|
Packit |
fd8b60 |
from k5test import *
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Skip this test if pkinit wasn't built.
|
|
Packit |
fd8b60 |
if not os.path.exists(os.path.join(plugins, 'preauth', 'pkinit.so')):
|
|
Packit |
fd8b60 |
skip_rest('certauth tests', 'PKINIT module not built')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
certs = os.path.join(srctop, 'tests', 'dejagnu', 'pkinit-certs')
|
|
Packit |
fd8b60 |
ca_pem = os.path.join(certs, 'ca.pem')
|
|
Packit |
fd8b60 |
kdc_pem = os.path.join(certs, 'kdc.pem')
|
|
Packit |
fd8b60 |
privkey_pem = os.path.join(certs, 'privkey.pem')
|
|
Packit |
fd8b60 |
user_pem = os.path.join(certs, 'user.pem')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
modpath = os.path.join(buildtop, 'plugins', 'certauth', 'test',
|
|
Packit |
fd8b60 |
'certauth_test.so')
|
|
Packit |
fd8b60 |
pkinit_krb5_conf = {'realms': {'$realm': {
|
|
Packit |
fd8b60 |
'pkinit_anchors': 'FILE:%s' % ca_pem}},
|
|
Packit |
fd8b60 |
'plugins': {'certauth': {'module': ['test1:' + modpath,
|
|
Packit |
fd8b60 |
'test2:' + modpath],
|
|
Packit |
fd8b60 |
'enable_only': ['test1', 'test2']}}}
|
|
Packit |
fd8b60 |
pkinit_kdc_conf = {'realms': {'$realm': {
|
|
Packit |
fd8b60 |
'default_principal_flags': '+preauth',
|
|
Packit |
fd8b60 |
'pkinit_eku_checking': 'none',
|
|
Packit |
fd8b60 |
'pkinit_identity': 'FILE:%s,%s' % (kdc_pem, privkey_pem),
|
|
Packit |
fd8b60 |
'pkinit_indicator': ['indpkinit1', 'indpkinit2']}}}
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
file_identity = 'FILE:%s,%s' % (user_pem, privkey_pem)
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
realm = K5Realm(krb5_conf=pkinit_krb5_conf, kdc_conf=pkinit_kdc_conf,
|
|
Packit |
fd8b60 |
get_creds=False)
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Let the test module match user to CN=user, with indicators.
|
|
Packit |
fd8b60 |
realm.kinit(realm.user_princ,
|
|
Packit |
fd8b60 |
flags=['-X', 'X509_user_identity=%s' % file_identity])
|
|
Packit |
fd8b60 |
realm.klist(realm.user_princ)
|
|
Packit |
fd8b60 |
realm.run([kvno, realm.host_princ])
|
|
Packit |
fd8b60 |
realm.run(['./adata', realm.host_princ],
|
|
Packit |
fd8b60 |
expected_msg='+97: [test1, test2, user, indpkinit1, indpkinit2]')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Let the test module mismatch with user2 to CN=user.
|
|
Packit |
fd8b60 |
realm.addprinc("user2@KRBTEST.COM")
|
|
Packit |
fd8b60 |
out = realm.kinit("user2@KRBTEST.COM",
|
|
Packit |
fd8b60 |
flags=['-X', 'X509_user_identity=%s' % file_identity],
|
|
Packit |
fd8b60 |
expected_code=1,
|
|
Packit |
fd8b60 |
expected_msg='kinit: Certificate mismatch')
|
|
Packit |
fd8b60 |
|
|
rpm-build |
b17877 |
# Test the KRB5_CERTAUTH_HWAUTH return code.
|
|
rpm-build |
b17877 |
mark('hw-authent flag tests')
|
|
rpm-build |
b17877 |
# First test +requires_hwauth without causing the hw-authent ticket
|
|
rpm-build |
b17877 |
# flag to be set. This currently results in a preauth loop.
|
|
rpm-build |
b17877 |
realm.run([kadminl, 'modprinc', '+requires_hwauth', realm.user_princ])
|
|
rpm-build |
b17877 |
realm.kinit(realm.user_princ,
|
|
rpm-build |
b17877 |
flags=['-X', 'X509_user_identity=%s' % file_identity],
|
|
rpm-build |
b17877 |
expected_code=1, expected_msg='Looping detected')
|
|
rpm-build |
b17877 |
# Cause the test2 module to return KRB5_CERTAUTH_HWAUTH and try again.
|
|
rpm-build |
b17877 |
realm.run([kadminl, 'setstr', realm.user_princ, 'hwauth', 'x'])
|
|
rpm-build |
b17877 |
realm.kinit(realm.user_princ,
|
|
rpm-build |
b17877 |
flags=['-X', 'X509_user_identity=%s' % file_identity])
|
|
rpm-build |
b17877 |
|
|
Packit |
fd8b60 |
success("certauth tests")
|