diff options
author | Bob Campbell <bobcampbell@catalyst.net.nz> | 2016-06-13 15:42:46 +1200 |
---|---|---|
committer | Garming Sam <garming@samba.org> | 2016-07-05 00:00:14 +0200 |
commit | ef0cbc556017b1ac3a6893add54890ff03670233 (patch) | |
tree | 3f19957f1a0dcdb1666849f1c0b5e5f19a42c35a | |
parent | 878fa6ef7de420ed7f28e95113bb76bf50879553 (diff) | |
download | samba-ef0cbc556017b1ac3a6893add54890ff03670233.tar.gz |
selftest: add check password script test
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-rw-r--r-- | python/samba/tests/samba_tool/user_check_password_script.py | 97 | ||||
-rwxr-xr-x | selftest/selftest.pl | 1 | ||||
-rwxr-xr-x | selftest/target/Samba4.pm | 6 | ||||
-rwxr-xr-x | source4/selftest/tests.py | 1 |
4 files changed, 104 insertions, 1 deletions
diff --git a/python/samba/tests/samba_tool/user_check_password_script.py b/python/samba/tests/samba_tool/user_check_password_script.py new file mode 100644 index 00000000000..5d4fbaec233 --- /dev/null +++ b/python/samba/tests/samba_tool/user_check_password_script.py @@ -0,0 +1,97 @@ +# Unix SMB/CIFS implementation. +# Copyright (C) Sean Dague <sdague@linux.vnet.ibm.com> 2011 +# Copyright (C) Andrew Bartlett <abartlet@samba.org> 2016 +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +# + +import os +import time +import ldb +from samba.tests.samba_tool.base import SambaToolCmdTest +from samba import ( + nttime2unix, + dsdb + ) + +class UserCheckPwdTestCase(SambaToolCmdTest): + """Tests for samba-tool user subcommands""" + users = [] + samdb = None + + def setUp(self): + super(UserCheckPwdTestCase, self).setUp() + self.samdb = self.getSamDB("-H", "ldap://%s" % os.environ["DC_SERVER"], + "-U%s%%%s" % (os.environ["DC_USERNAME"], os.environ["DC_PASSWORD"])) + self.old_min_pwd_age = self.samdb.get_minPwdAge() + self.samdb.set_minPwdAge("0") + + def tearDown(self): + super(UserCheckPwdTestCase, self).tearDown() + self.samdb.set_minPwdAge(self.old_min_pwd_age) + + def test_checkpassword(self): + # Add + user = self._randomUser() + bad_password = os.environ["UNACCEPTABLE_PASSWORD"] + good_password = bad_password[:-1] + + (result, out, err) = self.runsubcmd("user", "add", user["name"], bad_password, + "-H", "ldap://%s" % os.environ["DC_SERVER"], + "-U%s%%%s" % (os.environ["DC_USERNAME"], os.environ["DC_PASSWORD"])) + self.assertCmdFail(result, "Should fail adding a user with bad password.") + (result, out, err) = self.runsubcmd("user", "delete", user["name"], + "-H", "ldap://%s" % os.environ["DC_SERVER"], + "-U%s%%%s" % (os.environ["DC_USERNAME"], os.environ["DC_PASSWORD"])) + self.assertCmdSuccess(result, "Should delete user with bad password.") + + (result, out, err) = self.runsubcmd("user", "add", user["name"], good_password, + "-H", "ldap://%s" % os.environ["DC_SERVER"], + "-U%s%%%s" % (os.environ["DC_USERNAME"], os.environ["DC_PASSWORD"])) + self.assertCmdSuccess(result, "Should succeed adding a user with good password.") + + # Set password + (result, out, err) = self.runsubcmd("user", "setpassword", user["name"], + "--newpassword=%s" % bad_password, + "-H", "ldap://%s" % os.environ["DC_SERVER"], + "-U%s%%%s" % (os.environ["DC_USERNAME"], os.environ["DC_PASSWORD"])) + self.assertCmdFail(result, "Should fail setting a user's password to a bad one.") + + (result, out, err) = self.runsubcmd("user", "setpassword", user["name"], + "--newpassword=%s" % good_password, + "-H", "ldap://%s" % os.environ["DC_SERVER"], + "-U%s%%%s" % (os.environ["DC_USERNAME"], os.environ["DC_PASSWORD"])) + self.assertCmdSuccess(result, "Should succeed setting a user's password to a good one.") + + # Password= + + (result, out, err) = self.runsubcmd("user", "password", + "--newpassword=%s" % bad_password, + "--ipaddress", os.environ["DC_SERVER_IP"], + "-U%s%%%s" % (user["name"], good_password)) + self.assertCmdFail(result, "A user setting their own password to a bad one should fail.") + + (result, out, err) = self.runsubcmd("user", "password", + "--newpassword=%s" % good_password + 'XYZ', + "--ipaddress", os.environ["DC_SERVER_IP"], + "-U%s%%%s" % (user["name"], good_password)) + self.assertCmdSuccess(result, "A user setting their own password to a good one should succeed.") + + def _randomUser(self, base={}): + """create a user with random attribute values, you can specify base attributes""" + user = { + "name": self.randomName(), + } + user.update(base) + return user diff --git a/selftest/selftest.pl b/selftest/selftest.pl index 528aa9c7d47..1ab932bb5e1 100755 --- a/selftest/selftest.pl +++ b/selftest/selftest.pl @@ -836,6 +836,7 @@ my @exported_envvars = ( "DNS_FORWARDER1", "DNS_FORWARDER2", "RESOLV_CONF", + "UNACCEPTABLE_PASSWORD", # nss_wrapper "NSS_WRAPPER_PASSWD", diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm index 693e62305c7..731ad1f7db6 100755 --- a/selftest/target/Samba4.pm +++ b/selftest/target/Samba4.pm @@ -1761,6 +1761,9 @@ sub provision_chgdcpass($$) print "PROVISIONING CHGDCPASS...\n"; my $extra_provision_options = undef; + # This environment disallows the use of this password + # (and also removes the default AD complexity checks) + my $unacceptable_password = "widk3Dsle32jxdBdskldsk55klASKQ"; push (@{$extra_provision_options}, "--dns-backend=BIND9_DLZ"); my $ret = $self->provision($prefix, "domain controller", @@ -1771,7 +1774,7 @@ sub provision_chgdcpass($$) "chgDCpass1", undef, undef, - "", + "check password script = sed -e '/$unacceptable_password/{;q1}; /$unacceptable_password/!{q0}'\n", "", $extra_provision_options); unless (defined $ret) { @@ -1797,6 +1800,7 @@ sub provision_chgdcpass($$) $ret->{DC_NETBIOSNAME} = $ret->{NETBIOSNAME}; $ret->{DC_USERNAME} = $ret->{USERNAME}; $ret->{DC_PASSWORD} = $ret->{PASSWORD}; + $ret->{UNACCEPTABLE_PASSWORD} = $unacceptable_password; return $ret; } diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index 52d08137c8b..f3fe5546831 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py @@ -556,6 +556,7 @@ planpythontestsuite("ad_dc:local", "samba.tests.samba_tool.gpo") planpythontestsuite("ad_dc_ntvfs:local", "samba.tests.samba_tool.processes") planpythontestsuite("ad_dc_ntvfs:local", "samba.tests.samba_tool.user") +planpythontestsuite("chgdcpass:local", "samba.tests.samba_tool.user_check_password_script") planpythontestsuite("ad_dc_ntvfs:local", "samba.tests.samba_tool.group") planpythontestsuite("ad_dc:local", "samba.tests.samba_tool.ntacl") |