From: Greg Hudson Date: Tue, 8 Jan 2013 20:32:39 +0000 (-0500) Subject: Consolidate policy tests into t_policy.py X-Git-Tag: krb5-1.12-alpha1~362 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c50c0318397cc41d559763bef693da78ad642c6b;p=thirdparty%2Fkrb5.git Consolidate policy tests into t_policy.py Create a combined script for policy-related tests, and fold in the existing lockout, password history, and allowed-keysalts tests. --- diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in index 1eac9e66d1..354f12c569 100644 --- a/src/tests/Makefile.in +++ b/src/tests/Makefile.in @@ -71,11 +71,10 @@ check-pytests:: hist kdbtest $(RUNPYTEST) $(srcdir)/t_general.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_iprop.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_anonpkinit.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_lockout.py $(PYTESTFLAGS) + $(RUNPYTEST) $(srcdir)/t_policy.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_kadm5_hook.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_kdb_locking.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_keyrollover.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_allowed_keysalts.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_renew.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_renprinc.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_ccache.py $(PYTESTFLAGS) @@ -85,7 +84,6 @@ check-pytests:: hist kdbtest $(RUNPYTEST) $(srcdir)/t_referral.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_skew.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_keytab.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_pwhist.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_kadmin_acl.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_kdb.py $(PYTESTFLAGS) # $(RUNPYTEST) $(srcdir)/kdc_realm/kdcref.py $(PYTESTFLAGS) diff --git a/src/tests/t_lockout.py b/src/tests/t_lockout.py deleted file mode 100644 index 8da8c57481..0000000000 --- a/src/tests/t_lockout.py +++ /dev/null @@ -1,50 +0,0 @@ -# Copyright (C) 2010 by the Massachusetts Institute of Technology. -# All rights reserved. - -# Export of this software from the United States of America may -# require a specific license from the United States Government. -# It is the responsibility of any person or organization contemplating -# export to obtain such a license before exporting. -# -# WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -# distribute this software and its documentation for any purpose and -# without fee is hereby granted, provided that the above copyright -# notice appear in all copies and that both that copyright notice and -# this permission notice appear in supporting documentation, and that -# the name of M.I.T. not be used in advertising or publicity pertaining -# to distribution of the software without specific, written prior -# permission. Furthermore if you modify this software you must label -# your software as modified software and not distribute it in such a -# fashion that it might be confused with the original M.I.T. software. -# M.I.T. makes no representations about the suitability of -# this software for any purpose. It is provided "as is" without express -# or implied warranty. - -#!/usr/bin/python -from k5test import * - -realm = K5Realm(create_host=False) - -realm.run_kadminl('addpol -maxfailure 2 -failurecountinterval 5m lockout') -realm.run_kadminl('modprinc +requires_preauth -policy lockout user') - -# kinit twice with the wrong password. -output = realm.run([kinit, realm.user_princ], input='wrong\n', expected_code=1) -if 'Password incorrect while getting initial credentials' not in output: - fail('Expected error message not seen in kinit output') -output = realm.run([kinit, realm.user_princ], input='wrong\n', expected_code=1) -if 'Password incorrect while getting initial credentials' not in output: - fail('Expected error message not seen in kinit output') - -# Now the account should be locked out. -output = realm.run([kinit, realm.user_princ], expected_code=1) -if 'Clients credentials have been revoked while getting initial credentials' \ - not in output: - fail('Expected lockout error message not seen in kinit output') - -# Check that modprinc -unlock allows a further attempt. -output = realm.run_kadminl('modprinc -unlock user') -realm.kinit(realm.user_princ, password('user')) - -success('Account lockout') - diff --git a/src/tests/t_allowed_keysalts.py b/src/tests/t_policy.py similarity index 66% rename from src/tests/t_allowed_keysalts.py rename to src/tests/t_policy.py index e7b7833ed3..63e3e0f141 100644 --- a/src/tests/t_allowed_keysalts.py +++ b/src/tests/t_policy.py @@ -2,8 +2,53 @@ from k5test import * import re -krb5_conf1 = {'libdefaults': {'supported_enctypes': 'aes256-cts'}} +realm = K5Realm(create_host=False) + +# Test basic password lockout support. + +realm.run_kadminl('addpol -maxfailure 2 -failurecountinterval 5m lockout') +realm.run_kadminl('modprinc +requires_preauth -policy lockout user') + +# kinit twice with the wrong password. +output = realm.run([kinit, realm.user_princ], input='wrong\n', expected_code=1) +if 'Password incorrect while getting initial credentials' not in output: + fail('Expected error message not seen in kinit output') +output = realm.run([kinit, realm.user_princ], input='wrong\n', expected_code=1) +if 'Password incorrect while getting initial credentials' not in output: + fail('Expected error message not seen in kinit output') + +# Now the account should be locked out. +output = realm.run([kinit, realm.user_princ], expected_code=1) +if 'Clients credentials have been revoked while getting initial credentials' \ + not in output: + fail('Expected lockout error message not seen in kinit output') + +# Check that modprinc -unlock allows a further attempt. +output = realm.run_kadminl('modprinc -unlock user') +realm.kinit(realm.user_princ, password('user')) + +# Regression test for issue #7099: databases created prior to krb5 1.3 have +# multiple history keys, and kadmin prior to 1.7 didn't necessarily use the +# first one to create history entries. +realm.stop() +realm = K5Realm(start_kdc=False) +# Create a history principal with two keys. +realm.run(['./hist', 'make']) +realm.run_kadminl('addpol -history 2 pol') +realm.run_kadminl('modprinc -policy pol user') +realm.run_kadminl('cpw -pw pw2 user') +# Swap the keys, simulating older kadmin having chosen the second entry. +realm.run(['./hist', 'swap']) +# Make sure we can read the history entry. +output = realm.run_kadminl('cpw -pw %s user' % password('user')) +if 'Cannot reuse password' not in output: + fail('Expected error not seen in output') + +# Test key/salt constraints. + +realm.stop() +krb5_conf1 = {'libdefaults': {'supported_enctypes': 'aes256-cts'}} realm = K5Realm(krb5_conf=krb5_conf1, create_host=False, get_creds=False) # Add policy. @@ -87,6 +132,4 @@ if 'Invalid key/salt tuples' in output: fail('key change rejected that should have been permitted') realm.run_kadminl('getprinc server') -realm.stop() - -success('allowed_keysalts') +success('Policy tests') diff --git a/src/tests/t_pwhist.py b/src/tests/t_pwhist.py deleted file mode 100644 index 3d8c7c1b23..0000000000 --- a/src/tests/t_pwhist.py +++ /dev/null @@ -1,20 +0,0 @@ -#!/usr/bin/python -from k5test import * - -# Regression test for issue #7099: databases created prior to krb5 1.3 have -# multiple history keys, and kadmin prior to 1.7 didn't necessarily use the -# first one to create history entries. -realm = K5Realm(start_kdc=False) -# Create a history principal with two keys. -realm.run(['./hist', 'make']) -realm.run_kadminl('addpol -history 2 pol') -realm.run_kadminl('modprinc -policy pol user') -realm.run_kadminl('cpw -pw pw2 user') -# Swap the keys, simulating older kadmin having chosen the second entry. -realm.run(['./hist', 'swap']) -# Make sure we can read the history entry. -output = realm.run_kadminl('cpw -pw %s user' % password('user')) -if 'Cannot reuse password' not in output: - fail('Expected error not seen in output') - -success('Password history tests')