Passw Hardening test - modify the passw change by using chpasswd tool…

… & rm init configuration in fixture
sonic-net · Apr 7, 2022 · c0d0e5d · c0d0e5d
1 parent 9cda91c
commit c0d0e5d
Show file tree

Hide file tree

Showing 3 changed files with 146 additions and 153 deletions.
diff --git a/tests/passw_hardening/conftest.py b/tests/passw_hardening/conftest.py
@@ -18,69 +18,47 @@ def set_default_passw_hardening_policies(duthosts, enum_rand_one_per_hwsku_hostn
     test_passw_hardening.config_and_review_policies(duthost, passw_hardening_ob_dis, test_passw_hardening.PAM_PASSWORD_CONF_DEFAULT_EXPECTED)
 
 
-@pytest.fixture(scope="module", autouse=True)
-def passw_policies_init(duthosts, enum_rand_one_per_hwsku_hostname):
-    set_default_passw_hardening_policies(duthosts, enum_rand_one_per_hwsku_hostname)
-
 @pytest.fixture(scope="function")
 def clean_passw_policies(duthosts, enum_rand_one_per_hwsku_hostname):
     yield
     set_default_passw_hardening_policies(duthosts, enum_rand_one_per_hwsku_hostname)
 
 @pytest.fixture(scope="function")
 def clean_passw_one_policy_user(duthosts, enum_rand_one_per_hwsku_hostname):
-    duthost = duthosts[enum_rand_one_per_hwsku_hostname]
-    res_adduser_simple_0 = test_passw_hardening.config_user(duthost=duthost, username=test_passw_hardening.USERNAME_ONE_POLICY, mode='del')    
-    res_chpasswd = duthost.shell('sed -i /^'+test_passw_hardening.USERNAME_ONE_POLICY+':/d /etc/security/opasswd')
     yield
-    # duthost = duthosts[enum_rand_one_per_hwsku_hostname]
+    duthost = duthosts[enum_rand_one_per_hwsku_hostname]
     res_adduser_simple_0 = test_passw_hardening.config_user(duthost=duthost, username=test_passw_hardening.USERNAME_ONE_POLICY, mode='del')    
-    res_chpasswd = duthost.shell('sed -i /^'+test_passw_hardening.USERNAME_ONE_POLICY+':/d /etc/security/opasswd')
 
 
 @pytest.fixture(scope="function")
 def clean_passw_len_min(duthosts, enum_rand_one_per_hwsku_hostname):
-    duthost = duthosts[enum_rand_one_per_hwsku_hostname]
-    res_adduser_simple_0 = test_passw_hardening.config_user(duthost=duthost, username=test_passw_hardening.USERNAME_LEN_MIN, mode='del')
     yield
-    # duthost = duthosts[enum_rand_one_per_hwsku_hostname] # TODO: maybe can rm this line
-    res_adduser_simple_0 = test_passw_hardening.config_user(duthost=duthost, username=test_passw_hardening.USERNAME_LEN_MIN, mode='del')
+    duthost = duthosts[enum_rand_one_per_hwsku_hostname]
+    test_passw_hardening.config_user(duthost=duthost, username=test_passw_hardening.USERNAME_LEN_MIN, mode='del')
+    duthost.shell('sed -i /^'+test_passw_hardening.USERNAME_LEN_MIN+':/d /etc/security/opasswd')
 
 @pytest.fixture(scope="function")
 def clean_passw_age(duthosts, enum_rand_one_per_hwsku_hostname):
-    duthost = duthosts[enum_rand_one_per_hwsku_hostname]
-    res_user_clean = test_passw_hardening.config_user(duthost=duthost, username=test_passw_hardening.USERNAME_AGE, mode='del')
     yield
-    # duthost = duthosts[enum_rand_one_per_hwsku_hostname] # TODO: maybe can rm this line
-    res_user_clean = test_passw_hardening.config_user(duthost=duthost, username=test_passw_hardening.USERNAME_AGE, mode='del')
+    duthost = duthosts[enum_rand_one_per_hwsku_hostname]
+    test_passw_hardening.config_user(duthost=duthost, username=test_passw_hardening.USERNAME_AGE, mode='del')
+    duthost.shell('sed -i /^'+test_passw_hardening.USERNAME_AGE+':/d /etc/security/opasswd')
+
 
 @pytest.fixture(scope="function")
 def clean_passw_en_dis_policies(duthosts, enum_rand_one_per_hwsku_hostname):
-    duthost = duthosts[enum_rand_one_per_hwsku_hostname]
-    # mv this init to module instead function.(save just the cleaning)
-    res_adduser_simple_1 = test_passw_hardening.config_user(duthost=duthost, username=test_passw_hardening.USERNAME_SIMPLE_0, mode='del')
-    res_adduser_simple_0 = test_passw_hardening.config_user(duthost=duthost, username=test_passw_hardening.USERNAME_SIMPLE_1, mode='del')
-    res_adduser_strong = test_passw_hardening.config_user(duthost=duthost, username=test_passw_hardening.USERNAME_STRONG, mode='del')
-    res_chpasswd = duthost.shell('sed -i /^'+test_passw_hardening.USERNAME_SIMPLE_0+':/d /etc/security/opasswd')
-    res_chpasswd = duthost.shell('sed -i /^'+test_passw_hardening.USERNAME_SIMPLE_1+':/d /etc/security/opasswd')
-    res_chpasswd = duthost.shell('sed -i /^'+test_passw_hardening.USERNAME_STRONG+':/d /etc/security/opasswd')
-
     yield
-    # duthost = duthosts[enum_rand_one_per_hwsku_hostname] # TODO: maybe can rm this line
-    res_adduser_simple_1 = test_passw_hardening.config_user(duthost=duthost, username=test_passw_hardening.USERNAME_SIMPLE_0, mode='del')
-    res_adduser_simple_0 = test_passw_hardening.config_user(duthost=duthost, username=test_passw_hardening.USERNAME_SIMPLE_1, mode='del')
-    res_adduser_strong = test_passw_hardening.config_user(duthost=duthost, username=test_passw_hardening.USERNAME_STRONG, mode='del')
-    res_chpasswd = duthost.shell('sed -i /^'+test_passw_hardening.USERNAME_SIMPLE_0+':/d /etc/security/opasswd')
-    res_chpasswd = duthost.shell('sed -i /^'+test_passw_hardening.USERNAME_SIMPLE_1+':/d /etc/security/opasswd')
-    res_chpasswd = duthost.shell('sed -i /^'+test_passw_hardening.USERNAME_STRONG+':/d /etc/security/opasswd')
+    duthost = duthosts[enum_rand_one_per_hwsku_hostname]
+    test_passw_hardening.config_user(duthost=duthost, username=test_passw_hardening.USERNAME_SIMPLE_0, mode='del')
+    test_passw_hardening.config_user(duthost=duthost, username=test_passw_hardening.USERNAME_SIMPLE_1, mode='del')
+    test_passw_hardening.config_user(duthost=duthost, username=test_passw_hardening.USERNAME_STRONG, mode='del')
+    duthost.shell('sed -i /^'+test_passw_hardening.USERNAME_SIMPLE_0+':/d /etc/security/opasswd')
+    duthost.shell('sed -i /^'+test_passw_hardening.USERNAME_SIMPLE_1+':/d /etc/security/opasswd')
+    duthost.shell('sed -i /^'+test_passw_hardening.USERNAME_STRONG+':/d /etc/security/opasswd')
 
 @pytest.fixture(scope="function")
 def clean_passw_history(duthosts, enum_rand_one_per_hwsku_hostname):
-    # TODO: first check that user exist
-    duthost = duthosts[enum_rand_one_per_hwsku_hostname]
-    res_adduser_simple_1 = test_passw_hardening.config_user(duthost=duthost, username=test_passw_hardening.USERNAME_HISTORY, mode='del')
-    res_chpasswd = duthost.shell('sed -i /^'+test_passw_hardening.USERNAME_HISTORY+':/d /etc/security/opasswd')
     yield
-    # duthost = duthosts[enum_rand_one_per_hwsku_hostname]
-    res_adduser_simple_1 = test_passw_hardening.config_user(duthost=duthost, username=test_passw_hardening.USERNAME_HISTORY, mode='del')
-    res_chpasswd = duthost.shell('sed -i /^'+test_passw_hardening.USERNAME_HISTORY+':/d /etc/security/opasswd')
+    duthost = duthosts[enum_rand_one_per_hwsku_hostname]
+    test_passw_hardening.config_user(duthost=duthost, username=test_passw_hardening.USERNAME_HISTORY, mode='del')
+    duthost.shell('sed -i /^'+test_passw_hardening.USERNAME_HISTORY+':/d /etc/security/opasswd')
diff --git a/tests/passw_hardening/sample/passw_hardening_default/common-password b/tests/passw_hardening/sample/passw_hardening_default/common-password
@@ -0,0 +1,36 @@
+#THIS IS AN AUTO-GENERATED FILE
+#
+# /etc/pam.d/common-password - password-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define the services to be
+# used to change user passwords.  The default is pam_unix.
+
+# Explanation of pam_unix options:
+# The "yescrypt" option enables
+#hashed passwords using the yescrypt algorithm, introduced in Debian
+#11.  Without this option, the default is Unix crypt.  Prior releases
+#used the option "sha512"; if a shadow password hash will be shared
+#between Debian 11 and older releases replace "yescrypt" with "sha512"
+#for compatibility .  The "obscure" option replaces the old
+#`OBSCURE_CHECKS_ENAB' option in login.defs.  See the pam_unix manpage
+#for other options.
+
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules.  See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+
+
+password    [success=1 default=ignore]    pam_unix.so obscure yescrypt
+# here's the fallback if no module succeeds
+password    requisite            pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+password    required            pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+# end of pam-auth-update config