From a85f64d2c4fa2718748a205d4ae0ebab47513199 Mon Sep 17 00:00:00 2001
From: Mark Reynolds
Date: Mon, 8 Jan 2018 11:34:02 -0500
Subject: [PATCH] Ticket 49524 - Password policy: minimum token length fails when the token length is equal to attribute length
Bug Description: The token checking breaks when the password is the exact value of the entry attribute.
Fix Description: Remove the "equal" part of the string comparisons.
https://pagure.io/389-ds-base/issue/49524
Reviewed by: firstyear & spichugi(Thanks!!)
(cherry picked from commit 790be09fc434d394239bf2486d01f212b36cf0e3)
---
 .../tests/suites/password/pwdPolicy_token_test.py | 75 ++++++++++++++++++++++
 ldap/servers/slapd/pw.c | 2 +-
 ldap/servers/slapd/utf8.c | 2 +-
 3 files changed, 77 insertions(+), 2 deletions(-)
 create mode 100644 dirsrvtests/tests/suites/password/pwdPolicy_token_test.py
diff --git a/dirsrvtests/tests/suites/password/pwdPolicy_token_test.py b/dirsrvtests/tests/suites/password/pwdPolicy_token_test.py
new file mode 100644
index 000000000..7a4de9c85
--- /dev/null
+++ b/dirsrvtests/tests/suites/password/pwdPolicy_token_test.py
@@ -0,0 +1,75 @@
+import logging
+import pytest
+import os
+import time
+import ldap
+from lib389._constants import *
+from lib389.idm.user import UserAccounts
+from lib389.topologies import topology_st as topo
+
+DEBUGGING = os.getenv("DEBUGGING", default=False)
+if DEBUGGING:
+ logging.getLogger(__name__).setLevel(logging.DEBUG)
+else:
+ logging.getLogger(__name__).setLevel(logging.INFO)
+log = logging.getLogger(__name__)
+
+USER_DN = 'uid=Test_user1,ou=People,dc=example,dc=com'
+TOKEN = 'test_user1'
+
+user_properties = {
+ 'uid': 'Test_user1',
+ 'cn': 'test_user1',
+ 'sn': 'test_user1',
+ 'uidNumber': '1001',
+ 'gidNumber': '2001',
+ 'userpassword': PASSWORD,
+ 'description': 'userdesc',
+ 'homeDirectory': '/home/{}'.format('test_user')}
+
+
+def pwd_setup(topo):
+ topo.standalone.config.replace_many(('passwordCheckSyntax', 'on'),
+ ('passwordMinLength', '4'),
+ ('passwordMinCategories', '1'))
+ users = UserAccounts(topo.standalone, DEFAULT_SUFFIX)
+ return users.create(properties=user_properties)
+
+
+def test_token_lengths(topo):
+ """Test that password token length is enforced for various lengths including
+ the same length as the attribute being checked by the policy.
+
+ :id: dae9d916-2a03-4707-b454-9e901d295b13
+ :setup: Standalone instance
+ :steps:
+ 1. Test token length rejects password of the same length as rdn value
+ :expectedresults:
+ 1. Passwords are rejected
+ """
+ user = pwd_setup(topo)
+ for length in ['4', '6', '10']:
+ topo.standalone.simple_bind_s(DN_DM, PASSWORD)
+ topo.standalone.config.set('passwordMinTokenLength', length)
+ topo.standalone.simple_bind_s(USER_DN, PASSWORD)
+ time.sleep(1)
+
+ try:
+ passwd = TOKEN[:int(length)]
+ log.info("Testing password len {} token ({})".format(length, passwd))
+ user.replace('userpassword', passwd)
+ log.fatal('Password incorrectly allowed!')
+ assert False
+ except ldap.CONSTRAINT_VIOLATION as e:
+ log.info('Password correctly rejected: ' + str(e))
+ except ldap.LDAPError as e:
+ log.fatal('Unexpected failure ' + str(e))
+ assert False
+
+
+if __name__ == '__main__':
+ # Run isolated
+ # -s for DEBUG mode
+ CURRENT_FILE = os.path.realpath(__file__)
+ pytest.main("-s %s" % CURRENT_FILE)
+
diff --git a/ldap/servers/slapd/pw.c b/ldap/servers/slapd/pw.c
index e625962e8..0cf795b41 100644
--- a/ldap/servers/slapd/pw.c
+++ b/ldap/servers/slapd/pw.c
@@ -1465,7 +1465,7 @@ check_trivial_words(Slapi_PBlock *pb, Slapi_Entry *e, Slapi_Value **vals, char *
 sp = slapi_ch_strdup(slapi_value_get_string(valp));
 ep = sp + strlen(sp);
 ep = ldap_utf8prevn(sp, ep, toklen);
- if (!ep || (sp >= ep)) {
+ if (!ep || (sp > ep)) {
 slapi_ch_free_string(&sp);
 continue;
 }
diff --git a/ldap/servers/slapd/utf8.c b/ldap/servers/slapd/utf8.c
index b0667c636..4538625b3 100644
--- a/ldap/servers/slapd/utf8.c
+++ b/ldap/servers/slapd/utf8.c
@@ -152,7 +152,7 @@ ldap_utf8prevn(char *s, char *from, int n)
 }
 for (; n > 0; --n) {
 prev = ldap_utf8prev(prev);
- if ((prev <= s) && (n > 0)) {
+ if ((n > 0) && (prev < s)) {
 return NULL;
 }
 }
-- 
2.13.6
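Review bot: test_token_lengths only exercises the rejection path, so a regression that makes the server reject every password change, or a CONSTRAINT_VIOLATION raised by some other syntax rule, would still let the test pass; add a positive control after the loop that replaces userpassword with a value containing no substring of TOKEN and asserts the change succeeds, so the test pins the token rule specifically. The `log.fatal('Password incorrectly allowed!')` / `assert False` pairs would read better as `pytest.fail('Password incorrectly allowed!')`, since pytest is already imported and the message then appears in the failure report instead of only in the log. `DEBUGGING = os.getenv("DEBUGGING", default=False)` treats any set value, including "0" or "false", as debug on; harmless here, but worth a comment or a proper parse.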
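Review bot: The relaxed `sp > ep` test only has an effect together with the utf8.c change in this commit, because the old ldap_utf8prevn returned NULL as soon as prev reached s, so a value of exactly toklen characters was dropped before this comparison ever ran; the two hunks have to land together and the intent deserves a comment here, e.g. `/* ep == sp: the value is exactly toklen chars long, still a checkable token */`. Judging by the utf8.c hunk, ldap_utf8prevn returns NULL rather than a pointer below s, so `sp > ep` looks unreachable and is effectively a defensive guard; if that is the intent, the same comment should say so. check_trivial_words starts and ends outside the hunk.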
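Review bot: Moving the bound from `prev <= s` to `prev < s` lets the loop continue with prev == s while n is still positive, and the next iteration then calls `ldap_utf8prev(s)` before the new test runs; if ldap_utf8prev walks back from prev - 1 (its body is outside the hunk) that is a read before the start of the buffer for any value shorter than n characters, which for the caller in pw.c is a heap block from slapi_ch_strdup. Checking before stepping avoids the read while keeping the exact-length case: put `if (prev <= s) { return NULL; }` ahead of `prev = ldap_utf8prev(prev);` inside the loop, which also drops the `(n > 0)` term that is always true inside `for (; n > 0; --n)`. What ldap_utf8prevn returns after the loop is outside the hunk.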