from k5test import *
# Authentication indicator tests.  The test preauth module is registered on
# both the KDC side (kdcpreauth) and the client side (clpreauth) so that the
# test itself decides which indicators are asserted.
testpreauth = os.path.join(buildtop, 'plugins', 'preauth', 'test', 'test.so')
test_module = 'test:' + testpreauth
conf = {
    'plugins': {
        'kdcpreauth': {'module': test_module},
        'clpreauth': {'module': test_module},
    },
}
realm = K5Realm(krb5_conf=conf)

# Create the two service principals, force preauth for the user, attach a
# require_auth policy string to each service, then extract the service keys.
# Commands are issued in the same order as a straight-line listing would.
services = ('service/1', 'service/2')
required_indicators = ('superstrong', 'one two')
for svc in services:
    realm.run([kadminl, 'addprinc', '-randkey', svc])
realm.run([kadminl, 'modprinc', '+requires_preauth', realm.user_princ])
for svc, required in zip(services, required_indicators):
    realm.run([kadminl, 'setstr', svc, 'require_auth', required])
for svc in services:
    realm.run([kadminl, 'xst', svc])

# Get initial credentials asserting "superstrong", which is what service/1
# requires, and check that the indicator shows up as a name attribute.
realm.kinit(realm.user_princ, password('user'),
            ['-X', 'indicators=superstrong'])
attr_marker = 'Attribute auth-indicators Authenticated Complete'
out = realm.run(['./t_srcattrs', 'p:service/1'])
if attr_marker not in out:
    fail('Expected attribute type data not seen')
# Hex encoding of the UTF-8 string "superstrong".
# NOTE(review): this is a substring match over the whole t_srcattrs output;
# it shows the indicator is present, not that it is the only one reported.
if '73757065727374726f6e67' not in out:
    fail('Expected auth indicator not seen in name attributes')

# Negative case: the same credentials carry only "superstrong", so the
# request for service/2 (require_auth "one two") must be refused by the KDC.
msg = 'gss_init_sec_context: KDC policy rejects request'
realm.run(['./t_srcattrs', 'p:service/2'], expected_code=1, expected_msg=msg)

# Re-authenticate asserting "one two"; service/2 is now reachable.
realm.kinit(realm.user_princ, password('user'), ['-X', 'indicators=one two'])
out = realm.run(['./t_srcattrs', 'p:service/2'])
# Hexadecimal "one" and "two"; both must appear in the output.
if not ('6f6e65' in out and '74776f' in out):
    fail('Expected auth indicator not seen in name attributes')

realm.stop()
# FAST encrypted challenge indicator test.  The KDC is configured with
# encrypted_challenge_indicator set to "fast", and the test expects that
# value among the name attributes after a FAST-armored kinit.
kdcconf = {
    'realms': {
        '$realm': {'encrypted_challenge_indicator': 'fast'},
    },
}
realm = K5Realm(kdc_conf=kdcconf)
realm.run([kadminl, 'modprinc', '+requires_preauth', realm.user_princ])
realm.run([kadminl, 'xst', realm.host_princ])

# The first kinit fills realm.ccache; the second passes that same cache via
# -T (kinit's FAST armor ccache option) to repeat the authentication.
user_password = password('user')
realm.kinit(realm.user_princ, user_password)
realm.kinit(realm.user_princ, user_password, ['-T', realm.ccache])

target_name = 'p:' + realm.host_princ
out = realm.run(['./t_srcattrs', target_name])
attr_marker = 'Attribute auth-indicators Authenticated Complete'
if attr_marker not in out:
    fail('Expected attribute type not seen')
# Hex encoding of "fast".
# NOTE(review): only the armored case is checked here; nothing in this
# section asserts that an unarmored kinit lacks the indicator.
if '66617374' not in out:
    fail('Expected auth indicator not seen in name attributes')

realm.stop()
success('GSSAPI auth indicator tests')