Add tests for pwqual modules and plugin ordering

Create a test module for the pwqual interface, and script to exercise
the built-in and test modules through kadmin.local.  Also create a
test harness to display the order of pwqual modules for the current
configuration, and use it to test the plugin module ordering
guarantees.

ticket: 7665

4 files changed, 260 insertions, 0 deletions

diff --git a/src/plugins/pwqual/test/Makefile.in b/src/plugins/pwqual/test/Makefile.in
new file mode 100644
index 0000000000..d8717b34ad
--- /dev/null
+++ b/src/plugins/pwqual/test/Makefile.in
@@ -0,0 +1,21 @@
+mydir=plugins$(S)pwqual$(S)test
+BUILDTOP=$(REL)..$(S)..$(S)..
+
+LIBBASE=pwqual_test
+LIBMAJOR=0
+LIBMINOR=0
+RELDIR=../plugins/pwqual/test
+# Depends on libkrb5
+SHLIB_EXPDEPS= $(KRB5_DEPLIB)
+SHLIB_EXPLIBS= $(KRB5_LIB)
+
+STLIBOBJS=main.o
+
+SRCS= $(srcdir)/main.c
+
+all-unix:: all-libs
+install-unix::
+clean-unix:: clean-libs clean-libobjs
+
+@libnover_frag@
+@libobj_frag@
diff --git a/src/plugins/pwqual/test/deps b/src/plugins/pwqual/test/deps
new file mode 100644
index 0000000000..85372e09fb
--- /dev/null
+++ b/src/plugins/pwqual/test/deps
@@ -0,0 +1,16 @@
+#
+# Generated makefile dependencies follow.
+#
+main.so main.po $(OUTPRE)main.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+  $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
+  $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
+  $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/krb5/krb5.h \
+  $(COM_ERR_DEPS) $(top_srcdir)/include/gssrpc/auth.h \
+  $(top_srcdir)/include/gssrpc/auth_gss.h $(top_srcdir)/include/gssrpc/auth_unix.h \
+  $(top_srcdir)/include/gssrpc/clnt.h $(top_srcdir)/include/gssrpc/rename.h \
+  $(top_srcdir)/include/gssrpc/rpc.h $(top_srcdir)/include/gssrpc/rpc_msg.h \
+  $(top_srcdir)/include/gssrpc/svc.h $(top_srcdir)/include/gssrpc/svc_auth.h \
+  $(top_srcdir)/include/gssrpc/xdr.h $(top_srcdir)/include/k5-platform.h \
+  $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/kdb.h \
+  $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/plugin.h \
+  $(top_srcdir)/include/krb5/pwqual_plugin.h main.c
diff --git a/src/plugins/pwqual/test/main.c b/src/plugins/pwqual/test/main.c
new file mode 100644
index 0000000000..b05048b6dc
--- /dev/null
+++ b/src/plugins/pwqual/test/main.c
@@ -0,0 +1,219 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* plugins/pwqual/test/main.c - test module for password quality interface */
+/*
+ * Copyright (C) 2010,2013 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright
+ *   notice, this list of conditions and the following disclaimer in
+ *   the documentation and/or other materials provided with the
+ *   distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * This file implements a module named "combo" which tests whether a password
+ * matches a pair of words in the dictionary.  It also implements several dummy
+ * modules named "dyn1", "dyn2", and "dyn3" which are used for ordering tests.
+ */
+
+#include <k5-platform.h>
+#include <krb5/pwqual_plugin.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <unistd.h>
+
+typedef struct combo_moddata_st {
+    const char **word_list;     /* list of word pointers */
+    char *word_block;           /* actual word data */
+} *combo_moddata;
+
+static krb5_error_code
+init_dict(combo_moddata dict, const char *dict_file)
+{
+    int fd;
+    size_t count, len, i;
+    char *p, *t;
+    struct stat sb;
+
+    /* Read the dictionary file into memory in one blob. */
+    if (dict_file == NULL)
+        return 0;
+    fd = open(dict_file, O_RDONLY);
+    if (fd == -1)
+        return (errno == ENOENT) ? 0 : errno;
+    if (fstat(fd, &sb) == -1) {
+        close(fd);
+        return errno;
+    }
+    dict->word_block = malloc(sb.st_size + 1);
+    if (dict->word_block == NULL)
+        return ENOMEM;
+    if (read(fd, dict->word_block, sb.st_size) != sb.st_size)
+        return errno;
+    close(fd);
+    dict->word_block[sb.st_size] = '\0';
+
+    /* Decompose the blob into newline-separated words. */
+    p = dict->word_block;
+    len = sb.st_size;
+    while (len > 0 && (t = memchr(p, '\n', len)) != NULL) {
+        *t = '\0';
+        len -= t - p + 1;
+        p = t + 1;
+        count++;
+    }
+    dict->word_list = calloc(count + 1, sizeof(char *));
+    if (dict->word_list == NULL)
+        return ENOMEM;
+    p = dict->word_block;
+    for (i = 0; i < count; i++) {
+        dict->word_list[i] = p;
+        p += strlen(p) + 1;
+    }
+    return 0;
+}
+
+static void
+destroy_dict(combo_moddata dict)
+{
+    if (dict == NULL)
+        return;
+    free(dict->word_list);
+    free(dict->word_block);
+    free(dict);
+}
+
+static krb5_error_code
+combo_open(krb5_context context, const char *dict_file,
+           krb5_pwqual_moddata *data)
+{
+    krb5_error_code ret;
+    combo_moddata dict;
+
+    *data = NULL;
+
+    /* Allocate and initialize a dictionary structure. */
+    dict = malloc(sizeof(*dict));
+    if (dict == NULL)
+        return ENOMEM;
+    dict->word_list = NULL;
+    dict->word_block = NULL;
+
+    /* Fill in the dictionary structure with data from dict_file. */
+    ret = init_dict(dict, dict_file);
+    if (ret != 0) {
+        destroy_dict(dict);
+        return ret;
+    }
+
+    *data = (krb5_pwqual_moddata)dict;
+    return 0;
+}
+
+static krb5_error_code
+combo_check(krb5_context context, krb5_pwqual_moddata data,
+            const char *password, const char *policy_name,
+            krb5_principal princ, const char **languages)
+{
+    combo_moddata dict = (combo_moddata)data;
+    const char *remainder, **word1, **word2;
+
+    if (dict->word_list == NULL)
+        return 0;
+
+    for (word1 = dict->word_list; *word1 != NULL; word1++) {
+        if (strncasecmp(password, *word1, strlen(*word1)) != 0)
+            continue;
+        remainder = password + strlen(*word1);
+        for (word2 = dict->word_list; *word2 != NULL; word2++) {
+            if (strcasecmp(remainder, *word2) == 0) {
+                krb5_set_error_message(context, KADM5_PASS_Q_DICT,
+                                       "Password may not be a pair of "
+                                       "dictionary words");
+                return KADM5_PASS_Q_DICT;
+            }
+        }
+    }
+
+    return 0;
+}
+
+static void
+combo_close(krb5_context context, krb5_pwqual_moddata data)
+{
+    destroy_dict((combo_moddata)data);
+}
+
+krb5_error_code
+pwqual_combo_initvt(krb5_context context, int maj_ver, int min_ver,
+                    krb5_plugin_vtable vtable);
+krb5_error_code
+pwqual_dyn1_initvt(krb5_context context, int maj_ver, int min_ver,
+                   krb5_plugin_vtable vtable);
+krb5_error_code
+pwqual_dyn2_initvt(krb5_context context, int maj_ver, int min_ver,
+                   krb5_plugin_vtable vtable);
+krb5_error_code
+pwqual_dyn3_initvt(krb5_context context, int maj_ver, int min_ver,
+                   krb5_plugin_vtable vtable);
+
+krb5_error_code
+pwqual_combo_initvt(krb5_context context, int maj_ver, int min_ver,
+                    krb5_plugin_vtable vtable)
+{
+    krb5_pwqual_vtable vt;
+
+    if (maj_ver != 1)
+        return KRB5_PLUGIN_VER_NOTSUPP;
+    vt = (krb5_pwqual_vtable)vtable;
+    vt->name = "combo";
+    vt->open = combo_open;
+    vt->check = combo_check;
+    vt->close = combo_close;
+    return 0;
+}
+
+krb5_error_code
+pwqual_dyn1_initvt(krb5_context context, int maj_ver, int min_ver,
+                   krb5_plugin_vtable vtable)
+{
+    ((krb5_pwqual_vtable)vtable)->name = "dyn1";
+    return 0;
+}
+
+krb5_error_code
+pwqual_dyn2_initvt(krb5_context context, int maj_ver, int min_ver,
+                   krb5_plugin_vtable vtable)
+{
+    ((krb5_pwqual_vtable)vtable)->name = "dyn2";
+    return 0;
+}
+
+krb5_error_code
+pwqual_dyn3_initvt(krb5_context context, int maj_ver, int min_ver,
+                   krb5_plugin_vtable vtable)
+{
+    ((krb5_pwqual_vtable)vtable)->name = "dyn3";
+    return 0;
+}
diff --git a/src/plugins/pwqual/test/pwqual_test.exports b/src/plugins/pwqual/test/pwqual_test.exports
new file mode 100644
index 0000000000..8a5638cec0
--- /dev/null
+++ b/src/plugins/pwqual/test/pwqual_test.exports
@@ -0,0 +1,4 @@
+pwqual_combo_initvt
+pwqual_dyn1_initvt
+pwqual_dyn2_initvt
+pwqual_dyn3_initvt