Skip tests that require the stronger rule configuration in the
embedded CrackLib when built against system CrackLib. This avoids
test failures when built with system CrackLib.
copies of passwords before freeing memory. This reduces the lifetime
of passwords in memory.
copies of passwords before freeing memory. This reduces the lifetime
of passwords in memory.
+ Skip tests that require the stronger rule configuration in the
+ embedded CrackLib when built against system CrackLib. This avoids
+ test failures when built with system CrackLib.
+
Rework the check-valgrind target to use the new C TAP Harness valgrind
support and automatically check the valgrind log files for errors at
the end of the test suite.
Rework the check-valgrind target to use the new C TAP Harness valgrind
support and automatically check the valgrind log files for errors at
the end of the test suite.
AS_IF([test x"$rra_system_cracklib" = xyes],
[RRA_LIB_CRACKLIB_SWITCH
AC_CHECK_HEADERS([crack.h])
AS_IF([test x"$rra_system_cracklib" = xyes],
[RRA_LIB_CRACKLIB_SWITCH
AC_CHECK_HEADERS([crack.h])
- RRA_LIB_CRACKLIB_RESTORE])
+ RRA_LIB_CRACKLIB_RESTORE
+ AC_DEFINE([HAVE_SYSTEM_CRACKLIB], 1,
+ [Define if using the system CrackLib.])])
RRA_LIB_KRB5
RRA_LIB_KRB5_SWITCH
AC_CHECK_HEADERS([krb5/pwqual_plugin.h], [], [], [RRA_INCLUDES_KRB5])
RRA_LIB_KRB5
RRA_LIB_KRB5_SWITCH
AC_CHECK_HEADERS([krb5/pwqual_plugin.h], [], [], [RRA_INCLUDES_KRB5])
"principal": "test@EXAMPLE.ORG",
"password": "stanfordstanford",
"code": "KADM5_PASS_Q_GENERIC",
"principal": "test@EXAMPLE.ORG",
"password": "stanfordstanford",
"code": "KADM5_PASS_Q_GENERIC",
- "error": "it is based on a (duplicated) dictionary word"
+ "error": "it is based on a (duplicated) dictionary word",
+ "skip_for_system_cracklib": true
},
{
"name": "in dictionary (reversed)",
"principal": "test@EXAMPLE.ORG",
"password": "enabrettib",
"code": "KADM5_PASS_Q_GENERIC",
},
{
"name": "in dictionary (reversed)",
"principal": "test@EXAMPLE.ORG",
"password": "enabrettib",
"code": "KADM5_PASS_Q_GENERIC",
- "error": "it is based on a (reversed) dictionary word"
+ "error": "it is based on a (reversed) dictionary word",
+ "skip_for_system_cracklib": true
},
{
"name": "seven characters",
"principal": "test@EXAMPLE.ORG",
"password": "dfareas",
"code": "KADM5_PASS_Q_GENERIC",
},
{
"name": "seven characters",
"principal": "test@EXAMPLE.ORG",
"password": "dfareas",
"code": "KADM5_PASS_Q_GENERIC",
- "error": "it is too short"
+ "error": "it is too short",
+ "skip_for_system_cracklib": true
},
{
"name": "four characters",
},
{
"name": "four characters",
END_HEADER
# The list of attributes, in order, whose values go into the C struct.
END_HEADER
# The list of attributes, in order, whose values go into the C struct.
-Readonly my @ATTRIBUTES => qw(name principal password code error);
+Readonly my @ATTRIBUTES => qw(
+ name principal password code error skip_for_system_cracklib
+);
# A hash of attributes that should be put in the C struct as they literally
# appear in the JSON, rather than as strings. (In other words, attributes
# A hash of attributes that should be put in the C struct as they literally
# appear in the JSON, rather than as strings. (In other words, attributes
-# that are numbers or C constants.) Only the keys are of interest.
-Readonly my %IS_LITERAL_ATTRIBUTE => (code => 1);
+# that are numbers, booleans, or C constants.) Only the keys are of interest.
+Readonly my %IS_LITERAL_ATTRIBUTE => (
+ code => 1,
+ skip_for_system_cracklib => 1
+);
##############################################################################
# Functions
##############################################################################
# Functions
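Review bot: Listing `skip_for_system_cracklib` in `%IS_LITERAL_ATTRIBUTE` assumes the decoded value prints as valid C. A JSON `true` is no longer the literal text once it has been decoded, and test objects that omit the key decode to undef. The code that writes the struct initializers is outside this hunk, so this may already be handled. If it is not, normalise the value where it is emitted, for example `$value = $value ? 'true' : 'false';` for this attribute (variable name illustrative). The comment "as they literally appear in the JSON" could also say that for booleans only the truth value is carried over.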
const char *name;
const char *principal;
const char *password;
const char *name;
const char *principal;
const char *password;
+ bool skip_for_system_cracklib;
krb5_error_code code;
const char *error;
};
krb5_error_code code;
const char *error;
};
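Review bot: This struct listing places `bool skip_for_system_cracklib;` between `password` and `code`, whereas `@ATTRIBUTES` and the `struct password_test` definition in the header hunk further down both put it last, after `error`. The values appear to be written in `@ATTRIBUTES` order, so a reader who trusts this listing would expect a different member order than the one actually initialised. The surrounding text is outside the hunk, but this looks like documentation of the struct. Moving the added line below `const char *error;` would make the three places agree.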
* out by make-c-data. It's included by the test data files.
*
* Written by Russ Allbery <eagle@eyrie.org>
* out by make-c-data. It's included by the test data files.
*
* Written by Russ Allbery <eagle@eyrie.org>
+ * Copyright 2020 Russ Allbery <eagle@eyrie.org>
* Copyright 2013
* The Board of Trustees of the Leland Stanford Junior University
*
* Copyright 2013
* The Board of Trustees of the Leland Stanford Junior University
*
#include <config.h>
#include <portable/kadmin.h>
#include <portable/krb5.h>
#include <config.h>
#include <portable/kadmin.h>
#include <portable/krb5.h>
+#include <portable/stdbool.h>
struct password_test {
const char *name;
struct password_test {
const char *name;
const char *password;
krb5_error_code code;
const char *error;
const char *password;
krb5_error_code code;
const char *error;
+ bool skip_for_system_cracklib;
};
#endif /* !TESTS_DATA_PASSWORD_TESTS_H */
};
#endif /* !TESTS_DATA_PASSWORD_TESTS_H */
run_setup((const char **) setup_argv);
/* Now, run all of the tests. */
run_setup((const char **) setup_argv);
/* Now, run all of the tests. */
- for (i = 0; i < ARRAY_SIZE(cracklib_tests); i++)
+ for (i = 0; i < ARRAY_SIZE(cracklib_tests); i++) {
+# ifdef HAVE_SYSTEM_CRACKLIB
+ if (cracklib_tests[i].skip_for_system_cracklib) {
+ skip_block(2, "not built with embedded CrackLib");
+ continue;
+ }
+# endif
is_password_test(verifier, &cracklib_tests[i]);
is_password_test(verifier, &cracklib_tests[i]);
/*
* Add length restrictions and a maximum length for CrackLib. This should
/*
* Add length restrictions and a maximum length for CrackLib. This should
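Review bot: The skip stanza in this loop has no comment explaining why a CrackLib case is skipped, and the same is true of the loop after "Plugin initialization (krb5.conf dictionary)"; only the middle loop gained the explanatory block comment. A system-CrackLib build may accept the duplicated-word, reversed-word and seven-character passwords, so this is worth stating at each site, for example `/* System CrackLib has weaker rules and may accept these passwords; see skip_for_system_cracklib in the test data. */`. The hard-coded `2` in `skip_block(2, ...)` mirrors the `count * 2` used in the no-CrackLib branch. A shared named constant for the results per `is_password_test()` call would keep the three copies from drifting. The loop's closing brace lies outside the hunk.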
is_password_test(ctx, vtable, data, &principal_tests[i]);
# ifdef HAVE_CRACKLIB
is_password_test(ctx, vtable, data, &principal_tests[i]);
# ifdef HAVE_CRACKLIB
- /* Run the CrackLib tests if CrackLib is available, otherwise skip them. */
- for (i = 0; i < ARRAY_SIZE(cracklib_tests); i++)
+ /*
+ * Run the CrackLib tests if CrackLib is available, otherwise skip them.
+ * If built with the system CrackLib, skip tests that are marked as only
+ * working with the tougher rules of our embedded CrackLib.
+ */
+ for (i = 0; i < ARRAY_SIZE(cracklib_tests); i++) {
+# ifdef HAVE_SYSTEM_CRACKLIB
+ if (cracklib_tests[i].skip_for_system_cracklib) {
+ skip_block(2, "not built with embedded CrackLib");
+ continue;
+ }
+# endif
is_password_test(ctx, vtable, data, &cracklib_tests[i]);
is_password_test(ctx, vtable, data, &cracklib_tests[i]);
# else
count = ARRAY_SIZE(cracklib_tests);
skip_block(count * 2, "not built with CrackLib support");
# else
count = ARRAY_SIZE(cracklib_tests);
skip_block(count * 2, "not built with CrackLib support");
is_int(0, code, "Plugin initialization (krb5.conf dictionary)");
if (code != 0)
bail("cannot continue after plugin initialization failure");
is_int(0, code, "Plugin initialization (krb5.conf dictionary)");
if (code != 0)
bail("cannot continue after plugin initialization failure");
- for (i = 0; i < ARRAY_SIZE(cracklib_tests); i++)
+ for (i = 0; i < ARRAY_SIZE(cracklib_tests); i++) {
+# ifdef HAVE_SYSTEM_CRACKLIB
+ if (cracklib_tests[i].skip_for_system_cracklib) {
+ skip_block(2, "not built with embedded CrackLib");
+ continue;
+ }
+# endif
is_password_test(ctx, vtable, data, &cracklib_tests[i]);
is_password_test(ctx, vtable, data, &cracklib_tests[i]);
vtable->close(ctx, data);
/*
vtable->close(ctx, data);
/*
-# Load the password tests from JSON.
+# Load the password tests from JSON, removing the CrackLib tests that may fail
+# if we were built with the system CrackLib. We don't have an easy way of
+# knowing which CrackLib heimdal-strength was linked against, so we have to
+# ignore them unconditionally. The separate plugin tests will exercise that
+# code.
my %tests;
for my $type (qw(cdb classes cracklib length letter principal sqlite)) {
my $tests = load_password_tests("$type.json");
my %tests;
for my $type (qw(cdb classes cracklib length letter principal sqlite)) {
my $tests = load_password_tests("$type.json");
+ if ($type eq 'cracklib') {
+ my @tests = grep { !$_->{skip_for_system_cracklib} } @{$tests};
+ $tests = [@tests];
+ }
$tests{$type} = $tests;
}
$tests{$type} = $tests;
}
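Review bot: The filter inside the `cracklib` branch copies the list twice and introduces `@tests` alongside `$tests` and `%tests`, three different variables with the same name in one loop body. It can be a single assignment: `$tests = [grep { !$_->{skip_for_system_cracklib} } @{$tests}];`. The filter is unconditional, so these three cases are never run against heimdal-strength even when it is linked with the embedded CrackLib. The new comment says as much, and it would help to name the plugin test that covers them, so the gap is easy to audit.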