authorGreg Hudson <ghudson@mit.edu>2013-01-08 15:32:39 -0500
committerGreg Hudson <ghudson@mit.edu>2013-01-09 15:35:44 -0500
commitc50c0318397cc41d559763bef693da78ad642c6b (patch)
tree72e04ab68f93bdd57cd10db147fbcf1dcf998329 /src
parent0780e46fc13dbafa177525164997cd204cc50b51 (diff)
Consolidate policy tests into t_policy.py
Create a combined script for policy-related tests, and fold in the existing lockout, password history, and allowed-keysalts tests.
Diffstat (limited to 'src')
-rw-r--r--src/tests/Makefile.in4
-rw-r--r--src/tests/t_lockout.py50
-rw-r--r--src/tests/t_policy.py (renamed from src/tests/t_allowed_keysalts.py)51
-rw-r--r--src/tests/t_pwhist.py20
4 files changed, 48 insertions, 77 deletions
diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
index 1eac9e66d..354f12c56 100644
--- a/src/tests/Makefile.in
+++ b/src/tests/Makefile.in
@@ -71,11 +71,10 @@ check-pytests:: hist kdbtest
$(RUNPYTEST) $(srcdir)/t_general.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_iprop.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_anonpkinit.py $(PYTESTFLAGS)
- $(RUNPYTEST) $(srcdir)/t_lockout.py $(PYTESTFLAGS)
+ $(RUNPYTEST) $(srcdir)/t_policy.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_kadm5_hook.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_kdb_locking.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_keyrollover.py $(PYTESTFLAGS)
- $(RUNPYTEST) $(srcdir)/t_allowed_keysalts.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_renew.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_renprinc.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_ccache.py $(PYTESTFLAGS)
@@ -85,7 +84,6 @@ check-pytests:: hist kdbtest
$(RUNPYTEST) $(srcdir)/t_referral.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_skew.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_keytab.py $(PYTESTFLAGS)
- $(RUNPYTEST) $(srcdir)/t_pwhist.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_kadmin_acl.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_kdb.py $(PYTESTFLAGS)
# $(RUNPYTEST) $(srcdir)/kdc_realm/kdcref.py $(PYTESTFLAGS)
diff --git a/src/tests/t_lockout.py b/src/tests/t_lockout.py
deleted file mode 100644
index 8da8c5748..000000000
--- a/src/tests/t_lockout.py
+++ /dev/null
@@ -1,50 +0,0 @@
-# Copyright (C) 2010 by the Massachusetts Institute of Technology.
-# All rights reserved.
-
-# Export of this software from the United States of America may
-# require a specific license from the United States Government.
-# It is the responsibility of any person or organization contemplating
-# export to obtain such a license before exporting.
-#
-# WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
-# distribute this software and its documentation for any purpose and
-# without fee is hereby granted, provided that the above copyright
-# notice appear in all copies and that both that copyright notice and
-# this permission notice appear in supporting documentation, and that
-# the name of M.I.T. not be used in advertising or publicity pertaining
-# to distribution of the software without specific, written prior
-# permission. Furthermore if you modify this software you must label
-# your software as modified software and not distribute it in such a
-# fashion that it might be confused with the original M.I.T. software.
-# M.I.T. makes no representations about the suitability of
-# this software for any purpose. It is provided "as is" without express
-# or implied warranty.
-
-#!/usr/bin/python
-from k5test import *
-
-realm = K5Realm(create_host=False)
-
-realm.run_kadminl('addpol -maxfailure 2 -failurecountinterval 5m lockout')
-realm.run_kadminl('modprinc +requires_preauth -policy lockout user')
-
-# kinit twice with the wrong password.
-output = realm.run([kinit, realm.user_princ], input='wrong\n', expected_code=1)
-if 'Password incorrect while getting initial credentials' not in output:
- fail('Expected error message not seen in kinit output')
-output = realm.run([kinit, realm.user_princ], input='wrong\n', expected_code=1)
-if 'Password incorrect while getting initial credentials' not in output:
- fail('Expected error message not seen in kinit output')
-
-# Now the account should be locked out.
-output = realm.run([kinit, realm.user_princ], expected_code=1)
-if 'Clients credentials have been revoked while getting initial credentials' \
- not in output:
- fail('Expected lockout error message not seen in kinit output')
-
-# Check that modprinc -unlock allows a further attempt.
-output = realm.run_kadminl('modprinc -unlock user')
-realm.kinit(realm.user_princ, password('user'))
-
-success('Account lockout')
-
diff --git a/src/tests/t_allowed_keysalts.py b/src/tests/t_policy.py
index e7b7833ed..63e3e0f14 100644
--- a/src/tests/t_allowed_keysalts.py
+++ b/src/tests/t_policy.py
@@ -2,8 +2,53 @@
from k5test import *
import re
-krb5_conf1 = {'libdefaults': {'supported_enctypes': 'aes256-cts'}}
+realm = K5Realm(create_host=False)
+
+# Test basic password lockout support.
+
+realm.run_kadminl('addpol -maxfailure 2 -failurecountinterval 5m lockout')
+realm.run_kadminl('modprinc +requires_preauth -policy lockout user')
+
+# kinit twice with the wrong password.
+output = realm.run([kinit, realm.user_princ], input='wrong\n', expected_code=1)
+if 'Password incorrect while getting initial credentials' not in output:
+ fail('Expected error message not seen in kinit output')
+output = realm.run([kinit, realm.user_princ], input='wrong\n', expected_code=1)
+if 'Password incorrect while getting initial credentials' not in output:
+ fail('Expected error message not seen in kinit output')
+
+# Now the account should be locked out.
+output = realm.run([kinit, realm.user_princ], expected_code=1)
+if 'Clients credentials have been revoked while getting initial credentials' \
+ not in output:
+ fail('Expected lockout error message not seen in kinit output')
+
+# Check that modprinc -unlock allows a further attempt.
+output = realm.run_kadminl('modprinc -unlock user')
+realm.kinit(realm.user_princ, password('user'))
+
+# Regression test for issue #7099: databases created prior to krb5 1.3 have
+# multiple history keys, and kadmin prior to 1.7 didn't necessarily use the
+# first one to create history entries.
+realm.stop()
+realm = K5Realm(start_kdc=False)
+# Create a history principal with two keys.
+realm.run(['./hist', 'make'])
+realm.run_kadminl('addpol -history 2 pol')
+realm.run_kadminl('modprinc -policy pol user')
+realm.run_kadminl('cpw -pw pw2 user')
+# Swap the keys, simulating older kadmin having chosen the second entry.
+realm.run(['./hist', 'swap'])
+# Make sure we can read the history entry.
+output = realm.run_kadminl('cpw -pw %s user' % password('user'))
+if 'Cannot reuse password' not in output:
+ fail('Expected error not seen in output')
+
+# Test key/salt constraints.
+
+realm.stop()
+krb5_conf1 = {'libdefaults': {'supported_enctypes': 'aes256-cts'}}
realm = K5Realm(krb5_conf=krb5_conf1, create_host=False, get_creds=False)
# Add policy.
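Review bot: The lockout check under `# Now the account should be locked out.` runs kinit with no `input`, so it only shows that the KDC returns the revoked error before any password is offered. It never shows that a locked principal is refused when the correct password is supplied, which is the property the lockout policy exists to enforce. Passing the real password states that directly: `output = realm.run([kinit, realm.user_princ], input=password('user') + '\n', expected_code=1)`. Two smaller points in the same section: the `output =` assignment on the `modprinc -unlock user` line is never read, and the two copy-pasted wrong-password attempts silently depend on `-maxfailure 2`, so a comment such as `# two failures == -maxfailure 2 in the policy above` would keep them in step. The key/salt section that this hunk opens continues outside the hunk.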
@@ -87,6 +132,4 @@ if 'Invalid key/salt tuples' in output:
fail('key change rejected that should have been permitted')
realm.run_kadminl('getprinc server')
-realm.stop()
-
-success('allowed_keysalts')
+success('Policy tests')
diff --git a/src/tests/t_pwhist.py b/src/tests/t_pwhist.py
deleted file mode 100644
index 3d8c7c1b2..000000000
--- a/src/tests/t_pwhist.py
+++ /dev/null
@@ -1,20 +0,0 @@
-#!/usr/bin/python
-from k5test import *
-
-# Regression test for issue #7099: databases created prior to krb5 1.3 have
-# multiple history keys, and kadmin prior to 1.7 didn't necessarily use the
-# first one to create history entries.
-realm = K5Realm(start_kdc=False)
-# Create a history principal with two keys.
-realm.run(['./hist', 'make'])
-realm.run_kadminl('addpol -history 2 pol')
-realm.run_kadminl('modprinc -policy pol user')
-realm.run_kadminl('cpw -pw pw2 user')
-# Swap the keys, simulating older kadmin having chosen the second entry.
-realm.run(['./hist', 'swap'])
-# Make sure we can read the history entry.
-output = realm.run_kadminl('cpw -pw %s user' % password('user'))
-if 'Cannot reuse password' not in output:
- fail('Expected error not seen in output')
-
-success('Password history tests')