From 34c9a94f798eb9e4392a9568692fffd37fc02267 Mon Sep 17 00:00:00 2001
From: William Brown <firstyear@redhat.com>
Date: Mon, 30 May 2016 13:33:41 +1000
Subject: [PATCH] Ticket 48855 - Add basic pwdPolicy tests

Bug Description:  There were no password policy tests in the features section.

Fix Description:  Add the initial test that checks for password syntax enforcment

https://fedorahosted.org/389/ticket/48855

Author: wibrown

Review by: ???
---
 .../tests/suites/password/pwdPolicy_test.py        | 115 ++++++++++++++++-----
 1 file changed, 92 insertions(+), 23 deletions(-)

diff --git a/dirsrvtests/tests/suites/password/pwdPolicy_test.py b/dirsrvtests/tests/suites/password/pwdPolicy_test.py
index 9ceb62c..653d033 100644
--- a/dirsrvtests/tests/suites/password/pwdPolicy_test.py
+++ b/dirsrvtests/tests/suites/password/pwdPolicy_test.py
@@ -21,23 +21,38 @@ from lib389.tasks import *
 logging.getLogger(__name__).setLevel(logging.DEBUG)
 log = logging.getLogger(__name__)
 
-installation1_prefix = None
+from lib389.config import RSA, Encryption, Config
+
+DEBUGGING = False
+
+USER_DN = 'uid=user,ou=People,%s' % DEFAULT_SUFFIX
+
+if DEBUGGING:
+    logging.getLogger(__name__).setLevel(logging.DEBUG)
+else:
+    logging.getLogger(__name__).setLevel(logging.INFO)
+
+
+log = logging.getLogger(__name__)
 
 
 class TopologyStandalone(object):
+    """The DS Topology Class"""
     def __init__(self, standalone):
+        """Init"""
         standalone.open()
         self.standalone = standalone
 
 
 @pytest.fixture(scope="module")
 def topology(request):
-    global installation1_prefix
-    if installation1_prefix:
-        args_instance[SER_DEPLOYED_DIR] = installation1_prefix
+    """Create DS Deployment"""
 
     # Creating standalone instance ...
-    standalone = DirSrv(verbose=False)
+    if DEBUGGING:
+        standalone = DirSrv(verbose=True)
+    else:
+        standalone = DirSrv(verbose=False)
     args_instance[SER_HOST] = HOST_STANDALONE
     args_instance[SER_PORT] = PORT_STANDALONE
     args_instance[SER_SERVERID_PROP] = SERVERID_STANDALONE
@@ -50,33 +65,87 @@ def topology(request):
     standalone.create()
     standalone.open()
 
+    # Deploy certs
+    # This is a trick. The nss db that ships with DS is broken
+    for f in ('key3.db', 'cert8.db', 'key4.db', 'cert9.db', 'secmod.db', 'pkcs11.txt'):
+        try:
+            os.remove("%s/%s" % (topology.standalone.confdir, f ))
+        except:
+            pass
+
+    assert(standalone.nss_ssl.reinit() is True)
+    assert(standalone.nss_ssl.create_rsa_ca() is True)
+    assert(standalone.nss_ssl.create_rsa_key_and_cert() is True)
+
+    # Say that we accept the cert
+    # Connect again!
+
+    # Enable the SSL options
+    standalone.rsa.create()
+    standalone.rsa.set('nsSSLPersonalitySSL', 'Server-Cert')
+    standalone.rsa.set('nsSSLToken', 'internal (software)')
+    standalone.rsa.set('nsSSLActivation', 'on')
+
+    standalone.config.set('nsslapd-secureport', PORT_STANDALONE2)
+    standalone.config.set('nsslapd-security', 'on')
+
+    standalone.restart()
+
+
+    def fin():
+        """If we are debugging just stop the instances, otherwise remove
+        them
+        """
+        if DEBUGGING:
+            standalone.stop()
+        else:
+            standalone.delete()
+
+    request.addfinalizer(fin)
+
     # Clear out the tmp dir
     standalone.clearTmpDir(__file__)
 
     return TopologyStandalone(standalone)
 
+def _create_user(inst):
+    inst.add_s(Entry((
+                USER_DN, {
+                    'objectClass': 'top account simplesecurityobject'.split(),
+                     'uid': 'user',
+                     'userpassword': 'password'
+                })))
+
 
-def test_pwdPolicy_init(topology):
+def test_pwdPolicy_constraint(topology):
     '''
-    Init the test suite (if necessary)
+    Password policy test: Ensure that on a password change, the policy is
+    enforced correctly.
     '''
-    return
 
-
-def test_pwdPolicy_final(topology):
-    topology.standalone.delete()
-    log.info('Password Policy test suite PASSED')
-
-
-def run_isolated():
-    global installation1_prefix
-    installation1_prefix = None
-
-    topo = topology(True)
-    test_pwdPolicy_init(topo)
-    test_pwdPolicy_final(topo)
+    # Create a user
+    _create_user(topology.standalone)
+    # Set the password policy globally
+    topology.standalone.config.set('passwordMinLength', '10')
+    topology.standalone.config.set('passwordMinDigits', '2')
+    topology.standalone.config.set('passwordCheckSyntax', 'on')
+    topology.standalone.config.set('nsslapd-pwpolicy-local', 'off')
+    # Now open a new ldap connection with TLS
+    userconn = ldap.initialize("ldap://%s:%s" % (HOST_STANDALONE, PORT_STANDALONE))
+    userconn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap. OPT_X_TLS_NEVER )
+    userconn.start_tls_s()
+    userconn.simple_bind_s(USER_DN, 'password')
+    # This should have an exception!
+    try:
+        userconn.passwd_s(USER_DN, 'password', 'password1')
+        assert(False)
+    except ldap.CONSTRAINT_VIOLATION:
+        assert(True)
+    # Change the password to something invalid!
 
 
 if __name__ == '__main__':
-    run_isolated()
-
+    # Run isolated
+    # -s for DEBUG mode
+    CURRENT_FILE = os.path.realpath(__file__)
+    pytest.main("-s %s" % CURRENT_FILE)
-- 
2.5.5