Posted to commits@directory.apache.org by ka...@apache.org on 2010/07/13 20:59:57 UTC
svn commit: r963824 - in
/directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authn/ppolicy:
./ PasswordPolicyTest.java
Author: kayyagari
Date: Tue Jul 13 18:59:57 2010
New Revision: 963824
URL: http://svn.apache.org/viewvc?rev=963824&view=rev
Log:
o test case for pwdpolicy implementation
Added:
directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authn/ppolicy/
directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authn/ppolicy/PasswordPolicyTest.java
Added: directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authn/ppolicy/PasswordPolicyTest.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authn/ppolicy/PasswordPolicyTest.java?rev=963824&view=auto
==============================================================================
--- directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authn/ppolicy/PasswordPolicyTest.java (added)
+++ directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authn/ppolicy/PasswordPolicyTest.java Tue Jul 13 18:59:57 2010
@@ -0,0 +1,253 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+
+package org.apache.directory.server.core.authn.ppolicy;
+
+
+import static org.apache.directory.server.core.integ.IntegrationUtils.getAdminNetworkConnection;
+import static org.apache.directory.server.core.integ.IntegrationUtils.getNetworkConnectionAs;
+import static org.apache.directory.shared.ldap.codec.controls.ppolicy.PasswordPolicyErrorEnum.INSUFFICIENT_PASSWORD_QUALITY;
+import static org.apache.directory.shared.ldap.codec.controls.ppolicy.PasswordPolicyErrorEnum.PASSWORD_TOO_SHORT;
+import static org.apache.directory.shared.ldap.codec.controls.ppolicy.PasswordPolicyErrorEnum.PASSWORD_TOO_YOUNG;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertTrue;
+
+import org.apache.directory.ldap.client.api.LdapConnection;
+import org.apache.directory.ldap.client.api.message.AbstractResponseWithResult;
+import org.apache.directory.ldap.client.api.message.AddRequest;
+import org.apache.directory.ldap.client.api.message.AddResponse;
+import org.apache.directory.ldap.client.api.message.ModifyRequest;
+import org.apache.directory.ldap.client.api.message.ModifyResponse;
+import org.apache.directory.server.annotations.CreateLdapServer;
+import org.apache.directory.server.annotations.CreateTransport;
+import org.apache.directory.server.core.annotations.CreateDS;
+import org.apache.directory.server.core.authn.AuthenticationInterceptor;
+import org.apache.directory.server.core.authn.PasswordPolicyConfiguration;
+import org.apache.directory.server.core.authn.PasswordUtil;
+import org.apache.directory.server.core.integ.AbstractLdapTestUnit;
+import org.apache.directory.server.core.integ.FrameworkRunner;
+import org.apache.directory.server.core.integ.IntegrationUtils;
+import org.apache.directory.shared.ldap.codec.controls.ppolicy.PasswordPolicyRequestControl;
+import org.apache.directory.shared.ldap.codec.controls.ppolicy.PasswordPolicyResponseControl;
+import org.apache.directory.shared.ldap.codec.controls.ppolicy.PasswordPolicyResponseControlDecoder;
+import org.apache.directory.shared.ldap.constants.LdapSecurityConstants;
+import org.apache.directory.shared.ldap.constants.SchemaConstants;
+import org.apache.directory.shared.ldap.entry.DefaultEntry;
+import org.apache.directory.shared.ldap.entry.Entry;
+import org.apache.directory.shared.ldap.entry.EntryAttribute;
+import org.apache.directory.shared.ldap.message.ResultCodeEnum;
+import org.apache.directory.shared.ldap.message.control.Control;
+import org.apache.directory.shared.ldap.name.DN;
+import org.apache.directory.shared.ldap.util.StringTools;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+/**
+ * Test cases for testing PasswordPolicy implementation.
+ *
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ */
+@RunWith(FrameworkRunner.class)
+@CreateLdapServer (
+ transports =
+ {
+ @CreateTransport( protocol = "LDAP" ),
+ @CreateTransport( protocol = "LDAPS" )
+ })
+@CreateDS( enableChangeLog=false )
+public class PasswordPolicyTest extends AbstractLdapTestUnit
+{
+ private PasswordPolicyConfiguration policyConfig;
+
+ private static final PasswordPolicyRequestControl PP_REQ_CTRL = new PasswordPolicyRequestControl();
+
+ private static final PasswordPolicyResponseControlDecoder decoder = new PasswordPolicyResponseControlDecoder();
+
+
+ @Before
+ public void setPwdPolicy()
+ {
+ policyConfig = new PasswordPolicyConfiguration();
+
+ policyConfig.setPwdMaxAge( 110 );
+ policyConfig.setPwdFailureCountInterval( 30 );
+ policyConfig.setPwdMaxFailure( 2 );
+ policyConfig.setPwdLockout( true );
+ policyConfig.setPwdLockoutDuration( 0 );
+ policyConfig.setPwdMinLength( 5 );
+ policyConfig.setPwdInHistory( 5 );
+ policyConfig.setPwdExpireWarning( 600 );
+ policyConfig.setPwdGraceAuthNLimit( 5 );
+ policyConfig.setPwdCheckQuality( 2 ); // DO NOT allow the password if its quality can't be checked
+
+ AuthenticationInterceptor authInterceptor = ( AuthenticationInterceptor ) service
+ .getInterceptor( AuthenticationInterceptor.class.getName() );
+ authInterceptor.setPwdPolicyConfig( policyConfig );
+ }
+
+
+ @After
+ public void closeConnections()
+ {
+ IntegrationUtils.closeConnections();
+ }
+
+
+ @Test
+ public void testAddUserWithClearTextPwd() throws Exception
+ {
+ LdapConnection connection = getAdminNetworkConnection( ldapServer );
+
+ DN userDn = new DN( "cn=user,ou=system" );
+ Entry userEntry = new DefaultEntry( userDn );
+ userEntry.add( SchemaConstants.OBJECT_CLASS, SchemaConstants.PERSON_OC );
+ userEntry.add( SchemaConstants.CN_AT, "user" );
+ userEntry.add( SchemaConstants.SN_AT, "user_sn" );
+ userEntry.add( SchemaConstants.USER_PASSWORD_AT, "1234".getBytes() );
+
+ AddRequest addReq = new AddRequest( userEntry );
+ addReq.add( PP_REQ_CTRL );
+
+ AddResponse addResp = connection.add( addReq );
+ assertEquals( ResultCodeEnum.CONSTRAINT_VIOLATION, addResp.getLdapResult().getResultCode() );
+
+ PasswordPolicyResponseControl respCtrl = getPwdRespCtrl( addResp );
+ assertNotNull( respCtrl );
+ assertEquals( PASSWORD_TOO_SHORT, respCtrl.getPasswordPolicyError() );
+
+ EntryAttribute pwdAt = userEntry.get( SchemaConstants.USER_PASSWORD_AT );
+ pwdAt.clear();
+ pwdAt.add( "12345".getBytes() );
+
+ addResp = connection.add( addReq );
+ assertEquals( ResultCodeEnum.SUCCESS, addResp.getLdapResult().getResultCode() );
+ respCtrl = getPwdRespCtrl( addResp );
+ assertNull( respCtrl );
+
+ LdapConnection userConnection = getNetworkConnectionAs( ldapServer, userDn.getName(), "12345" );
+ assertNotNull( userConnection );
+ assertTrue( userConnection.isAuthenticated() );
+ }
+
+
+ @Test
+ public void testAddUserWithHashedPwd() throws Exception
+ {
+ LdapConnection connection = getAdminNetworkConnection( ldapServer );
+
+ byte[] password = PasswordUtil.encryptPassword( "12345".getBytes(), LdapSecurityConstants.HASH_METHOD_CRYPT, null );
+ String strPwd = "{crypt}" + StringTools.utf8ToString( password );
+ password = strPwd.getBytes();
+
+ DN userDn = new DN( "cn=hashedpwd,ou=system" );
+ Entry userEntry = new DefaultEntry( userDn );
+ userEntry.add( SchemaConstants.OBJECT_CLASS, SchemaConstants.PERSON_OC );
+ userEntry.add( SchemaConstants.CN_AT, "hashedpwd" );
+ userEntry.add( SchemaConstants.SN_AT, "hashedpwd_sn" );
+ userEntry.add( SchemaConstants.USER_PASSWORD_AT, password );
+
+ AddRequest addReq = new AddRequest( userEntry );
+ addReq.add( PP_REQ_CTRL );
+
+ AddResponse addResp = connection.add( addReq );
+ assertEquals( ResultCodeEnum.CONSTRAINT_VIOLATION, addResp.getLdapResult().getResultCode() );
+
+ PasswordPolicyResponseControl respCtrl = getPwdRespCtrl( addResp );
+ assertNotNull( respCtrl );
+ assertEquals( INSUFFICIENT_PASSWORD_QUALITY, respCtrl.getPasswordPolicyError() );
+
+ policyConfig.setPwdCheckQuality( 1 ); // allow the password if its quality can't be checked
+ EntryAttribute pwdAt = userEntry.get( SchemaConstants.USER_PASSWORD_AT );
+ pwdAt.clear();
+ pwdAt.add( password );
+
+ addResp = connection.add( addReq );
+ assertEquals( ResultCodeEnum.SUCCESS, addResp.getLdapResult().getResultCode() );
+ respCtrl = getPwdRespCtrl( addResp );
+ assertNull( respCtrl );
+
+ LdapConnection userConnection = getNetworkConnectionAs( ldapServer, userDn.getName(), StringTools.utf8ToString( password ) );
+ assertNotNull( userConnection );
+ assertTrue( userConnection.isAuthenticated() );
+ }
+
+
+ @Test
+ public void testPwdMinAge() throws Exception
+ {
+ policyConfig.setPwdMinAge( 5 );
+
+ LdapConnection connection = getAdminNetworkConnection( ldapServer );
+
+ DN userDn = new DN( "cn=user,ou=system" );
+ Entry userEntry = new DefaultEntry( userDn );
+ userEntry.add( SchemaConstants.OBJECT_CLASS, SchemaConstants.PERSON_OC );
+ userEntry.add( SchemaConstants.CN_AT, "user" );
+ userEntry.add( SchemaConstants.SN_AT, "user_sn" );
+ userEntry.add( SchemaConstants.USER_PASSWORD_AT, "12345".getBytes() );
+
+ AddRequest addReq = new AddRequest( userEntry );
+ addReq.add( PP_REQ_CTRL );
+
+ AddResponse addResp = connection.add( addReq );
+ assertEquals( ResultCodeEnum.SUCCESS, addResp.getLdapResult().getResultCode() );
+
+ PasswordPolicyResponseControl respCtrl = getPwdRespCtrl( addResp );
+ assertNull( respCtrl );
+
+ ModifyRequest modReq = new ModifyRequest( userDn );
+ modReq.add( PP_REQ_CTRL );
+ modReq.replace( SchemaConstants.USER_PASSWORD_AT, "123456" );
+
+ ModifyResponse modResp = connection.modify( modReq );
+ assertEquals( ResultCodeEnum.CONSTRAINT_VIOLATION, modResp.getLdapResult().getResultCode() );
+
+ respCtrl = getPwdRespCtrl( modResp );
+ assertEquals( PASSWORD_TOO_YOUNG, respCtrl.getPasswordPolicyError() );
+
+ Thread.sleep( 5000 );
+
+ modResp = connection.modify( modReq );
+ assertEquals( ResultCodeEnum.SUCCESS, modResp.getLdapResult().getResultCode() );
+
+ LdapConnection userConnection = getNetworkConnectionAs( ldapServer, userDn.getName(), "123456" );
+ assertNotNull( userConnection );
+ assertTrue( userConnection.isAuthenticated() );
+ }
+
+ private PasswordPolicyResponseControl getPwdRespCtrl( AbstractResponseWithResult resp ) throws Exception
+ {
+ Control ctrl = resp.getControl( PP_REQ_CTRL.getOid() );
+ if ( ctrl == null )
+ {
+ return null;
+ }
+
+ PasswordPolicyResponseControl respCtrl = new PasswordPolicyResponseControl();
+ // System.out.println( StringTools.dumpBytes( ctrl.getValue() ) );
+ decoder.decode( ctrl.getValue(), respCtrl );
+
+ return respCtrl;
+ }
+}
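Review bot: In testAddUserWithHashedPwd the final bind passes `StringTools.utf8ToString( password )`, i.e. the `{crypt}…` hash string itself, as the credential rather than the clear-text `"12345"` the hash was derived from; if the `isAuthenticated()` assertion that follows holds, the server is accepting the stored hash value as a valid password, which is a property the test should either pin on purpose with a comment or, more likely, correct to `getNetworkConnectionAs( ldapServer, userDn.getName(), "12345" )`. In testPwdMinAge the response control from the rejected modify is dereferenced without the `assertNotNull( respCtrl );` guard the other two tests use, so a missing control would surface as a NullPointerException instead of an assertion failure. The `Thread.sleep( 5000 )` there equals the configured `pwdMinAge` of 5 seconds exactly, which looks prone to a boundary race on a slow or busy host; sleeping slightly longer than the min age, or asserting on the policy clock, would make the second modify deterministic. The `"1234".getBytes()`-style calls use the platform default charset; `StandardCharsets.UTF_8` would match what the server decodes.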