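# Tests for the password quality (pwqual) plugin interface: the built-in
# "empty", "dict" and "princ" modules, plus a dynamically loaded test module
# registered under the name "combo".
from k5test import *

plugin = os.path.join(buildtop, "plugins", "pwqual", "test", "pwqual_test.so")

dictfile = os.path.join(os.getcwd(), 'testdir', 'dict')

# krb5.conf registers the dynamic module as "combo"; kdc.conf points the
# realm's dict_file at the dictionary written below.
pconf = {'plugins': {'pwqual': {'module': 'combo:' + plugin}}}
dconf = {'realms': {'$realm': {'dict_file': dictfile}}}
realm = K5Realm(krb5_conf=pconf, kdc_conf=dconf, create_user=False,
                create_host=False)

# Write a short dictionary file.  The context manager guarantees the file is
# flushed and closed before kadmin.local reads it, even if the write raises.
with open(dictfile, 'w') as f:
    f.write('birds\nbees\napples\noranges\n')

realm.run([kadminl, 'addpol', 'pol'])

mark('pwqual modules')

# The built-in "empty" module rejects empty passwords even without a policy.
realm.run([kadminl, 'addprinc', '-pw', '', 'p1'], expected_code=1,
          expected_msg='Empty passwords are not allowed')

# The built-in "dict" module rejects dictionary words, but only with a policy.
# p2 (no policy) is accepted with the dictionary word 'birds', so the check
# protects a principal only when a policy is attached to it.
realm.run([kadminl, 'addprinc', '-pw', 'birds', 'p2'])
realm.run([kadminl, 'addprinc', '-pw', 'birds', '-policy', 'pol', 'p3'],
          expected_code=1,
          expected_msg='Password is in the password dictionary')

# The built-in "princ" module rejects principal components, only with a policy.
# As with "dict", p4 (no policy) may use its own name as its password.
realm.run([kadminl, 'addprinc', '-pw', 'p4', 'p4'])
realm.run([kadminl, 'addprinc', '-pw', 'p5', '-policy', 'pol', 'p5'],
          expected_code=1,
          expected_msg='Password may not match principal name')

# The dynamic "combo" module rejects pairs of dictionary words.  p6 has no
# policy, so this module is applied regardless of policy.
realm.run([kadminl, 'addprinc', '-pw', 'birdsoranges', 'p6'], expected_code=1,
          expected_msg='Password may not be a pair of dictionary words')

# These plugin ordering tests aren't specifically related to the
# password quality interface, but are convenient to put here.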
mark('plugin module order')


def test_order(realm, testname, conf, expected):
    """Check the module order reported by ./plugorder for one pwqual config.

    conf becomes the 'pwqual' subsection of the 'plugins' section in a
    special environment named testname.  The test fails unless the
    whitespace-split output of ./plugorder equals expected (a list of
    module names, in order).
    """
    krb5_conf = {'plugins': {'pwqual': conf}}
    # NOTE(review): the positional False is presumably special_env's
    # "has kdc.conf" flag; confirm against k5test.
    order_env = realm.special_env(testname, False, krb5_conf=krb5_conf)
    reported = realm.run(['./plugorder'], env=order_env).split()
    if reported == expected:
        return
    fail('order test: ' + testname)


# The ordering tests need no KDB, so replace the realm used above.
realm.stop()
realm = K5Realm(create_kdb=False)

# Check the test harness with no special configuration: only the built-in
# modules are reported.
test_order(realm, 'noconf', {}, ['blt1', 'blt2', 'blt3'])

# Test the basic order: dynamic modules, then built-in modules, each
# in registration order.
conf = {'module': [name + ':' + plugin for name in ('dyn3', 'dyn1', 'dyn2')]}
test_order(realm, 'basic', conf,
           ['dyn3', 'dyn1', 'dyn2', 'blt1', 'blt2', 'blt3'])

# Disabling modules should not affect the order of other modules.
conf['disable'] = ['dyn1', 'blt3']
test_order(realm, 'disable', conf, ['dyn3', 'dyn2', 'blt1', 'blt2'])

# enable_only should reorder the modules, but can't resurrect disabled
# modules or create ones from thin air ('xxx' is not a registered module).
conf['enable_only'] = ['dyn2', 'blt3', 'blt2', 'dyn1', 'dyn3', 'xxx']
test_order(realm, 'enable_only', conf, ['dyn2', 'blt2', 'dyn3'])

# Duplicate modules should be pruned by preferring earlier entries.
conf = {'module': [name + ':' + plugin for name in ('dyn3', 'dyn1', 'dyn3')]}
test_order(realm, 'duplicate', conf, ['dyn3', 'dyn1', 'blt1', 'blt2', 'blt3'])

success('Password quality interface tests')