tests/security-server-tests/security_server_tests_password.cpp

   1 /*
   2  * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved
   3  */
   4 /*
   5  * @file    security_server_tests_password.cpp
   6  * @author  Bumjin Im (bj.im@samsung.com)
   7  * @author  Pawel Polawski (p.polawski@partner.samsung.com)
   8  * @author  Radoslaw Bartosiak (r.bartosiak@samsung.com)
   9  * @author  Jan Olszak (j.olszak@samsung.com)
  10  * @version 2.0
  11  * @brief   Test cases for security server
  12  *
  13  * WARNING: In this file test order is very important. They have to always be run
  14  * in correct order. This is done by correct test case names ("tcXX_").
  15  */
  16
  17 #include <stdio.h>
  18 #include <errno.h>
  19 #include <stdlib.h>
  20 #include <string.h>
  21 #include <limits.h>
  22 #include <sys/types.h>
  23 #include <sys/param.h>
  24 #include <fcntl.h>
  25 #include <sys/un.h>
  26 #include <unistd.h>
  27 #include <sys/socket.h>
  28 #include <sys/time.h>
  29 #include <dirent.h>
  30 #include "security-server.h"
  31 #include <dpl/test/test_runner.h>
  32 #include <dlog.h>
  33 #include "test.h"
  34 #include "security_server_clean_env.h"
  35
  36
  37 // security server retry timeout in microseconds
  38 const unsigned int PASSWORD_RETRY_TIMEOUT_US = 500000;
  39
  40 // sleep time (in seconds) after security server restart
  41 const unsigned int SLEEP_AFTER_RESART = 2;
  42
  43 // test passwords
  44 const char* TEST_PASSWORD =         "IDLEPASS";
  45 const char* SECOND_TEST_PASSWORD =  "OTHERIDLEPASS";
  46 const char* THIRD_TEST_PASSWORD =   "THIRDPASS";
  47 const char* FOURTH_TEST_PASSWORD =  "FOURTHPASS";
  48
  49 /**
  50  * Reset security-server.
  51  *
  52  * Function should be run at the begining of every test, so every test is independent of each other.
  53  */
  54 void reset_security_server(){
  55     system("if [ -d /opt/data/security-server ]; then \n rm -rf /opt/data/security-server/*; \n fi");
  56     sync();
  57     restart_security_server();
  58     sleep(SLEEP_AFTER_RESART);
  59 }
  60
  61
  62 RUNNER_TEST_GROUP_INIT(SECURITY_SERVER_TESTS_PASSWORD);
  63
  64
  65 /**
  66  * Confirm there is no password before tests are run.
  67  */
  68 RUNNER_TEST(tc01_clear_environment)
  69 {
  70     int ret;
  71     unsigned int attempt, max_attempt, expire_sec;
  72
  73     if (getuid() == 0)
  74     {
  75         reset_security_server();
  76
  77         ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec);
  78
  79         RUNNER_ASSERT_MSG(expire_sec == 0, "expire_sec = " << expire_sec);
  80         RUNNER_ASSERT_MSG(max_attempt == 0, "max_attempt = " << max_attempt);
  81         RUNNER_ASSERT_MSG(attempt == 0, "attempt = " << attempt);
  82         RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD, "ret = " << ret);
  83     }
  84     else
  85     {
  86         SLOGD("To run the test as non root user, please remove password files (/opt/data/security-server/*) in root shell\n");
  87         SLOGD("If not, you will see some failures\n");
  88
  89         RUNNER_IGNORED_MSG("I'm not root");
  90     }
  91     sleep(1);
  92 }
  93
  94 /**
  95  * Basic test of setting validity period.
  96  */
  97 RUNNER_TEST(tc02_security_server_set_pwd_validity)
  98 {
  99     int ret;
 100
 101     // Prepare environment
 102     reset_security_server();
 103
 104     // TESTS:
 105     // WITHOUT password
 106     ret = security_server_set_pwd_validity(10);
 107     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD, "ret = " << ret);
 108
 109     ret = security_server_set_pwd_validity(11);
 110     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD, "ret = " << ret);
 111
 112     // WITH password
 113     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 10, 10);
 114     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 115
 116     ret = security_server_set_pwd_validity(10);
 117     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 118
 119     ret = security_server_set_pwd_validity(11);
 120     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 121
 122     sleep(1);
 123 }
 124
 125 /**
 126  * Basic test of setting maximum number of password challenges.
 127  */
 128 RUNNER_TEST(tc03_security_server_set_pwd_max_challenge)
 129 {
 130     int ret;
 131
 132     // Prepare environment
 133     reset_security_server();
 134
 135     // TESTS:
 136     // WITHOUT password
 137     ret = security_server_set_pwd_max_challenge(5);
 138     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD, "ret = " << ret);
 139
 140     ret = security_server_set_pwd_max_challenge(6);
 141     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD, "ret = " << ret);
 142
 143     // WITH password
 144     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 10, 10);
 145     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 146
 147     ret = security_server_set_pwd_max_challenge(5);
 148     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 149
 150     ret = security_server_set_pwd_max_challenge(6);
 151     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 152
 153     sleep(1);
 154     reset_security_server();
 155 }
 156
 157 /**
 158  * Test checking a too long password.
 159  */
 160 RUNNER_TEST(tc04_security_server_chk_pwd_too_long_password_case)
 161 {
 162     int ret;
 163     unsigned int attempt, max_attempt, expire_sec;
 164
 165     // 33 char password
 166     ret = security_server_chk_pwd("abcdefghijklmnopqrstuvwxyz0123456", &attempt, &max_attempt, &expire_sec);
 167     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 168 }
 169
 170 /**
 171  * Test various parameter values when checking a password.
 172  */
 173 RUNNER_TEST(tc05_security_server_chk_pwd_null_input_case)
 174 {
 175     int ret;
 176     unsigned int attempt, max_attempt, expire_sec;
 177
 178     ret = security_server_chk_pwd(NULL, &attempt, &max_attempt, &expire_sec);
 179     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 180
 181     ret = security_server_chk_pwd("password", NULL, &max_attempt, &expire_sec);
 182     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 183
 184     ret = security_server_chk_pwd("password", &attempt, NULL, &expire_sec);
 185     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 186
 187     ret = security_server_chk_pwd("password", &attempt, &max_attempt, NULL);
 188     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 189 }
 190
 191 /**
 192  * Check the given password when no password is set.
 193  */
 194 RUNNER_TEST(tc06_security_server_chk_pwd_no_password_case)
 195 {
 196     int ret;
 197     unsigned int attempt, max_attempt, expire_sec;
 198
 199     // Prepare environment - there is no password now!
 200     reset_security_server();
 201
 202     // TEST
 203     ret = security_server_chk_pwd("isthisempty", &attempt, &max_attempt, &expire_sec);
 204
 205     RUNNER_ASSERT_MSG(expire_sec == 0, expire_sec);
 206     RUNNER_ASSERT_MSG(max_attempt == 0, max_attempt);
 207     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD, "ret = " << ret);
 208 }
 209
 210 /**
 211  * Checks various parameter values.
 212  */
 213 RUNNER_TEST(tc07_security_server_set_pwd_null_input_case)
 214 {
 215     int ret;
 216
 217     // Prepare environment
 218     reset_security_server();
 219
 220     // TEST
 221     ret = security_server_set_pwd(NULL, NULL, 0, 0);
 222     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 223 }
 224
 225 /**
 226  * Test setting too long password.
 227  */
 228 RUNNER_TEST(tc08_security_server_set_pwd_too_long_input_param)
 229 {
 230     int ret;
 231
 232     // Prepare environment
 233     reset_security_server();
 234
 235     // TEST
 236     // 33 char password
 237     ret = security_server_set_pwd("abcdefghijklmnopqrstuvwxyz0123456", "abcdefghijklmnopqrstuvwxyz0123456", 0, 0);
 238     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 239 }
 240
 241 /**
 242  * Basic password setting.
 243  */
 244 RUNNER_TEST(tc09_security_server_set_pwd_current_pwd_empty)
 245 {
 246     int ret;
 247
 248     // Prepare environment
 249     reset_security_server();
 250
 251     // TEST
 252     sleep(1);
 253     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 0, 0);
 254     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 255 }
 256
 257 /**
 258  * Set a maximum password period.
 259  */
 260 RUNNER_TEST(tc10_security_server_set_pwd_current_pwd_max_valid_period_in_days)
 261 {
 262     int ret;
 263     // Prepare environment
 264     reset_security_server();
 265     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 10, 10);
 266     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 267
 268     // TEST
 269     sleep(1);
 270     // UINT_MAX will cause api error, it is to big value
 271     ret = security_server_set_pwd(TEST_PASSWORD, SECOND_TEST_PASSWORD, 0, UINT_MAX);
 272     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 273     sleep(1);
 274     // calculate max applicable valid days that will not be rejected by ss
 275     // ensure, that after conversion from days to seconds in ss there will be no uint overflow
 276     unsigned int valid_days = ((UINT_MAX - time(NULL)) / 86400) - 1;
 277     ret = security_server_set_pwd(TEST_PASSWORD, SECOND_TEST_PASSWORD, 0, valid_days);
 278     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 279 }
 280
 281 /**
 282  * Set a maximum password challenge number.
 283  */
 284 RUNNER_TEST(tc11_security_server_set_pwd_current_pwd_max_max_challenge)
 285 {
 286     int ret;
 287     // Prepare environment
 288     reset_security_server();
 289     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 10, 10);
 290     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 291
 292     // TEST
 293     sleep(1);
 294     ret = security_server_set_pwd(TEST_PASSWORD, SECOND_TEST_PASSWORD, UINT_MAX, 0);
 295     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 296 }
 297
 298 /**
 299  * Set empty password.
 300  */
 301 RUNNER_TEST(tc12_security_server_set_pwd_current_pwd_nonempty2zero)
 302 {
 303     int ret;
 304     // Prepare environment
 305     reset_security_server();
 306     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 10, 10);
 307     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 308
 309     // TEST
 310     sleep(1);
 311     ret = security_server_set_pwd(TEST_PASSWORD, "", 0, 0);
 312     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 313 }
 314
 315 /**
 316  * Change password to a too long password.
 317  */
 318 RUNNER_TEST(tc14_security_server_set_pwd_current_pwd_too_long_input_param)
 319 {
 320     int ret;
 321     // Prepare environment
 322     reset_security_server();
 323     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 10, 10);
 324     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 325
 326     // TEST
 327     sleep(1);
 328     char* long_password = (char*) malloc(5001);
 329     long_password[5000] = '\0';
 330     memset(long_password, 'A', 5000);
 331     ret = security_server_set_pwd(TEST_PASSWORD,long_password, 10, 10);
 332     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 333 }
 334
 335 /**
 336  * Check empty password.
 337  */
 338 RUNNER_TEST(tc15_security_server_chk_pwd_shortest_password)
 339 {
 340     int ret;
 341     unsigned int attempt, max_attempt, expire_sec;
 342
 343     // Prepare environment
 344     reset_security_server();
 345     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 10, 10);
 346     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 347
 348     // TEST
 349     sleep(1);
 350     ret = security_server_chk_pwd("", &attempt, &max_attempt, &expire_sec);
 351     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 352 }
 353
 354 /**
 355  * Various validity parameter values.
 356  */
 357 RUNNER_TEST(tc16_security_server_set_pwd_validity)
 358 {
 359     int ret;
 360     // Prepare environment
 361     reset_security_server();
 362     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 10, 10);
 363     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 364
 365     // TEST
 366     ret = security_server_set_pwd_validity(0);
 367     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 368
 369     ret = security_server_set_pwd_validity(1);
 370     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 371
 372     //When trying to set UINT_MAX we should get error.
 373     ret = security_server_set_pwd_validity(UINT_MAX);
 374     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 375
 376     ret = security_server_set_pwd_validity(2);
 377     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 378 }
 379
 380 /**
 381  * Check passwords validity
 382  */
 383 RUNNER_TEST(tc17_security_server_is_pwd_valid)
 384 {
 385     int ret;
 386     unsigned int attempt, max_attempt, expire_sec;
 387
 388     // Prepare environment
 389     reset_security_server();
 390     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 10, 2);
 391     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 392
 393     // TEST:
 394     sleep(1);
 395     ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec);
 396     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_EXIST,  "ret = " << ret);
 397     RUNNER_ASSERT_MSG((expire_sec > 172795) && (expire_sec < 172805),  "expire_sec = " << expire_sec);
 398 }
 399
 400 /**
 401  * Various numbers of challenges.
 402  */
 403 RUNNER_TEST(tc18_security_server_set_pwd_max_challenge)
 404 {
 405     int ret;
 406     // Prepare environment
 407     reset_security_server();
 408     // calculate max applicable valid days that will not be rejected by ss
 409     // ensure, that after conversion from days to seconds in ss there will be no uint overflow
 410     unsigned int valid_days = ((UINT_MAX - time(NULL)) / 86400) - 1;
 411     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 10, valid_days);
 412     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 413
 414     // TESTS
 415     sleep(1);
 416     ret = security_server_set_pwd_max_challenge(0);
 417     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 418
 419     sleep(1);
 420     ret = security_server_set_pwd_max_challenge(UINT_MAX);
 421     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 422
 423     sleep(1);
 424     ret = security_server_set_pwd_max_challenge(5);
 425     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 426
 427     sleep(1);
 428     ret = security_server_set_pwd_max_challenge(6);
 429     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 430 }
 431
 432
 433 /**
 434  * Check the max number of challenges.
 435  */
 436 RUNNER_TEST(tc19_security_server_is_pwd_valid)
 437 {
 438     int ret;
 439     unsigned int attempt, max_attempt, expire_sec;
 440     // Prepare environment
 441     reset_security_server();
 442     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 10, 10);
 443     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 444     sleep(1);
 445     ret = security_server_set_pwd_max_challenge(6);
 446     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 447
 448     // TEST
 449     ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec);
 450     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_EXIST, "ret = " << ret);
 451     RUNNER_ASSERT_MSG(max_attempt == 6,  "max_attempt = " << max_attempt);
 452 }
 453
 454 /**
 455  * Basic password check.
 456  */
 457 RUNNER_TEST(tc20_security_server_chk_pwd)
 458 {
 459     int ret;
 460     unsigned int attempt, max_attempt, expire_sec;
 461
 462     // Prepare environment
 463     reset_security_server();
 464     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 10, 10);
 465     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 466
 467     // TEST
 468     sleep(1);
 469     ret = security_server_chk_pwd(TEST_PASSWORD, &attempt, &max_attempt, &expire_sec);
 470     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, ret);
 471
 472     sleep(1);
 473     ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec);
 474     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_EXIST, "ret = " << ret);
 475 }
 476
 477 /**
 478  * Check an incorrect password.
 479  */
 480 RUNNER_TEST(tc21_security_server_chk_incorrect_pwd)
 481 {
 482     int ret;
 483     unsigned int attempt, max_attempt, expire_sec;
 484
 485     // Prepare environment
 486     reset_security_server();
 487     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 10, 10);
 488     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 489
 490     //TEST
 491     sleep(1);
 492     ret = security_server_chk_pwd(SECOND_TEST_PASSWORD, &attempt, &max_attempt, &expire_sec);
 493     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH, "ret = " << ret);
 494 }
 495
 496 /**
 497  * Check an incorrect password
 498  */
 499 RUNNER_TEST(tc22_security_server_set_pwd_incorrect_current)
 500 {
 501     int ret;
 502
 503     // Prepare environment
 504     reset_security_server();
 505     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 10, 10);
 506     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 507
 508     // TEST
 509     sleep(1);
 510     ret = security_server_set_pwd(SECOND_TEST_PASSWORD, THIRD_TEST_PASSWORD, 10, 10);
 511     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH,  "ret = " << ret);
 512 }
 513
 514 /**
 515  * Change password
 516  */
 517 RUNNER_TEST(tc23_security_server_set_pwd_correct_current)
 518 {
 519     int ret;
 520
 521     // Prepare environment
 522     reset_security_server();
 523     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 10, 10);
 524     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 525
 526     // TEST
 527     sleep(1);
 528     ret = security_server_set_pwd(TEST_PASSWORD, SECOND_TEST_PASSWORD, 10, 10);
 529     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 530 }
 531
 532 /**
 533  * Check wrong password multiple times and then check a correct one.
 534  */
 535 RUNNER_TEST(tc24_security_server_attempt_exceeding)
 536 {
 537     int ret;
 538     unsigned int i, attempt, max_attempt, expire_sec;
 539
 540     // Prepare environment
 541     reset_security_server();
 542     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 10, 10);
 543     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 544
 545     // TEST
 546     printf("5 subtests started...");
 547     for (i = 0; i < 5; i++) {
 548         sleep(1);
 549         ret = security_server_chk_pwd(SECOND_TEST_PASSWORD, &attempt, &max_attempt, &expire_sec);
 550         RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH, "ret = " << ret);
 551         RUNNER_ASSERT_MSG(attempt == i, attempt);
 552     }
 553     printf("DONE\n");
 554
 555     sleep(1);
 556     ret = security_server_chk_pwd(TEST_PASSWORD, &attempt, &max_attempt, &expire_sec);
 557     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 558
 559     sleep(1);
 560     ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec);
 561     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_EXIST, "ret = " << ret);
 562     RUNNER_ASSERT_MSG(attempt == 0, "ret = " << ret);
 563     RUNNER_ASSERT_MSG(max_attempt == 10, "ret = " << ret);
 564 }
 565
 566 /**
 567  * Try to exceed maximum number of challenges.
 568  */
 569 RUNNER_TEST(tc25_security_server_attempt_exceeding)
 570 {
 571     int ret;
 572     unsigned int i, attempt, max_attempt, expire_sec;
 573
 574     // Prepare environment
 575     reset_security_server();
 576     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 10, 1);
 577     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 578
 579     // TEST
 580     printf("10 subtests started...");
 581     for (i = 0; i < 10; i++) {
 582         sleep(1);
 583         ret = security_server_chk_pwd(SECOND_TEST_PASSWORD, &attempt, &max_attempt, &expire_sec);
 584         RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH, "ret = " << ret);
 585         RUNNER_ASSERT_MSG(attempt == i, "attempt = " << attempt);
 586     }
 587
 588     // The check, that exceeds max number
 589     sleep(1);
 590     ret = security_server_chk_pwd(SECOND_TEST_PASSWORD, &attempt, &max_attempt, &expire_sec);
 591     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_MAX_ATTEMPTS_EXCEEDED, "ret = " << ret);
 592     printf("DONE\n");
 593
 594     sleep(1);
 595     ret = security_server_chk_pwd(TEST_PASSWORD,  &attempt, &max_attempt, &expire_sec);
 596     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_MAX_ATTEMPTS_EXCEEDED, "ret = " << ret);
 597 }
 598
 599 /**
 600  * Reset password
 601  */
 602 RUNNER_TEST(tc26_security_server_reset_pwd)
 603 {
 604     int ret;
 605
 606     // Prepare environment
 607     reset_security_server();
 608     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 5, 10);
 609     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 610
 611     // TEST
 612     sleep(1);
 613     ret = security_server_reset_pwd(TEST_PASSWORD, 10, 10);
 614     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 615 }
 616
 617 /**
 618  * Check too long password.
 619  */
 620 RUNNER_TEST(tc27_security_server_chk_pwd_too_long_password)
 621 {
 622     int ret;
 623     unsigned int attempt, max_attempt, expire_sec;
 624     // Prepare environment
 625     reset_security_server();
 626     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 5, 10);
 627     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 628
 629     // TEST
 630     char* long_password = (char*) malloc(5001);
 631     long_password[5000] = '\0';
 632     memset(long_password, 'A', 5000);
 633     ret = security_server_chk_pwd(long_password,  &attempt, &max_attempt, &expire_sec);
 634     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 635 }
 636
 637 /**
 638  * Check passwords expiration (not expired)
 639  */
 640 RUNNER_TEST(tc28_security_server_check_expiration)
 641 {
 642     int ret;
 643     unsigned int attempt, max_attempt, expire_sec;
 644
 645     // Prepare environment
 646     reset_security_server();
 647     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 5, 1);
 648     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 649
 650     // TEST
 651     sleep(1);
 652     ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec);
 653     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_EXIST, "ret = " << ret);
 654     RUNNER_ASSERT_MSG((expire_sec < 86402) && (expire_sec > 86396), "expire_sec = " << ret);
 655 }
 656
 657 /**
 658  * Use various parameter values of parameters.
 659  */
 660 RUNNER_TEST(tc29_security_server_set_pwd_history)
 661 {
 662     int ret;
 663
 664     // Prepare environment
 665     reset_security_server();
 666     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 5, 1);
 667     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 668
 669     // TESTS
 670     sleep(1);
 671     ret = security_server_set_pwd_history(100);
 672     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 673
 674     sleep(1);
 675     ret = security_server_set_pwd_history(51);
 676     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 677
 678     sleep(1);
 679     ret = security_server_set_pwd_history(-5);
 680     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 681
 682     sleep(1);
 683     ret = security_server_set_pwd_history(50);
 684     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 685
 686     sleep(1);
 687     ret = security_server_set_pwd_history(0);
 688     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 689
 690     sleep(1);
 691     ret = security_server_set_pwd_history(INT_MAX);
 692     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 693
 694     sleep(1);
 695     ret = security_server_set_pwd_history(INT_MIN);
 696     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 697
 698     sleep(1);
 699     ret = security_server_set_pwd_history(10);
 700     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 701 }
 702
 703
 704
 705 int dir_filter(const struct dirent *entry)
 706 {
 707     if ((strcmp(entry->d_name, ".") == 0) ||
 708         (strcmp(entry->d_name, "..") == 0) ||
 709         (strcmp(entry->d_name, "attempts") == 0) ||
 710         (strcmp(entry->d_name, "history") == 0))
 711         return (0);
 712     else
 713         return (1);
 714 }
 715
 716 void clean_password_dir(void)
 717 {
 718     int ret;
 719     int i;
 720     struct dirent **mydirent;
 721
 722     ret = scandir("/opt/data/security-server", &mydirent, &dir_filter, alphasort);
 723     i = ret;
 724     while (i--)
 725         free(mydirent[i]);
 726     free(mydirent);
 727 }
 728
 729
 730 /**
 731  * Check password history.
 732  */
 733 RUNNER_TEST(tc30_security_server_check_history)
 734 {
 735     int ret;
 736     int i;
 737     char buf1[33], buf2[33];
 738
 739     // Prepare environment
 740     reset_security_server();
 741
 742     clean_password_dir();
 743
 744     sleep(1);
 745     ret = security_server_set_pwd_history(10);
 746     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 747
 748     sleep(1);
 749     ret = security_server_reset_pwd("history0", 0, 0);
 750     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 751
 752     printf("11 subtests started...");
 753     for (i = 0; i < 11; i++) {
 754         sprintf(buf1, "history%d", i);
 755         sprintf(buf2, "history%d", i + 1);
 756
 757         sleep(1);
 758         ret = security_server_set_pwd(buf1, buf2, 0, 0);
 759         RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 760     }
 761     printf("DONE\n");
 762
 763     sleep(1);
 764     ret = security_server_set_pwd("history11", "history1", 0, 0);
 765     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 766
 767     sleep(1);
 768     ret = security_server_set_pwd("history1", "history8", 0, 0);
 769     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_REUSED, "ret = " << ret);
 770
 771     sleep(1);
 772     ret = security_server_set_pwd("history1", "history12", 0, 0);
 773     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 774
 775     printf("48 subtests started...");
 776     for (i = 12; i < 60; i++) {
 777         sleep(1);
 778
 779         sprintf(buf1, "history%d", i);
 780         sprintf(buf2, "history%d", i + 1);
 781
 782         ret = security_server_set_pwd(buf1, buf2, 0, 0);
 783         RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 784     }
 785     printf("DONE\n");
 786
 787     clean_password_dir();
 788 }
 789
 790 /**
 791  * Replay attack
 792  */
 793 RUNNER_TEST(tc31_security_server_replay_attack)
 794 {
 795     int ret;
 796     int i = 0;
 797     unsigned int attempt, max_attempt, expire_sec;
 798
 799     sleep(1);
 800     ret = security_server_chk_pwd("quickquickquick", &attempt, &max_attempt, &expire_sec);
 801
 802     while (ret == SECURITY_SERVER_API_ERROR_PASSWORD_RETRY_TIMER) {
 803         i += 100000;
 804
 805         ret = security_server_chk_pwd("quickquickquick", &attempt, &max_attempt, &expire_sec);
 806         usleep(i);
 807     }
 808
 809     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH, "ret = " << ret);
 810 }
 811
 812 /**
 813  * Expired password
 814  */
 815 RUNNER_TEST(tc32_security_server_challenge_on_expired_password)
 816 {
 817     int ret;
 818     unsigned int attempt, max_attempt, expire_sec;
 819     struct timeval cur_time;
 820
 821     // Prepare environment
 822     reset_security_server();
 823     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 4, 1);
 824     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 825
 826     // TEST
 827     sleep(1);
 828     ret = security_server_chk_pwd(TEST_PASSWORD, &attempt, &max_attempt, &expire_sec);
 829     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 830
 831     ret = gettimeofday(&cur_time, NULL);
 832     RUNNER_ASSERT_MSG(ret > -1, ret);
 833
 834     cur_time.tv_sec += (expire_sec + 1);
 835     ret = settimeofday(&cur_time, NULL);
 836     RUNNER_ASSERT_MSG(ret > -1, ret);
 837
 838     sleep(1);
 839     ret = security_server_chk_pwd(TEST_PASSWORD, &attempt, &max_attempt, &expire_sec);
 840     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_EXPIRED, "ret = " << ret);
 841
 842     sleep(1);
 843     ret = security_server_chk_pwd(SECOND_TEST_PASSWORD, &attempt, &max_attempt, &expire_sec);
 844     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH, "ret = " << ret);
 845 }
 846
 847 /**
 848  * Reset password
 849  */
 850 RUNNER_TEST(tc33_security_server_reset_by_null_pwd)
 851 {
 852     int ret;
 853
 854     // Prepare environment
 855     reset_security_server();
 856
 857     // TEST
 858     sleep(1);
 859     ret = security_server_reset_pwd(NULL, 10, 10);
 860     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 861 }
 862
 863 /*
 864  * Use this instead of security_server_chk_pwd directly to verify the function output.
 865  * For example:
 866  * verify_chk_pwd(__LINE__, "password", SECURITY_SERVER_API_SUCCESS, 2, 5, 10000, "debug string")
 867  */
 868 void verify_chk_pwd(int line_num, const char* challenge, int expected_result,
 869                     unsigned int expected_current_attempt, unsigned int expected_max_attempt,
 870                     unsigned int expected_valid_secs, const char* debug_str = "")
 871 {
 872     /* ensure that initial values differ from expected ones */
 873     unsigned int attempt = expected_current_attempt - 1;
 874     unsigned int max_attempt = expected_max_attempt - 1;
 875     unsigned int expire_sec = expected_valid_secs - 1;
 876
 877     usleep(PASSWORD_RETRY_TIMEOUT_US);
 878     int ret = security_server_chk_pwd(challenge, &attempt, &max_attempt, &expire_sec);
 879
 880     // validate returned value
 881     RUNNER_ASSERT_MSG(ret == expected_result, "[line " << line_num << "] "
 882                       "security_server_chk_pwd returned "
 883                       << ret << " (expected: " << expected_result << ") " << debug_str);
 884
 885     // validate current attempts value
 886     RUNNER_ASSERT_MSG(attempt == expected_current_attempt, "[line " << line_num << "] "
 887                       "security_server_chk_pwd returned attempt = " << attempt <<
 888                       " (expected: " << expected_current_attempt << ") " << debug_str);
 889
 890     // validate max attempt value
 891     RUNNER_ASSERT_MSG(max_attempt == expected_max_attempt, "[line " << line_num << "] "
 892                       "security_server_chk_pwd returned max_attempt = " << max_attempt <<
 893                       " (expected: " << expected_max_attempt << ") " << debug_str);
 894
 895     // validate expire seconds
 896     RUNNER_ASSERT_MSG(expire_sec == expected_valid_secs, "[line " << line_num << "] "
 897                       "security_server_chk_pwd returned expire_sec = " << expire_sec <<
 898                       " (expected: " << expected_valid_secs << ") " << debug_str);
 899 }
 900
 901 /**
 902  * Reach last attempt few times in a row (before exceeding max_attempt).
 903  */
 904 RUNNER_TEST(tc34_security_server_max_attempts)
 905 {
 906     // Prepare environment
 907     reset_security_server();
 908
 909     int ret = security_server_set_pwd(NULL, TEST_PASSWORD, 0, 0);
 910     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 911
 912     // change max attempts number few times
 913     std::vector<unsigned int> max_challenge_tab = {1, 4, 2};
 914
 915     for (size_t pass = 0; pass < max_challenge_tab.size(); ++pass) {
 916         unsigned int max_challenges = max_challenge_tab[pass];
 917
 918         usleep(PASSWORD_RETRY_TIMEOUT_US);
 919         ret = security_server_set_pwd_max_challenge(max_challenges);
 920         RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 921
 922         // max_challenges-1 wrong password attempts
 923         for (unsigned int attempt_nr = 0; attempt_nr < max_challenges - 1; ++attempt_nr)
 924             verify_chk_pwd(__LINE__, SECOND_TEST_PASSWORD,
 925                            SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH,
 926                            attempt_nr, max_challenges, 0,
 927                            std::string("pass = " + std::to_string(pass) +
 928                            ", attempt = " + std::to_string(attempt_nr)).c_str());
 929
 930         // Check correct password finally
 931         verify_chk_pwd(__LINE__, TEST_PASSWORD, SECURITY_SERVER_API_SUCCESS,
 932                        max_challenges - 1, max_challenges, 0);
 933     }
 934 }
 935
 936 /**
 937  * Decrease 'max challenge' number after several missed attempts.
 938  */
 939 RUNNER_TEST(tc35_security_server_decrease_max_attempts)
 940 {
 941     const unsigned int max_challenge_more = 10;
 942     const unsigned int max_challenge_less = 5;
 943
 944     // Prepare environment
 945     reset_security_server();
 946
 947     int ret = security_server_set_pwd(NULL, TEST_PASSWORD, max_challenge_more, 0);
 948     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 949
 950     // missed attempts
 951     for (unsigned int attempt = 0; attempt < max_challenge_more; ++attempt)
 952         verify_chk_pwd(__LINE__, SECOND_TEST_PASSWORD,
 953                        SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH,
 954                        attempt, max_challenge_more, 0,
 955                        std::string("attempt = " + std::to_string(attempt)).c_str());
 956
 957     // lower max_challenge
 958     usleep(PASSWORD_RETRY_TIMEOUT_US);
 959     ret = security_server_set_pwd_max_challenge(max_challenge_less);
 960     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 961
 962     // try valid password - should pass (curr attempts is reset)
 963     verify_chk_pwd(__LINE__,  TEST_PASSWORD, SECURITY_SERVER_API_SUCCESS,
 964                    0, max_challenge_less, 0);
 965
 966     // remove max attempts limit
 967     usleep(PASSWORD_RETRY_TIMEOUT_US);
 968     ret = security_server_set_pwd_max_challenge(0);
 969     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 970
 971     // try valid password again - should pass
 972     verify_chk_pwd(__LINE__, TEST_PASSWORD, SECURITY_SERVER_API_SUCCESS, 0, 0, 0);
 973
 974     // try to change the password - should pass
 975     usleep(PASSWORD_RETRY_TIMEOUT_US);
 976     ret = security_server_set_pwd(TEST_PASSWORD, SECOND_TEST_PASSWORD, 0, 0);
 977     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 978
 979     // validate new password
 980     verify_chk_pwd(__LINE__, SECOND_TEST_PASSWORD, SECURITY_SERVER_API_SUCCESS, 0, 0, 0);
 981 }
 982
 983 /**
 984  * Change password few times and challenge previous passwords - checks if security_server_set_pwd
 985  * works as it should.
 986  */
 987 RUNNER_TEST(tc36_security_server_challenge_previous_passwords)
 988 {
 989     const int history_depth = 5;
 990     const unsigned int max_challenge = 3;
 991     std::string prev_pass, new_pass = TEST_PASSWORD;
 992
 993     // Prepare environment
 994     reset_security_server();
 995
 996     int ret = security_server_set_pwd_history(history_depth);
 997     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 998
 999     usleep(PASSWORD_RETRY_TIMEOUT_US);
1000     ret = security_server_reset_pwd(TEST_PASSWORD, max_challenge, 0);
1001     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1002
1003     for (int depth = 0; depth < history_depth; ++depth) {
1004         prev_pass = new_pass;
1005
1006         //generate password name
1007         new_pass = "history" + std::to_string(depth+1);
1008
1009         usleep(PASSWORD_RETRY_TIMEOUT_US);
1010         ret = security_server_set_pwd(prev_pass.c_str(), new_pass.c_str(), max_challenge, 0);
1011         RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1012
1013         // challenge initial password
1014         verify_chk_pwd(__LINE__, TEST_PASSWORD, SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH,
1015                        0, max_challenge, 0,
1016                        std::string("depth = " + std::to_string(depth)).c_str());
1017
1018         // challenge previous password
1019         verify_chk_pwd(__LINE__, prev_pass.c_str(), SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH,
1020                        1, max_challenge, 0,
1021                        std::string("depth = " + std::to_string(depth)).c_str());
1022     }
1023 }
1024
1025 /**
1026  * Challenge correct and incorrect passwords, check security_server_chk_pwd output.
1027  * This test simulates user's behaviour - challenges valid and invalid passwords
1028  * in various combinations.
1029  */
1030 RUNNER_TEST(tc37_security_server_challenge_mixed)
1031 {
1032     // Prepare environment
1033     reset_security_server();
1034
1035     const unsigned int max_challenge = 2;
1036     int ret = security_server_set_pwd(NULL, TEST_PASSWORD, max_challenge, 0);
1037     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1038
1039     // 2x correct pwd - verify that 'cuurrent attempt' isn't increased
1040     for (unsigned int i = 0; i < max_challenge; ++i)
1041         verify_chk_pwd(__LINE__, TEST_PASSWORD, SECURITY_SERVER_API_SUCCESS,
1042                        0, max_challenge, 0,
1043                        std::string("i = " + std::to_string(i)).c_str());
1044
1045     // Ensure that challenging valid password resets 'cuurrent attempt' value.
1046     // If it didn't, the test would fail in third loop pass.
1047     for (unsigned int i = 0; i < max_challenge + 1; ++i) {
1048         // incorrect pwd
1049         verify_chk_pwd(__LINE__, SECOND_TEST_PASSWORD, SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH,
1050                        0, max_challenge, 0,
1051                        std::string("i = " + std::to_string(i)).c_str());
1052
1053         // correct pwd
1054         verify_chk_pwd(__LINE__, TEST_PASSWORD, SECURITY_SERVER_API_SUCCESS,
1055                        1, max_challenge, 0,
1056                        std::string("i = " + std::to_string(i)).c_str());
1057     }
1058
1059     // incorrect pwd 2x - 'cuurrent attempt' reaches max_challenge -
1060     // any further attempts (even correct) are blocked
1061     for (unsigned int i = 0; i < max_challenge; ++i)
1062         verify_chk_pwd(__LINE__, SECOND_TEST_PASSWORD, SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH,
1063                        i, max_challenge, 0,
1064                        std::string("i = " + std::to_string(i)).c_str());
1065
1066     // correct - refused
1067     for (unsigned int i = 0; i < max_challenge; ++i)
1068         verify_chk_pwd(__LINE__, TEST_PASSWORD,
1069                        SECURITY_SERVER_API_ERROR_PASSWORD_MAX_ATTEMPTS_EXCEEDED,
1070                        2, max_challenge, 0,
1071                        std::string("i = " + std::to_string(i)).c_str());
1072 }
1073
1074 /*
1075  * Pasword change mixed with history depth change.
1076  */
1077 RUNNER_TEST(tc38_security_server_history_depth_change)
1078 {
1079     int ret;
1080     const int initial_history_depth = 3;
1081     const int decreased_history_depth = 2;
1082     const int increased_history_depth = 4;
1083
1084     // Prepare environment
1085     reset_security_server();
1086
1087     ret = security_server_set_pwd_history(initial_history_depth);
1088     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1089
1090     usleep(PASSWORD_RETRY_TIMEOUT_US);
1091     ret = security_server_reset_pwd(TEST_PASSWORD, 0, 0);
1092     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1093
1094     usleep(PASSWORD_RETRY_TIMEOUT_US);
1095     ret = security_server_set_pwd(TEST_PASSWORD, SECOND_TEST_PASSWORD, 0, 0);
1096     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1097
1098     usleep(PASSWORD_RETRY_TIMEOUT_US);
1099     ret = security_server_set_pwd(SECOND_TEST_PASSWORD, THIRD_TEST_PASSWORD, 0, 0);
1100     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1101
1102     // TEST_PASSWORD, 2nd and 3rd remembered => 1st should be refused
1103     usleep(PASSWORD_RETRY_TIMEOUT_US);
1104     ret = security_server_set_pwd(THIRD_TEST_PASSWORD, TEST_PASSWORD, 0, 0);
1105     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_REUSED, "ret = " << ret);
1106
1107     /*
1108      * Lower history depth. At this point SS should remember THIRD_TEST_PASSWORD
1109      * and SECOND_TEST_PASSWORD only.
1110      */
1111     usleep(PASSWORD_RETRY_TIMEOUT_US);
1112     ret = security_server_set_pwd_history(decreased_history_depth);
1113     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1114
1115     usleep(PASSWORD_RETRY_TIMEOUT_US);
1116     ret = security_server_set_pwd(THIRD_TEST_PASSWORD, TEST_PASSWORD, 0, 0);
1117     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1118
1119     usleep(PASSWORD_RETRY_TIMEOUT_US);
1120     ret = security_server_set_pwd(TEST_PASSWORD, THIRD_TEST_PASSWORD, 0, 0);
1121     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_REUSED, "ret = " << ret);
1122
1123     /*
1124      * Increase history depth to 4. At this point SS should remember TEST_PASSWORD
1125      * and THIRD_TEST_PASSWORD only.
1126      */
1127     usleep(PASSWORD_RETRY_TIMEOUT_US);
1128     ret = security_server_set_pwd_history(increased_history_depth);
1129     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1130
1131     // 3th and TEST_PASSWORD remembered => 2nd should be accepted
1132     usleep(PASSWORD_RETRY_TIMEOUT_US);
1133     ret = security_server_set_pwd(TEST_PASSWORD, SECOND_TEST_PASSWORD, 0, 0);
1134     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1135
1136     // TEST_PASSWORD, 2nd and 3rd remembered => 3rd should be refused
1137     usleep(PASSWORD_RETRY_TIMEOUT_US);
1138     ret = security_server_set_pwd(SECOND_TEST_PASSWORD, THIRD_TEST_PASSWORD, 0, 0);
1139     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_REUSED, "ret = " << ret);
1140 }
1141
1142 /**
1143  * Challenge invalid password, reset server and check if 'current attempts' is restored.
1144  */
1145 RUNNER_TEST(tc39_security_server_attempts_num_check_after_reset)
1146 {
1147     unsigned int attempt, max_attempt, expire_sec;
1148     const unsigned int max_challenge = 10;
1149     const unsigned int invalid_attempts_num = 3;
1150
1151     // Prepare environment
1152     reset_security_server();
1153
1154     int ret = security_server_set_pwd(NULL, TEST_PASSWORD, max_challenge, 0);
1155     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1156
1157     // missed attempts
1158     for (unsigned int attempt = 0; attempt < invalid_attempts_num; ++attempt)
1159         verify_chk_pwd(__LINE__, SECOND_TEST_PASSWORD, SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH,
1160                        attempt, max_challenge, 0,
1161                        std::string("attempt = " + std::to_string(attempt)).c_str());
1162
1163     usleep(PASSWORD_RETRY_TIMEOUT_US);
1164     attempt = max_attempt = expire_sec = UINT_MAX;
1165     ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec);
1166     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_EXIST, "ret = " << ret);
1167     RUNNER_ASSERT_MSG(max_attempt == max_challenge, "max_attempt = " << max_attempt);
1168     RUNNER_ASSERT_MSG(attempt == invalid_attempts_num, "attempt = " << attempt);
1169     RUNNER_ASSERT_MSG(expire_sec == 0, "expire_sec = " << expire_sec);
1170
1171     // restart server - triggers loading password data from file
1172     restart_security_server();
1173     sleep(SLEEP_AFTER_RESART);
1174
1175     // challenge invalid password
1176     verify_chk_pwd(__LINE__, SECOND_TEST_PASSWORD, SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH,
1177                    invalid_attempts_num, max_challenge, 0);
1178
1179     // challenge valid password
1180     verify_chk_pwd(__LINE__, TEST_PASSWORD, SECURITY_SERVER_API_SUCCESS, invalid_attempts_num+1,
1181                    max_challenge, 0);
1182 }
1183
1184 /**
1185  * Validate passwords history after security server reset.
1186  */
1187 RUNNER_TEST(tc40_security_server_history_check_after_reset)
1188 {
1189     const unsigned int history_depth = 3;
1190
1191     // Prepare environment
1192     reset_security_server();
1193
1194     int ret = security_server_set_pwd_history(history_depth);
1195     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1196
1197     usleep(PASSWORD_RETRY_TIMEOUT_US);
1198     ret = security_server_reset_pwd(TEST_PASSWORD, 0, 0);
1199     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1200
1201     usleep(PASSWORD_RETRY_TIMEOUT_US);
1202     ret = security_server_set_pwd(TEST_PASSWORD, SECOND_TEST_PASSWORD, 0, 0);
1203     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1204
1205     usleep(PASSWORD_RETRY_TIMEOUT_US);
1206     ret = security_server_set_pwd(SECOND_TEST_PASSWORD, THIRD_TEST_PASSWORD, 0, 0);
1207     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1208
1209     usleep(PASSWORD_RETRY_TIMEOUT_US);
1210     ret = security_server_set_pwd(THIRD_TEST_PASSWORD, FOURTH_TEST_PASSWORD, 0, 0);
1211     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1212
1213     // restart server - triggers loading password data from file
1214     restart_security_server();
1215     sleep(SLEEP_AFTER_RESART);
1216
1217     // try to reuse history passwords
1218     usleep(PASSWORD_RETRY_TIMEOUT_US);
1219     ret = security_server_set_pwd(FOURTH_TEST_PASSWORD, THIRD_TEST_PASSWORD, 0, 0);
1220     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_REUSED, "ret = " << ret);
1221
1222     usleep(PASSWORD_RETRY_TIMEOUT_US);
1223     ret = security_server_set_pwd(FOURTH_TEST_PASSWORD, SECOND_TEST_PASSWORD, 0, 0);
1224     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_REUSED, "ret = " << ret);
1225
1226     usleep(PASSWORD_RETRY_TIMEOUT_US);
1227     ret = security_server_set_pwd(FOURTH_TEST_PASSWORD, TEST_PASSWORD, 0, 0);
1228     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1229 }
1230
1231
1232 int main(int argc, char *argv[])
1233 {
1234     int status = DPL::Test::TestRunnerSingleton::Instance().ExecTestRunner(argc, argv);
1235
1236     return status;
1237 }