author | Greg Hudson <ghudson@mit.edu> | 2013-06-14 15:28:06 -0400 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2013-06-27 02:00:51 -0400 |
commit | a6debff894e8b24f72675beea9ee4438bd2e8902 (patch) | |
tree | 107576bc515e51ca8d4dd7c9d2bf761368b57eaa /src/tests/t_pwqual.py | |
parent | a6765ca3fa82fa9ac8045fb583d168c542b19585 (diff) | |
Add tests for pwqual modules and plugin ordering
Create a test module for the pwqual interface, and script to exercise
the built-in and test modules through kadmin.local. Also create a
test harness to display the order of pwqual modules for the current
configuration, and use it to test the plugin module ordering
guarantees.
ticket: 7665
Diffstat (limited to 'src/tests/t_pwqual.py')
-rw-r--r-- | src/tests/t_pwqual.py | 81 |
1 files changed, 81 insertions, 0 deletions
diff --git a/src/tests/t_pwqual.py b/src/tests/t_pwqual.py
new file mode 100644
index 0000000000..b3a16980a3
--- /dev/null
+++ b/src/tests/t_pwqual.py
@@ -0,0 +1,81 @@
+#!/usr/bin/python
+from k5test import *
+
+plugin = os.path.join(buildtop, "plugins", "pwqual", "test", "pwqual_test.so")
+
+dictfile = os.path.join(os.getcwd(), 'testdir', 'dict')
+
+pconf = {'plugins': {'pwqual': {'module': 'combo:' + plugin}}}
+dconf = {'realms': {'$realm': {'dict_file': dictfile}}}
+realm = K5Realm(krb5_conf=pconf, kdc_conf=dconf, create_user=False,
+ create_host=False)
+
+# Write a short dictionary file.
+f = open(dictfile, 'w')
+f.write('birds\nbees\napples\noranges\n')
+f.close()
+
+realm.run_kadminl('addpol pol')
+
+# The built-in "empty" module rejects empty passwords even without a policy.
+out = realm.run_kadminl('addprinc -pw "" p1')
+if 'Empty passwords are not allowed' not in out:
+ fail('Expected error not seen for empty password')
+
+# The built-in "dict" module rejects dictionary words, but only with a policy.
+out = realm.run_kadminl('addprinc -pw birds p2')
+if 'created.' not in out:
+ fail('Unexpected failure from dictionary password without policy')
+out = realm.run_kadminl('addprinc -pw birds -policy pol p3')
+if 'Password is in the password dictionary' not in out:
+ fail('Expected error not seen from dictionary password')
+
+# The built-in "princ" module rejects principal components, only with a policy.
+out = realm.run_kadminl('addprinc -pw p4 p4')
+if 'created.' not in out:
+ fail('Unexpected failure from principal component without policy')
+out = realm.run_kadminl('addprinc -pw p5 -policy pol p5')
+if 'Password may not match principal name' not in out:
+ fail('Expected error not seen from principal component')
+
+# The dynamic "combo" module rejects pairs of dictionary words.
+out = realm.run_kadminl('addprinc -pw birdsoranges p6')
+if 'Password may not be a pair of dictionary words' not in out:
+ fail('Expected error not seen from combo module')
+
+# These plugin ordering tests aren't specifically related to the
+# password quality interface, but are convenient to put here.
+
+def test_order(realm, testname, conf, expected):
+ conf = {'plugins': {'pwqual': conf}}
+ env = realm.special_env(testname, False, krb5_conf=conf)
+ out = realm.run(['./plugorder'], env=env)
+ if out.split() != expected:
+ fail('order test: ' + testname)
+
+realm.stop()
+realm = K5Realm(create_kdb=False)
+
+# Check the test harness with no special configuration.
+test_order(realm, 'noconf', {}, ['blt1', 'blt2', 'blt3'])
+
+# Test the basic order: dynamic modules, then built-in modules, each
+# in registration order.
+conf = {'module': ['dyn3:' + plugin, 'dyn1:' + plugin, 'dyn2:' + plugin]}
+test_order(realm, 'basic', conf,
+ ['dyn3', 'dyn1', 'dyn2', 'blt1', 'blt2', 'blt3'])
+
+# Disabling modules should not affect the order of other modules.
+conf['disable'] = ['dyn1', 'blt3']
+test_order(realm, 'disable', conf, ['dyn3', 'dyn2', 'blt1', 'blt2'])
+
+# enable_only should reorder the modules, but can't resurrect disabled
+# modules or create ones from thin air.
+conf['enable_only'] = ['dyn2', 'blt3', 'blt2', 'dyn1', 'dyn3', 'xxx']
+test_order(realm, 'enable_only', conf, ['dyn2', 'blt2', 'dyn3'])
+
+# Duplicate modules should be pruned by preferring earlier entries.
+conf = {'module': ['dyn3:' + plugin, 'dyn1:' + plugin, 'dyn3:' + plugin]}
+test_order(realm, 'duplicate', conf, ['dyn3', 'dyn1', 'blt1', 'blt2', 'blt3'])
+
+success('Password quality interface tests') |
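Review bot: The rejection cases for p1, p3, p5 and p6 assert only that the expected error text appears in the kadmin.local output; none of them confirms that the principal was not created. A regression that prints the pwqual error but still stores the key would therefore pass this script. After each rejection, a lookup such as `out = realm.run_kadminl('getprinc p3')` could be added, with a `fail(...)` if the principal is found. The script also exercises only `addprinc`; if the password-change path (`cpw`) is meant to go through the same pwqual modules, which seems likely but is not visible here, one policy-bound `cpw -pw birds` case would cover it.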