password_lockout: Move lockoutObservationWindow tests from setUp
authorGarming Sam <garming@catalyst.net.nz>
Thu, 6 Apr 2017 04:21:53 +0000 (16:21 +1200)
committerGarming Sam <garming@samba.org>
Thu, 13 Apr 2017 05:29:17 +0000 (07:29 +0200)
These do not belong in setUp and should be a separate test.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
source4/dsdb/tests/python/password_lockout.py
source4/dsdb/tests/python/password_lockout_base.py

index 2e345d9db710b043e55fc3802be6b0ae36702e1f..c843e37cb8477f49f8849c2e5fd01d3238d91e06 100755 (executable)
@@ -973,6 +973,31 @@ unicodePwd:: """ + base64.b64encode(new_utf16) + """
     def test_multiple_logon_ntlm(self):
         self._test_multiple_logon(self.lockout1ntlm_creds)
 
+    def test_lockout_observation_window(self):
+        lockout3krb5_creds = self.insta_creds(self.template_creds,
+                                              username="lockout3krb5",
+                                              userpass="thatsAcomplPASS0",
+                                              kerberos_state=MUST_USE_KERBEROS)
+        self._testing_add_user(lockout3krb5_creds)
+
+        lockout4krb5_creds = self.insta_creds(self.template_creds,
+                                              username="lockout4krb5",
+                                              userpass="thatsAcomplPASS0",
+                                              kerberos_state=MUST_USE_KERBEROS)
+        self._testing_add_user(lockout4krb5_creds,
+                               lockOutObservationWindow=self.lockout_observation_window)
+
+        lockout3ntlm_creds = self.insta_creds(self.template_creds,
+                                              username="lockout3ntlm",
+                                              userpass="thatsAcomplPASS0",
+                                              kerberos_state=DONT_USE_KERBEROS)
+        self._testing_add_user(lockout3ntlm_creds)
+        lockout4ntlm_creds = self.insta_creds(self.template_creds,
+                                              username="lockout4ntlm",
+                                              userpass="thatsAcomplPASS0",
+                                              kerberos_state=DONT_USE_KERBEROS)
+        self._testing_add_user(lockout4ntlm_creds,
+                               lockOutObservationWindow=self.lockout_observation_window)
 
 host_url = "ldap://%s" % host
 
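Review bot: test_lockout_observation_window has no docstring and no assertion of its own. The four credential objects are locals that are never used after `_testing_add_user` returns, so whatever is verified about the observation window is verified inside that helper, whose body is mostly outside this page. A docstring such as `"""Add krb5 and NTLM users with the default and the configured lockOutObservationWindow; the checks are done in _testing_add_user."""` would tell a reader where to look when the test fails. The four near-identical blocks could also be a loop over `(username, kerberos_state, window)` tuples, so that one case cannot drift from the others unnoticed.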
index 1b149799d3f33b4efa7521433ae1a540042872b6..514a5aa57714d865f27e6fc5bf099868610feaed 100644 (file)
@@ -195,6 +195,51 @@ class BasePasswordTestCase(samba.tests.TestCase):
         userpass = creds.get_password()
         userdn = "cn=%s,cn=users,%s" % (username, self.base_dn)
 
+        delete_force(self.ldb, userdn)
+        self.ldb.add({
+             "dn": userdn,
+             "objectclass": "user",
+             "sAMAccountName": username})
+
+        self.addCleanup(delete_force, self.ldb, userdn)
+
+        # Sets the initial user password with a "special" password change
+        # I think that this internally is a password set operation and it can
+        # only be performed by someone which has password set privileges on the
+        # account (at least in s4 we do handle it like that).
+        self.ldb.modify_ldif("""
+dn: """ + userdn + """
+changetype: modify
+delete: userPassword
+add: userPassword
+userPassword: """ + userpass + """
+""")
+        # Enables the user account
+        self.ldb.enable_account("(sAMAccountName=%s)" % username)
+
+        use_kerberos = creds.get_kerberos_state()
+        fail_creds = self.insta_creds(self.template_creds,
+                                      username=username,
+                                      userpass=userpass+"X",
+                                      kerberos_state=use_kerberos)
+
+        # Fail once to get a badPasswordTime
+        try:
+            ldb = SamDB(url=self.host_url, credentials=fail_creds, lp=self.lp)
+            self.fail()
+        except LdbError, (num, msg):
+            self.assertEquals(num, ERR_INVALID_CREDENTIALS)
+
+        # Succeed to reset everything to 0
+        ldb = SamDB(url=self.host_url, credentials=creds, lp=self.lp)
+
+        return ldb
+
+    def _testing_add_user(self, creds, lockOutObservationWindow=0):
+        username = creds.get_username()
+        userpass = creds.get_password()
+        userdn = "cn=%s,cn=users,%s" % (username, self.base_dn)
+
         use_kerberos = creds.get_kerberos_state()
         if use_kerberos == MUST_USE_KERBEROS:
             logoncount_relation = 'greater'
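Review bot: The LDIF passed to `self.ldb.modify_ldif` is built by concatenating `userdn` and `userpass` into the text, so a password containing a newline, or starting with a space, `:` or `<`, would be parsed as something other than the intended value. The callers visible on this page pass fixed strings, so this is a robustness point for a shared base-class helper rather than a live issue. The base64 form, `userPassword:: """ + base64.b64encode(userpass) + """`, avoids it, provided `base64` is imported in this file (not visible here). The same applies to `"(sAMAccountName=%s)" % username`, where the name goes into the search filter unescaped. The function these added lines belong to starts above the hunk, and the `ldb` assigned inside the `try` is never read.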