From: Russ Allbery Date: Sun, 17 May 2020 00:59:23 +0000 (-0700) Subject: Fix tests when built with system CrackLib X-Git-Tag: release/3.2~8 X-Git-Url: https://git.eyrie.org/?a=commitdiff_plain;h=068db18a1ee40f21a49a7331b231514ac209f09f;p=kerberos%2Fkrb5-strength.git Fix tests when built with system CrackLib Skip tests that require the stronger rule configuration in the embedded CrackLib when built against system CrackLib. This avoids test failures when built with system CrackLib. --- diff --git a/NEWS b/NEWS index bb06687..a57b84f 100644 --- a/NEWS +++ b/NEWS @@ -12,6 +12,10 @@ krb5-strength 3.2 (unreleased) copies of passwords before freeing memory. This reduces the lifetime of passwords in memory. + Skip tests that require the stronger rule configuration in the + embedded CrackLib when built against system CrackLib. This avoids + test failures when built with system CrackLib. + Rework the check-valgrind target to use the new C TAP Harness valgrind support and automatically check the valgrind log files for errors at the end of the test suite. diff --git a/configure.ac b/configure.ac index 955bc57..ced8dab 100644 --- a/configure.ac +++ b/configure.ac @@ -41,7 +41,9 @@ RRA_LIB_CRACKLIB AS_IF([test x"$rra_system_cracklib" = xyes], [RRA_LIB_CRACKLIB_SWITCH AC_CHECK_HEADERS([crack.h]) - RRA_LIB_CRACKLIB_RESTORE]) + RRA_LIB_CRACKLIB_RESTORE + AC_DEFINE([HAVE_SYSTEM_CRACKLIB], 1, + [Define if using the system CrackLib.])]) RRA_LIB_KRB5 RRA_LIB_KRB5_SWITCH AC_CHECK_HEADERS([krb5/pwqual_plugin.h], [], [], [RRA_INCLUDES_KRB5]) diff --git a/tests/data/passwords/cracklib.json b/tests/data/passwords/cracklib.json index 037a70f..c88a843 100644 --- a/tests/data/passwords/cracklib.json +++ b/tests/data/passwords/cracklib.json 
@@ -24,21 +24,24 @@ "principal": "test@EXAMPLE.ORG", "password": "stanfordstanford", "code": "KADM5_PASS_Q_GENERIC", - "error": "it is based on a (duplicated) dictionary word" + "error": "it is based on a (duplicated) dictionary word", + "skip_for_system_cracklib": true }, { "name": "in dictionary (reversed)", "principal": "test@EXAMPLE.ORG", "password": "enabrettib", "code": "KADM5_PASS_Q_GENERIC", - "error": "it is based on a (reversed) dictionary word" + "error": "it is based on a (reversed) dictionary word", + "skip_for_system_cracklib": true }, { "name": "seven characters", "principal": "test@EXAMPLE.ORG", "password": "dfareas", "code": "KADM5_PASS_Q_GENERIC", - "error": "it is too short" + "error": "it is too short", + "skip_for_system_cracklib": true }, { "name": "four characters", diff --git a/tests/data/passwords/make-c-data b/tests/data/passwords/make-c-data index 55a2733..d525c0a 100755 --- a/tests/data/passwords/make-c-data +++ b/tests/data/passwords/make-c-data @@ -46,12 +46,17 @@ Readonly my $HEADER => <<'END_HEADER'; END_HEADER # The list of attributes, in order, whose values go into the C struct. -Readonly my @ATTRIBUTES => qw(name principal password code error); +Readonly my @ATTRIBUTES => qw( + name principal password code error skip_for_system_cracklib +); # A hash of attributes that should be put in the C struct as they literally # appear in the JSON, rather than as strings. (In other words, attributes -# that are numbers or C constants.) Only the keys are of interest. -Readonly my %IS_LITERAL_ATTRIBUTE => (code => 1); +# that are numbers, booleans, or C constants.) Only the keys are of interest. +Readonly my %IS_LITERAL_ATTRIBUTE => ( + code => 1, + skip_for_system_cracklib => 1 +); ############################################################################## # Functions 
@@ -181,6 +186,7 @@ struct is expected to have the following definition: const char *name; const char *principal; const char *password; + bool skip_for_system_cracklib; krb5_error_code code; const char *error; }; diff --git a/tests/data/passwords/tests.h b/tests/data/passwords/tests.h index b42bf37..f1ce2f9 100644 --- a/tests/data/passwords/tests.h +++ b/tests/data/passwords/tests.h @@ -5,6 +5,7 @@ * out by make-c-data. It's included by the test data files. * * Written by Russ Allbery + * Copyright 2020 Russ Allbery * Copyright 2013 * The Board of Trustees of the Leland Stanford Junior University * @@ -17,6 +18,7 @@ #include #include #include +#include struct password_test { const char *name; @@ -24,6 +26,7 @@ struct password_test { const char *password; krb5_error_code code; const char *error; + bool skip_for_system_cracklib; }; #endif /* !TESTS_DATA_PASSWORD_TESTS_H */ diff --git a/tests/plugin/heimdal-t.c b/tests/plugin/heimdal-t.c index fbabb6b..0c0afa5 100644 --- a/tests/plugin/heimdal-t.c +++ b/tests/plugin/heimdal-t.c @@ -196,8 +196,15 @@ main(void) run_setup((const char **) setup_argv); /* Now, run all of the tests. */ - for (i = 0; i < ARRAY_SIZE(cracklib_tests); i++) + for (i = 0; i < ARRAY_SIZE(cracklib_tests); i++) { +# ifdef HAVE_SYSTEM_CRACKLIB + if (cracklib_tests[i].skip_for_system_cracklib) { + skip_block(2, "not built with embedded CrackLib"); + continue; + } +# endif is_password_test(verifier, &cracklib_tests[i]); + } /* * Add length restrictions and a maximum length for CrackLib. This should diff --git a/tests/plugin/mit-t.c b/tests/plugin/mit-t.c index ebf885b..7abc5d8 100644 --- a/tests/plugin/mit-t.c +++ b/tests/plugin/mit-t.c 
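Review bot: The struct documented in the POD at `@@ -181,6 +186,7 @@` places `bool skip_for_system_cracklib;` between `password` and `code`, but `@ATTRIBUTES` in the earlier make-c-data hunk and `struct password_test` in tests/data/passwords/tests.h both put it last, after `error`. The comment on `@ATTRIBUTES` says the values go into the C struct "in order", so the generated initializers are presumably positional. A struct declared from the documented layout would then receive the boolean and the error code in each other's slots. Move the documented member to the end so the POD reads `const char *error;` followed by `bool skip_for_system_cracklib;`. The POD section begins and ends outside this hunk.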
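Review bot: The `skip_block(2, "not built with embedded CrackLib")` guard added to the loop in main() hard-codes how many checks `is_password_test` performs, and the same five lines are repeated in both CrackLib loops of tests/plugin/mit-t.c. The existing `skip_block(count * 2, ...)` in mit-t.c suggests two checks per entry, so if that count changes the plan will be wrong in three places on system-CrackLib builds only, where it is least likely to be noticed. A comment above the call such as `/* is_password_test runs two checks per entry. */`, or a shared constant for the per-entry count, would make the dependency explicit. This loop also lacks the explanation that the first mit-t.c loop carries for why the entries are skipped. main() starts and ends outside the hunk.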
@@ -207,9 +207,20 @@ main(void) is_password_test(ctx, vtable, data, &principal_tests[i]); # ifdef HAVE_CRACKLIB - /* Run the CrackLib tests if CrackLib is available, otherwise skip them. */ - for (i = 0; i < ARRAY_SIZE(cracklib_tests); i++) + /* + * Run the CrackLib tests if CrackLib is available, otherwise skip them. + * If built with the system CrackLib, skip tests that are marked as only + * working with the tougher rules of our embedded CrackLib. + */ + for (i = 0; i < ARRAY_SIZE(cracklib_tests); i++) { +# ifdef HAVE_SYSTEM_CRACKLIB + if (cracklib_tests[i].skip_for_system_cracklib) { + skip_block(2, "not built with embedded CrackLib"); + continue; + } +# endif is_password_test(ctx, vtable, data, &cracklib_tests[i]); + } # else count = ARRAY_SIZE(cracklib_tests); skip_block(count * 2, "not built with CrackLib support"); @@ -253,8 +264,15 @@ main(void) is_int(0, code, "Plugin initialization (krb5.conf dictionary)"); if (code != 0) bail("cannot continue after plugin initialization failure"); - for (i = 0; i < ARRAY_SIZE(cracklib_tests); i++) + for (i = 0; i < ARRAY_SIZE(cracklib_tests); i++) { +# ifdef HAVE_SYSTEM_CRACKLIB + if (cracklib_tests[i].skip_for_system_cracklib) { + skip_block(2, "not built with embedded CrackLib"); + continue; + } +# endif is_password_test(ctx, vtable, data, &cracklib_tests[i]); + } vtable->close(ctx, data); /* diff --git a/tests/tools/heimdal-strength-t b/tests/tools/heimdal-strength-t index 21f9430..5e7b1cb 100755 --- a/tests/tools/heimdal-strength-t +++ b/tests/tools/heimdal-strength-t 
@@ -296,10 +296,18 @@ sub test_require_classes_syntax { return; } -# Load the password tests from JSON. +# Load the password tests from JSON, removing the CrackLib tests that may fail +# if we were built with the system CrackLib. We don't have an easy way of +# knowing which CrackLib heimdal-strength was linked against, so we have to +# ignore them unconditionally. The separate plugin tests will exercise that +# code. my %tests; for my $type (qw(cdb classes cracklib length letter principal sqlite)) { my $tests = load_password_tests("$type.json"); + if ($type eq 'cracklib') { + my @tests = grep { !$_->{skip_for_system_cracklib} } @{$tests}; + $tests = [@tests]; + } $tests{$type} = $tests; }
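Review bot: The `grep` in the `cracklib` branch removes the flagged entries before any test runs, so the TAP output gives no sign that the duplicated-word, reversed-word and seven-character cases were omitted. This also applies on builds with the embedded CrackLib, where those rules are enforced. Recording the omission keeps that coverage gap visible in the test log: keep the filtered list as `my @kept = grep { !$_->{skip_for_system_cracklib} } @{$tests};` and report the difference, for example `note((@{$tests} - @kept) . ' CrackLib tests omitted (need embedded CrackLib rules)');`, assuming the script uses Test::More, which this hunk does not show. Renaming the temporary also avoids having `@tests`, `$tests` and `%tests` in the same few lines.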