Manual Tests: Security Password rule setup.

Password rule sub-domain, adding 6 test cases. Change-Id: Iff7b9052a0dae4b2175d0f6eb3b167bf44a054db
2019-03-12 10:27:06 -05:00 · 2019-03-12 10:27:06 -05:00 · 9249e7b2cd
parent cfb8bee920
commit 9249e7b2cd
2 changed files with 396 additions and 0 deletions
--- a/doc/source/manual_tests/security/index.rst
+++ b/doc/source/manual_tests/security/index.rst
@ -19,4 +19,5 @@ Subdomains
   security_https_suite
   security_keystone_auth
   security_OAM_suite
+   security_passw_rule_setup
   security_VM_password_protection
--- a/doc/source/manual_tests/security/security_passw_rule_setup.rst
+++ b/doc/source/manual_tests/security/security_passw_rule_setup.rst
@ -0,0 +1,395 @@
+===================
+Password rule setup
+===================
+
+.. contents::
+   :local:
+   :depth: 1
+
+-------------------------------
+SECURITY_password_rule_setup_01
+-------------------------------
+
+:Test ID: SECURITY_password_rule_setup_01
+:Test Title: System admin user is capable of changing password quality.
+:Tags: psswd
+
+~~~~~~~~~~~~~~~~~~
+Testcase Objective
+~~~~~~~~~~~~~~~~~~
+
+Verify that system admin user is capable of changing password quality.
+
+Password quality configuration is validated using "pam_pwquality" library.
+
+~~~~~~~~~~~~~~~~~~~
+Test Pre-Conditions
+~~~~~~~~~~~~~~~~~~~
+
+At least 1 Controllers + 1 compute.
+
+~~~~~~~~~~
+Test Steps
+~~~~~~~~~~
+
+* Login to controller-0 using system admin user, source /etc/nova/openrc
+
+* To change password quality configuration on the controller, edit ``/etc/pam.d/common-password.``
+
+* The password quality validation is configured via the first non-comment line
+
+.. code :: bash
+
+  password    required                        pam_pwquality.so try_first_pass retry=3 authtok_type=    difok=3 minlen=7 lcredit=-1 ucredit=-1 ocredit=-1 dcredit=-1 enforce_for_root debug
+
+* Change the minimum password length by changing the 'minlen' parameter to 9.
+
+* Change the minimum number of characters that must change between subseqent passwords by editing the ""difok"" parameter to 3.
+
+* Change least one uppercase character in the password by adding 'ucredit=-1'
+
+* Change the password on behalf a user. Sign on to "root" or "su" the "root" account. Type:
+
+.. code :: bash
+
+  $ sudo su
+
+* Make sure you are "root" by typing:
+
+.. code :: bash
+
+  $ whoami
+
+* Change the password on behalf a user by typing "passwd <user>"
+
+* Enter a password with 8 characters, 1 uppercase letter and 1 non-alphanumeric character.
+
+* Enter a password with 8 characters, none uppercase letter and 1 non-alphanumeric character.
+
+* Enter same old password and add characters until the lenght reach 9 characters, 1 uppercase letter and 1 non-alphanumeric character.
+
+~~~~~~~~~~~~~~~~~
+Expected Behavior
+~~~~~~~~~~~~~~~~~
+
+* Logged in to controller-0 successfully.
+
+* minlen parameter = 9 changed successfully.
+
+* difok parameter = 3 changed successfully that password must have at least three bytes that are not present in the old password.
+
+* ucredit parameter = -1 changed successfully.
+
+* Signed on to ""root"" or ""su"" successfully.
+
+* By typing whoami the system should get back with ""root"" successfully.
+
+* The system should get back with "New Password:" prompt request successfully.
+
+* The system should get back with "BAD PASSWORD: The password is shorter than 9 characters"" message successfully.
+
+* The system should get back with "BAD PASSWORD: The password contains less than 1 upper case letters"" message successfully.
+
+* The system should get back with "BAD PASSWORD"
+
+::
+  e.g.
+  Radawa$ka1
+  RRRapava$ka1
+  RRRRapava$ka1
+  RRRRRapava$ka1
+  RRRRRapava$ka122222
+  RRRRRapava$ka1222222"""
+
+-------------------------------
+SECURITY_password_rule_setup_02
+-------------------------------
+
+:Test ID: SECURITY_password_rule_setup_02
+:Test Title: wrsroot changed password and propagated.
+:Tags: psswd
+
+~~~~~~~~~~~~~~~~~~
+Testcase Objective
+~~~~~~~~~~~~~~~~~~
+
+Verify that wrsroot password can be changed it and propagate it in every
+single node.
+
+~~~~~~~~~~~~~~~~~~~
+Test Pre-Conditions
+~~~~~~~~~~~~~~~~~~~
+
+At least 1 Controllers + 1 compute.
+
+~~~~~~~~~~
+Test Steps
+~~~~~~~~~~
+
+* Login to controller-0 using system admin user.
+
+... code :: bash
+
+  Change the password on behalf wrsroot. Sign on to "root" or "su" the "root" account. Type:
+    $ sudo su
+
+* Make sure you are """"root"""" by typing:
+
+... code :: bash
+
+  $ whoami
+
+* Change the password on behalf wrsroot by typing "passwd wrsroot"
+
+* Go through every single node into your cluster and make sure the new wrsroot password is propageted.
+
+~~~~~~~~~~~~~~~~~
+Expected Behavior
+~~~~~~~~~~~~~~~~~
+
+* Logged in to controller-0 successfully.
+
+* Signed on to "root" or "su" successfully.
+
+* By typing whoami the system should get back with ""root"" successfully.
+
+* The system should get back with "New Password:" prompt request successfully.
+
+* wrsroot new password is propagated."
+
+-------------------------------
+SECURITY_password_rule_setup_03
+-------------------------------
+
+:Test ID: SECURITY_password_rule_setup_03
+:Test Title: password rule locked out.
+:Tags: psswd
+
+~~~~~~~~~~~~~~~~~~
+Testcase Objective
+~~~~~~~~~~~~~~~~~~
+
+Verify after setting rule where after 6 consecutive failes the user should be
+locked out for 5 minutes.
+
+~~~~~~~~~~~~~~~~~~~
+Test Pre-Conditions
+~~~~~~~~~~~~~~~~~~~
+
+a) At least 1 Controllers + 1 compute.
+
+b) Setup hydra or any other tool to perform password brute force against the
+Starlingx product.
+
+~~~~~~~~~~
+Test Steps
+~~~~~~~~~~
+
+* Login to controller-0 using system admin user, source /etc/nova/openrc
+
+* Change tu SU user
+
+* Please modify this 2 files with the following structure
+
+::
+
+	Files to be modified:
+		#/etc/pam.d/system-auth
+		#/etc/pam.d/password-auth
+
+	lines to add:
+		Below the auth section please add following the Structure as shown in the example:
+
+		auth        required      pam_faillock.so preauth silent audit deny=3 unlock_time=300
+		auth        [default=die]  pam_faillock.so  authfail  audit  deny=3  unlock_time=300
+
+		Example: The structure sholud be like this in both files:
+
+		auth        required      pam_env.so
+		auth        required      pam_faillock.so preauth silent audit deny=3 unlock_time=300
+		auth        sufficient    pam_fprintd.so
+		auth        sufficient    pam_unix.so nullok try_first_pass
+		auth        [default=die]  pam_faillock.so  authfail  audit  deny=3  unlock_time=300
+		auth        requisite     pam_succeed_if.so uid >= 1000 quiet
+		auth        required      pam_deny.so
+
+		Below the account section please add:
+
+		account     required      pam_faillock.so
+
+		Example: The structure sholud be like this in both files:
+
+		account     required      pam_unix.so
+		account     sufficient    pam_localuser.so
+		account     sufficient    pam_succeed_if.so uid < 500 quiet
+		account     required      pam_permit.so
+		account     required      pam_faillock.so
+
+* Open other terminal and change to SU user monitor the attemps where faillock will be called
+
+... code :: bash
+
+  $ faillock
+
+**Note** that faillock should not have any user locked
+
+* Open other terminal and try to change to SU with bad authentification password
+
+* Monitor each attempt, you should be able to see the wrong password on the Terminal where you have faillock cmd
+
+* Monitor that after 3 attempts the SU account is locked, after 2 min is unlocked, you can use date command to check time.
+
+~~~~~~~~~~~~~~~~~
+Expected Behavior
+~~~~~~~~~~~~~~~~~
+
+* After 3 attempts the account is locked, after 2 min the account is unlocked.
+
+-------------------------------
+SECURITY_password_rule_setup_04
+-------------------------------
+
+:Test ID: SECURITY_password_rule_setup_04
+:Test Title: account stays locked after swact.
+:Tags: psswd
+
+~~~~~~~~~~~~~~~~~~
+Testcase Objective
+~~~~~~~~~~~~~~~~~~
+
+Verify account stays locked after swact.
+
+~~~~~~~~~~~~~~~~~~~
+Test Pre-Conditions
+~~~~~~~~~~~~~~~~~~~
+
+At least 2 Controllers + 1 compute
+
+~~~~~~~~~~
+Test Steps
+~~~~~~~~~~
+
+1. On Controller-0 console try to login more than 5 times with same user and
+wrong password.
+
+2. Open another Controller-0 prompt console or establish a ssh connection to
+the controller-0 and this time use the correct password to login.
+
+... code :: bash
+
+  $ ssh <user>@<IP>
+
+3. Go to horizon and do a SWACT.
+
+4. Right after the SWACT is completed try to login using same user and correct
+password on controller-1.
+
+5. Right after the SWACT is completed try to login using another NOT locked
+user controller-1.
+
+6. Wait for more than 5 minutes and this time try to login using same user and
+correct password on controller-1.
+
+~~~~~~~~~~~~~~~~~
+Expected Behavior
+~~~~~~~~~~~~~~~~~
+
+1. More than 5 login with wrong password attempted.
+
+2. The Controller-0 should not allowed you to login since the user is locked
+out.
+
+3. SWACT is completed successfully.
+
+4. The Controller-1 should not allowed you to login since the user is still
+locked out.
+
+5. The Controller-1 should allowed you to login with NOT locked user and you
+can verify only one user account is locked.
+
+6. After 5 minutes the Controller-1 should  allowed you to login.
+
+-------------------------------
+SECURITY_password_rule_setup_05
+-------------------------------
+
+:Test ID: SECURITY_password_rule_setup_05
+:Test Title: relogin after timed out horizon session.
+:Tags: psswd
+
+~~~~~~~~~~~~~~~~~~
+Testcase Objective
+~~~~~~~~~~~~~~~~~~
+
+Verify that you can relogin to a timed out Horizon session with only one
+attempt.
+
+~~~~~~~~~~~~~~~~~~~
+Test Pre-Conditions
+~~~~~~~~~~~~~~~~~~~
+
+At least 1 Controllers + 1 compute.
+
+~~~~~~~~~~
+Test Steps
+~~~~~~~~~~
+
+* From horizon as admin user go to identity tab -> users.
+
+* Wait 'n' minutes until Horizon session expires.
+
+* Once the Horizon session expires make sure you can re-login using same user/password."
+
+~~~~~~~~~~~~~~~~~
+Expected Behavior
+~~~~~~~~~~~~~~~~~
+
+* Identity /Users Frame is displayed successfully.
+
+* Session is expired successfully.
+
+* User is able to re-loged in using same credentials.
+
+-------------------------------
+SECURITY_password_rule_setup_06
+-------------------------------
+
+:Test ID: SECURITY_password_rule_setup_06
+:Test Title: login to active controller horizon is blocked for locked account.
+:Tags: psswd
+
+~~~~~~~~~~~~~~~~~~
+Testcase Objective
+~~~~~~~~~~~~~~~~~~
+
+Verify login to active controller horizon is blocked for locked account.
+
+~~~~~~~~~~~~~~~~~~~
+Test Pre-Conditions
+~~~~~~~~~~~~~~~~~~~
+
+At least 1 Controllers + 1 compute.
+
+~~~~~~~~~~
+Test Steps
+~~~~~~~~~~
+
+* Go to Horizon Web page, try to login more than 5 times with same user and wrong password.
+
+* Right after is locked out try to login using same user and correct password on Horizon.
+
+* Wait for more than 5 minutes and this time try to login using same user and correct passw
+
+~~~~~~~~~~~~~~~~~
+Expected Behavior
+~~~~~~~~~~~~~~~~~
+
+* More than 5 login with same user and wrong password attempted and Horizon get back with ""user currently locked out"" message successfully.
+
+* Horizon should not allowed you to login since the user is still locked out.
+
+* After 5 minutes the Horizon should  allowed you to login to Horizon.
+
+~~~~~~~~~~~
+References:
+~~~~~~~~~~~