Blame src/tests/t_kdcoptions.py

from k5test import *
import re
# KDC option test coverage notes:
#
# FORWARDABLE              here
# FORWARDED                no test
# PROXIABLE                here
# PROXY                    no test
# ALLOW_POSTDATE           no test
# POSTDATED                no test
# RENEWABLE                t_renew.py
# CNAME_IN_ADDL_TKT        gssapi/t_s4u.py
# CANONICALIZE             t_kdb.py and various other tests
# REQUEST_ANONYMOUS        t_pkinit.py
# DISABLE_TRANSITED_CHECK  no test
# RENEWABLE_OK             t_renew.py
# ENC_TKT_IN_SKEY          t_u2u.py
# RENEW                    t_renew.py
# VALIDATE                 no test
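# Run klist -f and return the flags on the ticket for svcprinc, as the
# string of flag letters captured from the "Flags: " field.  The field
# is read from the line that follows the first klist line ending with
# svcprinc.  If no such ticket line is seen, or the following line has
# no Flags field, the test is failed with an explicit message instead
# of returning None or raising IndexError.
def get_flags(realm, svcprinc):
    grab_flags = False
    for line in realm.run([klist, '-f']).splitlines():
        if grab_flags:
            m = re.search(r'Flags: ([a-zA-Z]*)', line)
            if m is None:
                # fail() is assumed not to return -- TODO confirm.
                fail('no Flags field on the klist line after ' + svcprinc)
            return m.group(1)
        # NOTE(review): this is a suffix match, so a ticket for another
        # principal whose name merely ends with svcprinc would also be
        # selected.  Adequate for the principals used in this script.
        grab_flags = line.endswith(svcprinc)
    fail('no ticket flags found for ' + svcprinc)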
# Look up the flags on the ticket for svcprinc and fail the test if
# expected_flag is missing from them or expected_noflag is present.
# Pass None for either argument to skip that half of the check.
def check_flags(realm, svcprinc, expected_flag, expected_noflag):
    ticket_flags = get_flags(realm, svcprinc)
    must_have = expected_flag is not None
    must_lack = expected_noflag is not None
    # ticket_flags is whatever get_flags returned; the "in" tests below
    # are applied to it directly.
    if must_have and expected_flag not in ticket_flags:
        fail('expected flag ' + expected_flag)
    if must_lack and expected_noflag in ticket_flags:
        fail('did not expect flag ' + expected_noflag)
# Obtain initial credentials for the user principal, passing flags
# through to realm.kinit, then check the flags on the ticket for
# realm.krbtgt_princ (the TGT) against expected_flag/expected_noflag.
def kinit_check_flags(realm, flags, expected_flag, expected_noflag):
    client = realm.user_princ
    realm.kinit(client, password('user'), flags)
    tgt_service = realm.krbtgt_princ
    check_flags(realm, tgt_service, expected_flag, expected_noflag)
# Obtain initial credentials for the user principal with kflags, run
# ./gcred with gflags to get a ticket for the host principal, and then
# check the flags on that host ticket.
def gcred_check_flags(realm, kflags, gflags, expected_flag, expected_noflag):
    realm.kinit(realm.user_princ, password('user'), kflags)
    # 'unknown' is presumably gcred's name-type argument -- TODO confirm
    # against the gcred source.
    target = ['unknown', realm.host_princ]
    command = ['./gcred'] + gflags + target
    realm.run(command)
    check_flags(realm, realm.host_princ, expected_flag, expected_noflag)
realm = K5Realm()

# The AS checks assert that the TGT is proxiable only when kinit asks
# for it (-p) and allow_proxiable is set on both the client principal
# and the krbtgt principal.
mark('proxiable (AS)')
kinit_check_flags(realm, [], None, 'P')
kinit_check_flags(realm, ['-p'], 'P', None)
for princ in (realm.user_princ, realm.krbtgt_princ):
    # Clear the attribute on one principal at a time, confirm that the
    # -p request no longer yields the flag, then restore the attribute
    # so later checks start from the default policy.
    realm.run([kadminl, 'modprinc', '-allow_proxiable', princ])
    kinit_check_flags(realm, ['-p'], None, 'P')
    realm.run([kadminl, 'modprinc', '+allow_proxiable', princ])

# The host ticket should be proxiable only when the TGT it was obtained
# with is proxiable.
mark('proxiable (TGS)')
gcred_check_flags(realm, [], [], None, 'P')
gcred_check_flags(realm, ['-p'], [], 'P', None)

# Not tested: PROXIABLE option set with a non-proxiable TGT (because
# there is no krb5_get_credentials() flag to request this; would
# expect a non-proxiable ticket).

# Not tested: proxiable TGT but PROXIABLE flag not set (because we
# internally set the PROXIABLE option when using a proxiable TGT;
# would expect a non-proxiable ticket).

# Same policy checks for the forwardable flag: requested with kinit -f
# and permitted by allow_forwardable on both principals.
mark('forwardable (AS)')
kinit_check_flags(realm, [], None, 'F')
kinit_check_flags(realm, ['-f'], 'F', None)
for princ in (realm.user_princ, realm.krbtgt_princ):
    realm.run([kadminl, 'modprinc', '-allow_forwardable', princ])
    kinit_check_flags(realm, ['-f'], None, 'F')
    realm.run([kadminl, 'modprinc', '+allow_forwardable', princ])

mark('forwardable (TGS)')
# gcred_check_flags runs kinit itself before each check; this extra
# kinit without flags is kept as in the original script.
realm.kinit(realm.user_princ, password('user'))
gcred_check_flags(realm, [], [], None, 'F')
# Passing -f to gcred with a non-forwardable TGT must not produce a
# forwardable host ticket.
gcred_check_flags(realm, [], ['-f'], None, 'F')
gcred_check_flags(realm, ['-f'], [], 'F', None)

# Not tested: forwardable TGT but FORWARDABLE flag not set (because we
# internally set the FORWARDABLE option when using a forwardable TGT;
# would expect a non-forwardable ticket).

success('KDC option tests')