authorGreg Hudson <ghudson@mit.edu>2013-06-14 15:28:06 -0400
committerGreg Hudson <ghudson@mit.edu>2013-06-27 02:00:51 -0400
commita6debff894e8b24f72675beea9ee4438bd2e8902 (patch)
tree107576bc515e51ca8d4dd7c9d2bf761368b57eaa /src/tests/t_pwqual.py
parenta6765ca3fa82fa9ac8045fb583d168c542b19585 (diff)
Add tests for pwqual modules and plugin ordering
Create a test module for the pwqual interface, and script to exercise the built-in and test modules through kadmin.local. Also create a test harness to display the order of pwqual modules for the current configuration, and use it to test the plugin module ordering guarantees. ticket: 7665
Diffstat (limited to 'src/tests/t_pwqual.py')
-rw-r--r--src/tests/t_pwqual.py81
1 files changed, 81 insertions, 0 deletions
diff --git a/src/tests/t_pwqual.py b/src/tests/t_pwqual.py
new file mode 100644
index 0000000000..b3a16980a3
--- /dev/null
+++ b/src/tests/t_pwqual.py
@@ -0,0 +1,81 @@
+#!/usr/bin/python
+from k5test import *
+
+plugin = os.path.join(buildtop, "plugins", "pwqual", "test", "pwqual_test.so")
+
+dictfile = os.path.join(os.getcwd(), 'testdir', 'dict')
+
+pconf = {'plugins': {'pwqual': {'module': 'combo:' + plugin}}}
+dconf = {'realms': {'$realm': {'dict_file': dictfile}}}
+realm = K5Realm(krb5_conf=pconf, kdc_conf=dconf, create_user=False,
+ create_host=False)
+
+# Write a short dictionary file.
+f = open(dictfile, 'w')
+f.write('birds\nbees\napples\noranges\n')
+f.close()
+
+realm.run_kadminl('addpol pol')
+
+# The built-in "empty" module rejects empty passwords even without a policy.
+out = realm.run_kadminl('addprinc -pw "" p1')
+if 'Empty passwords are not allowed' not in out:
+ fail('Expected error not seen for empty password')
+
+# The built-in "dict" module rejects dictionary words, but only with a policy.
+out = realm.run_kadminl('addprinc -pw birds p2')
+if 'created.' not in out:
+ fail('Unexpected failure from dictionary password without policy')
+out = realm.run_kadminl('addprinc -pw birds -policy pol p3')
+if 'Password is in the password dictionary' not in out:
+ fail('Expected error not seen from dictionary password')
+
+# The built-in "princ" module rejects principal components, only with a policy.
+out = realm.run_kadminl('addprinc -pw p4 p4')
+if 'created.' not in out:
+ fail('Unexpected failure from principal component without policy')
+out = realm.run_kadminl('addprinc -pw p5 -policy pol p5')
+if 'Password may not match principal name' not in out:
+ fail('Expected error not seen from principal component')
+
+# The dynamic "combo" module rejects pairs of dictionary words.
+out = realm.run_kadminl('addprinc -pw birdsoranges p6')
+if 'Password may not be a pair of dictionary words' not in out:
+ fail('Expected error not seen from combo module')
+
+# These plugin ordering tests aren't specifically related to the
+# password quality interface, but are convenient to put here.
+
+def test_order(realm, testname, conf, expected):
+ conf = {'plugins': {'pwqual': conf}}
+ env = realm.special_env(testname, False, krb5_conf=conf)
+ out = realm.run(['./plugorder'], env=env)
+ if out.split() != expected:
+ fail('order test: ' + testname)
+
+realm.stop()
+realm = K5Realm(create_kdb=False)
+
+# Check the test harness with no special configuration.
+test_order(realm, 'noconf', {}, ['blt1', 'blt2', 'blt3'])
+
+# Test the basic order: dynamic modules, then built-in modules, each
+# in registration order.
+conf = {'module': ['dyn3:' + plugin, 'dyn1:' + plugin, 'dyn2:' + plugin]}
+test_order(realm, 'basic', conf,
+ ['dyn3', 'dyn1', 'dyn2', 'blt1', 'blt2', 'blt3'])
+
+# Disabling modules should not affect the order of other modules.
+conf['disable'] = ['dyn1', 'blt3']
+test_order(realm, 'disable', conf, ['dyn3', 'dyn2', 'blt1', 'blt2'])
+
+# enable_only should reorder the modules, but can't resurrect disabled
+# modules or create ones from thin air.
+conf['enable_only'] = ['dyn2', 'blt3', 'blt2', 'dyn1', 'dyn3', 'xxx']
+test_order(realm, 'enable_only', conf, ['dyn2', 'blt2', 'dyn3'])
+
+# Duplicate modules should be pruned by preferring earlier entries.
+conf = {'module': ['dyn3:' + plugin, 'dyn1:' + plugin, 'dyn3:' + plugin]}
+test_order(realm, 'duplicate', conf, ['dyn3', 'dyn1', 'blt1', 'blt2', 'blt3'])
+
+success('Password quality interface tests')
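Review bot: The rejection cases for the empty, dict, princ and combo modules (p1, p3, p5, p6) assert only that the expected error text appears in the kadmin.local output, so a regression that prints the message but still creates the principal would pass. Since these tests guard a password-quality control, each rejection could be followed by a check that the principal is absent, for example `out = realm.run_kadminl('getprinc p3')` followed by `if 'Principal does not exist' not in out:` and a `fail(...)`; the exact error string should be confirmed against kadmin's actual output. A short comment on the p6 case, noting that the combo module is expected to reject even without `-policy`, would also make the contrast with the dict and princ cases explicit.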