tests/security-server-tests/security_server_tests_password.cpp

   1 /*
   2  * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved
   3  */
   4 /*
   5  * @file    security_server_tests_password.cpp
   6  * @author  Bumjin Im (bj.im@samsung.com)
   7  * @author  Pawel Polawski (p.polawski@partner.samsung.com)
   8  * @author  Radoslaw Bartosiak (r.bartosiak@samsung.com)
   9  * @author  Jan Olszak (j.olszak@samsung.com)
  10  * @version 2.0
  11  * @brief   Test cases for security server
  12  *
  13  * WARNING: In this file test order is very important. They have to always be run
  14  * in correct order. This is done by correct test case names ("tcXX_").
  15  */
  16
  17 #include <stdio.h>
  18 #include <errno.h>
  19 #include <stdlib.h>
  20 #include <string.h>
  21 #include <limits.h>
  22 #include <sys/types.h>
  23 #include <sys/param.h>
  24 #include <fcntl.h>
  25 #include <sys/un.h>
  26 #include <unistd.h>
  27 #include <sys/socket.h>
  28 #include <sys/time.h>
  29 #include <dirent.h>
  30 #include "security-server.h"
  31 #include <dpl/test/test_runner.h>
  32 #include <dlog.h>
  33 #include "security_server_clean_env.h"
  34 #include <tracker.h>
  35
  36
  37 // security server retry timeout in microseconds
  38 const unsigned int PASSWORD_RETRY_TIMEOUT_US = 500000;
  39
  40 // the maximum time (in seconds) passwords can expire in
  41 const unsigned int PASSWORD_INFINITE_EXPIRATION_TIME = 0xFFFFFFFF;
  42
  43 // test passwords
  44 const char* TEST_PASSWORD =         "IDLEPASS";
  45 const char* SECOND_TEST_PASSWORD =  "OTHERIDLEPASS";
  46 const char* THIRD_TEST_PASSWORD =   "THIRDPASS";
  47 const char* FOURTH_TEST_PASSWORD =  "FOURTHPASS";
  48
  49
  50 RUNNER_TEST_GROUP_INIT(SECURITY_SERVER_TESTS_PASSWORD);
  51
  52
  53 /**
  54  * Confirm there is no password before tests are run.
  55  */
  56 RUNNER_TEST(tc01_clear_environment)
  57 {
  58     int ret;
  59     unsigned int attempt, max_attempt, expire_sec;
  60
  61     if (getuid() == 0)
  62     {
  63         reset_security_server();
  64
  65         ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec);
  66
  67         RUNNER_ASSERT_MSG(expire_sec == 0, "expire_sec = " << expire_sec);
  68         RUNNER_ASSERT_MSG(max_attempt == 0, "max_attempt = " << max_attempt);
  69         RUNNER_ASSERT_MSG(attempt == 0, "attempt = " << attempt);
  70         RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD, "ret = " << ret);
  71     }
  72     else
  73     {
  74         SLOGD("To run the test as non root user, please remove password files (/opt/data/security-server/*) in root shell\n");
  75         SLOGD("If not, you will see some failures\n");
  76
  77         RUNNER_IGNORED_MSG("I'm not root");
  78     }
  79     sleep(1);
  80 }
  81
  82 /**
  83  * Basic test of setting validity period.
  84  */
  85 RUNNER_TEST(tc02_security_server_set_pwd_validity)
  86 {
  87     int ret;
  88
  89     // Prepare environment
  90     reset_security_server();
  91
  92     // TESTS:
  93     // WITHOUT password
  94     ret = security_server_set_pwd_validity(10);
  95     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD, "ret = " << ret);
  96
  97     ret = security_server_set_pwd_validity(11);
  98     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD, "ret = " << ret);
  99
 100     // WITH password
 101     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 10, 10);
 102     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 103
 104     ret = security_server_set_pwd_validity(10);
 105     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 106
 107     ret = security_server_set_pwd_validity(11);
 108     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 109
 110     sleep(1);
 111 }
 112
 113 /**
 114  * Basic test of setting maximum number of password challenges.
 115  */
 116 RUNNER_TEST(tc03_security_server_set_pwd_max_challenge)
 117 {
 118     int ret;
 119
 120     // Prepare environment
 121     reset_security_server();
 122
 123     // TESTS:
 124     // WITHOUT password
 125     ret = security_server_set_pwd_max_challenge(5);
 126     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD, "ret = " << ret);
 127
 128     ret = security_server_set_pwd_max_challenge(6);
 129     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD, "ret = " << ret);
 130
 131     // WITH password
 132     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 10, 10);
 133     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 134
 135     ret = security_server_set_pwd_max_challenge(5);
 136     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 137
 138     ret = security_server_set_pwd_max_challenge(6);
 139     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 140
 141     sleep(1);
 142     reset_security_server();
 143 }
 144
 145 /**
 146  * Test checking a too long password.
 147  */
 148 RUNNER_TEST(tc04_security_server_chk_pwd_too_long_password_case)
 149 {
 150     int ret;
 151     unsigned int attempt, max_attempt, expire_sec;
 152
 153     // 33 char password
 154     ret = security_server_chk_pwd("abcdefghijklmnopqrstuvwxyz0123456", &attempt, &max_attempt, &expire_sec);
 155     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 156 }
 157
 158 /**
 159  * Test various parameter values when checking a password.
 160  */
 161 RUNNER_TEST(tc05_security_server_chk_pwd_null_input_case)
 162 {
 163     int ret;
 164     unsigned int attempt, max_attempt, expire_sec;
 165
 166     ret = security_server_chk_pwd(NULL, &attempt, &max_attempt, &expire_sec);
 167     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 168
 169     ret = security_server_chk_pwd("password", NULL, &max_attempt, &expire_sec);
 170     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 171
 172     ret = security_server_chk_pwd("password", &attempt, NULL, &expire_sec);
 173     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 174
 175     ret = security_server_chk_pwd("password", &attempt, &max_attempt, NULL);
 176     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 177 }
 178
 179 /**
 180  * Check the given password when no password is set.
 181  */
 182 RUNNER_TEST(tc06_security_server_chk_pwd_no_password_case)
 183 {
 184     int ret;
 185     unsigned int attempt, max_attempt, expire_sec;
 186
 187     // Prepare environment - there is no password now!
 188     reset_security_server();
 189
 190     // TEST
 191     ret = security_server_chk_pwd("isthisempty", &attempt, &max_attempt, &expire_sec);
 192
 193     RUNNER_ASSERT_MSG(expire_sec == 0, expire_sec);
 194     RUNNER_ASSERT_MSG(max_attempt == 0, max_attempt);
 195     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD, "ret = " << ret);
 196 }
 197
 198 /**
 199  * Checks various parameter values.
 200  */
 201 RUNNER_TEST(tc07_security_server_set_pwd_null_input_case)
 202 {
 203     int ret;
 204
 205     // Prepare environment
 206     reset_security_server();
 207
 208     // TEST
 209     ret = security_server_set_pwd(NULL, NULL, 0, 0);
 210     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 211 }
 212
 213 /**
 214  * Test setting too long password.
 215  */
 216 RUNNER_TEST(tc08_security_server_set_pwd_too_long_input_param)
 217 {
 218     int ret;
 219
 220     // Prepare environment
 221     reset_security_server();
 222
 223     // TEST
 224     // 33 char password
 225     ret = security_server_set_pwd("abcdefghijklmnopqrstuvwxyz0123456", "abcdefghijklmnopqrstuvwxyz0123456", 0, 0);
 226     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 227 }
 228
 229 /**
 230  * Basic password setting.
 231  */
 232 RUNNER_TEST(tc09_security_server_set_pwd_current_pwd_empty)
 233 {
 234     int ret;
 235
 236     // Prepare environment
 237     reset_security_server();
 238
 239     // TEST
 240     sleep(1);
 241     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 0, 0);
 242     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 243 }
 244
 245 /**
 246  * Set a maximum password period.
 247  */
 248 RUNNER_TEST(tc10_security_server_set_pwd_current_pwd_max_valid_period_in_days)
 249 {
 250     int ret;
 251     // Prepare environment
 252     reset_security_server();
 253     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 10, 10);
 254     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 255
 256     // TEST
 257     sleep(1);
 258     // UINT_MAX will cause api error, it is to big value
 259     ret = security_server_set_pwd(TEST_PASSWORD, SECOND_TEST_PASSWORD, 0, UINT_MAX);
 260     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 261     sleep(1);
 262     // calculate max applicable valid days that will not be rejected by ss
 263     // ensure, that after conversion from days to seconds in ss there will be no uint overflow
 264     unsigned int valid_days = ((UINT_MAX - time(NULL)) / 86400) - 1;
 265     ret = security_server_set_pwd(TEST_PASSWORD, SECOND_TEST_PASSWORD, 0, valid_days);
 266     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 267 }
 268
 269 /**
 270  * Set a maximum password challenge number.
 271  */
 272 RUNNER_TEST(tc11_security_server_set_pwd_current_pwd_max_max_challenge)
 273 {
 274     int ret;
 275     // Prepare environment
 276     reset_security_server();
 277     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 10, 10);
 278     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 279
 280     // TEST
 281     sleep(1);
 282     ret = security_server_set_pwd(TEST_PASSWORD, SECOND_TEST_PASSWORD, UINT_MAX, 0);
 283     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 284 }
 285
 286 /**
 287  * Set empty password.
 288  */
 289 RUNNER_TEST(tc12_security_server_set_pwd_current_pwd_nonempty2zero)
 290 {
 291     int ret;
 292     // Prepare environment
 293     reset_security_server();
 294     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 10, 10);
 295     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 296
 297     // TEST
 298     sleep(1);
 299     ret = security_server_set_pwd(TEST_PASSWORD, "", 0, 0);
 300     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 301 }
 302
 303 /**
 304  * Change password to a too long password.
 305  */
 306 RUNNER_TEST(tc14_security_server_set_pwd_current_pwd_too_long_input_param)
 307 {
 308     int ret;
 309     // Prepare environment
 310     reset_security_server();
 311     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 10, 10);
 312     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 313
 314     // TEST
 315     sleep(1);
 316     char* long_password = (char*) malloc(5001);
 317     long_password[5000] = '\0';
 318     memset(long_password, 'A', 5000);
 319     ret = security_server_set_pwd(TEST_PASSWORD,long_password, 10, 10);
 320     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 321 }
 322
 323 /**
 324  * Check empty password.
 325  */
 326 RUNNER_TEST(tc15_security_server_chk_pwd_shortest_password)
 327 {
 328     int ret;
 329     unsigned int attempt, max_attempt, expire_sec;
 330
 331     // Prepare environment
 332     reset_security_server();
 333     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 10, 10);
 334     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 335
 336     // TEST
 337     sleep(1);
 338     ret = security_server_chk_pwd("", &attempt, &max_attempt, &expire_sec);
 339     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 340 }
 341
 342 /**
 343  * Various validity parameter values.
 344  */
 345 RUNNER_TEST(tc16_security_server_set_pwd_validity)
 346 {
 347     int ret;
 348     // Prepare environment
 349     reset_security_server();
 350     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 10, 10);
 351     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 352
 353     // TEST
 354     ret = security_server_set_pwd_validity(0);
 355     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 356
 357     ret = security_server_set_pwd_validity(1);
 358     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 359
 360     //When trying to set UINT_MAX we should get error.
 361     ret = security_server_set_pwd_validity(UINT_MAX);
 362     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 363
 364     ret = security_server_set_pwd_validity(2);
 365     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 366 }
 367
 368 /**
 369  * Check passwords validity
 370  */
 371 RUNNER_TEST(tc17_security_server_is_pwd_valid)
 372 {
 373     int ret;
 374     unsigned int attempt, max_attempt, expire_sec;
 375
 376     // Prepare environment
 377     reset_security_server();
 378     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 10, 2);
 379     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 380
 381     // TEST:
 382     sleep(1);
 383     ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec);
 384     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_EXIST,  "ret = " << ret);
 385     RUNNER_ASSERT_MSG((expire_sec > 172795) && (expire_sec < 172805),  "expire_sec = " << expire_sec);
 386 }
 387
 388 /**
 389  * Various numbers of challenges.
 390  */
 391 RUNNER_TEST(tc18_security_server_set_pwd_max_challenge)
 392 {
 393     int ret;
 394     // Prepare environment
 395     reset_security_server();
 396     // calculate max applicable valid days that will not be rejected by ss
 397     // ensure, that after conversion from days to seconds in ss there will be no uint overflow
 398     unsigned int valid_days = ((UINT_MAX - time(NULL)) / 86400) - 1;
 399     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 10, valid_days);
 400     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 401
 402     // TESTS
 403     sleep(1);
 404     ret = security_server_set_pwd_max_challenge(0);
 405     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 406
 407     sleep(1);
 408     ret = security_server_set_pwd_max_challenge(UINT_MAX);
 409     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 410
 411     sleep(1);
 412     ret = security_server_set_pwd_max_challenge(5);
 413     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 414
 415     sleep(1);
 416     ret = security_server_set_pwd_max_challenge(6);
 417     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 418 }
 419
 420
 421 /**
 422  * Check the max number of challenges.
 423  */
 424 RUNNER_TEST(tc19_security_server_is_pwd_valid)
 425 {
 426     int ret;
 427     unsigned int attempt, max_attempt, expire_sec;
 428     // Prepare environment
 429     reset_security_server();
 430     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 10, 10);
 431     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 432     sleep(1);
 433     ret = security_server_set_pwd_max_challenge(6);
 434     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 435
 436     // TEST
 437     ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec);
 438     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_EXIST, "ret = " << ret);
 439     RUNNER_ASSERT_MSG(max_attempt == 6,  "max_attempt = " << max_attempt);
 440 }
 441
 442 /**
 443  * Basic password check.
 444  */
 445 RUNNER_TEST(tc20_security_server_chk_pwd)
 446 {
 447     int ret;
 448     unsigned int attempt, max_attempt, expire_sec;
 449
 450     // Prepare environment
 451     reset_security_server();
 452     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 10, 10);
 453     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 454
 455     // TEST
 456     sleep(1);
 457     ret = security_server_chk_pwd(TEST_PASSWORD, &attempt, &max_attempt, &expire_sec);
 458     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, ret);
 459
 460     sleep(1);
 461     ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec);
 462     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_EXIST, "ret = " << ret);
 463 }
 464
 465 /**
 466  * Check an incorrect password.
 467  */
 468 RUNNER_TEST(tc21_security_server_chk_incorrect_pwd)
 469 {
 470     int ret;
 471     unsigned int attempt, max_attempt, expire_sec;
 472
 473     // Prepare environment
 474     reset_security_server();
 475     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 10, 10);
 476     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 477
 478     //TEST
 479     sleep(1);
 480     ret = security_server_chk_pwd(SECOND_TEST_PASSWORD, &attempt, &max_attempt, &expire_sec);
 481     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH, "ret = " << ret);
 482 }
 483
 484 /**
 485  * Check an incorrect password
 486  */
 487 RUNNER_TEST(tc22_security_server_set_pwd_incorrect_current)
 488 {
 489     int ret;
 490
 491     // Prepare environment
 492     reset_security_server();
 493     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 10, 10);
 494     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 495
 496     // TEST
 497     sleep(1);
 498     ret = security_server_set_pwd(SECOND_TEST_PASSWORD, THIRD_TEST_PASSWORD, 10, 10);
 499     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH,  "ret = " << ret);
 500 }
 501
 502 /**
 503  * Change password
 504  */
 505 RUNNER_TEST(tc23_security_server_set_pwd_correct_current)
 506 {
 507     int ret;
 508
 509     // Prepare environment
 510     reset_security_server();
 511     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 10, 10);
 512     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 513
 514     // TEST
 515     sleep(1);
 516     ret = security_server_set_pwd(TEST_PASSWORD, SECOND_TEST_PASSWORD, 10, 10);
 517     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 518 }
 519
 520 /**
 521  * Check wrong password multiple times and then check a correct one.
 522  */
 523 RUNNER_TEST(tc24_security_server_attempt_exceeding)
 524 {
 525     int ret;
 526     unsigned int i, attempt, max_attempt, expire_sec;
 527
 528     // Prepare environment
 529     reset_security_server();
 530     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 10, 10);
 531     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 532
 533     // TEST
 534     printf("5 subtests started...");
 535     for (i = 1; i <= 5; i++) {
 536         sleep(1);
 537         ret = security_server_chk_pwd(SECOND_TEST_PASSWORD, &attempt, &max_attempt, &expire_sec);
 538         RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH, "ret = " << ret);
 539         RUNNER_ASSERT_MSG(attempt == i, "attempt = " << attempt << ", expected " << i);
 540     }
 541     printf("DONE\n");
 542
 543     sleep(1);
 544     ret = security_server_chk_pwd(TEST_PASSWORD, &attempt, &max_attempt, &expire_sec);
 545     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 546
 547     sleep(1);
 548     ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec);
 549     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_EXIST, "ret = " << ret);
 550     RUNNER_ASSERT_MSG(attempt == 0, "ret = " << ret);
 551     RUNNER_ASSERT_MSG(max_attempt == 10, "ret = " << ret);
 552 }
 553
 554 /**
 555  * Try to exceed maximum number of challenges.
 556  */
 557 RUNNER_TEST(tc25_security_server_attempt_exceeding)
 558 {
 559     int ret;
 560     unsigned int i, attempt, max_attempt, expire_sec;
 561
 562     // Prepare environment
 563     reset_security_server();
 564     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 10, 1);
 565     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 566
 567     // TEST
 568     printf("10 subtests started...");
 569     for (i = 1; i <= 10; i++) {
 570         sleep(1);
 571         ret = security_server_chk_pwd(SECOND_TEST_PASSWORD, &attempt, &max_attempt, &expire_sec);
 572         RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH, "ret = " << ret);
 573         RUNNER_ASSERT_MSG(attempt == i, "attempt = " << attempt << ", expected " << i);
 574     }
 575
 576     // The check, that exceeds max number
 577     sleep(1);
 578     ret = security_server_chk_pwd(SECOND_TEST_PASSWORD, &attempt, &max_attempt, &expire_sec);
 579     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_MAX_ATTEMPTS_EXCEEDED, "ret = " << ret);
 580     printf("DONE\n");
 581
 582     sleep(1);
 583     ret = security_server_chk_pwd(TEST_PASSWORD,  &attempt, &max_attempt, &expire_sec);
 584     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_MAX_ATTEMPTS_EXCEEDED, "ret = " << ret);
 585 }
 586
 587 /**
 588  * Reset password
 589  */
 590 RUNNER_TEST(tc26_security_server_reset_pwd)
 591 {
 592     int ret;
 593
 594     // Prepare environment
 595     reset_security_server();
 596     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 5, 10);
 597     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 598
 599     // TEST
 600     sleep(1);
 601     ret = security_server_reset_pwd(TEST_PASSWORD, 10, 10);
 602     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 603 }
 604
 605 /**
 606  * Check too long password.
 607  */
 608 RUNNER_TEST(tc27_security_server_chk_pwd_too_long_password)
 609 {
 610     int ret;
 611     unsigned int attempt, max_attempt, expire_sec;
 612     // Prepare environment
 613     reset_security_server();
 614     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 5, 10);
 615     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 616
 617     // TEST
 618     char* long_password = (char*) malloc(5001);
 619     long_password[5000] = '\0';
 620     memset(long_password, 'A', 5000);
 621     ret = security_server_chk_pwd(long_password,  &attempt, &max_attempt, &expire_sec);
 622     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 623 }
 624
 625 /**
 626  * Check passwords expiration (not expired)
 627  */
 628 RUNNER_TEST(tc28_security_server_check_expiration)
 629 {
 630     int ret;
 631     unsigned int attempt, max_attempt, expire_sec;
 632
 633     // Prepare environment
 634     reset_security_server();
 635     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 5, 1);
 636     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 637
 638     // TEST
 639     sleep(1);
 640     ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec);
 641     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_EXIST, "ret = " << ret);
 642     RUNNER_ASSERT_MSG((expire_sec < 86402) && (expire_sec > 86396), "expire_sec = " << ret);
 643 }
 644
 645 /**
 646  * Use various parameter values of parameters.
 647  */
 648 RUNNER_TEST(tc29_security_server_set_pwd_history)
 649 {
 650     int ret;
 651
 652     // Prepare environment
 653     reset_security_server();
 654     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 5, 1);
 655     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 656
 657     // TESTS
 658     sleep(1);
 659     ret = security_server_set_pwd_history(100);
 660     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 661
 662     sleep(1);
 663     ret = security_server_set_pwd_history(51);
 664     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 665
 666     sleep(1);
 667     ret = security_server_set_pwd_history(-5);
 668     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 669
 670     sleep(1);
 671     ret = security_server_set_pwd_history(50);
 672     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 673
 674     sleep(1);
 675     ret = security_server_set_pwd_history(0);
 676     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 677
 678     sleep(1);
 679     ret = security_server_set_pwd_history(INT_MAX);
 680     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 681
 682     sleep(1);
 683     ret = security_server_set_pwd_history(INT_MIN);
 684     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 685
 686     sleep(1);
 687     ret = security_server_set_pwd_history(10);
 688     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 689 }
 690
 691
 692
 693 int dir_filter(const struct dirent *entry)
 694 {
 695     if ((strcmp(entry->d_name, ".") == 0) ||
 696         (strcmp(entry->d_name, "..") == 0) ||
 697         (strcmp(entry->d_name, "attempts") == 0) ||
 698         (strcmp(entry->d_name, "history") == 0))
 699         return (0);
 700     else
 701         return (1);
 702 }
 703
 704 void clean_password_dir(void)
 705 {
 706     int ret;
 707     int i;
 708     struct dirent **mydirent;
 709
 710     ret = scandir("/opt/data/security-server", &mydirent, &dir_filter, alphasort);
 711     i = ret;
 712     while (i--)
 713         free(mydirent[i]);
 714     free(mydirent);
 715 }
 716
 717
 718 /**
 719  * Check password history.
 720  */
 721 RUNNER_TEST(tc30_security_server_check_history)
 722 {
 723     int ret;
 724     int i;
 725     char buf1[33], buf2[33];
 726
 727     // Prepare environment
 728     reset_security_server();
 729
 730     clean_password_dir();
 731
 732     sleep(1);
 733     ret = security_server_set_pwd_history(9);
 734     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 735
 736     sleep(1);
 737     ret = security_server_reset_pwd("history0", 0, 0);
 738     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 739
 740     printf("11 subtests started...");
 741     for (i = 0; i < 11; i++) {
 742         sprintf(buf1, "history%d", i);
 743         sprintf(buf2, "history%d", i + 1);
 744
 745         sleep(1);
 746         ret = security_server_set_pwd(buf1, buf2, 0, 0);
 747         RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 748     }
 749     printf("DONE\n");
 750
 751     sleep(1);
 752     ret = security_server_set_pwd("history11", "history1", 0, 0);
 753     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 754
 755     sleep(1);
 756     ret = security_server_set_pwd("history1", "history8", 0, 0);
 757     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_REUSED, "ret = " << ret);
 758
 759     sleep(1);
 760     ret = security_server_set_pwd("history1", "history12", 0, 0);
 761     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 762
 763     printf("48 subtests started...");
 764     for (i = 12; i < 60; i++) {
 765         sleep(1);
 766
 767         sprintf(buf1, "history%d", i);
 768         sprintf(buf2, "history%d", i + 1);
 769
 770         ret = security_server_set_pwd(buf1, buf2, 0, 0);
 771         RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 772     }
 773     printf("DONE\n");
 774
 775     clean_password_dir();
 776 }
 777
 778 /**
 779  * Replay attack
 780  */
 781 RUNNER_TEST(tc31_security_server_replay_attack)
 782 {
 783     int ret;
 784     int i = 0;
 785     unsigned int attempt, max_attempt, expire_sec;
 786
 787     sleep(1);
 788     ret = security_server_chk_pwd("quickquickquick", &attempt, &max_attempt, &expire_sec);
 789
 790     while (ret == SECURITY_SERVER_API_ERROR_PASSWORD_RETRY_TIMER) {
 791         i += 100000;
 792
 793         ret = security_server_chk_pwd("quickquickquick", &attempt, &max_attempt, &expire_sec);
 794         usleep(i);
 795     }
 796
 797     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH, "ret = " << ret);
 798 }
 799
 800 /**
 801  * Expired password
 802  */
 803 RUNNER_TEST(tc32_security_server_challenge_on_expired_password)
 804 {
 805     int ret;
 806     unsigned int attempt, max_attempt, expire_sec;
 807     struct timeval cur_time;
 808
 809     // Prepare environment
 810     reset_security_server();
 811     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 4, 1);
 812     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 813
 814     // TEST
 815     sleep(1);
 816     ret = security_server_chk_pwd(TEST_PASSWORD, &attempt, &max_attempt, &expire_sec);
 817     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 818
 819     ret = gettimeofday(&cur_time, NULL);
 820     RUNNER_ASSERT_MSG(ret > -1, ret);
 821
 822     cur_time.tv_sec += (expire_sec + 1);
 823     ret = settimeofday(&cur_time, NULL);
 824     RUNNER_ASSERT_MSG(ret > -1, ret);
 825
 826     sleep(1);
 827     ret = security_server_chk_pwd(TEST_PASSWORD, &attempt, &max_attempt, &expire_sec);
 828     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_EXPIRED, "ret = " << ret);
 829
 830     sleep(1);
 831     ret = security_server_chk_pwd(SECOND_TEST_PASSWORD, &attempt, &max_attempt, &expire_sec);
 832     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH, "ret = " << ret);
 833 }
 834
 835 /**
 836  * Reset password
 837  */
 838 RUNNER_TEST(tc33_security_server_reset_by_null_pwd)
 839 {
 840     int ret;
 841
 842     // Prepare environment
 843     reset_security_server();
 844
 845     // TEST
 846     sleep(1);
 847     ret = security_server_reset_pwd(NULL, 10, 10);
 848     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 849 }
 850
 851 /*
 852  * Use this instead of security_server_chk_pwd directly to verify the function output.
 853  * For example:
 854  * verify_chk_pwd(__LINE__, "password", SECURITY_SERVER_API_SUCCESS, 2, 5, 10000, "debug string")
 855  */
 856 void verify_chk_pwd_basic(
 857     const char* challenge,
 858     int expected_result,
 859     unsigned int expected_current_attempt,
 860     unsigned int expected_max_attempt,
 861     unsigned int expected_valid_secs,
 862     const Tracker &tracker = Tracker())
 863 {
 864     /* ensure that initial values differ from expected ones */
 865     unsigned int attempt = expected_current_attempt - 1;
 866     unsigned int max_attempt = expected_max_attempt - 1;
 867     unsigned int expire_sec = expected_valid_secs - 1;
 868
 869     usleep(PASSWORD_RETRY_TIMEOUT_US);
 870     int ret = security_server_chk_pwd(challenge, &attempt, &max_attempt, &expire_sec);
 871
 872     // validate returned value
 873     RUNNER_ASSERT_MSG(ret == expected_result,
 874         tracker.str() <<
 875         "security_server_chk_pwd returned "
 876          << ret << " (expected: " << expected_result << ")");
 877
 878     // validate current attempts value
 879     RUNNER_ASSERT_MSG(attempt == expected_current_attempt,
 880         tracker.str() <<
 881         "security_server_chk_pwd returned attempt = " << attempt <<
 882         " (expected: " << expected_current_attempt << ")");
 883
 884     // validate max attempt value
 885     RUNNER_ASSERT_MSG(max_attempt == expected_max_attempt,
 886         tracker.str() <<
 887         "security_server_chk_pwd returned max_attempt = " << max_attempt <<
 888         " (expected: " << expected_max_attempt << ")");
 889
 890     // validate expire seconds
 891     if (expected_valid_secs == PASSWORD_INFINITE_EXPIRATION_TIME) {
 892         RUNNER_ASSERT_MSG(expire_sec == expected_valid_secs,
 893             tracker.str() <<
 894             "security_server_chk_pwd returned expire_sec = " << expire_sec <<
 895             " (expected: " << expected_valid_secs << ")");
 896     } else {
 897         // because of sleeps in test code we need to check period of time.
 898         unsigned int begin = expected_valid_secs > 5 ? expected_valid_secs - 5 : 0;
 899         unsigned int end   = expected_valid_secs + 5;
 900
 901         RUNNER_ASSERT_MSG(expire_sec >= begin && expire_sec <= end,
 902             tracker.str() <<
 903             "security_server_chk_pwd returned expire_sec = " << expire_sec <<
 904             " (expected: <" << begin << "," << end << ")");
 905     }
 906 }
 907
 908 /* This function is required because we cannot use default value in expected_valid_secs in
 909  * verify_chk_pwd_basic and define Tracker at the same time. */
 910 void verify_chk_pwd(
 911     const char *challenge,
 912     int expected_result,
 913     unsigned int expected_current_attempt,
 914     unsigned int expected_max_attempt,
 915     const Tracker &tracker = Tracker())
 916 {
 917     verify_chk_pwd_basic(
 918         challenge,
 919         expected_result,
 920         expected_current_attempt,
 921         expected_max_attempt,
 922         PASSWORD_INFINITE_EXPIRATION_TIME,
 923         tracker);
 924 }
 925
 926
 927 /**
 928  * Reach last attempt few times in a row (before exceeding max_attempt).
 929  */
 930 RUNNER_TEST(tc34_security_server_max_attempts)
 931 {
 932     // Prepare environment
 933     reset_security_server();
 934
 935     int ret = security_server_set_pwd(NULL, TEST_PASSWORD, 0, 0);
 936     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 937
 938     // change max attempts number few times
 939     std::vector<unsigned int> max_challenge_tab = {1, 4, 2};
 940
 941     for (size_t pass = 0; pass < max_challenge_tab.size(); ++pass) {
 942         unsigned int max_challenges = max_challenge_tab[pass];
 943
 944         usleep(PASSWORD_RETRY_TIMEOUT_US);
 945         ret = security_server_set_pwd_max_challenge(max_challenges);
 946         RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 947
 948         // max_challenges-1 wrong password attempts
 949         for (unsigned int attempt_nr = 1; attempt_nr < max_challenges; ++attempt_nr)
 950             verify_chk_pwd(SECOND_TEST_PASSWORD,
 951                            SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH,
 952                            attempt_nr,
 953                            max_challenges,
 954                            TRACE_FROM_HERE_MSG(
 955                                std::string("pass = " + std::to_string(pass) +
 956                                ", attempt = " + std::to_string(attempt_nr))));
 957
 958         // Check correct password finally
 959         verify_chk_pwd(TEST_PASSWORD, SECURITY_SERVER_API_SUCCESS,
 960                        max_challenges, max_challenges, TRACE_FROM_HERE);
 961     }
 962 }
 963
 964 /**
 965  * Decrease 'max challenge' number after several missed attempts.
 966  */
 967 RUNNER_TEST(tc35_security_server_decrease_max_attempts)
 968 {
 969     const unsigned int max_challenge_more = 10;
 970     const unsigned int max_challenge_less = 5;
 971
 972     // Prepare environment
 973     reset_security_server();
 974
 975     int ret = security_server_set_pwd(NULL, TEST_PASSWORD, max_challenge_more, 0);
 976     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 977
 978     // missed attempts
 979     for (unsigned int attempt = 1; attempt <= max_challenge_more; ++attempt)
 980         verify_chk_pwd(SECOND_TEST_PASSWORD,
 981                        SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH,
 982                        attempt,
 983                        max_challenge_more,
 984                        TRACE_FROM_HERE_MSG(
 985                            std::string("attempt = " + std::to_string(attempt))));
 986
 987     // lower max_challenge
 988     usleep(PASSWORD_RETRY_TIMEOUT_US);
 989     ret = security_server_set_pwd_max_challenge(max_challenge_less);
 990     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 991
 992     // try valid password - should pass (curr attempts is reset)
 993     verify_chk_pwd(TEST_PASSWORD, SECURITY_SERVER_API_SUCCESS, 1, max_challenge_less,
 994         TRACE_FROM_HERE);
 995
 996     // remove max attempts limit
 997     usleep(PASSWORD_RETRY_TIMEOUT_US);
 998     ret = security_server_set_pwd_max_challenge(0);
 999     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1000
1001     // try valid password again - should pass
1002     verify_chk_pwd(TEST_PASSWORD, SECURITY_SERVER_API_SUCCESS, 1, 0, TRACE_FROM_HERE);
1003
1004     // try to change the password - should pass
1005     usleep(PASSWORD_RETRY_TIMEOUT_US);
1006     ret = security_server_set_pwd(TEST_PASSWORD, SECOND_TEST_PASSWORD, 0, 0);
1007     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1008
1009     // validate new password
1010     verify_chk_pwd(SECOND_TEST_PASSWORD, SECURITY_SERVER_API_SUCCESS, 1, 0, TRACE_FROM_HERE);
1011 }
1012
1013 /**
1014  * Change password few times and challenge previous passwords - checks if security_server_set_pwd
1015  * works as it should.
1016  */
1017 RUNNER_TEST(tc36_security_server_challenge_previous_passwords)
1018 {
1019     const int history_depth = 5;
1020     const unsigned int max_challenge = 3;
1021     std::string prev_pass, new_pass = TEST_PASSWORD;
1022
1023     // Prepare environment
1024     reset_security_server();
1025
1026     int ret = security_server_set_pwd_history(history_depth);
1027     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1028
1029     usleep(PASSWORD_RETRY_TIMEOUT_US);
1030     ret = security_server_reset_pwd(TEST_PASSWORD, max_challenge, 0);
1031     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1032
1033     for (int depth = 0; depth < history_depth; ++depth) {
1034         prev_pass = new_pass;
1035
1036         //generate password name
1037         new_pass = "history" + std::to_string(depth+1);
1038
1039         usleep(PASSWORD_RETRY_TIMEOUT_US);
1040         ret = security_server_set_pwd(prev_pass.c_str(), new_pass.c_str(), max_challenge, 0);
1041         RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1042
1043         // challenge initial password
1044         verify_chk_pwd(
1045             TEST_PASSWORD,
1046             SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH,
1047             1,
1048             max_challenge,
1049             TRACE_FROM_HERE_MSG(
1050                 std::string("depth = " + std::to_string(depth))));
1051
1052         // challenge previous password
1053         verify_chk_pwd(
1054             prev_pass.c_str(),
1055             SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH,
1056             2,
1057             max_challenge,
1058             TRACE_FROM_HERE_MSG(
1059                 std::string("depth = " + std::to_string(depth)).c_str()));
1060     }
1061 }
1062
1063 /**
1064  * Challenge correct and incorrect passwords, check security_server_chk_pwd output.
1065  * This test simulates user's behaviour - challenges valid and invalid passwords
1066  * in various combinations.
1067  */
1068 RUNNER_TEST(tc37_security_server_challenge_mixed)
1069 {
1070     // Prepare environment
1071     reset_security_server();
1072
1073     const unsigned int max_challenge = 2;
1074     int ret = security_server_set_pwd(NULL, TEST_PASSWORD, max_challenge, 0);
1075     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1076
1077     // 2x correct pwd - verify that 'cuurrent attempt' isn't increased
1078     for (unsigned int i = 0; i < max_challenge; ++i)
1079         verify_chk_pwd(
1080             TEST_PASSWORD,
1081             SECURITY_SERVER_API_SUCCESS,
1082             1,
1083             max_challenge,
1084             TRACE_FROM_HERE_MSG(
1085                 std::string("i = " + std::to_string(i))));
1086
1087     // Ensure that challenging valid password resets 'cuurrent attempt' value.
1088     // If it didn't, the test would fail in third loop pass.
1089     for (unsigned int i = 0; i < max_challenge + 1; ++i) {
1090         // incorrect pwd
1091         verify_chk_pwd(
1092             SECOND_TEST_PASSWORD,
1093             SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH,
1094             1,
1095             max_challenge,
1096             TRACE_FROM_HERE_MSG(
1097                 std::string("i = " + std::to_string(i))));
1098
1099         // correct pwd
1100         verify_chk_pwd(
1101             TEST_PASSWORD,
1102             SECURITY_SERVER_API_SUCCESS,
1103             2,
1104             max_challenge,
1105             TRACE_FROM_HERE_MSG(
1106                 std::string("i = " + std::to_string(i))));
1107     }
1108
1109     // incorrect pwd 2x - 'cuurrent attempt' reaches max_challenge -
1110     // any further attempts (even correct) are blocked
1111     for (unsigned int i = 1; i <= max_challenge; ++i)
1112         verify_chk_pwd(
1113             SECOND_TEST_PASSWORD,
1114             SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH,
1115             i,
1116             max_challenge,
1117             TRACE_FROM_HERE_MSG(
1118                 std::string("i = " + std::to_string(i))));
1119
1120     // correct - refused
1121     for (unsigned int i = 1; i <= max_challenge; ++i)
1122         verify_chk_pwd(
1123             TEST_PASSWORD,
1124             SECURITY_SERVER_API_ERROR_PASSWORD_MAX_ATTEMPTS_EXCEEDED,
1125             max_challenge + i,
1126             max_challenge,
1127             TRACE_FROM_HERE_MSG(
1128                 std::string("i = " + std::to_string(i))));
1129 }
1130
1131 /*
1132  * Pasword change mixed with history depth change.
1133  */
1134 RUNNER_TEST(tc38_security_server_history_depth_change)
1135 {
1136     int ret;
1137     const int initial_history_depth = 2;
1138     const int decreased_history_depth = 1;
1139     const int increased_history_depth = 3;
1140
1141     // Prepare environment
1142     reset_security_server();
1143
1144     ret = security_server_set_pwd_history(initial_history_depth);
1145     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1146
1147     usleep(PASSWORD_RETRY_TIMEOUT_US);
1148     ret = security_server_reset_pwd(TEST_PASSWORD, 0, 0);
1149     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1150
1151     usleep(PASSWORD_RETRY_TIMEOUT_US);
1152     ret = security_server_set_pwd(TEST_PASSWORD, SECOND_TEST_PASSWORD, 0, 0);
1153     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1154
1155     usleep(PASSWORD_RETRY_TIMEOUT_US);
1156     ret = security_server_set_pwd(SECOND_TEST_PASSWORD, THIRD_TEST_PASSWORD, 0, 0);
1157     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1158
1159     // TEST_PASSWORD, 2nd and 3rd remembered => 1st should be refused
1160     usleep(PASSWORD_RETRY_TIMEOUT_US);
1161     ret = security_server_set_pwd(THIRD_TEST_PASSWORD, TEST_PASSWORD, 0, 0);
1162     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_REUSED, "ret = " << ret);
1163
1164     /*
1165      * Lower history depth. At this point SS should treat THIRD_TEST_PASSWORD as current pwd,
1166      * and SECOND_TEST_PASSWORD as a part of history.
1167      */
1168     usleep(PASSWORD_RETRY_TIMEOUT_US);
1169     ret = security_server_set_pwd_history(decreased_history_depth);
1170     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1171
1172     usleep(PASSWORD_RETRY_TIMEOUT_US);
1173     ret = security_server_set_pwd(THIRD_TEST_PASSWORD, TEST_PASSWORD, 0, 0);
1174     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1175
1176     usleep(PASSWORD_RETRY_TIMEOUT_US);
1177     ret = security_server_set_pwd(TEST_PASSWORD, THIRD_TEST_PASSWORD, 0, 0);
1178     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_REUSED, "ret = " << ret);
1179
1180     /*
1181      * Increase history depth to 3. At this point SS should remember TEST_PASSWORD
1182      * and THIRD_TEST_PASSWORD only.
1183      */
1184     usleep(PASSWORD_RETRY_TIMEOUT_US);
1185     ret = security_server_set_pwd_history(increased_history_depth);
1186     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1187
1188     // 3rd and TEST_PASSWORD remembered => 2nd should be accepted
1189     usleep(PASSWORD_RETRY_TIMEOUT_US);
1190     ret = security_server_set_pwd(TEST_PASSWORD, SECOND_TEST_PASSWORD, 0, 0);
1191     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1192
1193     // TEST_PASSWORD, 2nd and 3rd remembered => 3rd should be refused
1194     usleep(PASSWORD_RETRY_TIMEOUT_US);
1195     ret = security_server_set_pwd(SECOND_TEST_PASSWORD, THIRD_TEST_PASSWORD, 0, 0);
1196     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_REUSED, "ret = " << ret);
1197 }
1198
1199 /**
1200  * Challenge invalid password, reset server and check if 'current attempts' is restored.
1201  */
1202 RUNNER_TEST(tc39_security_server_attempts_num_check_after_reset)
1203 {
1204     unsigned int attempt, max_attempt, expire_sec;
1205     const unsigned int max_challenge = 10;
1206     const unsigned int invalid_attempts_num = 3;
1207
1208     // Prepare environment
1209     reset_security_server();
1210
1211     int ret = security_server_set_pwd(NULL, TEST_PASSWORD, max_challenge, 0);
1212     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1213
1214     // missed attempts
1215     for (unsigned int attempt = 1; attempt <= invalid_attempts_num; ++attempt)
1216         verify_chk_pwd(
1217             SECOND_TEST_PASSWORD,
1218             SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH,
1219             attempt,
1220             max_challenge,
1221             TRACE_FROM_HERE_MSG(
1222                 std::string("attempt = " + std::to_string(attempt))));
1223
1224     usleep(PASSWORD_RETRY_TIMEOUT_US);
1225     attempt = max_attempt = expire_sec = UINT_MAX;
1226     ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec);
1227     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_EXIST, "ret = " << ret);
1228     RUNNER_ASSERT_MSG(max_attempt == max_challenge, "max_attempt = " << max_attempt);
1229     RUNNER_ASSERT_MSG(attempt == invalid_attempts_num, "attempt = " << attempt);
1230     RUNNER_ASSERT_MSG(expire_sec == PASSWORD_INFINITE_EXPIRATION_TIME, "expire_sec = " <<
1231                       expire_sec);
1232
1233     // restart server - triggers loading password data from file
1234     restart_security_server();
1235
1236     // challenge invalid password
1237     verify_chk_pwd(
1238         SECOND_TEST_PASSWORD,
1239         SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH,
1240         invalid_attempts_num + 1,
1241         max_challenge,
1242         TRACE_FROM_HERE);
1243
1244     // challenge valid password
1245     verify_chk_pwd(
1246         TEST_PASSWORD,
1247         SECURITY_SERVER_API_SUCCESS,
1248         invalid_attempts_num + 2,
1249         max_challenge,
1250         TRACE_FROM_HERE);
1251 }
1252
1253 /**
1254  * Validate passwords history after security server reset.
1255  */
1256 RUNNER_TEST(tc40_security_server_history_check_after_reset)
1257 {
1258     const unsigned int history_depth = 2;
1259
1260     // Prepare environment
1261     reset_security_server();
1262
1263     int ret = security_server_set_pwd_history(history_depth);
1264     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1265
1266     usleep(PASSWORD_RETRY_TIMEOUT_US);
1267     ret = security_server_reset_pwd(TEST_PASSWORD, 0, 0);
1268     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1269
1270     usleep(PASSWORD_RETRY_TIMEOUT_US);
1271     ret = security_server_set_pwd(TEST_PASSWORD, SECOND_TEST_PASSWORD, 0, 0);
1272     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1273
1274     usleep(PASSWORD_RETRY_TIMEOUT_US);
1275     ret = security_server_set_pwd(SECOND_TEST_PASSWORD, THIRD_TEST_PASSWORD, 0, 0);
1276     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1277
1278     usleep(PASSWORD_RETRY_TIMEOUT_US);
1279     ret = security_server_set_pwd(THIRD_TEST_PASSWORD, FOURTH_TEST_PASSWORD, 0, 0);
1280     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1281
1282     // restart server - triggers loading password data from file
1283     restart_security_server();
1284
1285     // try to reuse history passwords
1286     usleep(PASSWORD_RETRY_TIMEOUT_US);
1287     ret = security_server_set_pwd(FOURTH_TEST_PASSWORD, THIRD_TEST_PASSWORD, 0, 0);
1288     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_REUSED, "ret = " << ret);
1289
1290     usleep(PASSWORD_RETRY_TIMEOUT_US);
1291     ret = security_server_set_pwd(FOURTH_TEST_PASSWORD, SECOND_TEST_PASSWORD, 0, 0);
1292     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_REUSED, "ret = " << ret);
1293
1294     usleep(PASSWORD_RETRY_TIMEOUT_US);
1295     ret = security_server_set_pwd(FOURTH_TEST_PASSWORD, TEST_PASSWORD, 0, 0);
1296     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1297 }
1298
1299 /**
1300  * Check if SS has correct behaviour when changing history depth to 0.
1301  */
1302 RUNNER_TEST(tc41_security_server_empty_history_check)
1303 {
1304     const unsigned int history_depth = 2;
1305     const unsigned int empty_history_depth = 0;
1306
1307     //prepare environment
1308     reset_security_server();
1309
1310     //set new history count
1311     int ret = security_server_set_pwd_history(history_depth);
1312     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1313
1314     //set new password and fill history
1315     usleep(PASSWORD_RETRY_TIMEOUT_US);
1316     ret = security_server_reset_pwd(TEST_PASSWORD, 0, 0);
1317     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1318
1319     usleep(PASSWORD_RETRY_TIMEOUT_US);
1320     ret = security_server_set_pwd(TEST_PASSWORD, SECOND_TEST_PASSWORD, 0, 0);
1321     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1322
1323     usleep(PASSWORD_RETRY_TIMEOUT_US);
1324     ret = security_server_set_pwd(SECOND_TEST_PASSWORD, THIRD_TEST_PASSWORD, 0, 0);
1325     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1326
1327     //make sure, that everything went OK - try setting something that would cause reuse error
1328     usleep(PASSWORD_RETRY_TIMEOUT_US);
1329     ret = security_server_set_pwd(THIRD_TEST_PASSWORD, TEST_PASSWORD, 0, 0);
1330     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_REUSED, "ret = " << ret);
1331
1332     usleep(PASSWORD_RETRY_TIMEOUT_US);
1333     ret = security_server_set_pwd(THIRD_TEST_PASSWORD, SECOND_TEST_PASSWORD, 0, 0);
1334     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_REUSED, "ret = " << ret);
1335
1336     //reset history limit to no history at all
1337     usleep(PASSWORD_RETRY_TIMEOUT_US);
1338     ret = security_server_set_pwd_history(empty_history_depth);
1339     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1340
1341     //make sure, that current password still exists in memory
1342     //expected attempt 3 because our previous tries increased attempt counter
1343     verify_chk_pwd(
1344         THIRD_TEST_PASSWORD,
1345         SECURITY_SERVER_API_SUCCESS,
1346         3,
1347         0,
1348         TRACE_FROM_HERE);
1349
1350     //make sure that it's possible to reuse old password once history limit is set to 0
1351     usleep(PASSWORD_RETRY_TIMEOUT_US);
1352     ret = security_server_set_pwd(THIRD_TEST_PASSWORD, THIRD_TEST_PASSWORD, 0, 0);
1353     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1354
1355     //once again try setting earlier used passwords - now API should return success
1356     usleep(PASSWORD_RETRY_TIMEOUT_US);
1357     ret = security_server_set_pwd(THIRD_TEST_PASSWORD, TEST_PASSWORD, 0, 0);
1358     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1359
1360     usleep(PASSWORD_RETRY_TIMEOUT_US);
1361     ret = security_server_set_pwd(TEST_PASSWORD, SECOND_TEST_PASSWORD, 0, 0);
1362     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1363 }
1364
1365 RUNNER_TEST(tc42_security_server_set_new_pwd_with_current_empty)
1366 {
1367     //prepare environment
1368     reset_security_server();
1369
1370     //set a password
1371     int ret = security_server_set_pwd(NULL, TEST_PASSWORD, 0, 0);
1372     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1373
1374     //try setting different password and giving NULL as current once again
1375     usleep(PASSWORD_RETRY_TIMEOUT_US);
1376     ret = security_server_set_pwd(NULL, SECOND_TEST_PASSWORD, 0, 0);
1377     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_EXIST, "ret = " << ret);
1378 }
1379
1380 RUNNER_TEST(tc43_security_server_no_retry_timeout_is_pwd_valid)
1381 {
1382     //prepare environment
1383     reset_security_server();
1384
1385     //set a password
1386     int ret = security_server_set_pwd(NULL, TEST_PASSWORD, 0, 0);
1387     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1388
1389     //do test
1390     unsigned int attempt, max_attempt, expire_sec;
1391     ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec);
1392     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_EXIST, "ret = " << ret);
1393     ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec);
1394     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_EXIST, "ret = " << ret);
1395 }
1396
1397 RUNNER_TEST(tc44_security_server_retry_timeout_chk_pwd)
1398 {
1399     //prepare environment
1400     reset_security_server();
1401
1402     //set a password
1403     int ret = security_server_set_pwd(NULL, TEST_PASSWORD, 0, 0);
1404     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1405
1406     //do test
1407     unsigned int attempt, max_attempt, expire_sec;
1408     ret = security_server_chk_pwd(TEST_PASSWORD, &attempt, &max_attempt, &expire_sec);
1409     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_RETRY_TIMER, "ret = " << ret);
1410     ret = security_server_chk_pwd(TEST_PASSWORD, &attempt, &max_attempt, &expire_sec);
1411     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_RETRY_TIMER, "ret = " << ret);
1412 }
1413
1414 RUNNER_TEST(tc45_security_server_retry_timeout_set_pwd)
1415 {
1416     //prepare environment
1417     reset_security_server();
1418
1419     //set a password
1420     int ret = security_server_set_pwd(NULL, TEST_PASSWORD, 0, 0);
1421     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1422
1423     //do test
1424     ret = security_server_set_pwd(TEST_PASSWORD, TEST_PASSWORD, 0, 0);
1425     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_RETRY_TIMER, "ret = " << ret);
1426     ret = security_server_set_pwd(TEST_PASSWORD, TEST_PASSWORD, 0, 0);
1427     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_RETRY_TIMER, "ret = " << ret);
1428 }
1429
1430 RUNNER_TEST(tc46_security_server_no_retry_timeout_set_pwd_validity)
1431 {
1432     //prepare environment
1433     reset_security_server();
1434
1435     //set a password
1436     int ret = security_server_set_pwd(NULL, TEST_PASSWORD, 0, 0);
1437     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1438
1439     //do test
1440     ret = security_server_set_pwd_validity(11);
1441     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1442     ret = security_server_set_pwd_validity(11);
1443     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1444 }
1445
1446 RUNNER_TEST(tc47_security_server_no_retry_timeout_reset_pwd)
1447 {
1448     //prepare environment
1449     reset_security_server();
1450
1451     //set a password
1452     int ret = security_server_set_pwd(NULL, TEST_PASSWORD, 0, 0);
1453     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1454
1455     //do test
1456     ret = security_server_reset_pwd(TEST_PASSWORD, 0, 0);
1457     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1458     ret = security_server_reset_pwd(TEST_PASSWORD, 0, 0);
1459     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1460 }
1461
1462 RUNNER_TEST(tc48_security_server_no_retry_timeout_pwd_history)
1463 {
1464     //prepare environment
1465     reset_security_server();
1466
1467     //set a password
1468     int ret = security_server_set_pwd(NULL, TEST_PASSWORD, 0, 0);
1469     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1470
1471     //do test
1472     ret = security_server_set_pwd_history(5);
1473     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1474     ret = security_server_set_pwd_history(5);
1475     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1476 }
1477
1478 RUNNER_TEST(tc49_security_server_no_retry_timeout_set_pwd_max_challenge)
1479 {
1480     //prepare environment
1481     reset_security_server();
1482
1483     //set a password
1484     int ret = security_server_set_pwd(NULL, TEST_PASSWORD, 0, 0);
1485     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1486
1487     //do test
1488     ret = security_server_set_pwd_max_challenge(5);
1489     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1490     ret = security_server_set_pwd_max_challenge(5);
1491     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1492 }
1493
1494 int main(int argc, char *argv[])
1495 {
1496     int status = DPL::Test::TestRunnerSingleton::Instance().ExecTestRunner(argc, argv);
1497
1498     return status;
1499 }