mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-23 23:50:03 -06:00
46d0096218
- with all policies disabled passwords are not evaluated - the pwpolicy minimum overrides the existing IPA minimum - max character repeats - max character sequences (12345) - palindrome - dictionary check - user name in the password check https://pagure.io/freeipa/issue/6964 https://pagure.io/freeipa/issue/5948 https://pagure.io/freeipa/issue/2445 https://pagure.io/freeipa/issue/298 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com>
95 lines
4.0 KiB
C
95 lines
4.0 KiB
C
/*
|
|
* Copyright (C) 2020 FreeIPA Contributors see COPYING for license
|
|
*/
|
|
#ifndef _GNU_SOURCE
|
|
#define _GNU_SOURCE
|
|
#endif
|
|
|
|
#include <assert.h>
|
|
#include <stdio.h>
|
|
#include <string.h>
|
|
#include <stdlib.h>
|
|
|
|
#include "ipa_pwd.h"
|
|
|
|
static void
|
|
set_policy(struct ipapwd_policy *policy,
|
|
int min_pwd_length, int min_diff_chars, int max_repeat,
|
|
int max_sequence, int max_class_repeat, int dict_check,
|
|
int user_check)
|
|
|
|
{
|
|
/* defaults for things we aren't testing */
|
|
policy->min_pwd_life = 0;
|
|
policy->max_pwd_life = 0;
|
|
policy->history_length = 0;
|
|
|
|
/* Note: min password length in libpwqualty is hardcoded at 6 */
|
|
policy->min_pwd_length = min_pwd_length;
|
|
policy->min_complexity = min_diff_chars;
|
|
policy->max_repeat = max_repeat;
|
|
policy->max_sequence = max_sequence;
|
|
policy->max_classrepeat = max_class_repeat;
|
|
policy->dictcheck = dict_check;
|
|
policy->usercheck = user_check;
|
|
}
|
|
|
|
int main(int argc, const char *argv[]) {
|
|
(void) argc;
|
|
(void) argv;
|
|
|
|
struct ipapwd_policy policy = {0};
|
|
|
|
/* No policy applied */
|
|
set_policy(&policy, 0, 0, 0, 0, 0, 0, 0);
|
|
assert(ipapwd_check_policy(&policy, "Secret123", NULL, 0, 0, 0, 0, NULL) == IPAPWD_POLICY_OK);
|
|
assert(ipapwd_check_policy(&policy, "password", NULL, 0, 0, 0, 0, NULL) == IPAPWD_POLICY_OK);
|
|
assert(ipapwd_check_policy(&policy, "abcddcba", NULL, 0, 0, 0, 0, NULL) == IPAPWD_POLICY_OK);
|
|
|
|
/* Check that with no policy the IPA minimum is in force */
|
|
assert(ipapwd_check_policy(&policy, "abc", NULL, 3, 0, 0, 0, NULL) == IPAPWD_POLICY_OK);
|
|
|
|
/* Max repeats of 1 */
|
|
set_policy(&policy, 0, 0, 1, 0, 0, 0, 0);
|
|
assert(ipapwd_check_policy(&policy, "password", NULL, 0, 0, 0, 0, NULL) == IPAPWD_POLICY_PWD_CONSECUTIVE);
|
|
assert(ipapwd_check_policy(&policy, "Assembly", NULL, 0, 0, 0, 0, NULL) == IPAPWD_POLICY_PWD_CONSECUTIVE);
|
|
|
|
/* Minimum length lower than libpwquality allows (6) */
|
|
assert(ipapwd_check_policy(&policy, "abc", NULL, 3, 0, 0, 0, NULL) == IPAPWD_POLICY_PWD_TOO_SHORT);
|
|
|
|
/* Max repeats of 2 */
|
|
set_policy(&policy, 0, 0, 2, 0, 0, 0, 0);
|
|
assert(ipapwd_check_policy(&policy, "password", NULL, 0, 0, 0, 0, NULL) == IPAPWD_POLICY_OK);
|
|
assert(ipapwd_check_policy(&policy, "Assembly", NULL, 0, 0, 0, 0, NULL) == IPAPWD_POLICY_OK);
|
|
assert(ipapwd_check_policy(&policy, "permisssive", NULL, 0, 0, 0, 0, NULL) == IPAPWD_POLICY_PWD_CONSECUTIVE);
|
|
|
|
/* Max sequence of 1 */
|
|
set_policy(&policy, 0, 0, 0, 1, 0, 0, 0);
|
|
assert(ipapwd_check_policy(&policy, "abacab", NULL, 0, 0, 0, 0, NULL) == IPAPWD_POLICY_PWD_SEQUENCE);
|
|
assert(ipapwd_check_policy(&policy, "AbacAb", NULL, 0, 0, 0, 0, NULL) == IPAPWD_POLICY_PWD_SEQUENCE);
|
|
|
|
/* Max sequence of 2 */
|
|
set_policy(&policy, 0, 0, 0, 2, 0, 0, 0);
|
|
assert(ipapwd_check_policy(&policy, "AbacAb", NULL, 0, 0, 0, 0, NULL) == IPAPWD_POLICY_OK);
|
|
assert(ipapwd_check_policy(&policy, "abacabc", NULL, 0, 0, 0, 0, NULL) == IPAPWD_POLICY_PWD_SEQUENCE);
|
|
|
|
/* Palindrone */
|
|
set_policy(&policy, 0, 0, 0, 0, 0, 0, 0); /* Note there is no policy */
|
|
assert(ipapwd_check_policy(&policy, "password", NULL, 0, 0, 0, 0, NULL) == IPAPWD_POLICY_OK);
|
|
assert(ipapwd_check_policy(&policy, "abccba", NULL, 0, 0, 0, 0, NULL) == IPAPWD_POLICY_OK);
|
|
set_policy(&policy, 0, 0, 3, 0, 0, 0, 0); /* Set anything */
|
|
assert(ipapwd_check_policy(&policy, "abccba", NULL, 0, 0, 0, 0, NULL) == IPAPWD_POLICY_PWD_PALINDROME);
|
|
|
|
/* Dictionary check */
|
|
set_policy(&policy, 0, 0, 0, 0, 0, 1, 0);
|
|
assert(ipapwd_check_policy(&policy, "password", NULL, 0, 0, 0, 0, NULL) == IPAPWD_POLICY_PWD_DICT_WORD);
|
|
assert(ipapwd_check_policy(&policy, "Secret123", NULL, 0, 0, 0, 0, NULL) == IPAPWD_POLICY_PWD_DICT_WORD);
|
|
|
|
/* User check */
|
|
assert(ipapwd_check_policy(&policy, "userPDQ123", "user", 0, 0, 0, 0, NULL) == IPAPWD_POLICY_OK);
|
|
set_policy(&policy, 0, 0, 0, 0, 0, 0, 1);
|
|
assert(ipapwd_check_policy(&policy, "userPDQ123", "user", 0, 0, 0, 0, NULL) == IPAPWD_POLICY_PWD_USER);
|
|
|
|
return 0;
|
|
}
|