krb5 commit: Add tests for pwqual modules and plugin ordering

Greg Hudson ghudson at MIT.EDU
Thu Jun 27 02:01:25 EDT 2013


https://github.com/krb5/krb5/commit/a6debff894e8b24f72675beea9ee4438bd2e8902
commit a6debff894e8b24f72675beea9ee4438bd2e8902
Author: Greg Hudson <ghudson at mit.edu>
Date:   Fri Jun 14 15:28:06 2013 -0400

    Add tests for pwqual modules and plugin ordering
    
    Create a test module for the pwqual interface, and script to exercise
    the built-in and test modules through kadmin.local.  Also create a
    test harness to display the order of pwqual modules for the current
    configuration, and use it to test the plugin module ordering
    guarantees.
    
    ticket: 7665

 src/Makefile.in                             |    1 +
 src/configure.in                            |    1 +
 src/plugins/pwqual/test/Makefile.in         |   21 +++
 src/plugins/pwqual/test/deps                |   16 ++
 src/plugins/pwqual/test/main.c              |  219 +++++++++++++++++++++++++++
 src/plugins/pwqual/test/pwqual_test.exports |    4 +
 src/tests/Makefile.in                       |   13 +-
 src/tests/deps                              |   19 +++
 src/tests/plugorder.c                       |   95 ++++++++++++
 src/tests/t_pwqual.py                       |   81 ++++++++++
 10 files changed, 466 insertions(+), 4 deletions(-)

diff --git a/src/Makefile.in b/src/Makefile.in
index cea7dda..ab8edbd 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -11,6 +11,7 @@ SUBDIRS=util include lib \
 	@sam2_plugin@ \
 	plugins/kadm5_hook/test \
 	plugins/localauth/test \
+	plugins/pwqual/test \
 	plugins/kdb/db2 \
 	@ldap_plugin_dir@ \
 	plugins/preauth/pkinit \
diff --git a/src/configure.in b/src/configure.in
index 4e49046..02955bb 100644
--- a/src/configure.in
+++ b/src/configure.in
@@ -1360,6 +1360,7 @@ dnl	ccapi ccapi/lib ccapi/lib/unix ccapi/server ccapi/server/unix ccapi/test
 	plugins/locate/python
 	plugins/localauth/test
 	plugins/kadm5_hook/test
+	plugins/pwqual/test
 	plugins/kdb/db2
 	plugins/kdb/db2/libdb2
 	plugins/kdb/db2/libdb2/hash
diff --git a/src/plugins/pwqual/test/Makefile.in b/src/plugins/pwqual/test/Makefile.in
new file mode 100644
index 0000000..d8717b3
--- /dev/null
+++ b/src/plugins/pwqual/test/Makefile.in
@@ -0,0 +1,21 @@
+mydir=plugins$(S)pwqual$(S)test
+BUILDTOP=$(REL)..$(S)..$(S)..
+
+LIBBASE=pwqual_test
+LIBMAJOR=0
+LIBMINOR=0
+RELDIR=../plugins/pwqual/test
+# Depends on libkrb5
+SHLIB_EXPDEPS= $(KRB5_DEPLIB)
+SHLIB_EXPLIBS= $(KRB5_LIB)
+
+STLIBOBJS=main.o
+
+SRCS= $(srcdir)/main.c
+
+all-unix:: all-libs
+install-unix::
+clean-unix:: clean-libs clean-libobjs
+
+ at libnover_frag@
+ at libobj_frag@
diff --git a/src/plugins/pwqual/test/deps b/src/plugins/pwqual/test/deps
new file mode 100644
index 0000000..85372e0
--- /dev/null
+++ b/src/plugins/pwqual/test/deps
@@ -0,0 +1,16 @@
+#
+# Generated makefile dependencies follow.
+#
+main.so main.po $(OUTPRE)main.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+  $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
+  $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
+  $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/krb5/krb5.h \
+  $(COM_ERR_DEPS) $(top_srcdir)/include/gssrpc/auth.h \
+  $(top_srcdir)/include/gssrpc/auth_gss.h $(top_srcdir)/include/gssrpc/auth_unix.h \
+  $(top_srcdir)/include/gssrpc/clnt.h $(top_srcdir)/include/gssrpc/rename.h \
+  $(top_srcdir)/include/gssrpc/rpc.h $(top_srcdir)/include/gssrpc/rpc_msg.h \
+  $(top_srcdir)/include/gssrpc/svc.h $(top_srcdir)/include/gssrpc/svc_auth.h \
+  $(top_srcdir)/include/gssrpc/xdr.h $(top_srcdir)/include/k5-platform.h \
+  $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/kdb.h \
+  $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/plugin.h \
+  $(top_srcdir)/include/krb5/pwqual_plugin.h main.c
diff --git a/src/plugins/pwqual/test/main.c b/src/plugins/pwqual/test/main.c
new file mode 100644
index 0000000..b05048b
--- /dev/null
+++ b/src/plugins/pwqual/test/main.c
@@ -0,0 +1,219 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* plugins/pwqual/test/main.c - test module for password quality interface */
+/*
+ * Copyright (C) 2010,2013 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright
+ *   notice, this list of conditions and the following disclaimer in
+ *   the documentation and/or other materials provided with the
+ *   distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * This file implements a module named "combo" which tests whether a password
+ * matches a pair of words in the dictionary.  It also implements several dummy
+ * modules named "dyn1", "dyn2", and "dyn3" which are used for ordering tests.
+ */
+
+#include <k5-platform.h>
+#include <krb5/pwqual_plugin.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <unistd.h>
+
+typedef struct combo_moddata_st {
+    const char **word_list;     /* list of word pointers */
+    char *word_block;           /* actual word data */
+} *combo_moddata;
+
+static krb5_error_code
+init_dict(combo_moddata dict, const char *dict_file)
+{
+    int fd;
+    size_t count, len, i;
+    char *p, *t;
+    struct stat sb;
+
+    /* Read the dictionary file into memory in one blob. */
+    if (dict_file == NULL)
+        return 0;
+    fd = open(dict_file, O_RDONLY);
+    if (fd == -1)
+        return (errno == ENOENT) ? 0 : errno;
+    if (fstat(fd, &sb) == -1) {
+        close(fd);
+        return errno;
+    }
+    dict->word_block = malloc(sb.st_size + 1);
+    if (dict->word_block == NULL)
+        return ENOMEM;
+    if (read(fd, dict->word_block, sb.st_size) != sb.st_size)
+        return errno;
+    close(fd);
+    dict->word_block[sb.st_size] = '\0';
+
+    /* Decompose the blob into newline-separated words. */
+    p = dict->word_block;
+    len = sb.st_size;
+    while (len > 0 && (t = memchr(p, '\n', len)) != NULL) {
+        *t = '\0';
+        len -= t - p + 1;
+        p = t + 1;
+        count++;
+    }
+    dict->word_list = calloc(count + 1, sizeof(char *));
+    if (dict->word_list == NULL)
+        return ENOMEM;
+    p = dict->word_block;
+    for (i = 0; i < count; i++) {
+        dict->word_list[i] = p;
+        p += strlen(p) + 1;
+    }
+    return 0;
+}
+
+static void
+destroy_dict(combo_moddata dict)
+{
+    if (dict == NULL)
+        return;
+    free(dict->word_list);
+    free(dict->word_block);
+    free(dict);
+}
+
+static krb5_error_code
+combo_open(krb5_context context, const char *dict_file,
+           krb5_pwqual_moddata *data)
+{
+    krb5_error_code ret;
+    combo_moddata dict;
+
+    *data = NULL;
+
+    /* Allocate and initialize a dictionary structure. */
+    dict = malloc(sizeof(*dict));
+    if (dict == NULL)
+        return ENOMEM;
+    dict->word_list = NULL;
+    dict->word_block = NULL;
+
+    /* Fill in the dictionary structure with data from dict_file. */
+    ret = init_dict(dict, dict_file);
+    if (ret != 0) {
+        destroy_dict(dict);
+        return ret;
+    }
+
+    *data = (krb5_pwqual_moddata)dict;
+    return 0;
+}
+
+static krb5_error_code
+combo_check(krb5_context context, krb5_pwqual_moddata data,
+            const char *password, const char *policy_name,
+            krb5_principal princ, const char **languages)
+{
+    combo_moddata dict = (combo_moddata)data;
+    const char *remainder, **word1, **word2;
+
+    if (dict->word_list == NULL)
+        return 0;
+
+    for (word1 = dict->word_list; *word1 != NULL; word1++) {
+        if (strncasecmp(password, *word1, strlen(*word1)) != 0)
+            continue;
+        remainder = password + strlen(*word1);
+        for (word2 = dict->word_list; *word2 != NULL; word2++) {
+            if (strcasecmp(remainder, *word2) == 0) {
+                krb5_set_error_message(context, KADM5_PASS_Q_DICT,
+                                       "Password may not be a pair of "
+                                       "dictionary words");
+                return KADM5_PASS_Q_DICT;
+            }
+        }
+    }
+
+    return 0;
+}
+
+static void
+combo_close(krb5_context context, krb5_pwqual_moddata data)
+{
+    destroy_dict((combo_moddata)data);
+}
+
+krb5_error_code
+pwqual_combo_initvt(krb5_context context, int maj_ver, int min_ver,
+                    krb5_plugin_vtable vtable);
+krb5_error_code
+pwqual_dyn1_initvt(krb5_context context, int maj_ver, int min_ver,
+                   krb5_plugin_vtable vtable);
+krb5_error_code
+pwqual_dyn2_initvt(krb5_context context, int maj_ver, int min_ver,
+                   krb5_plugin_vtable vtable);
+krb5_error_code
+pwqual_dyn3_initvt(krb5_context context, int maj_ver, int min_ver,
+                   krb5_plugin_vtable vtable);
+
+krb5_error_code
+pwqual_combo_initvt(krb5_context context, int maj_ver, int min_ver,
+                    krb5_plugin_vtable vtable)
+{
+    krb5_pwqual_vtable vt;
+
+    if (maj_ver != 1)
+        return KRB5_PLUGIN_VER_NOTSUPP;
+    vt = (krb5_pwqual_vtable)vtable;
+    vt->name = "combo";
+    vt->open = combo_open;
+    vt->check = combo_check;
+    vt->close = combo_close;
+    return 0;
+}
+
+krb5_error_code
+pwqual_dyn1_initvt(krb5_context context, int maj_ver, int min_ver,
+                   krb5_plugin_vtable vtable)
+{
+    ((krb5_pwqual_vtable)vtable)->name = "dyn1";
+    return 0;
+}
+
+krb5_error_code
+pwqual_dyn2_initvt(krb5_context context, int maj_ver, int min_ver,
+                   krb5_plugin_vtable vtable)
+{
+    ((krb5_pwqual_vtable)vtable)->name = "dyn2";
+    return 0;
+}
+
+krb5_error_code
+pwqual_dyn3_initvt(krb5_context context, int maj_ver, int min_ver,
+                   krb5_plugin_vtable vtable)
+{
+    ((krb5_pwqual_vtable)vtable)->name = "dyn3";
+    return 0;
+}
diff --git a/src/plugins/pwqual/test/pwqual_test.exports b/src/plugins/pwqual/test/pwqual_test.exports
new file mode 100644
index 0000000..8a5638c
--- /dev/null
+++ b/src/plugins/pwqual/test/pwqual_test.exports
@@ -0,0 +1,4 @@
+pwqual_combo_initvt
+pwqual_dyn1_initvt
+pwqual_dyn2_initvt
+pwqual_dyn3_initvt
diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
index 91f312e..c5536c3 100644
--- a/src/tests/Makefile.in
+++ b/src/tests/Makefile.in
@@ -5,8 +5,8 @@ SUBDIRS = resolve asn.1 create hammer verify gssapi dejagnu shlib \
 
 RUN_SETUP = @KRB5_RUN_ENV@ KRB5_KDC_PROFILE=kdc.conf KRB5_CONFIG=krb5.conf
 
-OBJS= gcred.o hist.o kdbtest.o t_init_creds.o t_localauth.o
-EXTRADEPSRCS= gcred.c hist.c kdbtest.c t_init_creds.c t_localauth.c
+OBJS= gcred.o hist.o kdbtest.o plugorder.o t_init_creds.o t_localauth.o
+EXTRADEPSRCS= gcred.c hist.c kdbtest.c plugorder.c t_init_creds.c t_localauth.c
 
 TEST_DB = ./testdb
 TEST_REALM = FOO.TEST.REALM
@@ -28,6 +28,9 @@ kdbtest: kdbtest.o $(KDB5_DEPLIBS) $(KADMSRV_DEPLIBS) $(KRB5_BASE_DEPLIBS)
 	$(CC_LINK) -o $@ kdbtest.o $(KDB5_LIBS) $(KADMSRV_LIBS) \
 		$(KRB5_BASE_LIBS)
 
+plugorder: plugorder.o $(KRB5_BASE_DEPLIBS)
+	$(CC_LINK) -o $@ plugorder.o $(KRB5_BASE_LIBS)
+
 t_init_creds: t_init_creds.o $(KRB5_BASE_DEPLIBS)
 	$(CC_LINK) -o $@ t_init_creds.o $(KRB5_BASE_LIBS)
 
@@ -76,7 +79,7 @@ kdb_check: kdc.conf krb5.conf
 	$(RUN_SETUP) $(VALGRIND) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) destroy -f
 	$(RM) $(TEST_DB)* stash_file
 
-check-pytests:: gcred hist kdbtest t_init_creds t_localauth
+check-pytests:: gcred hist kdbtest plugorder t_init_creds t_localauth
 	$(RUNPYTEST) $(srcdir)/t_general.py $(PYTESTFLAGS)
 	$(RUNPYTEST) $(srcdir)/t_dump.py $(PYTESTFLAGS)
 	$(RUNPYTEST) $(srcdir)/t_iprop.py $(PYTESTFLAGS)
@@ -86,6 +89,7 @@ check-pytests:: gcred hist kdbtest t_init_creds t_localauth
 	$(RUNPYTEST) $(srcdir)/t_policy.py $(PYTESTFLAGS)
 	$(RUNPYTEST) $(srcdir)/t_localauth.py $(PYTESTFLAGS)
 	$(RUNPYTEST) $(srcdir)/t_kadm5_hook.py $(PYTESTFLAGS)
+	$(RUNPYTEST) $(srcdir)/t_pwqual.py $(PYTESTFLAGS)
 	$(RUNPYTEST) $(srcdir)/t_kdb_locking.py $(PYTESTFLAGS)
 	$(RUNPYTEST) $(srcdir)/t_keyrollover.py $(PYTESTFLAGS)
 	$(RUNPYTEST) $(srcdir)/t_renew.py $(PYTESTFLAGS)
@@ -104,5 +108,6 @@ check-pytests:: gcred hist kdbtest t_init_creds t_localauth
 	$(RUNPYTEST) $(srcdir)/t_cve-2013-1416.py $(PYTESTFLAGS)
 
 clean::
-	$(RM) gcred hist kdbtest krb5.conf kdc.conf t_init_creds t_localauth
+	$(RM) gcred hist kdbtest plugorder t_init_creds t_localauth
+	$(RM) krb5.conf kdc.conf
 	$(RM) -rf kdc_realm/sandbox ldap
diff --git a/src/tests/deps b/src/tests/deps
index b50d0df..50e1e7b 100644
--- a/src/tests/deps
+++ b/src/tests/deps
@@ -40,6 +40,25 @@ $(OUTPRE)kdbtest.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \
   $(top_srcdir)/include/gssrpc/svc.h $(top_srcdir)/include/gssrpc/svc_auth.h \
   $(top_srcdir)/include/gssrpc/xdr.h $(top_srcdir)/include/kdb.h \
   $(top_srcdir)/include/krb5.h kdbtest.c
+$(OUTPRE)plugorder.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+  $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
+  $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
+  $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/krb5/krb5.h \
+  $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
+  $(COM_ERR_DEPS) $(top_srcdir)/include/gssrpc/auth.h \
+  $(top_srcdir)/include/gssrpc/auth_gss.h $(top_srcdir)/include/gssrpc/auth_unix.h \
+  $(top_srcdir)/include/gssrpc/clnt.h $(top_srcdir)/include/gssrpc/rename.h \
+  $(top_srcdir)/include/gssrpc/rpc.h $(top_srcdir)/include/gssrpc/rpc_msg.h \
+  $(top_srcdir)/include/gssrpc/svc.h $(top_srcdir)/include/gssrpc/svc_auth.h \
+  $(top_srcdir)/include/gssrpc/xdr.h $(top_srcdir)/include/k5-buf.h \
+  $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
+  $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
+  $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
+  $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
+  $(top_srcdir)/include/kdb.h $(top_srcdir)/include/krb5.h \
+  $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \
+  $(top_srcdir)/include/krb5/pwqual_plugin.h $(top_srcdir)/include/port-sockets.h \
+  $(top_srcdir)/include/socket-utils.h plugorder.c
 $(OUTPRE)t_init_creds.$(OBJEXT): $(BUILDTOP)/include/krb5/krb5.h \
   $(COM_ERR_DEPS) $(top_srcdir)/include/krb5.h t_init_creds.c
 $(OUTPRE)t_localauth.$(OBJEXT): $(BUILDTOP)/include/krb5/krb5.h \
diff --git a/src/tests/plugorder.c b/src/tests/plugorder.c
new file mode 100644
index 0000000..e13d210
--- /dev/null
+++ b/src/tests/plugorder.c
@@ -0,0 +1,95 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* tests/plugorder.c - Test harness to display the order of loaded plugins */
+/*
+ * Copyright (C) 2013 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright
+ *   notice, this list of conditions and the following disclaimer in
+ *   the documentation and/or other materials provided with the
+ *   distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * This file registers a few dummy built-in pwqual modules, then prints out the
+ * order of pwqual modules returned by k5_plugin_load_all.  The choice of the
+ * pwqual interface is mostly arbitrary; it is an interface which libkrb5
+ * itself doesn't use, for which we have a test module.
+ */
+
+#include "k5-int.h"
+#include <krb5/pwqual_plugin.h>
+
+static krb5_context ctx;
+
+static void
+check(krb5_error_code code)
+{
+    const char *errmsg;
+
+    if (code) {
+        errmsg = krb5_get_error_message(ctx, code);
+        fprintf(stderr, "%s\n", errmsg);
+        krb5_free_error_message(ctx, errmsg);
+        exit(1);
+    }
+}
+
+static krb5_error_code
+blt1(krb5_context context, int maj_ver, int min_ver, krb5_plugin_vtable vtable)
+{
+    ((krb5_pwqual_vtable)vtable)->name = "blt1";
+    return 0;
+}
+
+static krb5_error_code
+blt2(krb5_context context, int maj_ver, int min_ver, krb5_plugin_vtable vtable)
+{
+    ((krb5_pwqual_vtable)vtable)->name = "blt2";
+    return 0;
+}
+
+static krb5_error_code
+blt3(krb5_context context, int maj_ver, int min_ver, krb5_plugin_vtable vtable)
+{
+    ((krb5_pwqual_vtable)vtable)->name = "blt3";
+    return 0;
+}
+
+int
+main()
+{
+    krb5_plugin_initvt_fn *modules = NULL, *mod;
+    struct krb5_pwqual_vtable_st vt;
+
+    check(krb5_init_context(&ctx));
+    check(k5_plugin_register(ctx, PLUGIN_INTERFACE_PWQUAL, "blt1", blt1));
+    check(k5_plugin_register(ctx, PLUGIN_INTERFACE_PWQUAL, "blt2", blt2));
+    check(k5_plugin_register(ctx, PLUGIN_INTERFACE_PWQUAL, "blt3", blt3));
+    check(k5_plugin_load_all(ctx, PLUGIN_INTERFACE_PWQUAL, &modules));
+    for (mod = modules; *mod != NULL; mod++) {
+        check((*mod)(ctx, 1, 1, (krb5_plugin_vtable)&vt));
+        printf("%s\n", vt.name);
+    }
+    return 0;
+}
diff --git a/src/tests/t_pwqual.py b/src/tests/t_pwqual.py
new file mode 100644
index 0000000..b3a1698
--- /dev/null
+++ b/src/tests/t_pwqual.py
@@ -0,0 +1,81 @@
+#!/usr/bin/python
+from k5test import *
+
+plugin = os.path.join(buildtop, "plugins", "pwqual", "test", "pwqual_test.so")
+
+dictfile = os.path.join(os.getcwd(), 'testdir', 'dict')
+
+pconf = {'plugins': {'pwqual': {'module': 'combo:' + plugin}}}
+dconf = {'realms': {'$realm': {'dict_file': dictfile}}}
+realm = K5Realm(krb5_conf=pconf, kdc_conf=dconf, create_user=False,
+                create_host=False)
+
+# Write a short dictionary file.
+f = open(dictfile, 'w')
+f.write('birds\nbees\napples\noranges\n')
+f.close()
+
+realm.run_kadminl('addpol pol')
+
+# The built-in "empty" module rejects empty passwords even without a policy.
+out = realm.run_kadminl('addprinc -pw "" p1')
+if 'Empty passwords are not allowed' not in out:
+    fail('Expected error not seen for empty password')
+
+# The built-in "dict" module rejects dictionary words, but only with a policy.
+out = realm.run_kadminl('addprinc -pw birds p2')
+if 'created.' not in out:
+    fail('Unexpected failure from dictionary password without policy')
+out = realm.run_kadminl('addprinc -pw birds -policy pol p3')
+if 'Password is in the password dictionary' not in out:
+    fail('Expected error not seen from dictionary password')
+
+# The built-in "princ" module rejects principal components, only with a policy.
+out = realm.run_kadminl('addprinc -pw p4 p4')
+if 'created.' not in out:
+    fail('Unexpected failure from principal component without policy')
+out = realm.run_kadminl('addprinc -pw p5 -policy pol p5')
+if 'Password may not match principal name' not in out:
+    fail('Expected error not seen from principal component')
+
+# The dynamic "combo" module rejects pairs of dictionary words.
+out = realm.run_kadminl('addprinc -pw birdsoranges p6')
+if 'Password may not be a pair of dictionary words' not in out:
+    fail('Expected error not seen from combo module')
+
+# These plugin ordering tests aren't specifically related to the
+# password quality interface, but are convenient to put here.
+
+def test_order(realm, testname, conf, expected):
+    conf = {'plugins': {'pwqual': conf}}
+    env = realm.special_env(testname, False, krb5_conf=conf)
+    out = realm.run(['./plugorder'], env=env)
+    if out.split() != expected:
+        fail('order test: ' + testname)
+
+realm.stop()
+realm = K5Realm(create_kdb=False)
+
+# Check the test harness with no special configuration.
+test_order(realm, 'noconf', {}, ['blt1', 'blt2', 'blt3'])
+
+# Test the basic order: dynamic modules, then built-in modules, each
+# in registration order.
+conf = {'module': ['dyn3:' + plugin, 'dyn1:' + plugin, 'dyn2:' + plugin]}
+test_order(realm, 'basic', conf,
+           ['dyn3', 'dyn1', 'dyn2', 'blt1', 'blt2', 'blt3'])
+
+# Disabling modules should not affect the order of other modules.
+conf['disable'] = ['dyn1', 'blt3']
+test_order(realm, 'disable', conf, ['dyn3', 'dyn2', 'blt1', 'blt2'])
+
+# enable_only should reorder the modules, but can't resurrect disabled
+# modules or create ones from thin air.
+conf['enable_only'] = ['dyn2', 'blt3', 'blt2', 'dyn1', 'dyn3', 'xxx']
+test_order(realm, 'enable_only', conf, ['dyn2', 'blt2', 'dyn3'])
+
+# Duplicate modules should be pruned by preferring earlier entries.
+conf = {'module': ['dyn3:' + plugin, 'dyn1:' + plugin, 'dyn3:' + plugin]}
+test_order(realm, 'duplicate', conf, ['dyn3', 'dyn1', 'blt1', 'blt2', 'blt3'])
+
+success('Password quality interface tests')


More information about the cvs-krb5 mailing list