from k5test import *
import os
# Test realm for the kadmin ACL checks.  create_host=False and
# create_user=False are passed so the realm starts without those default
# principals; every principal this script needs is added explicitly.
realm = K5Realm(create_host=False, create_user=False)
def make_client(name):
    """Create principal *name* and obtain a kadmin/admin ticket for it.

    The principal is added with the password returned by password(name),
    then kinit requests a ticket for the kadmin/admin service ('-S') into a
    dedicated credential cache ('-c') under realm.testdir.

    Returns the path of that credential cache, which kadmin_as() passes to
    kadmin so a query runs with this principal's identity.
    """
    realm.addprinc(name, password(name))
    # Principal names may contain '/' (e.g. 'user/admin'); flatten it so the
    # cache is a single file directly inside the test directory.
    cache_file = 'kadmin_ccache_' + name.replace('/', '_')
    cache_path = os.path.join(realm.testdir, cache_file)
    kinit_flags = ['-S', 'kadmin/admin', '-c', cache_path]
    realm.kinit(name, password(name), flags=kinit_flags)
    return cache_path
def kadmin_as(client, query, **kwargs):
    """Run a kadmin *query* using the credential cache *client*.

    *client* is a ccache path as returned by make_client(); *query* is the
    list of kadmin arguments.  Extra keyword arguments (the callers in this
    script use expected_code and expected_msg) are forwarded unchanged to
    realm.run(), whose return value is returned.
    """
    command = [kadmin, '-c', client] + query
    return realm.run(command, **kwargs)
# One client principal per line of the ACL file written further down.  Each
# variable holds the path of a credential cache containing that principal's
# kadmin/admin ticket (see make_client).

# all_*: the ACL grants the privilege on any target principal.
all_add = make_client('all_add')
all_changepw = make_client('all_changepw')
all_delete = make_client('all_delete')
all_inquire = make_client('all_inquire')
all_list = make_client('all_list')
all_modify = make_client('all_modify')
all_rename = make_client('all_rename')
all_wildcard = make_client('all_wildcard')
all_extract = make_client('all_extract')
# some_*: the ACL grants the privilege only on named targets ('selected',
# or 'from'/'to' for some_rename).
some_add = make_client('some_add')
some_changepw = make_client('some_changepw')
some_delete = make_client('some_delete')
some_inquire = make_client('some_inquire')
some_modify = make_client('some_modify')
some_rename = make_client('some_rename')
# restricted_*: the ACL grants the privilege on any target ('*') but
# attaches the '+preauth' restriction.
restricted_add = make_client('restricted_add')
restricted_modify = make_client('restricted_modify')
restricted_rename = make_client('restricted_rename')
# Clients for the wildcard, back-reference and restriction ACL lines.
# 'none' matches no ACL line, so it is the unprivileged baseline; note that
# the variable is named `none`, not the builtin None.
wctarget = make_client('wctarget')
admin = make_client('user/admin')
none = make_client('none')
restrictions = make_client('restrictions')
onetwothreefour = make_client('one/two/three/four')
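# Policy with a one-day minimum password life.  It is used by the cpw and
# getpol checks and is named by the "restrictions a type1 -policy minlife"
# ACL line below.
realm.run([kadminl, 'addpol', '-minlife', '1 day', 'minlife'])

# Write the ACL file under test before kadmind is started.  Each line is
# "<client principal> <privilege letters> [<target> [<restrictions>]]".
# Letters used here: a=add, c=change password, d=delete, e=extract keys,
# i=inquire, l=list, m=modify, x=wildcard privilege (the 'extract' checks
# later in this script show that x does not include e).  "*N" in a target
# refers back to the N-th wildcard matched in the client name.
#
# A context manager is used so the file is flushed and closed even if the
# write raises; a partially written ACL must not be what kadmind loads.
with open(os.path.join(realm.testdir, 'acl'), 'w') as f:
    f.write('''
all_add a
all_changepw c
all_delete d
all_inquire i
all_list l
all_modify im
all_rename ad
all_wildcard x
all_extract ie
some_add a selected
some_changepw c selected
some_delete d selected
some_inquire i selected
some_modify im selected
some_rename d from
some_rename a to
restricted_add a * +preauth
restricted_modify im * +preauth
restricted_rename ad * +preauth

*/* d *2/*1
# The next line is a regression test for #8154; it is not used directly.
one/*/*/five l
*/two/*/* d *3/*1/*2
*/admin a
wctarget a wild/*
restrictions a type1 -policy minlife
restrictions a type2 -clearpolicy
restrictions a type3 -maxlife 1h -maxrenewlife 2h
''')

# Start kadmind only after the ACL file is complete.
realm.start_kadmind()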
# cpw can generate four different RPC calls depending on options.
# The nested loops cover all four combinations (-pw or -randkey, with or
# without an explicit -e enctype) so the authorization check is exercised
# on every code path, not just the default one.
realm.addprinc('selected', 'oldpw')
realm.addprinc('unselected', 'oldpw')
for pw in (['-pw', 'newpw'], ['-randkey']):
    for ks in ([], ['-e', 'aes256-cts']):
        mark('cpw: %s %s' % (repr(pw), repr(ks)))
        args = pw + ks
        # Allowed: 'c' on any target, and 'c' on the one named target.
        kadmin_as(all_changepw, ['cpw'] + args + ['unselected'])
        kadmin_as(some_changepw, ['cpw'] + args + ['selected'])
        # Denied: no ACL entry at all, and a target outside the entry's
        # target restriction.
        msg = "Operation requires ``change-password'' privilege"
        kadmin_as(none, ['cpw'] + args + ['selected'], expected_code=1,
                  expected_msg=msg)
        kadmin_as(some_changepw, ['cpw'] + args + ['unselected'],
                  expected_code=1, expected_msg=msg)
        # Self-service: a principal with no ACL entry may change its own
        # key ...
        kadmin_as(none, ['cpw'] + args + ['none'])
        # ... but the self-service path is still bound by the password
        # policy's minimum life.
        realm.run([kadminl, 'modprinc', '-policy', 'minlife', 'none'])
        msg = "Current password's minimum life has not expired"
        kadmin_as(none, ['cpw'] + args + ['none'], expected_code=1,
                  expected_msg=msg)
        # Clear the policy again so the next iteration's self-service
        # change is expected to succeed.
        realm.run([kadminl, 'modprinc', '-clearpolicy', 'none'])
# Clean up with kadmin.local (kadminl), which edits the database directly
# rather than going through kadmind and its ACL.
realm.run([kadminl, 'delprinc', 'selected'])
realm.run([kadminl, 'delprinc', 'unselected'])
# Adding a policy needs the 'a' privilege.  The policy is removed again
# with kadmin.local before the negative check, so the second addpol can
# only fail because of authorization, not because the policy exists.
mark('addpol')
kadmin_as(all_add, ['addpol', 'policy'])
realm.run([kadminl, 'delpol', 'policy'])
kadmin_as(none, ['addpol', 'policy'], expected_code=1,
          expected_msg="Operation requires ``add'' privilege")
# addprinc can generate two different RPC calls depending on options.
# Both variants (with and without -e) are checked against the same ACL
# expectations.
for ks in ([], ['-e', 'aes256-cts']):
    mark('addprinc: %s' % repr(ks))
    args = ['-pw', 'pw'] + ks
    # Allowed: 'a' on any target, and 'a' on the named target 'selected'.
    kadmin_as(all_add, ['addprinc'] + args + ['unselected'])
    realm.run([kadminl, 'delprinc', 'unselected'])
    kadmin_as(some_add, ['addprinc'] + args + ['selected'])
    realm.run([kadminl, 'delprinc', 'selected'])
    # Allowed with restriction: the '+preauth' restriction on the ACL entry
    # must be applied to the new principal even though the client did not
    # ask for it.
    kadmin_as(restricted_add, ['addprinc'] + args + ['unselected'])
    realm.run([kadminl, 'getprinc', 'unselected'],
              expected_msg='REQUIRES_PRE_AUTH')
    realm.run([kadminl, 'delprinc', 'unselected'])
    # Denied: no ACL entry, and a target outside the entry's restriction.
    kadmin_as(none, ['addprinc'] + args + ['selected'], expected_code=1,
              expected_msg="Operation requires ``add'' privilege")
    kadmin_as(some_add, ['addprinc'] + args + ['unselected'], expected_code=1,
              expected_msg="Operation requires ``add'' privilege")
# Deleting a principal needs 'd', either on any target (all_delete) or on
# the specific target (some_delete -> 'selected').
mark('delprinc')
realm.addprinc('unselected', 'pw')
kadmin_as(all_delete, ['delprinc', 'unselected'])
realm.addprinc('selected', 'pw')
kadmin_as(some_delete, ['delprinc', 'selected'])
# Negative cases: the target must still exist afterwards, so it is removed
# with kadmin.local at the end.
realm.addprinc('unselected', 'pw')
kadmin_as(none, ['delprinc', 'unselected'], expected_code=1,
          expected_msg="Operation requires ``delete'' privilege")
kadmin_as(some_delete, ['delprinc', 'unselected'], expected_code=1,
          expected_msg="Operation requires ``delete'' privilege")
realm.run([kadminl, 'delprinc', 'unselected'])
# Reading a policy needs 'i'.  A principal without that privilege is
# refused, except while the policy is assigned to the principal itself:
# after 'minlife' is attached to 'none', the same getpol succeeds.
mark('getpol')
kadmin_as(all_inquire, ['getpol', 'minlife'], expected_msg='Policy: minlife')
kadmin_as(none, ['getpol', 'minlife'], expected_code=1,
          expected_msg="Operation requires ``get'' privilege")
realm.run([kadminl, 'modprinc', '-policy', 'minlife', 'none'])
kadmin_as(none, ['getpol', 'minlife'], expected_msg='Policy: minlife')
# Detach the policy again so later sections see 'none' without a policy.
realm.run([kadminl, 'modprinc', '-clearpolicy', 'none'])
# Reading a principal entry needs 'i' on the target; the only access
# allowed without an ACL entry is a principal reading its own entry.
mark('getprinc')
realm.addprinc('selected', 'pw')
realm.addprinc('unselected', 'pw')
kadmin_as(all_inquire, ['getprinc', 'unselected'],
          expected_msg='Principal: unselected@KRBTEST.COM')
kadmin_as(some_inquire, ['getprinc', 'selected'],
          expected_msg='Principal: selected@KRBTEST.COM')
# Denied: no ACL entry, and a target outside the entry's restriction.
kadmin_as(none, ['getprinc', 'selected'], expected_code=1,
          expected_msg="Operation requires ``get'' privilege")
kadmin_as(some_inquire, ['getprinc', 'unselected'], expected_code=1,
          expected_msg="Operation requires ``get'' privilege")
# Self-service read of the caller's own entry.
kadmin_as(none, ['getprinc', 'none'],
          expected_msg='Principal: none@KRBTEST.COM')
realm.run([kadminl, 'delprinc', 'selected'])
realm.run([kadminl, 'delprinc', 'unselected'])
# Enumerating principals needs 'l'; the positive case looks for the K/M
# principal in the listing, the negative case expects a refusal.
mark('listprincs')
kadmin_as(all_list, ['listprincs'], expected_msg='K/M@KRBTEST.COM')
kadmin_as(none, ['listprincs'], expected_code=1,
          expected_msg="Operation requires ``list'' privilege")
# Reading string attributes is authorized like getprinc: 'i' on the
# target, or the caller reading its own attributes.
mark('getstrs')
realm.addprinc('selected', 'pw')
realm.addprinc('unselected', 'pw')
# Set the attributes with kadmin.local so this section tests only reads.
realm.run([kadminl, 'setstr', 'selected', 'key', 'value'])
realm.run([kadminl, 'setstr', 'unselected', 'key', 'value'])
kadmin_as(all_inquire, ['getstrs', 'unselected'], expected_msg='key: value')
kadmin_as(some_inquire, ['getstrs', 'selected'], expected_msg='key: value')
# Denied: no ACL entry, and a target outside the entry's restriction.
kadmin_as(none, ['getstrs', 'selected'], expected_code=1,
          expected_msg="Operation requires ``get'' privilege")
kadmin_as(some_inquire, ['getstrs', 'unselected'], expected_code=1,
          expected_msg="Operation requires ``get'' privilege")
# Self-service read succeeds; 'none' simply has no attributes set.
kadmin_as(none, ['getstrs', 'none'], expected_msg='(No string attributes.)')
realm.run([kadminl, 'delprinc', 'selected'])
realm.run([kadminl, 'delprinc', 'unselected'])
# Modifying a policy needs 'm'.  The privileged call is expected to exit
# with 1 anyway (presumably because 'policy' was deleted with delpol in the
# addpol section), so the check is on the *reason*: the output must not be
# an authorization error.  The unprivileged call must be refused by the ACL.
mark('modpol')
out = kadmin_as(all_modify, ['modpol', '-maxlife', '1 hour', 'policy'],
                expected_code=1)
if 'Operation requires' in out:
    fail('modpol success (acl)')
kadmin_as(none, ['modpol', '-maxlife', '1 hour', 'policy'], expected_code=1,
          expected_msg="Operation requires ``modify'' privilege")
# Modifying a principal needs 'm' on the target.
mark('modprinc')
realm.addprinc('selected', 'pw')
realm.addprinc('unselected', 'pw')
kadmin_as(all_modify, ['modprinc', '-maxlife', '1 hour', 'unselected'])
kadmin_as(some_modify, ['modprinc', '-maxlife', '1 hour', 'selected'])
# The '+preauth' restriction on restricted_modify's ACL entry must be
# applied to the target even though the request only changed -maxlife.
kadmin_as(restricted_modify, ['modprinc', '-maxlife', '1 hour', 'unselected'])
realm.run([kadminl, 'getprinc', 'unselected'],
          expected_msg='REQUIRES_PRE_AUTH')
# Denied: inquire alone does not imply modify, and some_modify's entry
# does not cover 'unselected'.
kadmin_as(all_inquire, ['modprinc', '-maxlife', '1 hour', 'selected'],
          expected_code=1,
          expected_msg="Operation requires ``modify'' privilege")
kadmin_as(some_modify, ['modprinc', '-maxlife', '1 hour', 'unselected'],
          expected_code=1, expected_msg='Operation requires')
realm.run([kadminl, 'delprinc', 'selected'])
realm.run([kadminl, 'delprinc', 'unselected'])
# Purging old keys needs 'm' on the target, with a self-service exception:
# a principal with no ACL entry may purge its own old keys.
mark('purgekeys')
realm.addprinc('selected', 'pw')
realm.addprinc('unselected', 'pw')
kadmin_as(all_modify, ['purgekeys', 'unselected'])
kadmin_as(some_modify, ['purgekeys', 'selected'])
# Denied: no ACL entry, and a target outside the entry's restriction.
kadmin_as(none, ['purgekeys', 'selected'], expected_code=1,
          expected_msg="Operation requires ``modify'' privilege")
kadmin_as(some_modify, ['purgekeys', 'unselected'], expected_code=1,
          expected_msg="Operation requires ``modify'' privilege")
# Self-service purge of the caller's own keys.
kadmin_as(none, ['purgekeys', 'none'])
realm.run([kadminl, 'delprinc', 'selected'])
realm.run([kadminl, 'delprinc', 'unselected'])
# Renaming needs both halves: 'd' on the old name and 'a' on the new name.
# all_rename holds 'ad' on any target; some_rename holds 'd' on 'from' and
# 'a' on 'to' only.
mark('renprinc')
realm.addprinc('from', 'pw')
kadmin_as(all_rename, ['renprinc', 'from', 'to'])
realm.run([kadminl, 'renprinc', 'to', 'from'])
kadmin_as(some_rename, ['renprinc', 'from', 'to'])
realm.run([kadminl, 'renprinc', 'to', 'from'])
# Denied: only one of the two required privileges.
kadmin_as(all_add, ['renprinc', 'from', 'to'], expected_code=1,
          expected_msg="Insufficient authorization for operation")
kadmin_as(all_delete, ['renprinc', 'from', 'to'], expected_code=1,
          expected_msg="Insufficient authorization for operation")
# Denied: new name outside the 'a' target, then old name outside the 'd'
# target.
kadmin_as(some_rename, ['renprinc', 'from', 'notto'], expected_code=1,
          expected_msg="Insufficient authorization for operation")
realm.run([kadminl, 'renprinc', 'from', 'notfrom'])
kadmin_as(some_rename, ['renprinc', 'notfrom', 'to'], expected_code=1,
          expected_msg="Insufficient authorization for operation")
# Denied: restricted_rename holds 'ad' on '*', but its entry carries the
# '+preauth' restriction; the test asserts that such an entry does not
# authorize a rename.
kadmin_as(restricted_rename, ['renprinc', 'notfrom', 'to'], expected_code=1,
          expected_msg="Insufficient authorization for operation")
realm.run([kadminl, 'delprinc', 'notfrom'])
# Writing string attributes needs 'm' on the target.  Unlike getstrs, no
# self-service case is exercised here.
mark('setstr')
realm.addprinc('selected', 'pw')
realm.addprinc('unselected', 'pw')
kadmin_as(all_modify, ['setstr', 'unselected', 'key', 'value'])
kadmin_as(some_modify, ['setstr', 'selected', 'key', 'value'])
# Denied: no ACL entry, and a target outside the entry's restriction.
kadmin_as(none, ['setstr', 'selected', 'key', 'value'], expected_code=1,
          expected_msg="Operation requires ``modify'' privilege")
kadmin_as(some_modify, ['setstr', 'unselected', 'key', 'value'],
          expected_code=1, expected_msg='Operation requires')
realm.run([kadminl, 'delprinc', 'selected'])
realm.run([kadminl, 'delprinc', 'unselected'])
# Wildcards and back-references in ACL lines.
mark('addprinc/delprinc (wildcard)')
# "*/admin a": client 'user/admin' may add any principal.
kadmin_as(admin, ['addprinc', '-pw', 'pw', 'anytarget'])
realm.run([kadminl, 'delprinc', 'anytarget'])
# "wctarget a wild/*": the target wildcard matches exactly one component,
# so 'wild/card' is allowed and 'wild/card/extra' is refused.
kadmin_as(wctarget, ['addprinc', '-pw', 'pw', 'wild/card'])
realm.run([kadminl, 'delprinc', 'wild/card'])
kadmin_as(wctarget, ['addprinc', '-pw', 'pw', 'wild/card/extra'],
          expected_code=1, expected_msg='Operation requires')
# "*/* d *2/*1": 'user/admin' may delete only the target built from its own
# components swapped ('admin/user'); any other target is refused.
realm.addprinc('admin/user', 'pw')
kadmin_as(admin, ['delprinc', 'admin/user'])
kadmin_as(admin, ['delprinc', 'none'], expected_code=1,
          expected_msg='Operation requires')
# "*/two/*/* d *3/*1/*2": back-references count wildcards, not components,
# so client 'one/two/three/four' maps to target 'four/one/three'.
realm.addprinc('four/one/three', 'pw')
kadmin_as(onetwothreefour, ['delprinc', 'four/one/three'])
# ACL restrictions override or cap what the client requests.  Results are
# read back with kadmin.local so the check sees the stored entry.
mark('addprinc (restrictions)')
# type1: "-policy minlife" forces the policy although none was requested.
kadmin_as(restrictions, ['addprinc', '-pw', 'pw', 'type1'])
realm.run([kadminl, 'getprinc', 'type1'], expected_msg='Policy: minlife')
realm.run([kadminl, 'delprinc', 'type1'])
# type2: "-clearpolicy" strips the policy the client asked for.
kadmin_as(restrictions, ['addprinc', '-pw', 'pw', '-policy', 'minlife',
                         'type2'])
realm.run([kadminl, 'getprinc', 'type2'], expected_msg='Policy: [none]')
realm.run([kadminl, 'delprinc', 'type2'])
# type3: "-maxlife 1h -maxrenewlife 2h".  A requested maxlife below the
# limit is kept (1 minute); an unspecified maxrenewlife ends up at 2h.
kadmin_as(restrictions, ['addprinc', '-pw', 'pw', '-maxlife', '1 minute',
                         'type3'])
out = realm.run([kadminl, 'getprinc', 'type3'])
if ('Maximum ticket life: 0 days 00:01:00' not in out or
    'Maximum renewable life: 0 days 02:00:00' not in out):
    fail('restriction (maxlife low, maxrenewlife unspec)')
realm.run([kadminl, 'delprinc', 'type3'])
# A requested maxrenewlife above the limit (1 day) is reduced to 2h.
kadmin_as(restrictions, ['addprinc', '-pw', 'pw', '-maxrenewlife', '1 day',
                         'type3'])
realm.run([kadminl, 'getprinc', 'type3'],
          expected_msg='Maximum renewable life: 0 days 02:00:00')
# Extracting existing keys (ktadd -norandkey) needs the separate 'e'
# privilege.  all_wildcard holds 'x' and is still refused, which pins down
# that the wildcard privilege does not include key extraction.
mark('extract')
realm.run([kadminl, 'addprinc', '-pw', 'pw', 'extractkeys'])
kadmin_as(all_wildcard, ['ktadd', '-norandkey', 'extractkeys'],
          expected_code=1,
          expected_msg="Operation requires ``extract-keys'' privilege")
kadmin_as(all_extract, ['ktadd', '-norandkey', 'extractkeys'])
# kinit -k succeeding shows the keytab holds the principal's current keys.
realm.kinit('extractkeys', flags=['-k'])
# Remove the keytab so the extracted keys do not carry over to later checks.
os.remove(realm.keytab)
# Once +lockdown_keys is set on a principal, kadmind must refuse every
# remote operation that could expose, replace with a known value, or
# discard its keys, regardless of the caller's ACL privileges.
mark('lockdown_keys')
kadmin_as(all_modify, ['modprinc', '+lockdown_keys', 'extractkeys'])
# Setting a caller-chosen password is refused ...
kadmin_as(all_changepw, ['cpw', '-pw', 'newpw', 'extractkeys'],
          expected_code=1,
          expected_msg="Operation requires ``change-password'' privilege")
# ... while rekeying to random keys is still allowed.
kadmin_as(all_changepw, ['cpw', '-randkey', 'extractkeys'])
# Key extraction, deletion and rename are refused.
kadmin_as(all_extract, ['ktadd', '-norandkey', 'extractkeys'], expected_code=1,
          expected_msg="Operation requires ``extract-keys'' privilege")
kadmin_as(all_delete, ['delprinc', 'extractkeys'], expected_code=1,
          expected_msg="Operation requires ``delete'' privilege")
kadmin_as(all_rename, ['renprinc', 'extractkeys', 'renamedprinc'],
          expected_code=1,
          expected_msg="Operation requires ``delete'' privilege")
# The flag cannot be cleared over the network, even with 'm' ...
kadmin_as(all_modify, ['modprinc', '-lockdown_keys', 'extractkeys'],
          expected_code=1,
          expected_msg="Operation requires ``modify'' privilege")
# ... only locally with kadmin.local, after which extraction works again.
realm.run([kadminl, 'modprinc', '-lockdown_keys', 'extractkeys'])
kadmin_as(all_extract, ['ktadd', '-norandkey', 'extractkeys'])
realm.kinit('extractkeys', flags=['-k'])
os.remove(realm.keytab)
# Verify that self-service key changes require an initial ticket.
# A kadmin/admin ticket obtained through the TGS from an existing TGT is
# not proof that the user recently presented their password, so kadmind
# must refuse to let it change the user's own key.
mark('self-service initial ticket')
# Reset the password of 'none' to the known value; earlier sections
# changed its keys.
realm.run([kadminl, 'cpw', '-pw', password('none'), 'none'])
# Permit TGS requests for kadmin/admin so a non-initial ticket can be
# obtained at all (presumably it is disallowed by default - confirm).
realm.run([kadminl, 'modprinc', '+allow_tgs_req', 'kadmin/admin'])
# Get a TGT, then a kadmin/admin service ticket derived from it.
realm.kinit('none', password('none'))
realm.run([kvno, 'kadmin/admin'])
msg = 'Operation requires initial ticket'
# All four cpw variants must be refused when run with realm.ccache.
realm.run([kadmin, '-c', realm.ccache, 'cpw', '-pw', 'newpw', 'none'],
          expected_code=1, expected_msg=msg)
realm.run([kadmin, '-c', realm.ccache, 'cpw', '-pw', 'newpw',
           '-e', 'aes256-cts', 'none'], expected_code=1, expected_msg=msg)
realm.run([kadmin, '-c', realm.ccache, 'cpw', '-randkey', 'none'],
          expected_code=1, expected_msg=msg)
realm.run([kadmin, '-c', realm.ccache, 'cpw', '-randkey', '-e', 'aes256-cts',
           'none'], expected_code=1, expected_msg=msg)

success('kadmin ACL enforcement')