from k5test import *
import re
# KDC option test coverage notes:
#
# FORWARDABLE here
# FORWARDED no test
# PROXIABLE here
# PROXY no test
# ALLOW_POSTDATE no test
# POSTDATED no test
# RENEWABLE t_renew.py
# CNAME_IN_ADDL_TKT gssapi/t_s4u.py
# CANONICALIZE t_kdb.py and various other tests
# REQUEST_ANONYMOUS t_pkinit.py
# DISABLE_TRANSITED_CHECK no test
# RENEWABLE_OK t_renew.py
# ENC_TKT_IN_SKEY t_u2u.py
# RENEW t_renew.py
# VALIDATE no test
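# Run klist -f and return the flags on the ticket for svcprinc, as the
# string of flag letters that follows "Flags: " on the line after the
# ticket's entry.
#
# realm is the test realm object whose run() method executes a command
# and returns its output; svcprinc is the service principal name that
# the ticket's entry line is expected to end with.
#
# If no entry line ends with svcprinc, or the line after it carries no
# "Flags: " field, the test is failed with an explicit message.  The
# callers assert that a flag is absent as well as present, so a parse
# miss must stop the test rather than surface as an unrelated
# exception (or a None result) further down.
def get_flags(realm, svcprinc):
    grab_flags = False
    for line in realm.run([klist, '-f']).splitlines():
        if grab_flags:
            # This is the line immediately after the ticket's entry.
            m = re.search(r'Flags: ([a-zA-Z]*)', line)
            if m is None:
                fail('no flags listed for ticket ' + svcprinc)
            return m.group(1)
        # Remember whether this line is the entry for svcprinc, so that
        # the next iteration reads its flags.
        grab_flags = line.endswith(svcprinc)
    # Either svcprinc was never listed or it was on the last line.
    fail('no ticket flags found for ' + svcprinc)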
# Look up the flags on the ticket for svcprinc (via get_flags) and
# verify two independent conditions:
#   - expected_flag, when not None, must appear in the flags;
#   - expected_noflag, when not None, must not appear in the flags.
# Either argument may be None to skip that half of the check.  A
# violated condition is reported through fail().  The callers in this
# file pass single flag letters such as 'P' and 'F'.
def check_flags(realm, svcprinc, expected_flag, expected_noflag):
    ticket_flags = get_flags(realm, svcprinc)

    # Positive assertion: the ticket was supposed to carry this flag.
    if expected_flag is not None:
        if expected_flag not in ticket_flags:
            fail('expected flag ' + expected_flag)

    # Negative assertion: policy or the request should have kept this
    # flag off the ticket.
    if expected_noflag is not None:
        if expected_noflag in ticket_flags:
            fail('did not expect flag ' + expected_noflag)
# Get initial credentials for the realm's user principal by running
# kinit with the given extra flags, then check the flags on the
# resulting TGT (the ticket for realm.krbtgt_princ).  expected_flag and
# expected_noflag are passed through to check_flags; either may be
# None.
def kinit_check_flags(realm, flags, expected_flag, expected_noflag):
    user_password = password('user')
    realm.kinit(realm.user_princ, user_password, flags)
    tgt_princ = realm.krbtgt_princ
    check_flags(realm, tgt_princ, expected_flag, expected_noflag)
# Run kinit with kflags to get a TGT for the user principal.  Then run
# the ./gcred helper with gflags to get credentials for the host
# principal, and check the flags on the resulting host ticket.
# expected_flag and expected_noflag are passed through to check_flags;
# either may be None.
def gcred_check_flags(realm, kflags, gflags, expected_flag, expected_noflag):
    realm.kinit(realm.user_princ, password('user'), kflags)

    # gcred is invoked as: ./gcred <gflags...> unknown <host principal>.
    # NOTE(review): 'unknown' is presumably the name-type argument that
    # gcred expects -- confirm against gcred's usage.
    gcred_cmd = ['./gcred'] + gflags
    gcred_cmd += ['unknown', realm.host_princ]
    realm.run(gcred_cmd)

    check_flags(realm, realm.host_princ, expected_flag, expected_noflag)
realm = K5Realm()

# AS checks for PROXIABLE: the TGT must not be proxiable unless kinit
# asks for it with -p, and must stay non-proxiable even when asked if
# either the client principal or the krbtgt principal has
# allow_proxiable cleared.  The attribute is set again after each
# check so that the following sections run against the default policy.
mark('proxiable (AS)')
kinit_check_flags(realm, [], None, 'P')
kinit_check_flags(realm, ['-p'], 'P', None)
for princ in (realm.user_princ, realm.krbtgt_princ):
    realm.run([kadminl, 'modprinc', '-allow_proxiable', princ])
    kinit_check_flags(realm, ['-p'], None, 'P')
    realm.run([kadminl, 'modprinc', '+allow_proxiable', princ])

# TGS checks for PROXIABLE: the host ticket is proxiable only when the
# TGT it was obtained with is proxiable.
mark('proxiable (TGS)')
gcred_check_flags(realm, [], [], None, 'P')      # non-proxiable TGT
gcred_check_flags(realm, ['-p'], [], 'P', None)  # proxiable TGT

# Not tested: PROXIABLE option set with a non-proxiable TGT (because
# there is no krb5_get_credentials() flag to request this; would
# expect a non-proxiable ticket).

# Not tested: proxiable TGT but PROXIABLE flag not set (because we
# internally set the PROXIABLE option when using a proxiable TGT;
# would expect a non-proxiable ticket).

# AS checks for FORWARDABLE, in the same shape as the PROXIABLE ones:
# absent by default, present with kinit -f, and withheld when
# allow_forwardable is cleared on the client or the krbtgt principal.
mark('forwardable (AS)')
kinit_check_flags(realm, [], None, 'F')
kinit_check_flags(realm, ['-f'], 'F', None)
for princ in (realm.user_princ, realm.krbtgt_princ):
    realm.run([kadminl, 'modprinc', '-allow_forwardable', princ])
    kinit_check_flags(realm, ['-f'], None, 'F')
    realm.run([kadminl, 'modprinc', '+allow_forwardable', princ])

mark('forwardable (TGS)')
# NOTE(review): gcred_check_flags runs kinit itself before each check,
# so this kinit looks redundant; it is kept to preserve the original
# command sequence.
realm.kinit(realm.user_princ, password('user'))
# Non-forwardable TGT, nothing extra passed to gcred: no F.
gcred_check_flags(realm, [], [], None, 'F')
# Non-forwardable TGT with -f passed to gcred: still no F, i.e. the
# service ticket must not gain a flag that the TGT lacks.
# NOTE(review): gcred's -f presumably requests the FORWARDABLE option
# -- confirm against gcred's usage.
gcred_check_flags(realm, [], ['-f'], None, 'F')
# Forwardable TGT: the host ticket is forwardable.
gcred_check_flags(realm, ['-f'], [], 'F', None)

# Not tested: forwardable TGT but FORWARDABLE flag not set (because we
# internally set the FORWARDABLE option when using a forwardable TGT;
# would expect a non-forwardable ticket).

success('KDC option tests')