selftest: add check password script test

Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

4 files changed, 104 insertions, 1 deletions

diff --git a/python/samba/tests/samba_tool/user_check_password_script.py b/python/samba/tests/samba_tool/user_check_password_script.py
new file mode 100644
index 00000000000..5d4fbaec233
--- /dev/null
+++ b/python/samba/tests/samba_tool/user_check_password_script.py
@@ -0,0 +1,97 @@
+# Unix SMB/CIFS implementation.
+# Copyright (C) Sean Dague <sdague@linux.vnet.ibm.com> 2011
+# Copyright (C) Andrew Bartlett <abartlet@samba.org> 2016
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+import os
+import time
+import ldb
+from samba.tests.samba_tool.base import SambaToolCmdTest
+from samba import (
+        nttime2unix,
+        dsdb
+        )
+
+class UserCheckPwdTestCase(SambaToolCmdTest):
+    """Tests for samba-tool user subcommands"""
+    users = []
+    samdb = None
+
+    def setUp(self):
+        super(UserCheckPwdTestCase, self).setUp()
+        self.samdb = self.getSamDB("-H", "ldap://%s" % os.environ["DC_SERVER"],
+            "-U%s%%%s" % (os.environ["DC_USERNAME"], os.environ["DC_PASSWORD"]))
+        self.old_min_pwd_age = self.samdb.get_minPwdAge()
+        self.samdb.set_minPwdAge("0")
+
+    def tearDown(self):
+        super(UserCheckPwdTestCase, self).tearDown()
+        self.samdb.set_minPwdAge(self.old_min_pwd_age)
+
+    def test_checkpassword(self):
+        # Add
+        user = self._randomUser()
+        bad_password = os.environ["UNACCEPTABLE_PASSWORD"]
+        good_password = bad_password[:-1]
+
+        (result, out, err) = self.runsubcmd("user", "add", user["name"], bad_password,
+                                            "-H", "ldap://%s" % os.environ["DC_SERVER"],
+                                            "-U%s%%%s" % (os.environ["DC_USERNAME"], os.environ["DC_PASSWORD"]))
+        self.assertCmdFail(result, "Should fail adding a user with bad password.")
+        (result, out, err) = self.runsubcmd("user", "delete", user["name"],
+                                            "-H", "ldap://%s" % os.environ["DC_SERVER"],
+                                            "-U%s%%%s" % (os.environ["DC_USERNAME"], os.environ["DC_PASSWORD"]))
+        self.assertCmdSuccess(result, "Should delete user with bad password.")
+
+        (result, out, err) = self.runsubcmd("user", "add", user["name"], good_password,
+                                            "-H", "ldap://%s" % os.environ["DC_SERVER"],
+                                            "-U%s%%%s" % (os.environ["DC_USERNAME"], os.environ["DC_PASSWORD"]))
+        self.assertCmdSuccess(result, "Should succeed adding a user with good password.")
+
+        # Set password
+        (result, out, err) = self.runsubcmd("user", "setpassword", user["name"],
+                                            "--newpassword=%s" % bad_password,
+                                            "-H", "ldap://%s" % os.environ["DC_SERVER"],
+                                            "-U%s%%%s" % (os.environ["DC_USERNAME"], os.environ["DC_PASSWORD"]))
+        self.assertCmdFail(result, "Should fail setting a user's password to a bad one.")
+
+        (result, out, err) = self.runsubcmd("user", "setpassword", user["name"],
+                                            "--newpassword=%s" % good_password,
+                                            "-H", "ldap://%s" % os.environ["DC_SERVER"],
+                                            "-U%s%%%s" % (os.environ["DC_USERNAME"], os.environ["DC_PASSWORD"]))
+        self.assertCmdSuccess(result, "Should succeed setting a user's password to a good one.")
+
+        # Password=
+
+        (result, out, err) = self.runsubcmd("user", "password",
+                                            "--newpassword=%s" % bad_password,
+                                            "--ipaddress", os.environ["DC_SERVER_IP"],
+                                            "-U%s%%%s" % (user["name"], good_password))
+        self.assertCmdFail(result, "A user setting their own password to a bad one should fail.")
+
+        (result, out, err) = self.runsubcmd("user", "password",
+                                            "--newpassword=%s" % good_password + 'XYZ',
+                                            "--ipaddress", os.environ["DC_SERVER_IP"],
+                                            "-U%s%%%s" % (user["name"], good_password))
+        self.assertCmdSuccess(result, "A user setting their own password to a good one should succeed.")
+
+    def _randomUser(self, base={}):
+        """create a user with random attribute values, you can specify base attributes"""
+        user = {
+            "name": self.randomName(),
+        }
+        user.update(base)
+        return user
diff --git a/selftest/selftest.pl b/selftest/selftest.pl
index 528aa9c7d47..1ab932bb5e1 100755
--- a/selftest/selftest.pl
+++ b/selftest/selftest.pl
@@ -836,6 +836,7 @@ my @exported_envvars = (
 	"DNS_FORWARDER1",
 	"DNS_FORWARDER2",
 	"RESOLV_CONF",
+	"UNACCEPTABLE_PASSWORD",
 
 	# nss_wrapper
 	"NSS_WRAPPER_PASSWD",
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index 693e62305c7..731ad1f7db6 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -1761,6 +1761,9 @@ sub provision_chgdcpass($$)
 
 	print "PROVISIONING CHGDCPASS...\n";
 	my $extra_provision_options = undef;
+	# This environment disallows the use of this password
+	# (and also removes the default AD complexity checks)
+	my $unacceptable_password = "widk3Dsle32jxdBdskldsk55klASKQ";
 	push (@{$extra_provision_options}, "--dns-backend=BIND9_DLZ");
 	my $ret = $self->provision($prefix,
 				   "domain controller",
@@ -1771,7 +1774,7 @@ sub provision_chgdcpass($$)
 				   "chgDCpass1",
 				   undef,
 				   undef,
-				   "",
+				   "check password script = sed -e '/$unacceptable_password/{;q1}; /$unacceptable_password/!{q0}'\n",
 				   "",
 				   $extra_provision_options);
 	unless (defined $ret) {
@@ -1797,6 +1800,7 @@ sub provision_chgdcpass($$)
 	$ret->{DC_NETBIOSNAME} = $ret->{NETBIOSNAME};
 	$ret->{DC_USERNAME} = $ret->{USERNAME};
 	$ret->{DC_PASSWORD} = $ret->{PASSWORD};
+	$ret->{UNACCEPTABLE_PASSWORD} = $unacceptable_password;
 
 	return $ret;
 }
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index 52d08137c8b..f3fe5546831 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -556,6 +556,7 @@ planpythontestsuite("ad_dc:local", "samba.tests.samba_tool.gpo")
 
 planpythontestsuite("ad_dc_ntvfs:local", "samba.tests.samba_tool.processes")
 planpythontestsuite("ad_dc_ntvfs:local", "samba.tests.samba_tool.user")
+planpythontestsuite("chgdcpass:local", "samba.tests.samba_tool.user_check_password_script")
 planpythontestsuite("ad_dc_ntvfs:local", "samba.tests.samba_tool.group")
 planpythontestsuite("ad_dc:local", "samba.tests.samba_tool.ntacl")