tests/security-server-tests/security_server_tests_password.cpp

   1 /*
   2  * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved
   3  */
   4 /*
   5  * @file    security_server_tests_password.cpp
   6  * @author  Bumjin Im (bj.im@samsung.com)
   7  * @author  Pawel Polawski (p.polawski@partner.samsung.com)
   8  * @author  Radoslaw Bartosiak (r.bartosiak@samsung.com)
   9  * @author  Jan Olszak (j.olszak@samsung.com)
  10  * @version 2.0
  11  * @brief   Test cases for security server
  12  *
  13  * WARNING: In this file test order is very important. They have to always be run
  14  * in correct order. This is done by correct test case names ("tcXX_").
  15  */
  16
  17 #include <stdio.h>
  18 #include <errno.h>
  19 #include <stdlib.h>
  20 #include <string.h>
  21 #include <limits.h>
  22 #include <sys/types.h>
  23 #include <sys/param.h>
  24 #include <fcntl.h>
  25 #include <sys/un.h>
  26 #include <unistd.h>
  27 #include <sys/socket.h>
  28 #include <sys/time.h>
  29 #include <dirent.h>
  30 #include "security-server.h"
  31 #include <dpl/test/test_runner.h>
  32 #include <dlog.h>
  33 #include "security_server_clean_env.h"
  34 #include <tracker.h>
  35 #include <summary_collector.h>
  36
  37
  38 // security server retry timeout in microseconds
  39 const unsigned int PASSWORD_RETRY_TIMEOUT_US = 500000;
  40
  41 // the maximum time (in seconds) passwords can expire in
  42 const unsigned int PASSWORD_INFINITE_EXPIRATION_TIME = 0xFFFFFFFF;
  43
  44 // test passwords
  45 const char* TEST_PASSWORD =         "IDLEPASS";
  46 const char* SECOND_TEST_PASSWORD =  "OTHERIDLEPASS";
  47 const char* THIRD_TEST_PASSWORD =   "THIRDPASS";
  48 const char* FOURTH_TEST_PASSWORD =  "FOURTHPASS";
  49
  50 RUNNER_TEST_GROUP_INIT(SECURITY_SERVER_TESTS_PASSWORD);
  51
  52 /**
  53  * Confirm there is no password before tests are run.
  54  */
  55 RUNNER_TEST(tc01_clear_environment)
  56 {
  57     int ret;
  58     unsigned int attempt, max_attempt, expire_sec;
  59
  60     if (getuid() == 0)
  61     {
  62         reset_security_server(TRACE_FROM_HERE);
  63
  64         ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec);
  65
  66         RUNNER_ASSERT_MSG(expire_sec == 0, "expire_sec = " << expire_sec);
  67         RUNNER_ASSERT_MSG(max_attempt == 0, "max_attempt = " << max_attempt);
  68         RUNNER_ASSERT_MSG(attempt == 0, "attempt = " << attempt);
  69         RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD, "ret = " << ret);
  70     }
  71     else
  72     {
  73         SLOGD("To run the test as non root user, please remove password files (/opt/data/security-server/*) in root shell\n");
  74         SLOGD("If not, you will see some failures\n");
  75
  76         RUNNER_IGNORED_MSG("I'm not root");
  77     }
  78 }
  79
  80 /**
  81  * Basic test of setting validity period.
  82  */
  83 RUNNER_TEST(tc02_security_server_set_pwd_validity)
  84 {
  85     int ret;
  86
  87     // Prepare environment
  88     reset_security_server(TRACE_FROM_HERE);
  89
  90     // TESTS:
  91     // WITHOUT password
  92     ret = security_server_set_pwd_validity(10);
  93     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD, "ret = " << ret);
  94
  95     ret = security_server_set_pwd_validity(11);
  96     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD, "ret = " << ret);
  97
  98     // WITH password
  99     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 10, 10);
 100     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 101
 102     ret = security_server_set_pwd_validity(10);
 103     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 104
 105     ret = security_server_set_pwd_validity(11);
 106     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 107 }
 108
 109 /**
 110  * Basic test of setting maximum number of password challenges.
 111  */
 112 RUNNER_TEST(tc03_security_server_set_pwd_max_challenge)
 113 {
 114     int ret;
 115
 116     // Prepare environment
 117     reset_security_server(TRACE_FROM_HERE);
 118
 119     // TESTS:
 120     // WITHOUT password
 121     ret = security_server_set_pwd_max_challenge(5);
 122     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD, "ret = " << ret);
 123
 124     ret = security_server_set_pwd_max_challenge(6);
 125     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD, "ret = " << ret);
 126
 127     // WITH password
 128     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 10, 10);
 129     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 130
 131     ret = security_server_set_pwd_max_challenge(5);
 132     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 133
 134     ret = security_server_set_pwd_max_challenge(6);
 135     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 136 }
 137
 138 /**
 139  * Test checking a too long password.
 140  */
 141 RUNNER_TEST(tc04_security_server_chk_pwd_too_long_password_case)
 142 {
 143     int ret;
 144     unsigned int attempt, max_attempt, expire_sec;
 145
 146     // 33 char password
 147     ret = security_server_chk_pwd("abcdefghijklmnopqrstuvwxyz0123456", &attempt, &max_attempt, &expire_sec);
 148     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 149 }
 150
 151 /**
 152  * Test various parameter values when checking a password.
 153  */
 154 RUNNER_TEST(tc05_security_server_chk_pwd_null_input_case)
 155 {
 156     int ret;
 157     unsigned int attempt, max_attempt, expire_sec;
 158
 159     ret = security_server_chk_pwd(NULL, &attempt, &max_attempt, &expire_sec);
 160     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 161
 162     ret = security_server_chk_pwd("password", NULL, &max_attempt, &expire_sec);
 163     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 164
 165     ret = security_server_chk_pwd("password", &attempt, NULL, &expire_sec);
 166     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 167
 168     ret = security_server_chk_pwd("password", &attempt, &max_attempt, NULL);
 169     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 170 }
 171
 172 /**
 173  * Check the given password when no password is set.
 174  */
 175 RUNNER_TEST(tc06_security_server_chk_pwd_no_password_case)
 176 {
 177     int ret;
 178     unsigned int attempt, max_attempt, expire_sec;
 179
 180     // Prepare environment - there is no password now!
 181     reset_security_server(TRACE_FROM_HERE);
 182
 183     // TEST
 184     ret = security_server_chk_pwd("isthisempty", &attempt, &max_attempt, &expire_sec);
 185
 186     RUNNER_ASSERT_MSG(expire_sec == 0, expire_sec);
 187     RUNNER_ASSERT_MSG(max_attempt == 0, max_attempt);
 188     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD, "ret = " << ret);
 189 }
 190
 191 /**
 192  * Checks various parameter values.
 193  */
 194 RUNNER_TEST(tc07_security_server_set_pwd_null_input_case)
 195 {
 196     int ret;
 197
 198     // Prepare environment
 199     reset_security_server(TRACE_FROM_HERE);
 200
 201     // TEST
 202     ret = security_server_set_pwd(NULL, NULL, 0, 0);
 203     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 204 }
 205
 206 /**
 207  * Test setting too long password.
 208  */
 209 RUNNER_TEST(tc08_security_server_set_pwd_too_long_input_param)
 210 {
 211     int ret;
 212
 213     // Prepare environment
 214     reset_security_server(TRACE_FROM_HERE);
 215
 216     // TEST
 217     // 33 char password
 218     ret = security_server_set_pwd("abcdefghijklmnopqrstuvwxyz0123456", "abcdefghijklmnopqrstuvwxyz0123456", 0, 0);
 219     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 220 }
 221
 222 /**
 223  * Basic password setting.
 224  */
 225 RUNNER_TEST(tc09_security_server_set_pwd_current_pwd_empty)
 226 {
 227     int ret;
 228
 229     // Prepare environment
 230     reset_security_server(TRACE_FROM_HERE);
 231
 232     // TEST
 233     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 0, 0);
 234     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 235 }
 236
 237 /**
 238  * Set a maximum password period.
 239  */
 240 RUNNER_TEST(tc10_security_server_set_pwd_current_pwd_max_valid_period_in_days)
 241 {
 242     int ret;
 243     // Prepare environment
 244     reset_security_server(TRACE_FROM_HERE);
 245     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 10, 10);
 246     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 247
 248     // TEST
 249     sleep(1);
 250     // UINT_MAX will cause api error, it is to big value
 251     ret = security_server_set_pwd(TEST_PASSWORD, SECOND_TEST_PASSWORD, 0, UINT_MAX);
 252     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 253     sleep(1);
 254     // calculate max applicable valid days that will not be rejected by ss
 255     // ensure, that after conversion from days to seconds in ss there will be no uint overflow
 256     unsigned int valid_days = ((UINT_MAX - time(NULL)) / 86400) - 1;
 257     ret = security_server_set_pwd(TEST_PASSWORD, SECOND_TEST_PASSWORD, 0, valid_days);
 258     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 259 }
 260
 261 /**
 262  * Set a maximum password challenge number.
 263  */
 264 RUNNER_TEST(tc11_security_server_set_pwd_current_pwd_max_max_challenge)
 265 {
 266     int ret;
 267     // Prepare environment
 268     reset_security_server(TRACE_FROM_HERE);
 269     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 10, 10);
 270     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 271
 272     // TEST
 273     sleep(1);
 274     ret = security_server_set_pwd(TEST_PASSWORD, SECOND_TEST_PASSWORD, UINT_MAX, 0);
 275     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 276 }
 277
 278 /**
 279  * Set empty password.
 280  */
 281 RUNNER_TEST(tc12_security_server_set_pwd_current_pwd_nonempty2zero)
 282 {
 283     int ret;
 284     // Prepare environment
 285     reset_security_server(TRACE_FROM_HERE);
 286     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 10, 10);
 287     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 288
 289     // TEST
 290     sleep(1);
 291     ret = security_server_set_pwd(TEST_PASSWORD, "", 0, 0);
 292     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 293 }
 294
 295 /**
 296  * Change password to a too long password.
 297  */
 298 RUNNER_TEST(tc14_security_server_set_pwd_current_pwd_too_long_input_param)
 299 {
 300     int ret;
 301     // Prepare environment
 302     reset_security_server(TRACE_FROM_HERE);
 303     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 10, 10);
 304     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 305
 306     // TEST
 307     sleep(1);
 308     char* long_password = (char*) malloc(5001);
 309     long_password[5000] = '\0';
 310     memset(long_password, 'A', 5000);
 311     ret = security_server_set_pwd(TEST_PASSWORD,long_password, 10, 10);
 312     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 313 }
 314
 315 /**
 316  * Check empty password.
 317  */
 318 RUNNER_TEST(tc15_security_server_chk_pwd_shortest_password)
 319 {
 320     int ret;
 321     unsigned int attempt, max_attempt, expire_sec;
 322
 323     // Prepare environment
 324     reset_security_server(TRACE_FROM_HERE);
 325     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 10, 10);
 326     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 327
 328     // TEST
 329     sleep(1);
 330     ret = security_server_chk_pwd("", &attempt, &max_attempt, &expire_sec);
 331     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 332 }
 333
 334 /**
 335  * Various validity parameter values.
 336  */
 337 RUNNER_TEST(tc16_security_server_set_pwd_validity)
 338 {
 339     int ret;
 340     // Prepare environment
 341     reset_security_server(TRACE_FROM_HERE);
 342     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 10, 10);
 343     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 344
 345     // TEST
 346     ret = security_server_set_pwd_validity(0);
 347     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 348
 349     ret = security_server_set_pwd_validity(1);
 350     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 351
 352     //When trying to set UINT_MAX we should get error.
 353     ret = security_server_set_pwd_validity(UINT_MAX);
 354     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 355
 356     ret = security_server_set_pwd_validity(2);
 357     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 358 }
 359
 360 /**
 361  * Check passwords validity
 362  */
 363 RUNNER_TEST(tc17_security_server_is_pwd_valid)
 364 {
 365     int ret;
 366     unsigned int attempt, max_attempt, expire_sec;
 367
 368     // Prepare environment
 369     reset_security_server(TRACE_FROM_HERE);
 370     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 10, 2);
 371     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 372
 373     // TEST:
 374     sleep(1);
 375     ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec);
 376     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_EXIST,  "ret = " << ret);
 377     RUNNER_ASSERT_MSG((expire_sec > 172795) && (expire_sec < 172805),  "expire_sec = " << expire_sec);
 378 }
 379
 380 /**
 381  * Various numbers of challenges.
 382  */
 383 RUNNER_TEST(tc18_security_server_set_pwd_max_challenge)
 384 {
 385     int ret;
 386     // Prepare environment
 387     reset_security_server(TRACE_FROM_HERE);
 388     // calculate max applicable valid days that will not be rejected by ss
 389     // ensure, that after conversion from days to seconds in ss there will be no uint overflow
 390     unsigned int valid_days = ((UINT_MAX - time(NULL)) / 86400) - 1;
 391     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 10, valid_days);
 392     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 393
 394     // TESTS
 395     sleep(1);
 396     ret = security_server_set_pwd_max_challenge(0);
 397     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 398
 399     sleep(1);
 400     ret = security_server_set_pwd_max_challenge(UINT_MAX);
 401     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 402
 403     sleep(1);
 404     ret = security_server_set_pwd_max_challenge(5);
 405     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 406
 407     sleep(1);
 408     ret = security_server_set_pwd_max_challenge(6);
 409     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 410 }
 411
 412
 413 /**
 414  * Check the max number of challenges.
 415  */
 416 RUNNER_TEST(tc19_security_server_is_pwd_valid)
 417 {
 418     int ret;
 419     unsigned int attempt, max_attempt, expire_sec;
 420     // Prepare environment
 421     reset_security_server(TRACE_FROM_HERE);
 422     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 10, 10);
 423     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 424     sleep(1);
 425     ret = security_server_set_pwd_max_challenge(6);
 426     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 427
 428     // TEST
 429     ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec);
 430     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_EXIST, "ret = " << ret);
 431     RUNNER_ASSERT_MSG(max_attempt == 6,  "max_attempt = " << max_attempt);
 432 }
 433
 434 /**
 435  * Basic password check.
 436  */
 437 RUNNER_TEST(tc20_security_server_chk_pwd)
 438 {
 439     int ret;
 440     unsigned int attempt, max_attempt, expire_sec;
 441
 442     // Prepare environment
 443     reset_security_server(TRACE_FROM_HERE);
 444     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 10, 10);
 445     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 446
 447     // TEST
 448     sleep(1);
 449     ret = security_server_chk_pwd(TEST_PASSWORD, &attempt, &max_attempt, &expire_sec);
 450     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, ret);
 451
 452     sleep(1);
 453     ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec);
 454     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_EXIST, "ret = " << ret);
 455 }
 456
 457 /**
 458  * Check an incorrect password.
 459  */
 460 RUNNER_TEST(tc21_security_server_chk_incorrect_pwd)
 461 {
 462     int ret;
 463     unsigned int attempt, max_attempt, expire_sec;
 464
 465     // Prepare environment
 466     reset_security_server(TRACE_FROM_HERE);
 467     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 10, 10);
 468     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 469
 470     //TEST
 471     sleep(1);
 472     ret = security_server_chk_pwd(SECOND_TEST_PASSWORD, &attempt, &max_attempt, &expire_sec);
 473     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH, "ret = " << ret);
 474 }
 475
 476 /**
 477  * Check an incorrect password
 478  */
 479 RUNNER_TEST(tc22_security_server_set_pwd_incorrect_current)
 480 {
 481     int ret;
 482
 483     // Prepare environment
 484     reset_security_server(TRACE_FROM_HERE);
 485     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 10, 10);
 486     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 487
 488     // TEST
 489     sleep(1);
 490     ret = security_server_set_pwd(SECOND_TEST_PASSWORD, THIRD_TEST_PASSWORD, 10, 10);
 491     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH,  "ret = " << ret);
 492 }
 493
 494 /**
 495  * Change password
 496  */
 497 RUNNER_TEST(tc23_security_server_set_pwd_correct_current)
 498 {
 499     int ret;
 500
 501     // Prepare environment
 502     reset_security_server(TRACE_FROM_HERE);
 503     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 10, 10);
 504     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 505
 506     // TEST
 507     sleep(1);
 508     ret = security_server_set_pwd(TEST_PASSWORD, SECOND_TEST_PASSWORD, 10, 10);
 509     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 510 }
 511
 512 /**
 513  * Check wrong password multiple times and then check a correct one.
 514  */
 515 RUNNER_TEST(tc24_security_server_attempt_exceeding)
 516 {
 517     int ret;
 518     unsigned int i, attempt, max_attempt, expire_sec;
 519
 520     // Prepare environment
 521     reset_security_server(TRACE_FROM_HERE);
 522     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 10, 10);
 523     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 524
 525     // TEST
 526     printf("5 subtests started...");
 527     for (i = 1; i <= 5; i++) {
 528         sleep(1);
 529         ret = security_server_chk_pwd(SECOND_TEST_PASSWORD, &attempt, &max_attempt, &expire_sec);
 530         RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH, "ret = " << ret);
 531         RUNNER_ASSERT_MSG(attempt == i, "attempt = " << attempt << ", expected " << i);
 532     }
 533     printf("DONE\n");
 534
 535     sleep(1);
 536     ret = security_server_chk_pwd(TEST_PASSWORD, &attempt, &max_attempt, &expire_sec);
 537     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 538
 539     sleep(1);
 540     ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec);
 541     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_EXIST, "ret = " << ret);
 542     RUNNER_ASSERT_MSG(attempt == 0, "ret = " << ret);
 543     RUNNER_ASSERT_MSG(max_attempt == 10, "ret = " << ret);
 544 }
 545
 546 /**
 547  * Try to exceed maximum number of challenges.
 548  */
 549 RUNNER_TEST(tc25_security_server_attempt_exceeding)
 550 {
 551     int ret;
 552     unsigned int i, attempt, max_attempt, expire_sec;
 553
 554     // Prepare environment
 555     reset_security_server(TRACE_FROM_HERE);
 556     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 10, 1);
 557     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 558
 559     // TEST
 560     printf("10 subtests started...");
 561     for (i = 1; i <= 10; i++) {
 562         sleep(1);
 563         ret = security_server_chk_pwd(SECOND_TEST_PASSWORD, &attempt, &max_attempt, &expire_sec);
 564         RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH, "ret = " << ret);
 565         RUNNER_ASSERT_MSG(attempt == i, "attempt = " << attempt << ", expected " << i);
 566     }
 567
 568     // The check, that exceeds max number
 569     sleep(1);
 570     ret = security_server_chk_pwd(SECOND_TEST_PASSWORD, &attempt, &max_attempt, &expire_sec);
 571     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_MAX_ATTEMPTS_EXCEEDED, "ret = " << ret);
 572     printf("DONE\n");
 573
 574     sleep(1);
 575     ret = security_server_chk_pwd(TEST_PASSWORD,  &attempt, &max_attempt, &expire_sec);
 576     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_MAX_ATTEMPTS_EXCEEDED, "ret = " << ret);
 577 }
 578
 579 /**
 580  * Reset password
 581  */
 582 RUNNER_TEST(tc26_security_server_reset_pwd)
 583 {
 584     int ret;
 585
 586     // Prepare environment
 587     reset_security_server(TRACE_FROM_HERE);
 588     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 5, 10);
 589     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 590
 591     // TEST
 592     sleep(1);
 593     ret = security_server_reset_pwd(TEST_PASSWORD, 10, 10);
 594     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 595 }
 596
 597 /**
 598  * Check too long password.
 599  */
 600 RUNNER_TEST(tc27_security_server_chk_pwd_too_long_password)
 601 {
 602     int ret;
 603     unsigned int attempt, max_attempt, expire_sec;
 604     // Prepare environment
 605     reset_security_server(TRACE_FROM_HERE);
 606     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 5, 10);
 607     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 608
 609     // TEST
 610     char* long_password = (char*) malloc(5001);
 611     long_password[5000] = '\0';
 612     memset(long_password, 'A', 5000);
 613     ret = security_server_chk_pwd(long_password,  &attempt, &max_attempt, &expire_sec);
 614     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 615 }
 616
 617 /**
 618  * Check passwords expiration (not expired)
 619  */
 620 RUNNER_TEST(tc28_security_server_check_expiration)
 621 {
 622     int ret;
 623     unsigned int attempt, max_attempt, expire_sec;
 624
 625     // Prepare environment
 626     reset_security_server(TRACE_FROM_HERE);
 627     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 5, 1);
 628     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 629
 630     // TEST
 631     sleep(1);
 632     ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec);
 633     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_EXIST, "ret = " << ret);
 634     RUNNER_ASSERT_MSG((expire_sec < 86402) && (expire_sec > 86396), "expire_sec = " << ret);
 635 }
 636
 637 /**
 638  * Use various parameter values of parameters.
 639  */
 640 RUNNER_TEST(tc29_security_server_set_pwd_history)
 641 {
 642     int ret;
 643
 644     // Prepare environment
 645     reset_security_server(TRACE_FROM_HERE);
 646     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 5, 1);
 647     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 648
 649     // TESTS
 650     sleep(1);
 651     ret = security_server_set_pwd_history(100);
 652     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 653
 654     sleep(1);
 655     ret = security_server_set_pwd_history(51);
 656     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 657
 658     sleep(1);
 659     ret = security_server_set_pwd_history(-5);
 660     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 661
 662     sleep(1);
 663     ret = security_server_set_pwd_history(50);
 664     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 665
 666     sleep(1);
 667     ret = security_server_set_pwd_history(0);
 668     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 669
 670     sleep(1);
 671     ret = security_server_set_pwd_history(INT_MAX);
 672     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 673
 674     sleep(1);
 675     ret = security_server_set_pwd_history(INT_MIN);
 676     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 677
 678     sleep(1);
 679     ret = security_server_set_pwd_history(10);
 680     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 681 }
 682
 683
 684
 685 int dir_filter(const struct dirent *entry)
 686 {
 687     if ((strcmp(entry->d_name, ".") == 0) ||
 688         (strcmp(entry->d_name, "..") == 0) ||
 689         (strcmp(entry->d_name, "attempts") == 0) ||
 690         (strcmp(entry->d_name, "history") == 0))
 691         return (0);
 692     else
 693         return (1);
 694 }
 695
 696 void clean_password_dir(void)
 697 {
 698     int ret;
 699     int i;
 700     struct dirent **mydirent;
 701
 702     ret = scandir("/opt/data/security-server", &mydirent, &dir_filter, alphasort);
 703     i = ret;
 704     while (i--)
 705         free(mydirent[i]);
 706     free(mydirent);
 707 }
 708
 709
 710 /**
 711  * Check password history.
 712  */
 713 RUNNER_TEST(tc30_security_server_check_history)
 714 {
 715     int ret;
 716     int i;
 717     char buf1[33], buf2[33];
 718
 719     // Prepare environment
 720     reset_security_server(TRACE_FROM_HERE);
 721
 722     clean_password_dir();
 723
 724     ret = security_server_set_pwd_history(9);
 725     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 726
 727     sleep(1);
 728     ret = security_server_reset_pwd("history0", 0, 0);
 729     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 730
 731     printf("11 subtests started...");
 732     for (i = 0; i < 11; i++) {
 733         sprintf(buf1, "history%d", i);
 734         sprintf(buf2, "history%d", i + 1);
 735
 736         sleep(1);
 737         ret = security_server_set_pwd(buf1, buf2, 0, 0);
 738         RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 739     }
 740     printf("DONE\n");
 741
 742     sleep(1);
 743     ret = security_server_set_pwd("history11", "history1", 0, 0);
 744     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 745
 746     sleep(1);
 747     ret = security_server_set_pwd("history1", "history8", 0, 0);
 748     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_REUSED, "ret = " << ret);
 749
 750     sleep(1);
 751     ret = security_server_set_pwd("history1", "history12", 0, 0);
 752     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 753
 754     printf("48 subtests started...");
 755     for (i = 12; i < 60; i++) {
 756         sleep(1);
 757
 758         sprintf(buf1, "history%d", i);
 759         sprintf(buf2, "history%d", i + 1);
 760
 761         ret = security_server_set_pwd(buf1, buf2, 0, 0);
 762         RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 763     }
 764     printf("DONE\n");
 765
 766     clean_password_dir();
 767 }
 768
 769 /**
 770  * Replay attack
 771  */
 772 RUNNER_TEST(tc31_security_server_replay_attack)
 773 {
 774     int ret;
 775     int i = 0;
 776     unsigned int attempt, max_attempt, expire_sec;
 777
 778     sleep(1);
 779     ret = security_server_chk_pwd("quickquickquick", &attempt, &max_attempt, &expire_sec);
 780
 781     while (ret == SECURITY_SERVER_API_ERROR_PASSWORD_RETRY_TIMER) {
 782         i += 100000;
 783
 784         ret = security_server_chk_pwd("quickquickquick", &attempt, &max_attempt, &expire_sec);
 785         usleep(i);
 786     }
 787
 788     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH, "ret = " << ret);
 789 }
 790
 791 /**
 792  * Expired password
 793  */
 794 RUNNER_TEST(tc32_security_server_challenge_on_expired_password)
 795 {
 796     int ret;
 797     unsigned int attempt, max_attempt, expire_sec;
 798     struct timeval cur_time;
 799
 800     // Prepare environment
 801     reset_security_server(TRACE_FROM_HERE);
 802     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 4, 1);
 803     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 804
 805     // TEST
 806     sleep(1);
 807     ret = security_server_chk_pwd(TEST_PASSWORD, &attempt, &max_attempt, &expire_sec);
 808     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 809
 810     ret = gettimeofday(&cur_time, NULL);
 811     RUNNER_ASSERT_MSG(ret > -1, ret);
 812
 813     cur_time.tv_sec += (expire_sec + 1);
 814     ret = settimeofday(&cur_time, NULL);
 815     RUNNER_ASSERT_MSG(ret > -1, ret);
 816
 817     sleep(1);
 818     ret = security_server_chk_pwd(TEST_PASSWORD, &attempt, &max_attempt, &expire_sec);
 819     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_EXPIRED, "ret = " << ret);
 820
 821     sleep(1);
 822     ret = security_server_chk_pwd(SECOND_TEST_PASSWORD, &attempt, &max_attempt, &expire_sec);
 823     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH, "ret = " << ret);
 824 }
 825
 826 /**
 827  * Reset password
 828  */
 829 RUNNER_TEST(tc33_security_server_reset_by_null_pwd)
 830 {
 831     int ret;
 832
 833     // Prepare environment
 834     reset_security_server(TRACE_FROM_HERE);
 835
 836     // TEST
 837     ret = security_server_reset_pwd(NULL, 10, 10);
 838     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 839 }
 840
 841 /*
 842  * Use this instead of security_server_chk_pwd directly to verify the function output.
 843  * For example:
 844  * verify_chk_pwd(__LINE__, "password", SECURITY_SERVER_API_SUCCESS, 2, 5, 10000, "debug string")
 845  */
 846 void verify_chk_pwd_basic(
 847     const char* challenge,
 848     int expected_result,
 849     unsigned int expected_current_attempt,
 850     unsigned int expected_max_attempt,
 851     unsigned int expected_valid_secs,
 852     const Tracker &tracker = Tracker())
 853 {
 854     /* ensure that initial values differ from expected ones */
 855     unsigned int attempt = expected_current_attempt - 1;
 856     unsigned int max_attempt = expected_max_attempt - 1;
 857     unsigned int expire_sec = expected_valid_secs - 1;
 858
 859     usleep(PASSWORD_RETRY_TIMEOUT_US);
 860     int ret = security_server_chk_pwd(challenge, &attempt, &max_attempt, &expire_sec);
 861
 862     // validate returned value
 863     RUNNER_ASSERT_MSG(ret == expected_result,
 864         tracker.str() <<
 865         "security_server_chk_pwd returned "
 866          << ret << " (expected: " << expected_result << ")");
 867
 868     // validate current attempts value
 869     RUNNER_ASSERT_MSG(attempt == expected_current_attempt,
 870         tracker.str() <<
 871         "security_server_chk_pwd returned attempt = " << attempt <<
 872         " (expected: " << expected_current_attempt << ")");
 873
 874     // validate max attempt value
 875     RUNNER_ASSERT_MSG(max_attempt == expected_max_attempt,
 876         tracker.str() <<
 877         "security_server_chk_pwd returned max_attempt = " << max_attempt <<
 878         " (expected: " << expected_max_attempt << ")");
 879
 880     // validate expire seconds
 881     if (expected_valid_secs == PASSWORD_INFINITE_EXPIRATION_TIME) {
 882         RUNNER_ASSERT_MSG(expire_sec == expected_valid_secs,
 883             tracker.str() <<
 884             "security_server_chk_pwd returned expire_sec = " << expire_sec <<
 885             " (expected: " << expected_valid_secs << ")");
 886     } else {
 887         // because of sleeps in test code we need to check period of time.
 888         unsigned int begin = expected_valid_secs > 5 ? expected_valid_secs - 5 : 0;
 889         unsigned int end   = expected_valid_secs + 5;
 890
 891         RUNNER_ASSERT_MSG(expire_sec >= begin && expire_sec <= end,
 892             tracker.str() <<
 893             "security_server_chk_pwd returned expire_sec = " << expire_sec <<
 894             " (expected: <" << begin << "," << end << ")");
 895     }
 896 }
 897
 898 /* This function is required because we cannot use default value in expected_valid_secs in
 899  * verify_chk_pwd_basic and define Tracker at the same time. */
 900 void verify_chk_pwd(
 901     const char *challenge,
 902     int expected_result,
 903     unsigned int expected_current_attempt,
 904     unsigned int expected_max_attempt,
 905     const Tracker &tracker = Tracker())
 906 {
 907     verify_chk_pwd_basic(
 908         challenge,
 909         expected_result,
 910         expected_current_attempt,
 911         expected_max_attempt,
 912         PASSWORD_INFINITE_EXPIRATION_TIME,
 913         tracker);
 914 }
 915
 916
 917 /**
 918  * Reach last attempt few times in a row (before exceeding max_attempt).
 919  */
 920 RUNNER_TEST(tc34_security_server_max_attempts)
 921 {
 922     // Prepare environment
 923     reset_security_server(TRACE_FROM_HERE);
 924
 925     int ret = security_server_set_pwd(NULL, TEST_PASSWORD, 0, 0);
 926     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 927
 928     // change max attempts number few times
 929     std::vector<unsigned int> max_challenge_tab = {1, 4, 2};
 930
 931     for (size_t pass = 0; pass < max_challenge_tab.size(); ++pass) {
 932         unsigned int max_challenges = max_challenge_tab[pass];
 933
 934         usleep(PASSWORD_RETRY_TIMEOUT_US);
 935         ret = security_server_set_pwd_max_challenge(max_challenges);
 936         RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 937
 938         // max_challenges-1 wrong password attempts
 939         for (unsigned int attempt_nr = 1; attempt_nr < max_challenges; ++attempt_nr)
 940             verify_chk_pwd(SECOND_TEST_PASSWORD,
 941                            SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH,
 942                            attempt_nr,
 943                            max_challenges,
 944                            TRACE_FROM_HERE_MSG(
 945                                std::string("pass = " + std::to_string(pass) +
 946                                ", attempt = " + std::to_string(attempt_nr))));
 947
 948         // Check correct password finally
 949         verify_chk_pwd(TEST_PASSWORD, SECURITY_SERVER_API_SUCCESS,
 950                        max_challenges, max_challenges, TRACE_FROM_HERE);
 951     }
 952 }
 953
 954 /**
 955  * Decrease 'max challenge' number after several missed attempts.
 956  */
 957 RUNNER_TEST(tc35_security_server_decrease_max_attempts)
 958 {
 959     const unsigned int max_challenge_more = 10;
 960     const unsigned int max_challenge_less = 5;
 961
 962     // Prepare environment
 963     reset_security_server(TRACE_FROM_HERE);
 964
 965     int ret = security_server_set_pwd(NULL, TEST_PASSWORD, max_challenge_more, 0);
 966     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 967
 968     // missed attempts
 969     for (unsigned int attempt = 1; attempt <= max_challenge_more; ++attempt)
 970         verify_chk_pwd(SECOND_TEST_PASSWORD,
 971                        SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH,
 972                        attempt,
 973                        max_challenge_more,
 974                        TRACE_FROM_HERE_MSG(
 975                            std::string("attempt = " + std::to_string(attempt))));
 976
 977     // lower max_challenge
 978     usleep(PASSWORD_RETRY_TIMEOUT_US);
 979     ret = security_server_set_pwd_max_challenge(max_challenge_less);
 980     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 981
 982     // try valid password - should pass (curr attempts is reset)
 983     verify_chk_pwd(TEST_PASSWORD, SECURITY_SERVER_API_SUCCESS, 1, max_challenge_less,
 984         TRACE_FROM_HERE);
 985
 986     // remove max attempts limit
 987     usleep(PASSWORD_RETRY_TIMEOUT_US);
 988     ret = security_server_set_pwd_max_challenge(0);
 989     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 990
 991     // try valid password again - should pass
 992     verify_chk_pwd(TEST_PASSWORD, SECURITY_SERVER_API_SUCCESS, 1, 0, TRACE_FROM_HERE);
 993
 994     // try to change the password - should pass
 995     usleep(PASSWORD_RETRY_TIMEOUT_US);
 996     ret = security_server_set_pwd(TEST_PASSWORD, SECOND_TEST_PASSWORD, 0, 0);
 997     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 998
 999     // validate new password
1000     verify_chk_pwd(SECOND_TEST_PASSWORD, SECURITY_SERVER_API_SUCCESS, 1, 0, TRACE_FROM_HERE);
1001 }
1002
1003 /**
1004  * Change password few times and challenge previous passwords - checks if security_server_set_pwd
1005  * works as it should.
1006  */
1007 RUNNER_TEST(tc36_security_server_challenge_previous_passwords)
1008 {
1009     const int history_depth = 5;
1010     const unsigned int max_challenge = 3;
1011     std::string prev_pass, new_pass = TEST_PASSWORD;
1012
1013     // Prepare environment
1014     reset_security_server(TRACE_FROM_HERE);
1015
1016     int ret = security_server_set_pwd_history(history_depth);
1017     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1018
1019     usleep(PASSWORD_RETRY_TIMEOUT_US);
1020     ret = security_server_reset_pwd(TEST_PASSWORD, max_challenge, 0);
1021     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1022
1023     for (int depth = 0; depth < history_depth; ++depth) {
1024         prev_pass = new_pass;
1025
1026         //generate password name
1027         new_pass = "history" + std::to_string(depth+1);
1028
1029         usleep(PASSWORD_RETRY_TIMEOUT_US);
1030         ret = security_server_set_pwd(prev_pass.c_str(), new_pass.c_str(), max_challenge, 0);
1031         RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1032
1033         // challenge initial password
1034         verify_chk_pwd(
1035             TEST_PASSWORD,
1036             SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH,
1037             1,
1038             max_challenge,
1039             TRACE_FROM_HERE_MSG(
1040                 std::string("depth = " + std::to_string(depth))));
1041
1042         // challenge previous password
1043         verify_chk_pwd(
1044             prev_pass.c_str(),
1045             SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH,
1046             2,
1047             max_challenge,
1048             TRACE_FROM_HERE_MSG(
1049                 std::string("depth = " + std::to_string(depth)).c_str()));
1050     }
1051 }
1052
1053 /**
1054  * Challenge correct and incorrect passwords, check security_server_chk_pwd output.
1055  * This test simulates user's behaviour - challenges valid and invalid passwords
1056  * in various combinations.
1057  */
1058 RUNNER_TEST(tc37_security_server_challenge_mixed)
1059 {
1060     // Prepare environment
1061     reset_security_server(TRACE_FROM_HERE);
1062
1063     const unsigned int max_challenge = 2;
1064     int ret = security_server_set_pwd(NULL, TEST_PASSWORD, max_challenge, 0);
1065     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1066
1067     // 2x correct pwd - verify that 'cuurrent attempt' isn't increased
1068     for (unsigned int i = 0; i < max_challenge; ++i)
1069         verify_chk_pwd(
1070             TEST_PASSWORD,
1071             SECURITY_SERVER_API_SUCCESS,
1072             1,
1073             max_challenge,
1074             TRACE_FROM_HERE_MSG(
1075                 std::string("i = " + std::to_string(i))));
1076
1077     // Ensure that challenging valid password resets 'cuurrent attempt' value.
1078     // If it didn't, the test would fail in third loop pass.
1079     for (unsigned int i = 0; i < max_challenge + 1; ++i) {
1080         // incorrect pwd
1081         verify_chk_pwd(
1082             SECOND_TEST_PASSWORD,
1083             SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH,
1084             1,
1085             max_challenge,
1086             TRACE_FROM_HERE_MSG(
1087                 std::string("i = " + std::to_string(i))));
1088
1089         // correct pwd
1090         verify_chk_pwd(
1091             TEST_PASSWORD,
1092             SECURITY_SERVER_API_SUCCESS,
1093             2,
1094             max_challenge,
1095             TRACE_FROM_HERE_MSG(
1096                 std::string("i = " + std::to_string(i))));
1097     }
1098
1099     // incorrect pwd 2x - 'cuurrent attempt' reaches max_challenge -
1100     // any further attempts (even correct) are blocked
1101     for (unsigned int i = 1; i <= max_challenge; ++i)
1102         verify_chk_pwd(
1103             SECOND_TEST_PASSWORD,
1104             SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH,
1105             i,
1106             max_challenge,
1107             TRACE_FROM_HERE_MSG(
1108                 std::string("i = " + std::to_string(i))));
1109
1110     // correct - refused
1111     for (unsigned int i = 1; i <= max_challenge; ++i)
1112         verify_chk_pwd(
1113             TEST_PASSWORD,
1114             SECURITY_SERVER_API_ERROR_PASSWORD_MAX_ATTEMPTS_EXCEEDED,
1115             max_challenge + i,
1116             max_challenge,
1117             TRACE_FROM_HERE_MSG(
1118                 std::string("i = " + std::to_string(i))));
1119 }
1120
1121 /*
1122  * Pasword change mixed with history depth change.
1123  */
1124 RUNNER_TEST(tc38_security_server_history_depth_change)
1125 {
1126     int ret;
1127     const int initial_history_depth = 2;
1128     const int decreased_history_depth = 1;
1129     const int increased_history_depth = 3;
1130
1131     // Prepare environment
1132     reset_security_server(TRACE_FROM_HERE);
1133
1134     ret = security_server_set_pwd_history(initial_history_depth);
1135     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1136
1137     usleep(PASSWORD_RETRY_TIMEOUT_US);
1138     ret = security_server_reset_pwd(TEST_PASSWORD, 0, 0);
1139     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1140
1141     usleep(PASSWORD_RETRY_TIMEOUT_US);
1142     ret = security_server_set_pwd(TEST_PASSWORD, SECOND_TEST_PASSWORD, 0, 0);
1143     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1144
1145     usleep(PASSWORD_RETRY_TIMEOUT_US);
1146     ret = security_server_set_pwd(SECOND_TEST_PASSWORD, THIRD_TEST_PASSWORD, 0, 0);
1147     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1148
1149     // TEST_PASSWORD, 2nd and 3rd remembered => 1st should be refused
1150     usleep(PASSWORD_RETRY_TIMEOUT_US);
1151     ret = security_server_set_pwd(THIRD_TEST_PASSWORD, TEST_PASSWORD, 0, 0);
1152     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_REUSED, "ret = " << ret);
1153
1154     /*
1155      * Lower history depth. At this point SS should treat THIRD_TEST_PASSWORD as current pwd,
1156      * and SECOND_TEST_PASSWORD as a part of history.
1157      */
1158     usleep(PASSWORD_RETRY_TIMEOUT_US);
1159     ret = security_server_set_pwd_history(decreased_history_depth);
1160     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1161
1162     usleep(PASSWORD_RETRY_TIMEOUT_US);
1163     ret = security_server_set_pwd(THIRD_TEST_PASSWORD, TEST_PASSWORD, 0, 0);
1164     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1165
1166     usleep(PASSWORD_RETRY_TIMEOUT_US);
1167     ret = security_server_set_pwd(TEST_PASSWORD, THIRD_TEST_PASSWORD, 0, 0);
1168     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_REUSED, "ret = " << ret);
1169
1170     /*
1171      * Increase history depth to 3. At this point SS should remember TEST_PASSWORD
1172      * and THIRD_TEST_PASSWORD only.
1173      */
1174     usleep(PASSWORD_RETRY_TIMEOUT_US);
1175     ret = security_server_set_pwd_history(increased_history_depth);
1176     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1177
1178     // 3rd and TEST_PASSWORD remembered => 2nd should be accepted
1179     usleep(PASSWORD_RETRY_TIMEOUT_US);
1180     ret = security_server_set_pwd(TEST_PASSWORD, SECOND_TEST_PASSWORD, 0, 0);
1181     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1182
1183     // TEST_PASSWORD, 2nd and 3rd remembered => 3rd should be refused
1184     usleep(PASSWORD_RETRY_TIMEOUT_US);
1185     ret = security_server_set_pwd(SECOND_TEST_PASSWORD, THIRD_TEST_PASSWORD, 0, 0);
1186     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_REUSED, "ret = " << ret);
1187 }
1188
1189 /**
1190  * Challenge invalid password, reset server and check if 'current attempts' is restored.
1191  */
1192 RUNNER_TEST(tc39_security_server_attempts_num_check_after_reset)
1193 {
1194     unsigned int attempt, max_attempt, expire_sec;
1195     const unsigned int max_challenge = 10;
1196     const unsigned int invalid_attempts_num = 3;
1197
1198     // Prepare environment
1199     reset_security_server(TRACE_FROM_HERE);
1200
1201     int ret = security_server_set_pwd(NULL, TEST_PASSWORD, max_challenge, 0);
1202     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1203
1204     // missed attempts
1205     for (unsigned int attempt = 1; attempt <= invalid_attempts_num; ++attempt)
1206         verify_chk_pwd(
1207             SECOND_TEST_PASSWORD,
1208             SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH,
1209             attempt,
1210             max_challenge,
1211             TRACE_FROM_HERE_MSG(
1212                 std::string("attempt = " + std::to_string(attempt))));
1213
1214     usleep(PASSWORD_RETRY_TIMEOUT_US);
1215     attempt = max_attempt = expire_sec = UINT_MAX;
1216     ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec);
1217     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_EXIST, "ret = " << ret);
1218     RUNNER_ASSERT_MSG(max_attempt == max_challenge, "max_attempt = " << max_attempt);
1219     RUNNER_ASSERT_MSG(attempt == invalid_attempts_num, "attempt = " << attempt);
1220     RUNNER_ASSERT_MSG(expire_sec == PASSWORD_INFINITE_EXPIRATION_TIME, "expire_sec = " <<
1221                       expire_sec);
1222
1223     // restart server - triggers loading password data from file
1224     restart_security_server();
1225
1226     // challenge invalid password
1227     verify_chk_pwd(
1228         SECOND_TEST_PASSWORD,
1229         SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH,
1230         invalid_attempts_num + 1,
1231         max_challenge,
1232         TRACE_FROM_HERE);
1233
1234     // challenge valid password
1235     verify_chk_pwd(
1236         TEST_PASSWORD,
1237         SECURITY_SERVER_API_SUCCESS,
1238         invalid_attempts_num + 2,
1239         max_challenge,
1240         TRACE_FROM_HERE);
1241 }
1242
1243 /**
1244  * Validate passwords history after security server reset.
1245  */
1246 RUNNER_TEST(tc40_security_server_history_check_after_reset)
1247 {
1248     const unsigned int history_depth = 2;
1249
1250     // Prepare environment
1251     reset_security_server(TRACE_FROM_HERE);
1252
1253     int ret = security_server_set_pwd_history(history_depth);
1254     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1255
1256     usleep(PASSWORD_RETRY_TIMEOUT_US);
1257     ret = security_server_reset_pwd(TEST_PASSWORD, 0, 0);
1258     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1259
1260     usleep(PASSWORD_RETRY_TIMEOUT_US);
1261     ret = security_server_set_pwd(TEST_PASSWORD, SECOND_TEST_PASSWORD, 0, 0);
1262     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1263
1264     usleep(PASSWORD_RETRY_TIMEOUT_US);
1265     ret = security_server_set_pwd(SECOND_TEST_PASSWORD, THIRD_TEST_PASSWORD, 0, 0);
1266     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1267
1268     usleep(PASSWORD_RETRY_TIMEOUT_US);
1269     ret = security_server_set_pwd(THIRD_TEST_PASSWORD, FOURTH_TEST_PASSWORD, 0, 0);
1270     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1271
1272     // restart server - triggers loading password data from file
1273     restart_security_server();
1274
1275     // try to reuse history passwords
1276     usleep(PASSWORD_RETRY_TIMEOUT_US);
1277     ret = security_server_set_pwd(FOURTH_TEST_PASSWORD, THIRD_TEST_PASSWORD, 0, 0);
1278     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_REUSED, "ret = " << ret);
1279
1280     usleep(PASSWORD_RETRY_TIMEOUT_US);
1281     ret = security_server_set_pwd(FOURTH_TEST_PASSWORD, SECOND_TEST_PASSWORD, 0, 0);
1282     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_REUSED, "ret = " << ret);
1283
1284     usleep(PASSWORD_RETRY_TIMEOUT_US);
1285     ret = security_server_set_pwd(FOURTH_TEST_PASSWORD, TEST_PASSWORD, 0, 0);
1286     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1287 }
1288
1289 /**
1290  * Check if SS has correct behaviour when changing history depth to 0.
1291  */
1292 RUNNER_TEST(tc41_security_server_empty_history_check)
1293 {
1294     const unsigned int history_depth = 2;
1295     const unsigned int empty_history_depth = 0;
1296
1297     //prepare environment
1298     reset_security_server(TRACE_FROM_HERE);
1299
1300     //set new history count
1301     int ret = security_server_set_pwd_history(history_depth);
1302     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1303
1304     //set new password and fill history
1305     usleep(PASSWORD_RETRY_TIMEOUT_US);
1306     ret = security_server_reset_pwd(TEST_PASSWORD, 0, 0);
1307     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1308
1309     usleep(PASSWORD_RETRY_TIMEOUT_US);
1310     ret = security_server_set_pwd(TEST_PASSWORD, SECOND_TEST_PASSWORD, 0, 0);
1311     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1312
1313     usleep(PASSWORD_RETRY_TIMEOUT_US);
1314     ret = security_server_set_pwd(SECOND_TEST_PASSWORD, THIRD_TEST_PASSWORD, 0, 0);
1315     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1316
1317     //make sure, that everything went OK - try setting something that would cause reuse error
1318     usleep(PASSWORD_RETRY_TIMEOUT_US);
1319     ret = security_server_set_pwd(THIRD_TEST_PASSWORD, TEST_PASSWORD, 0, 0);
1320     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_REUSED, "ret = " << ret);
1321
1322     usleep(PASSWORD_RETRY_TIMEOUT_US);
1323     ret = security_server_set_pwd(THIRD_TEST_PASSWORD, SECOND_TEST_PASSWORD, 0, 0);
1324     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_REUSED, "ret = " << ret);
1325
1326     //reset history limit to no history at all
1327     usleep(PASSWORD_RETRY_TIMEOUT_US);
1328     ret = security_server_set_pwd_history(empty_history_depth);
1329     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1330
1331     //make sure, that current password still exists in memory
1332     //expected attempt 3 because our previous tries increased attempt counter
1333     verify_chk_pwd(
1334         THIRD_TEST_PASSWORD,
1335         SECURITY_SERVER_API_SUCCESS,
1336         3,
1337         0,
1338         TRACE_FROM_HERE);
1339
1340     //make sure that it's possible to reuse old password once history limit is set to 0
1341     usleep(PASSWORD_RETRY_TIMEOUT_US);
1342     ret = security_server_set_pwd(THIRD_TEST_PASSWORD, THIRD_TEST_PASSWORD, 0, 0);
1343     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1344
1345     //once again try setting earlier used passwords - now API should return success
1346     usleep(PASSWORD_RETRY_TIMEOUT_US);
1347     ret = security_server_set_pwd(THIRD_TEST_PASSWORD, TEST_PASSWORD, 0, 0);
1348     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1349
1350     usleep(PASSWORD_RETRY_TIMEOUT_US);
1351     ret = security_server_set_pwd(TEST_PASSWORD, SECOND_TEST_PASSWORD, 0, 0);
1352     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1353 }
1354
1355 RUNNER_TEST(tc42_security_server_set_new_pwd_with_current_empty)
1356 {
1357     //prepare environment
1358     reset_security_server(TRACE_FROM_HERE);
1359
1360     //set a password
1361     int ret = security_server_set_pwd(NULL, TEST_PASSWORD, 0, 0);
1362     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1363
1364     //try setting different password and giving NULL as current once again
1365     usleep(PASSWORD_RETRY_TIMEOUT_US);
1366     ret = security_server_set_pwd(NULL, SECOND_TEST_PASSWORD, 0, 0);
1367     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_EXIST, "ret = " << ret);
1368 }
1369
1370 RUNNER_TEST(tc43_security_server_no_retry_timeout_is_pwd_valid)
1371 {
1372     //prepare environment
1373     reset_security_server();
1374
1375     //set a password
1376     int ret = security_server_set_pwd(NULL, TEST_PASSWORD, 0, 0);
1377     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1378
1379     //do test
1380     unsigned int attempt, max_attempt, expire_sec;
1381     ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec);
1382     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_EXIST, "ret = " << ret);
1383     ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec);
1384     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_EXIST, "ret = " << ret);
1385 }
1386
1387 RUNNER_TEST(tc44_security_server_retry_timeout_chk_pwd)
1388 {
1389     //prepare environment
1390     reset_security_server();
1391
1392     //set a password
1393     int ret = security_server_set_pwd(NULL, TEST_PASSWORD, 0, 0);
1394     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1395
1396     //do test
1397     unsigned int attempt, max_attempt, expire_sec;
1398     ret = security_server_chk_pwd(TEST_PASSWORD, &attempt, &max_attempt, &expire_sec);
1399     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_RETRY_TIMER, "ret = " << ret);
1400     ret = security_server_chk_pwd(TEST_PASSWORD, &attempt, &max_attempt, &expire_sec);
1401     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_RETRY_TIMER, "ret = " << ret);
1402 }
1403
1404 RUNNER_TEST(tc45_security_server_retry_timeout_set_pwd)
1405 {
1406     //prepare environment
1407     reset_security_server();
1408
1409     //set a password
1410     int ret = security_server_set_pwd(NULL, TEST_PASSWORD, 0, 0);
1411     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1412
1413     //do test
1414     ret = security_server_set_pwd(TEST_PASSWORD, TEST_PASSWORD, 0, 0);
1415     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_RETRY_TIMER, "ret = " << ret);
1416     ret = security_server_set_pwd(TEST_PASSWORD, TEST_PASSWORD, 0, 0);
1417     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_RETRY_TIMER, "ret = " << ret);
1418 }
1419
1420 RUNNER_TEST(tc46_security_server_no_retry_timeout_set_pwd_validity)
1421 {
1422     //prepare environment
1423     reset_security_server();
1424
1425     //set a password
1426     int ret = security_server_set_pwd(NULL, TEST_PASSWORD, 0, 0);
1427     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1428
1429     //do test
1430     ret = security_server_set_pwd_validity(11);
1431     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1432     ret = security_server_set_pwd_validity(11);
1433     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1434 }
1435
1436 RUNNER_TEST(tc47_security_server_no_retry_timeout_reset_pwd)
1437 {
1438     //prepare environment
1439     reset_security_server();
1440
1441     //set a password
1442     int ret = security_server_set_pwd(NULL, TEST_PASSWORD, 0, 0);
1443     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1444
1445     //do test
1446     ret = security_server_reset_pwd(TEST_PASSWORD, 0, 0);
1447     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1448     ret = security_server_reset_pwd(TEST_PASSWORD, 0, 0);
1449     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1450 }
1451
1452 RUNNER_TEST(tc48_security_server_no_retry_timeout_pwd_history)
1453 {
1454     //prepare environment
1455     reset_security_server();
1456
1457     //set a password
1458     int ret = security_server_set_pwd(NULL, TEST_PASSWORD, 0, 0);
1459     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1460
1461     //do test
1462     ret = security_server_set_pwd_history(5);
1463     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1464     ret = security_server_set_pwd_history(5);
1465     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1466 }
1467
1468 RUNNER_TEST(tc49_security_server_no_retry_timeout_set_pwd_max_challenge)
1469 {
1470     //prepare environment
1471     reset_security_server();
1472
1473     //set a password
1474     int ret = security_server_set_pwd(NULL, TEST_PASSWORD, 0, 0);
1475     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1476
1477     //do test
1478     ret = security_server_set_pwd_max_challenge(5);
1479     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1480     ret = security_server_set_pwd_max_challenge(5);
1481     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1482 }
1483
1484 int main(int argc, char *argv[])
1485 {
1486     SummaryCollector::Register();
1487     return DPL::Test::TestRunnerSingleton::Instance().ExecTestRunner(argc, argv);
1488 }