from k5test import *
# Load the sample "greet" KDC authdata plugin built in this tree.  Its
# output is the '-42: Hello' element checked for below, which lets the tests
# tell module-supplied authdata apart from SIGNTICKET and from whatever the
# client asked for.
greet_path = os.path.join(buildtop, 'plugins', 'authdata', 'greet_server',
                          'greet_server.so')
greet_module = 'greet:' + greet_path
conf = {'plugins': {'kdcauthdata': {'module': greet_module}}}
realm = K5Realm(krb5_conf=conf)
# Baseline: a plain request carries no client authdata.  The ticket must
# still contain SIGNTICKET (512) in an if-relevant container (shown by
# ./adata with a '?' prefix) and the greet module's element in a kdc-issued
# container ('^' prefix).
mark('baseline authdata')
adata_cmd = ['./adata', realm.host_princ]
out = realm.run(adata_cmd)
if not ('?512: ' in out and '^-42: Hello' in out):
    fail('expected authdata not seen for basic request')

# Client-requested authdata is copied through, but types only the KDC may
# assert are dropped: 128 (win2k-pac) in both plain and if-relevant form,
# and anything the client wraps in a kdc-issued ('^') container.  None of
# the 'fake*' values may survive into the ticket.
mark('request authdata')
requested = ['-5', 'test1', '?-6', 'test2',
             '128', 'fakepac', '?128', 'ifrelfakepac',
             '^-8', 'fakekdcissued', '?^-8', 'ifrelfakekdcissued']
out = realm.run(adata_cmd + requested)
if not (' -5: test1' in out and '?-6: test2' in out):
    fail('expected authdata not seen for request with authdata')
if 'fake' in out:
    fail('KDC-only authdata not filtered for request with authdata')

# A client-requested AD-MANDATORY-FOR-KDC ('!' prefix) element of a type
# the KDC does not handle must be refused with a policy error rather than
# silently passed through.
mark('AD-MANDATORY-FOR-KDC')
realm.run(adata_cmd + ['!-1', 'mandatoryforkdc'],
          expected_code=1, expected_msg='KDC policy rejects request')
# A service principal carrying +no_auth_data_required gets no SIGNTICKET,
# while module (greet) and client-requested authdata are still present.
mark('no_auth_data_required server flag')
realm.run([kadminl, 'ank', '-randkey', '+no_auth_data_required', 'noauth'])
realm.extract_keytab('noauth', realm.keytab)
out = realm.run(['./adata', 'noauth', '-2', 'test'])
missing_noauth = [needle for needle in ('^-42: Hello', ' -2: test')
                  if needle not in out]
if missing_noauth:
    fail('expected authdata not seen for no_auth_data_required request')
if '512: ' in out:
    fail('SIGNTICKET authdata seen for no_auth_data_required request')
# A cross-realm TGT (krbtgt/<foreign realm>) is likewise issued without
# SIGNTICKET, but still carries module and client-requested authdata.
mark('cross-realm')
xtgt = 'krbtgt/XREALM'
realm.addprinc(xtgt)
realm.extract_keytab(xtgt, realm.keytab)
out = realm.run(['./adata', xtgt, '-3', 'test'])
if not ('^-42: Hello' in out and ' -3: test' in out):
    fail('expected authdata not seen for cross-realm TGT request')
if '512: ' in out:
    fail('SIGNTICKET authdata seen in cross-realm TGT')

# Done with the greet-only realm.
realm.stop()
pkinit_so = os.path.join(plugins, 'preauth', 'pkinit.so')
if os.path.exists(pkinit_so):
    # Anonymous tickets need PKINIT: the KDC gets its certificate and key
    # from the dejagnu test certificate set and trusts that set's CA.  The
    # PKINIT settings are merged into the greet-module config so the same
    # kdcauthdata plugin stays loaded for this realm.
    certs = os.path.join(srctop, 'tests', 'dejagnu', 'pkinit-certs')
    ca_pem = os.path.join(certs, 'ca.pem')
    kdc_pem = os.path.join(certs, 'kdc.pem')
    privkey_pem = os.path.join(certs, 'privkey.pem')
    pkinit_conf = {'realms': {'$realm': {
        'pkinit_anchors': 'FILE:' + ca_pem,
        'pkinit_identity': 'FILE:' + kdc_pem + ',' + privkey_pem}}}
    conf.update(pkinit_conf)
    realm = K5Realm(krb5_conf=conf, get_creds=False)
    realm.addprinc('WELLKNOWN/ANONYMOUS')
    # kinit -n with an empty client name ('@REALM') asks for a fully
    # anonymous ticket.
    realm.kinit('@' + realm.realm, flags=['-n'])

    # An anonymous ticket must carry neither SIGNTICKET nor the module's
    # authdata -- only what the client itself requested.
    mark('anonymous')
    out = realm.run(['./adata', realm.host_princ, '-4', 'test'])
    if ' -4: test' not in out:
        fail('expected authdata not seen for anonymous request')
    if ('512: ' in out) or ('-42: ' in out):
        fail('SIGNTICKET or greet authdata seen for anonymous request')

    realm.stop()
else:
    skipped('anonymous ticket authdata tests', 'PKINIT not built')
# Authentication indicator tests.  The test preauth module (loaded on both
# the KDC and the client side) lets kinit choose the indicators the KDC
# records via '-X indicators=...', so each case below can check exactly
# which indicators end up in the ticket actually issued.
testpreauth = os.path.join(buildtop, 'plugins', 'preauth', 'test', 'test.so')
test_module = 'test:' + testpreauth
krb5conf = {'plugins': {'kdcpreauth': {'module': test_module},
                        'clpreauth': {'module': test_module}}}
realm, realm2 = cross_realms(2, args=({'realm': 'LOCAL'},
                                      {'realm': 'FOREIGN'}),
                             krb5_conf=krb5conf, get_creds=False)

# The user must go through preauth so the test module runs on its AS
# requests; the two-day maxrenewlife on user, host and TGT principals is
# what allows the '-r 2d' / '-R' (renewal) cases later on.
realm.run([kadminl, 'modprinc', '+requires_preauth', '-maxrenewlife', '2 days',
           realm.user_princ])
for renewable in (realm.host_princ, realm.krbtgt_princ):
    realm.run([kadminl, 'modprinc', '-maxrenewlife', '2 days', renewable])

# Both realms' TGTs, both host keys and both cross-realm TGTs go into the
# LOCAL realm's keytab (presumably so ./adata can decrypt every ticket it
# is asked to inspect below).
keytab_sources = ((realm, realm.krbtgt_princ),
                  (realm, realm.host_princ),
                  (realm, 'krbtgt/FOREIGN'),
                  (realm2, realm2.krbtgt_princ),
                  (realm2, realm2.host_princ),
                  (realm2, 'krbtgt/LOCAL'))
for kt_realm, kt_princ in keytab_sources:
    kt_realm.extract_keytab(kt_princ, realm.keytab)
# ./adata prints authentication indicators as ad-type 97 ('+97: [...]').
# Each case checks that the indicator attached at authentication time is
# carried into the ticket issued for the named service.
indcl_msg = '+97: [indcl]'
user_pw = password('user')


def check_indcl(service):
    """Fail unless the ticket for *service* reports exactly '[indcl]'."""
    realm.run(['./adata', service], expected_msg=indcl_msg)


# AS request straight to a local-realm service; renewable so the
# ticket-modification case that follows can renew it.
mark('AS-REQ to local service auth indicator')
realm.kinit(realm.user_princ, user_pw,
            ['-X', 'indicators=indcl', '-r', '2d', '-S', realm.host_princ])
check_indcl(realm.host_princ)

# Renewing (-R) the service ticket -- a ticket-modification request -- must
# preserve the indicator.
mark('ticket modification auth indicator')
realm.kinit(realm.user_princ, None, ['-R', '-S', realm.host_princ])
check_indcl(realm.host_princ)

# AS request for the cross-realm TGT.
mark('AS-REQ to cross TGT auth indicator')
realm.kinit(realm.user_princ, user_pw,
            ['-X', 'indicators=indcl', '-S', 'krbtgt/FOREIGN'])
check_indcl('krbtgt/FOREIGN')

# Several indicators at once are all reported, in the order given.
mark('AS multiple indicators')
realm.kinit(realm.user_princ, user_pw,
            ['-X', 'indicators=indcl indcl2 indcl3'])
realm.run(['./adata', realm.krbtgt_princ],
          expected_msg='+97: [indcl, indcl2, indcl3]')

# AS request for the local TGT; the TGS cases below run on this TGT.
mark('AS-REQ to local TGT auth indicator')
realm.kinit(realm.user_princ, user_pw, ['-X', 'indicators=indcl'])
check_indcl(realm.krbtgt_princ)

# TGS requests within the realm copy the TGT's indicator into the service
# ticket and into the cross-realm TGT.
mark('TGS-REQ to local service auth indicator')
check_indcl(realm.host_princ)

mark('TGS-REQ to cross TGT auth indicator')
check_indcl('krbtgt/FOREIGN')

# Indicators are not yet carried across realms, so none of the tickets
# obtained through the FOREIGN KDC may report one.
mark('TGS-REQ to foreign service auth indicator')
for service, what in ((realm2.krbtgt_princ, 'local TGT'),
                      ('krbtgt/LOCAL@FOREIGN', 'cross TGT'),
                      (realm2.host_princ, 'service')):
    out = realm.run(['./adata', service])
    if '97:' in out:
        fail('auth-indicator seen in cross TGT request to ' + what)
# Roll the krbtgt key (keeping the old one) and confirm the indicator in
# the TGT issued before the change still verifies: the CAMMAC signature is
# what this test exercises, and -keepold must leave the previous key
# available for verification after a rollover.
mark('CAMMAC signature across krbtgt rollover')
realm.run([kadminl, 'cpw', '-randkey', '-keepold', realm.krbtgt_princ])
realm.run(['./adata', realm.host_princ], expected_msg='+97: [indcl]')

# Indicator enforcement: a service whose 'require_auth' string attribute
# is set only gets tickets issued to clients whose credentials carry one of
# the listed indicators, on both the AS (-S) and the TGS (kvno) path.
mark('auth indicator enforcement')
policy_reject = 'KDC policy rejects request'


def require_auth(indicators):
    """Set the 'require_auth' string attribute on the 'restricted' service."""
    realm.run([kadminl, 'setstr', 'restricted', 'require_auth', indicators])


realm.addprinc('restricted')
# Nothing asserts 'superstrong', so both paths must be refused.
require_auth('superstrong')
realm.kinit(realm.user_princ, password('user'), ['-S', 'restricted'],
            expected_code=1, expected_msg=policy_reject)
realm.run([kvno, 'restricted'], expected_code=1, expected_msg=policy_reject)
# The current TGT does carry 'indcl', so this is allowed.
require_auth('indcl')
realm.run([kvno, 'restricted'])
# A fresh TGT asserting 'ind1 ind2' no longer satisfies 'indcl' ...
realm.kinit(realm.user_princ, password('user'), ['-X', 'indicators=ind1 ind2'])
realm.run([kvno, 'restricted'], expected_code=1)
# ... but a require_auth list in which any single entry (here ind2)
# matches is enough.
require_auth('a b c ind2')
realm.run([kvno, 'restricted'])
# Regression test for one manifestation of #8139: a forwarded TGT obtained
# across a krbtgt re-key must remain usable when the preferred krbtgt
# enctype changes, so the new key is deliberately of a different enctype.
mark('#8139 regression test')


def rekey_tgt(enctype):
    """Give the local TGT a fresh random key of *enctype*, keeping the old."""
    realm.run([kadminl, 'cpw', '-randkey', '-keepold', '-e', enctype,
               realm.krbtgt_princ])


realm.kinit(realm.user_princ, password('user'), ['-f'])
rekey_tgt('aes256-sha2')
realm.run(['./forward'])
realm.run([kvno, realm.host_princ])

# Same scenario with a renewed TGT instead of a forwarded one.
mark('#8139 regression test (renewed TGT)')
realm.kinit(realm.user_princ, password('user'), ['-r', '2d'])
rekey_tgt('aes128-cts')
realm.kinit(realm.user_princ, None, ['-R'])
realm.run([kvno, realm.host_princ])

realm.stop()
realm2.stop()
# Switch to the test KDB module, which serves principals defined right here
# in kdc.conf and lets S4U2Proxy auth-indicator requests succeed.  Every
# principal has a single aes128-cts key; only flags and string attributes
# differ per principal.
def aes_princ(**extra):
    """Return a test-KDB principal entry: an aes128-cts key plus *extra*."""
    entry = {'keys': 'aes128-cts'}
    entry.update(extra)
    return entry


testprincs = {'krbtgt/KRBTEST.COM': aes_princ(),
              'krbtgt/FOREIGN': aes_princ(),
              'user': aes_princ(flags='+preauth'),
              'user2': aes_princ(flags='+preauth'),
              # rservice only admits clients asserting the 'strong' indicator.
              'rservice': aes_princ(strings='require_auth:strong'),
              # service/1 carries the flag S4U2Self-based delegation needs
              # and, per the 'delegation' map below, may proxy only to
              # service/2.
              'service/1': aes_princ(flags='+ok_to_auth_as_delegate'),
              'service/2': aes_princ(),
              'noauthdata': aes_princ(flags='+no_auth_data_required')}
kdcconf = {'realms': {'$realm': {'database_module': 'test'}},
           'dbmodules': {'test': {'db_library': 'test',
                                  'princs': testprincs,
                                  'delegation': {'service/1': 'service/2'}}}}
# create_kdb=False: the test module has no on-disk database to create.
realm = K5Realm(krb5_conf=krb5conf, kdc_conf=kdcconf, create_kdb=False)
usercache = 'FILE:' + os.path.join(realm.testdir, 'usercache')

# Keys for everything the S4U tests below decrypt or authenticate as.
# NOTE(review): 'ruser' is not listed in testprincs above; presumably the
# test KDB module still hands out a key for it -- confirm, or drop it.
for kt_princ in (realm.krbtgt_princ, 'krbtgt/FOREIGN', realm.user_princ,
                 'ruser', 'service/1', 'service/2', 'noauthdata'):
    realm.extract_keytab(kt_princ, realm.keytab)
realm.start_kdc()
# S4U2Self: service/1 asks for a ticket to itself on behalf of 'user'.  The
# impersonated user never authenticated, so the indicator service/1 itself
# obtained ('inds1') must not appear on the resulting ticket.
mark('S4U2Self (no auth indicators expected)')
adata_as_user = ['./adata', '-p', realm.user_princ]
realm.kinit('service/1', None, ['-k', '-f', '-X', 'indicators=inds1'])
realm.run([kvno, '-U', 'user', 'service/1'])
out = realm.run(adata_as_user + ['service/1'])
if '97:' in out:
    fail('auth-indicator present in S4U2Self response')

# Client-requested authdata is honoured on the S4U2Self path as well.
realm.run(['./s4u2self', 'user', 'service/1', '-', '-2', 'self_ad'])
realm.run(adata_as_user + ['service/1', '-2', 'self_ad'],
          expected_msg=' -2: self_ad')

# S4U2Proxy: the indicators on the proxied ticket must be those of the
# evidence ticket (the user's own 'indcl'), never those of service/1's TGT
# ('inds1').
mark('S4U2Proxy (auth indicators from evidence ticket expected)')
realm.kinit(realm.user_princ, None, ['-k', '-f', '-X', 'indicators=indcl',
                                     '-S', 'service/1', '-c', usercache])
realm.run(['./s4u2proxy', usercache, 'service/2'])
out = realm.run(adata_as_user + ['service/2'])
if not ('+97: [indcl]' in out and '[inds1]' not in out):
    fail('correct auth-indicator not seen for S4U2Proxy req')

# Request authdata on the S4U2Proxy step itself.
realm.run(['./s4u2proxy', usercache, 'service/2', '-2', 'proxy_ad'])
realm.run(adata_as_user + ['service/2', '-2', 'proxy_ad'],
          expected_msg=' -2: proxy_ad')

# Chain the two: an S4U2Self evidence ticket for user2 (with its own request
# authdata) feeds S4U2Proxy (with more).  Both elements must survive.
realm.run(['./s4u2self', 'user2', 'service/1', usercache, '-2', 'self_ad'])
realm.run(['./s4u2proxy', usercache, 'service/2', '-2', 'proxy_ad'])
out = realm.run(['./adata', '-p', 'user2', 'service/2', '-2', 'proxy_ad'])
if not (' -2: self_ad' in out and ' -2: proxy_ad' in out):
    fail('expected authdata not seen in S4U2Proxy ticket')

# The test KDB module rewrites the indicators it sees: the expected values
# show 'dummy' dropped and 'dbincr1' stepped to 'dbincr2' by the AS and on
# to 'dbincr3' by the TGS.
realm.kinit(realm.user_princ, None, ['-k', '-X', 'indicators=dummy dbincr1'])
realm.run(['./adata', realm.krbtgt_princ], expected_msg='+97: [dbincr2]')
realm.run(['./adata', 'service/1'], expected_msg='+97: [dbincr3]')
# rservice requires 'strong': asserting just 'strong' is accepted ...
realm.kinit(realm.user_princ, None,
            ['-k', '-X', 'indicators=strong', '-S', 'rservice'])
# ... but with 'strong dbincr1' the KDB module's rewritten list is what
# gets enforced, and the AS request is refused.
realm.kinit(realm.user_princ, None,
            ['-k', '-X', 'indicators=strong dbincr1', '-S', 'rservice'],
            expected_code=1)
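# KDB-module authdata (ad-type -456, 'db-authdata-test' from the test KDB
# module) stands in for PAC-style authdata here, which is why the client's
# PAC request flags control it.  It must be included in an AS reply by
# default and when the client explicitly asks for a PAC ...
mark('AS-REQ KDB module authdata')
db_authdata = '-456: db-authdata-test'
realm.kinit(realm.user_princ, None, ['-k'])
realm.run(['./adata', realm.krbtgt_princ], expected_msg=db_authdata)
realm.kinit(realm.user_princ, None, ['-k', '--request-pac'])
realm.run(['./adata', realm.krbtgt_princ], expected_msg=db_authdata)

# ... and left out when the client opts out with --no-request-pac.
mark('AS-REQ KDB module authdata client suppression')
realm.kinit(realm.user_princ, None, ['-k', '--no-request-pac'])
out = realm.run(['./adata', realm.krbtgt_princ])
if db_authdata in out:
    fail('DB authdata not suppressed by --no-request-pac')

# On the TGS path it is present by default ...
mark('TGS-REQ KDB authdata')
realm.run(['./adata', 'service/1'], expected_msg=db_authdata)

# ... and suppressed for a service flagged +no_auth_data_required, the
# same flag that removed SIGNTICKET earlier in this file.
mark('TGS-REQ KDB authdata service suppression')
out = realm.run(['./adata', 'noauthdata'])
if db_authdata in out:
    fail('DB authdata not suppressed by +no_auth_data_required')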
# S4U2Proxy where the impersonated client lives in another realm: realm A
# hosts the impersonator and the resource, realm B the user.  Both KDCs run
# the test KDB module with their principals defined inline.
mark('S4U2Proxy with a foreign client')

aes_key = {'keys': 'aes128-cts'}
a_princs = {'krbtgt/A': dict(aes_key),
            'krbtgt/B': dict(aes_key),
            'impersonator': dict(aes_key),
            'resource': dict(aes_key)}
# impersonator may delegate to resource and nothing else.
a_kconf = {'realms': {'$realm': {'database_module': 'test'}},
           'dbmodules': {'test': {'db_library': 'test',
                                  'delegation': {'impersonator': 'resource'},
                                  'princs': a_princs}}}

b_princs = {'krbtgt/B': dict(aes_key),
            'krbtgt/A': dict(aes_key),
            'user': dict(aes_key, flags='+preauth')}
b_kconf = {'realms': {'$realm': {'database_module': 'test'}},
           'dbmodules': {'test': {'db_library': 'test',
                                  'princs': b_princs}}}

# xtgts=() skips k5test's own cross-realm TGT setup (presumably because the
# inline lists already define krbtgt/A and krbtgt/B in both realms);
# create_kdb=False because the test module has nothing to create.
ra, rb = cross_realms(2, xtgts=(),
                      args=({'realm': 'A', 'kdc_conf': a_kconf},
                            {'realm': 'B', 'kdc_conf': b_kconf}),
                      create_kdb=False)

ra.start_kdc()
rb.start_kdc()

ra.extract_keytab('impersonator@A', ra.keytab)
rb.extract_keytab('user@B', rb.keytab)

# user@B puts a forwardable TGT and a ticket for impersonator@A into its
# own cache; that ticket is the evidence ticket for the proxy step.
usercache = 'FILE:' + os.path.join(rb.testdir, 'usercache')
rb.kinit(rb.user_princ, None, ['-k', '-f', '-c', usercache])
rb.run([kvno, '-C', 'impersonator@A', '-c', usercache])

# impersonator@A then obtains a ticket to resource@A on behalf of user@B.
ra.kinit('impersonator@A', None, ['-f', '-k', '-t', ra.keytab])
ra.run(['./s4u2proxy', usercache, 'resource@A'])

ra.stop()
rb.stop()

# KDB module authdata behaviour deliberately not covered above:
# * it is suppressed in TGS requests when the TGT carries no authdata and
#   the request is neither cross-realm nor S4U;
# * it is suppressed for anonymous tickets.

success('Authorization data tests')