|
 |
7c7f29 |
From c8c5237c0dc6b5b1a0dc0b040bf2ca5058222141 Mon Sep 17 00:00:00 2001
|
|
|
7c7f29 |
From: Simon Pichugin <spichugi@redhat.com>
|
|
|
7c7f29 |
Date: Thu, 28 Jul 2016 11:53:47 +0200
|
|
|
7c7f29 |
Subject: [PATCH 25/29] Ticket 48943 - Add CI Test for the password test suite
|
|
|
7c7f29 |
|
|
|
7c7f29 |
Description: Test that fine-grained pwdpolicy on the entry has a
|
|
|
7c7f29 |
priority over fine-grained pwdpolicy on the subtree the entry belongs
|
|
|
7c7f29 |
to. Use passwordChange attribute to verify that.
|
|
|
7c7f29 |
|
|
|
7c7f29 |
https://fedorahosted.org/389/ticket/48943
|
|
|
7c7f29 |
|
|
|
7c7f29 |
Reviewed by: mreynolds (Thanks!)
|
|
|
7c7f29 |
|
|
|
7c7f29 |
(cherry picked from commit a20538f482089615ceff1947a3e237a87f31a781)
|
|
|
7c7f29 |
---
|
|
|
7c7f29 |
.../tests/suites/password/pwd_change_policytest.py | 240 +++++++++++++++++++++
|
|
|
7c7f29 |
1 file changed, 240 insertions(+)
|
|
|
7c7f29 |
create mode 100644 dirsrvtests/tests/suites/password/pwd_change_policytest.py
|
|
|
7c7f29 |
|
|
|
7c7f29 |
diff --git a/dirsrvtests/tests/suites/password/pwd_change_policytest.py b/dirsrvtests/tests/suites/password/pwd_change_policytest.py
|
|
|
7c7f29 |
new file mode 100644
|
|
|
7c7f29 |
index 0000000..1d48c65
|
|
|
7c7f29 |
--- /dev/null
|
|
|
7c7f29 |
+++ b/dirsrvtests/tests/suites/password/pwd_change_policytest.py
|
|
|
7c7f29 |
@@ -0,0 +1,240 @@
|
|
|
7c7f29 |
+import os
|
|
|
7c7f29 |
+import sys
|
|
|
7c7f29 |
+import time
|
|
|
7c7f29 |
+import subprocess
|
|
|
7c7f29 |
+import ldap
|
|
|
7c7f29 |
+import logging
|
|
|
7c7f29 |
+import pytest
|
|
|
7c7f29 |
+from lib389 import DirSrv, Entry, tools, tasks
|
|
|
7c7f29 |
+from lib389.tools import DirSrvTools
|
|
|
7c7f29 |
+from lib389._constants import *
|
|
|
7c7f29 |
+from lib389.properties import *
|
|
|
7c7f29 |
+from lib389.tasks import *
|
|
|
7c7f29 |
+from lib389.utils import *
|
|
|
7c7f29 |
+
|
|
|
7c7f29 |
+DEBUGGING = False
|
|
|
7c7f29 |
+OU_PEOPLE = 'ou=people,{}'.format(DEFAULT_SUFFIX)
|
|
|
7c7f29 |
+TEST_USER_NAME = 'simplepaged_test'
|
|
|
7c7f29 |
+TEST_USER_DN = 'uid={},{}'.format(TEST_USER_NAME, OU_PEOPLE)
|
|
|
7c7f29 |
+TEST_USER_PWD = 'simplepaged_test'
|
|
|
7c7f29 |
+PW_POLICY_CONT_USER = 'cn="cn=nsPwPolicyEntry,uid=simplepaged_test,'\
|
|
|
7c7f29 |
+ 'ou=people,dc=example,dc=com",'\
|
|
|
7c7f29 |
+ 'cn=nsPwPolicyContainer,ou=people,dc=example,dc=com'
|
|
|
7c7f29 |
+PW_POLICY_CONT_PEOPLE = 'cn="cn=nsPwPolicyEntry,'\
|
|
|
7c7f29 |
+ 'ou=people,dc=example,dc=com",'\
|
|
|
7c7f29 |
+ 'cn=nsPwPolicyContainer,ou=people,dc=example,dc=com'
|
|
|
7c7f29 |
+
|
|
|
7c7f29 |
+if DEBUGGING:
|
|
|
7c7f29 |
+ logging.getLogger(__name__).setLevel(logging.DEBUG)
|
|
|
7c7f29 |
+else:
|
|
|
7c7f29 |
+ logging.getLogger(__name__).setLevel(logging.INFO)
|
|
|
7c7f29 |
+
|
|
|
7c7f29 |
+log = logging.getLogger(__name__)
|
|
|
7c7f29 |
+
|
|
|
7c7f29 |
+
|
|
|
7c7f29 |
+class TopologyStandalone(object):
|
|
|
7c7f29 |
+ """The DS Topology Class"""
|
|
|
7c7f29 |
+ def __init__(self, standalone):
|
|
|
7c7f29 |
+ """Init"""
|
|
|
7c7f29 |
+ standalone.open()
|
|
|
7c7f29 |
+ self.standalone = standalone
|
|
|
7c7f29 |
+
|
|
|
7c7f29 |
+
|
|
|
7c7f29 |
+@pytest.fixture(scope="module")
|
|
|
7c7f29 |
+def topology(request):
|
|
|
7c7f29 |
+ """Create DS Deployment"""
|
|
|
7c7f29 |
+
|
|
|
7c7f29 |
+ # Creating standalone instance ...
|
|
|
7c7f29 |
+ if DEBUGGING:
|
|
|
7c7f29 |
+ standalone = DirSrv(verbose=True)
|
|
|
7c7f29 |
+ else:
|
|
|
7c7f29 |
+ standalone = DirSrv(verbose=False)
|
|
|
7c7f29 |
+ args_instance[SER_HOST] = HOST_STANDALONE
|
|
|
7c7f29 |
+ args_instance[SER_PORT] = PORT_STANDALONE
|
|
|
7c7f29 |
+ args_instance[SER_SERVERID_PROP] = SERVERID_STANDALONE
|
|
|
7c7f29 |
+ args_instance[SER_CREATION_SUFFIX] = DEFAULT_SUFFIX
|
|
|
7c7f29 |
+ args_standalone = args_instance.copy()
|
|
|
7c7f29 |
+ standalone.allocate(args_standalone)
|
|
|
7c7f29 |
+ instance_standalone = standalone.exists()
|
|
|
7c7f29 |
+ if instance_standalone:
|
|
|
7c7f29 |
+ standalone.delete()
|
|
|
7c7f29 |
+ standalone.create()
|
|
|
7c7f29 |
+ standalone.open()
|
|
|
7c7f29 |
+
|
|
|
7c7f29 |
+ def fin():
|
|
|
7c7f29 |
+ """If we are debugging just stop the instances, otherwise remove
|
|
|
7c7f29 |
+ them
|
|
|
7c7f29 |
+ """
|
|
|
7c7f29 |
+ if DEBUGGING:
|
|
|
7c7f29 |
+ standalone.stop()
|
|
|
7c7f29 |
+ else:
|
|
|
7c7f29 |
+ standalone.delete()
|
|
|
7c7f29 |
+
|
|
|
7c7f29 |
+ request.addfinalizer(fin)
|
|
|
7c7f29 |
+
|
|
|
7c7f29 |
+
|
|
|
7c7f29 |
+ return TopologyStandalone(standalone)
|
|
|
7c7f29 |
+
|
|
|
7c7f29 |
+
|
|
|
7c7f29 |
+@pytest.fixture(scope="module")
|
|
|
7c7f29 |
+def test_user(topology, request):
|
|
|
7c7f29 |
+ """User for binding operation"""
|
|
|
7c7f29 |
+
|
|
|
7c7f29 |
+ log.info('Adding user {}'.format(TEST_USER_DN))
|
|
|
7c7f29 |
+ try:
|
|
|
7c7f29 |
+ topology.standalone.add_s(Entry((TEST_USER_DN, {
|
|
|
7c7f29 |
+ 'objectclass': 'top person'.split(),
|
|
|
7c7f29 |
+ 'objectclass': 'organizationalPerson',
|
|
|
7c7f29 |
+ 'objectclass': 'inetorgperson',
|
|
|
7c7f29 |
+ 'cn': TEST_USER_NAME,
|
|
|
7c7f29 |
+ 'sn': TEST_USER_NAME,
|
|
|
7c7f29 |
+ 'userpassword': TEST_USER_PWD,
|
|
|
7c7f29 |
+ 'mail': '%s@redhat.com' % TEST_USER_NAME,
|
|
|
7c7f29 |
+ 'uid': TEST_USER_NAME
|
|
|
7c7f29 |
+ })))
|
|
|
7c7f29 |
+ except ldap.LDAPError as e:
|
|
|
7c7f29 |
+ log.error('Failed to add user (%s): error (%s)' % (TEST_USER_DN,
|
|
|
7c7f29 |
+ e.message['desc']))
|
|
|
7c7f29 |
+ raise e
|
|
|
7c7f29 |
+
|
|
|
7c7f29 |
+ def fin():
|
|
|
7c7f29 |
+ log.info('Deleting user {}'.format(TEST_USER_DN))
|
|
|
7c7f29 |
+ topology.standalone.delete_s(TEST_USER_DN)
|
|
|
7c7f29 |
+ request.addfinalizer(fin)
|
|
|
7c7f29 |
+
|
|
|
7c7f29 |
+
|
|
|
7c7f29 |
+@pytest.fixture(scope="module")
|
|
|
7c7f29 |
+def password_policy(topology, test_user):
|
|
|
7c7f29 |
+ """Set up password policy for subtree and user"""
|
|
|
7c7f29 |
+
|
|
|
7c7f29 |
+ log.info('Enable fine-grained policy')
|
|
|
7c7f29 |
+ try:
|
|
|
7c7f29 |
+ topology.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE,
|
|
|
7c7f29 |
+ 'nsslapd-pwpolicy-local',
|
|
|
7c7f29 |
+ 'on')])
|
|
|
7c7f29 |
+ except ldap.LDAPError as e:
|
|
|
7c7f29 |
+ log.error('Failed to set fine-grained policy: error {}'.format(
|
|
|
7c7f29 |
+ e.message['desc']))
|
|
|
7c7f29 |
+ raise e
|
|
|
7c7f29 |
+
|
|
|
7c7f29 |
+ log.info('Create password policy for subtree {}'.format(OU_PEOPLE))
|
|
|
7c7f29 |
+ try:
|
|
|
7c7f29 |
+ subprocess.call(['ns-newpwpolicy.pl', '-D', DN_DM, '-w', PASSWORD,
|
|
|
7c7f29 |
+ '-p', str(PORT_STANDALONE), '-h', HOST_STANDALONE,
|
|
|
7c7f29 |
+ '-S', OU_PEOPLE, '-Z', SERVERID_STANDALONE])
|
|
|
7c7f29 |
+ except subprocess.CalledProcessError as e:
|
|
|
7c7f29 |
+ log.error('Failed to create pw policy policy for {}: error {}'.format(
|
|
|
7c7f29 |
+ OU_PEOPLE, e.message['desc']))
|
|
|
7c7f29 |
+ raise e
|
|
|
7c7f29 |
+
|
|
|
7c7f29 |
+ log.info('Add pwdpolicysubentry attribute to {}'.format(OU_PEOPLE))
|
|
|
7c7f29 |
+ try:
|
|
|
7c7f29 |
+ topology.standalone.modify_s(OU_PEOPLE, [(ldap.MOD_REPLACE,
|
|
|
7c7f29 |
+ 'pwdpolicysubentry',
|
|
|
7c7f29 |
+ PW_POLICY_CONT_PEOPLE)])
|
|
|
7c7f29 |
+ except ldap.LDAPError as e:
|
|
|
7c7f29 |
+ log.error('Failed to pwdpolicysubentry pw policy '\
|
|
|
7c7f29 |
+ 'policy for {}: error {}'.format(OU_PEOPLE,
|
|
|
7c7f29 |
+ e.message['desc']))
|
|
|
7c7f29 |
+ raise e
|
|
|
7c7f29 |
+
|
|
|
7c7f29 |
+ log.info('Create password policy for subtree {}'.format(TEST_USER_DN))
|
|
|
7c7f29 |
+ try:
|
|
|
7c7f29 |
+ subprocess.call(['ns-newpwpolicy.pl', '-D', DN_DM, '-w', PASSWORD,
|
|
|
7c7f29 |
+ '-p', str(PORT_STANDALONE), '-h', HOST_STANDALONE,
|
|
|
7c7f29 |
+ '-U', TEST_USER_DN, '-Z', SERVERID_STANDALONE])
|
|
|
7c7f29 |
+ except subprocess.CalledProcessError as e:
|
|
|
7c7f29 |
+ log.error('Failed to create pw policy policy for {}: error {}'.format(
|
|
|
7c7f29 |
+ TEST_USER_DN, e.message['desc']))
|
|
|
7c7f29 |
+ raise e
|
|
|
7c7f29 |
+
|
|
|
7c7f29 |
+ log.info('Add pwdpolicysubentry attribute to {}'.format(TEST_USER_DN))
|
|
|
7c7f29 |
+ try:
|
|
|
7c7f29 |
+ topology.standalone.modify_s(TEST_USER_DN, [(ldap.MOD_REPLACE,
|
|
|
7c7f29 |
+ 'pwdpolicysubentry',
|
|
|
7c7f29 |
+ PW_POLICY_CONT_USER)])
|
|
|
7c7f29 |
+ except ldap.LDAPError as e:
|
|
|
7c7f29 |
+ log.error('Failed to pwdpolicysubentry pw policy '\
|
|
|
7c7f29 |
+ 'policy for {}: error {}'.format(TEST_USER_DN,
|
|
|
7c7f29 |
+ e.message['desc']))
|
|
|
7c7f29 |
+ raise e
|
|
|
7c7f29 |
+
|
|
|
7c7f29 |
+
|
|
|
7c7f29 |
+@pytest.mark.parametrize('subtree_pwchange,user_pwchange,exception',
|
|
|
7c7f29 |
+ [('off', 'on', None), ('on', 'on', None),
|
|
|
7c7f29 |
+ ('on', 'off', ldap.UNWILLING_TO_PERFORM),
|
|
|
7c7f29 |
+ ('off', 'off', ldap.UNWILLING_TO_PERFORM)])
|
|
|
7c7f29 |
+def test_change_pwd(topology, test_user, password_policy,
|
|
|
7c7f29 |
+ subtree_pwchange, user_pwchange, exception):
|
|
|
7c7f29 |
+ """Verify that 'passwordChange' attr works as expected
|
|
|
7c7f29 |
+ User should have a priority over a subtree.
|
|
|
7c7f29 |
+
|
|
|
7c7f29 |
+ :Feature: Password policy
|
|
|
7c7f29 |
+
|
|
|
7c7f29 |
+ :Setup: Standalone instance, test user,
|
|
|
7c7f29 |
+ password policy entries for a user and a subtree
|
|
|
7c7f29 |
+
|
|
|
7c7f29 |
+ :Steps: 1. Set passwordChange on the user and the subtree
|
|
|
7c7f29 |
+ to various combinations
|
|
|
7c7f29 |
+ 2. Bind as test user
|
|
|
7c7f29 |
+ 3. Try to change password
|
|
|
7c7f29 |
+
|
|
|
7c7f29 |
+ :Assert: Subtree/User passwordChange - result
|
|
|
7c7f29 |
+ off/on, on/on - success
|
|
|
7c7f29 |
+ on/off, off/off - UNWILLING_TO_PERFORM
|
|
|
7c7f29 |
+ """
|
|
|
7c7f29 |
+
|
|
|
7c7f29 |
+ log.info('Set passwordChange to "{}" - {}'.format(subtree_pwchange,
|
|
|
7c7f29 |
+ PW_POLICY_CONT_PEOPLE))
|
|
|
7c7f29 |
+ try:
|
|
|
7c7f29 |
+ topology.standalone.modify_s(PW_POLICY_CONT_PEOPLE, [(ldap.MOD_REPLACE,
|
|
|
7c7f29 |
+ 'passwordChange',
|
|
|
7c7f29 |
+ subtree_pwchange)])
|
|
|
7c7f29 |
+ except ldap.LDAPError as e:
|
|
|
7c7f29 |
+ log.error('Failed to set passwordChange '\
|
|
|
7c7f29 |
+ 'policy for {}: error {}'.format(PW_POLICY_CONT_PEOPLE,
|
|
|
7c7f29 |
+ e.message['desc']))
|
|
|
7c7f29 |
+ raise e
|
|
|
7c7f29 |
+
|
|
|
7c7f29 |
+
|
|
|
7c7f29 |
+ log.info('Set passwordChange to "{}" - {}'.format(user_pwchange,
|
|
|
7c7f29 |
+ PW_POLICY_CONT_USER))
|
|
|
7c7f29 |
+ try:
|
|
|
7c7f29 |
+ topology.standalone.modify_s(PW_POLICY_CONT_USER, [(ldap.MOD_REPLACE,
|
|
|
7c7f29 |
+ 'passwordChange',
|
|
|
7c7f29 |
+ user_pwchange)])
|
|
|
7c7f29 |
+ except ldap.LDAPError as e:
|
|
|
7c7f29 |
+ log.error('Failed to set passwordChange '\
|
|
|
7c7f29 |
+ 'policy for {}: error {}'.format(PW_POLICY_CONT_USER,
|
|
|
7c7f29 |
+ e.message['desc']))
|
|
|
7c7f29 |
+ raise e
|
|
|
7c7f29 |
+
|
|
|
7c7f29 |
+ try:
|
|
|
7c7f29 |
+ log.info('Bind as user and modify userPassword')
|
|
|
7c7f29 |
+ topology.standalone.simple_bind_s(TEST_USER_DN, TEST_USER_PWD)
|
|
|
7c7f29 |
+ if exception:
|
|
|
7c7f29 |
+ with pytest.raises(exception):
|
|
|
7c7f29 |
+ topology.standalone.modify_s(TEST_USER_DN, [(ldap.MOD_REPLACE,
|
|
|
7c7f29 |
+ 'userPassword',
|
|
|
7c7f29 |
+ 'new_pass')])
|
|
|
7c7f29 |
+ else:
|
|
|
7c7f29 |
+ topology.standalone.modify_s(TEST_USER_DN, [(ldap.MOD_REPLACE,
|
|
|
7c7f29 |
+ 'userPassword',
|
|
|
7c7f29 |
+ 'new_pass')])
|
|
|
7c7f29 |
+ except ldap.LDAPError as e:
|
|
|
7c7f29 |
+ log.error('Failed to change userpassword for {}: error {}'.format(
|
|
|
7c7f29 |
+ TEST_USER_DN, e.message['info']))
|
|
|
7c7f29 |
+ raise e
|
|
|
7c7f29 |
+ finally:
|
|
|
7c7f29 |
+ log.info('Bind as DM')
|
|
|
7c7f29 |
+ topology.standalone.simple_bind_s(DN_DM, PASSWORD)
|
|
|
7c7f29 |
+ topology.standalone.modify_s(TEST_USER_DN, [(ldap.MOD_REPLACE,
|
|
|
7c7f29 |
+ 'userPassword',
|
|
|
7c7f29 |
+ TEST_USER_PWD)])
|
|
|
7c7f29 |
+
|
|
|
7c7f29 |
+
|
|
|
7c7f29 |
+if __name__ == '__main__':
|
|
|
7c7f29 |
+ # Run isolated
|
|
|
7c7f29 |
+ # -s for DEBUG mode
|
|
|
7c7f29 |
+ CURRENT_FILE = os.path.realpath(__file__)
|
|
|
7c7f29 |
+ pytest.main("-s %s" % CURRENT_FILE)
|
|
|
7c7f29 |
--
|
|
|
7c7f29 |
2.4.11
|
|
|
7c7f29 |
|