def test_pwdReset_by_user_DM(topology_st, create_user): """Test new password policy attribute "pwdReset" :id: 232bc7dc-8cb6-11eb-9791-98fa9ba19b65 :customerscenario: True :setup: 1. Standalone instance 2. Add a new user with a password :steps: 1. Enable passwordMustChange 2. Bind as the user and change the password 3. Check that the pwdReset attribute is set to TRUE 4. Bind as the Directory manager and attempt to change the pwdReset to FALSE 5. Check that pwdReset is NOT SET to FALSE :expected results: 1. Success 2. Success 3. Success 4. Success 5. Success """ # Reset user's password our_user = UserAccount(topology_st.standalone, TEST_USER_DN) log.info('Set password policy passwordMustChange on') topology_st.standalone.config.replace('passwordMustChange', 'on') our_user.replace('userpassword', PASSWORD) time.sleep(5) # Check that pwdReset is TRUE assert our_user.get_attr_val_utf8('pwdReset') == 'TRUE' log.info( 'Binding as the Directory manager and attempt to change the pwdReset to FALSE' ) topology_st.standalone.simple_bind_s(DN_DM, PASSWORD) with pytest.raises(ldap.UNWILLING_TO_PERFORM): topology_st.standalone.config.replace('pwdReset', 'FALSE') log.info('Check that pwdReset is NOT SET to FALSE') assert our_user.get_attr_val_utf8('pwdReset') == 'TRUE' log.info('Resetting password for {}'.format(TEST_USER_PWD)) our_user.reset_password(TEST_USER_PWD)
def test_global_tpr_delayValidFrom_2(topology_st, test_user, request): """Test global TPR policy : passwordTPRDelayValidFrom Test that a TPR password is valid after reset time + passwordTPRDelayValidFrom :id: 8fa9f6f7-9be2-47c0-bf92-d9fe78ddbc34 :customerscenario: False :setup: Standalone instance :steps: 1. Enable passwordMustChange 2. Set passwordTPRDelayValidFrom=6s 3. Create a account user 5. Reset the password 6. Wait for passwordTPRDelayValidFrom=6s 7. Bind with valid password, reset password to allow further searches 8. Check bound user can search attribute ('uid') :expected results: 1. Success 2. Success 3. Success 4. Success 5. Success 6. Success 7. Success 8. Success """ ValidFrom = 6 # Set password policy config, passwordMaxFailure being higher than # passwordTPRMaxUse so that TPR is enforced first topology_st.standalone.simple_bind_s(DN_DM, PASSWORD) topology_st.standalone.config.replace('passwordMustChange', 'on') topology_st.standalone.config.replace('passwordTPRDelayValidFrom', str(ValidFrom)) time.sleep(.5) # Reset user's password our_user = UserAccount(topology_st.standalone, TEST_USER_DN) our_user.replace('userpassword', PASSWORD) # give time to update the pwp attributes in the entry time.sleep(.5) # Check that pwdReset is TRUE topology_st.standalone.simple_bind_s(DN_DM, PASSWORD) assert our_user.get_attr_val_utf8('pwdReset') == 'TRUE' # Check that pwdTPRReset is TRUE assert our_user.get_attr_val_utf8('pwdTPRReset') == 'TRUE' now = time.mktime(time.gmtime()) log.info("compare pwdTPRValidFrom (%s) vs now (%s)" % (our_user.get_attr_val_utf8('pwdTPRValidFrom'), time.gmtime())) assert (gentime_to_posix_time( our_user.get_attr_val_utf8('pwdTPRValidFrom'))) >= (now + ValidFrom - 2) # wait for pwdTPRValidFrom time.sleep(ValidFrom + 1) # Bind as user with valid password, reset the password # and do simple search our_user.rebind(PASSWORD) our_user.reset_password(TEST_USER_PWD) our_user.rebind(TEST_USER_PWD) assert our_user.get_attr_val_utf8('uid') def fin(): topology_st.standalone.restart() # Reset password policy config topology_st.standalone.simple_bind_s(DN_DM, PASSWORD) topology_st.standalone.config.replace('passwordMustChange', 'off') # Reset user's password our_user.replace('userpassword', TEST_USER_PWD) request.addfinalizer(fin)
def test_global_tpr_maxuse_3(topology_st, test_user, request): """Test global TPR policy : passwordTPRMaxUse Test that after less than passwordTPRMaxUse failures to bind A bind with valid password is successfull but passwordMustChange does not allow to do a search. Changing the password allows to do a search :id: 7fd0301a-781e-4db8-a4bd-7b44e0f04bb6 :customerscenario: False :setup: Standalone instance :steps: 1. Enable passwordMustChange 2. Set passwordTPRMaxUse=5 3. Set passwordMaxFailure to a higher value to not disturb the test 4. Bind with a wrong password less then passwordTPRMaxUse times and check INVALID_CREDENTIALS 5. Bind with the valid password and check SRCH fail (ldap.UNWILLING_TO_PERFORM) because of passwordMustChange 6. check passwordTPRRetryCount reset to 0 7. Bindd with valid password and reset the password 8. Check we can bind again and SRCH succeeds 9. Reset password policy configuration :expected results: 1. Success 2. Success 3. Success 4. Success 5. Success 6. Success 7. Success 8. Success 9. Success """ try_tpr_failure = 5 # Set password policy config, passwordMaxFailure being higher than # passwordTPRMaxUse so that TPR is enforced first topology_st.standalone.config.replace('passwordMustChange', 'on') topology_st.standalone.config.replace('passwordMaxFailure', str(try_tpr_failure + 20)) topology_st.standalone.config.replace('passwordTPRMaxUse', str(try_tpr_failure)) time.sleep(.5) # Reset user's password our_user = UserAccount(topology_st.standalone, TEST_USER_DN) our_user.replace('userpassword', PASSWORD) # give time to update the pwp attributes in the entry time.sleep(.5) # Do less than passwordTPRMaxUse failing bind try_tpr_failure = try_tpr_failure - 2 for i in range(try_tpr_failure): # Bind as user with a wrong password with pytest.raises(ldap.INVALID_CREDENTIALS): our_user.rebind('wrong password') time.sleep(.5) # Check that pwdReset is TRUE topology_st.standalone.simple_bind_s(DN_DM, PASSWORD) #assert our_user.get_attr_val_utf8('pwdReset') == 'TRUE' # Check that pwdTPRReset is TRUE assert our_user.get_attr_val_utf8('pwdTPRReset') == 'TRUE' assert our_user.get_attr_val_utf8('pwdTPRUseCount') == str(i + 1) log.info( "%dth failing bind (INVALID_CREDENTIALS) => pwdTPRUseCount = %d" % (i + 1, i + 1)) # Now the #failures has not reached passwordTPRMaxUse # Check that pwdReset is TRUE topology_st.standalone.simple_bind_s(DN_DM, PASSWORD) assert our_user.get_attr_val_utf8('pwdReset') == 'TRUE' # Check that pwdTPRReset is TRUE assert our_user.get_attr_val_utf8('pwdTPRReset') == 'TRUE' assert our_user.get_attr_val_utf8('pwdTPRUseCount') == str(try_tpr_failure) log.info("last failing bind (INVALID_CREDENTIALS) => pwdTPRUseCount = %d" % (try_tpr_failure)) # Bind as user with valid password our_user.rebind(PASSWORD) time.sleep(.5) # We can not do anything else that reset password users = UserAccounts(topology_st.standalone, OU_PEOPLE, rdn=None) with pytest.raises(ldap.UNWILLING_TO_PERFORM): user = users.get(TEST_USER_NAME) # Check that pwdReset is TRUE topology_st.standalone.simple_bind_s(DN_DM, PASSWORD) assert our_user.get_attr_val_utf8('pwdReset') == 'TRUE' # Check that pwdTPRReset is FALSE assert our_user.get_attr_val_utf8('pwdTPRReset') == 'TRUE' assert our_user.get_attr_val_utf8('pwdTPRUseCount') == str( try_tpr_failure + 1) # Now reset the password and check we can do fully use the account our_user.rebind(PASSWORD) our_user.reset_password(TEST_USER_PWD) # give time to update the pwp attributes in the entry time.sleep(.5) our_user.rebind(TEST_USER_PWD) time.sleep(.5) user = users.get(TEST_USER_NAME) def fin(): topology_st.standalone.restart() # Reset password policy config topology_st.standalone.simple_bind_s(DN_DM, PASSWORD) topology_st.standalone.config.replace('passwordMustChange', 'off') # Reset user's password our_user.replace('userpassword', TEST_USER_PWD) request.addfinalizer(fin)
def test_global_tpr_delayExpireAt_2(topology_st, test_user, request): """Test global TPR policy : passwordTPRDelayExpireAt Test that a TPR password is valid before reset time + passwordTPRDelayExpireAt :id: 9df320de-ebf6-4ed0-a619-51b1a05a560c :customerscenario: False :setup: Standalone instance :steps: 1. Enable passwordMustChange 2. Set passwordTPRDelayExpireAt=6s 3. Create a account user 5. Reset the password 6. Wait for 1s 7. Bind with valid password should succeeds :expected results: 1. Success 2. Success 3. Success 4. Success 5. Success 6. Success 7. Success """ ExpireAt = 6 # Set password policy config, passwordMaxFailure being higher than # passwordTPRMaxUse so that TPR is enforced first topology_st.standalone.simple_bind_s(DN_DM, PASSWORD) topology_st.standalone.config.replace('passwordMustChange', 'on') topology_st.standalone.config.replace('passwordTPRMaxUse', str(-1)) topology_st.standalone.config.replace('passwordTPRDelayValidFrom', str(-1)) topology_st.standalone.config.replace('passwordTPRDelayExpireAt', str(ExpireAt)) time.sleep(.5) # Reset user's password our_user = UserAccount(topology_st.standalone, TEST_USER_DN) our_user.replace('userpassword', PASSWORD) # give time to update the pwp attributes in the entry time.sleep(.5) # Check that pwdReset is TRUE topology_st.standalone.simple_bind_s(DN_DM, PASSWORD) assert our_user.get_attr_val_utf8('pwdReset') == 'TRUE' # Check that pwdTPRReset is TRUE assert our_user.get_attr_val_utf8('pwdTPRReset') == 'TRUE' now = time.mktime(time.gmtime()) log.info("compare pwdTPRExpireAt (%s) vs now (%s)" % (our_user.get_attr_val_utf8('pwdTPRExpireAt'), time.gmtime())) assert (gentime_to_posix_time( our_user.get_attr_val_utf8('pwdTPRExpireAt'))) >= (now + ExpireAt - 2) # wait for 1s time.sleep(1) # Bind as user with valid password, reset the password # and do simple search our_user.rebind(PASSWORD) our_user.reset_password(TEST_USER_PWD) time.sleep(.5) our_user.rebind(TEST_USER_PWD) assert our_user.get_attr_val_utf8('uid') def fin(): topology_st.standalone.restart() # Reset password policy config topology_st.standalone.simple_bind_s(DN_DM, PASSWORD) topology_st.standalone.config.replace('passwordMustChange', 'off') # Reset user's password our_user.replace('userpassword', TEST_USER_PWD) request.addfinalizer(fin)