samba-mirror

mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

283 lines

11 KiB

Python

Raw Normal View History

auth log tests: password change tests Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> 2017-03-20 23:59:45 +03:00			`# Unix SMB/CIFS implementation.`
			`# Copyright (C) Andrew Bartlett <abartlet@samba.org> 2017`
			`#`
			`# This program is free software; you can redistribute it and/or modify`
			`# it under the terms of the GNU General Public License as published by`
			`# the Free Software Foundation; either version 3 of the License, or`
			`# (at your option) any later version.`
			`#`
			`# This program is distributed in the hope that it will be useful,`
			`# but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`# GNU General Public License for more details.`
			`#`
			`# You should have received a copy of the GNU General Public License`
			`# along with this program. If not, see <http://www.gnu.org/licenses/>.`
			`#`

			`"""Tests for the Auth and AuthZ logging of password changes.`
			`"""`

			`import samba.tests`
			`from samba.samdb import SamDB`
			`from samba.auth import system_session`
			`import os`
			`import samba.tests.auth_log_base`
			`from samba.tests import delete_force`
			`from samba.net import Net`
			`import samba`
dsdb: Add authentication audit logging for LDAP password change This ensures this particular vector is not forgotten Signed-off-by: Andrew Bartlett <abartlet@samba.org> 2017-03-17 05:58:17 +03:00			`from ldb import LdbError`
tests: Split out setUp code into separate function for reuse Any test that wants to change a password has to set the dSHeuristics and minPwdAge first in order for the password change to work. The code that does this is duplicated in several tests. This patch splits it out into a static method so that the code can be reused rather than duplicated. Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Tim Beale <timbeale@catalyst.net.nz> 2018-05-11 02:03:03 +03:00			`from samba.tests.password_test import PasswordCommon`
auth log: Add windows event codes Add a new "eventId" element to the Authorisation JSON log messages. This contains a Windows Event Code Id either: 4624 Successful logon 4625 Unsuccessful logon Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 2018-12-13 00:20:28 +03:00			`from samba.dcerpc.windows_event_ids import (`
			`EVT_ID_SUCCESSFUL_LOGON,`
auth log: Add windows logon type codes Add a new "logonType" element to the Authorisation JSON log messages. This contains a Windows Logon Type, the supported logon types are: 2 Interactive 3 Network 8 NetworkCleartext Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 2018-12-13 04:46:31 +03:00			`EVT_ID_UNSUCCESSFUL_LOGON,`
			`EVT_LOGON_NETWORK`
auth log: Add windows event codes Add a new "eventId" element to the Authorisation JSON log messages. This contains a Windows Event Code Id either: 4624 Successful logon 4625 Unsuccessful logon Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 2018-12-13 00:20:28 +03:00			`)`
auth log tests: password change tests Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> 2017-03-20 23:59:45 +03:00
			`USER_NAME = "authlogtestuser"`
auth logging tests: Clean up flake8 warnings Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 2018-04-30 01:35:25 +03:00			`USER_PASS = samba.generate_random_password(32, 32)`

auth log tests: password change tests Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> 2017-03-20 23:59:45 +03:00
			`class AuthLogPassChangeTests(samba.tests.auth_log_base.AuthLogTestBase):`

			`def setUp(self):`
python: tests: update all super calls to python 3 style in tests Signed-off-by: Rob van der Linde <rob@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> [abartlet@samba.org Some python2 style super() calls remain due to being an actual, even if reasonable, behaviour change] 2023-11-28 06:38:22 +03:00			`super().setUp()`
auth log tests: password change tests Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> 2017-03-20 23:59:45 +03:00
			`self.server_ip = os.environ["SERVER_IP"]`

			`host = "ldap://%s" % os.environ["SERVER"]`
			`self.ldb = SamDB(url=host,`
			`session_info=system_session(),`
			`credentials=self.get_credentials(),`
			`lp=self.get_loadparm())`

tests: Split out setUp code into separate function for reuse Any test that wants to change a password has to set the dSHeuristics and minPwdAge first in order for the password change to work. The code that does this is duplicated in several tests. This patch splits it out into a static method so that the code can be reused rather than duplicated. Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Tim Beale <timbeale@catalyst.net.nz> 2018-05-11 02:03:03 +03:00			`# permit password changes during this test`
			`PasswordCommon.allow_password_changes(self, self.ldb)`
auth log tests: password change tests Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> 2017-03-20 23:59:45 +03:00
			`self.base_dn = self.ldb.domain_dn()`

			`# (Re)adds the test user USER_NAME with password USER_PASS`
			`delete_force(self.ldb, "cn=" + USER_NAME + ",cn=users," + self.base_dn)`
			`self.ldb.add({`
auth logging tests: Clean up flake8 warnings Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 2018-04-30 01:35:25 +03:00			`"dn": "cn=" + USER_NAME + ",cn=users," + self.base_dn,`
			`"objectclass": "user",`
			`"sAMAccountName": USER_NAME,`
			`"userPassword": USER_PASS`
whitespace: auth_log_pass_change.py python conventions Signed-off-by: Garming Sam <garming@catalyst.net.nz> 2017-03-24 03:52:58 +03:00			`})`
auth log tests: password change tests Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> 2017-03-20 23:59:45 +03:00
			`# discard any auth log messages for the password setup`
tests/auth_log: Call discardMessages() on class This makes it clearer that discardMessages() operates on the class. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 2023-05-25 03:16:32 +03:00			`type(self).discardMessages()`
python/samba/tests: fix samba.tests.auth_log_pass_change for later gnutls later gnutls that support GNUTLS_PBKDF2 currently fail, we need to conditionally switch test data to reflect use of 'samr_ChangePasswordUser3' or 'samr_ChangePasswordUser4' depending on whether GNUTLS_PBKDF2 is supported or not Signed-off-by: Noel Power <noel.power@suse.com> Reviewed-by: Andreas Schneider <asn@samba.org> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Tue Oct 25 10:30:59 UTC 2022 on sn-devel-184 2022-10-21 19:14:44 +03:00
			`def _authDescription(self):`
crypto: Rely on GnuTLS 3.6.13 and gnutls_pbkdf2() This removes a lot of inline #ifdef and means this feature is always tested. We can do this as we have chosen GnuTLS 3.6.13 as the new minimum version. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> 2022-10-26 23:57:06 +03:00			`return "samr_ChangePasswordUser4"`
auth log tests: password change tests Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> 2017-03-20 23:59:45 +03:00
			`def test_admin_change_password(self):`
whitespace: auth_log_pass_change.py python conventions Signed-off-by: Garming Sam <garming@catalyst.net.nz> 2017-03-24 03:52:58 +03:00			`def isLastExpectedMessage(msg):`
auth logging tests: Clean up flake8 warnings Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 2018-04-30 01:35:25 +03:00			`return ((msg["type"] == "Authentication") and`
			`(msg["Authentication"]["status"] == "NT_STATUS_OK") and`
			`(msg["Authentication"]["serviceDescription"] ==`
			`"SAMR Password Change") and`
			`(msg["Authentication"]["authDescription"] ==`
python/samba/tests: fix samba.tests.auth_log_pass_change for later gnutls later gnutls that support GNUTLS_PBKDF2 currently fail, we need to conditionally switch test data to reflect use of 'samr_ChangePasswordUser3' or 'samr_ChangePasswordUser4' depending on whether GNUTLS_PBKDF2 is supported or not Signed-off-by: Noel Power <noel.power@suse.com> Reviewed-by: Andreas Schneider <asn@samba.org> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Tue Oct 25 10:30:59 UTC 2022 on sn-devel-184 2022-10-21 19:14:44 +03:00			`self._authDescription()) and`
auth log: Add windows event codes Add a new "eventId" element to the Authorisation JSON log messages. This contains a Windows Event Code Id either: 4624 Successful logon 4625 Unsuccessful logon Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 2018-12-13 00:20:28 +03:00			`(msg["Authentication"]["eventId"] ==`
auth log: Add windows logon type codes Add a new "logonType" element to the Authorisation JSON log messages. This contains a Windows Logon Type, the supported logon types are: 2 Interactive 3 Network 8 NetworkCleartext Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 2018-12-13 04:46:31 +03:00			`EVT_ID_SUCCESSFUL_LOGON) and`
			`(msg["Authentication"]["logonType"] ==`
			`EVT_LOGON_NETWORK))`
auth log tests: password change tests Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> 2017-03-20 23:59:45 +03:00
auth logging tests: Clean up flake8 warnings Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 2018-04-30 01:35:25 +03:00			`creds = self.insta_creds(template=self.get_credentials())`
auth log tests: password change tests Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> 2017-03-20 23:59:45 +03:00
			`lp = self.get_loadparm()`
			`net = Net(creds, lp, server=self.server_ip)`
			`password = "newPassword!!42"`

PY3: net.change_password & net.set_password take string not bytes Signed-off-by: Noel Power <noel.power@suse.com> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 2018-11-28 17:06:54 +03:00			`net.change_password(newpassword=password,`
whitespace: auth_log_pass_change.py python conventions Signed-off-by: Garming Sam <garming@catalyst.net.nz> 2017-03-24 03:52:58 +03:00			`username=USER_NAME,`
			`oldpassword=USER_PASS)`
tests/auto_log_pass_change.py: only care about the last expected message other than exact messages count The messages count could be different because of racing condition. And we should only care about the last expected one. Signed-off-by: Joe Guo <joeg@catalyst.net.nz> Reviewed-by: Andrew Bartlett abartlet@samba.org Reviewed-by: Noel Power npower@samba.org 2019-03-07 06:10:27 +03:00			`self.assertTrue(self.waitForMessages(isLastExpectedMessage),`
			`"Did not receive the expected message")`
auth log tests: password change tests Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> 2017-03-20 23:59:45 +03:00
			`def test_admin_change_password_new_password_fails_restriction(self):`
whitespace: auth_log_pass_change.py python conventions Signed-off-by: Garming Sam <garming@catalyst.net.nz> 2017-03-24 03:52:58 +03:00			`def isLastExpectedMessage(msg):`
auth logging tests: Clean up flake8 warnings Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 2018-04-30 01:35:25 +03:00			`return ((msg["type"] == "Authentication") and`
			`(msg["Authentication"]["status"] ==`
			`"NT_STATUS_PASSWORD_RESTRICTION") and`
			`(msg["Authentication"]["serviceDescription"] ==`
			`"SAMR Password Change") and`
			`(msg["Authentication"]["authDescription"] ==`
python/samba/tests: fix samba.tests.auth_log_pass_change for later gnutls later gnutls that support GNUTLS_PBKDF2 currently fail, we need to conditionally switch test data to reflect use of 'samr_ChangePasswordUser3' or 'samr_ChangePasswordUser4' depending on whether GNUTLS_PBKDF2 is supported or not Signed-off-by: Noel Power <noel.power@suse.com> Reviewed-by: Andreas Schneider <asn@samba.org> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Tue Oct 25 10:30:59 UTC 2022 on sn-devel-184 2022-10-21 19:14:44 +03:00			`self._authDescription()) and`
auth log: Add windows event codes Add a new "eventId" element to the Authorisation JSON log messages. This contains a Windows Event Code Id either: 4624 Successful logon 4625 Unsuccessful logon Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 2018-12-13 00:20:28 +03:00			`(msg["Authentication"]["eventId"] ==`
auth log: Add windows logon type codes Add a new "logonType" element to the Authorisation JSON log messages. This contains a Windows Logon Type, the supported logon types are: 2 Interactive 3 Network 8 NetworkCleartext Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 2018-12-13 04:46:31 +03:00			`EVT_ID_UNSUCCESSFUL_LOGON) and`
			`(msg["Authentication"]["logonType"] ==`
			`EVT_LOGON_NETWORK))`
auth log tests: password change tests Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> 2017-03-20 23:59:45 +03:00
			`creds = self.insta_creds(template=self.get_credentials())`

			`lp = self.get_loadparm()`
			`net = Net(creds, lp, server=self.server_ip)`
			`password = "newPassword"`

			`exception_thrown = False`
			`try:`
PY3: net.change_password & net.set_password take string not bytes Signed-off-by: Noel Power <noel.power@suse.com> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 2018-11-28 17:06:54 +03:00			`net.change_password(newpassword=password,`
whitespace: auth_log_pass_change.py python conventions Signed-off-by: Garming Sam <garming@catalyst.net.nz> 2017-03-24 03:52:58 +03:00			`oldpassword=USER_PASS,`
			`username=USER_NAME)`
auth logging tests: Clean up flake8 warnings Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 2018-04-30 01:35:25 +03:00			`except Exception:`
auth log tests: password change tests Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> 2017-03-20 23:59:45 +03:00			`exception_thrown = True`
pytests: heed assertEquals deprecation warning en-masse TestCase.assertEquals() is an alias for TestCase.assertEqual() and has been deprecated since Python 2.7. When we run our tests with in python developer mode (`PYTHONDEVMODE=1 make test`) we get 580 DeprecationWarnings about this. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Noel Power <npower@samba.org> 2020-02-07 01:02:38 +03:00			`self.assertEqual(True, exception_thrown,`
auth log tests: password change tests Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> 2017-03-20 23:59:45 +03:00			`"Expected exception not thrown")`
tests/auto_log_pass_change.py: only care about the last expected message other than exact messages count The messages count could be different because of racing condition. And we should only care about the last expected one. Signed-off-by: Joe Guo <joeg@catalyst.net.nz> Reviewed-by: Andrew Bartlett abartlet@samba.org Reviewed-by: Noel Power npower@samba.org 2019-03-07 06:10:27 +03:00			`self.assertTrue(self.waitForMessages(isLastExpectedMessage),`
			`"Did not receive the expected message")`
auth log tests: password change tests Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> 2017-03-20 23:59:45 +03:00
			`def test_admin_change_password_unknown_user(self):`
whitespace: auth_log_pass_change.py python conventions Signed-off-by: Garming Sam <garming@catalyst.net.nz> 2017-03-24 03:52:58 +03:00			`def isLastExpectedMessage(msg):`
auth logging tests: Clean up flake8 warnings Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 2018-04-30 01:35:25 +03:00			`return ((msg["type"] == "Authentication") and`
			`(msg["Authentication"]["status"] ==`
			`"NT_STATUS_NO_SUCH_USER") and`
			`(msg["Authentication"]["serviceDescription"] ==`
			`"SAMR Password Change") and`
			`(msg["Authentication"]["authDescription"] ==`
python/samba/tests: fix samba.tests.auth_log_pass_change for later gnutls later gnutls that support GNUTLS_PBKDF2 currently fail, we need to conditionally switch test data to reflect use of 'samr_ChangePasswordUser3' or 'samr_ChangePasswordUser4' depending on whether GNUTLS_PBKDF2 is supported or not Signed-off-by: Noel Power <noel.power@suse.com> Reviewed-by: Andreas Schneider <asn@samba.org> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Tue Oct 25 10:30:59 UTC 2022 on sn-devel-184 2022-10-21 19:14:44 +03:00			`self._authDescription()) and`
auth log: Add windows event codes Add a new "eventId" element to the Authorisation JSON log messages. This contains a Windows Event Code Id either: 4624 Successful logon 4625 Unsuccessful logon Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 2018-12-13 00:20:28 +03:00			`(msg["Authentication"]["eventId"] ==`
auth log: Add windows logon type codes Add a new "logonType" element to the Authorisation JSON log messages. This contains a Windows Logon Type, the supported logon types are: 2 Interactive 3 Network 8 NetworkCleartext Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 2018-12-13 04:46:31 +03:00			`EVT_ID_UNSUCCESSFUL_LOGON) and`
			`(msg["Authentication"]["logonType"] ==`
			`EVT_LOGON_NETWORK))`
auth log tests: password change tests Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> 2017-03-20 23:59:45 +03:00
			`creds = self.insta_creds(template=self.get_credentials())`

			`lp = self.get_loadparm()`
			`net = Net(creds, lp, server=self.server_ip)`
			`password = "newPassword!!42"`

			`exception_thrown = False`
			`try:`
PY3: net.change_password & net.set_password take string not bytes Signed-off-by: Noel Power <noel.power@suse.com> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 2018-11-28 17:06:54 +03:00			`net.change_password(newpassword=password,`
whitespace: auth_log_pass_change.py python conventions Signed-off-by: Garming Sam <garming@catalyst.net.nz> 2017-03-24 03:52:58 +03:00			`oldpassword=USER_PASS,`
			`username="badUser")`
auth logging tests: Clean up flake8 warnings Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 2018-04-30 01:35:25 +03:00			`except Exception:`
auth log tests: password change tests Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> 2017-03-20 23:59:45 +03:00			`exception_thrown = True`
pytests: heed assertEquals deprecation warning en-masse TestCase.assertEquals() is an alias for TestCase.assertEqual() and has been deprecated since Python 2.7. When we run our tests with in python developer mode (`PYTHONDEVMODE=1 make test`) we get 580 DeprecationWarnings about this. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Noel Power <npower@samba.org> 2020-02-07 01:02:38 +03:00			`self.assertEqual(True, exception_thrown,`
auth log tests: password change tests Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> 2017-03-20 23:59:45 +03:00			`"Expected exception not thrown")`

tests/auto_log_pass_change.py: only care about the last expected message other than exact messages count The messages count could be different because of racing condition. And we should only care about the last expected one. Signed-off-by: Joe Guo <joeg@catalyst.net.nz> Reviewed-by: Andrew Bartlett abartlet@samba.org Reviewed-by: Noel Power npower@samba.org 2019-03-07 06:10:27 +03:00			`self.assertTrue(self.waitForMessages(isLastExpectedMessage),`
			`"Did not receive the expected message")`
auth log tests: password change tests Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> 2017-03-20 23:59:45 +03:00
			`def test_admin_change_password_bad_original_password(self):`
whitespace: auth_log_pass_change.py python conventions Signed-off-by: Garming Sam <garming@catalyst.net.nz> 2017-03-24 03:52:58 +03:00			`def isLastExpectedMessage(msg):`
auth logging tests: Clean up flake8 warnings Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 2018-04-30 01:35:25 +03:00			`return ((msg["type"] == "Authentication") and`
			`(msg["Authentication"]["status"] ==`
			`"NT_STATUS_WRONG_PASSWORD") and`
			`(msg["Authentication"]["serviceDescription"] ==`
			`"SAMR Password Change") and`
			`(msg["Authentication"]["authDescription"] ==`
python/samba/tests: fix samba.tests.auth_log_pass_change for later gnutls later gnutls that support GNUTLS_PBKDF2 currently fail, we need to conditionally switch test data to reflect use of 'samr_ChangePasswordUser3' or 'samr_ChangePasswordUser4' depending on whether GNUTLS_PBKDF2 is supported or not Signed-off-by: Noel Power <noel.power@suse.com> Reviewed-by: Andreas Schneider <asn@samba.org> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Tue Oct 25 10:30:59 UTC 2022 on sn-devel-184 2022-10-21 19:14:44 +03:00			`self._authDescription()) and`
auth log: Add windows event codes Add a new "eventId" element to the Authorisation JSON log messages. This contains a Windows Event Code Id either: 4624 Successful logon 4625 Unsuccessful logon Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 2018-12-13 00:20:28 +03:00			`(msg["Authentication"]["eventId"] ==`
auth log: Add windows logon type codes Add a new "logonType" element to the Authorisation JSON log messages. This contains a Windows Logon Type, the supported logon types are: 2 Interactive 3 Network 8 NetworkCleartext Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 2018-12-13 04:46:31 +03:00			`EVT_ID_UNSUCCESSFUL_LOGON) and`
			`(msg["Authentication"]["logonType"] ==`
			`EVT_LOGON_NETWORK))`
auth log tests: password change tests Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> 2017-03-20 23:59:45 +03:00
			`creds = self.insta_creds(template=self.get_credentials())`

			`lp = self.get_loadparm()`
			`net = Net(creds, lp, server=self.server_ip)`
			`password = "newPassword!!42"`

			`exception_thrown = False`
			`try:`
PY3: net.change_password & net.set_password take string not bytes Signed-off-by: Noel Power <noel.power@suse.com> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 2018-11-28 17:06:54 +03:00			`net.change_password(newpassword=password,`
whitespace: auth_log_pass_change.py python conventions Signed-off-by: Garming Sam <garming@catalyst.net.nz> 2017-03-24 03:52:58 +03:00			`oldpassword="badPassword",`
			`username=USER_NAME)`
auth logging tests: Clean up flake8 warnings Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 2018-04-30 01:35:25 +03:00			`except Exception:`
auth log tests: password change tests Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> 2017-03-20 23:59:45 +03:00			`exception_thrown = True`
pytests: heed assertEquals deprecation warning en-masse TestCase.assertEquals() is an alias for TestCase.assertEqual() and has been deprecated since Python 2.7. When we run our tests with in python developer mode (`PYTHONDEVMODE=1 make test`) we get 580 DeprecationWarnings about this. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Noel Power <npower@samba.org> 2020-02-07 01:02:38 +03:00			`self.assertEqual(True, exception_thrown,`
auth log tests: password change tests Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> 2017-03-20 23:59:45 +03:00			`"Expected exception not thrown")`

tests/auto_log_pass_change.py: only care about the last expected message other than exact messages count The messages count could be different because of racing condition. And we should only care about the last expected one. Signed-off-by: Joe Guo <joeg@catalyst.net.nz> Reviewed-by: Andrew Bartlett abartlet@samba.org Reviewed-by: Noel Power npower@samba.org 2019-03-07 06:10:27 +03:00			`self.assertTrue(self.waitForMessages(isLastExpectedMessage),`
			`"Did not receive the expected message")`
auth log tests: password change tests Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> 2017-03-20 23:59:45 +03:00
dsdb: Add authentication audit logging for LDAP password change This ensures this particular vector is not forgotten Signed-off-by: Andrew Bartlett <abartlet@samba.org> 2017-03-17 05:58:17 +03:00			`def test_ldap_change_password(self):`
whitespace: auth_log_pass_change.py python conventions Signed-off-by: Garming Sam <garming@catalyst.net.nz> 2017-03-24 03:52:58 +03:00			`def isLastExpectedMessage(msg):`
auth logging tests: Clean up flake8 warnings Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 2018-04-30 01:35:25 +03:00			`return ((msg["type"] == "Authentication") and`
			`(msg["Authentication"]["status"] == "NT_STATUS_OK") and`
			`(msg["Authentication"]["serviceDescription"] ==`
			`"LDAP Password Change") and`
			`(msg["Authentication"]["authDescription"] ==`
auth log: Add windows event codes Add a new "eventId" element to the Authorisation JSON log messages. This contains a Windows Event Code Id either: 4624 Successful logon 4625 Unsuccessful logon Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 2018-12-13 00:20:28 +03:00			`"LDAP Modify") and`
			`(msg["Authentication"]["eventId"] ==`
auth log: Add windows logon type codes Add a new "logonType" element to the Authorisation JSON log messages. This contains a Windows Logon Type, the supported logon types are: 2 Interactive 3 Network 8 NetworkCleartext Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 2018-12-13 04:46:31 +03:00			`EVT_ID_SUCCESSFUL_LOGON) and`
			`(msg["Authentication"]["logonType"] ==`
			`EVT_LOGON_NETWORK))`
auth logging tests: Clean up flake8 warnings Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 2018-04-30 01:35:25 +03:00
			`new_password = samba.generate_random_password(32, 32)`
dsdb: Add authentication audit logging for LDAP password change This ensures this particular vector is not forgotten Signed-off-by: Andrew Bartlett <abartlet@samba.org> 2017-03-17 05:58:17 +03:00			`self.ldb.modify_ldif(`
			`"dn: cn=" + USER_NAME + ",cn=users," + self.base_dn + "\n" +`
			`"changetype: modify\n" +`
			`"delete: userPassword\n" +`
			`"userPassword: " + USER_PASS + "\n" +`
			`"add: userPassword\n" +`
auth logging tests: Clean up flake8 warnings Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 2018-04-30 01:35:25 +03:00			`"userPassword: " + new_password + "\n")`
dsdb: Add authentication audit logging for LDAP password change This ensures this particular vector is not forgotten Signed-off-by: Andrew Bartlett <abartlet@samba.org> 2017-03-17 05:58:17 +03:00
tests/auto_log_pass_change.py: only care about the last expected message other than exact messages count The messages count could be different because of racing condition. And we should only care about the last expected one. Signed-off-by: Joe Guo <joeg@catalyst.net.nz> Reviewed-by: Andrew Bartlett abartlet@samba.org Reviewed-by: Noel Power npower@samba.org 2019-03-07 06:10:27 +03:00			`self.assertTrue(self.waitForMessages(isLastExpectedMessage),`
			`"Did not receive the expected message")`
dsdb: Add authentication audit logging for LDAP password change This ensures this particular vector is not forgotten Signed-off-by: Andrew Bartlett <abartlet@samba.org> 2017-03-17 05:58:17 +03:00
			`#`
tests/auth_log: Expect no messages when changing a non-existent user’s password These log messages come from setUp(), and the fact that we are getting them is merely a side-effect of the unreliability of discardMessages(). Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 2023-05-26 07:00:50 +03:00			`# Currently this does not get logged, so we expect to see no messages.`
dsdb: Add authentication audit logging for LDAP password change This ensures this particular vector is not forgotten Signed-off-by: Andrew Bartlett <abartlet@samba.org> 2017-03-17 05:58:17 +03:00			`#`
			`def test_ldap_change_password_bad_user(self):`
whitespace: auth_log_pass_change.py python conventions Signed-off-by: Garming Sam <garming@catalyst.net.nz> 2017-03-24 03:52:58 +03:00			`def isLastExpectedMessage(msg):`
tests/auth_log_pass_change: Fix flapping test It appears that discardMessages() is still not entirely reliable. Ensure that we filter out any messages from the Administrator’s authentication. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> 2023-06-20 01:11:50 +03:00			`msg_type = msg["type"]`

			`# Accept any message we receive, except for those produced while`
			`# the Administrator authenticates in setUp().`
			`return (msg_type != "Authentication" or (`
			`"Administrator" not in msg[msg_type]["clientAccount"])) and (`
			`msg_type != "Authorization" or (`
			`"Administrator" not in msg[msg_type]["account"]))`
dsdb: Add authentication audit logging for LDAP password change This ensures this particular vector is not forgotten Signed-off-by: Andrew Bartlett <abartlet@samba.org> 2017-03-17 05:58:17 +03:00
auth logging tests: Clean up flake8 warnings Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 2018-04-30 01:35:25 +03:00			`new_password = samba.generate_random_password(32, 32)`
dsdb: Add authentication audit logging for LDAP password change This ensures this particular vector is not forgotten Signed-off-by: Andrew Bartlett <abartlet@samba.org> 2017-03-17 05:58:17 +03:00			`try:`
			`self.ldb.modify_ldif(`
			`"dn: cn=" + "badUser" + ",cn=users," + self.base_dn + "\n" +`
			`"changetype: modify\n" +`
			`"delete: userPassword\n" +`
			`"userPassword: " + USER_PASS + "\n" +`
			`"add: userPassword\n" +`
auth logging tests: Clean up flake8 warnings Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 2018-04-30 01:35:25 +03:00			`"userPassword: " + new_password + "\n")`
dsdb: Add authentication audit logging for LDAP password change This ensures this particular vector is not forgotten Signed-off-by: Andrew Bartlett <abartlet@samba.org> 2017-03-17 05:58:17 +03:00			`self.fail()`
samba python tests: convert 'except X, (tuple)' to 'except X as e' In addition to converting the except line another line is also added for each except to extract the tuple contents. Signed-off-by: Noel Power <noel.power@suse.com> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 2018-02-23 17:32:17 +03:00			`except LdbError as e:`
			`(num, msg) = e.args`
dsdb: Add authentication audit logging for LDAP password change This ensures this particular vector is not forgotten Signed-off-by: Andrew Bartlett <abartlet@samba.org> 2017-03-17 05:58:17 +03:00			`pass`

tests/auth_log: Expect no messages when changing a non-existent user’s password These log messages come from setUp(), and the fact that we are getting them is merely a side-effect of the unreliability of discardMessages(). Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 2023-05-26 07:00:50 +03:00			`self.assertFalse(self.waitForMessages(isLastExpectedMessage),`
			`"Received unexpected messages")`
dsdb: Add authentication audit logging for LDAP password change This ensures this particular vector is not forgotten Signed-off-by: Andrew Bartlett <abartlet@samba.org> 2017-03-17 05:58:17 +03:00
			`def test_ldap_change_password_bad_original_password(self):`
whitespace: auth_log_pass_change.py python conventions Signed-off-by: Garming Sam <garming@catalyst.net.nz> 2017-03-24 03:52:58 +03:00			`def isLastExpectedMessage(msg):`
auth logging tests: Clean up flake8 warnings Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 2018-04-30 01:35:25 +03:00			`return ((msg["type"] == "Authentication") and`
			`(msg["Authentication"]["status"] ==`
			`"NT_STATUS_WRONG_PASSWORD") and`
			`(msg["Authentication"]["serviceDescription"] ==`
			`"LDAP Password Change") and`
			`(msg["Authentication"]["authDescription"] ==`
auth log: Add windows event codes Add a new "eventId" element to the Authorisation JSON log messages. This contains a Windows Event Code Id either: 4624 Successful logon 4625 Unsuccessful logon Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 2018-12-13 00:20:28 +03:00			`"LDAP Modify") and`
			`(msg["Authentication"]["eventId"] ==`
auth log: Add windows logon type codes Add a new "logonType" element to the Authorisation JSON log messages. This contains a Windows Logon Type, the supported logon types are: 2 Interactive 3 Network 8 NetworkCleartext Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 2018-12-13 04:46:31 +03:00			`EVT_ID_UNSUCCESSFUL_LOGON) and`
			`(msg["Authentication"]["logonType"] ==`
			`EVT_LOGON_NETWORK))`
auth logging tests: Clean up flake8 warnings Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 2018-04-30 01:35:25 +03:00
			`new_password = samba.generate_random_password(32, 32)`
dsdb: Add authentication audit logging for LDAP password change This ensures this particular vector is not forgotten Signed-off-by: Andrew Bartlett <abartlet@samba.org> 2017-03-17 05:58:17 +03:00			`try:`
			`self.ldb.modify_ldif(`
			`"dn: cn=" + USER_NAME + ",cn=users," + self.base_dn + "\n" +`
			`"changetype: modify\n" +`
			`"delete: userPassword\n" +`
			`"userPassword: " + "badPassword" + "\n" +`
			`"add: userPassword\n" +`
auth logging tests: Clean up flake8 warnings Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 2018-04-30 01:35:25 +03:00			`"userPassword: " + new_password + "\n")`
dsdb: Add authentication audit logging for LDAP password change This ensures this particular vector is not forgotten Signed-off-by: Andrew Bartlett <abartlet@samba.org> 2017-03-17 05:58:17 +03:00			`self.fail()`
samba python tests: convert 'except X, (tuple)' to 'except X as e' In addition to converting the except line another line is also added for each except to extract the tuple contents. Signed-off-by: Noel Power <noel.power@suse.com> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 2018-02-23 17:32:17 +03:00			`except LdbError as e1:`
			`(num, msg) = e1.args`
dsdb: Add authentication audit logging for LDAP password change This ensures this particular vector is not forgotten Signed-off-by: Andrew Bartlett <abartlet@samba.org> 2017-03-17 05:58:17 +03:00			`pass`

tests/auto_log_pass_change.py: only care about the last expected message other than exact messages count The messages count could be different because of racing condition. And we should only care about the last expected one. Signed-off-by: Joe Guo <joeg@catalyst.net.nz> Reviewed-by: Andrew Bartlett abartlet@samba.org Reviewed-by: Noel Power npower@samba.org 2019-03-07 06:10:27 +03:00			`self.assertTrue(self.waitForMessages(isLastExpectedMessage),`
			`"Did not receive the expected message")`

283 lines 11 KiB Python Raw Normal View History Unescape Escape

283 lines

11 KiB

Python

Raw Normal View History