Add a unit test for libpwquality-based password policy

- with all policies disabled passwords are not evaluated
- the pwpolicy minimum overrides the existing IPA minimum
- max character repeats
- max character sequences (12345)
- palindrome
- dictionary check
- user name in the password check

https://pagure.io/freeipa/issue/6964
https://pagure.io/freeipa/issue/5948
https://pagure.io/freeipa/issue/2445
https://pagure.io/freeipa/issue/298

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Rob Crittenden 2020-09-24 15:42:45 -04:00
parent c4cca53e88
commit 46d0096218
2 changed files with 95 additions and 0 deletions

1
.gitignore vendored

@ -94,6 +94,7 @@ freeipa2-dev-doc
/po/test_locale/xh_ZA/LC_MESSAGES/ipa.mo
/util/t_pwd
/util/t_policy
/init/ipa_memcached
/init/systemd/ipa-custodia.service

94
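--- a/util/t_policy.c
+++ b/util/t_policy.c
@@ -0,0 +1,94 @@
+/*
+* Copyright (C) 2020 FreeIPA Contributors see COPYING for license
+*/
+#ifndef _GNU_SOURCE
+#define _GNU_SOURCE
+#endif
+#include <assert.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include "ipa_pwd.h"
+static void
+set_policy(struct ipapwd_policy *policy,
+int min_pwd_length, int min_diff_chars, int max_repeat,
+int max_sequence, int max_class_repeat, int dict_check,
+int user_check)
+{
+/* defaults for things we aren't testing */
+policy->min_pwd_life = 0;
+policy->max_pwd_life = 0;
+policy->history_length = 0;
+/* Note: min password length in libpwqualty is hardcoded at 6 */
+policy->min_pwd_length = min_pwd_length;
+policy->min_complexity = min_diff_chars;
+policy->max_repeat = max_repeat;
+policy->max_sequence = max_sequence;
+policy->max_classrepeat = max_class_repeat;
+policy->dictcheck = dict_check;
+policy->usercheck = user_check;
+}
+int main(int argc, const char *argv[]) {
+(void) argc;
+(void) argv;
+struct ipapwd_policy policy = {0};
+/* No policy applied */
+set_policy(&policy, 0, 0, 0, 0, 0, 0, 0);
+assert(ipapwd_check_policy(&policy, "Secret123", NULL, 0, 0, 0, 0, NULL) == IPAPWD_POLICY_OK);
+assert(ipapwd_check_policy(&policy, "password", NULL, 0, 0, 0, 0, NULL) == IPAPWD_POLICY_OK);
+assert(ipapwd_check_policy(&policy, "abcddcba", NULL, 0, 0, 0, 0, NULL) == IPAPWD_POLICY_OK);
+/* Check that with no policy the IPA minimum is in force */
+assert(ipapwd_check_policy(&policy, "abc", NULL, 3, 0, 0, 0, NULL) == IPAPWD_POLICY_OK);
+/* Max repeats of 1 */
+set_policy(&policy, 0, 0, 1, 0, 0, 0, 0);
+assert(ipapwd_check_policy(&policy, "password", NULL, 0, 0, 0, 0, NULL) == IPAPWD_POLICY_PWD_CONSECUTIVE);
+assert(ipapwd_check_policy(&policy, "Assembly", NULL, 0, 0, 0, 0, NULL) == IPAPWD_POLICY_PWD_CONSECUTIVE);
+/* Minimum length lower than libpwquality allows (6) */
+assert(ipapwd_check_policy(&policy, "abc", NULL, 3, 0, 0, 0, NULL) == IPAPWD_POLICY_PWD_TOO_SHORT);
+/* Max repeats of 2 */
+set_policy(&policy, 0, 0, 2, 0, 0, 0, 0);
+assert(ipapwd_check_policy(&policy, "password", NULL, 0, 0, 0, 0, NULL) == IPAPWD_POLICY_OK);
+assert(ipapwd_check_policy(&policy, "Assembly", NULL, 0, 0, 0, 0, NULL) == IPAPWD_POLICY_OK);
+assert(ipapwd_check_policy(&policy, "permisssive", NULL, 0, 0, 0, 0, NULL) == IPAPWD_POLICY_PWD_CONSECUTIVE);
+/* Max sequence of 1 */
+set_policy(&policy, 0, 0, 0, 1, 0, 0, 0);
+assert(ipapwd_check_policy(&policy, "abacab", NULL, 0, 0, 0, 0, NULL) == IPAPWD_POLICY_PWD_SEQUENCE);
+assert(ipapwd_check_policy(&policy, "AbacAb", NULL, 0, 0, 0, 0, NULL) == IPAPWD_POLICY_PWD_SEQUENCE);
+/* Max sequence of 2 */
+set_policy(&policy, 0, 0, 0, 2, 0, 0, 0);
+assert(ipapwd_check_policy(&policy, "AbacAb", NULL, 0, 0, 0, 0, NULL) == IPAPWD_POLICY_OK);
+assert(ipapwd_check_policy(&policy, "abacabc", NULL, 0, 0, 0, 0, NULL) == IPAPWD_POLICY_PWD_SEQUENCE);
+/* Palindrone */
+set_policy(&policy, 0, 0, 0, 0, 0, 0, 0); /* Note there is no policy */
+assert(ipapwd_check_policy(&policy, "password", NULL, 0, 0, 0, 0, NULL) == IPAPWD_POLICY_OK);
+assert(ipapwd_check_policy(&policy, "abccba", NULL, 0, 0, 0, 0, NULL) == IPAPWD_POLICY_OK);
+set_policy(&policy, 0, 0, 3, 0, 0, 0, 0); /* Set anything */
+assert(ipapwd_check_policy(&policy, "abccba", NULL, 0, 0, 0, 0, NULL) == IPAPWD_POLICY_PWD_PALINDROME);
+/* Dictionary check */
+set_policy(&policy, 0, 0, 0, 0, 0, 1, 0);
+assert(ipapwd_check_policy(&policy, "password", NULL, 0, 0, 0, 0, NULL) == IPAPWD_POLICY_PWD_DICT_WORD);
+assert(ipapwd_check_policy(&policy, "Secret123", NULL, 0, 0, 0, 0, NULL) == IPAPWD_POLICY_PWD_DICT_WORD);
+/* User check */
+assert(ipapwd_check_policy(&policy, "userPDQ123", "user", 0, 0, 0, 0, NULL) == IPAPWD_POLICY_OK);
+set_policy(&policy, 0, 0, 0, 0, 0, 0, 1);
+assert(ipapwd_check_policy(&policy, "userPDQ123", "user", 0, 0, 0, 0, NULL) == IPAPWD_POLICY_PWD_USER);
+return 0;
+}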
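Review bot: Every check in main() is a bare `assert()`, so a build that defines NDEBUG compiles all of them out and the test exits 0 without ever calling ipapwd_check_policy(); adding `#undef NDEBUG` directly before `#include <assert.h>` keeps the password-policy checks from being silently disabled. The dictionary-check expectations (`"password"` and `"Secret123"` returning IPAPWD_POLICY_PWD_DICT_WORD) presumably depend on the word list installed on the build host, so a comment such as `/* requires the system cracklib dictionary; results vary with its contents */` would help when the test fails on a minimal builder. The user-check negative case for `"userPDQ123"` still runs with dictcheck set to 1 from the preceding set_policy() call, so calling `set_policy(&policy, 0, 0, 0, 0, 0, 0, 0);` first would isolate the usercheck toggle. The comments also carry two typos, "Palindrone" and "libpwqualty".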