From eab89c8e29d77922420f345ae0198425ad0ac937 Mon Sep 17 00:00:00 2001 From: Douglas Bagnall Date: Thu, 8 Sep 2022 14:32:13 +1200 Subject: [PATCH] pytest/password_lockout: be less verbose by default leaving the carefully constructed verbosity there for whoever choses to switch it on. Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett --- source4/dsdb/tests/python/password_lockout.py | 18 +++++------ .../tests/python/password_lockout_base.py | 30 +++++++++++-------- 2 files changed, 27 insertions(+), 21 deletions(-) diff --git a/source4/dsdb/tests/python/password_lockout.py b/source4/dsdb/tests/python/password_lockout.py index 325c0cfdd01..1f7e1e1a487 100755 --- a/source4/dsdb/tests/python/password_lockout.py +++ b/source4/dsdb/tests/python/password_lockout.py @@ -195,11 +195,11 @@ userAccountControl: %d if use_kerberos == MUST_USE_KERBEROS: logoncount_relation = 'greater' lastlogon_relation = 'greater' - print("Performs a password cleartext change operation on 'userPassword' using Kerberos") + self.debug("Performs a password cleartext change operation on 'userPassword' using Kerberos") else: logoncount_relation = 'equal' lastlogon_relation = 'equal' - print("Performs a password cleartext change operation on 'userPassword' using NTLMSSP") + self.debug("Performs a password cleartext change operation on 'userPassword' using NTLMSSP") if initial_lastlogon_relation is not None: lastlogon_relation = initial_lastlogon_relation @@ -293,7 +293,7 @@ userPassword: thatsAcomplPASS2 msDSUserAccountControlComputed=0) badPasswordTime = int(res[0]["badPasswordTime"][0]) - print("two failed password change") + self.debug("two failed password change") # Wrong old password try: @@ -696,7 +696,7 @@ userPassword: thatsAcomplPASS2XYZ for i in range(lockout_threshold): badPwdCount = i + 1 try: - print("Trying bad password, attempt #%u" % badPwdCount) + self.debug("Trying bad password, attempt #%u" % badPwdCount) net.change_password(newpassword=new_password, username=creds.get_username(), oldpassword="bad-password") @@ -730,7 +730,7 @@ userPassword: thatsAcomplPASS2XYZ # good or a bad password now for password in (creds.get_password(), "bad-password"): try: - print("Trying password %s" % password) + self.debug("Trying password %s" % password) net.change_password(newpassword=new_password, username=creds.get_username(), oldpassword=password) @@ -930,7 +930,7 @@ userPassword: thatsAcomplPASS2XYZ with self.assertRaises( NTSTATUSError, msg='Invalid SAMR change_password accepted') as err: - print(f'Trying correct password, attempt #{i}') + self.debug(f'Trying correct password, attempt #{i}') net.change_password(newpassword=new_password, username=username, oldpassword=creds.get_password()) @@ -1024,7 +1024,7 @@ userPassword: {new_password} with self.assertRaises( NTSTATUSError, msg='Invalid SAMR set_password accepted') as err: - print(f'Trying correct password, attempt #{i}') + self.debug(f'Trying correct password, attempt #{i}') net.set_password(newpassword=new_password, account_name=username, domain_name=creds.get_domain()) @@ -1063,7 +1063,7 @@ class PasswordTestsWithSleep(PasswordTests): def _test_unicodePwd_lockout_with_clear_change(self, creds, other_ldb, initial_logoncount_relation=None): - print("Performs a password cleartext change operation on 'unicodePwd'") + self.debug("Performs a password cleartext change operation on 'unicodePwd'") username = creds.get_username() userpass = creds.get_password() userdn = "cn=%s,cn=users,%s" % (username, self.base_dn) @@ -1180,7 +1180,7 @@ unicodePwd:: """ + base64.b64encode(new_utf16).decode('utf8') + """ userAccountControl=dsdb.UF_NORMAL_ACCOUNT, msDSUserAccountControlComputed=0) - print("two failed password change") + self.debug("two failed password change") # Wrong old password try: diff --git a/source4/dsdb/tests/python/password_lockout_base.py b/source4/dsdb/tests/python/password_lockout_base.py index 93371ef38f3..e4635bc7a86 100644 --- a/source4/dsdb/tests/python/password_lockout_base.py +++ b/source4/dsdb/tests/python/password_lockout_base.py @@ -20,6 +20,12 @@ import time class BasePasswordTestCase(PasswordTestCase): + if False: + debug = print + else: + def debug(self, *args, **kwargs): + pass + def _open_samr_user(self, res): self.assertTrue("objectSid" in res[0]) @@ -56,7 +62,7 @@ class BasePasswordTestCase(PasswordTestCase): msg="attr[%s]=%r on dn[%s]" % (name, res[0][name], res[0].dn)) - print("%s = '%s'" % (name, res[0][name][0])) + self.debug("%s = '%s'" % (name, res[0][name][0])) if mode == "present": return @@ -108,9 +114,9 @@ class BasePasswordTestCase(PasswordTestCase): effective_bad_password_count=None, msg=None, badPwdCountOnly=False): - print('-=' * 36) + self.debug('-=' * 36) if msg is not None: - print("\033[01;32m %s \033[00m\n" % msg) + self.debug("\033[01;32m %s \033[00m\n" % msg) attrs = [ "objectSid", "sAMAccountName", @@ -402,11 +408,11 @@ lockoutThreshold: """ + str(lockoutThreshold) + """ if use_kerberos == MUST_USE_KERBEROS: logoncount_relation = 'greater' lastlogon_relation = 'greater' - print("Performs a lockout attempt against LDAP using Kerberos") + self.debug("Performs a lockout attempt against LDAP using Kerberos") else: logoncount_relation = 'equal' lastlogon_relation = 'equal' - print("Performs a lockout attempt against LDAP using NTLM") + self.debug("Performs a lockout attempt against LDAP using NTLM") # Change password on a connection as another user res = self._check_account(userdn, @@ -422,8 +428,8 @@ lockoutThreshold: """ + str(lockoutThreshold) + """ lastLogon = int(res[0]["lastLogon"][0]) firstLogon = lastLogon lastLogonTimestamp = int(res[0]["lastLogonTimestamp"][0]) - print(firstLogon) - print(lastLogonTimestamp) + self.debug(firstLogon) + self.debug(lastLogonTimestamp) self.assertGreater(lastLogon, badPasswordTime) self.assertGreaterEqual(lastLogon, lastLogonTimestamp) @@ -507,7 +513,7 @@ lockoutThreshold: """ + str(lockoutThreshold) + """ msDSUserAccountControlComputed=0) badPasswordTime = int(res[0]["badPasswordTime"][0]) - print("two failed password change") + self.debug("two failed password change") # The wrong password creds_lockout.set_password("thatsAcomplPASS1x") @@ -595,7 +601,7 @@ lockoutThreshold: """ + str(lockoutThreshold) + """ # wait for the lockout to end time.sleep(self.account_lockout_duration + 1) - print(self.account_lockout_duration + 1) + self.debug(self.account_lockout_duration + 1) res = self._check_account(userdn, badPwdCount=3, effective_bad_password_count=0, @@ -730,11 +736,11 @@ lockoutThreshold: """ + str(lockoutThreshold) + """ use_kerberos = creds.get_kerberos_state() if use_kerberos == MUST_USE_KERBEROS: - print("Testing multiple logon with Kerberos") + self.debug("Testing multiple logon with Kerberos") logoncount_relation = 'greater' lastlogon_relation = 'greater' else: - print("Testing multiple logon with NTLM") + self.debug("Testing multiple logon with NTLM") logoncount_relation = 'equal' lastlogon_relation = 'equal' @@ -753,7 +759,7 @@ lockoutThreshold: """ + str(lockoutThreshold) + """ lastLogon = int(res[0]["lastLogon"][0]) lastLogonTimestamp = int(res[0]["lastLogonTimestamp"][0]) firstLogon = lastLogon - print("last logon is %d" % lastLogon) + self.debug("last logon is %d" % lastLogon) self.assertGreater(lastLogon, badPasswordTime) self.assertGreaterEqual(lastLogon, lastLogonTimestamp)