Ejemplo n.º 1
    def test_maxsequence(self, reset_pwpolicy):
        """
        Check that the maxsequence policy limits monotonic runs.

        With maxsequence=3 a run of three characters ("123", "abc") has to
        be accepted, while a longer run ("1234", "abcde") has to be refused
        by both kinit and an LDAP password change.
        """
        self.set_pwpolicy(maxsequence=3)

        accepted = ('Password123', 'Passwordabc')
        refused = ('Password1234', 'Passwordabcde')

        # Every accepted value goes through both change paths. The reset
        # helper is defined outside this view; presumably it restores the
        # PASSWORD starting value before each attempt.
        for attempt in accepted:
            self.reset_password(self.master)
            self.kinit_as_user(self.master, PASSWORD, attempt)
            self.reset_password(self.master)
            tasks.ldappasswd_user_change(USER, PASSWORD, attempt, self.master)

        self.reset_password(self.master)

        for attempt in refused:
            kinit_result = self.kinit_as_user(
                self.master, PASSWORD, attempt, raiseonerr=False
            )
            # NOTE(review): only the exit status is checked on the kinit
            # path, so any failure that exits with 1 satisfies this assert;
            # the policy message is verified on the LDAP path only.
            assert kinit_result.returncode == 1

            ldap_result = tasks.ldappasswd_user_change(
                USER, PASSWORD, attempt, self.master, raiseonerr=False
            )
            assert ldap_result.returncode == 1
            assert ('Password contains a monotonic sequence'
                    in ldap_result.stdout_text)
Ejemplo n.º 2
    def test_dm_change_user_pwd_history_issue7181(self, pwpolicy_global):
        """
        Test that Directory Manager is exempt from the password policy.

        The minimum password lifetime is raised to 1 hour. A change made
        with the user's own credentials must then be refused, while the
        same kind of change made as Directory Manager must go through.
        """
        master = self.master

        # NOTE(review): the user name appears masked on this page; the
        # literal is reproduced as shown. The account is not created in
        # this test, so it presumably comes from an earlier test or a
        # fixture - confirm the ordering dependency.
        user = '******'
        original_passwd = 'Secret123'
        new_passwd = 'newPasswd123'

        # Minimum lifetime of 1 hour: an immediate self-service change
        # now violates the policy.
        master.run_command(["ipa", "pwpolicy-mod", "--minlife=1"])

        # Only exit status 1 counts as the expected refusal; any other
        # status is re-raised. The error text is not inspected here.
        refused = False
        try:
            tasks.ldappasswd_user_change(
                user, original_passwd, new_passwd, master
            )
        except CalledProcessError as err:
            if err.returncode != 1:
                raise
            refused = True
        if not refused:
            pytest.fail("Password change violating policy did not fail")

        # Directory Manager changes the password regardless of policy.
        try:
            tasks.ldappasswd_user_change(
                user, new_passwd, original_passwd, master, use_dirman=True
            )
        except CalledProcessError:
            pytest.fail("Password change failed when it should not")
Ejemplo n.º 3
    def test_maxrepeat(self, reset_pwpolicy):
        """
        Check that the maxrepeat policy limits repeated characters.

        With maxrepeat=2, passwords without a longer run of one character
        have to be accepted, while "1111" and "sss" have to be refused by
        both kinit and an LDAP password change.
        """
        self.set_pwpolicy(maxrepeat=2)

        accepted = ('Secret123', 'Password')
        refused = ('Secret1111', 'passsword')

        # Both change paths are exercised for every accepted value, with
        # a reset in front of each attempt.
        for attempt in accepted:
            self.reset_password(self.master)
            self.kinit_as_user(self.master, PASSWORD, attempt)
            self.reset_password(self.master)
            tasks.ldappasswd_user_change(USER, PASSWORD, attempt, self.master)

        self.reset_password(self.master)

        for attempt in refused:
            kinit_result = self.kinit_as_user(
                self.master, PASSWORD, attempt, raiseonerr=False
            )
            # NOTE(review): the kinit path is checked by exit status only;
            # the policy message is asserted on the LDAP path below.
            assert kinit_result.returncode == 1

            ldap_result = tasks.ldappasswd_user_change(
                USER, PASSWORD, attempt, self.master, raiseonerr=False
            )
            assert ldap_result.returncode == 1
            assert ('Password has too many consecutive characters'
                    in ldap_result.stdout_text)
Ejemplo n.º 4
    def test_minclasses(self, reset_pwpolicy):
        """
        Check that the minclasses policy enforces character-class variety.

        The same sequence runs for minclasses=2 and then minclasses=3:
        passwords with too few character classes must be refused by kinit
        and by an LDAP password change, each with its own error message,
        and passwords with enough classes must be accepted by kinit.
        """
        # (required classes, passwords to refuse, passwords to accept)
        scenarios = (
            (2,
             ('password', 'bookends'),
             ('Password', 'password1', 'password!')),
            (3,
             ('password1', 'Bookends'),
             ('Passw0rd', 'password1!', 'Password!')),
        )

        for required, too_simple, acceptable in scenarios:
            self.set_pwpolicy(minclasses=required)

            for attempt in too_simple:
                # Here the kinit output is checked too, so a failure for
                # an unrelated reason does not pass as a policy refusal.
                kinit_result = self.kinit_as_user(
                    self.master, PASSWORD, attempt, raiseonerr=False
                )
                assert kinit_result.returncode == 1
                assert ('Password does not contain enough character'
                        in kinit_result.stdout_text)

                ldap_result = tasks.ldappasswd_user_change(
                    USER, PASSWORD, attempt, self.master, raiseonerr=False
                )
                assert ldap_result.returncode == 1
                assert 'Password is too simple' in ldap_result.stdout_text

            # Accepted values are exercised through kinit only; the reset
            # follows each successful change.
            for attempt in acceptable:
                self.kinit_as_user(self.master, PASSWORD, attempt)
                self.reset_password(self.master)
Ejemplo n.º 5
    def test_ipauser_authentication_with_nonposix_trust(self):
        """
        Check that a freshly created IPA user can obtain a ticket.

        The user is added with an initial password, the password is then
        changed over LDAP, and kinit is run with the new password.
        """
        ipauser = u'tuser'
        original_passwd = 'Secret123'
        new_passwd = 'userPasswd123'

        # Add the account; the initial password is supplied on stdin
        # rather than as a command-line argument.
        add_user_cmd = ['ipa', 'user-add', ipauser, '--first=Test',
                        '--last=User', '--password']
        self.master.run_command(add_user_cmd, stdin_text=original_passwd)

        # The password has to be changed before the user can kinit.
        tasks.ldappasswd_user_change(
            ipauser, original_passwd, new_passwd, self.master
        )

        # kinit -E treats the principal as an enterprise name. There is
        # no explicit assert: the test relies on run_command raising on a
        # failed command (presumably its default - helper not shown).
        principal = '{0}@{1}'.format(ipauser, self.master.domain.name)
        self.master.run_command(['kinit', '-E', principal],
                                stdin_text=new_passwd)
Ejemplo n.º 6
    def test_ipauser_authentication_with_nonposix_trust(self):
        """
        Check that a freshly created IPA user can obtain a ticket.

        The user is added with an initial password, the password is then
        changed over LDAP, and kinit is run with the new password.
        """
        ipauser = u'tuser'
        original_passwd = 'Secret123'
        new_passwd = 'userPasswd123'

        # Add the account; the initial password is supplied on stdin
        # rather than as a command-line argument.
        add_user_cmd = ['ipa', 'user-add', ipauser, '--first=Test',
                        '--last=User', '--password']
        self.master.run_command(add_user_cmd, stdin_text=original_passwd)

        # The password has to be changed before the user can kinit.
        tasks.ldappasswd_user_change(
            ipauser, original_passwd, new_passwd, self.master
        )

        # kinit -E treats the principal as an enterprise name. There is
        # no explicit assert: the test relies on run_command raising on a
        # failed command (presumably its default - helper not shown).
        principal = '{0}@{1}'.format(ipauser, self.master.domain.name)
        self.master.run_command(['kinit', '-E', principal],
                                stdin_text=new_passwd)
Ejemplo n.º 7
    def test_dictcheck(self, reset_pwpolicy):
        """
        Check that the dictcheck policy refuses dictionary-based passwords.

        With dictcheck enabled, plain words and a word disguised with
        mixed case and a digit substitution must be refused by kinit and
        by an LDAP password change; an unrelated password must pass.
        """
        self.set_pwpolicy(dictcheck=True)

        dictionary_based = ('password', 'bookends', 'BaLtim0re')
        for attempt in dictionary_based:
            kinit_result = self.kinit_as_user(
                self.master, PASSWORD, attempt, raiseonerr=False
            )
            # NOTE(review): exit status only on the kinit path; the policy
            # message is asserted for the LDAP change below.
            assert kinit_result.returncode == 1

            ldap_result = tasks.ldappasswd_user_change(
                USER, PASSWORD, attempt, self.master, raiseonerr=False
            )
            assert ldap_result.returncode == 1
            assert ('Password is based on a dictionary word'
                    in ldap_result.stdout_text)

        # A password that is not dictionary-based has to be accepted.
        self.kinit_as_user(self.master, PASSWORD, 'bamOncyftAv0')
Ejemplo n.º 8
    def test_usercheck(self, reset_pwpolicy):
        """
        Check that the usercheck policy refuses passwords with the username.

        With usercheck enabled, passwords that embed the user name at the
        start or in the middle must be refused by kinit and by an LDAP
        password change; an unrelated password must pass.
        """
        self.set_pwpolicy(usercheck=True)

        # Both values embed "tuser" - presumably the value of USER, which
        # is defined outside this view.
        name_based = ('tuserpass', 'passoftuser')
        for attempt in name_based:
            kinit_result = self.kinit_as_user(
                self.master, PASSWORD, attempt, raiseonerr=False
            )
            # NOTE(review): exit status only on the kinit path; the policy
            # message is asserted for the LDAP change below.
            assert kinit_result.returncode == 1

            ldap_result = tasks.ldappasswd_user_change(
                USER, PASSWORD, attempt, self.master, raiseonerr=False
            )
            assert ldap_result.returncode == 1
            assert 'Password contains username' in ldap_result.stdout_text

        # A password without the user name has to be accepted.
        self.kinit_as_user(self.master, PASSWORD, 'bamOncyftAv0')
Ejemplo n.º 9
    def test_change_user_pwd_history_issue7181(self, pwpolicy_global):
        """
        Test that password history is enforced for a normal IPA user.

        The password goes original -> new -> original; a further change
        back to the already used new password must then be refused.
        """
        master = self.master

        # NOTE(review): the user name appears masked on this page; the
        # literal is reproduced as shown.
        user = '******'
        original_passwd = 'Secret123'
        new_passwd = 'userPasswd123'

        tasks.user_add(master, user, password=original_passwd)

        # Two changes that are expected to succeed, so that both values
        # have been used before the final attempt.
        tasks.ldappasswd_user_change(user, original_passwd, new_passwd, master)
        tasks.ldappasswd_user_change(user, new_passwd, original_passwd, master)

        # Reusing new_passwd must fail. Only exit status 1 counts as the
        # expected refusal; any other status is re-raised. The error text
        # is not inspected, so the refusal reason itself is not verified.
        reuse_refused = False
        try:
            tasks.ldappasswd_user_change(
                user, original_passwd, new_passwd, master
            )
        except CalledProcessError as err:
            if err.returncode != 1:
                raise
            reuse_refused = True
        if not reuse_refused:
            pytest.fail("Password change violating policy did not fail")