2 * Test for the MIT Kerberos shared module API.
4 * Written by Russ Allbery <rra@stanford.edu>
6 * The Board of Trustees of the Leland Stanford Junior University
8 * See LICENSE for licensing terms.
12 #include <portable/kadmin.h>
13 #include <portable/krb5.h>
14 #include <portable/system.h>
18 #ifdef HAVE_KRB5_PWQUAL_PLUGIN_H
19 # include <krb5/pwqual_plugin.h>
22 #include <tests/tap/basic.h>
23 #include <tests/tap/kerberos.h>
24 #include <tests/tap/process.h>
25 #include <tests/tap/string.h>
26 #include <util/macros.h>
29 * The password test data, generated from the JSON source. Defines an arrays
30 * named cdb_tests, cracklib_tests, and principal_tests.
32 #include <tests/data/passwords/cdb.c>
33 #include <tests/data/passwords/class.c>
34 #include <tests/data/passwords/cracklib.c>
35 #include <tests/data/passwords/length.c>
36 #include <tests/data/passwords/principal.c>
39 #ifndef HAVE_KRB5_PWQUAL_PLUGIN_H
41 * If we're not building with MIT Kerberos, we can't run this test and much of
42 * the test won't even compile. Replace this test with a small program that
43 * just calls skip_all.
48 skip_all("not built against MIT libraries");
54 /* The public symbol that we load and call to get the vtable. */
55 typedef krb5_error_code pwqual_strength_initvt(krb5_context, int, int,
60 * Loads the Heimdal password change plugin and tests that its metadata is
61 * correct. Returns a pointer to the kadm5_pw_policy_verifier struct or bails
62 * on failure to load the plugin.
64 static krb5_pwqual_vtable
65 load_plugin(krb5_context ctx)
70 krb5_pwqual_vtable vtable = NULL;
71 krb5_error_code (*init)(krb5_context, int, int, krb5_plugin_vtable);
73 /* Load the module. */
74 path = test_file_path("../plugin/.libs/strength.so");
76 bail("cannot find plugin");
77 handle = dlopen(path, RTLD_NOW);
79 bail("cannot dlopen %s: %s", path, dlerror());
80 test_file_path_free(path);
82 /* Find the entry point function. */
83 init = dlsym(handle, "pwqual_strength_initvt");
85 bail("cannot get pwqual_strength_initvt symbol: %s", dlerror());
87 /* Test for correct results when requesting the wrong API version. */
88 code = init(ctx, 2, 0, (krb5_plugin_vtable) vtable);
89 is_int(code, KRB5_PLUGIN_VER_NOTSUPP,
90 "Correct status for bad major API version");
92 /* Call that function properly to get the vtable. */
93 vtable = bmalloc(sizeof(*vtable));
94 code = init(ctx, 1, 1, (krb5_plugin_vtable) vtable);
96 bail_krb5(ctx, code, "cannot obtain module vtable");
98 /* Check that all of the vtable entries are present. */
99 if (vtable->open == NULL || vtable->check == NULL || vtable->close == NULL)
100 bail("missing function in module vtable");
102 /* Verify the metadata. */
103 is_string("krb5-strength", vtable->name, "Module name");
105 /* Return the vtable. */
111 * Given a Kerberos context, the dispatch table, the module data, and a test
112 * case, call out to the password strength checking module and check the
116 is_password_test(krb5_context ctx, const krb5_pwqual_vtable vtable,
117 krb5_pwqual_moddata data, const struct password_test *test)
119 krb5_principal princ;
120 krb5_error_code code;
123 /* Translate the principal into a krb5_principal. */
124 code = krb5_parse_name(ctx, test->principal, &princ);
126 bail_krb5(ctx, code, "cannot parse principal %s", test->principal);
128 /* Call the verifier. */
129 code = vtable->check(ctx, data, test->password, NULL, princ, NULL);
131 /* Check the results against the test data. */
132 is_int(test->code, code, "%s (status)", test->name);
134 is_string(test->error, NULL, "%s (error)", test->name);
136 error = krb5_get_error_message(ctx, code);
137 is_string(test->error, error, "%s (error)", test->name);
138 krb5_free_error_message(ctx, error);
141 /* Free the parsed principal. */
142 krb5_free_principal(ctx, princ);
149 char *path, *dictionary, *krb5_config, *krb5_config_empty, *tmpdir;
150 char *setup_argv[10];
154 krb5_pwqual_vtable vtable;
155 krb5_pwqual_moddata data;
156 krb5_error_code code;
159 * Calculate how many tests we have. There are two tests for the module
160 * metadata, five more tests for initializing the plugin, and two tests per
163 * We run all the CrackLib tests twice, once with an explicit dictionary
164 * path and once from krb5.conf configuration. We run the principal tests
165 * with both CrackLib and CDB configurations.
167 count = 2 * ARRAY_SIZE(cracklib_tests);
168 count += ARRAY_SIZE(cdb_tests);
169 count += ARRAY_SIZE(class_tests);
170 count += ARRAY_SIZE(length_tests);
171 count += 2 * ARRAY_SIZE(principal_tests);
172 plan(2 + 5 + count * 2);
174 /* Start with the krb5.conf that contains no dictionary configuration. */
175 path = test_file_path("data/krb5.conf");
177 bail("cannot find data/krb5.conf in the test suite");
178 basprintf(&krb5_config_empty, "KRB5_CONFIG=%s", path);
179 putenv(krb5_config_empty);
181 /* Obtain a Kerberos context with that krb5.conf file. */
182 code = krb5_init_context(&ctx);
184 bail_krb5(ctx, code, "cannot initialize Kerberos context");
186 /* Load the plugin. */
187 vtable = load_plugin(ctx);
189 /* Initialize the plugin with a CrackLib dictionary. */
190 build = getenv("BUILD");
192 bail("BUILD not set in the environment");
193 basprintf(&dictionary, "%s/data/dictionary", build);
194 code = vtable->open(ctx, dictionary, &data);
195 is_int(0, code, "Plugin initialization (explicit dictionary)");
197 bail("cannot continue after plugin initialization failure");
199 /* Now, run all of the tests, with principal tests. */
200 for (i = 0; i < ARRAY_SIZE(cracklib_tests); i++)
201 is_password_test(ctx, vtable, data, &cracklib_tests[i]);
202 for (i = 0; i < ARRAY_SIZE(principal_tests); i++)
203 is_password_test(ctx, vtable, data, &principal_tests[i]);
205 /* Close that initialization of the plugin and destroy that context. */
206 vtable->close(ctx, data);
207 krb5_free_context(ctx);
210 /* Set up our krb5.conf with the dictionary configuration. */
211 tmpdir = test_tmpdir();
212 setup_argv[0] = test_file_path("data/make-krb5-conf");
213 if (setup_argv[0] == NULL)
214 bail("cannot find data/make-krb5-conf in the test suite");
215 setup_argv[1] = path;
216 setup_argv[2] = tmpdir;
217 setup_argv[3] = (char *) "password_dictionary";
218 setup_argv[4] = dictionary;
219 setup_argv[5] = NULL;
220 run_setup((const char **) setup_argv);
222 /* Point KRB5_CONFIG at the newly-generated krb5.conf file. */
223 basprintf(&krb5_config, "KRB5_CONFIG=%s/krb5.conf", tmpdir);
225 free(krb5_config_empty);
227 /* Obtain a new Kerberos context with that krb5.conf file. */
228 krb5_free_context(ctx);
229 code = krb5_init_context(&ctx);
231 bail_krb5(ctx, code, "cannot initialize Kerberos context");
233 /* Run all of the tests again. No need to re-run principal tests. */
234 code = vtable->open(ctx, NULL, &data);
235 is_int(0, code, "Plugin initialization (krb5.conf dictionary)");
237 bail("cannot continue after plugin initialization failure");
238 for (i = 0; i < ARRAY_SIZE(cracklib_tests); i++)
239 is_password_test(ctx, vtable, data, &cracklib_tests[i]);
240 vtable->close(ctx, data);
242 /* Add character class configuration to krb5.conf. */
243 setup_argv[5] = (char *) "require_ascii_printable";
244 setup_argv[6] = (char *) "true";
245 setup_argv[7] = (char *) "require_non_letter";
246 setup_argv[8] = (char *) "true";
247 setup_argv[9] = NULL;
248 run_setup((const char **) setup_argv);
250 /* Obtain a new Kerberos context with that krb5.conf file. */
251 krb5_free_context(ctx);
252 code = krb5_init_context(&ctx);
254 bail_krb5(ctx, code, "cannot initialize Kerberos context");
256 /* Run all the character class tests. */
257 code = vtable->open(ctx, NULL, &data);
258 is_int(0, code, "Plugin initialization (character class)");
260 bail("cannot continue after plugin initialization failure");
261 for (i = 0; i < ARRAY_SIZE(class_tests); i++)
262 is_password_test(ctx, vtable, data, &class_tests[i]);
263 vtable->close(ctx, data);
266 * Add length restrictions and remove the dictionary. This should only do
267 * length checks without any dictionary checks.
269 setup_argv[3] = (char *) "minimum_length";
270 setup_argv[4] = (char *) "12";
271 setup_argv[5] = NULL;
272 run_setup((const char **) setup_argv);
274 /* Obtain a new Kerberos context with that krb5.conf file. */
275 krb5_free_context(ctx);
276 code = krb5_init_context(&ctx);
278 bail_krb5(ctx, code, "cannot initialize Kerberos context");
280 /* Run all of the length tests. */
281 code = vtable->open(ctx, NULL, &data);
282 is_int(0, code, "Plugin initialization (length)");
284 bail("cannot continue after plugin initialization failure");
285 for (i = 0; i < ARRAY_SIZE(length_tests); i++)
286 is_password_test(ctx, vtable, data, &length_tests[i]);
287 vtable->close(ctx, data);
291 /* If built with CDB, set up krb5.conf to use a CDB dictionary instead. */
293 dictionary = test_file_path("data/wordlist.cdb");
294 if (dictionary == NULL)
295 bail("cannot find data/wordlist.cdb in the test suite");
296 setup_argv[3] = (char *) "password_dictionary_cdb";
297 setup_argv[4] = dictionary;
298 setup_argv[5] = NULL;
299 run_setup((const char **) setup_argv);
300 test_file_path_free(setup_argv[0]);
301 test_file_path_free(path);
303 /* Obtain a new Kerberos context with that krb5.conf file. */
304 krb5_free_context(ctx);
305 code = krb5_init_context(&ctx);
307 bail_krb5(ctx, code, "cannot initialize Kerberos context");
309 /* Run the CDB and principal tests. */
310 code = vtable->open(ctx, NULL, &data);
311 is_int(0, code, "Plugin initialization (CDB dictionary)");
313 bail("cannot continue after plugin initialization failure");
314 for (i = 0; i < ARRAY_SIZE(cdb_tests); i++)
315 is_password_test(ctx, vtable, data, &cdb_tests[i]);
316 for (i = 0; i < ARRAY_SIZE(principal_tests); i++)
317 is_password_test(ctx, vtable, data, &principal_tests[i]);
318 vtable->close(ctx, data);
320 #else /* !HAVE_CDB */
322 /* Otherwise, mark the CDB tests as skipped. */
323 count = ARRAY_SIZE(cdb_tests) + ARRAY_SIZE(principal_tests);
324 skip_block(count * 2 + 1, "not built with CDB support");
326 #endif /* !HAVE_CDB */
328 /* Manually clean up after the results of make-krb5-conf. */
329 basprintf(&path, "%s/krb5.conf", tmpdir);
332 test_tmpdir_free(tmpdir);
334 /* Keep valgrind clean by freeing all memory. */
335 test_file_path_free(dictionary);
336 krb5_free_context(ctx);
338 putenv((char *) "KRB5_CONFIG=");
343 #endif /* HAVE_KRB5_PWQUAL_PLUGIN_H */