Add a unit test for libpwquality-based password policy
- with all policies disabled passwords are not evaluated - the pwpolicy minimum overrides the existing IPA minimum - max character repeats - max character sequences (12345) - palindrome - dictionary check - user name in the password check https://pagure.io/freeipa/issue/6964 https://pagure.io/freeipa/issue/5948 https://pagure.io/freeipa/issue/2445 https://pagure.io/freeipa/issue/298 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com>
parent
c4cca53e88
commit
46d0096218
1
.gitignore
vendored
1
.gitignore
vendored
@ -94,6 +94,7 @@ freeipa2-dev-doc
|
||||
/po/test_locale/xh_ZA/LC_MESSAGES/ipa.mo
|
||||
|
||||
/util/t_pwd
|
||||
/util/t_policy
|
||||
|
||||
/init/ipa_memcached
|
||||
/init/systemd/ipa-custodia.service
|
||||
|
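--- a/util/t_policy.c
+++ b/util/t_policy.c
@@ -0,0 +1,94 @@
+/*
+* Copyright (C) 2020 FreeIPA Contributors see COPYING for license
+*/
+#ifndef _GNU_SOURCE
+#define _GNU_SOURCE
+#endif
+
+#include <assert.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+
+#include "ipa_pwd.h"
+
+static void
+set_policy(struct ipapwd_policy *policy,
+int min_pwd_length, int min_diff_chars, int max_repeat,
+int max_sequence, int max_class_repeat, int dict_check,
+int user_check)
+
+{
+/* defaults for things we aren't testing */
+policy->min_pwd_life = 0;
+policy->max_pwd_life = 0;
+policy->history_length = 0;
+
+/* Note: min password length in libpwqualty is hardcoded at 6 */
+policy->min_pwd_length = min_pwd_length;
+policy->min_complexity = min_diff_chars;
+policy->max_repeat = max_repeat;
+policy->max_sequence = max_sequence;
+policy->max_classrepeat = max_class_repeat;
+policy->dictcheck = dict_check;
+policy->usercheck = user_check;
+}
+
+int main(int argc, const char *argv[]) {
+(void) argc;
+(void) argv;
+
+struct ipapwd_policy policy = {0};
+
+/* No policy applied */
+set_policy(&policy, 0, 0, 0, 0, 0, 0, 0);
+assert(ipapwd_check_policy(&policy, "Secret123", NULL, 0, 0, 0, 0, NULL) == IPAPWD_POLICY_OK);
+assert(ipapwd_check_policy(&policy, "password", NULL, 0, 0, 0, 0, NULL) == IPAPWD_POLICY_OK);
+assert(ipapwd_check_policy(&policy, "abcddcba", NULL, 0, 0, 0, 0, NULL) == IPAPWD_POLICY_OK);
+
+/* Check that with no policy the IPA minimum is in force */
+assert(ipapwd_check_policy(&policy, "abc", NULL, 3, 0, 0, 0, NULL) == IPAPWD_POLICY_OK);
+
+/* Max repeats of 1 */
+set_policy(&policy, 0, 0, 1, 0, 0, 0, 0);
+assert(ipapwd_check_policy(&policy, "password", NULL, 0, 0, 0, 0, NULL) == IPAPWD_POLICY_PWD_CONSECUTIVE);
+assert(ipapwd_check_policy(&policy, "Assembly", NULL, 0, 0, 0, 0, NULL) == IPAPWD_POLICY_PWD_CONSECUTIVE);
+
+/* Minimum length lower than libpwquality allows (6) */
+assert(ipapwd_check_policy(&policy, "abc", NULL, 3, 0, 0, 0, NULL) == IPAPWD_POLICY_PWD_TOO_SHORT);
+
+/* Max repeats of 2 */
+set_policy(&policy, 0, 0, 2, 0, 0, 0, 0);
+assert(ipapwd_check_policy(&policy, "password", NULL, 0, 0, 0, 0, NULL) == IPAPWD_POLICY_OK);
+assert(ipapwd_check_policy(&policy, "Assembly", NULL, 0, 0, 0, 0, NULL) == IPAPWD_POLICY_OK);
+assert(ipapwd_check_policy(&policy, "permisssive", NULL, 0, 0, 0, 0, NULL) == IPAPWD_POLICY_PWD_CONSECUTIVE);
+
+/* Max sequence of 1 */
+set_policy(&policy, 0, 0, 0, 1, 0, 0, 0);
+assert(ipapwd_check_policy(&policy, "abacab", NULL, 0, 0, 0, 0, NULL) == IPAPWD_POLICY_PWD_SEQUENCE);
+assert(ipapwd_check_policy(&policy, "AbacAb", NULL, 0, 0, 0, 0, NULL) == IPAPWD_POLICY_PWD_SEQUENCE);
+
+/* Max sequence of 2 */
+set_policy(&policy, 0, 0, 0, 2, 0, 0, 0);
+assert(ipapwd_check_policy(&policy, "AbacAb", NULL, 0, 0, 0, 0, NULL) == IPAPWD_POLICY_OK);
+assert(ipapwd_check_policy(&policy, "abacabc", NULL, 0, 0, 0, 0, NULL) == IPAPWD_POLICY_PWD_SEQUENCE);
+
+/* Palindrone */
+set_policy(&policy, 0, 0, 0, 0, 0, 0, 0); /* Note there is no policy */
+assert(ipapwd_check_policy(&policy, "password", NULL, 0, 0, 0, 0, NULL) == IPAPWD_POLICY_OK);
+assert(ipapwd_check_policy(&policy, "abccba", NULL, 0, 0, 0, 0, NULL) == IPAPWD_POLICY_OK);
+set_policy(&policy, 0, 0, 3, 0, 0, 0, 0); /* Set anything */
+assert(ipapwd_check_policy(&policy, "abccba", NULL, 0, 0, 0, 0, NULL) == IPAPWD_POLICY_PWD_PALINDROME);
+
+/* Dictionary check */
+set_policy(&policy, 0, 0, 0, 0, 0, 1, 0);
+assert(ipapwd_check_policy(&policy, "password", NULL, 0, 0, 0, 0, NULL) == IPAPWD_POLICY_PWD_DICT_WORD);
+assert(ipapwd_check_policy(&policy, "Secret123", NULL, 0, 0, 0, 0, NULL) == IPAPWD_POLICY_PWD_DICT_WORD);
+
+/* User check */
+assert(ipapwd_check_policy(&policy, "userPDQ123", "user", 0, 0, 0, 0, NULL) == IPAPWD_POLICY_OK);
+set_policy(&policy, 0, 0, 0, 0, 0, 0, 1);
+assert(ipapwd_check_policy(&policy, "userPDQ123", "user", 0, 0, 0, 0, NULL) == IPAPWD_POLICY_PWD_USER);
+
+return 0;
+}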
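Review bot: Every check in main() is a bare assert(), so a build that defines NDEBUG compiles all of them out and this password-policy test passes without evaluating a single password; adding `#undef NDEBUG` immediately before `#include <assert.h>` keeps the checks live whatever the build flags are. The first "User check" assertion runs with dict_check still set to 1 from the preceding block, so its IPAPWD_POLICY_OK result appears to depend on the dictionary installed on the build host rather than on usercheck being off; resetting first with something like `set_policy(&policy, 0, 0, 3, 0, 0, 0, 0);` (the same "set anything" approach the palindrome case uses) would isolate it. set_policy() is never called with a non-zero min_pwd_length, min_diff_chars or max_class_repeat, so the "pwpolicy minimum overrides the existing IPA minimum" case from the commit message and the complexity and class-repeat limits have no assertion here. The two "abc" cases pass 3 as the fourth argument of ipapwd_check_policy(), whose meaning is not visible on this page, so a short comment such as `/* 4th arg: <what 3 means here> */` would help readers confirm the minimum-length intent.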