from k5test import *
from datetime import datetime
import re
# Locate the test preauth and KDC policy plugin modules in the build tree.
plugin_root = os.path.join(buildtop, 'plugins')
testpreauth = os.path.join(plugin_root, 'preauth', 'test', 'test.so')
testpolicy = os.path.join(plugin_root, 'kdcpolicy', 'test',
                          'kdcpolicy_test.so')

# Register the test modules under the name "test": the preauth module on
# both the KDC and client side, and the policy module on the KDC.
preauth_spec = 'test:' + testpreauth
policy_spec = 'test:' + testpolicy
krb5_conf = {
    'plugins': {
        'kdcpreauth': {'module': preauth_spec},
        'clpreauth': {'module': preauth_spec},
        'kdcpolicy': {'module': policy_spec},
    },
}

# Every principal requires preauthentication, and renewable lifetimes are
# allowed up to one day in the realm configuration.
kdc_conf = {
    'realms': {
        '$realm': {
            'default_principal_flags': '+preauth',
            'max_renewable_life': '1d',
        },
    },
}

realm = K5Realm(krb5_conf=krb5_conf, kdc_conf=kdc_conf)

# Principal used by the rejection tests at the end of the script.
realm.run([kadminl, 'addprinc', '-pw', password('fail'), 'fail'])
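def verify_time(out, target_time):
    """Check the ticket lifetimes printed in *out* against *target_time*.

    *out* is scanned for ``mm/dd/yy HH:MM:SS`` timestamps, which are read
    in groups of three as (start, end, renew-until).  For the first group
    both end - start and renew - end must print as *target_time*; for
    every later group the same spans are doubled before comparison, since
    service tickets should have half the lifetime of initial tickets.

    fail() is called when a span does not match, when no timestamp is
    found, or when the timestamps do not form complete groups of three.
    The last two checks keep the lifetime assertion from passing
    vacuously if the output format changes or the cache is empty.
    """
    stamps = [datetime.strptime(text, '%m/%d/%y %H:%M:%S')
              for text in re.findall(r'\d\d/\d\d/\d\d \d\d:\d\d:\d\d', out)]

    # A policy check that inspected zero tickets has verified nothing.
    if not stamps:
        fail('no ticket times found in klist output')
    if len(stamps) % 3 != 0:
        fail('unexpected number of ticket times in klist output')

    for offset in range(0, len(stamps), 3):
        starttime, endtime, renewtime = stamps[offset:offset + 3]

        # Service tickets should have half the lifetime of initial
        # tickets, so only the first group is compared undoubled.
        divisor = 1 if offset == 0 else 2

        if str((endtime - starttime) * divisor) != target_time:
            fail('unexpected lifetime value')
        if str((renewtime - endtime) * divisor) != target_time:
            fail('unexpected renewable value')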
# Ask for more than the tests expect to receive (1d renewable, 12h
# lifetime), so the lifetimes checked below cannot simply be an echo of
# the client's request.
rflags = ['-r', '1d', '-l', '12h']

# Test the AS+TGS success path twice with different indicator values.
# Each case: get initial creds with the indicator, get a service ticket,
# check the indicator shows up in the service ticket's authdata, then
# check the lifetimes klist reports for both tickets.
success_cases = (
    ('indicators=SEVEN_HOURS', '+97: [SEVEN_HOURS]', '7:00:00'),
    ('indicators=ONE_HOUR', '+97: [ONE_HOUR]', '1:00:00'),
)
for indicator_opt, adata_msg, lifetime in success_cases:
    realm.kinit(realm.user_princ, password('user'),
                rflags + ['-X', indicator_opt])
    realm.run([kvno, realm.host_princ])
    realm.run(['./adata', realm.host_princ], expected_msg=adata_msg)
    out = realm.run([klist, '-e', realm.ccache])
    verify_time(out, lifetime)

reject_msg = 'KDC policy rejects request'

# Test TGS failure path (using previous creds).  This relies on the
# ccache still holding the credentials from the last kinit above.
realm.run([kvno, 'fail@%s' % realm.realm], expected_code=1,
          expected_msg=reject_msg)

# Test AS failure path.
realm.kinit('fail@%s' % realm.realm, password('fail'),
            expected_code=1, expected_msg=reject_msg)

success('kdcpolicy tests')