Use the Kerberos context to set the error message

[kerberos/krb5-strength.git] / tests / heimdal / external-t

#!/usr/bin/perl
#
# Test suite for basic Heimdal external strength checking functionality.
#
# Written by Russ Allbery <rra@stanford.edu>
# Copyright 2009, 2012, 2013
#     The Board of Trustees of the Leland Stanford Junior University
#
# See LICENSE for licensing terms.

use 5.006;
use strict;
use warnings;

use lib "$ENV{SOURCE}/tap/perl";

use File::Copy qw(copy);
use Test::RRA qw(use_prereq);
use Test::RRA::Automake qw(test_file_path);

use_prereq('File::Slurp');
use_prereq('IPC::Run', 'run');
use_prereq('JSON');
use_prereq('Test::More', '0.87_01');

# Run the newly-built heimdal-strength command to check a password and reports
# the results using Test::More.  This uses the standard protocol for Heimdal
# external password strength checking programs.
#
# $test_ref - Reference to hash of test parameters
#   name      - The name of the test case
#   principal - The principal changing its password
#   password  - The new password
#   status    - If present, the exit status (otherwise, it should be 0)
#   error     - If present, the expected rejection error
#
# Returns: undef
#  Throws: Text exception on failure to run the test program
sub check_password {
    my ($test_ref) = @_;

    # Build the input to the strength checking program.
    my $in = "principal: $test_ref->{principal}\n";
    $in .= "new-password: $test_ref->{password}\n";
    $in .= "end\n";

    # Find the newly-built password checking program.
    my $program = test_file_path('../external/heimdal-strength');

    # Run the password strength checker.
    my $out;
    my $err;
    run([$program, $test_ref->{principal}], \$in, \$out, \$err);
    my $status = ($? >> 8);
    chomp($out, $err);

    # Check the results.  If there is an error in the password, it should come
    # on standard error; otherwise, standard output should be APPROVED.  If
    # there is a non-zero exit status, we expect the error on standard error
    # and use that field to check for system errors.
    is($status, $test_ref->{status} || 0, "$test_ref->{name} (status)");
    if (defined($test_ref->{error})) {
        is($err, $test_ref->{error}, '...error message');
        is($out, q{}, '...no output');
    } else {
        is($err, q{},        '...no errors');
        is($out, "APPROVED", '...approved');
    }
    return;
}

# Create a new krb5.conf file that includes password dictionary configuration
# so that subsequent invocations of heimdal-strength can find the testing
# dictionary.
#
# Returns: Path to the new krb5.conf file
#  Throws: Text exception if the new krb5.conf file cannot be created
sub create_krb5_conf {
    my $old    = test_file_path('data/krb5.conf');
    my $tmpdir = $ENV{BUILD} ? "$ENV{BUILD}/tmp" : 'tests/tmp';
    my $new    = "$tmpdir/krb5.conf";

    # Create a temporary directory for the new file.
    if (!-d $tmpdir) {
        mkdir($tmpdir, 0777) or die "Cannot create $tmpdir: $!\n";
    }

    # Start with the testing krb5.conf file shipped in the package.
    copy($old, $new) or die "Cannot copy $old to $new: $!\n";

    # Append the local configuration.
    my $datadir = $ENV{BUILD} ? "$ENV{BUILD}/data" : 'tests/data';
    open(my $config, '>>', $new) or die "Cannot append to $new: $!\n";
    print {$config} <<"__END__"

[appdefaults]
    krb5-strength = {
        password_dictionary = $datadir/dictionary
    }
__END__
      or die "Cannot append to $new: $!\n";
    close($config) or die "Cannot append to $new: $!\n";

    # Return the path to the new file.
    return $new;
}

# Load a password test cases and return them as a list.
#
# $file - The path to the file containing the test data in JSON
#
# Returns: List of anonymous hashes representing password test cases
#  Throws: Text exception on failure to load the test data
sub load_password_tests {
    my ($file) = @_;

    # Load the test file data into memory.
    my $testdata = read_file($file);

    # Decode the JSON into Perl objects and return them.
    my $json = JSON->new->utf8;
    return $json->decode($testdata);
}

# Load the password tests from JSON.
my $tests = load_password_tests(test_file_path('data/cracklib.json'));

# We can now calculate our plan: three tests for each password test, with an
# extra set for testing behavior when password_dictionary is not configured.
plan(tests => (scalar(@{$tests}) + 1) * 3);

# Find our initial test krb5.conf file.
local $ENV{KRB5_CONFIG} = test_file_path('data/krb5.conf');

# Run a test with no Kerberos password dictionary configuration and check that
# we get the correct error message.
my $error = 'Cannot initialize strength checking: password_dictionary not'
  . ' configured in krb5.conf';
my $test = {
    name      => 'no dictionary configured',
    principal => 'test@EXAMPLE.COM',
    password  => 'password',
    status    => 1,
    error     => $error,
};
check_password($test);

# Install the krb5.conf file with a configuration pointing to the test
# dictionary.
local $ENV{KRB5_CONFIG} = create_krb5_conf();

# Run the password tests from JSON.
for my $test (@{$tests}) {
    check_password($test);
}

# Clean up our temporary krb5.conf file on any exit.
END {
    my $tmpdir = $ENV{BUILD} ? "$ENV{BUILD}/tmp" : 'tests/tmp';
    my $config = "$tmpdir/krb5.conf";
    if (-f $config) {
        unlink($config) or warn "Cannot remove $config\n";
        rmdir($tmpdir);
    }
}