Add doctor tests on security_compliance and rename

This patch adds symptom tests for the checks in doctor security_compliance. In addition, this renames one security compliance symptom to follow the convention of the other symptom names Change-Id: Ic47404021c328f74523b00b67cb7d25d43022039 Partial-Bug: #1641621
2016-12-08 17:41:07 +00:00 · 2016-12-08 17:41:07 +00:00 · e4ecc046c8
parent 3f850d5d00
commit e4ecc046c8
2 changed files with 108 additions and 1 deletions
--- a/keystone/cmd/doctor/security_compliance.py
+++ b/keystone/cmd/doctor/security_compliance.py
@ -18,7 +18,7 @@ import keystone.conf
 CONF = keystone.conf.CONF


-def symptom_minimum_password_age_should_be_less_than_password_expires_days():
+def symptom_minimum_password_age_greater_than_expires_days():
    """Minimum password age should be less than the password expires days.

    If the minimum password age is greater than or equal to the password
--- a/keystone/tests/unit/test_cli.py
+++ b/keystone/tests/unit/test_cli.py
@ -28,6 +28,7 @@ from keystone.cmd import cli
 from keystone.cmd.doctor import caching
 from keystone.cmd.doctor import debug
 from keystone.cmd.doctor import federation
+from keystone.cmd.doctor import security_compliance
 from keystone.common import dependency
 from keystone.common.sql import upgrades
 import keystone.conf
@ -785,3 +786,109 @@ class FederationDoctorTests(unit.TestCase):
        self.config_fixture.config(group='saml', keyfile='signing_key.pem')
        self.assertFalse(
            federation.symptom_comma_in_SAML_private_key_file_path())
+
+
+class SecurityComplianceDoctorTests(unit.TestCase):
+
+    def test_minimum_password_age_greater_than_password_expires_days(self):
+        # Symptom Detected: Minimum password age is greater than the password
+        # expires days. Both values are positive integers greater than zero.
+        self.config_fixture.config(group='security_compliance',
+                                   minimum_password_age=2)
+        self.config_fixture.config(group='security_compliance',
+                                   password_expires_days=1)
+        self.assertTrue(
+            security_compliance.
+            symptom_minimum_password_age_greater_than_expires_days())
+
+    def test_minimum_password_age_equal_to_password_expires_days(self):
+        # Symptom Detected: Minimum password age is equal to the password
+        # expires days. Both values are positive integers greater than zero.
+        self.config_fixture.config(group='security_compliance',
+                                   minimum_password_age=1)
+        self.config_fixture.config(group='security_compliance',
+                                   password_expires_days=1)
+        self.assertTrue(
+            security_compliance.
+            symptom_minimum_password_age_greater_than_expires_days())
+
+    def test_minimum_password_age_less_than_password_expires_days(self):
+        # No Symptom Detected: Minimum password age is less than password
+        # expires days. Both values are positive integers greater than zero.
+        self.config_fixture.config(group='security_compliance',
+                                   minimum_password_age=1)
+        self.config_fixture.config(group='security_compliance',
+                                   password_expires_days=2)
+        self.assertFalse(
+            security_compliance.
+            symptom_minimum_password_age_greater_than_expires_days())
+
+    def test_minimum_password_age_and_password_expires_days_deactivated(self):
+        # No Symptom Detected: Both values are deactivated to 0
+        self.config_fixture.config(group='security_compliance',
+                                   minimum_password_age=0)
+        self.config_fixture.config(group='security_compliance',
+                                   password_expires_days=0)
+        self.assertFalse(
+            security_compliance.
+            symptom_minimum_password_age_greater_than_expires_days())
+
+    def test_invalid_password_regular_expression(self):
+        # Symptom Detected: Regular expression is invalid
+        self.config_fixture.config(
+            group='security_compliance',
+            password_regex='^^(??=.*\d)$')
+        self.assertTrue(
+            security_compliance.symptom_invalid_password_regular_expression())
+
+    def test_valid_password_regular_expression(self):
+        # No Symptom Detected: Regular expression is valid
+        self.config_fixture.config(
+            group='security_compliance',
+            password_regex='^(?=.*\d)(?=.*[a-zA-Z]).{7,}$')
+        self.assertFalse(
+            security_compliance.symptom_invalid_password_regular_expression())
+
+    def test_password_regular_expression_deactivated(self):
+        # No Symptom Detected: Regular expression deactivated to None
+        self.config_fixture.config(
+            group='security_compliance',
+            password_regex=None)
+        self.assertFalse(
+            security_compliance.symptom_invalid_password_regular_expression())
+
+    def test_password_regular_expression_description_not_set(self):
+        # Symptom Detected: Regular expression is set but description is not
+        self.config_fixture.config(
+            group='security_compliance',
+            password_regex='^(?=.*\d)(?=.*[a-zA-Z]).{7,}$')
+        self.config_fixture.config(
+            group='security_compliance',
+            password_regex_description=None)
+        self.assertTrue(
+            security_compliance.
+            symptom_password_regular_expression_description_not_set())
+
+    def test_password_regular_expression_description_set(self):
+        # No Symptom Detected: Regular expression and description are set
+        desc = '1 letter, 1 digit, and a minimum length of 7 is required'
+        self.config_fixture.config(
+            group='security_compliance',
+            password_regex='^(?=.*\d)(?=.*[a-zA-Z]).{7,}$')
+        self.config_fixture.config(
+            group='security_compliance',
+            password_regex_description=desc)
+        self.assertFalse(
+            security_compliance.
+            symptom_password_regular_expression_description_not_set())
+
+    def test_password_regular_expression_description_deactivated(self):
+        # No Symptom Detected: Regular expression and description are
+        # deactivated to None
+        self.config_fixture.config(
+            group='security_compliance', password_regex=None)
+        self.config_fixture.config(
+            group='security_compliance', password_regex_description=None)
+        self.assertFalse(
+            security_compliance.
+            symptom_password_regular_expression_description_not_set())