Disabling gracelimit does not prevent LDAP binds

Originally the code treated 0 as disabled. This was changed during the review process to -1 but one remnant was missed effetively allowing gracelimit 0 to also mean disabled. Add explicit tests for testing with gracelimit = 0 and gracelimit = -1. Also remove some extranous "str(self.master.domain.basedn)" lines from some of the tests. Fixes: https://pagure.io/freeipa/issue/9206 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2025-02-25 18:55:28 -06:00 · 2022-07-21 09:28:46 -04:00
parent fc5de8216d
commit 4105fee2cf
2 changed files with 53 additions and 4 deletions
--- a/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
+++ b/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
@@ -479,7 +479,7 @@ static int ipagraceperiod_preop(Slapi_PBlock *pb)
        if (pwresponse_requested) {
            slapi_pwpolicy_make_response_control(pb, -1, grace_limit - grace_user_time , -1);
        }
-    } else if ((grace_limit > 0) && (grace_user_time >= grace_limit)) {
+    } else if (grace_user_time >= grace_limit) {
        LOG_TRACE("%s password is expired and out of grace limit\n", dn);
        errstr = "Password is expired.\n";
        ret = LDAP_INVALID_CREDENTIALS;
--- a/ipatests/test_integration/test_pwpolicy.py
+++ b/ipatests/test_integration/test_pwpolicy.py
@@ -36,7 +36,7 @@ class TestPWPolicy(IntegrationTest):
        cls.master.run_command(['ipa', 'group-add-member', POLICY,
                                '--users', USER])
        cls.master.run_command(['ipa', 'pwpolicy-add', POLICY,
-                                '--priority', '1'])
+                                '--priority', '1', '--gracelimit', '-1'])
        cls.master.run_command(['ipa', 'passwd', USER],
                               stdin_text='{password}\n{password}\n'.format(
                               password=PASSWORD
@@ -265,7 +265,6 @@ class TestPWPolicy(IntegrationTest):

    def test_graceperiod_expired(self):
        """Test the LDAP bind grace period"""
-        str(self.master.domain.basedn)
        dn = "uid={user},cn=users,cn=accounts,{base_dn}".format(
             user=USER, base_dn=str(self.master.domain.basedn))

@@ -308,7 +307,6 @@ class TestPWPolicy(IntegrationTest):

    def test_graceperiod_not_replicated(self):
        """Test that the grace period is reset on password reset"""
-        str(self.master.domain.basedn)
        dn = "uid={user},cn=users,cn=accounts,{base_dn}".format(
             user=USER, base_dn=str(self.master.domain.basedn))

@@ -341,3 +339,54 @@ class TestPWPolicy(IntegrationTest):
        )
        assert 'passwordgraceusertime: 0' in result.stdout_text.lower()
        self.reset_password(self.master)
+
+    def test_graceperiod_zero(self):
+        """Test the LDAP bind with zero grace period"""
+        dn = "uid={user},cn=users,cn=accounts,{base_dn}".format(
+             user=USER, base_dn=str(self.master.domain.basedn))
+
+        self.master.run_command(
+            ["ipa", "pwpolicy-mod", POLICY, "--gracelimit", "0", ],
+        )
+
+        # Resetting the password will mark it as expired
+        self.reset_password(self.master)
+
+        # Now grace is done and binds should fail.
+        result = self.master.run_command(
+            ["ldapsearch", "-e", "ppolicy", "-D", dn,
+             "-w", PASSWORD, "-b", dn], raiseonerr=False
+        )
+        assert result.returncode == 49
+
+        assert 'Password is expired' in result.stderr_text
+        assert 'Password expired, 0 grace logins remain' in result.stderr_text
+
+    def test_graceperiod_disabled(self):
+        """Test the LDAP bind with grace period disabled (-1)"""
+        str(self.master.domain.basedn)
+        dn = "uid={user},cn=users,cn=accounts,{base_dn}".format(
+             user=USER, base_dn=str(self.master.domain.basedn))
+
+        # This can fail if gracelimit is already -1 so ignore it
+        self.master.run_command(
+            ["ipa", "pwpolicy-mod", POLICY, "--gracelimit", "-1",],
+            raiseonerr=False,
+        )
+
+        # Ensure the password is expired
+        self.reset_password(self.master)
+
+        result = self.kinit_as_user(self.master, PASSWORD, PASSWORD)
+
+        for _i in range(0, 10):
+            result = self.master.run_command(
+                ["ldapsearch", "-e", "ppolicy", "-D", dn,
+                 "-w", PASSWORD, "-b", dn]
+            )
+
+        # With graceperiod disabled it should not increment
+        result = tasks.ldapsearch_dm(
+            self.master, dn, ['passwordgraceusertime',],
+        )
+        assert 'passwordgraceusertime: 0' in result.stdout_text.lower()