#50917 Issue: 50860 - Port Password Policy test cases from TET to python3 series of bugs Port final
Closed a year ago by spichugi. Opened 2 years ago by aborah.
aborah/389-ds-base series_final  into  master

@@ -0,0 +1,618 @@ 

+ """

+ # --- BEGIN COPYRIGHT BLOCK ---

+ # Copyright (C) 2020 Red Hat, Inc.

+ # All rights reserved.

+ #

+ # License: GPL (version 3 or any later version).

+ # See LICENSE for details.

+ # --- END COPYRIGHT BLOCK ---

+ """

+ 

+ import os

+ import pytest

+ from lib389.topologies import topology_st as topo

+ from lib389.idm.user import UserAccounts, UserAccount

+ from lib389._constants import DEFAULT_SUFFIX, DN_DM

+ from lib389.config import Config

+ from lib389.idm.domain import Domain

+ from lib389.idm.group import UniqueGroups, UniqueGroup

+ from lib389.idm.organizationalunit import OrganizationalUnits, OrganizationalUnit

+ from lib389.pwpolicy import PwPolicyManager

+ import time

+ import ldap

+ 

+ pytestmark = pytest.mark.tier1

+ 

+ 

+ def _create_user(topo, uid, ou):

+     user = UserAccounts(topo.standalone, DEFAULT_SUFFIX, rdn=ou).create(properties={

+         'uid': uid,

+         'cn': uid,

+         'sn': uid,

+         'mail': f'{uid}@example.com',

+         'homeDirectory': f'/home/{uid}',

+         'uidNumber': '1000',

+         'gidNumber': '1000'

+     })

+     return user

+ 

+ 

+ def change_pwp_parameter(topo, pwp, operation, to_do):

+     """

+     Will change password policy parameter

+     """

+     pwp1 = PwPolicyManager(topo.standalone)

+     user = pwp1.get_pwpolicy_entry(f'{pwp},{DEFAULT_SUFFIX}')

+     user.replace(operation, to_do)

+ 

+ 

+ def _create_pwp(topo, instance):

+     """

+     Will  create pwp

+     """

+     policy_props = {}

+     pwp = PwPolicyManager(topo.standalone)

+     pwadm_locpol = pwp.create_subtree_policy(instance, policy_props)

+     for attribute, value in [

+         ('passwordexp', 'off'),

+         ('passwordchange', 'off'),

+         ('passwordmustchange', 'off'),

+         ('passwordchecksyntax', 'off'),

+         ('passwordinhistory', '6'),

+         ('passwordhistory', 'off'),

+         ('passwordlockout', 'off'),

+         ('passwordlockoutduration', '3600'),

+         ('passwordmaxage', '8640000'),

+         ('passwordmaxfailure', '3'),

+         ('passwordminage', '0'),

+         ('passwordminlength', '6'),

+         ('passwordresetfailurecount', '600'),

+         ('passwordunlock', 'on'),

+         ('passwordStorageScheme', 'CLEAR'),

+         ('passwordwarning', '86400')

+     ]:

+         pwadm_locpol.add(attribute, value)

+     return pwadm_locpol

+ 

+ 

+ def change_password_of_user(topo, user_password_new_pass_list, pass_to_change):

+     """

+     Will change password with self binding.

+     """

+     for user, password, new_pass in user_password_new_pass_list:

+         real_user = UserAccount(topo.standalone, f'{user},{DEFAULT_SUFFIX}')

+         conn = real_user.bind(password)

+         UserAccount(conn, pass_to_change).replace('userpassword', new_pass)

+ 

+ 

+ @pytest.fixture(scope="function")

+ def _add_user(request, topo):

+     for uid, ou_ou in [('pwadm_user_1', None), ('pwadm_user_2', 'ou=People')]:

+         _create_user(topo, uid, ou_ou)

+     for uid, ou_ou in [('pwadm_admin_2', 'ou=People'),

+                        ('pwadm_admin_3', 'ou=People'),

+                        ('pwadm_admin_4', 'ou=People')]:

+         user = _create_user(topo, uid, ou_ou)

+         user.replace('userpassword', 'Secret123')

+ 

+     def fin():

+         for user1 in UserAccounts(topo.standalone, DEFAULT_SUFFIX).list():

+             user1.delete()

+         for user1 in UserAccounts(topo.standalone, DEFAULT_SUFFIX, rdn=None).list():

+             user1.delete()

+     request.addfinalizer(fin)

+ 

+ 

+ @pytest.mark.bz1044164

+ def test_local_password_policy(topo, _add_user):

+     """Regression test for bz1044164 part 1.

+ 

+     :id: d6f4a7fa-473b-11ea-8766-8c16451d917b

+     :setup: Standalone

+     :steps:

+         1. Add a User as Password Admin

+         2. Create a password admin user entry

+         3. Add an aci to allow this user all rights

+         4. Configure password admin

+         5. Create local password policy and enable passwordmustchange

+         6. Add another generic user but do not include the password (userpassword)

+         7. Use admin user to perform a password update on generic user

+         8. We don't need this ACI anymore. Delete it

+     :expected results:

+         1. Success

+         2. Success

+         3. Success

+         4. Success

+         5. Success

+         6. Success

+         7. Success

+         8. Success

+     """

+     # Add a User as Password Admin

+     # Create a password admin user entry

+     user = _create_user(topo, 'pwadm_admin_1', None)

+     user.replace('userpassword', 'Secret123')

+     domian = Domain(topo.standalone, DEFAULT_SUFFIX)

+     # Add an aci to allow this user all rights

+     domian.set("aci", f'(targetattr ="userpassword")'

+                       f'(version 3.0;acl "Allow password admin to write user '

+                       f'passwords";allow (write)(userdn = "ldap:///{user.dn}");)')

+     # Configure password admin

+     # Create local password policy and enable passwordmustchange

+     Config(topo.standalone).replace_many(

+         ('passwordAdminDN', user.dn),

+         ('passwordMustChange', 'off'),

+         ('nsslapd-pwpolicy-local', 'on'))

+     # Add another generic user but do not include the password (userpassword)

+     # Use admin user to perform a password update on generic user

+     real_user = UserAccount(topo.standalone, f'uid=pwadm_admin_1,{DEFAULT_SUFFIX}')

+     conn = real_user.bind('Secret123')

+     UserAccount(conn, f'uid=pwadm_user_1,{DEFAULT_SUFFIX}').replace('userpassword', 'hello')

+     # We don't need this ACI anymore. Delete it

+     domian.remove("aci", f'(targetattr ="userpassword")'

+                          f'(version 3.0;acl "Allow password admin to write user '

+                          f'passwords";allow (write)(userdn = "ldap:///{user.dn}");)')

+ 

+ 

+ @pytest.mark.bz1118006

+ def test_passwordexpirationtime_attribute(topo, _add_user):

+     """Regression test for bz1118006.

+ 

+     :id: 867472d2-473c-11ea-b583-8c16451d917b

+     :setup: Standalone

+     :steps:

+         1. Check that the passwordExpirationTime attribute is set to the epoch date

+     :expected results:

+         1. Success

+     """

+     Config(topo.standalone).replace('passwordMustChange', 'on')

+     epoch_date = "19700101000000Z"

+     time.sleep(1)

+     user = UserAccount(topo.standalone, f'uid=pwadm_user_1,{DEFAULT_SUFFIX}')

+     user.replace('userpassword', 'Secret123')

+     time.sleep(1)

+     # Check that the passwordExpirationTime attribute is set to the epoch date

+     assert user.get_attr_val_utf8('passwordExpirationTime') == epoch_date

+     Config(topo.standalone).replace('passwordMustChange', 'off')

+     time.sleep(1)

+ 

+ 

+ @pytest.mark.bz1118007

+ @pytest.mark.bz1044164

+ def test_admin_group_to_modify_password(topo, _add_user):

+     """Regression test for bz1044164 part 2.

+ 

+     :id: 12e09446-52da-11ea-aa11-8c16451d917b

+     :setup: Standalone

+     :steps:

+         1. Create unique members of admin group

+         2. Create admin group with unique members

+         3. Edit ACIs for admin group

+         4. Add group as password admin

+         5. Test password admin group to modify password of another admin user

+         6. Use admin user to perform a password update on Directory Manager user

+         7. Test password admin group for local password policy

+         8. Add top level container

+         9. Add user

+         10. Create local policy configuration entry

+         11. Adding admin group for local policy

+         12. Change user's password by admin user. Break the local policy rule

+         13. Test password admin group for global password policy

+         14. Add top level container

+         15. Change user's password by admin user. Break the global policy rule

+         16. Add new user in password admin group

+         17. Modify ordinary user's password

+         18. Modify user DN using modrdn of a user in password admin group

+         19. Test assigning invalid value to password admin attribute

+         20. Try to add more than one Password Admin attribute to config file

+         21. Use admin group setup from previous testcases, but delete ACI from that

+         22. Try to change user's password by admin user

+         23. Restore ACI

+         24. Edit ACIs for admin group

+         25. Delete a user from password admin group

+         26. Change users password by ex-admin user

+         27. Remove group from password admin configuration

+         28. Change admins

+         29. Change user's password by ex-admin user

+         30. Change admin user's password by ex-admin user

+     :expected results:

+         1. Success

+         2. Success

+         3. Success

+         4. Success

+         5. Success

+         6. Fail(ldap.INSUFFICIENT_ACCESS)

+         7. Success

+         8. Success

+         9. Success

+         10. Success

+         11. Success

+         12. Success

+         13. Success

+         14. Success

+         15. Success

+         16. Success

+         17. Success

+         18. Success

+         19. Fail

+         20. Fail

+         21. Success

+         22. Success

+         23. Success

+         24. Success

+         25. Success

+         26. Success

+         27. Success

+         29. Fail

+         30. Fail

+     """

+     # create unique members of admin group

+     admin_grp = UniqueGroups(topo.standalone, DEFAULT_SUFFIX).create(properties={

+         'cn': 'pwadm_group_adm',

+         'description': 'pwadm_group_adm',

+         'uniqueMember': [f'uid=pwadm_admin_2,ou=People,{DEFAULT_SUFFIX}',

+                          f'uid=pwadm_admin_3,ou=People,{DEFAULT_SUFFIX}']

+     })

+     # Edit ACIs for admin group

+     Domain(topo.standalone,

+            f"ou=People,{DEFAULT_SUFFIX}").set('aci', f'(targetattr ="userpassword")'

+                                                      f'(version 3.0;acl "Allow passwords admin to write user '

+                                                      f'passwords";allow (write)(groupdn = "ldap:///{admin_grp.dn}");)')

+     # Add group as password admin

+     Config(topo.standalone).replace('passwordAdminDN', admin_grp.dn)

+     # Test password admin group to modify password of another admin user

+     change_password_of_user(topo, [

+         ('uid=pwadm_admin_2,ou=People', 'Secret123', 'hello')],

+                             f'uid=pwadm_admin_3,ou=people,{DEFAULT_SUFFIX}')

+     # Use admin user to perform a password update on Directory Manager user

+     with pytest.raises(ldap.INSUFFICIENT_ACCESS):

+         change_password_of_user(topo, [('uid=pwadm_admin_2,ou=People', 'Secret123', 'hello')],

+                                 f'{DN_DM},{DEFAULT_SUFFIX}')

+     # Add top level container

+     ou = OrganizationalUnits(topo.standalone, DEFAULT_SUFFIX).create(properties={'ou': 'pwadm_locpol'})

+     # Change user's password by admin user. Break the global policy rule

+     # Add new user in password admin group

+     user = _create_user(topo, 'pwadm_locpol_user', 'ou=pwadm_locpol')

+     user.replace('userpassword', 'Secret123')

+     # Create local policy configuration entry

+     _create_pwp(topo, ou.dn)

+     # Set parameter for pwp

+     for para_meter, op_op in [

+         ('passwordLockout', 'on'),

+         ('passwordMaxFailure', '4'),

+         ('passwordLockoutDuration', '10'),

+         ('passwordResetFailureCount', '100'),

+         ('passwordMinLength', '8'),

+         ('passwordAdminDN', f'cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}')]:

+         change_pwp_parameter(topo, 'ou=pwadm_locpol', para_meter, op_op)

+     # Set ACI

+     OrganizationalUnit(topo.standalone,

+                        ou.dn).set('aci',

+                                   f'(targetattr ="userpassword")'

+                                   f'(version 3.0;acl "Allow passwords admin to write user '

+                                   f'passwords";allow (write)'

+                                   f'(groupdn = "ldap:///cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}");)')

+     # Change password with new admin

+     change_password_of_user(topo, [('uid=pwadm_admin_2,ou=People', 'Secret123', 'Sec')], user.dn)

+     # Set global parameter

+     Config(topo.standalone).replace_many(

+         ('passwordTrackUpdateTime', 'on'),

+         ('passwordGraceLimit', '4'),

+         ('passwordHistory', 'on'),

+         ('passwordInHistory', '4'))

+     # Test password admin group for global password policy

+     change_password_of_user(topo, [('uid=pwadm_admin_2,ou=People', 'Secret123', 'Sec')],

+                             f'uid=pwadm_user_2,ou=People,{DEFAULT_SUFFIX}')

+     # Adding admin group for local policy

+     grp = UniqueGroup(topo.standalone, f'cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}')

+     grp.add('uniqueMember', f'uid=pwadm_admin_4,ou=People,{DEFAULT_SUFFIX}')

+     # Modify ordinary user's password

+     change_password_of_user(topo, [('uid=pwadm_admin_4,ou=People', 'Secret123', 'Secret')],

+                             f'uid=pwadm_user_2,ou=People,{DEFAULT_SUFFIX}')

+     # Modify user DN using modrdn of a user in password admin group

+     UserAccount(topo.standalone, f'uid=pwadm_admin_4,ou=People,{DEFAULT_SUFFIX}').rename('uid=pwadm_admin_4_new')

+     # Remove admin

+     grp.remove('uniqueMember', f'uid=pwadm_admin_4,ou=People,{DEFAULT_SUFFIX}')

+     # Add Admin

+     grp.add('uniqueMember', f'uid=pwadm_admin_4_new,ou=People,{DEFAULT_SUFFIX}')

+     # Test the group pwp again

+     with pytest.raises(ldap.INVALID_CREDENTIALS):

+         change_password_of_user(topo, [(f'uid=pwadm_admin_4,ou=People', 'Secret123', 'Secret1')],

+                                 f'uid=pwadm_user_2,ou=People,{DEFAULT_SUFFIX}')

+     change_password_of_user(topo, [(f'uid=pwadm_admin_4_new,ou=People', 'Secret123', 'Secret1')],

+                             f'uid=pwadm_user_2,ou=People,{DEFAULT_SUFFIX}')

+     with pytest.raises(ldap.INVALID_SYNTAX):

+         Config(topo.standalone).replace('passwordAdminDN', "Invalid")

+     # Test assigning invalid value to password admin attribute

+     # Try to add more than one Password Admin attribute to config file

+     with pytest.raises(ldap.OBJECT_CLASS_VIOLATION):

+         Config(topo.standalone).replace('passwordAdminDN',

+                                         [f'uid=pwadm_admin_2,ou=people,{DEFAULT_SUFFIX}',

+                                          f'uid=pwadm_admin_3,ou=people,{DEFAULT_SUFFIX}'])

+     # Use admin group setup from previous, but delete ACI from that

+     people = Domain(topo.standalone, f"ou=People,{DEFAULT_SUFFIX}")

+     people.remove('aci',

+                   f'(targetattr ="userpassword")(version 3.0;acl '

+                   f'"Allow passwords admin to write user '

+                   f'passwords";allow (write)'

+                   f'(groupdn = "ldap:///cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}");)')

+     # Try to change user's password by admin user

+     with pytest.raises(ldap.INSUFFICIENT_ACCESS):

+         change_password_of_user(topo, [('uid=pwadm_admin_2,ou=People', 'Secret123', 'Sec')],

+                                 f'uid=pwadm_user_2,ou=People,{DEFAULT_SUFFIX}')

+     # Restore ACI

+     people.set('aci',

+                f'(targetattr ="userpassword")(version 3.0;acl '

+                f'"Allow passwords admin to write user '

+                f'passwords";allow (write)(groupdn = "ldap:///cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}");)')

+     # Edit ACIs for admin group

+     people.add('aci',

+                f'(targetattr ="userpassword")(version 3.0;acl '

+                f'"Allow passwords admin to add user '

+                f'passwords";allow (add)(groupdn = "ldap:///cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}");)')

+     UserAccount(topo.standalone, f'uid=pwadm_user_2,ou=people,{DEFAULT_SUFFIX}').replace('userpassword', 'Secret')

+     real_user = UserAccount(topo.standalone, f'uid=pwadm_user_2,ou=people,{DEFAULT_SUFFIX}')

+     conn = real_user.bind('Secret')

+     # Test new aci

+     with pytest.raises(ldap.INSUFFICIENT_ACCESS):

+         UserAccounts(conn, DEFAULT_SUFFIX, rdn='ou=People').create(properties={

+             'uid': 'ok',

+             'cn': 'ok',

+             'sn': 'ok',

+             'uidNumber': '1000',

+             'gidNumber': 'ok',

+             'homeDirectory': '/home/ok'})

+     UserAccounts(topo.standalone, DEFAULT_SUFFIX).list()

+     real_user = UserAccount(topo.standalone, f'uid=pwadm_admin_2,ou=People,{DEFAULT_SUFFIX}')

+     conn = real_user.bind('Secret123')

+     # Test new aci which has new rights

+     for uid, cn, password in [

+         ('pwadm_user_3', 'pwadm_user_1', 'U2VjcmV0MTIzCg=='),

+         ('pwadm_user_4', 'pwadm_user_2', 'U2VjcmV0MTIzCg==')]:

+         UserAccounts(conn, DEFAULT_SUFFIX, rdn='ou=People').create(properties={

+             'uid': uid,

+             'cn': cn,

+             'sn': cn,

+             'uidNumber': '1000',

+             'gidNumber': '1001',

+             'homeDirectory': f'/home/{uid}',

+             'userpassword': password})

+     # Remove ACI

+     Domain(topo.standalone,

+            f"ou=People,{DEFAULT_SUFFIX}").remove('aci',

+                                                  f'(targetattr ="userpassword")'

+                                                  f'(version 3.0;acl '

+                                                  f'"Allow passwords admin to add user '

+                                                  f'passwords";allow '

+                                                  f'(add)(groupdn = '

+                                                  f'"ldap:///cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}");)')

+     # Delete a user from password admin group

+     grp = UniqueGroup(topo.standalone, f'cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}')

+     grp.remove('uniqueMember', f'uid=pwadm_admin_2,ou=People,{DEFAULT_SUFFIX}')

+     # Change users password by ex-admin user

+     with pytest.raises(ldap.INSUFFICIENT_ACCESS):

+         change_password_of_user(topo, [('uid=pwadm_admin_2,ou=People', 'Secret123', 'Secret')],

+                                 f'uid=pwadm_user_2,ou=People,{DEFAULT_SUFFIX}')

+     # Set aci for only user

+     people = Domain(topo.standalone, f"ou=People,{DEFAULT_SUFFIX}")

+     people.remove('aci',

+                   f'(targetattr ="userpassword")(version 3.0;acl '

+                   f'"Allow passwords admin to write user '

+                   f'passwords";allow (write)(groupdn = "ldap:///cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}");)')

+     people.set('aci',

+                f'(targetattr ="userpassword")(version 3.0;acl "Allow passwords admin '

+                f'to write user passwords";allow (write)(groupdn = "ldap:///uid=pwadm_admin_1,{DEFAULT_SUFFIX}");)')

+     # Remove group from password admin configuration

+     Config(topo.standalone).replace('passwordAdminDN', f"uid=pwadm_admin_1,{DEFAULT_SUFFIX}")

+     # Change user's password by ex-admin user

+     with pytest.raises(ldap.INSUFFICIENT_ACCESS):

+         change_password_of_user(topo, [('uid=pwadm_admin_2,ou=People', 'Secret123', 'hellso')],

+                                 f'uid=pwadm_user_2,ou=People,{DEFAULT_SUFFIX}')

+     with pytest.raises(ldap.INSUFFICIENT_ACCESS):

+         change_password_of_user(topo, [('uid=pwadm_admin_2,ou=People', 'Secret123', 'hellso')],

+                                 f'uid=pwadm_admin_1,{DEFAULT_SUFFIX}')

+ 

+ 

+ @pytest.mark.bz834060

+ def test_password_max_failure_should_lockout_password(topo):

+     """Regression test for bz834060.

+ 

+     :id: f2064efa-52d9-11ea-8037-8c16451d917b

+     :setup: Standalone

+     :steps:

+         1. passwordMaxFailure should lockout password one sooner

+         2. Setting passwordLockout to \"on\"

+         3. Set maximum number of login tries to 3

+         4. Turn off passwordLegacyPolicy

+         5. Turn off local password policy, so that global is applied

+     :expected results:

+         1. Success

+         2. Success

+         3. Success

+         4. Success

+         5. Success

+     """

+     config = Config(topo.standalone)

+     config.replace_many(

+         ('passwordLockout', 'on'),

+         ('passwordMaxFailure', '3'),

+         ('passwordLegacyPolicy', 'off'),

+         ('nsslapd-pwpolicy-local', 'off'))

+     user = _create_user(topo, 'tuser', 'ou=people')

+     user.replace('userpassword', 'password')

+     for _ in range(2):

+         with pytest.raises(ldap.INVALID_CREDENTIALS):

+             user.bind('Invalid')

+     with pytest.raises(ldap.CONSTRAINT_VIOLATION):

+         user.bind("Invalid")

+     config.replace('nsslapd-pwpolicy-local', 'on')

+ 

+ 

+ @pytest.mark.bz834063

+ def test_pwd_update_time_attribute(topo):

+     """Regression test for bz834063

+ 

+     :id: ec2b1d4e-52d9-11ea-b13e-8c16451d917b

+     :setup: Standalone

+     :steps:

+         1. Add the attribute passwordTrackUpdateTime to cn=config

+         2. Add a test entry while passwordTrackUpdateTime is on

+         3. Check if new attribute pwdUpdateTime added automatically after changing the pwd

+         4. Modify User pwd

+         5. check for the pwdupdatetime attribute added to the test entry as passwordTrackUpdateTime is on

+         6. Set passwordTrackUpdateTime to OFF and modify test entry's pwd

+         7. Check passwordUpdateTime should not be changed

+         8. Record last pwdUpdateTime before changing the password

+         9. Modify Pwd

+         10. Set passwordTrackUpdateTime to ON and modify test entry's pwd,

+         check passwordUpdateTime should be changed

+         11. Try setting Invalid value for passwordTrackUpdateTime

+         12. Try setting Invalid value for pwdupdatetime

+     :expected results:

+         1. Success

+         2. Success

+         3. Success

+         4. Success

+         5. Success

+         6. Success

+         7. Success

+         8. Success

+         9. Success

+         10. Success

+         11. Fail

+         12. Fail

+     """

+     config = Config(topo.standalone)

+     # Add the attribute passwordTrackUpdateTime to cn=config

+     config.replace('passwordTrackUpdateTime', 'on')

+     # Add a test entry while passwordTrackUpdateTime is on

+     user = _create_user(topo, 'test_bz834063', None)

+     user.set('userpassword', 'Unknown')

+     # Modify User pwd

+     user.replace('userpassword', 'Unknown1')

+     # Check if new attribute pwdUpdateTime added automatically after changing the pwd

+     assert user.get_attr_val_utf8('pwdUpdateTime')

+     # Set passwordTrackUpdateTime to OFF and modify test entry's pwd

+     config.replace('passwordTrackUpdateTime', 'off')

+     # Record last pwdUpdateTime before changing the password

+     update_time = user.get_attr_val_utf8('pwdUpdateTime')

+     time.sleep(1)

+     user.replace('userpassword', 'Unknown')

+     # Check passwordUpdateTime should not be changed

+     update_time_again = user.get_attr_val_utf8('pwdUpdateTime')

+     assert update_time == update_time_again

+     # Set passwordTrackUpdateTime to ON and modify test entry's pwd,

+     # check passwordUpdateTime should be changed

+     time.sleep(1)

+     config.replace('passwordTrackUpdateTime', 'on')

+     user.replace('userpassword', 'Unknown')

+     time.sleep(1)

+     update_time_1 = user.get_attr_val_utf8('pwdUpdateTime')

+     assert update_time_again != update_time_1

+     with pytest.raises(ldap.OPERATIONS_ERROR):

+         config.replace('passwordTrackUpdateTime', "invalid")

+     with pytest.raises(ldap.UNWILLING_TO_PERFORM):

+         config.replace('pwdupdatetime', 'Invalid')

+ 

+ 

+ def test_password_track_update_time(topo):

+     """passwordTrackUpdateTime stops working with subtree password policies

+ 

+     :id: e5d3e4c6-52d9-11ea-a65e-8c16451d917b

+     :setup: Standalone

+     :steps:

+         1. Add users

+         2. Create local policy configuration entry for subsuffix

+         3. Enable passwordTrackUpdateTime to local policy configuration entry

+         4. Check that attribute passwordUpdate was added to entries

+         5. check for the pwdupdatetime attribute added to the test entry as passwordTrackUpdateTime is on

+         6. Set passwordTrackUpdateTime to OFF and modify test entry's pwd,

+         check passwordUpdateTime should not be changed

+         7. Record last pwdUpdateTime before changing the password

+         8. Modify Pwd

+         9. Check current pwdUpdateTime

+         10. Set passwordTrackUpdateTime to ON and modify test entry's pwd,

+         check passwordUpdateTime should be changed

+     :expected results:

+         1. Success

+         2. Success

+         3. Success

+         4. Success

+         5. Success

+         6. Success

+         7. Success

+         8. Success

+         9. Success

+         10. Success

+     """

+     # Add users

+     user1 = _create_user(topo, 'trac478_user1', None)

+     user2 = _create_user(topo, 'trac478_user2', None)

+     # Create local policy configuration entry for subsuffix

+     pwp_for_sufix = _create_pwp(topo, DEFAULT_SUFFIX)

+     pwp_for_user2 = _create_pwp(topo, user2.dn)

+     # Enable passwordTrackUpdateTime to local policy configuration entry

+     for instance in [pwp_for_user2, pwp_for_sufix]:

+         instance.replace('passwordTrackUpdateTime', 'on')

+     # Check that attribute passwordUpdate was added to entries

+     # check for the pwdupdatetime attribute added to the test entry as passwordTrackUpdateTime is on

+     for user in [user1, user2]:

+         user.replace('userpassword', 'pwd')

+         time.sleep(1)

+         assert user.get_attr_val_utf8('pwdUpdateTime')

+     # Set passwordTrackUpdateTime to OFF and modify test entry's pwd,

+     # check passwordUpdateTime should not be changed

+     pwp_for_sufix.replace('passwordTrackUpdateTime', 'off')

+     # Record last pwdUpdateTime before changing the password

+     last_login_time_user1 = user1.get_attr_val_utf8('pwdUpdateTime')

+     last_login_time_user2 = user2.get_attr_val_utf8('pwdUpdateTime')

+     time.sleep(1)

+     # Modify Pwd

+     user1.replace('userpassword', 'pwd1')

+     # Check current pwdUpdateTime

+     last_login_time_user1_last = user1.get_attr_val_utf8('pwdUpdateTime')

+     assert last_login_time_user1 == last_login_time_user1_last

+     # Set passwordTrackUpdateTime to ON and modify test entry's pwd,

+     #  check passwordUpdateTime should be changed

+     pwp_for_user2.replace('passwordTrackUpdateTime', 'off')

+     time.sleep(1)

+     user2.replace('userpassword', 'pwd1')

+     last_login_time_user2_last = user2.get_attr_val_utf8('pwdUpdateTime')

+     assert last_login_time_user1 == last_login_time_user1_last

+     assert last_login_time_user2 == last_login_time_user2_last

+     pwp_for_sufix.replace('passwordTrackUpdateTime', 'on')

+     user1.replace('userpassword', 'pwd1')

+     time.sleep(1)

+     last_login_time_user1_last = user1.get_attr_val_utf8('pwdUpdateTime')

+     assert last_login_time_user1 != last_login_time_user1_last

+     pwp_for_user2.replace('passwordTrackUpdateTime', 'on')

+     time.sleep(1)

+     user2.replace('userpassword', 'pwd1')

+     time.sleep(1)

+     last_login_time_user2_last = user2.get_attr_val_utf8('pwdUpdateTime')

+     assert last_login_time_user2 != last_login_time_user2_last

+ 

+ 

+ @pytest.mark.bz834063

+ def test_signal_11(topo):

+     """ns-slapd instance crashed with signal 11 SIGSEGV

+ 

+     :id: d757b9ae-52d9-11ea-802f-8c16451d917b

+     :setup: Standalone

+     :steps:

+         1. Adding new user

+         2. Modifying user passwod of uid=bz973583

+     :expected results:

+         1. Success

+         2. Success

+     """

+     user = _create_user(topo, 'bz973583', None)

+     user.set('userpassword', 'Secret123')

+     user.remove('userpassword', 'Secret123')

+     user.set('userpassword', 'new')

+     assert topo.standalone.status()

+ 

+ 

+ if __name__ == "__main__":

+     CURRENT_FILE = os.path.realpath(__file__)

+     pytest.main("-s -v %s" % CURRENT_FILE) 

\ No newline at end of file

@@ -1,134 +0,0 @@ 

- """

- # --- BEGIN COPYRIGHT BLOCK ---

- # Copyright (C) 2020 Red Hat, Inc.

- # All rights reserved.

- #

- # License: GPL (version 3 or any later version).

- # See LICENSE for details.

- # --- END COPYRIGHT BLOCK ---

- """

- 

- import os

- import pytest

- from lib389.topologies import topology_st as topo

- from lib389.idm.user import UserAccounts, UserAccount

- from lib389._constants import DEFAULT_SUFFIX

- from lib389.pwpolicy import PwPolicyManager

- from lib389.config import Config

- from lib389.idm.domain import Domain

- import time

- 

- pytestmark = pytest.mark.tier1

- 

- 

- def _create_user(topo, uid, ou):

-     user = UserAccounts(topo.standalone, DEFAULT_SUFFIX, rdn=ou).create(properties={

-         'uid': uid,

-         'cn': uid,

-         'sn': uid,

-         'mail': f'{uid}@example.com',

-         'homeDirectory': f'/home/{uid}',

-         'uidNumber': '1000',

-         'gidNumber': '1000'

-     })

-     return user

- 

- 

- def change_pwp_parameter(topo, pwp, operation, to_do):

-     pwp1 = PwPolicyManager(topo.standalone)

-     user = pwp1.get_pwpolicy_entry(f'{pwp},{DEFAULT_SUFFIX}')

-     user.replace(operation, to_do)

- 

- 

- def change_password_of_user(topo, user_password_new_pass_list, pass_to_change):

-     """

-     Will change password with self binding.

-     """

-     for user, password, new_pass in user_password_new_pass_list:

-         real_user = UserAccount(topo.standalone, f'{user},{DEFAULT_SUFFIX}')

-         conn = real_user.bind(password)

-         UserAccount(conn, pass_to_change).replace('userpassword', new_pass)

- 

- 

- @pytest.mark.bug1044164

- def test_local_password_policy(topo):

-     """Regression test for bug1044164 part 1.

- 

-     :id: d6f4a7fa-473b-11ea-8766-8c16451d917b

-     :setup: Standalone

-     :steps:

-         1. Add a User as Password Admin

-         2. Create a password admin user entry

-         3. Add an aci to allow this user all rights

-         4. Configure password admin

-         5. Create local password policy and enable passwordmustchange

-     :expected results:

-         1. Success

-         2. Success

-         3. Success

-         4. Success

-         5. Success

-     """

-     user = _create_user(topo, 'pwadm_admin_1', None)

-     user.replace('userpassword', 'Secret123')

-     Domain(topo.standalone, DEFAULT_SUFFIX).set("aci",

-                                                 f'(targetattr ="userpassword")(version 3.0;acl '

-                                                 f'"Allow password admin to write user '

-                                                 f'passwords";allow (write)(userdn = "ldap:///{user.dn}");)')

-     Config(topo.standalone).replace_many(

-         ('passwordAdminDN', user.dn),

-         ('passwordMustChange', 'off'),

-         ('nsslapd-pwpolicy-local', 'on'))

- 

- 

- @pytest.mark.bug1044164

- def test_admin_user_to_perform_password_update(topo):

-     """Regression test for bug1044164 part 2.

- 

-     :id: 374fadc0-473c-11ea-9291-8c16451d917b

-     :setup: Standalone

-     :steps:

-         1. Add another generic user but do not include the password (userpassword)

-         2. Use admin user to perform a password update on generic user

-         3. We don't need this ACI anymore. Delete it

-     :expected results:

-         1. Success

-         2. Success

-         3. Success

-     """

-     for uid, ou_ou in [('pwadm_user_1', None), ('pwadm_user_2', 'ou=People')]:

-         _create_user(topo, uid, ou_ou)

-     real_user = UserAccount(topo.standalone, f'uid=pwadm_admin_1,{DEFAULT_SUFFIX}')

-     conn = real_user.bind('Secret123')

-     UserAccount(conn, f'uid=pwadm_user_1,{DEFAULT_SUFFIX}').replace('userpassword', 'hello')

-     Domain(topo.standalone, DEFAULT_SUFFIX).remove('aci',

-                                                    '(targetattr ="userpassword")(version 3.0;acl '

-                                                    '"Allow password admin to write user '

-                                                    'passwords";allow (write)'

-                                                    '(userdn = "ldap:///uid=pwadm_admin_1,dc=example,dc=com");)')

- 

- 

- @pytest.mark.bug1118006

- def test_passwordexpirationtime_attribute(topo):

-     """Regression test for bug1118006.

- 

-     :id: 867472d2-473c-11ea-b583-8c16451d917b

-     :setup: Standalone

-     :steps:

-         1. Check that the passwordExpirationTime attribute is set to the epoch date

-     :expected results:

-         1. Success

-     """

-     Config(topo.standalone).replace('passwordMustChange', 'on')

-     epoch_date = "19700101000000Z"

-     time.sleep(1)

-     UserAccount(topo.standalone, f'uid=pwadm_user_1,{DEFAULT_SUFFIX}').replace('userpassword', 'Secret123')

-     time.sleep(1)

-     assert UserAccount(topo.standalone, f'uid=pwadm_user_1,{DEFAULT_SUFFIX}').get_attr_val_utf8('passwordExpirationTime') == epoch_date

-     Config(topo.standalone).replace('passwordMustChange', 'off')

-     time.sleep(1)

- 

- 

- if __name__ == "__main__":

-     CURRENT_FILE = os.path.realpath(__file__)

-     pytest.main("-s -v %s" % CURRENT_FILE) 

\ No newline at end of file

Bug Description: Port Password Policy test cases from TET to python3 series of bugs final

Relates: https://pagure.io/389-ds-base/issue/50690

Author: aborah

Reviewed by: ???

rebased onto 4cd22113e0ec18e89982ce20f608bd5d135d5dd5

2 years ago

rebased onto 2c9657fc141a57edf30aeae24467a080f046225e

2 years ago

rebased onto ded6769

2 years ago

Pull-Request has been merged by vashirov

2 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This pull request has been cloned to Github as issue and is available here:
- https://github.com/389ds/389-ds-base/issues/3970

If you want to continue to work on the PR, please navigate to the github issue,
download the patch from the attachments and file a new pull request.

Thank you for understanding. We apologize for all inconvenience.

Pull-Request has been closed by spichugi

a year ago