Consolidate policy tests into t_policy.py

Create a combined script for policy-related tests, and fold in the
existing lockout, password history, and allowed-keysalts tests.

src/tests/Makefile.in

@@ -71,11 +71,10 @@ check-pytests:: hist kdbtest
 	$(RUNPYTEST) $(srcdir)/t_general.py $(PYTESTFLAGS)
 	$(RUNPYTEST) $(srcdir)/t_iprop.py $(PYTESTFLAGS)
 	$(RUNPYTEST) $(srcdir)/t_anonpkinit.py $(PYTESTFLAGS)
-	$(RUNPYTEST) $(srcdir)/t_lockout.py $(PYTESTFLAGS)
+	$(RUNPYTEST) $(srcdir)/t_policy.py $(PYTESTFLAGS)
 	$(RUNPYTEST) $(srcdir)/t_kadm5_hook.py $(PYTESTFLAGS)
 	$(RUNPYTEST) $(srcdir)/t_kdb_locking.py $(PYTESTFLAGS)
 	$(RUNPYTEST) $(srcdir)/t_keyrollover.py $(PYTESTFLAGS)
-	$(RUNPYTEST) $(srcdir)/t_allowed_keysalts.py $(PYTESTFLAGS)
 	$(RUNPYTEST) $(srcdir)/t_renew.py $(PYTESTFLAGS)
 	$(RUNPYTEST) $(srcdir)/t_renprinc.py $(PYTESTFLAGS)
 	$(RUNPYTEST) $(srcdir)/t_ccache.py $(PYTESTFLAGS)
@@ -85,7 +84,6 @@ check-pytests:: hist kdbtest
 	$(RUNPYTEST) $(srcdir)/t_referral.py $(PYTESTFLAGS)
 	$(RUNPYTEST) $(srcdir)/t_skew.py $(PYTESTFLAGS)
 	$(RUNPYTEST) $(srcdir)/t_keytab.py $(PYTESTFLAGS)
-	$(RUNPYTEST) $(srcdir)/t_pwhist.py $(PYTESTFLAGS)
 	$(RUNPYTEST) $(srcdir)/t_kadmin_acl.py $(PYTESTFLAGS)
 	$(RUNPYTEST) $(srcdir)/t_kdb.py $(PYTESTFLAGS)
 #	$(RUNPYTEST) $(srcdir)/kdc_realm/kdcref.py $(PYTESTFLAGS)

src/tests/t_allowed_keysalts.py → src/tests/t_policy.py

@@ -2,8 +2,53 @@
 from k5test import *
 import re
 
-krb5_conf1 = {'libdefaults': {'supported_enctypes': 'aes256-cts'}}
+realm = K5Realm(create_host=False)
+
+# Test basic password lockout support.
+
+realm.run_kadminl('addpol -maxfailure 2 -failurecountinterval 5m lockout')
+realm.run_kadminl('modprinc +requires_preauth -policy lockout user')
+
+# kinit twice with the wrong password.
+output = realm.run([kinit, realm.user_princ], input='wrong\n', expected_code=1)
+if 'Password incorrect while getting initial credentials' not in output:
+    fail('Expected error message not seen in kinit output')
+output = realm.run([kinit, realm.user_princ], input='wrong\n', expected_code=1)
+if 'Password incorrect while getting initial credentials' not in output:
+    fail('Expected error message not seen in kinit output')
+
+# Now the account should be locked out.
+output = realm.run([kinit, realm.user_princ], expected_code=1)
+if 'Clients credentials have been revoked while getting initial credentials' \
+        not in output:
+    fail('Expected lockout error message not seen in kinit output')
+
+# Check that modprinc -unlock allows a further attempt.
+output = realm.run_kadminl('modprinc -unlock user')
+realm.kinit(realm.user_princ, password('user'))
+
+# Regression test for issue #7099: databases created prior to krb5 1.3 have
+# multiple history keys, and kadmin prior to 1.7 didn't necessarily use the
+# first one to create history entries.
 
+realm.stop()
+realm = K5Realm(start_kdc=False)
+# Create a history principal with two keys.
+realm.run(['./hist', 'make'])
+realm.run_kadminl('addpol -history 2 pol')
+realm.run_kadminl('modprinc -policy pol user')
+realm.run_kadminl('cpw -pw pw2 user')
+# Swap the keys, simulating older kadmin having chosen the second entry.
+realm.run(['./hist', 'swap'])
+# Make sure we can read the history entry.
+output = realm.run_kadminl('cpw -pw %s user' % password('user'))
+if 'Cannot reuse password' not in output:
+    fail('Expected error not seen in output')
+
+# Test key/salt constraints.
+
+realm.stop()
+krb5_conf1 = {'libdefaults': {'supported_enctypes': 'aes256-cts'}}
 realm = K5Realm(krb5_conf=krb5_conf1, create_host=False, get_creds=False)
 
 # Add policy.
@@ -87,6 +132,4 @@
     fail('key change rejected that should have been permitted')
 realm.run_kadminl('getprinc server')
 
-realm.stop()
-
-success('allowed_keysalts')
+success('Policy tests')