ t_init_creds.o $(KRB5_BASE_LIBS) @@ -76,7 +79,7 @@ kdb_check: kdc.conf krb5.conf $(RUN_SETUP) $(VALGRIND) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) destroy -f $(RM) $(TEST_DB)* stash_file -check-pytests:: gcred hist kdbtest t_init_creds t_localauth +check-pytests:: gcred hist kdbtest plugorder t_init_creds t_localauth $(RUNPYTEST) $(srcdir)/t_general.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_dump.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_iprop.py $(PYTESTFLAGS) @@ -86,6 +89,7 @@ check-pytests:: gcred hist kdbtest t_init_creds t_localauth $(RUNPYTEST) $(srcdir)/t_policy.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_localauth.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_kadm5_hook.py $(PYTESTFLAGS) + $(RUNPYTEST) $(srcdir)/t_pwqual.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_kdb_locking.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_keyrollover.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_renew.py $(PYTESTFLAGS) @@ -104,5 +108,6 @@ check-pytests:: gcred hist kdbtest t_init_creds t_localauth $(RUNPYTEST) $(srcdir)/t_cve-2013-1416.py $(PYTESTFLAGS) clean:: - $(RM) gcred hist kdbtest krb5.conf kdc.conf t_init_creds t_localauth + $(RM) gcred hist kdbtest plugorder t_init_creds t_localauth + $(RM) krb5.conf kdc.conf $(RM) -rf kdc_realm/sandbox ldap diff --git a/src/tests/deps b/src/tests/deps index b50d0df..50e1e7b 100644 --- a/src/tests/deps +++ b/src/tests/deps @@ -40,6 +40,25 @@ $(OUTPRE)kdbtest.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \ $(top_srcdir)/include/gssrpc/svc.h $(top_srcdir)/include/gssrpc/svc_auth.h \ $(top_srcdir)/include/gssrpc/xdr.h $(top_srcdir)/include/kdb.h \ $(top_srcdir)/include/krb5.h kdbtest.c +$(OUTPRE)plugorder.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \ + $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \ + $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/krb5/krb5.h \ + $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ + $(COM_ERR_DEPS) $(top_srcdir)/include/gssrpc/auth.h \ + $(top_srcdir)/include/gssrpc/auth_gss.h $(top_srcdir)/include/gssrpc/auth_unix.h \ + $(top_srcdir)/include/gssrpc/clnt.h $(top_srcdir)/include/gssrpc/rename.h \ + $(top_srcdir)/include/gssrpc/rpc.h $(top_srcdir)/include/gssrpc/rpc_msg.h \ + $(top_srcdir)/include/gssrpc/svc.h $(top_srcdir)/include/gssrpc/svc_auth.h \ + $(top_srcdir)/include/gssrpc/xdr.h $(top_srcdir)/include/k5-buf.h \ + $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ + $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ + $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ + $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ + $(top_srcdir)/include/kdb.h $(top_srcdir)/include/krb5.h \ + $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ + $(top_srcdir)/include/krb5/pwqual_plugin.h $(top_srcdir)/include/port-sockets.h \ + $(top_srcdir)/include/socket-utils.h plugorder.c $(OUTPRE)t_init_creds.$(OBJEXT): $(BUILDTOP)/include/krb5/krb5.h \ $(COM_ERR_DEPS) $(top_srcdir)/include/krb5.h t_init_creds.c $(OUTPRE)t_localauth.$(OBJEXT): $(BUILDTOP)/include/krb5/krb5.h \ diff --git a/src/tests/plugorder.c b/src/tests/plugorder.c new file mode 100644 index 0000000..e13d210 --- /dev/null +++ b/src/tests/plugorder.c @@ -0,0 +1,95 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* tests/plugorder.c - Test harness to display the order of loaded plugins */ +/* + * Copyright (C) 2013 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * This file registers a few dummy built-in pwqual modules, then prints out the + * order of pwqual modules returned by k5_plugin_load_all. The choice of the + * pwqual interface is mostly arbitrary; it is an interface which libkrb5 + * itself doesn't use, for which we have a test module. + */ + +#include "k5-int.h" +#include <krb5/pwqual_plugin.h> + +static krb5_context ctx; + +static void +check(krb5_error_code code) +{ + const char *errmsg; + + if (code) { + errmsg = krb5_get_error_message(ctx, code); + fprintf(stderr, "%s\n", errmsg); + krb5_free_error_message(ctx, errmsg); + exit(1); + } +} + +static krb5_error_code +blt1(krb5_context context, int maj_ver, int min_ver, krb5_plugin_vtable vtable) +{ + ((krb5_pwqual_vtable)vtable)->name = "blt1"; + return 0; +} + +static krb5_error_code +blt2(krb5_context context, int maj_ver, int min_ver, krb5_plugin_vtable vtable) +{ + ((krb5_pwqual_vtable)vtable)->name = "blt2"; + return 0; +} + +static krb5_error_code +blt3(krb5_context context, int maj_ver, int min_ver, krb5_plugin_vtable vtable) +{ + ((krb5_pwqual_vtable)vtable)->name = "blt3"; + return 0; +} + +int +main() +{ + krb5_plugin_initvt_fn *modules = NULL, *mod; + struct krb5_pwqual_vtable_st vt; + + check(krb5_init_context(&ctx)); + check(k5_plugin_register(ctx, PLUGIN_INTERFACE_PWQUAL, "blt1", blt1)); + check(k5_plugin_register(ctx, PLUGIN_INTERFACE_PWQUAL, "blt2", blt2)); + check(k5_plugin_register(ctx, PLUGIN_INTERFACE_PWQUAL, "blt3", blt3)); + check(k5_plugin_load_all(ctx, PLUGIN_INTERFACE_PWQUAL, &modules)); + for (mod = modules; *mod != NULL; mod++) { + check((*mod)(ctx, 1, 1, (krb5_plugin_vtable)&vt)); + printf("%s\n", vt.name); + } + return 0; +} diff --git a/src/tests/t_pwqual.py b/src/tests/t_pwqual.py new file mode 100644 index 0000000..b3a1698 --- /dev/null +++ b/src/tests/t_pwqual.py @@ -0,0 +1,81 @@ +#!/usr/bin/python +from k5test import * + +plugin = os.path.join(buildtop, "plugins", "pwqual", "test", "pwqual_test.so") + +dictfile = os.path.join(os.getcwd(), 'testdir', 'dict') + +pconf = {'plugins': {'pwqual': {'module': 'combo:' + plugin}}} +dconf = {'realms': {'$realm': {'dict_file': dictfile}}} +realm = K5Realm(krb5_conf=pconf, kdc_conf=dconf, create_user=False, + create_host=False) + +# Write a short dictionary file. +f = open(dictfile, 'w') +f.write('birds\nbees\napples\noranges\n') +f.close() + +realm.run_kadminl('addpol pol') + +# The built-in "empty" module rejects empty passwords even without a policy. +out = realm.run_kadminl('addprinc -pw "" p1') +if 'Empty passwords are not allowed' not in out: + fail('Expected error not seen for empty password') + +# The built-in "dict" module rejects dictionary words, but only with a policy. +out = realm.run_kadminl('addprinc -pw birds p2') +if 'created.' not in out: + fail('Unexpected failure from dictionary password without policy') +out = realm.run_kadminl('addprinc -pw birds -policy pol p3') +if 'Password is in the password dictionary' not in out: + fail('Expected error not seen from dictionary password') + +# The built-in "princ" module rejects principal components, only with a policy. +out = realm.run_kadminl('addprinc -pw p4 p4') +if 'created.' not in out: + fail('Unexpected failure from principal component without policy') +out = realm.run_kadminl('addprinc -pw p5 -policy pol p5') +if 'Password may not match principal name' not in out: + fail('Expected error not seen from principal component') + +# The dynamic "combo" module rejects pairs of dictionary words. +out = realm.run_kadminl('addprinc -pw birdsoranges p6') +if 'Password may not be a pair of dictionary words' not in out: + fail('Expected error not seen from combo module') + +# These plugin ordering tests aren't specifically related to the +# password quality interface, but are convenient to put here. + +def test_order(realm, testname, conf, expected): + conf = {'plugins': {'pwqual': conf}} + env = realm.special_env(testname, False, krb5_conf=conf) + out = realm.run(['./plugorder'], env=env) + if out.split() != expected: + fail('order test: ' + testname) + +realm.stop() +realm = K5Realm(create_kdb=False) + +# Check the test harness with no special configuration. +test_order(realm, 'noconf', {}, ['blt1', 'blt2', 'blt3']) + +# Test the basic order: dynamic modules, then built-in modules, each +# in registration order. +conf = {'module': ['dyn3:' + plugin, 'dyn1:' + plugin, 'dyn2:' + plugin]} +test_order(realm, 'basic', conf, + ['dyn3', 'dyn1', 'dyn2', 'blt1', 'blt2', 'blt3']) + +# Disabling modules should not affect the order of other modules. +conf['disable'] = ['dyn1', 'blt3'] +test_order(realm, 'disable', conf, ['dyn3', 'dyn2', 'blt1', 'blt2']) + +# enable_only should reorder the modules, but can't resurrect disabled +# modules or create ones from thin air. +conf['enable_only'] = ['dyn2', 'blt3', 'blt2', 'dyn1', 'dyn3', 'xxx'] +test_order(realm, 'enable_only', conf, ['dyn2', 'blt2', 'dyn3']) + +# Duplicate modules should be pruned by preferring earlier entries. +conf = {'module': ['dyn3:' + plugin, 'dyn1:' + plugin, 'dyn3:' + plugin]} +test_order(realm, 'duplicate', conf, ['dyn3', 'dyn1', 'blt1', 'blt2', 'blt3']) + +success('Password quality interface tests') |