1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
|
#!/usr/bin/python
from k5test import *
plugin = os.path.join(buildtop, "plugins", "pwqual", "test", "pwqual_test.so")
dictfile = os.path.join(os.getcwd(), 'testdir', 'dict')
pconf = {'plugins': {'pwqual': {'module': 'combo:' + plugin}}}
dconf = {'realms': {'$realm': {'dict_file': dictfile}}}
realm = K5Realm(krb5_conf=pconf, kdc_conf=dconf, create_user=False,
create_host=False)
# Write a short dictionary file.
f = open(dictfile, 'w')
f.write('birds\nbees\napples\noranges\n')
f.close()
realm.run_kadminl('addpol pol')
# The built-in "empty" module rejects empty passwords even without a policy.
out = realm.run_kadminl('addprinc -pw "" p1')
if 'Empty passwords are not allowed' not in out:
fail('Expected error not seen for empty password')
# The built-in "dict" module rejects dictionary words, but only with a policy.
out = realm.run_kadminl('addprinc -pw birds p2')
if 'created.' not in out:
fail('Unexpected failure from dictionary password without policy')
out = realm.run_kadminl('addprinc -pw birds -policy pol p3')
if 'Password is in the password dictionary' not in out:
fail('Expected error not seen from dictionary password')
# The built-in "princ" module rejects principal components, only with a policy.
out = realm.run_kadminl('addprinc -pw p4 p4')
if 'created.' not in out:
fail('Unexpected failure from principal component without policy')
out = realm.run_kadminl('addprinc -pw p5 -policy pol p5')
if 'Password may not match principal name' not in out:
fail('Expected error not seen from principal component')
# The dynamic "combo" module rejects pairs of dictionary words.
out = realm.run_kadminl('addprinc -pw birdsoranges p6')
if 'Password may not be a pair of dictionary words' not in out:
fail('Expected error not seen from combo module')
# These plugin ordering tests aren't specifically related to the
# password quality interface, but are convenient to put here.
def test_order(realm, testname, conf, expected):
conf = {'plugins': {'pwqual': conf}}
env = realm.special_env(testname, False, krb5_conf=conf)
out = realm.run(['./plugorder'], env=env)
if out.split() != expected:
fail('order test: ' + testname)
realm.stop()
realm = K5Realm(create_kdb=False)
# Check the test harness with no special configuration.
test_order(realm, 'noconf', {}, ['blt1', 'blt2', 'blt3'])
# Test the basic order: dynamic modules, then built-in modules, each
# in registration order.
conf = {'module': ['dyn3:' + plugin, 'dyn1:' + plugin, 'dyn2:' + plugin]}
test_order(realm, 'basic', conf,
['dyn3', 'dyn1', 'dyn2', 'blt1', 'blt2', 'blt3'])
# Disabling modules should not affect the order of other modules.
conf['disable'] = ['dyn1', 'blt3']
test_order(realm, 'disable', conf, ['dyn3', 'dyn2', 'blt1', 'blt2'])
# enable_only should reorder the modules, but can't resurrect disabled
# modules or create ones from thin air.
conf['enable_only'] = ['dyn2', 'blt3', 'blt2', 'dyn1', 'dyn3', 'xxx']
test_order(realm, 'enable_only', conf, ['dyn2', 'blt2', 'dyn3'])
# Duplicate modules should be pruned by preferring earlier entries.
conf = {'module': ['dyn3:' + plugin, 'dyn1:' + plugin, 'dyn3:' + plugin]}
test_order(realm, 'duplicate', conf, ['dyn3', 'dyn1', 'blt1', 'blt2', 'blt3'])
success('Password quality interface tests')
|