password_lockout: Move more helper methods to a base class
This is so that we can import the login tests into the RODC-RWDC tests. Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
parent
cd7adbd022
commit
9b523f0137
@ -1769,336 +1769,6 @@ unicodePwd:: """ + base64.b64encode(new_utf16) + """
|
||||
self.lockout2ntlm_ldb,
|
||||
initial_logoncount_relation="equal")
|
||||
|
||||
def __test_login_lockout(self, creds):
|
||||
username = creds.get_username()
|
||||
userpass = creds.get_password()
|
||||
userdn = "cn=%s,cn=users,%s" % (username, self.base_dn)
|
||||
|
||||
use_kerberos = creds.get_kerberos_state()
|
||||
# This unlocks by waiting for account_lockout_duration
|
||||
if use_kerberos == MUST_USE_KERBEROS:
|
||||
logoncount_relation = 'greater'
|
||||
lastlogon_relation = 'greater'
|
||||
print "Performs a lockout attempt against LDAP using Kerberos"
|
||||
else:
|
||||
logoncount_relation = 'equal'
|
||||
lastlogon_relation = 'equal'
|
||||
print "Performs a lockout attempt against LDAP using NTLM"
|
||||
|
||||
# Change password on a connection as another user
|
||||
res = self._check_account(userdn,
|
||||
badPwdCount=0,
|
||||
badPasswordTime=("greater", 0),
|
||||
logonCount=(logoncount_relation, 0),
|
||||
lastLogon=("greater", 0),
|
||||
lastLogonTimestamp=("greater", 0),
|
||||
userAccountControl=
|
||||
dsdb.UF_NORMAL_ACCOUNT,
|
||||
msDSUserAccountControlComputed=0)
|
||||
badPasswordTime = int(res[0]["badPasswordTime"][0])
|
||||
logonCount = int(res[0]["logonCount"][0])
|
||||
lastLogon = int(res[0]["lastLogon"][0])
|
||||
firstLogon = lastLogon
|
||||
lastLogonTimestamp = int(res[0]["lastLogonTimestamp"][0])
|
||||
print firstLogon
|
||||
print lastLogonTimestamp
|
||||
|
||||
|
||||
self.assertGreater(lastLogon, badPasswordTime)
|
||||
self.assertGreaterEqual(lastLogon, lastLogonTimestamp)
|
||||
|
||||
# Open a second LDB connection with the user credentials. Use the
|
||||
# command line credentials for informations like the domain, the realm
|
||||
# and the workstation.
|
||||
creds_lockout = self.insta_creds(creds)
|
||||
|
||||
# The wrong password
|
||||
creds_lockout.set_password("thatsAcomplPASS1x")
|
||||
|
||||
self.assertLoginFailure(host_url, creds_lockout, lp)
|
||||
|
||||
res = self._check_account(userdn,
|
||||
badPwdCount=1,
|
||||
badPasswordTime=("greater", badPasswordTime),
|
||||
logonCount=logonCount,
|
||||
lastLogon=lastLogon,
|
||||
lastLogonTimestamp=lastLogonTimestamp,
|
||||
userAccountControl=
|
||||
dsdb.UF_NORMAL_ACCOUNT,
|
||||
msDSUserAccountControlComputed=0,
|
||||
msg='lastlogontimestamp with wrong password')
|
||||
badPasswordTime = int(res[0]["badPasswordTime"][0])
|
||||
|
||||
# Correct old password
|
||||
creds_lockout.set_password(userpass)
|
||||
|
||||
ldb_lockout = SamDB(url=host_url, credentials=creds_lockout, lp=lp)
|
||||
|
||||
# lastLogonTimestamp should not change
|
||||
# lastLogon increases if badPwdCount is non-zero (!)
|
||||
res = self._check_account(userdn,
|
||||
badPwdCount=0,
|
||||
badPasswordTime=badPasswordTime,
|
||||
logonCount=(logoncount_relation, logonCount),
|
||||
lastLogon=('greater', lastLogon),
|
||||
lastLogonTimestamp=lastLogonTimestamp,
|
||||
userAccountControl=
|
||||
dsdb.UF_NORMAL_ACCOUNT,
|
||||
msDSUserAccountControlComputed=0,
|
||||
msg='LLTimestamp is updated to lastlogon')
|
||||
|
||||
logonCount = int(res[0]["logonCount"][0])
|
||||
lastLogon = int(res[0]["lastLogon"][0])
|
||||
self.assertGreater(lastLogon, badPasswordTime)
|
||||
self.assertGreaterEqual(lastLogon, lastLogonTimestamp)
|
||||
|
||||
# The wrong password
|
||||
creds_lockout.set_password("thatsAcomplPASS1x")
|
||||
|
||||
self.assertLoginFailure(host_url, creds_lockout, lp)
|
||||
|
||||
res = self._check_account(userdn,
|
||||
badPwdCount=1,
|
||||
badPasswordTime=("greater", badPasswordTime),
|
||||
logonCount=logonCount,
|
||||
lastLogon=lastLogon,
|
||||
lastLogonTimestamp=lastLogonTimestamp,
|
||||
userAccountControl=
|
||||
dsdb.UF_NORMAL_ACCOUNT,
|
||||
msDSUserAccountControlComputed=0)
|
||||
badPasswordTime = int(res[0]["badPasswordTime"][0])
|
||||
|
||||
# The wrong password
|
||||
creds_lockout.set_password("thatsAcomplPASS1x")
|
||||
|
||||
try:
|
||||
ldb_lockout = SamDB(url=host_url, credentials=creds_lockout, lp=lp)
|
||||
self.fail()
|
||||
|
||||
except LdbError, (num, msg):
|
||||
self.assertEquals(num, ERR_INVALID_CREDENTIALS)
|
||||
|
||||
res = self._check_account(userdn,
|
||||
badPwdCount=2,
|
||||
badPasswordTime=("greater", badPasswordTime),
|
||||
logonCount=logonCount,
|
||||
lastLogon=lastLogon,
|
||||
lastLogonTimestamp=lastLogonTimestamp,
|
||||
userAccountControl=
|
||||
dsdb.UF_NORMAL_ACCOUNT,
|
||||
msDSUserAccountControlComputed=0)
|
||||
badPasswordTime = int(res[0]["badPasswordTime"][0])
|
||||
|
||||
print "two failed password change"
|
||||
|
||||
# The wrong password
|
||||
creds_lockout.set_password("thatsAcomplPASS1x")
|
||||
|
||||
try:
|
||||
ldb_lockout = SamDB(url=host_url, credentials=creds_lockout, lp=lp)
|
||||
self.fail()
|
||||
|
||||
except LdbError, (num, msg):
|
||||
self.assertEquals(num, ERR_INVALID_CREDENTIALS)
|
||||
|
||||
res = self._check_account(userdn,
|
||||
badPwdCount=3,
|
||||
badPasswordTime=("greater", badPasswordTime),
|
||||
logonCount=logonCount,
|
||||
lastLogon=lastLogon,
|
||||
lastLogonTimestamp=lastLogonTimestamp,
|
||||
lockoutTime=("greater", badPasswordTime),
|
||||
userAccountControl=
|
||||
dsdb.UF_NORMAL_ACCOUNT,
|
||||
msDSUserAccountControlComputed=dsdb.UF_LOCKOUT)
|
||||
badPasswordTime = int(res[0]["badPasswordTime"][0])
|
||||
lockoutTime = int(res[0]["lockoutTime"][0])
|
||||
|
||||
# The wrong password
|
||||
creds_lockout.set_password("thatsAcomplPASS1x")
|
||||
try:
|
||||
ldb_lockout = SamDB(url=host_url, credentials=creds_lockout, lp=lp)
|
||||
self.fail()
|
||||
except LdbError, (num, msg):
|
||||
self.assertEquals(num, ERR_INVALID_CREDENTIALS)
|
||||
|
||||
res = self._check_account(userdn,
|
||||
badPwdCount=3,
|
||||
badPasswordTime=badPasswordTime,
|
||||
logonCount=logonCount,
|
||||
lastLogon=lastLogon,
|
||||
lastLogonTimestamp=lastLogonTimestamp,
|
||||
lockoutTime=lockoutTime,
|
||||
userAccountControl=
|
||||
dsdb.UF_NORMAL_ACCOUNT,
|
||||
msDSUserAccountControlComputed=dsdb.UF_LOCKOUT)
|
||||
|
||||
# The wrong password
|
||||
creds_lockout.set_password("thatsAcomplPASS1x")
|
||||
try:
|
||||
ldb_lockout = SamDB(url=host_url, credentials=creds_lockout, lp=lp)
|
||||
self.fail()
|
||||
except LdbError, (num, msg):
|
||||
self.assertEquals(num, ERR_INVALID_CREDENTIALS)
|
||||
|
||||
res = self._check_account(userdn,
|
||||
badPwdCount=3,
|
||||
badPasswordTime=badPasswordTime,
|
||||
logonCount=logonCount,
|
||||
lastLogon=lastLogon,
|
||||
lastLogonTimestamp=lastLogonTimestamp,
|
||||
lockoutTime=lockoutTime,
|
||||
userAccountControl=
|
||||
dsdb.UF_NORMAL_ACCOUNT,
|
||||
msDSUserAccountControlComputed=dsdb.UF_LOCKOUT)
|
||||
|
||||
# The correct password, but we are locked out
|
||||
creds_lockout.set_password(userpass)
|
||||
try:
|
||||
ldb_lockout = SamDB(url=host_url, credentials=creds_lockout, lp=lp)
|
||||
self.fail()
|
||||
except LdbError, (num, msg):
|
||||
self.assertEquals(num, ERR_INVALID_CREDENTIALS)
|
||||
|
||||
res = self._check_account(userdn,
|
||||
badPwdCount=3,
|
||||
badPasswordTime=badPasswordTime,
|
||||
logonCount=logonCount,
|
||||
lastLogon=lastLogon,
|
||||
lastLogonTimestamp=lastLogonTimestamp,
|
||||
lockoutTime=lockoutTime,
|
||||
userAccountControl=
|
||||
dsdb.UF_NORMAL_ACCOUNT,
|
||||
msDSUserAccountControlComputed=dsdb.UF_LOCKOUT)
|
||||
|
||||
# wait for the lockout to end
|
||||
time.sleep(self.account_lockout_duration + 1)
|
||||
print self.account_lockout_duration + 1
|
||||
|
||||
res = self._check_account(userdn,
|
||||
badPwdCount=3, effective_bad_password_count=0,
|
||||
badPasswordTime=badPasswordTime,
|
||||
logonCount=logonCount,
|
||||
lockoutTime=lockoutTime,
|
||||
lastLogon=lastLogon,
|
||||
lastLogonTimestamp=lastLogonTimestamp,
|
||||
userAccountControl=
|
||||
dsdb.UF_NORMAL_ACCOUNT,
|
||||
msDSUserAccountControlComputed=0)
|
||||
|
||||
# The correct password after letting the timeout expire
|
||||
|
||||
creds_lockout.set_password(userpass)
|
||||
|
||||
creds_lockout2 = self.insta_creds(creds_lockout)
|
||||
|
||||
ldb_lockout = SamDB(url=host_url, credentials=creds_lockout2, lp=lp)
|
||||
time.sleep(3)
|
||||
|
||||
res = self._check_account(userdn,
|
||||
badPwdCount=0,
|
||||
badPasswordTime=badPasswordTime,
|
||||
logonCount=(logoncount_relation, logonCount),
|
||||
lastLogon=(lastlogon_relation, lastLogon),
|
||||
lastLogonTimestamp=lastLogonTimestamp,
|
||||
lockoutTime=0,
|
||||
userAccountControl=
|
||||
dsdb.UF_NORMAL_ACCOUNT,
|
||||
msDSUserAccountControlComputed=0,
|
||||
msg="lastLogon is way off")
|
||||
|
||||
logonCount = int(res[0]["logonCount"][0])
|
||||
lastLogon = int(res[0]["lastLogon"][0])
|
||||
|
||||
# The wrong password
|
||||
creds_lockout.set_password("thatsAcomplPASS1x")
|
||||
try:
|
||||
ldb_lockout = SamDB(url=host_url, credentials=creds_lockout, lp=lp)
|
||||
self.fail()
|
||||
except LdbError, (num, msg):
|
||||
self.assertEquals(num, ERR_INVALID_CREDENTIALS)
|
||||
|
||||
res = self._check_account(userdn,
|
||||
badPwdCount=1,
|
||||
badPasswordTime=("greater", badPasswordTime),
|
||||
logonCount=logonCount,
|
||||
lockoutTime=0,
|
||||
lastLogon=lastLogon,
|
||||
lastLogonTimestamp=lastLogonTimestamp,
|
||||
userAccountControl=
|
||||
dsdb.UF_NORMAL_ACCOUNT,
|
||||
msDSUserAccountControlComputed=0)
|
||||
badPasswordTime = int(res[0]["badPasswordTime"][0])
|
||||
|
||||
# The wrong password
|
||||
creds_lockout.set_password("thatsAcomplPASS1x")
|
||||
try:
|
||||
ldb_lockout = SamDB(url=host_url, credentials=creds_lockout, lp=lp)
|
||||
self.fail()
|
||||
except LdbError, (num, msg):
|
||||
self.assertEquals(num, ERR_INVALID_CREDENTIALS)
|
||||
|
||||
res = self._check_account(userdn,
|
||||
badPwdCount=2,
|
||||
badPasswordTime=("greater", badPasswordTime),
|
||||
logonCount=logonCount,
|
||||
lockoutTime=0,
|
||||
lastLogon=lastLogon,
|
||||
lastLogonTimestamp=lastLogonTimestamp,
|
||||
userAccountControl=
|
||||
dsdb.UF_NORMAL_ACCOUNT,
|
||||
msDSUserAccountControlComputed=0)
|
||||
badPasswordTime = int(res[0]["badPasswordTime"][0])
|
||||
|
||||
time.sleep(self.lockout_observation_window + 1)
|
||||
|
||||
res = self._check_account(userdn,
|
||||
badPwdCount=2, effective_bad_password_count=0,
|
||||
badPasswordTime=badPasswordTime,
|
||||
logonCount=logonCount,
|
||||
lockoutTime=0,
|
||||
lastLogon=lastLogon,
|
||||
lastLogonTimestamp=lastLogonTimestamp,
|
||||
userAccountControl=
|
||||
dsdb.UF_NORMAL_ACCOUNT,
|
||||
msDSUserAccountControlComputed=0)
|
||||
|
||||
# The wrong password
|
||||
creds_lockout.set_password("thatsAcomplPASS1x")
|
||||
try:
|
||||
ldb_lockout = SamDB(url=host_url, credentials=creds_lockout, lp=lp)
|
||||
self.fail()
|
||||
except LdbError, (num, msg):
|
||||
self.assertEquals(num, ERR_INVALID_CREDENTIALS)
|
||||
|
||||
res = self._check_account(userdn,
|
||||
badPwdCount=1,
|
||||
badPasswordTime=("greater", badPasswordTime),
|
||||
logonCount=logonCount,
|
||||
lockoutTime=0,
|
||||
lastLogon=lastLogon,
|
||||
lastLogonTimestamp=lastLogonTimestamp,
|
||||
userAccountControl=
|
||||
dsdb.UF_NORMAL_ACCOUNT,
|
||||
msDSUserAccountControlComputed=0)
|
||||
badPasswordTime = int(res[0]["badPasswordTime"][0])
|
||||
|
||||
# The correct password without letting the timeout expire
|
||||
creds_lockout.set_password(userpass)
|
||||
ldb_lockout = SamDB(url=host_url, credentials=creds_lockout, lp=lp)
|
||||
|
||||
res = self._check_account(userdn,
|
||||
badPwdCount=0,
|
||||
badPasswordTime=badPasswordTime,
|
||||
logonCount=(logoncount_relation, logonCount),
|
||||
lockoutTime=0,
|
||||
lastLogon=("greater", lastLogon),
|
||||
lastLogonTimestamp=lastLogonTimestamp,
|
||||
userAccountControl=
|
||||
dsdb.UF_NORMAL_ACCOUNT,
|
||||
msDSUserAccountControlComputed=0)
|
||||
|
||||
|
||||
def test_login_lockout_krb5(self):
|
||||
self._test_login_lockout(self.lockout1krb5_creds)
|
||||
|
||||
|