From ad55cbb62c0d1c610421fc5cfb69a86eb90d5550 Mon Sep 17 00:00:00 2001 From: Garming Sam Date: Thu, 6 Apr 2017 16:21:53 +1200 Subject: [PATCH] password_lockout: Move lockoutObservationWindow tests from setUp These should not belong in the setUp, and should be a separate test. Signed-off-by: Garming Sam Reviewed-by: Andrew Bartlett --- source4/dsdb/tests/python/password_lockout.py | 25 +++++++++++ .../tests/python/password_lockout_base.py | 45 +++++++++++++++++++ 2 files changed, 70 insertions(+) diff --git a/source4/dsdb/tests/python/password_lockout.py b/source4/dsdb/tests/python/password_lockout.py index 2e345d9db71..c843e37cb84 100755 --- a/source4/dsdb/tests/python/password_lockout.py +++ b/source4/dsdb/tests/python/password_lockout.py @@ -973,6 +973,31 @@ unicodePwd:: """ + base64.b64encode(new_utf16) + """ def test_multiple_logon_ntlm(self): self._test_multiple_logon(self.lockout1ntlm_creds) + def test_lockout_observation_window(self): + lockout3krb5_creds = self.insta_creds(self.template_creds, + username="lockout3krb5", + userpass="thatsAcomplPASS0", + kerberos_state=MUST_USE_KERBEROS) + self._testing_add_user(lockout3krb5_creds) + + lockout4krb5_creds = self.insta_creds(self.template_creds, + username="lockout4krb5", + userpass="thatsAcomplPASS0", + kerberos_state=MUST_USE_KERBEROS) + self._testing_add_user(lockout4krb5_creds, + lockOutObservationWindow=self.lockout_observation_window) + + lockout3ntlm_creds = self.insta_creds(self.template_creds, + username="lockout3ntlm", + userpass="thatsAcomplPASS0", + kerberos_state=DONT_USE_KERBEROS) + self._testing_add_user(lockout3ntlm_creds) + lockout4ntlm_creds = self.insta_creds(self.template_creds, + username="lockout4ntlm", + userpass="thatsAcomplPASS0", + kerberos_state=DONT_USE_KERBEROS) + self._testing_add_user(lockout4ntlm_creds, + lockOutObservationWindow=self.lockout_observation_window) host_url = "ldap://%s" % host 
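Review bot: `test_lockout_observation_window` has no assertion of its own and no docstring, so what it verifies can only be learned by reading `_testing_add_user` in the base class. A docstring such as `"""Run the add-user lockout checks over Kerberos and NTLM, with the default window (0) and with self.lockout_observation_window."""` would record the four cases; that wording is inferred from the arguments visible here and should be checked against the helper. The four `insta_creds` calls differ only in `username` and `kerberos_state`, so a single local `userpass = "thatsAcomplPASS0"` passed to each would stop the accounts drifting apart on a later edit.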
diff --git a/source4/dsdb/tests/python/password_lockout_base.py b/source4/dsdb/tests/python/password_lockout_base.py index 1b149799d3f..514a5aa5771 100644 --- a/source4/dsdb/tests/python/password_lockout_base.py +++ b/source4/dsdb/tests/python/password_lockout_base.py @@ -195,6 +195,51 @@ class BasePasswordTestCase(samba.tests.TestCase): userpass = creds.get_password() userdn = "cn=%s,cn=users,%s" % (username, self.base_dn) + delete_force(self.ldb, userdn) + self.ldb.add({ + "dn": userdn, + "objectclass": "user", + "sAMAccountName": username}) + + self.addCleanup(delete_force, self.ldb, userdn) + + # Sets the initial user password with a "special" password change + # I think that this internally is a password set operation and it can + # only be performed by someone which has password set privileges on the + # account (at least in s4 we do handle it like that). + self.ldb.modify_ldif(""" +dn: """ + userdn + """ +changetype: modify +delete: userPassword +add: userPassword +userPassword: """ + userpass + """ +""") + # Enables the user account + self.ldb.enable_account("(sAMAccountName=%s)" % username) + + use_kerberos = creds.get_kerberos_state() + fail_creds = self.insta_creds(self.template_creds, + username=username, + userpass=userpass+"X", + kerberos_state=use_kerberos) + + # Fail once to get a badPasswordTime + try: + ldb = SamDB(url=self.host_url, credentials=fail_creds, lp=self.lp) + self.fail() + except LdbError, (num, msg): + self.assertEquals(num, ERR_INVALID_CREDENTIALS) + + # Succeed to reset everything to 0 + ldb = SamDB(url=self.host_url, credentials=creds, lp=self.lp) + + return ldb + + def _testing_add_user(self, creds, lockOutObservationWindow=0): + username = creds.get_username() + userpass = creds.get_password() + userdn = "cn=%s,cn=users,%s" % (username, self.base_dn) + use_kerberos = creds.get_kerberos_state() if use_kerberos == MUST_USE_KERBEROS: logoncount_relation = 'greater'
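Review bot: The bare `self.fail()` in the added "Fail once" step reports nothing if a bind with the wrong password is accepted, which is the one outcome this step has to make obvious; `self.fail("bind with wrong password succeeded for %s" % username)` would name the account. The comment "Succeed to reset everything to 0" is not backed by any check in the visible lines, so a server that kept the bad-password count after a good bind would only show up later, in an unrelated assertion. `except LdbError, (num, msg):` is Python 2-only syntax; `except LdbError as e:` followed by `(num, msg) = e.args` parses on both Python 2 and 3. The function these lines extend begins above the hunk and `_testing_add_user` continues below it; since the diffstat shows 70 insertions and no deletions, it is worth confirming that the old setUp path does not still run the same checks.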