from k5test import *
# Set up a basic realm and a client keytab containing two user principals.
# The realm is created with get_creds=False; presumably this means no
# initial tickets are obtained, so that each test controls its own ccache
# state -- confirm against k5test.
realm = K5Realm(get_creds=False)

# Point HOME at realm.testdir for tests using .k5identity.
realm.env['HOME'] = realm.testdir

# Second user principal, in addition to realm.user_princ.
bob = 'bob@' + realm.realm
realm.addprinc(bob, password('bob'))

# Extraction order matters: realm.user_princ goes into the client keytab
# first and bob second, and Test 1 expects the first entry to be chosen.
for keytab_princ in (realm.user_princ, bob):
    realm.extract_keytab(keytab_princ, realm.client_keytab)

# Name arguments handed to the test programs.  The 'p:' and 'h:' prefixes
# look like principal-name and host-based-service forms respectively --
# confirm against the test program's name parsing.
phost = 'p:' + realm.host_princ
puser = 'p:' + realm.user_princ
pbob = 'p:' + bob
gssserver = 'h:host@' + hostname
# Test 1: no name/cache specified, pick first principal from client keytab.
# The expected output is realm.user_princ, which was the first principal
# extracted into the client keytab during setup.
ccselect_argv = ['./t_ccselect', phost]
realm.run(ccselect_argv, expected_msg=realm.user_princ)
# Destroy the resulting tickets so the next test starts without them.
realm.run([kdestroy])
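# Test 2: no name/cache specified, pick principal from k5identity.
# A single .k5identity rule names bob for service=host on this hostname;
# the file lives in realm.testdir, which HOME was pointed at during setup.
k5idname = os.path.join(realm.testdir, '.k5identity')
# The context manager closes (and flushes) the file even if write() raises,
# so t_ccselect never reads a partially written rule.
with open(k5idname, 'w') as k5id:
    k5id.write('%s service=host host=%s\n' % (bob, hostname))
# The target here is the host-based service name, and bob is expected
# rather than the first keytab principal.
realm.run(['./t_ccselect', gssserver], expected_msg=bob)
# Remove the rule file and the tickets so later tests are not influenced
# by the identity rule.
os.remove(k5idname)
realm.run([kdestroy])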
# Test 3: no name/cache specified, default ccache has name but no creds.
# ccinit is given the default ccache and bob; t_ccselect is then expected
# to report bob.
ccinit_argv = ['./ccinit', realm.ccache, bob]
realm.run(ccinit_argv)
realm.run(['./t_ccselect', phost], expected_msg=bob)
# Leave tickets for next test.

# Test 4: name specified, non-collectable default cache doesn't match.
# The default cache still belongs to bob, so asking for puser must fail
# (exit code 1) with the mismatch error instead of yielding a credential.
mismatch_err = 'Principal in credential cache does not match desired name'
realm.run(['./t_ccselect', phost, puser],
          expected_code=1,
          expected_msg=mismatch_err)
realm.run([kdestroy])
# Test 5: name specified, nonexistent default cache.
# The previous test ended with kdestroy, so no default cache exists here.
realm.run(['./t_ccselect', phost, pbob], expected_msg=bob)
# Leave tickets for next test.

# Test 6: name specified, matches default cache, time to refresh.
# ccrefresh is first called with the value '1' on the default cache, then
# called again without a value after t_ccselect has run; its output is
# parsed as an integer and must be at least 1000 (presumably the cache's
# refresh time, which a real refresh would move well past 1 -- confirm).
realm.run(['./ccrefresh', realm.ccache, '1'])
realm.run(['./t_ccselect', phost, pbob], expected_msg=bob)
refresh_out = realm.run(['./ccrefresh', realm.ccache])
refreshed = int(refresh_out) >= 1000
if not refreshed:
    fail('Credentials apparently not refreshed')
realm.run([kdestroy])
# Test 7: empty ccache specified, pick first principal from client keytab.
# After t_imp_cred runs, klist must show realm.user_princ in the cache.
imp_cred_argv = ['./t_imp_cred', phost]
realm.run(imp_cred_argv)
realm.klist(realm.user_princ)
realm.run([kdestroy])

# Test 8: ccache specified with name but no creds; name not in client keytab.
# The cache is initialized for realm.host_princ, which setup never added to
# the client keytab, so t_imp_cred must fail (exit code 1) with an
# empty-cache error.
realm.run(['./ccinit', realm.ccache, realm.host_princ])
empty_cache_err = 'Credential cache is empty'
realm.run(['./t_imp_cred', phost],
          expected_code=1,
          expected_msg=empty_cache_err)
realm.run([kdestroy])
# Test 9: ccache specified with name but no creds; name in client keytab.
# The cache is initialized for bob, who does have a client keytab entry;
# klist must show bob afterwards.
realm.run(['./ccinit', realm.ccache, bob])
realm.run(['./t_imp_cred', phost])
realm.klist(bob)
# Leave tickets for next test.

# Test 10: ccache specified with creds, time to refresh.
# Same refresh check as the t_ccselect variant: ccrefresh is called with
# '1', t_imp_cred runs, and the value ccrefresh prints afterwards must
# parse to at least 1000.
realm.run(['./ccrefresh', realm.ccache, '1'])
realm.run(['./t_imp_cred', phost])
realm.klist(bob)
refresh_out = realm.run(['./ccrefresh', realm.ccache])
refreshed = int(refresh_out) >= 1000
if not refreshed:
    fail('Credentials apparently not refreshed')
realm.run([kdestroy])
# Test 11: gss_import_cred_from with client_keytab value.
# The client keytab is moved away from its default location, so the only
# way to reach it is through the 'client_keytab' credential-store entry
# passed to t_credstore.
store_keytab = os.path.join(realm.testdir, 'store_keytab')
os.rename(realm.client_keytab, store_keytab)
# puser was built during setup as 'p:' + realm.user_princ.
credstore_argv = ['./t_credstore', '-i', puser, 'client_keytab', store_keytab]
realm.run(credstore_argv)
realm.klist(realm.user_princ)
# Put the keytab back where the remaining tests expect it.
os.rename(store_keytab, realm.client_keytab)
# Use a cache collection for the remaining tests.
# KRB5CCNAME is switched to a DIR: ccache rooted in a fresh directory
# under realm.testdir.
ccdir = os.path.join(realm.testdir, 'cc')
os.mkdir(ccdir)
ccname = 'DIR:' + ccdir
realm.env['KRB5CCNAME'] = ccname

# Test 12: name specified, matching cache in collection with no creds.
# A cache file for bob is initialized inside the collection directory.
bobcache = os.path.join(ccdir, 'tktbob')
realm.run(['./ccinit', bobcache, bob])
realm.run(['./t_ccselect', phost, pbob], expected_msg=bob)
# Leave tickets for next test.

# Test 13: name specified, matching cache in collection, time to refresh.
# ccrefresh is called with '1' on bob's cache, t_ccselect runs, and the
# value ccrefresh prints afterwards must parse to at least 1000.
realm.run(['./ccrefresh', bobcache, '1'])
realm.run(['./t_ccselect', phost, pbob], expected_msg=bob)
refresh_out = realm.run(['./ccrefresh', bobcache])
refreshed = int(refresh_out) >= 1000
if not refreshed:
    fail('Credentials apparently not refreshed')
# -A is passed so that every cache in the collection is destroyed
# (presumably; confirm against kdestroy's documentation).
realm.run([kdestroy, '-A'])
# Test 14: name specified, collection has default for different principal.
# kinit makes realm.user_princ the collection's default; requesting bob
# must still yield bob, and klist must still report realm.user_princ as
# the default principal afterwards.
realm.kinit(realm.user_princ, password('user'))
realm.run(['./t_ccselect', phost, pbob], expected_msg=bob)
default_line = 'Default principal: %s\n' % realm.user_princ
realm.run([klist], expected_msg=default_line)
realm.run([kdestroy, '-A'])

# Test 15: name specified, collection has no default cache.
realm.run(['./t_ccselect', phost, pbob], expected_msg=bob)
# Make sure the tickets we acquired didn't become the default: klist
# without arguments must exit 1 and report that no cache was found.
no_cache_err = 'No credentials cache found'
realm.run([klist], expected_code=1, expected_msg=no_cache_err)
realm.run([kdestroy, '-A'])
# Test 16: default client keytab cannot be resolved, but valid
# credentials exist in ccache.
# default_client_keytab_name is set to '%{', which the test relies on
# being unresolvable (it looks like an unterminated expansion token --
# confirm).
libdefaults = {'default_client_keytab_name': '%{'}
conf = {'libdefaults': libdefaults}
bad_cktname = realm.special_env('bad_cktname', False, krb5_conf=conf)
# Drop KRB5_CLIENT_KTNAME from the special environment; presumably it
# would otherwise take precedence over the krb5.conf setting above.
del bad_cktname['KRB5_CLIENT_KTNAME']
realm.kinit(realm.user_princ, password('user'))
# With valid tickets already in the ccache, the unresolvable keytab name
# must not cause a failure: realm.user_princ is still expected.
realm.run(['./t_ccselect', phost],
          env=bad_cktname,
          expected_msg=realm.user_princ)
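mark('refresh of manually acquired creds')

# Test 17: no name/ccache specified, manually acquired creds which
# will expire soon.  Verify that creds are refreshed using the current
# client name, with refresh_time set in the refreshed ccache.
# The ticket is requested with a 15-second lifetime ('-l', '15s').
# NOTE(review): this test passes the short name 'bob' to kinit and to
# expected_msg, unlike the earlier tests which use the realm-qualified
# `bob` variable; if expected_msg is a substring match, 'bob' is a weaker
# check than the full principal name -- confirm whether that is intended.
realm.kinit('bob', password('bob'), ['-l', '15s'])
realm.run(['./t_ccselect', phost], expected_msg='bob')
realm.run([klist, '-C'], expected_msg='refresh_time = ')

# Test 18: no name/ccache specified, manually acquired creds with a
# client principal not present in the client keytab.  A refresh is
# attempted but fails, and an expired ticket error results.
# The lifetime of '-1s' yields a ticket that is already expired.  The
# call must exit 1 with 'Ticket expired' rather than produce a credential
# for some other identity.
realm.kinit(realm.admin_princ, password('admin'), ['-l', '-1s'])
# Build the expected trace line from realm.admin_princ, the principal
# actually passed to kinit above, instead of hard-coding the realm name.
# The leading '/' on the second entry is kept as in the original;
# presumably it is k5test's expected_trace syntax -- confirm.
msgs = ('Getting initial credentials for ' + realm.admin_princ,
        '/Matching credential not found')
realm.run(['./t_ccselect', phost], expected_code=1,
          expected_msg='Ticket expired', expected_trace=msgs)

success('Client keytab tests')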