From a9fb3af717d08713d395a54f34da518a8437f3f0 Mon Sep 17 00:00:00 2001
From: davidpil2002 <91657985+davidpil2002@users.noreply.github.com>
Date: Sun, 16 Oct 2022 10:36:49 +0300
Subject: [PATCH] Password hardening test fix (#6453)
What is the motivation for this PR?
Fix the issue #6428
How did you do it?
explained in the summary.
How did you verify/test it?
Run the test with the sonic-builimage build from branch 202205
command line:
py.test /sonic-mgmt/tests/passw_hardening/test_passw_hardening.py
---
tests/passw_hardening/conftest.py | 47 +-
.../passw_hardening/passw_hardening_utils.py | 112 +++++
.../passw_hardening_digits/common-password | 2 +-
.../passw_hardening_history/common-password | 2 +-
.../common-password | 2 +-
.../passw_hardening_min_len/common-password | 2 +-
.../common-password | 2 +-
.../common-password | 2 +-
.../common-password | 2 +-
tests/passw_hardening/test_passw_hardening.py | 452 ++++++++----------
10 files changed, 342 insertions(+), 283 deletions(-)
create mode 100755 tests/passw_hardening/passw_hardening_utils.py
diff --git a/tests/passw_hardening/conftest.py b/tests/passw_hardening/conftest.py
index a78d6dd014a..333f0323331 100644
--- a/tests/passw_hardening/conftest.py
+++ b/tests/passw_hardening/conftest.py
@@ -1,10 +1,11 @@
import pytest
-import test_passw_hardening
+from tests.common.utilities import skip_release
+import passw_hardening_utils
def set_default_passw_hardening_policies(duthosts, enum_rand_one_per_hwsku_hostname):
duthost = duthosts[enum_rand_one_per_hwsku_hostname]
- passw_hardening_ob_dis = test_passw_hardening.PasswHardening(state='disabled',
+ passw_hardening_ob_dis = passw_hardening_utils.PasswHardening(state='disabled',
expiration='100',
expiration_warning='15',
history='12',
@@ -15,7 +16,21 @@ def set_default_passw_hardening_policies(duthosts, enum_rand_one_per_hwsku_hostn
digit_class="true",
special_class='true')
- test_passw_hardening.config_and_review_policies(duthost, passw_hardening_ob_dis, test_passw_hardening.PAM_PASSWORD_CONF_DEFAULT_EXPECTED)
+ passw_hardening_utils.config_and_review_policies(duthost, passw_hardening_ob_dis, passw_hardening_utils.PAM_PASSWORD_CONF_DEFAULT_EXPECTED)
+
+@pytest.fixture(scope="module", autouse=True)
+def passw_version_required(duthosts, enum_rand_one_per_hwsku_hostname):
+ """Skips this test if the SONiC image installed on DUT is older than 202111
+
+ Args:
+ duthost: DUT host object.
+
+ Returns:
+ None.
+ """
+ duthost = duthosts[enum_rand_one_per_hwsku_hostname]
+ skip_release(duthost, ["201811", "201911", "202012", "202106", "202111"])
+
@pytest.fixture(scope="function")
def clean_passw_policies(duthosts, enum_rand_one_per_hwsku_hostname):
@@ -26,38 +41,38 @@ def clean_passw_policies(duthosts, enum_rand_one_per_hwsku_hostname):
def clean_passw_one_policy_user(duthosts, enum_rand_one_per_hwsku_hostname):
yield
duthost = duthosts[enum_rand_one_per_hwsku_hostname]
- res_adduser_simple_0 = test_passw_hardening.config_user(duthost=duthost, username=test_passw_hardening.USERNAME_ONE_POLICY, mode='del')
+ res_adduser_simple_0 = passw_hardening_utils.config_user(duthost=duthost, username=passw_hardening_utils.USERNAME_ONE_POLICY, mode='del')
@pytest.fixture(scope="function")
def clean_passw_len_min(duthosts, enum_rand_one_per_hwsku_hostname):
yield
duthost = duthosts[enum_rand_one_per_hwsku_hostname]
- test_passw_hardening.config_user(duthost=duthost, username=test_passw_hardening.USERNAME_LEN_MIN, mode='del')
- duthost.shell('sed -i /^'+test_passw_hardening.USERNAME_LEN_MIN+':/d /etc/security/opasswd')
+ passw_hardening_utils.config_user(duthost=duthost, username=passw_hardening_utils.USERNAME_LEN_MIN, mode='del')
+ duthost.shell('sed -i /^'+passw_hardening_utils.USERNAME_LEN_MIN+':/d /etc/security/opasswd')
@pytest.fixture(scope="function")
def clean_passw_age(duthosts, enum_rand_one_per_hwsku_hostname):
yield
duthost = duthosts[enum_rand_one_per_hwsku_hostname]
- test_passw_hardening.config_user(duthost=duthost, username=test_passw_hardening.USERNAME_AGE, mode='del')
- duthost.shell('sed -i /^'+test_passw_hardening.USERNAME_AGE+':/d /etc/security/opasswd')
+ passw_hardening_utils.config_user(duthost=duthost, username=passw_hardening_utils.USERNAME_AGE, mode='del')
+ duthost.shell('sed -i /^'+passw_hardening_utils.USERNAME_AGE+':/d /etc/security/opasswd')
@pytest.fixture(scope="function")
def clean_passw_en_dis_policies(duthosts, enum_rand_one_per_hwsku_hostname):
yield
duthost = duthosts[enum_rand_one_per_hwsku_hostname]
- test_passw_hardening.config_user(duthost=duthost, username=test_passw_hardening.USERNAME_SIMPLE_0, mode='del')
- test_passw_hardening.config_user(duthost=duthost, username=test_passw_hardening.USERNAME_SIMPLE_1, mode='del')
- test_passw_hardening.config_user(duthost=duthost, username=test_passw_hardening.USERNAME_STRONG, mode='del')
- duthost.shell('sed -i /^'+test_passw_hardening.USERNAME_SIMPLE_0+':/d /etc/security/opasswd')
- duthost.shell('sed -i /^'+test_passw_hardening.USERNAME_SIMPLE_1+':/d /etc/security/opasswd')
- duthost.shell('sed -i /^'+test_passw_hardening.USERNAME_STRONG+':/d /etc/security/opasswd')
+ passw_hardening_utils.config_user(duthost=duthost, username=passw_hardening_utils.USERNAME_SIMPLE_0, mode='del')
+ passw_hardening_utils.config_user(duthost=duthost, username=passw_hardening_utils.USERNAME_SIMPLE_1, mode='del')
+ passw_hardening_utils.config_user(duthost=duthost, username=passw_hardening_utils.USERNAME_STRONG, mode='del')
+ duthost.shell('sed -i /^'+passw_hardening_utils.USERNAME_SIMPLE_0+':/d /etc/security/opasswd')
+ duthost.shell('sed -i /^'+passw_hardening_utils.USERNAME_SIMPLE_1+':/d /etc/security/opasswd')
+ duthost.shell('sed -i /^'+passw_hardening_utils.USERNAME_STRONG+':/d /etc/security/opasswd')
@pytest.fixture(scope="function")
def clean_passw_history(duthosts, enum_rand_one_per_hwsku_hostname):
yield
duthost = duthosts[enum_rand_one_per_hwsku_hostname]
- test_passw_hardening.config_user(duthost=duthost, username=test_passw_hardening.USERNAME_HISTORY, mode='del')
- duthost.shell('sed -i /^'+test_passw_hardening.USERNAME_HISTORY+':/d /etc/security/opasswd')
+ passw_hardening_utils.config_user(duthost=duthost, username=passw_hardening_utils.USERNAME_HISTORY, mode='del')
+ duthost.shell('sed -i /^'+passw_hardening_utils.USERNAME_HISTORY+':/d /etc/security/opasswd')
diff --git a/tests/passw_hardening/passw_hardening_utils.py b/tests/passw_hardening/passw_hardening_utils.py
new file mode 100755
index 00000000000..03301579e06
--- /dev/null
+++ b/tests/passw_hardening/passw_hardening_utils.py
@@ -0,0 +1,112 @@
+import logging
+import os
+import difflib
+from tests.common.helpers.assertions import pytest_assert
+
+CURR_DIR = os.path.dirname(os.path.abspath(__file__))
+
+# Sample/Expected files
+PAM_PASSWORD_CONF_DEFAULT_EXPECTED = CURR_DIR + '/sample/passw_hardening_default/common-password'
+PAM_PASSWORD_CONF_EXPECTED = CURR_DIR + '/sample/passw_hardening_enable/common-password'
+PAM_PASSWORD_CONF_HISTORY_ONLY_EXPECTED = CURR_DIR + '/sample/passw_hardening_history/common-password'
+PAM_PASSWORD_CONF_REJECT_USER_PASSW_MATCH_EXPECTED = CURR_DIR + '/sample/passw_hardening_reject_user_passw_match/common-password'
+PAM_PASSWORD_CONF_DIGITS_ONLY_EXPECTED = CURR_DIR + '/sample/passw_hardening_digits/common-password'
+PAM_PASSWORD_CONF_LOWER_LETTER_ONLY_EXPECTED = CURR_DIR + '/sample/passw_hardening_lower_letter/common-password'
+PAM_PASSWORD_CONF_UPPER_LETTER_ONLY_EXPECTED = CURR_DIR + '/sample/passw_hardening_upper_letter/common-password'
+PAM_PASSWORD_CONF_SPECIAL_LETTER_ONLY_EXPECTED = CURR_DIR + '/sample/passw_hardening_special_letter/common-password'
+PAM_PASSWORD_CONF_LEN_MIN_ONLY_EXPECTED = CURR_DIR + '/sample/passw_hardening_min_len/common-password'
+PAM_PASSWORD_CONF_OUTPUT = CURR_DIR + '/output/login.def'
+PAM_PASSWORD_CONF = "/etc/pam.d/common-password"
+
+# users
+USERNAME_STRONG = 'user_strong_test'
+USERNAME_SIMPLE_0 = 'user_simple_0_test'
+USERNAME_SIMPLE_1 = 'user_simple_1_test'
+USERNAME_ONE_POLICY = 'user_one_policy_test'
+USERNAME_AGE = 'user_test'
+USERNAME_HISTORY = 'user_history_test'
+USERNAME_LEN_MIN = 'user_test'
+
+
+class PasswHardening:
+ def __init__(self, state='disabled', expiration='100', expiration_warning='15', history='12',
+ len_min='8', reject_user_passw_match='true', lower_class='true',
+ upper_class='true', digit_class='true', special_class='true'):
+ self.policies = {
+ "state": state,
+ "expiration": expiration,
+ "expiration-warning": expiration_warning,
+ "history-cnt": history,
+ "len-min": len_min,
+ "reject-user-passw-match": reject_user_passw_match,
+ "lower-class": lower_class,
+ "upper-class": upper_class,
+ "digits-class": digit_class,
+ "special-class": special_class
+ }
+
+
+def config_user(duthost, username, mode='add'):
+ """ Function add or rm users using useradd/userdel tool. """
+
+ username = username.strip()
+ command = "user{} {}".format(mode, username)
+ user_cmd = duthost.shell(command, module_ignore_errors=True)
+ return user_cmd
+
+
+def configure_passw_policies(duthost, passw_hardening_ob):
+ for key, value in passw_hardening_ob.policies.items():
+ logging.debug("configuration to be set: key={}, value={}".format(key, value))
+ # cmd_config = 'sudo config passw-hardening policies ' + key + ' ' + value
+
+ cmd_config = 'sudo config passw-hardening policies {} {}'.format(key, value)
+
+ duthost.command(cmd_config)
+ return True
+
+
+def compare_passw_policies_in_linux(duthost, pam_file_expected=PAM_PASSWORD_CONF_EXPECTED):
+ """Compare DUT common-password with the expected one."""
+
+ command_password_stdout = ''
+ read_command_password = 'cat {}'.format(PAM_PASSWORD_CONF)
+
+ logging.debug('DUT command = {}'.format(read_command_password))
+ read_command_password_cmd = duthost.command(read_command_password)
+ command_password_stdout = read_command_password_cmd["stdout_lines"]
+ command_password_stdout = [line.encode('utf-8') for line in command_password_stdout]
+
+ common_password_expected = []
+ with open(pam_file_expected, 'r') as expected_common_password_file:
+ for line in expected_common_password_file:
+ line = line.strip()
+ line = line.strip('\n')
+ line = line.strip('\t')
+ common_password_expected.append(line)
+
+ common_password_diff = [li for li in difflib.ndiff(command_password_stdout, common_password_expected) if
+ li[0] != ' ']
+ pytest_assert(len(common_password_diff) == 0, common_password_diff)
+
+
+def config_and_review_policies(duthost, passw_hardening_ob, pam_file_expected):
+ """
+ 1. Config passw hardening policies
+ 2. Show passw hardening policies
+ 3. Compare passw hardening polices from show cli to the expected (configured)
+ 4. Verify polices in PAM files was set according the configured
+ """
+ FIRST_LINE = 0
+ configure_passw_policies(duthost, passw_hardening_ob)
+
+ curr_show_policies = duthost.show_and_parse('show passw-hardening policies')[FIRST_LINE]
+ exp_show_policies = dict((k.replace('-', ' '), v) for k, v in passw_hardening_ob.policies.items())
+
+ # ~~ test passw policies in show CLI ~~
+ cli_passw_policies_cmp = cmp(exp_show_policies, curr_show_policies)
+ pytest_assert(cli_passw_policies_cmp == 0, "Fail: exp_show_policies='{}',not equal to curr_show_policies='{}'"
+ .format(exp_show_policies, curr_show_policies))
+
+ # ~~ test passw policies in PAM files ~~
+ compare_passw_policies_in_linux(duthost, pam_file_expected)
diff --git a/tests/passw_hardening/sample/passw_hardening_digits/common-password b/tests/passw_hardening/sample/passw_hardening_digits/common-password
index 4b20b163b03..e70d441f995 100644
--- a/tests/passw_hardening/sample/passw_hardening_digits/common-password
+++ b/tests/passw_hardening/sample/passw_hardening_digits/common-password
@@ -26,7 +26,7 @@
password requisite pam_cracklib.so retry=3 maxrepeat=0 minlen=1 ucredit=0 lcredit=0 dcredit=-1 ocredit=0 enforce_for_root
-password required pam_pwhistory.so remember=0 use_authtok enforce_for_root
+password required pam_pwhistory.so remember=12 use_authtok enforce_for_root
password [success=1 default=ignore] pam_unix.so obscure yescrypt
# here's the fallback if no module succeeds
diff --git a/tests/passw_hardening/sample/passw_hardening_history/common-password b/tests/passw_hardening/sample/passw_hardening_history/common-password
index 4494e419552..0a92071fea1 100644
--- a/tests/passw_hardening/sample/passw_hardening_history/common-password
+++ b/tests/passw_hardening/sample/passw_hardening_history/common-password
@@ -24,7 +24,7 @@
# here are the per-package modules (the "Primary" block)
-password requisite pam_cracklib.so retry=3 maxrepeat=0 minlen=1 ucredit=0 lcredit=0 dcredit=-1 ocredit=0 enforce_for_root
+password requisite pam_cracklib.so retry=3 maxrepeat=0 minlen=8 ucredit=0 lcredit=0 dcredit=-1 ocredit=0 enforce_for_root
password required pam_pwhistory.so remember=10 use_authtok enforce_for_root
diff --git a/tests/passw_hardening/sample/passw_hardening_lower_letter/common-password b/tests/passw_hardening/sample/passw_hardening_lower_letter/common-password
index ed226d92595..0f6380c7ba1 100644
--- a/tests/passw_hardening/sample/passw_hardening_lower_letter/common-password
+++ b/tests/passw_hardening/sample/passw_hardening_lower_letter/common-password
@@ -26,7 +26,7 @@
password requisite pam_cracklib.so retry=3 maxrepeat=0 minlen=1 ucredit=0 lcredit=-1 dcredit=0 ocredit=0 enforce_for_root
-password required pam_pwhistory.so remember=0 use_authtok enforce_for_root
+password required pam_pwhistory.so remember=10 use_authtok enforce_for_root
password [success=1 default=ignore] pam_unix.so obscure yescrypt
# here's the fallback if no module succeeds
diff --git a/tests/passw_hardening/sample/passw_hardening_min_len/common-password b/tests/passw_hardening/sample/passw_hardening_min_len/common-password
index 1594bcdf68e..0a92071fea1 100644
--- a/tests/passw_hardening/sample/passw_hardening_min_len/common-password
+++ b/tests/passw_hardening/sample/passw_hardening_min_len/common-password
@@ -26,7 +26,7 @@
password requisite pam_cracklib.so retry=3 maxrepeat=0 minlen=8 ucredit=0 lcredit=0 dcredit=-1 ocredit=0 enforce_for_root
-password required pam_pwhistory.so remember=1 use_authtok enforce_for_root
+password required pam_pwhistory.so remember=10 use_authtok enforce_for_root
password [success=1 default=ignore] pam_unix.so obscure yescrypt
# here's the fallback if no module succeeds
diff --git a/tests/passw_hardening/sample/passw_hardening_reject_user_passw_match/common-password b/tests/passw_hardening/sample/passw_hardening_reject_user_passw_match/common-password
index be94336b798..74ecf7bdb8e 100644
--- a/tests/passw_hardening/sample/passw_hardening_reject_user_passw_match/common-password
+++ b/tests/passw_hardening/sample/passw_hardening_reject_user_passw_match/common-password
@@ -26,7 +26,7 @@
password requisite pam_cracklib.so retry=3 maxrepeat=0 minlen=1 ucredit=0 lcredit=0 dcredit=0 ocredit=0 reject_username enforce_for_root
-password required pam_pwhistory.so remember=0 use_authtok enforce_for_root
+password required pam_pwhistory.so remember=10 use_authtok enforce_for_root
password [success=1 default=ignore] pam_unix.so obscure yescrypt
# here's the fallback if no module succeeds
diff --git a/tests/passw_hardening/sample/passw_hardening_special_letter/common-password b/tests/passw_hardening/sample/passw_hardening_special_letter/common-password
index fd72d4d5286..0143b1c96fb 100644
--- a/tests/passw_hardening/sample/passw_hardening_special_letter/common-password
+++ b/tests/passw_hardening/sample/passw_hardening_special_letter/common-password
@@ -26,7 +26,7 @@
password requisite pam_cracklib.so retry=3 maxrepeat=0 minlen=1 ucredit=0 lcredit=0 dcredit=0 ocredit=-1 enforce_for_root
-password required pam_pwhistory.so remember=0 use_authtok enforce_for_root
+password required pam_pwhistory.so remember=10 use_authtok enforce_for_root
password [success=1 default=ignore] pam_unix.so obscure yescrypt
# here's the fallback if no module succeeds
diff --git a/tests/passw_hardening/sample/passw_hardening_upper_letter/common-password b/tests/passw_hardening/sample/passw_hardening_upper_letter/common-password
index 5c2740986da..5cf5f3822d7 100644
--- a/tests/passw_hardening/sample/passw_hardening_upper_letter/common-password
+++ b/tests/passw_hardening/sample/passw_hardening_upper_letter/common-password
@@ -26,7 +26,7 @@
password requisite pam_cracklib.so retry=3 maxrepeat=0 minlen=1 ucredit=-1 lcredit=0 dcredit=0 ocredit=0 enforce_for_root
-password required pam_pwhistory.so remember=0 use_authtok enforce_for_root
+password required pam_pwhistory.so remember=10 use_authtok enforce_for_root
password [success=1 default=ignore] pam_unix.so obscure yescrypt
# here's the fallback if no module succeeds
diff --git a/tests/passw_hardening/test_passw_hardening.py b/tests/passw_hardening/test_passw_hardening.py
index da0f0612c04..e6bf2b81f32 100644
--- a/tests/passw_hardening/test_passw_hardening.py
+++ b/tests/passw_hardening/test_passw_hardening.py
@@ -5,16 +5,13 @@
- test end to end by adding new user and set passwords according passw policies configured in the different tests.
"""
-
import logging
import re
import pytest
-import os
import sys
import datetime
-import difflib
from tests.common.helpers.assertions import pytest_assert
-
+import passw_hardening_utils
pytestmark = [
pytest.mark.sanity_check(skip_sanity=True),
@@ -22,118 +19,64 @@
pytest.mark.topology('any')
]
-CURR_DIR = os.path.dirname(os.path.abspath(__file__))
-CWD = os.path.abspath(os.getcwd())
-
-ETC_LOGIN_DEF = "/etc/login.defs"
-PAM_PASSWORD_CONF = "/etc/pam.d/common-password"
-
-# Sample/Expected files
-PAM_PASSWORD_CONF_DEFAULT_EXPECTED = CURR_DIR+'/sample/passw_hardening_default/common-password'
-PAM_PASSWORD_CONF_EXPECTED = CURR_DIR+'/sample/passw_hardening_enable/common-password'
-PAM_PASSWORD_CONF_HISTORY_ONLY_EXPECTED = CURR_DIR+'/sample/passw_hardening_history/common-password'
-PAM_PASSWORD_CONF_REJECT_USER_PASSW_MATCH_EXPECTED = CURR_DIR+'/sample/passw_hardening_reject_user_passw_match/common-password'
-PAM_PASSWORD_CONF_DIGITS_ONLY_EXPECTED = CURR_DIR+'/sample/passw_hardening_digits/common-password'
-PAM_PASSWORD_CONF_LOWER_LETTER_ONLY_EXPECTED = CURR_DIR+'/sample/passw_hardening_lower_letter/common-password'
-PAM_PASSWORD_CONF_UPPER_LETTER_ONLY_EXPECTED = CURR_DIR+'/sample/passw_hardening_upper_letter/common-password'
-PAM_PASSWORD_CONF_SPECIAL_LETTER_ONLY_EXPECTED = CURR_DIR+'/sample/passw_hardening_special_letter/common-password'
-PAM_PASSWORD_CONF_LEN_MIN_ONLY_EXPECTED = CURR_DIR+'/sample/passw_hardening_min_len/common-password'
-PAM_PASSWORD_CONF_OUTPUT = CURR_DIR+'/output/login.def'
-
-# Linux login.def default values (password hardening disable)
-LINUX_DEFAULT_PASS_MAX_DAYS = 99999
-LINUX_DEFAULT_PASS_WARN_AGE = 7
-
-
-AGE_DICT = { 'MAX_DAYS': {'REGEX_DAYS': 'grep \'^PASS_MAX_DAYS[ \\t]*\'', 'DAYS': 'max_days', 'CHAGE_FLAG': '-M '},
+AGE_DICT = {'MAX_DAYS': {'REGEX_DAYS': 'grep \'^PASS_MAX_DAYS[ \\t]*\'', 'DAYS': 'max_days', 'CHAGE_FLAG': '-M '},
'WARN_DAYS': {'REGEX_DAYS': 'grep \'^PASS_WARN_AGE[ \\t]*\'', 'DAYS': 'warn_days', 'CHAGE_FLAG': '-W '}
}
-# users
-USERNAME_STRONG = 'user_strong_test'
-USERNAME_SIMPLE_0 = 'user_simple_0_test'
-USERNAME_SIMPLE_1 = 'user_simple_1_test'
-USERNAME_ONE_POLICY = 'user_one_policy_test'
-USERNAME_AGE = 'user_test'
-USERNAME_HISTORY = 'user_history_test'
-USERNAME_LEN_MIN = 'user_test'
-
-FAIL_CODE = -1 # custom error code
SUCCESS_CODE = 0
-FIRST_LINE = 0
-
-class PasswHardening:
- def __init__(self, state='disabled', expiration='100', expiration_warning='15', history='12',
- len_min='8', reject_user_passw_match='true', lower_class='true',
- upper_class='true', digit_class='true', special_class='true'):
-
- self.policies = {
- "state": state,
- "expiration": expiration,
- "expiration-warning": expiration_warning,
- "history-cnt": history,
- "len-min": len_min,
- "reject-user-passw-match": reject_user_passw_match,
- "lower-class": lower_class,
- "upper-class": upper_class,
- "digits-class": digit_class,
- "special-class": special_class
- }
-
-def config_user(duthost, username, mode='add'):
- """ Function add or rm users using useradd/userdel tool. """
- username = username.strip()
- command = "user{} {}".format(mode, username)
- user_cmd = duthost.shell(command, module_ignore_errors=True)
- return user_cmd
def config_user_and_passw(duthost, username, password):
""" Config users and set password. """
-
+
username = username.strip()
- config_user(duthost, username)
+ passw_hardening_utils.config_user(duthost, username)
chpasswd_cmd = change_password(duthost, password, username)
return chpasswd_cmd
+
def change_password(duthost, password, username):
- chpasswd_cmd = duthost.shell('echo '+username+':'+password+' | chpasswd', module_ignore_errors=True)
+ cmd = 'echo {}:{} | chpasswd'.format(username, password)
+ chpasswd_cmd = duthost.shell(cmd, module_ignore_errors=True)
return chpasswd_cmd
+
def get_user_expire_time_global(duthost, age_type):
""" Function get the expire/expire warning days from linux filename login.def
according the age_type.
"""
+ FIRST_LINE = 0
DAY_INDEX = 1
days_num = -1
regex_days = AGE_DICT[age_type]['REGEX_DAYS']
- days_type = AGE_DICT[age_type]['DAYS']
- command = regex_days+ ' /etc/login.defs'
+ command = '{} /etc/login.defs'.format(regex_days)
grep_max_days_out = duthost.command(command)["stdout_lines"][FIRST_LINE].encode()
-
+
days_num = grep_max_days_out.split()[DAY_INDEX]
logging.debug('command output lines = {}'.format(grep_max_days_out))
return days_num
+
def modify_last_password_change_user(duthost, normal_account):
"Modify the passw change day of a user (subtract 100 days)."
days_to_subtract = 100
old_date = datetime.date.today() - datetime.timedelta(days=days_to_subtract)
-
- command = 'chage '+ normal_account + ' -i --lastday ' + str(old_date.isoformat())
- chage_cmd = duthost.command(command)
+ command = 'chage {} -i --lastday {}'.format(normal_account, str(old_date.isoformat()))
+
+ duthost.command(command)
return
+
def get_passw_expire_time_existing_user(duthost, normal_account):
last_passw_change = ''
REGEX_MAX_PASSW_CHANGE = r'^Maximum number of days between password change[ \t]*:[ \t]*(?P<max_passw_change>.*)'
- command = 'chage -l '+ normal_account
+ command = 'chage -l {}'.format(normal_account)
chage_stdout = duthost.command(command)["stdout_lines"]
for line in chage_stdout:
@@ -144,12 +87,6 @@ def get_passw_expire_time_existing_user(duthost, normal_account):
return last_passw_change
-def configure_passw_policies(duthost, passw_hardening_ob):
- for key, value in passw_hardening_ob.policies.items():
- logging.debug("configuration to be set: key={}, value={}".format(key, value))
- cmd_config = 'sudo config passw-hardening policies ' + key + ' ' + value
- passw_policies_config_res = duthost.command(cmd_config)
- return True
def compare_passw_age_in_pam_dir(duthost, passw_hardening_ob, username=None):
'''
@@ -174,53 +111,12 @@ def compare_passw_age_in_pam_dir(duthost, passw_hardening_ob, username=None):
passw_max_days_exist_username = get_passw_expire_time_existing_user(duthost, username)
pytest_assert(passw_max_days_exist_username == passw_hardening_ob.policies['expiration'],
- "Fail: expected max days exp='{}' ! current max days exp='{}'".format(
- passw_hardening_ob.policies['expiration'], passw_max_days_exist_username))
-
-def compare_passw_policies_in_linux(duthost, pam_file_expected=PAM_PASSWORD_CONF_EXPECTED):
- """Compare DUT common-password with the expected one."""
-
- command_password_stdout = ''
- read_command_password = 'cat ' + PAM_PASSWORD_CONF
+ "Fail: expected max days exp='{}' ! current max days exp='{}'".format(
+ passw_hardening_ob.policies['expiration'], passw_max_days_exist_username))
- logging.debug('DUT command = {}'.format(read_command_password))
- read_command_password_cmd = duthost.command(read_command_password)
- command_password_stdout = read_command_password_cmd["stdout_lines"]
- command_password_stdout = [line.encode('utf-8') for line in command_password_stdout]
- common_password_expected = []
- with open(pam_file_expected, 'r') as expected_common_password_file:
- for line in expected_common_password_file:
- line = line.strip()
- line = line.strip('\n')
- line = line.strip('\t')
- common_password_expected.append(line)
-
- common_password_diff = [li for li in difflib.ndiff(command_password_stdout, common_password_expected) if li[0] != ' ']
- pytest_assert(len(common_password_diff) == 0, common_password_diff)
-
-def config_and_review_policies(duthost, passw_hardening_ob, pam_file_expected):
- """
- 1. Config passw hardening policies
- 2. Show passw hardening policies
- 3. Compare passw hardening polices from show cli to the expected (configured)
- 4. Verify polices in PAM files was set according the configured
- """
- configure_passw_policies(duthost, passw_hardening_ob)
-
- curr_show_policies = duthost.show_and_parse('show passw-hardening policies')[FIRST_LINE]
- exp_show_policies = dict((k.replace('-', ' '), v) for k, v in passw_hardening_ob.policies.items())
-
- # ~~ test passw policies in show CLI ~~
- cli_passw_policies_cmp = cmp(exp_show_policies, curr_show_policies)
- pytest_assert(cli_passw_policies_cmp == 0, "Fail: exp_show_policies='{}',not equal to curr_show_policies='{}'"
- .format(exp_show_policies, curr_show_policies))
-
- # ~~ test passw policies in PAM files ~~
- compare_passw_policies_in_linux(duthost, pam_file_expected)
-
-
-def review_one_policy_with_user(duthost, passw_hardening_ob, passw_test, passw_bad_test, passw_exp_error, pam_file_expected=PAM_PASSWORD_CONF_EXPECTED):
+def review_one_policy_with_user(duthost, passw_hardening_ob, passw_test, passw_bad_test, passw_exp_error,
+ pam_file_expected=passw_hardening_utils.PAM_PASSWORD_CONF_EXPECTED):
"""
Funtion desc:
1. config one policy, check show CLI, test policy configured in switch
@@ -231,52 +127,60 @@ def review_one_policy_with_user(duthost, passw_hardening_ob, passw_test, passw_b
"""
# 1. config one policy, check show CLI, test policy configured in switch
- config_and_review_policies(duthost, passw_hardening_ob, pam_file_expected)
-
+ passw_hardening_utils.config_and_review_policies(duthost, passw_hardening_ob, pam_file_expected)
+
# 2. test good flow - create new user with good passw
- chpasswd_cmd = config_user_and_passw(duthost, USERNAME_ONE_POLICY, passw_test)
+ chpasswd_cmd = config_user_and_passw(duthost, passw_hardening_utils.USERNAME_ONE_POLICY, passw_test)
# 3. test user created succefully.
- pytest_assert(chpasswd_cmd['rc'] == SUCCESS_CODE , "Fail creating user: username={} with strong password={}"
- .format(USERNAME_ONE_POLICY, passw_test))
+ pytest_assert(chpasswd_cmd['rc'] == SUCCESS_CODE, "Fail creating user: username={} with strong password={}"
+ .format(passw_hardening_utils.USERNAME_ONE_POLICY, passw_test))
# 4. test bad flow - create new user with bad passw
if passw_bad_test:
- chpasswd_cmd = change_password(duthost, passw_bad_test, USERNAME_ONE_POLICY)
+ chpasswd_cmd = change_password(duthost, passw_bad_test, passw_hardening_utils.USERNAME_ONE_POLICY)
# 5. test user was not change passw succefully.
- pytest_assert(passw_exp_error in chpasswd_cmd['stderr'],"Fail: username='{}' with password='{}' was set, even though,\
- strong policy configured, passw_exp_error = '{}'".format(USERNAME_ONE_POLICY, passw_bad_test, passw_exp_error))
-
+ pytest_assert(passw_exp_error in chpasswd_cmd['stderr'], "Fail: username='{}' with password='{}' was set, even though,\
+ strong policy configured, passw_exp_error = '{}'".format(passw_hardening_utils.USERNAME_ONE_POLICY, passw_bad_test,
+ passw_exp_error))
+
+
def verify_age_flow(duthost, passw_hardening_ob, expected_login_error):
login_response = ''
# config one policy, check show CLI, test policy configured in switch
- config_and_review_policies(duthost, passw_hardening_ob, PAM_PASSWORD_CONF_LEN_MIN_ONLY_EXPECTED)
-
+ passw_hardening_utils.config_and_review_policies(duthost, passw_hardening_ob, passw_hardening_utils.PAM_PASSWORD_CONF_LEN_MIN_ONLY_EXPECTED)
+
# create user
passw_test = 'a_n_y_1989_2022'
- chpasswd_cmd = config_user_and_passw(duthost, USERNAME_AGE, passw_test)
+ chpasswd_cmd = config_user_and_passw(duthost, passw_hardening_utils.USERNAME_AGE, passw_test)
- pytest_assert(chpasswd_cmd['rc'] == SUCCESS_CODE, "Fail creating user: username='{}' with strong password='{}'".format(USERNAME_AGE, passw_test))
+ pytest_assert(chpasswd_cmd['rc'] == SUCCESS_CODE,
+ "Fail creating user: username='{}' with strong password='{}'".format(passw_hardening_utils.USERNAME_AGE, passw_test))
# (mimic passw is old by rest 100 days)
- modify_last_password_change_user(duthost, USERNAME_AGE)
+ modify_last_password_change_user(duthost, passw_hardening_utils.USERNAME_AGE)
# verify Age configuration in Linux files
- compare_passw_age_in_pam_dir(duthost, passw_hardening_ob, USERNAME_AGE)
+ compare_passw_age_in_pam_dir(duthost, passw_hardening_ob, passw_hardening_utils.USERNAME_AGE)
# login expecting to require passw change
- login_cmd = duthost.shell('echo '+passw_test+' | sudo -S su '+USERNAME_AGE, module_ignore_errors=True)
+ user_age_cmd = 'echo {} | sudo -S su {}'.format(passw_test, passw_hardening_utils.USERNAME_AGE)
+ login_cmd = duthost.shell(user_age_cmd, module_ignore_errors=True)
# test login results
- if 'Warning' in expected_login_error: # expiration warning time case, the cmd is not failing
+ if 'Warning' in expected_login_error: # expiration warning time case, the cmd is not failing
login_response = login_cmd['stdout']
- else: # expiration time case the cmd is failing
+ else: # expiration time case the cmd is failing
login_response = login_cmd['stderr']
- pytest_assert(expected_login_error in login_response, "Fail: the username='{}' could login by error, expected_login_error={} , but got this msg={}".format(USERNAME_AGE, expected_login_error, login_response))
+ pytest_assert(expected_login_error in login_response,
+ "Fail: the username='{}' could login by error, expected_login_error={} , but got this msg={}".format(
+ passw_hardening_utils.USERNAME_AGE, expected_login_error, login_response))
+
-def test_passw_hardening_en_dis_policies(duthosts, enum_rand_one_per_hwsku_hostname, clean_passw_policies, clean_passw_en_dis_policies):
+def test_passw_hardening_en_dis_policies(duthosts, enum_rand_one_per_hwsku_hostname, clean_passw_policies,
+ clean_passw_en_dis_policies):
"""
Test password hardening policies default.
Test passw policies configured in CLI (Verify output of `show passw-hardening policies`)
@@ -285,45 +189,53 @@ def test_passw_hardening_en_dis_policies(duthosts, enum_rand_one_per_hwsku_hostn
"""
duthost = duthosts[enum_rand_one_per_hwsku_hostname]
- # create user with weak passw when passw policies are disable (feature is disabled by default).
+ # create user with weak passw when passw policies are disable.
+ passw_hardening_ob_pre = passw_hardening_utils.PasswHardening(state='disabled')
+
+ # config one policy, check show CLI, test policy configured in switch
+ passw_hardening_utils.config_and_review_policies(duthost, passw_hardening_ob_pre, passw_hardening_utils.PAM_PASSWORD_CONF_DEFAULT_EXPECTED)
+
simple_passw_0 = '12345678'
- chpasswd_cmd = config_user_and_passw(duthost, USERNAME_SIMPLE_0, simple_passw_0)
+ chpasswd_cmd = config_user_and_passw(duthost, passw_hardening_utils.USERNAME_SIMPLE_0, simple_passw_0)
- pytest_assert(chpasswd_cmd['rc']==SUCCESS_CODE, "Fail: expected: username={} to be added with weak passw={},\
- because passw hardening disabled".format(USERNAME_SIMPLE_0, simple_passw_0))
+ pytest_assert(chpasswd_cmd['rc'] == SUCCESS_CODE, "Fail: expected: username={} to be added with weak passw={},\
+ because passw hardening disabled".format(passw_hardening_utils.USERNAME_SIMPLE_0, simple_passw_0))
- passw_hardening_ob = PasswHardening(state='enabled')
+ passw_hardening_ob = passw_hardening_utils.PasswHardening(state='enabled')
# config one policy, check show CLI, test policy configured in switch
- config_and_review_policies(duthost, passw_hardening_ob, PAM_PASSWORD_CONF_EXPECTED)
+ passw_hardening_utils.config_and_review_policies(duthost, passw_hardening_ob, passw_hardening_utils.PAM_PASSWORD_CONF_EXPECTED)
# ~~ test user with weak passw (only digits) expecting to fail (bad flow) ~~
simple_passw_1 = '12345678'
- chpasswd_cmd = config_user_and_passw(duthost, USERNAME_SIMPLE_1, simple_passw_1)
+ chpasswd_cmd = config_user_and_passw(duthost, passw_hardening_utils.USERNAME_SIMPLE_1, simple_passw_1)
- pytest_assert("BAD PASSWORD: it is too simplistic/systematic" in chpasswd_cmd['stderr'],"Fail: username='{}'\
- with simple password='{}' was set, even though, strong policy configured".format(USERNAME_SIMPLE_1, simple_passw_1))
+ pytest_assert("BAD PASSWORD: it is too simplistic/systematic" in chpasswd_cmd['stderr'], "Fail: username='{}'\
+ with simple password='{}' was set, even though, strong policy configured".format(
+ passw_hardening_utils.USERNAME_SIMPLE_1, simple_passw_1))
# ~~ test user with strong password (digits, lower class, upper class, special class) ~~
strong_passw = 'Nvi_d_ia_2020'
- strong_chpasswd_cmd = config_user_and_passw(duthost, USERNAME_STRONG, strong_passw)
+ strong_chpasswd_cmd = config_user_and_passw(duthost, passw_hardening_utils.USERNAME_STRONG, strong_passw)
- pytest_assert(strong_chpasswd_cmd['rc']==SUCCESS_CODE, "Fail creating user: username='{}' with strong password='{}'".format(USERNAME_STRONG, strong_passw))
+ pytest_assert(strong_chpasswd_cmd['rc'] == SUCCESS_CODE,
+ "Fail creating user: username='{}' with strong password='{}'".format(passw_hardening_utils.USERNAME_STRONG, strong_passw))
# clean new users
- userdel_cmd = config_user(duthost=duthost, username=USERNAME_SIMPLE_1, mode='del')
+ userdel_cmd = passw_hardening_utils.config_user(duthost=duthost, username=passw_hardening_utils.USERNAME_SIMPLE_1, mode='del')
- pytest_assert(userdel_cmd['rc']==SUCCESS_CODE, "Fail: users: '{}' was not deleted correctly".format(userdel_cmd['stderr']))
+ pytest_assert(userdel_cmd['rc'] == SUCCESS_CODE,
+ "Fail: users: '{}' was not deleted correctly".format(userdel_cmd['stderr']))
- # disable feature
- passw_hardening_dis_ob = PasswHardening(state='disabled')
- config_and_review_policies(duthost, passw_hardening_dis_ob, PAM_PASSWORD_CONF_DEFAULT_EXPECTED)
+ # disable feature
+ passw_hardening_dis_ob = passw_hardening_utils.PasswHardening(state='disabled')
+ passw_hardening_utils.config_and_review_policies(duthost, passw_hardening_dis_ob, passw_hardening_utils.PAM_PASSWORD_CONF_DEFAULT_EXPECTED)
# ~~ test feature disabled: by trying to create a new user with a weak passw after feature disabled expecting to success.
- chpasswd_cmd = config_user_and_passw(duthost, USERNAME_SIMPLE_1, simple_passw_1)
+ chpasswd_cmd = config_user_and_passw(duthost, passw_hardening_utils.USERNAME_SIMPLE_1, simple_passw_1)
- pytest_assert(chpasswd_cmd['rc']==SUCCESS_CODE, "Fail: expected: username={} to be added with weak passw={}, \
- because passw hardening disabled".format(USERNAME_SIMPLE_1, simple_passw_1))
+ pytest_assert(chpasswd_cmd['rc'] == SUCCESS_CODE, "Fail: expected: username={} to be added with weak passw={}, \
+ because passw hardening disabled".format(passw_hardening_utils.USERNAME_SIMPLE_1, simple_passw_1))
def test_passw_hardening_history(duthosts, enum_rand_one_per_hwsku_hostname, clean_passw_policies, clean_passw_history):
@@ -339,40 +251,46 @@ def test_passw_hardening_history(duthosts, enum_rand_one_per_hwsku_hostname, cle
duthost = duthosts[enum_rand_one_per_hwsku_hostname]
# 1. set new policies for history passw support
- passw_hardening_ob = PasswHardening(state='enabled',
- expiration='0',
- expiration_warning='0',
+ passw_hardening_ob = passw_hardening_utils.PasswHardening(state='enabled',
+ expiration='10',
+ expiration_warning='10',
history='10',
- len_min='1',
+ len_min='8',
reject_user_passw_match='false',
lower_class='false',
upper_class='false',
digit_class="true",
special_class='false')
-
- config_and_review_policies(duthost, passw_hardening_ob, pam_file_expected=PAM_PASSWORD_CONF_HISTORY_ONLY_EXPECTED)
+
+ passw_hardening_utils.config_and_review_policies(duthost, passw_hardening_ob, pam_file_expected=passw_hardening_utils.PAM_PASSWORD_CONF_HISTORY_ONLY_EXPECTED)
# 2. create user + 3. set passw
first_passw = 'Nvidia_2020'
- strong_chpasswd_cmd = config_user_and_passw(duthost, USERNAME_HISTORY, first_passw)
+ strong_chpasswd_cmd = config_user_and_passw(duthost, passw_hardening_utils.USERNAME_HISTORY, first_passw)
- pytest_assert(strong_chpasswd_cmd['rc']==SUCCESS_CODE, "Fail creating user: username='{}' with strong password='{}'".format(USERNAME_HISTORY, first_passw))
+ pytest_assert(strong_chpasswd_cmd['rc'] == SUCCESS_CODE,
+ "Fail creating user: username='{}' with strong password='{}'".format(passw_hardening_utils.USERNAME_HISTORY, first_passw))
# 4. set other passw
second_passw = 'So_nic_p1'
- chpasswd_cmd = change_password(duthost, second_passw, USERNAME_HISTORY)
+ chpasswd_cmd = change_password(duthost, second_passw, passw_hardening_utils.USERNAME_HISTORY)
- pytest_assert(chpasswd_cmd['rc']==SUCCESS_CODE, "Fail changing passw with: username='{}' with strong password='{}'".format(USERNAME_HISTORY, second_passw))
+ pytest_assert(chpasswd_cmd['rc'] == SUCCESS_CODE,
+ "Fail changing passw with: username='{}' with strong password='{}'".format(passw_hardening_utils.USERNAME_HISTORY,
+ second_passw))
# 5. try to set the first passw
- chpasswd_cmd = change_password(duthost, first_passw, USERNAME_HISTORY)
+ chpasswd_cmd = change_password(duthost, first_passw, passw_hardening_utils.USERNAME_HISTORY)
# 6. expected "fail" because the firsts passw was already used.
- pytest_assert('Password has been already used. Choose another.' in chpasswd_cmd['stderr'], "Fail : username='{}' with strong password='{}' was set with an old passw, even though, history was configured".format(USERNAME_HISTORY, first_passw))
+ pytest_assert('Password has been already used. Choose another.' in chpasswd_cmd['stderr'],
+ "Fail : username='{}' with strong password='{}' was set with an old passw, even though, history was configured".format(
+ passw_hardening_utils.USERNAME_HISTORY, first_passw))
-def test_passw_hardening_age_expiration(duthosts, enum_rand_one_per_hwsku_hostname, clean_passw_policies, clean_passw_age):
- """
+def test_passw_hardening_age_expiration(duthosts, enum_rand_one_per_hwsku_hostname, clean_passw_policies,
+ clean_passw_age):
+ """
Test password hardening age expiration, by change the last passw change of the user to a date old by 100 days
then the test will try to login and its expected a failure beacause the passw is expered, other the test will fail.
"""
@@ -380,10 +298,10 @@ def test_passw_hardening_age_expiration(duthosts, enum_rand_one_per_hwsku_hostna
duthost = duthosts[enum_rand_one_per_hwsku_hostname]
# set new passw hardening policies values
- passw_hardening_ob = PasswHardening(state='enabled',
+ passw_hardening_ob = passw_hardening_utils.PasswHardening(state='enabled',
expiration='30',
expiration_warning='15',
- history='1',
+ history='10',
len_min='8',
reject_user_passw_match='false',
lower_class='false',
@@ -394,9 +312,10 @@ def test_passw_hardening_age_expiration(duthosts, enum_rand_one_per_hwsku_hostna
expected_login_error = 'You are required to change your password immediately (password expired).'
verify_age_flow(duthost, passw_hardening_ob, expected_login_error)
-
-def test_passw_hardening_age_expiration_warning(duthosts, enum_rand_one_per_hwsku_hostname, clean_passw_policies, clean_passw_age):
- """
+
+def test_passw_hardening_age_expiration_warning(duthosts, enum_rand_one_per_hwsku_hostname, clean_passw_policies,
+ clean_passw_age):
+ """
Test password hardening age expiration, by change the last passw change of the user to a date old by 100 days
then the test will try to login and its expected a failure beacause the passw is expered, other the test will fail.
"""
@@ -404,22 +323,23 @@ def test_passw_hardening_age_expiration_warning(duthosts, enum_rand_one_per_hwsk
duthost = duthosts[enum_rand_one_per_hwsku_hostname]
# set new passw hardening policies values
- passw_hardening_ob = PasswHardening(state='enabled',
- expiration='140',
- expiration_warning='120',
- history='1',
+ passw_hardening_ob = passw_hardening_utils.PasswHardening(state='enabled',
+ expiration='120',
+ expiration_warning='30',
+ history='10',
len_min='8',
reject_user_passw_match='false',
lower_class='false',
upper_class='false',
digit_class="true",
special_class='false')
-
-
- # warning expected because the passw chage is 100 days old and the warning should be after 140-120=20 days
- expected_login_error = 'Warning: your password will expire in 40 days.'
+
+ # warning msg is expected because in the flow the function modify_last_password_change_user
+ # mimic that the passw should be change in 20 days time and the warning is higher than that.
+ expected_login_error = 'Warning: your password will expire'
verify_age_flow(duthost, passw_hardening_ob, expected_login_error)
+
def test_passw_hardening_len_min(duthosts, enum_rand_one_per_hwsku_hostname, clean_passw_policies, clean_passw_len_min):
""" Test password hardening len min
1. good flow: set min len and password according
@@ -428,53 +348,55 @@ def test_passw_hardening_len_min(duthosts, enum_rand_one_per_hwsku_hostname, cle
duthost = duthosts[enum_rand_one_per_hwsku_hostname]
# set new passw hardening policies values
- passw_hardening_ob = PasswHardening(state='enabled',
- expiration='0',
- expiration_warning='0',
- history='1',
+ passw_hardening_ob = passw_hardening_utils.PasswHardening(state='enabled',
+ expiration='10',
+ expiration_warning='10',
+ history='10',
len_min='8',
reject_user_passw_match='false',
lower_class='false',
upper_class='false',
digit_class="true",
special_class='false')
-
+
# config one policy, check show CLI, test policy configured in switch
- config_and_review_policies(duthost, passw_hardening_ob, PAM_PASSWORD_CONF_LEN_MIN_ONLY_EXPECTED)
-
+ passw_hardening_utils.config_and_review_policies(duthost, passw_hardening_ob, passw_hardening_utils.PAM_PASSWORD_CONF_LEN_MIN_ONLY_EXPECTED)
+
passw_test = '19892022'
- chpasswd_cmd = config_user_and_passw(duthost, USERNAME_LEN_MIN, passw_test)
-
+ chpasswd_cmd = config_user_and_passw(duthost, passw_hardening_utils.USERNAME_LEN_MIN, passw_test)
+
pytest_assert(chpasswd_cmd['rc'] == SUCCESS_CODE, "Fail creating user: username='{}' with strong password='{}'"
- .format(USERNAME_LEN_MIN, passw_test))
+ .format(passw_hardening_utils.USERNAME_LEN_MIN, passw_test))
# --- Bad Flow ---
# set new passw hardening policies values
- passw_hardening_ob_len_min_big = PasswHardening(state='enabled',
- expiration='0',
- expiration_warning='0',
- history='1',
- len_min='10',
- reject_user_passw_match='false',
- lower_class='false',
- upper_class='false',
- digit_class="true",
- special_class='false')
-
- configure_passw_policies(duthost, passw_hardening_ob_len_min_big)
+ passw_hardening_ob_len_min_big = passw_hardening_utils.PasswHardening(state='enabled',
+ expiration='10',
+ expiration_warning='10',
+ history='10',
+ len_min='10',
+ reject_user_passw_match='false',
+ lower_class='false',
+ upper_class='false',
+ digit_class="true",
+ special_class='false')
+
+ passw_hardening_utils.configure_passw_policies(duthost, passw_hardening_ob_len_min_big)
# test user with len min small than config
passw_bad_test = 'asDD@@12'
# test settig smaller passw than config
- chpasswd_cmd = change_password(duthost, passw_bad_test, USERNAME_LEN_MIN)
-
+ chpasswd_cmd = change_password(duthost, passw_bad_test, passw_hardening_utils.USERNAME_LEN_MIN)
+
pytest_assert('BAD PASSWORD: is too simple' in chpasswd_cmd['stderr'], "Fail : password='{}' was set with an small len than the policy,\
- even though, it was configured".format(passw_bad_test))
+ even though, it was configured".format(
+ passw_bad_test))
-def test_passw_hardening_policies_digits(duthosts, enum_rand_one_per_hwsku_hostname, clean_passw_policies, clean_passw_one_policy_user):
- """
+def test_passw_hardening_policies_digits(duthosts, enum_rand_one_per_hwsku_hostname, clean_passw_policies,
+ clean_passw_one_policy_user):
+ """
Test password hardening digits class
Good flow - set passw according the policy
Bad flow - set passw not according the policy and expecting to get an error
@@ -486,10 +408,10 @@ def test_passw_hardening_policies_digits(duthosts, enum_rand_one_per_hwsku_hostn
passw_exp_error = 'BAD PASSWORD: is too simple'
# set new passw hardening policies values
- passw_hardening_ob = PasswHardening(state='enabled',
- expiration='0',
- expiration_warning='0',
- history='0',
+ passw_hardening_ob = passw_hardening_utils.PasswHardening(state='enabled',
+ expiration='100',
+ expiration_warning='15',
+ history='12',
len_min='1',
reject_user_passw_match='false',
lower_class='false',
@@ -497,12 +419,14 @@ def test_passw_hardening_policies_digits(duthosts, enum_rand_one_per_hwsku_hostn
digit_class="true",
special_class='false')
- review_one_policy_with_user(duthost, passw_hardening_ob, passw_test, passw_bad_test, passw_exp_error, PAM_PASSWORD_CONF_DIGITS_ONLY_EXPECTED)
+ review_one_policy_with_user(duthost, passw_hardening_ob, passw_test, passw_bad_test, passw_exp_error,
+ passw_hardening_utils.PAM_PASSWORD_CONF_DIGITS_ONLY_EXPECTED)
-def test_passw_hardening_policies_lower_class(duthosts, enum_rand_one_per_hwsku_hostname, clean_passw_policies, clean_passw_one_policy_user):
- """
- Test password hardening lower class
+def test_passw_hardening_policies_lower_class(duthosts, enum_rand_one_per_hwsku_hostname, clean_passw_policies,
+ clean_passw_one_policy_user):
+ """
+ Test password hardening lower class
Good flow - set passw according the policy
Bad flow - set passw not according the policy and expecting to get an error
"""
@@ -513,10 +437,10 @@ def test_passw_hardening_policies_lower_class(duthosts, enum_rand_one_per_hwsku_
passw_exp_error = 'BAD PASSWORD: is too simple'
# set new passw hardening policies values
- passw_hardening_ob = PasswHardening(state='enabled',
- expiration='0',
- expiration_warning='0',
- history='0',
+ passw_hardening_ob = passw_hardening_utils.PasswHardening(state='enabled',
+ expiration='10',
+ expiration_warning='10',
+ history='10',
len_min='1',
reject_user_passw_match='false',
lower_class='true',
@@ -524,11 +448,14 @@ def test_passw_hardening_policies_lower_class(duthosts, enum_rand_one_per_hwsku_
digit_class="false",
special_class='false')
- review_one_policy_with_user(duthost, passw_hardening_ob, passw_test, passw_bad_test, passw_exp_error, PAM_PASSWORD_CONF_LOWER_LETTER_ONLY_EXPECTED)
+ review_one_policy_with_user(duthost, passw_hardening_ob, passw_test, passw_bad_test, passw_exp_error,
+ passw_hardening_utils.PAM_PASSWORD_CONF_LOWER_LETTER_ONLY_EXPECTED)
+
-def test_passw_hardening_policies_upper_class(duthosts, enum_rand_one_per_hwsku_hostname, clean_passw_policies, clean_passw_one_policy_user):
- """
- Test password hardening upper class
+def test_passw_hardening_policies_upper_class(duthosts, enum_rand_one_per_hwsku_hostname, clean_passw_policies,
+ clean_passw_one_policy_user):
+ """
+ Test password hardening upper class
Good flow - set passw according the policy
Bad flow - set passw not according the policy and expecting to get an error
"""
@@ -537,12 +464,12 @@ def test_passw_hardening_policies_upper_class(duthosts, enum_rand_one_per_hwsku_
passw_test = 'NVI_DI_A_UP#'
passw_bad_test = 'l_o_w_l_#_e#t1'
passw_exp_error = 'BAD PASSWORD: is too simple'
-
+
# set new passw hardening policies values
- passw_hardening_ob = PasswHardening(state='enabled',
- expiration='0',
- expiration_warning='0',
- history='0',
+ passw_hardening_ob = passw_hardening_utils.PasswHardening(state='enabled',
+ expiration='10',
+ expiration_warning='10',
+ history='10',
len_min='1',
reject_user_passw_match='false',
lower_class='false',
@@ -550,11 +477,14 @@ def test_passw_hardening_policies_upper_class(duthosts, enum_rand_one_per_hwsku_
digit_class="false",
special_class='false')
- review_one_policy_with_user(duthost, passw_hardening_ob, passw_test, passw_bad_test, passw_exp_error, PAM_PASSWORD_CONF_UPPER_LETTER_ONLY_EXPECTED)
+ review_one_policy_with_user(duthost, passw_hardening_ob, passw_test, passw_bad_test, passw_exp_error,
+ passw_hardening_utils.PAM_PASSWORD_CONF_UPPER_LETTER_ONLY_EXPECTED)
+
-def test_passw_hardening_policies_special_class(duthosts, enum_rand_one_per_hwsku_hostname, clean_passw_policies, clean_passw_one_policy_user):
- """
- Test password hardening special class
+def test_passw_hardening_policies_special_class(duthosts, enum_rand_one_per_hwsku_hostname, clean_passw_policies,
+ clean_passw_one_policy_user):
+ """
+ Test password hardening special class
Good flow - set passw according the policy
Bad flow - set passw not according the policy and expecting to get an error
"""
@@ -565,10 +495,10 @@ def test_passw_hardening_policies_special_class(duthosts, enum_rand_one_per_hwsk
passw_exp_error = 'BAD PASSWORD: is too simple'
# set new passw hardening policies values
- passw_hardening_ob = PasswHardening(state='enabled',
- expiration='0',
- expiration_warning='0',
- history='0',
+ passw_hardening_ob = passw_hardening_utils.PasswHardening(state='enabled',
+ expiration='10',
+ expiration_warning='10',
+ history='10',
len_min='1',
reject_user_passw_match='false',
lower_class='false',
@@ -576,24 +506,27 @@ def test_passw_hardening_policies_special_class(duthosts, enum_rand_one_per_hwsk
digit_class="false",
special_class='true')
- review_one_policy_with_user(duthost, passw_hardening_ob, passw_test, passw_bad_test, passw_exp_error, PAM_PASSWORD_CONF_SPECIAL_LETTER_ONLY_EXPECTED)
+ review_one_policy_with_user(duthost, passw_hardening_ob, passw_test, passw_bad_test, passw_exp_error,
+ passw_hardening_utils.PAM_PASSWORD_CONF_SPECIAL_LETTER_ONLY_EXPECTED)
-def test_passw_hardening_policy_reject_user_passw_match(duthosts, enum_rand_one_per_hwsku_hostname, clean_passw_policies, clean_passw_one_policy_user):
- """
+
+def test_passw_hardening_policy_reject_user_passw_match(duthosts, enum_rand_one_per_hwsku_hostname,
+ clean_passw_policies, clean_passw_one_policy_user):
+ """
Test password hardening reject user passw match
Bad flow - set passw not according the policy and expecting to get an error
"""
duthost = duthosts[enum_rand_one_per_hwsku_hostname]
passw_test = '19892022'
- passw_bad_test = USERNAME_ONE_POLICY
- passw_exp_error='BAD PASSWORD: contains the user name in some form'
-
+ passw_bad_test = passw_hardening_utils.USERNAME_ONE_POLICY
+ passw_exp_error = 'BAD PASSWORD: contains the user name in some form'
+
# set new passw hardening policies values
- passw_hardening_ob = PasswHardening(state='enabled',
- expiration='0',
- expiration_warning='0',
- history='0',
+ passw_hardening_ob = passw_hardening_utils.PasswHardening(state='enabled',
+ expiration='10',
+ expiration_warning='10',
+ history='10',
len_min='1',
reject_user_passw_match='true',
lower_class='false',
@@ -601,6 +534,5 @@ def test_passw_hardening_policy_reject_user_passw_match(duthosts, enum_rand_one_
digit_class="false",
special_class='false')
- review_one_policy_with_user(duthost, passw_hardening_ob, passw_test, passw_bad_test, passw_exp_error, PAM_PASSWORD_CONF_REJECT_USER_PASSW_MATCH_EXPECTED)
-
-
+ review_one_policy_with_user(duthost, passw_hardening_ob, passw_test, passw_bad_test, passw_exp_error,
+ passw_hardening_utils.PAM_PASSWORD_CONF_REJECT_USER_PASSW_MATCH_EXPECTED)