krb5 commit: Add tests for pwqual modules and plugin ordering
Greg Hudson
ghudson at MIT.EDU
Thu Jun 27 02:01:25 EDT 2013
https://github.com/krb5/krb5/commit/a6debff894e8b24f72675beea9ee4438bd2e8902
commit a6debff894e8b24f72675beea9ee4438bd2e8902
Author: Greg Hudson <ghudson at mit.edu>
Date: Fri Jun 14 15:28:06 2013 -0400
Add tests for pwqual modules and plugin ordering
Create a test module for the pwqual interface, and script to exercise
the built-in and test modules through kadmin.local. Also create a
test harness to display the order of pwqual modules for the current
configuration, and use it to test the plugin module ordering
guarantees.
ticket: 7665
src/Makefile.in | 1 +
src/configure.in | 1 +
src/plugins/pwqual/test/Makefile.in | 21 +++
src/plugins/pwqual/test/deps | 16 ++
src/plugins/pwqual/test/main.c | 219 +++++++++++++++++++++++++++
src/plugins/pwqual/test/pwqual_test.exports | 4 +
src/tests/Makefile.in | 13 +-
src/tests/deps | 19 +++
src/tests/plugorder.c | 95 ++++++++++++
src/tests/t_pwqual.py | 81 ++++++++++
10 files changed, 466 insertions(+), 4 deletions(-)
diff --git a/src/Makefile.in b/src/Makefile.in
index cea7dda..ab8edbd 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -11,6 +11,7 @@ SUBDIRS=util include lib \
@sam2_plugin@ \
plugins/kadm5_hook/test \
plugins/localauth/test \
+ plugins/pwqual/test \
plugins/kdb/db2 \
@ldap_plugin_dir@ \
plugins/preauth/pkinit \
diff --git a/src/configure.in b/src/configure.in
index 4e49046..02955bb 100644
--- a/src/configure.in
+++ b/src/configure.in
@@ -1360,6 +1360,7 @@ dnl ccapi ccapi/lib ccapi/lib/unix ccapi/server ccapi/server/unix ccapi/test
plugins/locate/python
plugins/localauth/test
plugins/kadm5_hook/test
+ plugins/pwqual/test
plugins/kdb/db2
plugins/kdb/db2/libdb2
plugins/kdb/db2/libdb2/hash
diff --git a/src/plugins/pwqual/test/Makefile.in b/src/plugins/pwqual/test/Makefile.in
new file mode 100644
index 0000000..d8717b3
--- /dev/null
+++ b/src/plugins/pwqual/test/Makefile.in
@@ -0,0 +1,21 @@
+mydir=plugins$(S)pwqual$(S)test
+BUILDTOP=$(REL)..$(S)..$(S)..
+
+LIBBASE=pwqual_test
+LIBMAJOR=0
+LIBMINOR=0
+RELDIR=../plugins/pwqual/test
+# Depends on libkrb5
+SHLIB_EXPDEPS= $(KRB5_DEPLIB)
+SHLIB_EXPLIBS= $(KRB5_LIB)
+
+STLIBOBJS=main.o
+
+SRCS= $(srcdir)/main.c
+
+all-unix:: all-libs
+install-unix::
+clean-unix:: clean-libs clean-libobjs
+
+ at libnover_frag@
+ at libobj_frag@
diff --git a/src/plugins/pwqual/test/deps b/src/plugins/pwqual/test/deps
new file mode 100644
index 0000000..85372e0
--- /dev/null
+++ b/src/plugins/pwqual/test/deps
@@ -0,0 +1,16 @@
+#
+# Generated makefile dependencies follow.
+#
+main.so main.po $(OUTPRE)main.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+ $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
+ $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
+ $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/krb5/krb5.h \
+ $(COM_ERR_DEPS) $(top_srcdir)/include/gssrpc/auth.h \
+ $(top_srcdir)/include/gssrpc/auth_gss.h $(top_srcdir)/include/gssrpc/auth_unix.h \
+ $(top_srcdir)/include/gssrpc/clnt.h $(top_srcdir)/include/gssrpc/rename.h \
+ $(top_srcdir)/include/gssrpc/rpc.h $(top_srcdir)/include/gssrpc/rpc_msg.h \
+ $(top_srcdir)/include/gssrpc/svc.h $(top_srcdir)/include/gssrpc/svc_auth.h \
+ $(top_srcdir)/include/gssrpc/xdr.h $(top_srcdir)/include/k5-platform.h \
+ $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/kdb.h \
+ $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/plugin.h \
+ $(top_srcdir)/include/krb5/pwqual_plugin.h main.c
diff --git a/src/plugins/pwqual/test/main.c b/src/plugins/pwqual/test/main.c
new file mode 100644
index 0000000..b05048b
--- /dev/null
+++ b/src/plugins/pwqual/test/main.c
@@ -0,0 +1,219 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* plugins/pwqual/test/main.c - test module for password quality interface */
+/*
+ * Copyright (C) 2010,2013 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * This file implements a module named "combo" which tests whether a password
+ * matches a pair of words in the dictionary. It also implements several dummy
+ * modules named "dyn1", "dyn2", and "dyn3" which are used for ordering tests.
+ */
+
+#include <k5-platform.h>
+#include <krb5/pwqual_plugin.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <unistd.h>
+
+typedef struct combo_moddata_st {
+ const char **word_list; /* list of word pointers */
+ char *word_block; /* actual word data */
+} *combo_moddata;
+
+static krb5_error_code
+init_dict(combo_moddata dict, const char *dict_file)
+{
+ int fd;
+ size_t count, len, i;
+ char *p, *t;
+ struct stat sb;
+
+ /* Read the dictionary file into memory in one blob. */
+ if (dict_file == NULL)
+ return 0;
+ fd = open(dict_file, O_RDONLY);
+ if (fd == -1)
+ return (errno == ENOENT) ? 0 : errno;
+ if (fstat(fd, &sb) == -1) {
+ close(fd);
+ return errno;
+ }
+ dict->word_block = malloc(sb.st_size + 1);
+ if (dict->word_block == NULL)
+ return ENOMEM;
+ if (read(fd, dict->word_block, sb.st_size) != sb.st_size)
+ return errno;
+ close(fd);
+ dict->word_block[sb.st_size] = '\0';
+
+ /* Decompose the blob into newline-separated words. */
+ p = dict->word_block;
+ len = sb.st_size;
+ while (len > 0 && (t = memchr(p, '\n', len)) != NULL) {
+ *t = '\0';
+ len -= t - p + 1;
+ p = t + 1;
+ count++;
+ }
+ dict->word_list = calloc(count + 1, sizeof(char *));
+ if (dict->word_list == NULL)
+ return ENOMEM;
+ p = dict->word_block;
+ for (i = 0; i < count; i++) {
+ dict->word_list[i] = p;
+ p += strlen(p) + 1;
+ }
+ return 0;
+}
+
+static void
+destroy_dict(combo_moddata dict)
+{
+ if (dict == NULL)
+ return;
+ free(dict->word_list);
+ free(dict->word_block);
+ free(dict);
+}
+
+static krb5_error_code
+combo_open(krb5_context context, const char *dict_file,
+ krb5_pwqual_moddata *data)
+{
+ krb5_error_code ret;
+ combo_moddata dict;
+
+ *data = NULL;
+
+ /* Allocate and initialize a dictionary structure. */
+ dict = malloc(sizeof(*dict));
+ if (dict == NULL)
+ return ENOMEM;
+ dict->word_list = NULL;
+ dict->word_block = NULL;
+
+ /* Fill in the dictionary structure with data from dict_file. */
+ ret = init_dict(dict, dict_file);
+ if (ret != 0) {
+ destroy_dict(dict);
+ return ret;
+ }
+
+ *data = (krb5_pwqual_moddata)dict;
+ return 0;
+}
+
+static krb5_error_code
+combo_check(krb5_context context, krb5_pwqual_moddata data,
+ const char *password, const char *policy_name,
+ krb5_principal princ, const char **languages)
+{
+ combo_moddata dict = (combo_moddata)data;
+ const char *remainder, **word1, **word2;
+
+ if (dict->word_list == NULL)
+ return 0;
+
+ for (word1 = dict->word_list; *word1 != NULL; word1++) {
+ if (strncasecmp(password, *word1, strlen(*word1)) != 0)
+ continue;
+ remainder = password + strlen(*word1);
+ for (word2 = dict->word_list; *word2 != NULL; word2++) {
+ if (strcasecmp(remainder, *word2) == 0) {
+ krb5_set_error_message(context, KADM5_PASS_Q_DICT,
+ "Password may not be a pair of "
+ "dictionary words");
+ return KADM5_PASS_Q_DICT;
+ }
+ }
+ }
+
+ return 0;
+}
+
+static void
+combo_close(krb5_context context, krb5_pwqual_moddata data)
+{
+ destroy_dict((combo_moddata)data);
+}
+
+krb5_error_code
+pwqual_combo_initvt(krb5_context context, int maj_ver, int min_ver,
+ krb5_plugin_vtable vtable);
+krb5_error_code
+pwqual_dyn1_initvt(krb5_context context, int maj_ver, int min_ver,
+ krb5_plugin_vtable vtable);
+krb5_error_code
+pwqual_dyn2_initvt(krb5_context context, int maj_ver, int min_ver,
+ krb5_plugin_vtable vtable);
+krb5_error_code
+pwqual_dyn3_initvt(krb5_context context, int maj_ver, int min_ver,
+ krb5_plugin_vtable vtable);
+
+krb5_error_code
+pwqual_combo_initvt(krb5_context context, int maj_ver, int min_ver,
+ krb5_plugin_vtable vtable)
+{
+ krb5_pwqual_vtable vt;
+
+ if (maj_ver != 1)
+ return KRB5_PLUGIN_VER_NOTSUPP;
+ vt = (krb5_pwqual_vtable)vtable;
+ vt->name = "combo";
+ vt->open = combo_open;
+ vt->check = combo_check;
+ vt->close = combo_close;
+ return 0;
+}
+
+krb5_error_code
+pwqual_dyn1_initvt(krb5_context context, int maj_ver, int min_ver,
+ krb5_plugin_vtable vtable)
+{
+ ((krb5_pwqual_vtable)vtable)->name = "dyn1";
+ return 0;
+}
+
+krb5_error_code
+pwqual_dyn2_initvt(krb5_context context, int maj_ver, int min_ver,
+ krb5_plugin_vtable vtable)
+{
+ ((krb5_pwqual_vtable)vtable)->name = "dyn2";
+ return 0;
+}
+
+krb5_error_code
+pwqual_dyn3_initvt(krb5_context context, int maj_ver, int min_ver,
+ krb5_plugin_vtable vtable)
+{
+ ((krb5_pwqual_vtable)vtable)->name = "dyn3";
+ return 0;
+}
diff --git a/src/plugins/pwqual/test/pwqual_test.exports b/src/plugins/pwqual/test/pwqual_test.exports
new file mode 100644
index 0000000..8a5638c
--- /dev/null
+++ b/src/plugins/pwqual/test/pwqual_test.exports
@@ -0,0 +1,4 @@
+pwqual_combo_initvt
+pwqual_dyn1_initvt
+pwqual_dyn2_initvt
+pwqual_dyn3_initvt
diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
index 91f312e..c5536c3 100644
--- a/src/tests/Makefile.in
+++ b/src/tests/Makefile.in
@@ -5,8 +5,8 @@ SUBDIRS = resolve asn.1 create hammer verify gssapi dejagnu shlib \
RUN_SETUP = @KRB5_RUN_ENV@ KRB5_KDC_PROFILE=kdc.conf KRB5_CONFIG=krb5.conf
-OBJS= gcred.o hist.o kdbtest.o t_init_creds.o t_localauth.o
-EXTRADEPSRCS= gcred.c hist.c kdbtest.c t_init_creds.c t_localauth.c
+OBJS= gcred.o hist.o kdbtest.o plugorder.o t_init_creds.o t_localauth.o
+EXTRADEPSRCS= gcred.c hist.c kdbtest.c plugorder.c t_init_creds.c t_localauth.c
TEST_DB = ./testdb
TEST_REALM = FOO.TEST.REALM
@@ -28,6 +28,9 @@ kdbtest: kdbtest.o $(KDB5_DEPLIBS) $(KADMSRV_DEPLIBS) $(KRB5_BASE_DEPLIBS)
$(CC_LINK) -o $@ kdbtest.o $(KDB5_LIBS) $(KADMSRV_LIBS) \
$(KRB5_BASE_LIBS)
+plugorder: plugorder.o $(KRB5_BASE_DEPLIBS)
+ $(CC_LINK) -o $@ plugorder.o $(KRB5_BASE_LIBS)
+
t_init_creds: t_init_creds.o $(KRB5_BASE_DEPLIBS)
$(CC_LINK) -o $@ t_init_creds.o $(KRB5_BASE_LIBS)
@@ -76,7 +79,7 @@ kdb_check: kdc.conf krb5.conf
$(RUN_SETUP) $(VALGRIND) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) destroy -f
$(RM) $(TEST_DB)* stash_file
-check-pytests:: gcred hist kdbtest t_init_creds t_localauth
+check-pytests:: gcred hist kdbtest plugorder t_init_creds t_localauth
$(RUNPYTEST) $(srcdir)/t_general.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_dump.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_iprop.py $(PYTESTFLAGS)
@@ -86,6 +89,7 @@ check-pytests:: gcred hist kdbtest t_init_creds t_localauth
$(RUNPYTEST) $(srcdir)/t_policy.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_localauth.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_kadm5_hook.py $(PYTESTFLAGS)
+ $(RUNPYTEST) $(srcdir)/t_pwqual.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_kdb_locking.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_keyrollover.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_renew.py $(PYTESTFLAGS)
@@ -104,5 +108,6 @@ check-pytests:: gcred hist kdbtest t_init_creds t_localauth
$(RUNPYTEST) $(srcdir)/t_cve-2013-1416.py $(PYTESTFLAGS)
clean::
- $(RM) gcred hist kdbtest krb5.conf kdc.conf t_init_creds t_localauth
+ $(RM) gcred hist kdbtest plugorder t_init_creds t_localauth
+ $(RM) krb5.conf kdc.conf
$(RM) -rf kdc_realm/sandbox ldap
diff --git a/src/tests/deps b/src/tests/deps
index b50d0df..50e1e7b 100644
--- a/src/tests/deps
+++ b/src/tests/deps
@@ -40,6 +40,25 @@ $(OUTPRE)kdbtest.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \
$(top_srcdir)/include/gssrpc/svc.h $(top_srcdir)/include/gssrpc/svc_auth.h \
$(top_srcdir)/include/gssrpc/xdr.h $(top_srcdir)/include/kdb.h \
$(top_srcdir)/include/krb5.h kdbtest.c
+$(OUTPRE)plugorder.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+ $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
+ $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
+ $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/krb5/krb5.h \
+ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
+ $(COM_ERR_DEPS) $(top_srcdir)/include/gssrpc/auth.h \
+ $(top_srcdir)/include/gssrpc/auth_gss.h $(top_srcdir)/include/gssrpc/auth_unix.h \
+ $(top_srcdir)/include/gssrpc/clnt.h $(top_srcdir)/include/gssrpc/rename.h \
+ $(top_srcdir)/include/gssrpc/rpc.h $(top_srcdir)/include/gssrpc/rpc_msg.h \
+ $(top_srcdir)/include/gssrpc/svc.h $(top_srcdir)/include/gssrpc/svc_auth.h \
+ $(top_srcdir)/include/gssrpc/xdr.h $(top_srcdir)/include/k5-buf.h \
+ $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
+ $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
+ $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
+ $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
+ $(top_srcdir)/include/kdb.h $(top_srcdir)/include/krb5.h \
+ $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \
+ $(top_srcdir)/include/krb5/pwqual_plugin.h $(top_srcdir)/include/port-sockets.h \
+ $(top_srcdir)/include/socket-utils.h plugorder.c
$(OUTPRE)t_init_creds.$(OBJEXT): $(BUILDTOP)/include/krb5/krb5.h \
$(COM_ERR_DEPS) $(top_srcdir)/include/krb5.h t_init_creds.c
$(OUTPRE)t_localauth.$(OBJEXT): $(BUILDTOP)/include/krb5/krb5.h \
diff --git a/src/tests/plugorder.c b/src/tests/plugorder.c
new file mode 100644
index 0000000..e13d210
--- /dev/null
+++ b/src/tests/plugorder.c
@@ -0,0 +1,95 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* tests/plugorder.c - Test harness to display the order of loaded plugins */
+/*
+ * Copyright (C) 2013 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * This file registers a few dummy built-in pwqual modules, then prints out the
+ * order of pwqual modules returned by k5_plugin_load_all. The choice of the
+ * pwqual interface is mostly arbitrary; it is an interface which libkrb5
+ * itself doesn't use, for which we have a test module.
+ */
+
+#include "k5-int.h"
+#include <krb5/pwqual_plugin.h>
+
+static krb5_context ctx;
+
+static void
+check(krb5_error_code code)
+{
+ const char *errmsg;
+
+ if (code) {
+ errmsg = krb5_get_error_message(ctx, code);
+ fprintf(stderr, "%s\n", errmsg);
+ krb5_free_error_message(ctx, errmsg);
+ exit(1);
+ }
+}
+
+static krb5_error_code
+blt1(krb5_context context, int maj_ver, int min_ver, krb5_plugin_vtable vtable)
+{
+ ((krb5_pwqual_vtable)vtable)->name = "blt1";
+ return 0;
+}
+
+static krb5_error_code
+blt2(krb5_context context, int maj_ver, int min_ver, krb5_plugin_vtable vtable)
+{
+ ((krb5_pwqual_vtable)vtable)->name = "blt2";
+ return 0;
+}
+
+static krb5_error_code
+blt3(krb5_context context, int maj_ver, int min_ver, krb5_plugin_vtable vtable)
+{
+ ((krb5_pwqual_vtable)vtable)->name = "blt3";
+ return 0;
+}
+
+int
+main()
+{
+ krb5_plugin_initvt_fn *modules = NULL, *mod;
+ struct krb5_pwqual_vtable_st vt;
+
+ check(krb5_init_context(&ctx));
+ check(k5_plugin_register(ctx, PLUGIN_INTERFACE_PWQUAL, "blt1", blt1));
+ check(k5_plugin_register(ctx, PLUGIN_INTERFACE_PWQUAL, "blt2", blt2));
+ check(k5_plugin_register(ctx, PLUGIN_INTERFACE_PWQUAL, "blt3", blt3));
+ check(k5_plugin_load_all(ctx, PLUGIN_INTERFACE_PWQUAL, &modules));
+ for (mod = modules; *mod != NULL; mod++) {
+ check((*mod)(ctx, 1, 1, (krb5_plugin_vtable)&vt));
+ printf("%s\n", vt.name);
+ }
+ return 0;
+}
diff --git a/src/tests/t_pwqual.py b/src/tests/t_pwqual.py
new file mode 100644
index 0000000..b3a1698
--- /dev/null
+++ b/src/tests/t_pwqual.py
@@ -0,0 +1,81 @@
+#!/usr/bin/python
+from k5test import *
+
+plugin = os.path.join(buildtop, "plugins", "pwqual", "test", "pwqual_test.so")
+
+dictfile = os.path.join(os.getcwd(), 'testdir', 'dict')
+
+pconf = {'plugins': {'pwqual': {'module': 'combo:' + plugin}}}
+dconf = {'realms': {'$realm': {'dict_file': dictfile}}}
+realm = K5Realm(krb5_conf=pconf, kdc_conf=dconf, create_user=False,
+ create_host=False)
+
+# Write a short dictionary file.
+f = open(dictfile, 'w')
+f.write('birds\nbees\napples\noranges\n')
+f.close()
+
+realm.run_kadminl('addpol pol')
+
+# The built-in "empty" module rejects empty passwords even without a policy.
+out = realm.run_kadminl('addprinc -pw "" p1')
+if 'Empty passwords are not allowed' not in out:
+ fail('Expected error not seen for empty password')
+
+# The built-in "dict" module rejects dictionary words, but only with a policy.
+out = realm.run_kadminl('addprinc -pw birds p2')
+if 'created.' not in out:
+ fail('Unexpected failure from dictionary password without policy')
+out = realm.run_kadminl('addprinc -pw birds -policy pol p3')
+if 'Password is in the password dictionary' not in out:
+ fail('Expected error not seen from dictionary password')
+
+# The built-in "princ" module rejects principal components, only with a policy.
+out = realm.run_kadminl('addprinc -pw p4 p4')
+if 'created.' not in out:
+ fail('Unexpected failure from principal component without policy')
+out = realm.run_kadminl('addprinc -pw p5 -policy pol p5')
+if 'Password may not match principal name' not in out:
+ fail('Expected error not seen from principal component')
+
+# The dynamic "combo" module rejects pairs of dictionary words.
+out = realm.run_kadminl('addprinc -pw birdsoranges p6')
+if 'Password may not be a pair of dictionary words' not in out:
+ fail('Expected error not seen from combo module')
+
+# These plugin ordering tests aren't specifically related to the
+# password quality interface, but are convenient to put here.
+
+def test_order(realm, testname, conf, expected):
+ conf = {'plugins': {'pwqual': conf}}
+ env = realm.special_env(testname, False, krb5_conf=conf)
+ out = realm.run(['./plugorder'], env=env)
+ if out.split() != expected:
+ fail('order test: ' + testname)
+
+realm.stop()
+realm = K5Realm(create_kdb=False)
+
+# Check the test harness with no special configuration.
+test_order(realm, 'noconf', {}, ['blt1', 'blt2', 'blt3'])
+
+# Test the basic order: dynamic modules, then built-in modules, each
+# in registration order.
+conf = {'module': ['dyn3:' + plugin, 'dyn1:' + plugin, 'dyn2:' + plugin]}
+test_order(realm, 'basic', conf,
+ ['dyn3', 'dyn1', 'dyn2', 'blt1', 'blt2', 'blt3'])
+
+# Disabling modules should not affect the order of other modules.
+conf['disable'] = ['dyn1', 'blt3']
+test_order(realm, 'disable', conf, ['dyn3', 'dyn2', 'blt1', 'blt2'])
+
+# enable_only should reorder the modules, but can't resurrect disabled
+# modules or create ones from thin air.
+conf['enable_only'] = ['dyn2', 'blt3', 'blt2', 'dyn1', 'dyn3', 'xxx']
+test_order(realm, 'enable_only', conf, ['dyn2', 'blt2', 'dyn3'])
+
+# Duplicate modules should be pruned by preferring earlier entries.
+conf = {'module': ['dyn3:' + plugin, 'dyn1:' + plugin, 'dyn3:' + plugin]}
+test_order(realm, 'duplicate', conf, ['dyn3', 'dyn1', 'blt1', 'blt2', 'blt3'])
+
+success('Password quality interface tests')
More information about the cvs-krb5
mailing list