author | Greg Hudson <ghudson@mit.edu> | 2013-01-08 19:57:41 -0500 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2013-01-09 15:35:44 -0500 |
commit | 2ca2166dbeb374a06d4dc92c9bb93c24133b916d (patch) | |
tree | aa68ed10f3dedfa9737b83f1d825c2191e13aebb /src/tests/t_policy.py | |
parent | c50c0318397cc41d559763bef693da78ad642c6b (diff) | |
Test more policy features
Add tests to t_policy.py for password quality enforcement, password
history (apart from the existing #7099 regression test), and for
references to nonexistent policies.
Diffstat (limited to 'src/tests/t_policy.py')
-rw-r--r-- | src/tests/t_policy.py | 77 |
1 files changed, 77 insertions, 0 deletions
diff --git a/src/tests/t_policy.py b/src/tests/t_policy.py
index 63e3e0f141..f4cb4b4d74 100644
--- a/src/tests/t_policy.py
+++ b/src/tests/t_policy.py
@@ -4,6 +4,79 @@ import re
 realm = K5Realm(create_host=False)
+# Test password quality enforcement.
+realm.run_kadminl('addpol -minlength 6 -minclasses 2 pwpol')
+realm.run_kadminl('addprinc -randkey -policy pwpol pwuser')
+out = realm.run_kadminl('cpw -pw sh0rt pwuser')
+if 'Password is too short' not in out:
+ fail('short password')
+out = realm.run_kadminl('cpw -pw longenough pwuser')
+if 'Password does not contain enough character classes' not in out:
+ fail('insufficient character classes')
+out = realm.run_kadminl('cpw -pw l0ngenough pwuser')
+if ' changed.' not in out:
+ fail('acceptable password')
+
+# Test some password history enforcement. Even with no history value,
+# the current password should be denied.
+out = realm.run_kadminl('cpw -pw l0ngenough pwuser')
+if 'Cannot reuse password' not in out:
+ fail('reuse of current password')
+realm.run_kadminl('modpol -history 2 pwpol')
+realm.run_kadminl('cpw -pw an0therpw pwuser')
+out = realm.run_kadminl('cpw -pw l0ngenough pwuser')
+if 'Cannot reuse password' not in out:
+ fail('reuse of old password')
+realm.run_kadminl('cpw -pw 3rdpassword pwuser')
+out = realm.run_kadminl('cpw -pw l0ngenough pwuser')
+if ' changed.' not in out:
+ fail('reuse of third-oldest password with history 2')
+
+# Test references to nonexistent policies.
+out = realm.run_kadminl('addprinc -randkey -policy newpol newuser')
+if ('WARNING: policy "newpol" does not exist' not in out or
+ ' created.' not in out):
+ fail('creation with nonexistent policy')
+out = realm.run_kadminl('getprinc newuser')
+if 'Policy: newpol [does not exist]\n' not in out:
+ fail('getprinc output for principal referencing nonexistent policy')
+out = realm.run_kadminl('modprinc -policy newpol pwuser')
+if ('WARNING: policy "newpol" does not exist' not in out or
+ ' modified.' not in out):
+ fail('modification to nonexistent policy')
+# pwuser should allow reuse of the current password since newpol doesn't exist.
+out = realm.run_kadminl('cpw -pw 3rdpassword pwuser')
+if ' changed.' not in out:
+ fail('reuse of current password with nonexistent policy')
+
+# Create newpol and verify that it is enforced.
+realm.run_kadminl('addpol -minlength 3 newpol')
+out = realm.run_kadminl('getprinc pwuser')
+if 'Policy: newpol\n' not in out:
+ fail('getprinc after creating policy (pwuser)')
+out = realm.run_kadminl('cpw -pw aa pwuser')
+if 'Password is too short' not in out:
+ fail('short password after creating policy (pwuser)')
+out = realm.run_kadminl('cpw -pw 3rdpassword pwuser')
+if 'Cannot reuse password' not in out:
+ fail('reuse of current password after creating policy')
+
+out = realm.run_kadminl('getprinc newuser')
+if 'Policy: newpol\n' not in out:
+ fail('getprinc after creating policy (newuser)')
+out = realm.run_kadminl('cpw -pw aa newuser')
+if 'Password is too short' not in out:
+ fail('short password after creating policy (newuser)')
+
+# Delete the policy and verify that it is no longer enforced.
+realm.run_kadminl('delpol -force newpol')
+out = realm.run_kadminl('getpol newpol')
+if 'Policy does not exist' not in out:
+ fail('deletion of referenced policy')
+out = realm.run_kadminl('cpw -pw aa pwuser')
+if ' changed.' not in out:
+ fail('short password after deleting policy')
+
 # Test basic password lockout support.
 realm.run_kadminl('addpol -maxfailure 2 -failurecountinterval 5m lockout')
@@ -27,6 +100,10 @@ if 'Clients credentials have been revoked while getting initial credentials' \
 output = realm.run_kadminl('modprinc -unlock user')
 realm.kinit(realm.user_princ, password('user'))
+# Make sure a nonexistent policy reference doesn't prevent authentication.
+realm.run_kadminl('delpol -force lockout')
+realm.kinit(realm.user_princ, password('user'))
+
 # Regression test for issue #7099: databases created prior to krb5 1.3 have
 # multiple history keys, and kadmin prior to 1.7 didn't necessarily use the
 # first one to create history entries. |
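Review bot: The 'reuse of old password' check in the history block does not by itself show that a history entry was kept, because the output of the preceding `realm.run_kadminl('cpw -pw an0therpw pwuser')` is discarded. If that change were refused, `l0ngenough` would still be the current password and `Cannot reuse password` would appear for the reason the earlier 'reuse of current password' check already covers. A later assertion would probably still trip, but under a misleading label. I would capture the result and assert it, `out = realm.run_kadminl('cpw -pw an0therpw pwuser')` then `if ' changed.' not in out: fail('change to second password')`, and do the same for `modpol -history 2 pwpol` and `cpw -pw 3rdpassword pwuser`. Whether run_kadminl itself fails on a kadmin error is not visible in this diff.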
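Review bot: The added `realm.kinit(realm.user_princ, password('user'))` after `delpol -force lockout` proves little on its own, since the context line directly above already shows the same kinit succeeding and nothing here confirms that `user` is left with a dangling policy reference. Where `user` is given the lockout policy lies outside this hunk. I would assert the state before authenticating, reusing the format checked in the first hunk: `out = realm.run_kadminl('getprinc user')` then `if 'Policy: lockout [does not exist]\n' not in out: fail('lockout policy reference after delpol')`. The comment could also say that the lockout limits presumably stop applying to the principal once the policy is force-deleted, since that is the behaviour this test pins.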