Commit bed247a3 authored by Tim Beale's avatar Tim Beale Committed by Mathieu Parent

CVE-2018-16857 tests: Sanity-check password lockout works with default values

Sanity-check that when we use the default lockOutObservationWindow that
user lockout actually works.

The easiest way to do this is to reuse the _test_login_lockout()
test-case, but stop at the point where we wait for the lockout duration
to expire (because we don't want the test to wait 30 mins).

This highlights a problem currently where the default values don't work.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13683Signed-off-by: default avatarTim Beale <timbeale@catalyst.net.nz>
Reviewed-by: default avatarAndrew Bartlett <abartlet@samba.org>
parent 6563b5bf
samba4.ldap.password_lockout.python\(ad_dc_ntvfs\).__main__.PasswordTestsWithDefaults.test_pso_login_lockout_krb5\(ad_dc_ntvfs\)
samba4.ldap.password_lockout.python\(ad_dc_ntvfs\).__main__.PasswordTestsWithDefaults.test_pso_login_lockout_ntlm\(ad_dc_ntvfs\)
samba4.ldap.password_lockout.python\(ad_dc_ntvfs\).__main__.PasswordTestsWithDefaults.test_login_lockout_ntlm\(ad_dc_ntvfs\)
samba4.ldap.password_lockout.python\(ad_dc_ntvfs\).__main__.PasswordTestsWithDefaults.test_login_lockout_krb5\(ad_dc_ntvfs\)
......@@ -1415,6 +1415,36 @@ userPassword: """ + userpass + """
self._testing_add_user(lockout4ntlm_creds,
lockOutObservationWindow=self.lockout_observation_window)
class PasswordTestsWithDefaults(PasswordTests):
def setUp(self):
# The tests in this class do not sleep, so we can use the default
# timeout windows here
self.account_lockout_duration = 30 * 60
self.lockout_observation_window = 30 * 60
super(PasswordTestsWithDefaults, self).setUp()
# sanity-check that user lockout works with the default settings (we just
# check the user is locked out - we don't wait for the lockout to expire)
def test_login_lockout_krb5(self):
self._test_login_lockout(self.lockout1krb5_creds,
wait_lockout_duration=False)
def test_login_lockout_ntlm(self):
self._test_login_lockout(self.lockout1ntlm_creds,
wait_lockout_duration=False)
# Repeat the login lockout tests using PSOs
def test_pso_login_lockout_krb5(self):
"""Check the PSO lockout settings get applied to the user correctly"""
self.use_pso_lockout_settings(self.lockout1krb5_creds)
self._test_login_lockout(self.lockout1krb5_creds,
wait_lockout_duration=False)
def test_pso_login_lockout_ntlm(self):
"""Check the PSO lockout settings get applied to the user correctly"""
self.use_pso_lockout_settings(self.lockout1ntlm_creds)
self._test_login_lockout(self.lockout1ntlm_creds,
wait_lockout_duration=False)
host_url = "ldap://%s" % host
......
......@@ -365,7 +365,7 @@ lockoutThreshold: """ + str(lockoutThreshold) + """
def tearDown(self):
super(BasePasswordTestCase, self).tearDown()
def _test_login_lockout(self, creds):
def _test_login_lockout(self, creds, wait_lockout_duration=True):
username = creds.get_username()
userpass = creds.get_password()
userdn = "cn=%s,cn=users,%s" % (username, self.base_dn)
......@@ -563,6 +563,10 @@ lockoutThreshold: """ + str(lockoutThreshold) + """
userAccountControl=dsdb.UF_NORMAL_ACCOUNT,
msDSUserAccountControlComputed=dsdb.UF_LOCKOUT)
# if we're just checking the user gets locked out, we can stop here
if not wait_lockout_duration:
return
# wait for the lockout to end
time.sleep(self.account_lockout_duration + 1)
print(self.account_lockout_duration + 1)
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment