def test_maxsequence(self, reset_pwpolicy):
    """
    Test that the maxsequence policy limits monotonic character runs.

    With maxsequence=3, passwords containing a run of three sequential
    characters must be accepted and longer runs rejected, both through
    kinit_as_user and through tasks.ldappasswd_user_change.
    """
    self.set_pwpolicy(maxsequence=3)

    accepted = ('Password123', 'Passwordabc')
    rejected = ('Password1234', 'Passwordabcde')
    policy_error = 'Password contains a monotonic sequence'

    # good passwords; reset_password is called around every change,
    # presumably to put the account back on PASSWORD (confirm against
    # the helper)
    for candidate in accepted:
        self.reset_password(self.master)
        self.kinit_as_user(self.master, PASSWORD, candidate)
        self.reset_password(self.master)
        tasks.ldappasswd_user_change(
            USER, PASSWORD, candidate, self.master
        )
        self.reset_password(self.master)

    # bad passwords
    for candidate in rejected:
        # NOTE(review): the kinit rejection is identified by exit status
        # only, so any other kinit failure that exits with 1 satisfies
        # this assertion too; the policy message is checked only on the
        # LDAP path below.
        kinit_result = self.kinit_as_user(
            self.master, PASSWORD, candidate, raiseonerr=False
        )
        assert kinit_result.returncode == 1

        ldap_result = tasks.ldappasswd_user_change(
            USER, PASSWORD, candidate, self.master, raiseonerr=False
        )
        assert ldap_result.returncode == 1
        assert policy_error in ldap_result.stdout_text
def test_dm_change_user_pwd_history_issue7181(self, pwpolicy_global):
    """
    Test that password policy is not applied with Directory Manager.

    The minimum password lifetime is set to 1 hour.  A change made as
    the user must then be rejected with exit status 1, while a change
    made with use_dirman=True must go through.
    """
    user = '******'
    original_passwd = 'Secret123'
    new_passwd = 'newPasswd123'
    master = self.master

    # reset minimum life to 1 hour.
    master.run_command(["ipa", "pwpolicy-mod", "--minlife=1"])

    # NOTE(review): the rejection below depends on the user's password
    # having been changed within the last hour, which this method does
    # not do itself -- presumably an earlier test or the fixture leaves
    # the account in that state; confirm.
    try:
        tasks.ldappasswd_user_change(
            user, original_passwd, new_passwd, master
        )
    except CalledProcessError as err:
        # Exit status 1 is the expected rejection; anything else is an
        # unrelated failure and is propagated.
        if err.returncode != 1:
            raise
    else:
        pytest.fail("Password change violating policy did not fail")

    # DM should be able to change any password regardless of policy
    # NOTE(review): new_passwd is passed as the current password even
    # though the change to it above is expected to have failed;
    # presumably the helper ignores the old password when
    # use_dirman=True -- confirm.
    try:
        tasks.ldappasswd_user_change(
            user, new_passwd, original_passwd, master, use_dirman=True
        )
    except CalledProcessError:
        pytest.fail("Password change failed when it should not")
def test_maxrepeat(self, reset_pwpolicy):
    """
    Test that the maxrepeat policy limits repeated characters.

    With maxrepeat=2, passwords with at most two identical consecutive
    characters must be accepted and longer repeats rejected, both
    through kinit_as_user and through tasks.ldappasswd_user_change.
    """
    self.set_pwpolicy(maxrepeat=2)

    accepted = ('Secret123', 'Password')
    rejected = ('Secret1111', 'passsword')
    policy_error = 'Password has too many consecutive characters'

    # good passwords; reset_password is called around every change,
    # presumably to put the account back on PASSWORD (confirm against
    # the helper)
    for candidate in accepted:
        self.reset_password(self.master)
        self.kinit_as_user(self.master, PASSWORD, candidate)
        self.reset_password(self.master)
        tasks.ldappasswd_user_change(
            USER, PASSWORD, candidate, self.master
        )
        self.reset_password(self.master)

    # bad passwords
    for candidate in rejected:
        # NOTE(review): only the exit status is asserted for kinit, so a
        # kinit failure unrelated to policy that exits with 1 would pass
        # here as well; the policy message is checked on the LDAP path.
        kinit_result = self.kinit_as_user(
            self.master, PASSWORD, candidate, raiseonerr=False
        )
        assert kinit_result.returncode == 1

        ldap_result = tasks.ldappasswd_user_change(
            USER, PASSWORD, candidate, self.master, raiseonerr=False
        )
        assert ldap_result.returncode == 1
        assert policy_error in ldap_result.stdout_text
def test_minclasses(self, reset_pwpolicy):
    """
    Test that the minclasses policy requires enough character classes.

    The same sequence runs for minclasses=2 and then minclasses=3:
    passwords with too few classes must be rejected by kinit_as_user and
    by tasks.ldappasswd_user_change with the respective error text, and
    passwords with enough classes must be accepted by kinit_as_user.
    """
    kinit_error = 'Password does not contain enough character'
    ldap_error = 'Password is too simple'

    # (minclasses value, passwords to reject, passwords to accept)
    scenarios = (
        (
            2,
            ('password', 'bookends'),
            ('Password', 'password1', 'password!'),
        ),
        (
            3,
            ('password1', 'Bookends'),
            ('Passw0rd', 'password1!', 'Password!'),
        ),
    )

    for required_classes, too_simple, acceptable in scenarios:
        self.set_pwpolicy(minclasses=required_classes)

        for candidate in too_simple:
            # The two paths report the same violation with different
            # wording, so each has its own expected message.
            kinit_result = self.kinit_as_user(
                self.master, PASSWORD, candidate, raiseonerr=False
            )
            assert kinit_result.returncode == 1
            assert kinit_error in kinit_result.stdout_text

            ldap_result = tasks.ldappasswd_user_change(
                USER, PASSWORD, candidate, self.master, raiseonerr=False
            )
            assert ldap_result.returncode == 1
            assert ldap_error in ldap_result.stdout_text

        # test with valid password
        # NOTE(review): acceptance is exercised through kinit_as_user
        # only; the LDAP change path is not tried with a valid password.
        for candidate in acceptable:
            self.kinit_as_user(self.master, PASSWORD, candidate)
            self.reset_password(self.master)
def test_ipauser_authentication_with_nonposix_trust(self):
    """
    Test that a freshly created IPA user can authenticate with kinit.

    The user is added with an initial password, the password is changed
    through tasks.ldappasswd_user_change, and kinit is then run for the
    user with the new password.
    """
    ipauser = u'tuser'
    original_passwd = 'Secret123'
    new_passwd = 'userPasswd123'

    # create an ipauser for this test; the initial password is fed on
    # stdin, so it is not part of the ipa command line
    add_user_cmd = [
        'ipa', 'user-add', ipauser,
        '--first=Test', '--last=User', '--password',
    ]
    self.master.run_command(add_user_cmd, stdin_text=original_passwd)

    # change password for the user to be able to kinit
    tasks.ldappasswd_user_change(
        ipauser, original_passwd, new_passwd, self.master
    )

    # try to kinit as ipauser (-E: enterprise principal name)
    # NOTE(review): there is no explicit assertion; the test presumably
    # relies on run_command raising on a non-zero exit -- confirm.
    principal = '{0}@{1}'.format(ipauser, self.master.domain.name)
    self.master.run_command(
        ['kinit', '-E', principal], stdin_text=new_passwd
    )
def test_ipauser_authentication_with_nonposix_trust(self):
    """
    Test that a freshly created IPA user can authenticate with kinit.

    The user is added with an initial password, the password is changed
    through tasks.ldappasswd_user_change, and kinit is then run for the
    user with the new password.
    """
    ipauser = u'tuser'
    original_passwd = 'Secret123'
    new_passwd = 'userPasswd123'

    # create an ipauser for this test; the initial password is fed on
    # stdin, so it is not part of the ipa command line
    add_user_cmd = [
        'ipa', 'user-add', ipauser,
        '--first=Test', '--last=User', '--password',
    ]
    self.master.run_command(add_user_cmd, stdin_text=original_passwd)

    # change password for the user to be able to kinit
    tasks.ldappasswd_user_change(
        ipauser, original_passwd, new_passwd, self.master
    )

    # try to kinit as ipauser (-E: enterprise principal name)
    # NOTE(review): there is no explicit assertion; the test presumably
    # relies on run_command raising on a non-zero exit -- confirm.
    principal = '{0}@{1}'.format(ipauser, self.master.domain.name)
    self.master.run_command(
        ['kinit', '-E', principal], stdin_text=new_passwd
    )
def test_dictcheck(self, reset_pwpolicy):
    """
    Test that the dictcheck policy rejects dictionary-based passwords.

    With dictcheck=True, each listed password must be rejected by
    kinit_as_user and by tasks.ldappasswd_user_change; one password that
    is expected to pass is then set through kinit_as_user.
    """
    self.set_pwpolicy(dictcheck=True)

    rejected = ('password', 'bookends', 'BaLtim0re')
    policy_error = 'Password is based on a dictionary word'

    for candidate in rejected:
        # NOTE(review): only the exit status is asserted for kinit, so a
        # kinit failure unrelated to policy that exits with 1 would pass
        # here as well; the policy message is checked on the LDAP path.
        kinit_result = self.kinit_as_user(
            self.master, PASSWORD, candidate, raiseonerr=False
        )
        assert kinit_result.returncode == 1

        ldap_result = tasks.ldappasswd_user_change(
            USER, PASSWORD, candidate, self.master, raiseonerr=False
        )
        assert ldap_result.returncode == 1
        assert policy_error in ldap_result.stdout_text

    # test with valid password
    # NOTE(review): acceptance is exercised through kinit_as_user only;
    # the LDAP change path is not tried with a valid password.
    self.kinit_as_user(self.master, PASSWORD, 'bamOncyftAv0')
def test_usercheck(self, reset_pwpolicy):
    """
    Test that the usercheck policy rejects passwords with the username.

    With usercheck=True, each listed password must be rejected by
    kinit_as_user and by tasks.ldappasswd_user_change; one password that
    is expected to pass is then set through kinit_as_user.
    """
    self.set_pwpolicy(usercheck=True)

    # Both candidates embed 'tuser'; presumably that is the value of
    # USER -- confirm against the module constant.
    rejected = ('tuserpass', 'passoftuser')
    policy_error = 'Password contains username'

    for candidate in rejected:
        # NOTE(review): only the exit status is asserted for kinit, so a
        # kinit failure unrelated to policy that exits with 1 would pass
        # here as well; the policy message is checked on the LDAP path.
        kinit_result = self.kinit_as_user(
            self.master, PASSWORD, candidate, raiseonerr=False
        )
        assert kinit_result.returncode == 1

        ldap_result = tasks.ldappasswd_user_change(
            USER, PASSWORD, candidate, self.master, raiseonerr=False
        )
        assert ldap_result.returncode == 1
        assert policy_error in ldap_result.stdout_text

    # test with valid password
    # NOTE(review): acceptance is exercised through kinit_as_user only;
    # the LDAP change path is not tried with a valid password.
    self.kinit_as_user(self.master, PASSWORD, 'bamOncyftAv0')
def test_change_user_pwd_history_issue7181(self, pwpolicy_global):
    """
    Test that password history for a normal IPA user is honored.

    The user's password goes original -> new -> original; a further
    change back to the new password must then be rejected with exit
    status 1.
    """
    user = '******'
    original_passwd = 'Secret123'
    new_passwd = 'userPasswd123'
    master = self.master

    tasks.user_add(master, user, password=original_passwd)

    # Two successful changes put both passwords in use once.
    tasks.ldappasswd_user_change(
        user, original_passwd, new_passwd, master
    )
    tasks.ldappasswd_user_change(
        user, new_passwd, original_passwd, master
    )

    # NOTE(review): only the exit status identifies the rejection; the
    # history depth and minimum lifetime in force presumably come from
    # the pwpolicy_global fixture -- confirm that history is the only
    # rule that can reject this change.
    try:
        tasks.ldappasswd_user_change(
            user, original_passwd, new_passwd, master
        )
    except CalledProcessError as err:
        # Exit status 1 is the expected rejection; anything else is an
        # unrelated failure and is propagated.
        if err.returncode != 1:
            raise
    else:
        pytest.fail("Password change violating policy did not fail")