|
Packit |
fd8b60 |
from k5test import *
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Unfortunately, we can't reliably test the k5login module. We can control
|
|
Packit |
fd8b60 |
# the directory where k5login files are read, but we can't suppress the UID
|
|
Packit |
fd8b60 |
# validity check, which might fail in some filesystems for a .k5login file
|
|
Packit |
fd8b60 |
# we create.
|
|
Packit |
fd8b60 |
conf = {'plugins': {'localauth': { 'disable': 'k5login'}}}
|
|
Packit |
fd8b60 |
realm = K5Realm(create_kdb=False, krb5_conf=conf)
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
def test_an2ln(env, aname, result, msg):
|
|
Packit |
fd8b60 |
out = realm.run(['./localauth', aname], env=env)
|
|
Packit |
fd8b60 |
if out != result + '\n':
|
|
Packit |
fd8b60 |
fail(msg)
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
def test_an2ln_err(env, aname, err, msg):
|
|
Packit |
fd8b60 |
realm.run(['./localauth', aname], env=env, expected_code=1,
|
|
Packit |
fd8b60 |
expected_msg=err)
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
def test_userok(env, aname, lname, ok, msg):
|
|
Packit |
fd8b60 |
out = realm.run(['./localauth', aname, lname], env=env)
|
|
Packit |
fd8b60 |
if ((ok and out != 'yes\n') or
|
|
Packit |
fd8b60 |
(not ok and out != 'no\n')):
|
|
Packit |
fd8b60 |
fail(msg)
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# The default an2ln method works only in the default realm, and works
|
|
Packit |
fd8b60 |
# for a single-component principal or a two-component principal where
|
|
Packit |
fd8b60 |
# the second component is the default realm.
|
|
Packit |
fd8b60 |
mark('default')
|
|
Packit |
fd8b60 |
test_an2ln(None, 'user@KRBTEST.COM', 'user', 'default rule 1')
|
|
Packit |
fd8b60 |
test_an2ln(None, 'user/KRBTEST.COM@KRBTEST.COM', 'user', 'default rule 2')
|
|
Packit |
fd8b60 |
test_an2ln_err(None, 'user/KRBTEST.COM/x@KRBTEST.COM', 'No translation',
|
|
Packit |
fd8b60 |
'default rule (3)')
|
|
Packit |
fd8b60 |
test_an2ln_err(None, 'user/X@KRBTEST.COM', 'No translation',
|
|
Packit |
fd8b60 |
'default rule comp mismatch')
|
|
Packit |
fd8b60 |
test_an2ln_err(None, 'user@X', 'No translation', 'default rule realm mismatch')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# auth_to_local_names matches ignore the realm but are case-sensitive.
|
|
Packit |
fd8b60 |
mark('auth_to_local_names')
|
|
Packit |
fd8b60 |
conf_names1 = {'realms': {'$realm': {'auth_to_local_names': {'user': 'abcd'}}}}
|
|
Packit |
fd8b60 |
names1 = realm.special_env('names1', False, conf_names1)
|
|
Packit |
fd8b60 |
test_an2ln(names1, 'user@KRBTEST.COM', 'abcd', 'auth_to_local_names match')
|
|
Packit |
fd8b60 |
test_an2ln(names1, 'user@X', 'abcd', 'auth_to_local_names out-of-realm match')
|
|
Packit |
fd8b60 |
test_an2ln(names1, 'x@KRBTEST.COM', 'x', 'auth_to_local_names mismatch')
|
|
Packit |
fd8b60 |
test_an2ln(names1, 'User@KRBTEST.COM', 'User', 'auth_to_local_names case')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# auth_to_local_names values must be in the default realm's section.
|
|
Packit |
fd8b60 |
conf_names2 = {'realms': {'X': {'auth_to_local_names': {'user': 'abcd'}}}}
|
|
Packit |
fd8b60 |
names2 = realm.special_env('names2', False, conf_names2)
|
|
Packit |
fd8b60 |
test_an2ln_err(names2, 'user@X', 'No translation',
|
|
Packit |
fd8b60 |
'auth_to_local_names section mismatch')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Return a realm environment containing an auth_to_local value (or list).
|
|
Packit |
fd8b60 |
def a2l_realm(name, values):
|
|
Packit |
fd8b60 |
conf = {'realms': {'$realm': {'auth_to_local': values}}}
|
|
Packit |
fd8b60 |
return realm.special_env(name, False, conf)
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Test explicit use of default method.
|
|
Packit |
fd8b60 |
mark('explicit default')
|
|
Packit |
fd8b60 |
auth1 = a2l_realm('auth1', 'DEFAULT')
|
|
Packit |
fd8b60 |
test_an2ln(auth1, 'user@KRBTEST.COM', 'user', 'default rule')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Test some invalid auth_to_local values.
|
|
Packit |
fd8b60 |
mark('auth_to_local invalid')
|
|
Packit |
fd8b60 |
auth2 = a2l_realm('auth2', 'RULE')
|
|
Packit |
fd8b60 |
test_an2ln_err(auth2, 'user@X', 'Improper format', 'null rule')
|
|
Packit |
fd8b60 |
auth3 = a2l_realm('auth3', 'UNRECOGNIZED:stuff')
|
|
Packit |
fd8b60 |
test_an2ln_err(auth3, 'user@X', 'Improper format', 'null rule')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# An empty rule has the default selection string (unparsed principal
|
|
Packit |
fd8b60 |
# without realm) and no match or substitutions.
|
|
Packit |
fd8b60 |
mark('rule (empty)')
|
|
Packit |
fd8b60 |
rule1 = a2l_realm('rule1', 'RULE:')
|
|
Packit |
fd8b60 |
test_an2ln(rule1, 'user@KRBTEST.COM', 'user', 'empty rule')
|
|
Packit |
fd8b60 |
test_an2ln(rule1, 'user@X', 'user', 'empty rule (foreign realm)')
|
|
Packit |
fd8b60 |
test_an2ln(rule1, 'a/b/c@X', 'a/b/c', 'empty rule (multi-component)')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Test explicit selection string. Also test that the default method
|
|
Packit |
fd8b60 |
# is suppressed when auth_to_local values are present.
|
|
Packit |
fd8b60 |
mark('rule (selection string)')
|
|
Packit |
fd8b60 |
rule2 = a2l_realm('rule2', 'RULE:[2:$$0.$$2.$$1]')
|
|
Packit |
fd8b60 |
test_an2ln(rule2, 'aaron/burr@REALM', 'REALM.burr.aaron', 'selection string')
|
|
Packit |
fd8b60 |
test_an2ln_err(rule2, 'user@KRBTEST.COM', 'No translation', 'suppress default')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Test match string.
|
|
Packit |
fd8b60 |
mark('rule (match string)')
|
|
Packit |
fd8b60 |
rule3 = a2l_realm('rule3', 'RULE:(.*tail)')
|
|
Packit |
fd8b60 |
test_an2ln(rule3, 'withtail@X', 'withtail', 'rule match 1')
|
|
Packit |
fd8b60 |
test_an2ln(rule3, 'x/withtail@X', 'x/withtail', 'rule match 2')
|
|
Packit |
fd8b60 |
test_an2ln_err(rule3, 'tails@X', 'No translation', 'rule anchor mismatch')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Test substitutions.
|
|
Packit |
fd8b60 |
mark('rule (substitutions)')
|
|
Packit |
fd8b60 |
rule4 = a2l_realm('rule4', 'RULE:s/birds/bees/')
|
|
Packit |
fd8b60 |
test_an2ln(rule4, 'thebirdsbirdsbirds@X', 'thebeesbirdsbirds', 'subst 1')
|
|
Packit |
fd8b60 |
rule5 = a2l_realm('rule4', 'RULE:s/birds/bees/g s/bees/birds/')
|
|
Packit |
fd8b60 |
test_an2ln(rule4, 'the/birdsbirdsbirds@x', 'the/birdsbeesbees', 'subst 2')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Test a bunch of auth_to_local values and rule features in combination.
|
|
Packit |
fd8b60 |
mark('rule (combo)')
|
|
Packit |
fd8b60 |
combo = a2l_realm('combo', ['RULE:[1:$$1-$$0](fred.*)s/-/ /g',
|
|
Packit |
fd8b60 |
'DEFAULT',
|
|
Packit |
fd8b60 |
'RULE:[3:$$1](z.*z)'])
|
|
Packit |
fd8b60 |
test_an2ln(combo, 'fred@X', 'fred X', 'combo 1')
|
|
Packit |
fd8b60 |
test_an2ln(combo, 'fred-too@X', 'fred too X', 'combo 2')
|
|
Packit |
fd8b60 |
test_an2ln(combo, 'fred@KRBTEST.COM', 'fred KRBTEST.COM', 'combo 3')
|
|
Packit |
fd8b60 |
test_an2ln(combo, 'user@KRBTEST.COM', 'user', 'combo 4')
|
|
Packit |
fd8b60 |
test_an2ln(combo, 'zazz/b/c@X', 'zazz', 'combo 5')
|
|
Packit |
fd8b60 |
test_an2ln_err(combo, 'a/b@KRBTEST.COM', 'No translation', 'combo 6')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Test the an2ln userok method with the combo environment.
|
|
Packit |
fd8b60 |
mark('userok (an2ln)')
|
|
Packit |
fd8b60 |
test_userok(combo, 'fred@X', 'fred X', True, 'combo userok 1')
|
|
Packit |
fd8b60 |
test_userok(combo, 'user@KRBTEST.COM', 'user', True, 'combo userok 2')
|
|
Packit |
fd8b60 |
test_userok(combo, 'user@KRBTEST.COM', 'X', False, 'combo userok 3')
|
|
Packit |
fd8b60 |
test_userok(combo, 'a/b@KRBTEST.COM', 'a/b', False, 'combo userok 4')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
mark('test modules')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Register the two test modules and set up some auth_to_local and
|
|
Packit |
fd8b60 |
# auth_to_local_names entries.
|
|
Packit |
fd8b60 |
modpath = os.path.join(buildtop, 'plugins', 'localauth', 'test',
|
|
Packit |
fd8b60 |
'localauth_test.so')
|
|
Packit |
fd8b60 |
conf = {'plugins': {'localauth': { 'module': [
|
|
Packit |
fd8b60 |
'test1:' + modpath,
|
|
Packit |
fd8b60 |
'test2:' + modpath]}},
|
|
Packit |
fd8b60 |
'realms': {'$realm': {'auth_to_local': [
|
|
Packit |
fd8b60 |
'RULE:(test/rulefirst)s/.*/rule/',
|
|
Packit |
fd8b60 |
'TYPEA',
|
|
Packit |
fd8b60 |
'DEFAULT',
|
|
Packit |
fd8b60 |
'TYPEB:resid']},
|
|
Packit |
fd8b60 |
'auth_to_local_names': {'test/a/b': 'name'}}}
|
|
Packit |
fd8b60 |
mod = realm.special_env('mod', False, conf)
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# test1's untyped an2ln method should come before the names method, mapping
|
|
Packit |
fd8b60 |
# test/a/b@X to its realm name (superceding auth_to_local_names).
|
|
Packit |
fd8b60 |
test_an2ln(mod, 'test/a/b@X', 'X', 'mod untyped an2ln')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Match the auth_to_local values in order. test2's TYPEA should map
|
|
Packit |
fd8b60 |
# test/notrule to its second component, and its TYPEB should map
|
|
Packit |
fd8b60 |
# anything which gets there to the residual string.
|
|
Packit |
fd8b60 |
test_an2ln(mod, 'test/rulefirst@X', 'rule', 'mod auth_to_local 1')
|
|
Packit |
fd8b60 |
test_an2ln(mod, 'test/notrule', 'notrule', 'mod auth_to_local 2')
|
|
Packit |
fd8b60 |
test_an2ln(mod, 'user@KRBTEST.COM', 'user', 'mod auth_to_local 3')
|
|
Packit |
fd8b60 |
test_an2ln(mod, 'xyz@X', 'resid', 'mod auth_to_local 4')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# test2's userok module should succeed when the number of components
|
|
Packit |
fd8b60 |
# is equal to the length of the local name, should pass if the first
|
|
Packit |
fd8b60 |
# component is 'pass', and should reject otherwise.
|
|
Packit |
fd8b60 |
test_userok(mod, 'a/b/c/d@X', 'four', True, 'mod userok 1')
|
|
Packit |
fd8b60 |
test_userok(mod, 'x/y/z@X', 'four', False, 'mod userok 2')
|
|
Packit |
fd8b60 |
test_userok(mod, 'pass@KRBTEST.COM', 'pass', True, 'mod userok 3')
|
|
Packit |
fd8b60 |
test_userok(mod, 'user@KRBTEST.COM', 'user', False, 'mod userok 4')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
success('krb5_kuserok and krb5_aname_to_localname tests')
|