tests/security-server-tests/security_server_tests_password.cpp

   1 /*
   2  * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved
   3  */
   4 /*
   5  * @file    security_server_tests_password.cpp
   6  * @author  Bumjin Im (bj.im@samsung.com)
   7  * @author  Pawel Polawski (p.polawski@partner.samsung.com)
   8  * @author  Radoslaw Bartosiak (r.bartosiak@samsung.com)
   9  * @author  Jan Olszak (j.olszak@samsung.com)
  10  * @version 2.0
  11  * @brief   Test cases for security server
  12  *
  13  * WARNING: In this file test order is very important. They have to always be run
  14  * in correct order. This is done by correct test case names ("tcXX_").
  15  */
  16
  17 #include <stdio.h>
  18 #include <errno.h>
  19 #include <stdlib.h>
  20 #include <string.h>
  21 #include <limits.h>
  22 #include <sys/types.h>
  23 #include <sys/param.h>
  24 #include <fcntl.h>
  25 #include <sys/un.h>
  26 #include <unistd.h>
  27 #include <sys/socket.h>
  28 #include <sys/time.h>
  29 #include <dirent.h>
  30 #include "security-server.h"
  31 #include <dpl/test/test_runner.h>
  32 #include <dlog.h>
  33 #include "security_server_clean_env.h"
  34
  35
  36 // security server retry timeout in microseconds
  37 const unsigned int PASSWORD_RETRY_TIMEOUT_US = 500000;
  38
  39 // test passwords
  40 const char* TEST_PASSWORD =         "IDLEPASS";
  41 const char* SECOND_TEST_PASSWORD =  "OTHERIDLEPASS";
  42 const char* THIRD_TEST_PASSWORD =   "THIRDPASS";
  43 const char* FOURTH_TEST_PASSWORD =  "FOURTHPASS";
  44
  45
  46 RUNNER_TEST_GROUP_INIT(SECURITY_SERVER_TESTS_PASSWORD);
  47
  48
  49 /**
  50  * Confirm there is no password before tests are run.
  51  */
  52 RUNNER_TEST(tc01_clear_environment)
  53 {
  54     int ret;
  55     unsigned int attempt, max_attempt, expire_sec;
  56
  57     if (getuid() == 0)
  58     {
  59         reset_security_server();
  60
  61         ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec);
  62
  63         RUNNER_ASSERT_MSG(expire_sec == 0, "expire_sec = " << expire_sec);
  64         RUNNER_ASSERT_MSG(max_attempt == 0, "max_attempt = " << max_attempt);
  65         RUNNER_ASSERT_MSG(attempt == 0, "attempt = " << attempt);
  66         RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD, "ret = " << ret);
  67     }
  68     else
  69     {
  70         SLOGD("To run the test as non root user, please remove password files (/opt/data/security-server/*) in root shell\n");
  71         SLOGD("If not, you will see some failures\n");
  72
  73         RUNNER_IGNORED_MSG("I'm not root");
  74     }
  75     sleep(1);
  76 }
  77
  78 /**
  79  * Basic test of setting validity period.
  80  */
  81 RUNNER_TEST(tc02_security_server_set_pwd_validity)
  82 {
  83     int ret;
  84
  85     // Prepare environment
  86     reset_security_server();
  87
  88     // TESTS:
  89     // WITHOUT password
  90     ret = security_server_set_pwd_validity(10);
  91     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD, "ret = " << ret);
  92
  93     ret = security_server_set_pwd_validity(11);
  94     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD, "ret = " << ret);
  95
  96     // WITH password
  97     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 10, 10);
  98     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
  99
 100     ret = security_server_set_pwd_validity(10);
 101     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 102
 103     ret = security_server_set_pwd_validity(11);
 104     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 105
 106     sleep(1);
 107 }
 108
 109 /**
 110  * Basic test of setting maximum number of password challenges.
 111  */
 112 RUNNER_TEST(tc03_security_server_set_pwd_max_challenge)
 113 {
 114     int ret;
 115
 116     // Prepare environment
 117     reset_security_server();
 118
 119     // TESTS:
 120     // WITHOUT password
 121     ret = security_server_set_pwd_max_challenge(5);
 122     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD, "ret = " << ret);
 123
 124     ret = security_server_set_pwd_max_challenge(6);
 125     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD, "ret = " << ret);
 126
 127     // WITH password
 128     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 10, 10);
 129     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 130
 131     ret = security_server_set_pwd_max_challenge(5);
 132     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 133
 134     ret = security_server_set_pwd_max_challenge(6);
 135     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 136
 137     sleep(1);
 138     reset_security_server();
 139 }
 140
 141 /**
 142  * Test checking a too long password.
 143  */
 144 RUNNER_TEST(tc04_security_server_chk_pwd_too_long_password_case)
 145 {
 146     int ret;
 147     unsigned int attempt, max_attempt, expire_sec;
 148
 149     // 33 char password
 150     ret = security_server_chk_pwd("abcdefghijklmnopqrstuvwxyz0123456", &attempt, &max_attempt, &expire_sec);
 151     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 152 }
 153
 154 /**
 155  * Test various parameter values when checking a password.
 156  */
 157 RUNNER_TEST(tc05_security_server_chk_pwd_null_input_case)
 158 {
 159     int ret;
 160     unsigned int attempt, max_attempt, expire_sec;
 161
 162     ret = security_server_chk_pwd(NULL, &attempt, &max_attempt, &expire_sec);
 163     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 164
 165     ret = security_server_chk_pwd("password", NULL, &max_attempt, &expire_sec);
 166     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 167
 168     ret = security_server_chk_pwd("password", &attempt, NULL, &expire_sec);
 169     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 170
 171     ret = security_server_chk_pwd("password", &attempt, &max_attempt, NULL);
 172     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 173 }
 174
 175 /**
 176  * Check the given password when no password is set.
 177  */
 178 RUNNER_TEST(tc06_security_server_chk_pwd_no_password_case)
 179 {
 180     int ret;
 181     unsigned int attempt, max_attempt, expire_sec;
 182
 183     // Prepare environment - there is no password now!
 184     reset_security_server();
 185
 186     // TEST
 187     ret = security_server_chk_pwd("isthisempty", &attempt, &max_attempt, &expire_sec);
 188
 189     RUNNER_ASSERT_MSG(expire_sec == 0, expire_sec);
 190     RUNNER_ASSERT_MSG(max_attempt == 0, max_attempt);
 191     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD, "ret = " << ret);
 192 }
 193
 194 /**
 195  * Checks various parameter values.
 196  */
 197 RUNNER_TEST(tc07_security_server_set_pwd_null_input_case)
 198 {
 199     int ret;
 200
 201     // Prepare environment
 202     reset_security_server();
 203
 204     // TEST
 205     ret = security_server_set_pwd(NULL, NULL, 0, 0);
 206     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 207 }
 208
 209 /**
 210  * Test setting too long password.
 211  */
 212 RUNNER_TEST(tc08_security_server_set_pwd_too_long_input_param)
 213 {
 214     int ret;
 215
 216     // Prepare environment
 217     reset_security_server();
 218
 219     // TEST
 220     // 33 char password
 221     ret = security_server_set_pwd("abcdefghijklmnopqrstuvwxyz0123456", "abcdefghijklmnopqrstuvwxyz0123456", 0, 0);
 222     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 223 }
 224
 225 /**
 226  * Basic password setting.
 227  */
 228 RUNNER_TEST(tc09_security_server_set_pwd_current_pwd_empty)
 229 {
 230     int ret;
 231
 232     // Prepare environment
 233     reset_security_server();
 234
 235     // TEST
 236     sleep(1);
 237     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 0, 0);
 238     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 239 }
 240
 241 /**
 242  * Set a maximum password period.
 243  */
 244 RUNNER_TEST(tc10_security_server_set_pwd_current_pwd_max_valid_period_in_days)
 245 {
 246     int ret;
 247     // Prepare environment
 248     reset_security_server();
 249     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 10, 10);
 250     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 251
 252     // TEST
 253     sleep(1);
 254     // UINT_MAX will cause api error, it is to big value
 255     ret = security_server_set_pwd(TEST_PASSWORD, SECOND_TEST_PASSWORD, 0, UINT_MAX);
 256     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 257     sleep(1);
 258     // calculate max applicable valid days that will not be rejected by ss
 259     // ensure, that after conversion from days to seconds in ss there will be no uint overflow
 260     unsigned int valid_days = ((UINT_MAX - time(NULL)) / 86400) - 1;
 261     ret = security_server_set_pwd(TEST_PASSWORD, SECOND_TEST_PASSWORD, 0, valid_days);
 262     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 263 }
 264
 265 /**
 266  * Set a maximum password challenge number.
 267  */
 268 RUNNER_TEST(tc11_security_server_set_pwd_current_pwd_max_max_challenge)
 269 {
 270     int ret;
 271     // Prepare environment
 272     reset_security_server();
 273     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 10, 10);
 274     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 275
 276     // TEST
 277     sleep(1);
 278     ret = security_server_set_pwd(TEST_PASSWORD, SECOND_TEST_PASSWORD, UINT_MAX, 0);
 279     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 280 }
 281
 282 /**
 283  * Set empty password.
 284  */
 285 RUNNER_TEST(tc12_security_server_set_pwd_current_pwd_nonempty2zero)
 286 {
 287     int ret;
 288     // Prepare environment
 289     reset_security_server();
 290     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 10, 10);
 291     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 292
 293     // TEST
 294     sleep(1);
 295     ret = security_server_set_pwd(TEST_PASSWORD, "", 0, 0);
 296     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 297 }
 298
 299 /**
 300  * Change password to a too long password.
 301  */
 302 RUNNER_TEST(tc14_security_server_set_pwd_current_pwd_too_long_input_param)
 303 {
 304     int ret;
 305     // Prepare environment
 306     reset_security_server();
 307     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 10, 10);
 308     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 309
 310     // TEST
 311     sleep(1);
 312     char* long_password = (char*) malloc(5001);
 313     long_password[5000] = '\0';
 314     memset(long_password, 'A', 5000);
 315     ret = security_server_set_pwd(TEST_PASSWORD,long_password, 10, 10);
 316     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 317 }
 318
 319 /**
 320  * Check empty password.
 321  */
 322 RUNNER_TEST(tc15_security_server_chk_pwd_shortest_password)
 323 {
 324     int ret;
 325     unsigned int attempt, max_attempt, expire_sec;
 326
 327     // Prepare environment
 328     reset_security_server();
 329     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 10, 10);
 330     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 331
 332     // TEST
 333     sleep(1);
 334     ret = security_server_chk_pwd("", &attempt, &max_attempt, &expire_sec);
 335     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 336 }
 337
 338 /**
 339  * Various validity parameter values.
 340  */
 341 RUNNER_TEST(tc16_security_server_set_pwd_validity)
 342 {
 343     int ret;
 344     // Prepare environment
 345     reset_security_server();
 346     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 10, 10);
 347     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 348
 349     // TEST
 350     ret = security_server_set_pwd_validity(0);
 351     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 352
 353     ret = security_server_set_pwd_validity(1);
 354     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 355
 356     //When trying to set UINT_MAX we should get error.
 357     ret = security_server_set_pwd_validity(UINT_MAX);
 358     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 359
 360     ret = security_server_set_pwd_validity(2);
 361     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 362 }
 363
 364 /**
 365  * Check passwords validity
 366  */
 367 RUNNER_TEST(tc17_security_server_is_pwd_valid)
 368 {
 369     int ret;
 370     unsigned int attempt, max_attempt, expire_sec;
 371
 372     // Prepare environment
 373     reset_security_server();
 374     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 10, 2);
 375     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 376
 377     // TEST:
 378     sleep(1);
 379     ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec);
 380     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_EXIST,  "ret = " << ret);
 381     RUNNER_ASSERT_MSG((expire_sec > 172795) && (expire_sec < 172805),  "expire_sec = " << expire_sec);
 382 }
 383
 384 /**
 385  * Various numbers of challenges.
 386  */
 387 RUNNER_TEST(tc18_security_server_set_pwd_max_challenge)
 388 {
 389     int ret;
 390     // Prepare environment
 391     reset_security_server();
 392     // calculate max applicable valid days that will not be rejected by ss
 393     // ensure, that after conversion from days to seconds in ss there will be no uint overflow
 394     unsigned int valid_days = ((UINT_MAX - time(NULL)) / 86400) - 1;
 395     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 10, valid_days);
 396     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 397
 398     // TESTS
 399     sleep(1);
 400     ret = security_server_set_pwd_max_challenge(0);
 401     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 402
 403     sleep(1);
 404     ret = security_server_set_pwd_max_challenge(UINT_MAX);
 405     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 406
 407     sleep(1);
 408     ret = security_server_set_pwd_max_challenge(5);
 409     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 410
 411     sleep(1);
 412     ret = security_server_set_pwd_max_challenge(6);
 413     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 414 }
 415
 416
 417 /**
 418  * Check the max number of challenges.
 419  */
 420 RUNNER_TEST(tc19_security_server_is_pwd_valid)
 421 {
 422     int ret;
 423     unsigned int attempt, max_attempt, expire_sec;
 424     // Prepare environment
 425     reset_security_server();
 426     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 10, 10);
 427     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 428     sleep(1);
 429     ret = security_server_set_pwd_max_challenge(6);
 430     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 431
 432     // TEST
 433     ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec);
 434     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_EXIST, "ret = " << ret);
 435     RUNNER_ASSERT_MSG(max_attempt == 6,  "max_attempt = " << max_attempt);
 436 }
 437
 438 /**
 439  * Basic password check.
 440  */
 441 RUNNER_TEST(tc20_security_server_chk_pwd)
 442 {
 443     int ret;
 444     unsigned int attempt, max_attempt, expire_sec;
 445
 446     // Prepare environment
 447     reset_security_server();
 448     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 10, 10);
 449     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 450
 451     // TEST
 452     sleep(1);
 453     ret = security_server_chk_pwd(TEST_PASSWORD, &attempt, &max_attempt, &expire_sec);
 454     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, ret);
 455
 456     sleep(1);
 457     ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec);
 458     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_EXIST, "ret = " << ret);
 459 }
 460
 461 /**
 462  * Check an incorrect password.
 463  */
 464 RUNNER_TEST(tc21_security_server_chk_incorrect_pwd)
 465 {
 466     int ret;
 467     unsigned int attempt, max_attempt, expire_sec;
 468
 469     // Prepare environment
 470     reset_security_server();
 471     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 10, 10);
 472     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 473
 474     //TEST
 475     sleep(1);
 476     ret = security_server_chk_pwd(SECOND_TEST_PASSWORD, &attempt, &max_attempt, &expire_sec);
 477     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH, "ret = " << ret);
 478 }
 479
 480 /**
 481  * Check an incorrect password
 482  */
 483 RUNNER_TEST(tc22_security_server_set_pwd_incorrect_current)
 484 {
 485     int ret;
 486
 487     // Prepare environment
 488     reset_security_server();
 489     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 10, 10);
 490     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 491
 492     // TEST
 493     sleep(1);
 494     ret = security_server_set_pwd(SECOND_TEST_PASSWORD, THIRD_TEST_PASSWORD, 10, 10);
 495     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH,  "ret = " << ret);
 496 }
 497
 498 /**
 499  * Change password
 500  */
 501 RUNNER_TEST(tc23_security_server_set_pwd_correct_current)
 502 {
 503     int ret;
 504
 505     // Prepare environment
 506     reset_security_server();
 507     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 10, 10);
 508     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 509
 510     // TEST
 511     sleep(1);
 512     ret = security_server_set_pwd(TEST_PASSWORD, SECOND_TEST_PASSWORD, 10, 10);
 513     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 514 }
 515
 516 /**
 517  * Check wrong password multiple times and then check a correct one.
 518  */
 519 RUNNER_TEST(tc24_security_server_attempt_exceeding)
 520 {
 521     int ret;
 522     unsigned int i, attempt, max_attempt, expire_sec;
 523
 524     // Prepare environment
 525     reset_security_server();
 526     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 10, 10);
 527     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 528
 529     // TEST
 530     printf("5 subtests started...");
 531     for (i = 0; i < 5; i++) {
 532         sleep(1);
 533         ret = security_server_chk_pwd(SECOND_TEST_PASSWORD, &attempt, &max_attempt, &expire_sec);
 534         RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH, "ret = " << ret);
 535         RUNNER_ASSERT_MSG(attempt == i, attempt);
 536     }
 537     printf("DONE\n");
 538
 539     sleep(1);
 540     ret = security_server_chk_pwd(TEST_PASSWORD, &attempt, &max_attempt, &expire_sec);
 541     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 542
 543     sleep(1);
 544     ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec);
 545     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_EXIST, "ret = " << ret);
 546     RUNNER_ASSERT_MSG(attempt == 0, "ret = " << ret);
 547     RUNNER_ASSERT_MSG(max_attempt == 10, "ret = " << ret);
 548 }
 549
 550 /**
 551  * Try to exceed maximum number of challenges.
 552  */
 553 RUNNER_TEST(tc25_security_server_attempt_exceeding)
 554 {
 555     int ret;
 556     unsigned int i, attempt, max_attempt, expire_sec;
 557
 558     // Prepare environment
 559     reset_security_server();
 560     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 10, 1);
 561     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 562
 563     // TEST
 564     printf("10 subtests started...");
 565     for (i = 0; i < 10; i++) {
 566         sleep(1);
 567         ret = security_server_chk_pwd(SECOND_TEST_PASSWORD, &attempt, &max_attempt, &expire_sec);
 568         RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH, "ret = " << ret);
 569         RUNNER_ASSERT_MSG(attempt == i, "attempt = " << attempt);
 570     }
 571
 572     // The check, that exceeds max number
 573     sleep(1);
 574     ret = security_server_chk_pwd(SECOND_TEST_PASSWORD, &attempt, &max_attempt, &expire_sec);
 575     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_MAX_ATTEMPTS_EXCEEDED, "ret = " << ret);
 576     printf("DONE\n");
 577
 578     sleep(1);
 579     ret = security_server_chk_pwd(TEST_PASSWORD,  &attempt, &max_attempt, &expire_sec);
 580     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_MAX_ATTEMPTS_EXCEEDED, "ret = " << ret);
 581 }
 582
 583 /**
 584  * Reset password
 585  */
 586 RUNNER_TEST(tc26_security_server_reset_pwd)
 587 {
 588     int ret;
 589
 590     // Prepare environment
 591     reset_security_server();
 592     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 5, 10);
 593     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 594
 595     // TEST
 596     sleep(1);
 597     ret = security_server_reset_pwd(TEST_PASSWORD, 10, 10);
 598     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 599 }
 600
 601 /**
 602  * Check too long password.
 603  */
 604 RUNNER_TEST(tc27_security_server_chk_pwd_too_long_password)
 605 {
 606     int ret;
 607     unsigned int attempt, max_attempt, expire_sec;
 608     // Prepare environment
 609     reset_security_server();
 610     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 5, 10);
 611     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 612
 613     // TEST
 614     char* long_password = (char*) malloc(5001);
 615     long_password[5000] = '\0';
 616     memset(long_password, 'A', 5000);
 617     ret = security_server_chk_pwd(long_password,  &attempt, &max_attempt, &expire_sec);
 618     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 619 }
 620
 621 /**
 622  * Check passwords expiration (not expired)
 623  */
 624 RUNNER_TEST(tc28_security_server_check_expiration)
 625 {
 626     int ret;
 627     unsigned int attempt, max_attempt, expire_sec;
 628
 629     // Prepare environment
 630     reset_security_server();
 631     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 5, 1);
 632     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 633
 634     // TEST
 635     sleep(1);
 636     ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec);
 637     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_EXIST, "ret = " << ret);
 638     RUNNER_ASSERT_MSG((expire_sec < 86402) && (expire_sec > 86396), "expire_sec = " << ret);
 639 }
 640
 641 /**
 642  * Use various parameter values of parameters.
 643  */
 644 RUNNER_TEST(tc29_security_server_set_pwd_history)
 645 {
 646     int ret;
 647
 648     // Prepare environment
 649     reset_security_server();
 650     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 5, 1);
 651     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 652
 653     // TESTS
 654     sleep(1);
 655     ret = security_server_set_pwd_history(100);
 656     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 657
 658     sleep(1);
 659     ret = security_server_set_pwd_history(51);
 660     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 661
 662     sleep(1);
 663     ret = security_server_set_pwd_history(-5);
 664     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 665
 666     sleep(1);
 667     ret = security_server_set_pwd_history(50);
 668     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 669
 670     sleep(1);
 671     ret = security_server_set_pwd_history(0);
 672     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 673
 674     sleep(1);
 675     ret = security_server_set_pwd_history(INT_MAX);
 676     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 677
 678     sleep(1);
 679     ret = security_server_set_pwd_history(INT_MIN);
 680     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 681
 682     sleep(1);
 683     ret = security_server_set_pwd_history(10);
 684     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 685 }
 686
 687
 688
 689 int dir_filter(const struct dirent *entry)
 690 {
 691     if ((strcmp(entry->d_name, ".") == 0) ||
 692         (strcmp(entry->d_name, "..") == 0) ||
 693         (strcmp(entry->d_name, "attempts") == 0) ||
 694         (strcmp(entry->d_name, "history") == 0))
 695         return (0);
 696     else
 697         return (1);
 698 }
 699
 700 void clean_password_dir(void)
 701 {
 702     int ret;
 703     int i;
 704     struct dirent **mydirent;
 705
 706     ret = scandir("/opt/data/security-server", &mydirent, &dir_filter, alphasort);
 707     i = ret;
 708     while (i--)
 709         free(mydirent[i]);
 710     free(mydirent);
 711 }
 712
 713
 714 /**
 715  * Check password history.
 716  */
 717 RUNNER_TEST(tc30_security_server_check_history)
 718 {
 719     int ret;
 720     int i;
 721     char buf1[33], buf2[33];
 722
 723     // Prepare environment
 724     reset_security_server();
 725
 726     clean_password_dir();
 727
 728     sleep(1);
 729     ret = security_server_set_pwd_history(9);
 730     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 731
 732     sleep(1);
 733     ret = security_server_reset_pwd("history0", 0, 0);
 734     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 735
 736     printf("11 subtests started...");
 737     for (i = 0; i < 11; i++) {
 738         sprintf(buf1, "history%d", i);
 739         sprintf(buf2, "history%d", i + 1);
 740
 741         sleep(1);
 742         ret = security_server_set_pwd(buf1, buf2, 0, 0);
 743         RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 744     }
 745     printf("DONE\n");
 746
 747     sleep(1);
 748     ret = security_server_set_pwd("history11", "history1", 0, 0);
 749     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 750
 751     sleep(1);
 752     ret = security_server_set_pwd("history1", "history8", 0, 0);
 753     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_REUSED, "ret = " << ret);
 754
 755     sleep(1);
 756     ret = security_server_set_pwd("history1", "history12", 0, 0);
 757     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 758
 759     printf("48 subtests started...");
 760     for (i = 12; i < 60; i++) {
 761         sleep(1);
 762
 763         sprintf(buf1, "history%d", i);
 764         sprintf(buf2, "history%d", i + 1);
 765
 766         ret = security_server_set_pwd(buf1, buf2, 0, 0);
 767         RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 768     }
 769     printf("DONE\n");
 770
 771     clean_password_dir();
 772 }
 773
 774 /**
 775  * Replay attack
 776  */
 777 RUNNER_TEST(tc31_security_server_replay_attack)
 778 {
 779     int ret;
 780     int i = 0;
 781     unsigned int attempt, max_attempt, expire_sec;
 782
 783     sleep(1);
 784     ret = security_server_chk_pwd("quickquickquick", &attempt, &max_attempt, &expire_sec);
 785
 786     while (ret == SECURITY_SERVER_API_ERROR_PASSWORD_RETRY_TIMER) {
 787         i += 100000;
 788
 789         ret = security_server_chk_pwd("quickquickquick", &attempt, &max_attempt, &expire_sec);
 790         usleep(i);
 791     }
 792
 793     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH, "ret = " << ret);
 794 }
 795
 796 /**
 797  * Expired password
 798  */
 799 RUNNER_TEST(tc32_security_server_challenge_on_expired_password)
 800 {
 801     int ret;
 802     unsigned int attempt, max_attempt, expire_sec;
 803     struct timeval cur_time;
 804
 805     // Prepare environment
 806     reset_security_server();
 807     ret = security_server_set_pwd(NULL, TEST_PASSWORD, 4, 1);
 808     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 809
 810     // TEST
 811     sleep(1);
 812     ret = security_server_chk_pwd(TEST_PASSWORD, &attempt, &max_attempt, &expire_sec);
 813     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 814
 815     ret = gettimeofday(&cur_time, NULL);
 816     RUNNER_ASSERT_MSG(ret > -1, ret);
 817
 818     cur_time.tv_sec += (expire_sec + 1);
 819     ret = settimeofday(&cur_time, NULL);
 820     RUNNER_ASSERT_MSG(ret > -1, ret);
 821
 822     sleep(1);
 823     ret = security_server_chk_pwd(TEST_PASSWORD, &attempt, &max_attempt, &expire_sec);
 824     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_EXPIRED, "ret = " << ret);
 825
 826     sleep(1);
 827     ret = security_server_chk_pwd(SECOND_TEST_PASSWORD, &attempt, &max_attempt, &expire_sec);
 828     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH, "ret = " << ret);
 829 }
 830
 831 /**
 832  * Reset password
 833  */
 834 RUNNER_TEST(tc33_security_server_reset_by_null_pwd)
 835 {
 836     int ret;
 837
 838     // Prepare environment
 839     reset_security_server();
 840
 841     // TEST
 842     sleep(1);
 843     ret = security_server_reset_pwd(NULL, 10, 10);
 844     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
 845 }
 846
 847 /*
 848  * Use this instead of security_server_chk_pwd directly to verify the function output.
 849  * For example:
 850  * verify_chk_pwd(__LINE__, "password", SECURITY_SERVER_API_SUCCESS, 2, 5, 10000, "debug string")
 851  */
 852 void verify_chk_pwd(int line_num, const char* challenge, int expected_result,
 853                     unsigned int expected_current_attempt, unsigned int expected_max_attempt,
 854                     unsigned int expected_valid_secs, const char* debug_str = "")
 855 {
 856     /* ensure that initial values differ from expected ones */
 857     unsigned int attempt = expected_current_attempt - 1;
 858     unsigned int max_attempt = expected_max_attempt - 1;
 859     unsigned int expire_sec = expected_valid_secs - 1;
 860
 861     usleep(PASSWORD_RETRY_TIMEOUT_US);
 862     int ret = security_server_chk_pwd(challenge, &attempt, &max_attempt, &expire_sec);
 863
 864     // validate returned value
 865     RUNNER_ASSERT_MSG(ret == expected_result, "[line " << line_num << "] "
 866                       "security_server_chk_pwd returned "
 867                       << ret << " (expected: " << expected_result << ") " << debug_str);
 868
 869     // validate current attempts value
 870     RUNNER_ASSERT_MSG(attempt == expected_current_attempt, "[line " << line_num << "] "
 871                       "security_server_chk_pwd returned attempt = " << attempt <<
 872                       " (expected: " << expected_current_attempt << ") " << debug_str);
 873
 874     // validate max attempt value
 875     RUNNER_ASSERT_MSG(max_attempt == expected_max_attempt, "[line " << line_num << "] "
 876                       "security_server_chk_pwd returned max_attempt = " << max_attempt <<
 877                       " (expected: " << expected_max_attempt << ") " << debug_str);
 878
 879     // validate expire seconds
 880     RUNNER_ASSERT_MSG(expire_sec == expected_valid_secs, "[line " << line_num << "] "
 881                       "security_server_chk_pwd returned expire_sec = " << expire_sec <<
 882                       " (expected: " << expected_valid_secs << ") " << debug_str);
 883 }
 884
 885 /**
 886  * Reach last attempt few times in a row (before exceeding max_attempt).
 887  */
 888 RUNNER_TEST(tc34_security_server_max_attempts)
 889 {
 890     // Prepare environment
 891     reset_security_server();
 892
 893     int ret = security_server_set_pwd(NULL, TEST_PASSWORD, 0, 0);
 894     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 895
 896     // change max attempts number few times
 897     std::vector<unsigned int> max_challenge_tab = {1, 4, 2};
 898
 899     for (size_t pass = 0; pass < max_challenge_tab.size(); ++pass) {
 900         unsigned int max_challenges = max_challenge_tab[pass];
 901
 902         usleep(PASSWORD_RETRY_TIMEOUT_US);
 903         ret = security_server_set_pwd_max_challenge(max_challenges);
 904         RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 905
 906         // max_challenges-1 wrong password attempts
 907         for (unsigned int attempt_nr = 0; attempt_nr < max_challenges - 1; ++attempt_nr)
 908             verify_chk_pwd(__LINE__, SECOND_TEST_PASSWORD,
 909                            SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH,
 910                            attempt_nr, max_challenges, 0,
 911                            std::string("pass = " + std::to_string(pass) +
 912                            ", attempt = " + std::to_string(attempt_nr)).c_str());
 913
 914         // Check correct password finally
 915         verify_chk_pwd(__LINE__, TEST_PASSWORD, SECURITY_SERVER_API_SUCCESS,
 916                        max_challenges - 1, max_challenges, 0);
 917     }
 918 }
 919
 920 /**
 921  * Decrease 'max challenge' number after several missed attempts.
 922  */
 923 RUNNER_TEST(tc35_security_server_decrease_max_attempts)
 924 {
 925     const unsigned int max_challenge_more = 10;
 926     const unsigned int max_challenge_less = 5;
 927
 928     // Prepare environment
 929     reset_security_server();
 930
 931     int ret = security_server_set_pwd(NULL, TEST_PASSWORD, max_challenge_more, 0);
 932     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 933
 934     // missed attempts
 935     for (unsigned int attempt = 0; attempt < max_challenge_more; ++attempt)
 936         verify_chk_pwd(__LINE__, SECOND_TEST_PASSWORD,
 937                        SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH,
 938                        attempt, max_challenge_more, 0,
 939                        std::string("attempt = " + std::to_string(attempt)).c_str());
 940
 941     // lower max_challenge
 942     usleep(PASSWORD_RETRY_TIMEOUT_US);
 943     ret = security_server_set_pwd_max_challenge(max_challenge_less);
 944     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 945
 946     // try valid password - should pass (curr attempts is reset)
 947     verify_chk_pwd(__LINE__,  TEST_PASSWORD, SECURITY_SERVER_API_SUCCESS,
 948                    0, max_challenge_less, 0);
 949
 950     // remove max attempts limit
 951     usleep(PASSWORD_RETRY_TIMEOUT_US);
 952     ret = security_server_set_pwd_max_challenge(0);
 953     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 954
 955     // try valid password again - should pass
 956     verify_chk_pwd(__LINE__, TEST_PASSWORD, SECURITY_SERVER_API_SUCCESS, 0, 0, 0);
 957
 958     // try to change the password - should pass
 959     usleep(PASSWORD_RETRY_TIMEOUT_US);
 960     ret = security_server_set_pwd(TEST_PASSWORD, SECOND_TEST_PASSWORD, 0, 0);
 961     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 962
 963     // validate new password
 964     verify_chk_pwd(__LINE__, SECOND_TEST_PASSWORD, SECURITY_SERVER_API_SUCCESS, 0, 0, 0);
 965 }
 966
 967 /**
 968  * Change password few times and challenge previous passwords - checks if security_server_set_pwd
 969  * works as it should.
 970  */
 971 RUNNER_TEST(tc36_security_server_challenge_previous_passwords)
 972 {
 973     const int history_depth = 5;
 974     const unsigned int max_challenge = 3;
 975     std::string prev_pass, new_pass = TEST_PASSWORD;
 976
 977     // Prepare environment
 978     reset_security_server();
 979
 980     int ret = security_server_set_pwd_history(history_depth);
 981     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 982
 983     usleep(PASSWORD_RETRY_TIMEOUT_US);
 984     ret = security_server_reset_pwd(TEST_PASSWORD, max_challenge, 0);
 985     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 986
 987     for (int depth = 0; depth < history_depth; ++depth) {
 988         prev_pass = new_pass;
 989
 990         //generate password name
 991         new_pass = "history" + std::to_string(depth+1);
 992
 993         usleep(PASSWORD_RETRY_TIMEOUT_US);
 994         ret = security_server_set_pwd(prev_pass.c_str(), new_pass.c_str(), max_challenge, 0);
 995         RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 996
 997         // challenge initial password
 998         verify_chk_pwd(__LINE__, TEST_PASSWORD, SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH,
 999                        0, max_challenge, 0,
1000                        std::string("depth = " + std::to_string(depth)).c_str());
1001
1002         // challenge previous password
1003         verify_chk_pwd(__LINE__, prev_pass.c_str(), SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH,
1004                        1, max_challenge, 0,
1005                        std::string("depth = " + std::to_string(depth)).c_str());
1006     }
1007 }
1008
1009 /**
1010  * Challenge correct and incorrect passwords, check security_server_chk_pwd output.
1011  * This test simulates user's behaviour - challenges valid and invalid passwords
1012  * in various combinations.
1013  */
1014 RUNNER_TEST(tc37_security_server_challenge_mixed)
1015 {
1016     // Prepare environment
1017     reset_security_server();
1018
1019     const unsigned int max_challenge = 2;
1020     int ret = security_server_set_pwd(NULL, TEST_PASSWORD, max_challenge, 0);
1021     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1022
1023     // 2x correct pwd - verify that 'cuurrent attempt' isn't increased
1024     for (unsigned int i = 0; i < max_challenge; ++i)
1025         verify_chk_pwd(__LINE__, TEST_PASSWORD, SECURITY_SERVER_API_SUCCESS,
1026                        0, max_challenge, 0,
1027                        std::string("i = " + std::to_string(i)).c_str());
1028
1029     // Ensure that challenging valid password resets 'cuurrent attempt' value.
1030     // If it didn't, the test would fail in third loop pass.
1031     for (unsigned int i = 0; i < max_challenge + 1; ++i) {
1032         // incorrect pwd
1033         verify_chk_pwd(__LINE__, SECOND_TEST_PASSWORD, SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH,
1034                        0, max_challenge, 0,
1035                        std::string("i = " + std::to_string(i)).c_str());
1036
1037         // correct pwd
1038         verify_chk_pwd(__LINE__, TEST_PASSWORD, SECURITY_SERVER_API_SUCCESS,
1039                        1, max_challenge, 0,
1040                        std::string("i = " + std::to_string(i)).c_str());
1041     }
1042
1043     // incorrect pwd 2x - 'cuurrent attempt' reaches max_challenge -
1044     // any further attempts (even correct) are blocked
1045     for (unsigned int i = 0; i < max_challenge; ++i)
1046         verify_chk_pwd(__LINE__, SECOND_TEST_PASSWORD, SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH,
1047                        i, max_challenge, 0,
1048                        std::string("i = " + std::to_string(i)).c_str());
1049
1050     // correct - refused
1051     for (unsigned int i = 0; i < max_challenge; ++i)
1052         verify_chk_pwd(__LINE__, TEST_PASSWORD,
1053                        SECURITY_SERVER_API_ERROR_PASSWORD_MAX_ATTEMPTS_EXCEEDED,
1054                        2, max_challenge, 0,
1055                        std::string("i = " + std::to_string(i)).c_str());
1056 }
1057
1058 /*
1059  * Pasword change mixed with history depth change.
1060  */
1061 RUNNER_TEST(tc38_security_server_history_depth_change)
1062 {
1063     int ret;
1064     const int initial_history_depth = 2;
1065     const int decreased_history_depth = 1;
1066     const int increased_history_depth = 3;
1067
1068     // Prepare environment
1069     reset_security_server();
1070
1071     ret = security_server_set_pwd_history(initial_history_depth);
1072     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1073
1074     usleep(PASSWORD_RETRY_TIMEOUT_US);
1075     ret = security_server_reset_pwd(TEST_PASSWORD, 0, 0);
1076     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1077
1078     usleep(PASSWORD_RETRY_TIMEOUT_US);
1079     ret = security_server_set_pwd(TEST_PASSWORD, SECOND_TEST_PASSWORD, 0, 0);
1080     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1081
1082     usleep(PASSWORD_RETRY_TIMEOUT_US);
1083     ret = security_server_set_pwd(SECOND_TEST_PASSWORD, THIRD_TEST_PASSWORD, 0, 0);
1084     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1085
1086     // TEST_PASSWORD, 2nd and 3rd remembered => 1st should be refused
1087     usleep(PASSWORD_RETRY_TIMEOUT_US);
1088     ret = security_server_set_pwd(THIRD_TEST_PASSWORD, TEST_PASSWORD, 0, 0);
1089     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_REUSED, "ret = " << ret);
1090
1091     /*
1092      * Lower history depth. At this point SS should treat THIRD_TEST_PASSWORD as current pwd,
1093      * and SECOND_TEST_PASSWORD as a part of history.
1094      */
1095     usleep(PASSWORD_RETRY_TIMEOUT_US);
1096     ret = security_server_set_pwd_history(decreased_history_depth);
1097     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1098
1099     usleep(PASSWORD_RETRY_TIMEOUT_US);
1100     ret = security_server_set_pwd(THIRD_TEST_PASSWORD, TEST_PASSWORD, 0, 0);
1101     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1102
1103     usleep(PASSWORD_RETRY_TIMEOUT_US);
1104     ret = security_server_set_pwd(TEST_PASSWORD, THIRD_TEST_PASSWORD, 0, 0);
1105     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_REUSED, "ret = " << ret);
1106
1107     /*
1108      * Increase history depth to 3. At this point SS should remember TEST_PASSWORD
1109      * and THIRD_TEST_PASSWORD only.
1110      */
1111     usleep(PASSWORD_RETRY_TIMEOUT_US);
1112     ret = security_server_set_pwd_history(increased_history_depth);
1113     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1114
1115     // 3rd and TEST_PASSWORD remembered => 2nd should be accepted
1116     usleep(PASSWORD_RETRY_TIMEOUT_US);
1117     ret = security_server_set_pwd(TEST_PASSWORD, SECOND_TEST_PASSWORD, 0, 0);
1118     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1119
1120     // TEST_PASSWORD, 2nd and 3rd remembered => 3rd should be refused
1121     usleep(PASSWORD_RETRY_TIMEOUT_US);
1122     ret = security_server_set_pwd(SECOND_TEST_PASSWORD, THIRD_TEST_PASSWORD, 0, 0);
1123     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_REUSED, "ret = " << ret);
1124 }
1125
1126 /**
1127  * Challenge invalid password, reset server and check if 'current attempts' is restored.
1128  */
1129 RUNNER_TEST(tc39_security_server_attempts_num_check_after_reset)
1130 {
1131     unsigned int attempt, max_attempt, expire_sec;
1132     const unsigned int max_challenge = 10;
1133     const unsigned int invalid_attempts_num = 3;
1134
1135     // Prepare environment
1136     reset_security_server();
1137
1138     int ret = security_server_set_pwd(NULL, TEST_PASSWORD, max_challenge, 0);
1139     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1140
1141     // missed attempts
1142     for (unsigned int attempt = 0; attempt < invalid_attempts_num; ++attempt)
1143         verify_chk_pwd(__LINE__, SECOND_TEST_PASSWORD, SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH,
1144                        attempt, max_challenge, 0,
1145                        std::string("attempt = " + std::to_string(attempt)).c_str());
1146
1147     usleep(PASSWORD_RETRY_TIMEOUT_US);
1148     attempt = max_attempt = expire_sec = UINT_MAX;
1149     ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec);
1150     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_EXIST, "ret = " << ret);
1151     RUNNER_ASSERT_MSG(max_attempt == max_challenge, "max_attempt = " << max_attempt);
1152     RUNNER_ASSERT_MSG(attempt == invalid_attempts_num, "attempt = " << attempt);
1153     RUNNER_ASSERT_MSG(expire_sec == 0, "expire_sec = " << expire_sec);
1154
1155     // restart server - triggers loading password data from file
1156     restart_security_server();
1157
1158     // challenge invalid password
1159     verify_chk_pwd(__LINE__, SECOND_TEST_PASSWORD, SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH,
1160                    invalid_attempts_num, max_challenge, 0);
1161
1162     // challenge valid password
1163     verify_chk_pwd(__LINE__, TEST_PASSWORD, SECURITY_SERVER_API_SUCCESS, invalid_attempts_num+1,
1164                    max_challenge, 0);
1165 }
1166
1167 /**
1168  * Validate passwords history after security server reset.
1169  */
1170 RUNNER_TEST(tc40_security_server_history_check_after_reset)
1171 {
1172     const unsigned int history_depth = 2;
1173
1174     // Prepare environment
1175     reset_security_server();
1176
1177     int ret = security_server_set_pwd_history(history_depth);
1178     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1179
1180     usleep(PASSWORD_RETRY_TIMEOUT_US);
1181     ret = security_server_reset_pwd(TEST_PASSWORD, 0, 0);
1182     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1183
1184     usleep(PASSWORD_RETRY_TIMEOUT_US);
1185     ret = security_server_set_pwd(TEST_PASSWORD, SECOND_TEST_PASSWORD, 0, 0);
1186     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1187
1188     usleep(PASSWORD_RETRY_TIMEOUT_US);
1189     ret = security_server_set_pwd(SECOND_TEST_PASSWORD, THIRD_TEST_PASSWORD, 0, 0);
1190     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1191
1192     usleep(PASSWORD_RETRY_TIMEOUT_US);
1193     ret = security_server_set_pwd(THIRD_TEST_PASSWORD, FOURTH_TEST_PASSWORD, 0, 0);
1194     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1195
1196     // restart server - triggers loading password data from file
1197     restart_security_server();
1198
1199     // try to reuse history passwords
1200     usleep(PASSWORD_RETRY_TIMEOUT_US);
1201     ret = security_server_set_pwd(FOURTH_TEST_PASSWORD, THIRD_TEST_PASSWORD, 0, 0);
1202     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_REUSED, "ret = " << ret);
1203
1204     usleep(PASSWORD_RETRY_TIMEOUT_US);
1205     ret = security_server_set_pwd(FOURTH_TEST_PASSWORD, SECOND_TEST_PASSWORD, 0, 0);
1206     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_REUSED, "ret = " << ret);
1207
1208     usleep(PASSWORD_RETRY_TIMEOUT_US);
1209     ret = security_server_set_pwd(FOURTH_TEST_PASSWORD, TEST_PASSWORD, 0, 0);
1210     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1211 }
1212
1213 /**
1214  * Check if SS has correct behaviour when changing history depth to 0.
1215  */
1216 RUNNER_TEST(tc41_security_server_empty_history_check)
1217 {
1218     const unsigned int history_depth = 2;
1219     const unsigned int empty_history_depth = 0;
1220
1221     //prepare environment
1222     reset_security_server();
1223
1224     //set new history count
1225     int ret = security_server_set_pwd_history(history_depth);
1226     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1227
1228     //set new password and fill history
1229     usleep(PASSWORD_RETRY_TIMEOUT_US);
1230     ret = security_server_reset_pwd(TEST_PASSWORD, 0, 0);
1231     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1232
1233     usleep(PASSWORD_RETRY_TIMEOUT_US);
1234     ret = security_server_set_pwd(TEST_PASSWORD, SECOND_TEST_PASSWORD, 0, 0);
1235     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1236
1237     usleep(PASSWORD_RETRY_TIMEOUT_US);
1238     ret = security_server_set_pwd(SECOND_TEST_PASSWORD, THIRD_TEST_PASSWORD, 0, 0);
1239     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1240
1241     //make sure, that everything went OK - try setting something that would cause reuse error
1242     usleep(PASSWORD_RETRY_TIMEOUT_US);
1243     ret = security_server_set_pwd(THIRD_TEST_PASSWORD, TEST_PASSWORD, 0, 0);
1244     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_REUSED, "ret = " << ret);
1245
1246     usleep(PASSWORD_RETRY_TIMEOUT_US);
1247     ret = security_server_set_pwd(THIRD_TEST_PASSWORD, SECOND_TEST_PASSWORD, 0, 0);
1248     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_REUSED, "ret = " << ret);
1249
1250     //reset history limit to no history at all
1251     usleep(PASSWORD_RETRY_TIMEOUT_US);
1252     ret = security_server_set_pwd_history(empty_history_depth);
1253     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1254
1255     //make sure, that current password still exists in memory
1256     //expected attempt 2 because our previous tries increased attempt counter
1257     verify_chk_pwd(__LINE__, THIRD_TEST_PASSWORD, SECURITY_SERVER_API_SUCCESS, 2, 0, 0);
1258
1259     //we also shouldn't be able to set the same password - it's a part of history after all
1260     usleep(PASSWORD_RETRY_TIMEOUT_US);
1261     ret = security_server_set_pwd(THIRD_TEST_PASSWORD, THIRD_TEST_PASSWORD, 0, 0);
1262     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_REUSED, "ret = " << ret);
1263
1264     //once again try setting earlier used passwords - now API should return success
1265     usleep(PASSWORD_RETRY_TIMEOUT_US);
1266     ret = security_server_set_pwd(THIRD_TEST_PASSWORD, TEST_PASSWORD, 0, 0);
1267     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1268
1269     usleep(PASSWORD_RETRY_TIMEOUT_US);
1270     ret = security_server_set_pwd(TEST_PASSWORD, SECOND_TEST_PASSWORD, 0, 0);
1271     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1272 }
1273
1274 RUNNER_TEST(tc42_security_server_set_new_pwd_with_current_empty)
1275 {
1276     //prepare environment
1277     reset_security_server();
1278
1279     //set a password
1280     int ret = security_server_set_pwd(NULL, TEST_PASSWORD, 0, 0);
1281     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
1282
1283     //try setting different password and giving NULL as current once again
1284     usleep(PASSWORD_RETRY_TIMEOUT_US);
1285     ret = security_server_set_pwd(NULL, SECOND_TEST_PASSWORD, 0, 0);
1286     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_EXIST, "ret = " << ret);
1287 }
1288
1289 int main(int argc, char *argv[])
1290 {
1291     int status = DPL::Test::TestRunnerSingleton::Instance().ExecTestRunner(argc, argv);
1292
1293     return status;
1294 }