|
 |
96373c |
From a85f64d2c4fa2718748a205d4ae0ebab47513199 Mon Sep 17 00:00:00 2001
|
|
|
96373c |
From: Mark Reynolds <mreynolds@redhat.com>
|
|
|
96373c |
Date: Mon, 8 Jan 2018 11:34:02 -0500
|
|
|
96373c |
Subject: [PATCH] Ticket 49524 - Password policy: minimum token length fails
|
|
|
96373c |
when the token length is equal to attribute length
|
|
|
96373c |
|
|
|
96373c |
Bug Description: The token checking breaks when the password is the
|
|
|
96373c |
exact value of the entry attribute.
|
|
|
96373c |
|
|
|
96373c |
Fix Description: Remove the "equal" part of the string comparisons.
|
|
|
96373c |
|
|
|
96373c |
https://pagure.io/389-ds-base/issue/49524
|
|
|
96373c |
|
|
|
96373c |
Reviewed by: firstyear & spichugi(Thanks!!)
|
|
|
96373c |
|
|
|
96373c |
(cherry picked from commit 790be09fc434d394239bf2486d01f212b36cf0e3)
|
|
|
96373c |
---
|
|
|
96373c |
.../tests/suites/password/pwdPolicy_token_test.py | 75 ++++++++++++++++++++++
|
|
|
96373c |
ldap/servers/slapd/pw.c | 2 +-
|
|
|
96373c |
ldap/servers/slapd/utf8.c | 2 +-
|
|
|
96373c |
3 files changed, 77 insertions(+), 2 deletions(-)
|
|
|
96373c |
create mode 100644 dirsrvtests/tests/suites/password/pwdPolicy_token_test.py
|
|
|
96373c |
|
|
|
96373c |
diff --git a/dirsrvtests/tests/suites/password/pwdPolicy_token_test.py b/dirsrvtests/tests/suites/password/pwdPolicy_token_test.py
|
|
|
96373c |
new file mode 100644
|
|
|
96373c |
index 000000000..7a4de9c85
|
|
|
96373c |
--- /dev/null
|
|
|
96373c |
+++ b/dirsrvtests/tests/suites/password/pwdPolicy_token_test.py
|
|
|
96373c |
@@ -0,0 +1,75 @@
|
|
|
96373c |
+import logging
|
|
|
96373c |
+import pytest
|
|
|
96373c |
+import os
|
|
|
96373c |
+import time
|
|
|
96373c |
+import ldap
|
|
|
96373c |
+from lib389._constants import *
|
|
|
96373c |
+from lib389.idm.user import UserAccounts
|
|
|
96373c |
+from lib389.topologies import topology_st as topo
|
|
|
96373c |
+
|
|
|
96373c |
+DEBUGGING = os.getenv("DEBUGGING", default=False)
|
|
|
96373c |
+if DEBUGGING:
|
|
|
96373c |
+ logging.getLogger(__name__).setLevel(logging.DEBUG)
|
|
|
96373c |
+else:
|
|
|
96373c |
+ logging.getLogger(__name__).setLevel(logging.INFO)
|
|
|
96373c |
+log = logging.getLogger(__name__)
|
|
|
96373c |
+
|
|
|
96373c |
+USER_DN = 'uid=Test_user1,ou=People,dc=example,dc=com'
|
|
|
96373c |
+TOKEN = 'test_user1'
|
|
|
96373c |
+
|
|
|
96373c |
+user_properties = {
|
|
|
96373c |
+ 'uid': 'Test_user1',
|
|
|
96373c |
+ 'cn': 'test_user1',
|
|
|
96373c |
+ 'sn': 'test_user1',
|
|
|
96373c |
+ 'uidNumber': '1001',
|
|
|
96373c |
+ 'gidNumber': '2001',
|
|
|
96373c |
+ 'userpassword': PASSWORD,
|
|
|
96373c |
+ 'description': 'userdesc',
|
|
|
96373c |
+ 'homeDirectory': '/home/{}'.format('test_user')}
|
|
|
96373c |
+
|
|
|
96373c |
+
|
|
|
96373c |
+def pwd_setup(topo):
|
|
|
96373c |
+ topo.standalone.config.replace_many(('passwordCheckSyntax', 'on'),
|
|
|
96373c |
+ ('passwordMinLength', '4'),
|
|
|
96373c |
+ ('passwordMinCategories', '1'))
|
|
|
96373c |
+ users = UserAccounts(topo.standalone, DEFAULT_SUFFIX)
|
|
|
96373c |
+ return users.create(properties=user_properties)
|
|
|
96373c |
+
|
|
|
96373c |
+
|
|
|
96373c |
+def test_token_lengths(topo):
|
|
|
96373c |
+ """Test that password token length is enforced for various lengths including
|
|
|
96373c |
+ the same length as the attribute being checked by the policy.
|
|
|
96373c |
+
|
|
|
96373c |
+ :id: dae9d916-2a03-4707-b454-9e901d295b13
|
|
|
96373c |
+ :setup: Standalone instance
|
|
|
96373c |
+ :steps:
|
|
|
96373c |
+ 1. Test token length rejects password of the same length as rdn value
|
|
|
96373c |
+ :expectedresults:
|
|
|
96373c |
+ 1. Passwords are rejected
|
|
|
96373c |
+ """
|
|
|
96373c |
+ user = pwd_setup(topo)
|
|
|
96373c |
+ for length in ['4', '6', '10']:
|
|
|
96373c |
+ topo.standalone.simple_bind_s(DN_DM, PASSWORD)
|
|
|
96373c |
+ topo.standalone.config.set('passwordMinTokenLength', length)
|
|
|
96373c |
+ topo.standalone.simple_bind_s(USER_DN, PASSWORD)
|
|
|
96373c |
+ time.sleep(1)
|
|
|
96373c |
+
|
|
|
96373c |
+ try:
|
|
|
96373c |
+ passwd = TOKEN[:int(length)]
|
|
|
96373c |
+ log.info("Testing password len {} token ({})".format(length, passwd))
|
|
|
96373c |
+ user.replace('userpassword', passwd)
|
|
|
96373c |
+ log.fatal('Password incorrectly allowed!')
|
|
|
96373c |
+ assert False
|
|
|
96373c |
+ except ldap.CONSTRAINT_VIOLATION as e:
|
|
|
96373c |
+ log.info('Password correctly rejected: ' + str(e))
|
|
|
96373c |
+ except ldap.LDAPError as e:
|
|
|
96373c |
+ log.fatal('Unexpected failure ' + str(e))
|
|
|
96373c |
+ assert False
|
|
|
96373c |
+
|
|
|
96373c |
+
|
|
|
96373c |
+if __name__ == '__main__':
|
|
|
96373c |
+ # Run isolated
|
|
|
96373c |
+ # -s for DEBUG mode
|
|
|
96373c |
+ CURRENT_FILE = os.path.realpath(__file__)
|
|
|
96373c |
+ pytest.main("-s %s" % CURRENT_FILE)
|
|
|
96373c |
+
|
|
|
96373c |
diff --git a/ldap/servers/slapd/pw.c b/ldap/servers/slapd/pw.c
|
|
|
96373c |
index e625962e8..0cf795b41 100644
|
|
|
96373c |
--- a/ldap/servers/slapd/pw.c
|
|
|
96373c |
+++ b/ldap/servers/slapd/pw.c
|
|
|
96373c |
@@ -1465,7 +1465,7 @@ check_trivial_words(Slapi_PBlock *pb, Slapi_Entry *e, Slapi_Value **vals, char *
|
|
|
96373c |
sp = slapi_ch_strdup(slapi_value_get_string(valp));
|
|
|
96373c |
ep = sp + strlen(sp);
|
|
|
96373c |
ep = ldap_utf8prevn(sp, ep, toklen);
|
|
|
96373c |
- if (!ep || (sp >= ep)) {
|
|
|
96373c |
+ if (!ep || (sp > ep)) {
|
|
|
96373c |
slapi_ch_free_string(&sp);
|
|
|
96373c |
continue;
|
|
|
96373c |
}
|
|
|
96373c |
diff --git a/ldap/servers/slapd/utf8.c b/ldap/servers/slapd/utf8.c
|
|
|
96373c |
index b0667c636..4538625b3 100644
|
|
|
96373c |
--- a/ldap/servers/slapd/utf8.c
|
|
|
96373c |
+++ b/ldap/servers/slapd/utf8.c
|
|
|
96373c |
@@ -152,7 +152,7 @@ ldap_utf8prevn(char *s, char *from, int n)
|
|
|
96373c |
}
|
|
|
96373c |
for (; n > 0; --n) {
|
|
|
96373c |
prev = ldap_utf8prev(prev);
|
|
|
96373c |
- if ((prev <= s) && (n > 0)) {
|
|
|
96373c |
+ if ((n > 0) && (prev < s)) {
|
|
|
96373c |
return NULL;
|
|
|
96373c |
}
|
|
|
96373c |
}
|
|
|
96373c |
--
|
|
|
96373c |
2.13.6
|
|
|
96373c |
|