|
Packit |
fd8b60 |
from k5test import *
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Test krb5 negotiation under SPNEGO for all enctype configurations. Also
|
|
Packit |
fd8b60 |
# test IOV wrap/unwrap with and without SPNEGO.
|
|
Packit |
fd8b60 |
for realm in multipass_realms():
|
|
Packit |
fd8b60 |
realm.run(['./t_spnego','p:' + realm.host_princ, realm.keytab])
|
|
Packit |
fd8b60 |
realm.run(['./t_iov', 'p:' + realm.host_princ])
|
|
Packit |
fd8b60 |
realm.run(['./t_iov', '-s', 'p:' + realm.host_princ])
|
|
Packit |
fd8b60 |
realm.run(['./t_pcontok', 'p:' + realm.host_princ])
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Test gss_add_cred().
|
|
Packit |
fd8b60 |
realm = K5Realm()
|
|
Packit |
fd8b60 |
realm.run(['./t_add_cred'])
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
### Test acceptor name behavior.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Create some host-based principals and put most of them into the
|
|
Packit |
fd8b60 |
# keytab. Rename one principal so that the keytab name matches the
|
|
Packit |
fd8b60 |
# key but not the client name.
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'addprinc', '-randkey', 'service1/abraham'])
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'addprinc', '-randkey', 'service1/barack'])
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'addprinc', '-randkey', 'service2/calvin'])
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'addprinc', '-randkey', 'service2/dwight'])
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'addprinc', '-randkey', 'host/-nomatch-'])
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'xst', 'service1/abraham'])
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'xst', 'service1/barack'])
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'xst', 'service2/calvin'])
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'renprinc', 'service1/abraham', 'service1/andrew'])
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Test with no acceptor name, including client/keytab principal
|
|
Packit |
fd8b60 |
# mismatch (non-fatal) and missing keytab entry (fatal).
|
|
Packit |
fd8b60 |
realm.run(['./t_accname', 'p:service1/andrew'],
|
|
Packit |
fd8b60 |
expected_msg='service1/abraham')
|
|
Packit |
fd8b60 |
realm.run(['./t_accname', 'p:service1/barack'], expected_msg='service1/barack')
|
|
Packit |
fd8b60 |
realm.run(['./t_accname', 'p:service2/calvin'], expected_msg='service2/calvin')
|
|
Packit |
fd8b60 |
realm.run(['./t_accname', 'p:service2/dwight'], expected_code=1,
|
|
Packit |
fd8b60 |
expected_msg=' not found in keytab')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Test with acceptor name containing service only, including
|
|
Packit |
fd8b60 |
# client/keytab hostname mismatch (non-fatal) and service name
|
|
Packit |
fd8b60 |
# mismatch (fatal).
|
|
Packit |
fd8b60 |
realm.run(['./t_accname', 'p:service1/andrew', 'h:service1'],
|
|
Packit |
fd8b60 |
expected_msg='service1/abraham')
|
|
Packit |
fd8b60 |
realm.run(['./t_accname', 'p:service1/andrew', 'h:service2'], expected_code=1,
|
|
Packit |
fd8b60 |
expected_msg=' not found in keytab')
|
|
Packit |
fd8b60 |
realm.run(['./t_accname', 'p:service2/calvin', 'h:service2'],
|
|
Packit |
fd8b60 |
expected_msg='service2/calvin')
|
|
Packit |
fd8b60 |
realm.run(['./t_accname', 'p:service2/calvin', 'h:service1'], expected_code=1,
|
|
Packit |
fd8b60 |
expected_msg=' found in keytab but does not match server principal')
|
|
rpm-build |
6726ce |
# Regression test for #8892 (trailing @ in name).
|
|
rpm-build |
6726ce |
realm.run(['./t_accname', 'p:service1/andrew', 'h:service1@'],
|
|
rpm-build |
6726ce |
expected_msg='service1/abraham')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Test with acceptor name containing service and host. Use the
|
|
Packit |
fd8b60 |
# client's un-canonicalized hostname as acceptor input to mirror what
|
|
Packit |
fd8b60 |
# many servers do.
|
|
Packit |
fd8b60 |
realm.run(['./t_accname', 'p:' + realm.host_princ,
|
|
Packit |
fd8b60 |
'h:host@%s' % socket.gethostname()], expected_msg=realm.host_princ)
|
|
Packit |
fd8b60 |
realm.run(['./t_accname', 'p:host/-nomatch-',
|
|
Packit |
fd8b60 |
'h:host@%s' % socket.gethostname()], expected_code=1,
|
|
Packit |
fd8b60 |
expected_msg=' not found in keytab')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Test krb5_gss_import_cred.
|
|
Packit |
fd8b60 |
realm.run(['./t_imp_cred', 'p:service1/barack'])
|
|
Packit |
fd8b60 |
realm.run(['./t_imp_cred', 'p:service1/barack', 'service1/barack'])
|
|
Packit |
fd8b60 |
realm.run(['./t_imp_cred', 'p:service1/andrew', 'service1/abraham'])
|
|
Packit |
fd8b60 |
realm.run(['./t_imp_cred', 'p:service2/dwight'], expected_code=1,
|
|
Packit |
fd8b60 |
expected_msg=' not found in keytab')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Test credential store extension.
|
|
Packit |
fd8b60 |
tmpccname = 'FILE:' + os.path.join(realm.testdir, 'def_cache')
|
|
Packit |
fd8b60 |
realm.env['KRB5CCNAME'] = tmpccname
|
|
Packit |
fd8b60 |
storagecache = 'FILE:' + os.path.join(realm.testdir, 'user_store')
|
|
Packit |
fd8b60 |
servicekeytab = os.path.join(realm.testdir, 'kt')
|
|
Packit |
fd8b60 |
service_cs = 'service/cs@%s' % realm.realm
|
|
Packit |
fd8b60 |
realm.addprinc(service_cs)
|
|
Packit |
fd8b60 |
realm.extract_keytab(service_cs, servicekeytab)
|
|
Packit |
fd8b60 |
realm.kinit(service_cs, None, ['-k', '-t', servicekeytab])
|
|
Packit |
fd8b60 |
realm.run(['./t_credstore', '-s', 'p:' + service_cs, 'ccache', storagecache,
|
|
Packit |
fd8b60 |
'keytab', servicekeytab])
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Test rcache feature of cred stores. t_credstore -r should produce a
|
|
Packit |
fd8b60 |
# replay error normally, but not with rcache set to "none:".
|
|
Packit |
fd8b60 |
output = realm.run(['./t_credstore', '-r', '-a', 'p:' + realm.host_princ],
|
|
Packit |
fd8b60 |
expected_code=1)
|
|
Packit |
fd8b60 |
if 'gss_accept_sec_context(2): Request is a replay' not in output:
|
|
Packit |
fd8b60 |
fail('Expected replay error not seen in t_credstore output')
|
|
Packit |
fd8b60 |
realm.run(['./t_credstore', '-r', '-a', 'p:' + realm.host_princ,
|
|
Packit |
fd8b60 |
'rcache', 'none:'])
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Verify that we can't acquire acceptor creds without a keytab.
|
|
Packit |
fd8b60 |
os.remove(realm.keytab)
|
|
Packit |
fd8b60 |
output = realm.run(['./t_accname', 'p:abc'], expected_code=1)
|
|
Packit |
fd8b60 |
if ('gss_acquire_cred: Keytab' not in output or
|
|
Packit |
fd8b60 |
'nonexistent or empty' not in output):
|
|
Packit |
fd8b60 |
fail('Expected error message not seen for nonexistent keytab')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
realm.stop()
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Re-run the last acceptor name test with ignore_acceptor_hostname set
|
|
Packit |
fd8b60 |
# and the principal for the mismatching hostname in the keytab.
|
|
Packit |
fd8b60 |
ignore_conf = {'libdefaults': {'ignore_acceptor_hostname': 'true'}}
|
|
Packit |
fd8b60 |
realm = K5Realm(krb5_conf=ignore_conf)
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'addprinc', '-randkey', 'host/-nomatch-'])
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'xst', 'host/-nomatch-'])
|
|
Packit |
fd8b60 |
realm.run(['./t_accname', 'p:host/-nomatch-',
|
|
Packit |
fd8b60 |
'h:host@%s' % socket.gethostname()], expected_msg='host/-nomatch-')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
realm.stop()
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Make sure a GSSAPI acceptor can handle cross-realm tickets with a
|
|
Packit |
fd8b60 |
# transited field. (Regression test for #7639.)
|
|
Packit |
fd8b60 |
r1, r2, r3 = cross_realms(3, xtgts=((0,1), (1,2)),
|
|
Packit |
fd8b60 |
create_user=False, create_host=False,
|
|
Packit |
fd8b60 |
args=[{'realm': 'A.X', 'create_user': True},
|
|
Packit |
fd8b60 |
{'realm': 'X'},
|
|
Packit |
fd8b60 |
{'realm': 'B.X', 'create_host': True}])
|
|
Packit |
fd8b60 |
os.rename(r3.keytab, r1.keytab)
|
|
Packit |
fd8b60 |
r1.run(['./t_accname', 'p:' + r3.host_princ, 'h:host'])
|
|
Packit |
fd8b60 |
r1.stop()
|
|
Packit |
fd8b60 |
r2.stop()
|
|
Packit |
fd8b60 |
r3.stop()
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
### Test gss_inquire_cred behavior.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
realm = K5Realm()
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Test deferred resolution of the default ccache for initiator creds.
|
|
Packit |
fd8b60 |
realm.run(['./t_inq_cred'], expected_msg=realm.user_princ)
|
|
Packit |
fd8b60 |
realm.run(['./t_inq_cred', '-k'], expected_msg=realm.user_princ)
|
|
Packit |
fd8b60 |
realm.run(['./t_inq_cred', '-s'], expected_msg=realm.user_princ)
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Test picking a name from the keytab for acceptor creds.
|
|
Packit |
fd8b60 |
realm.run(['./t_inq_cred', '-a'], expected_msg=realm.host_princ)
|
|
Packit |
fd8b60 |
realm.run(['./t_inq_cred', '-k', '-a'], expected_msg=realm.host_princ)
|
|
Packit |
fd8b60 |
realm.run(['./t_inq_cred', '-s', '-a'], expected_msg=realm.host_princ)
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Test client keytab initiation (non-deferred) with a specified name.
|
|
Packit |
fd8b60 |
realm.extract_keytab(realm.user_princ, realm.client_keytab)
|
|
Packit |
fd8b60 |
os.remove(realm.ccache)
|
|
Packit |
fd8b60 |
realm.run(['./t_inq_cred', '-k'], expected_msg=realm.user_princ)
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Test deferred client keytab initiation and GSS_C_BOTH cred usage.
|
|
Packit |
fd8b60 |
os.remove(realm.client_keytab)
|
|
Packit |
fd8b60 |
os.remove(realm.ccache)
|
|
Packit |
fd8b60 |
shutil.copyfile(realm.keytab, realm.client_keytab)
|
|
Packit |
fd8b60 |
realm.run(['./t_inq_cred', '-k', '-b'], expected_msg=realm.host_princ)
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Test gss_export_name behavior.
|
|
Packit |
fd8b60 |
out = realm.run(['./t_export_name', 'u:x'])
|
|
Packit |
fd8b60 |
if out != '0401000B06092A864886F7120102020000000D78404B5242544553542E434F4D\n':
|
|
Packit |
fd8b60 |
fail('Unexpected output from t_export_name (krb5 username)')
|
|
Packit |
fd8b60 |
output = realm.run(['./t_export_name', '-s', 'u:xyz'])
|
|
Packit |
fd8b60 |
if output != '0401000806062B06010505020000000378797A\n':
|
|
Packit |
fd8b60 |
fail('Unexpected output from t_export_name (SPNEGO username)')
|
|
Packit |
fd8b60 |
output = realm.run(['./t_export_name', 'p:a@b'])
|
|
Packit |
fd8b60 |
if output != '0401000B06092A864886F71201020200000003614062\n':
|
|
Packit |
fd8b60 |
fail('Unexpected output from t_export_name (krb5 principal)')
|
|
Packit |
fd8b60 |
output = realm.run(['./t_export_name', '-s', 'p:a@b'])
|
|
Packit |
fd8b60 |
if output != '0401000806062B060105050200000003614062\n':
|
|
Packit |
fd8b60 |
fail('Unexpected output from t_export_name (SPNEGO krb5 principal)')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Test that composite-export tokens can be imported.
|
|
Packit |
fd8b60 |
output = realm.run(['./t_export_name', '-c', 'p:a@b'])
|
|
Packit |
fd8b60 |
if (output != '0402000B06092A864886F7120102020000000361406200000000\n'):
|
|
Packit |
fd8b60 |
fail('Unexpected output from t_export_name (using COMPOSITE_EXPORT)')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Test gss_inquire_mechs_for_name behavior.
|
|
Packit |
fd8b60 |
krb5_mech = '{ 1 2 840 113554 1 2 2 }'
|
|
Packit |
fd8b60 |
spnego_mech = '{ 1 3 6 1 5 5 2 }'
|
|
Packit |
fd8b60 |
out = realm.run(['./t_inq_mechs_name', 'p:a@b'])
|
|
Packit |
fd8b60 |
if krb5_mech not in out:
|
|
Packit |
fd8b60 |
fail('t_inq_mechs_name (principal)')
|
|
Packit |
fd8b60 |
out = realm.run(['./t_inq_mechs_name', 'u:x'])
|
|
Packit |
fd8b60 |
if krb5_mech not in out or spnego_mech not in out:
|
|
Packit |
fd8b60 |
fail('t_inq_mecs_name (user)')
|
|
Packit |
fd8b60 |
out = realm.run(['./t_inq_mechs_name', 'h:host'])
|
|
Packit |
fd8b60 |
if krb5_mech not in out or spnego_mech not in out:
|
|
Packit |
fd8b60 |
fail('t_inq_mecs_name (hostbased)')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Test that accept_sec_context can produce an error token and
|
|
Packit |
fd8b60 |
# init_sec_context can interpret it.
|
|
Packit |
fd8b60 |
realm.run(['./t_err', 'p:' + realm.host_princ])
|
|
Packit |
fd8b60 |
realm.run(['./t_err', '--spnego', 'p:' + realm.host_princ])
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Test the GSS_KRB5_CRED_NO_CI_FLAGS_X cred option.
|
|
Packit |
fd8b60 |
realm.run(['./t_ciflags', 'p:' + realm.host_princ])
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Test that inquire_context works properly, even on incomplete
|
|
Packit |
fd8b60 |
# contexts.
|
|
Packit |
fd8b60 |
realm.run(['./t_inq_ctx', 'user', password('user'), 'p:%s' % realm.host_princ])
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
if runenv.sizeof_time_t <= 4:
|
|
Packit |
fd8b60 |
skip_rest('y2038 GSSAPI tests', 'platform has 32-bit time_t')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Test lifetime results, using a realm with a large maximum lifetime
|
|
Packit |
fd8b60 |
# so that we can test ticket end dates after y2038.
|
|
Packit |
fd8b60 |
realm.stop()
|
|
Packit |
fd8b60 |
conf = {'realms': {'$realm': {'max_life': '9000d'}}}
|
|
Packit |
fd8b60 |
realm = K5Realm(kdc_conf=conf, get_creds=False)
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Check a lifetime string result against an expected number value (or None).
|
|
Packit |
fd8b60 |
# Allow some variance due to time elapsed during the tests.
|
|
Packit |
fd8b60 |
def check_lifetime(msg, val, expected):
|
|
Packit |
fd8b60 |
if expected is None and val != 'indefinite':
|
|
Packit |
fd8b60 |
fail('%s: expected indefinite, got %s' % (msg, val))
|
|
Packit |
fd8b60 |
if expected is not None and val == 'indefinite':
|
|
Packit |
fd8b60 |
fail('%s: expected %d, got indefinite' % (msg, expected))
|
|
Packit |
fd8b60 |
if expected is not None and abs(int(val) - expected) > 100:
|
|
Packit |
fd8b60 |
fail('%s: expected %d, got %s' % (msg, expected, val))
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
realm.kinit(realm.user_princ, password('user'), flags=['-l', '8500d'])
|
|
Packit |
fd8b60 |
out = realm.run(['./t_lifetime', 'p:' + realm.host_princ, str(8000 * 86400)])
|
|
Packit |
fd8b60 |
ln = out.split('\n')
|
|
Packit |
fd8b60 |
check_lifetime('icred gss_acquire_cred', ln[0], 8500 * 86400)
|
|
Packit |
fd8b60 |
check_lifetime('icred gss_inquire_cred', ln[1], 8500 * 86400)
|
|
Packit |
fd8b60 |
check_lifetime('acred gss_acquire_cred', ln[2], None)
|
|
Packit |
fd8b60 |
check_lifetime('acred gss_inquire_cred', ln[3], None)
|
|
Packit |
fd8b60 |
check_lifetime('ictx gss_init_sec_context', ln[4], 8000 * 86400)
|
|
Packit |
fd8b60 |
check_lifetime('ictx gss_inquire_context', ln[5], 8000 * 86400)
|
|
Packit |
fd8b60 |
check_lifetime('ictx gss_context_time', ln[6], 8000 * 86400)
|
|
Packit |
fd8b60 |
check_lifetime('actx gss_accept_sec_context', ln[7], 8000 * 86400 + 300)
|
|
Packit |
fd8b60 |
check_lifetime('actx gss_inquire_context', ln[8], 8000 * 86400 + 300)
|
|
Packit |
fd8b60 |
check_lifetime('actx gss_context_time', ln[9], 8000 * 86400 + 300)
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
success('GSSAPI tests')
|