1 # Copyright 2000, International Business Machines Corporation and others.
4 # This software has been released under the terms of the IBM Public
5 # License. For details, see the LICENSE file in the top-level source
6 # directory or online at http://www.openafs.org/dl/license10.html
9 # verify locking occurs on n+1 failures, where n is the permitted number.
10 # verify that n in {0,1,253,254} work
11 # verify that n == 255 or greater fails
12 # verify that n < 0 fails
13 # locktime < 0 should fail
14 # locktime == 0 should succeed (infinite)
15 # verify locktime of 0 (infinite) produces correct output from kas exam
16 # locktime <= 36*60 should work quietly
17 # locktime > 2160 should give error message
18 # test locktimes in hh:mm also, 00:00 00:01 01:00 01:01 35:59 36:00 36:01
20 # invent a bunch of temporary users (delete, then create them)
21 # setfields their attempts and locktimes: Note -- I don't verify that
22 # kas exam reports the correct thing as doing the conversion from text
23 # to numeric and the math and the conversion in expect would be more likely
24 # to be wrong than the C code in admin_tools.c and kaprocs.c and kaauxdb.c
26 # fail to authenticate once
27 # verify that klog does not report locked
28 # verify that exam reports not locked
29 # fail to authenticate many times - 1.
30 # verify that klog does not report locked
31 # verify that exam reports locked (unless -attempts is 0)
32 # fail to authenticate once more.
33 # verify that klog does report locked (unless -attempts is 0)
34 # verify that exam reports locked (unless -attempts is 0)
36 # note: attempts don't reset totally, only one server's attempts counter
38 # set attempts to 200 (check that the attempts reset)
39 # fail several times, then succeed
40 # check that you can retry 200 times before id gets locked
42 # check that kas unlock works (implicit)
43 # check that the correct # of attempts remain after some # of failures? (implicit)
45 # the following things are not yet tested. That is, this test procedure
46 # does not sleep for 36 hours to see if the id will automatically unlock
49 # verify locktimes of 1 min to 36*60-1 work
50 # test locktimes of 36*60, 36*60+1, 36*60+14, 36*60+15
51 # verify locktime of 0 (infinite) remains locked for longer than 36*60+30
55 set multiklog
"multiklog"
57 set adminpass
"adminpassword"
60 set admininfo
"-admin_us admin -password_for adminpass"
61 set cellinfo
"-cell cellname2"
63 set initialpasswd
"InitialPassword"
64 trap SIG_IGN
{ SIGCHLD
}
72 proc verify_attempts
{ usr x
} {
73 global kas klog admin adminpass cell timeout timeout
75 spawn
$kas exam
$usr -admin_us $admin -password_fo $adminpass -cell $cell
76 print
"Expecting $x attempts.\n"
78 expect timeout
{print
"\nFAILED: timeout: presume user is not locked\n"} \
79 eof {print
"\nFAILED: eof: presume user is not locked\n"} \
80 "{* An unlimited number*}" { if $x then
{ print
"\nFAILED: expected only $x attempts, got: $expect_match" } else { print
"\nSUCCESS\n" } } \
81 "{*consecutive unsuccessful authentications are permitted*}" \
82 { if $x then
{ print
"SUCCESS\n"; print
\
83 "!!! in this case, should check to be sure that the int matches $x\n" } \
84 else { print
"\nFAILED: expected unlimited, got: $expect_match"} }
89 proc FailToAuthenticate
{ usr reps expectlockmsg
} {
94 spawn
$multiklog $usr randomtrashnotpassword
-cell $cell -rep $reps
96 expect timeout
{print
"\nFAILED: timeout\n"; set failed
1 } \
97 "{*Unable*locked*(KALOCKED)*}" { set locked
1 } \
98 "{*password was incorrect*}" { } \
99 eof {print
"\nFAILED: eof but expected KALOCKED\n"; set failed
1 }
104 if { $expectlockmsg } then
{ \
105 if { $locked } then
{ \
106 print
"\nSUCCESS\n" } \
107 else { print
"\nFAILED: klog didn't report KALOCKED\n" } \
110 if { $locked } then
{ \
111 print
"\nFAILED: (locked too soon) $expect_match\n" } \
112 else { print
"\nSUCCESS: klog didn't report KALOCKED\n" } \
117 proc SucceedToAuthenticate
{ usr reps expectlockmsg
} {
118 global multiklog cell initialpasswd
122 spawn
$multiklog $usr $initialpasswd -cell $cell -rep $reps
124 expect timeout
{print
"\nSUCCESS: timeout\n"; set failed
0 } \
125 "{*Unable*is locked*}" { set locked
1 } \
126 "{*password was incorrect*}" { } \
127 eof {print
"\nSUCCESS: eof\n"; set failed
0}
130 if { $expectlockmsg } then
{ if {$locked} then
{ \
131 print
"\nSUCCESS: klog reported KALOCKED\n" } \
132 else { print
"\nFAILED: expected KALOCKED but got $expect_match\n" } } \
133 else { if { $failed } { \
134 print
"\nFAILED: $expect_match" } }
137 proc ExamKasLocked
{ usr expectlockmsg
} {
138 global kas admin adminpass cell
140 spawn
$kas exam
$usr -admin_us $admin -password_fo $adminpass -cell $cell
141 if { $expectlockmsg } { print
"Expecting to find user locked..." }
143 expect timeout
{ if { $expectlockmsg } {print
"\nFAILED: timeout\n"} else { print
"\nSUCCESS: timeout\n" } } \
144 eof { if { $expectlockmsg } {print
"\nFAILED: eof\n"} else { print
"\nSUCCESS: eof\n" } } \
145 "{*User is not locked*}" { if { $expectlockmsg } then
{ print
"\nFAILED: expected $usr to be locked\n"} else { print
"\nSUCCESS: kas didn't report LOCKED\n" } } \
146 "{*User is locked*}" { if { ! $expectlockmsg } then
{ print
"\nFAILED: $usr should not be locked\n"} else { print
"\nSUCCESS: kas reported LOCKED\n"} }
151 # klog should not return KALOCKED after j failures. That is, the ID becomes
152 # locked after the j'th failure, but that's not the reason for the denial.
153 # On the next attempt, klog returns KALOCKED regardless of whether the password
154 # was correct or not. So if a user is restricted to -attempts 1, he gets one
155 # chance, and if he blows it, his ID gets locked.
156 proc verify_lock
{ usr j
} {
157 global kas klog admin adminpass cell multiklog
161 if { $j == 0 } then
{ set x
258 } else { set x
$j }
163 spawn
$kas unloc
$usr -admin_user $admin -password_fo $adminpass -cell $cell
168 # fail once if $x is sufficiently large, and make sure that neither klog
169 # nor kas report that the id is locked.
172 FailToAuthenticate
$usr 1 0
176 # after this multiklog, exam should report that the ID is locked (only if $j>0)
177 # but klog should not have reported KALOCKED.
180 FailToAuthenticate
$usr $x $expectlockmsg
181 ExamKasLocked
$usr $j
184 # after this klog, kas exam should report that the user is locked. klog
185 # should also return KALOCKED.
188 FailToAuthenticate
$usr 1 1
193 # If a user fails several times, but then successfully authenticates,
194 # the attempts counter on one server should get reset. Check to be
196 proc verify_auto_reset
{ usr
} {
197 global kas klog admin adminpass cell multiklog initialpasswd
199 spawn
$kas unloc
$usr -admin_user $admin -password_fo $adminpass -cell $cell
203 # set attempts to be 103
204 spawn
$kas setfields
$usr -attempts 103 -admin_us $admin \
205 -password_for $adminpass -cell $cell
209 FailToAuthenticate
$usr 101 0
212 # this should make some more attempts possible. Expected value is 101/#servers, but
213 # multiklog may not distribute attempts randomly.
214 SucceedToAuthenticate
$usr 1 0
216 # ordinarily, this would fail (101+14 > 103) but the success above should have set
218 FailToAuthenticate
$usr 14 0
221 # If there is one server, it should take ~89 attempts to lock this ID.
222 # If there are seven, it should take only ~15...
223 FailToAuthenticate
$usr 90 1
225 SucceedToAuthenticate
$usr 1 1
229 proc verify_lock_time
{usr x
} {
230 global kas klog admin adminpass cell timeout timeout
232 spawn
$kas exam
$usr -admin_us $admin -password_fo $adminpass -cell $cell
233 print
"Expecting locktime == $x.\n"
234 case
"$x" in
{ 00:00 } { set x
0 }
236 expect
"{* The lock time for this user is not limited.*}" \
237 { if {$x} then
{ print
"\nFAILED: expected limited locktime, got: $expect_match" } else { print
"\nSUCCESS\n" } } \
238 "{* The lock time for this user is * minutes*}" \
239 { if {$x} then
{ print
"SUCCESS\n"; print
\
240 "!!! in this case, should check to be sure that the interval matches $x\n" } \
241 else {print
"\nFAILED: expected unlimited locktime, got: $expect_match"}}\
242 timeout
{print
"\nFAILED: timeout checking locktime\n"} \
243 eof {print
"\nFAILED: eof checking locktime\n"}
248 proc expect_timelimits_msg
{x
} {
249 expect timeout
{print
"\nFAILED: timeout\n"} \
250 eof {print
"\nFAILED: eof\n"} \
251 "{*Lockout times must be either minutes or hh:mm.\r\nLockout times must be less than 36 hours.*}" {print
"\nSUCCESS\n" }
254 proc expect_limits_msg
{x
} {
255 expect timeout
{print
"\nFAILED: timeout\n"} \
256 eof {print
"\nFAILED: eof\n"} \
257 "{*Failure limit must be in*}" {print
"\nSUCCESS\n" } \
258 "*" {print
"\nFAILED: $expect_match"}
261 proc expect_nothing
{ x
} {
262 expect
{*Note
:\ Operation
\ is
\ performed
\ on
\ cell
\ *\n} { print
"\n" } \
263 timeout
{ print
"\n" } \
265 "*" { print
"\nFAILED: expected nothing, got: $expect_match" }
268 proc create_user
{ usr
} {
269 global kas klog admin adminpass cell initialpasswd timeout
271 spawn
$kas delete
$usr -admin_us $admin -password_fo $adminpass -cell $cell
273 expect timeout
{ print
"\nSUCCESS: delete didn't complain\n" } \
274 eof { print
"\nSUCCESS: delete didn't complain\n" } \
275 "{Deleting user $usr already*}" { print
"\nSUCCESS: user gone\n" } \
276 "*" { print
"\nFAILURE: $expect_match\n" }
280 spawn
$kas create
$usr $initialpasswd -admin_us $admin -password_fo $adminpass -cell $cell
281 expect timeout
{ print
"\nSUCCESS: create didn't complain\n" } \
282 eof { print
"\nSUCCESS: create didn't complain\n" } \
283 "*" { print
"\nFAILURE: $expect_match\n" }
287 verify_attempts
$usr 0