from k5test import *
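# Skip this test if we're missing proxy functionality or parts of the proxy.
# NOTE: assuming skip_rest ends the script here (as its name suggests), a
# build without TLS support or a host without kdcproxy runs none of the
# certificate-validation passes below, so the HTTPS transport's trust-anchor
# and name checks get no coverage there.
if runenv.tls_impl == 'no':
    skip_rest('HTTP proxy tests', 'TLS build support not enabled')
try:
    import kdcproxy
except Exception:
    # Any ordinary import failure means the proxy cannot be started, so skip.
    # A bare "except:" would also swallow KeyboardInterrupt and SystemExit.
    skip_rest('HTTP proxy tests', 'Python kdcproxy module not found')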
# Inputs for the krb5.conf fragments that point the client at a local proxy
# server: the key/certificate files the proxy can present, the CA file the
# client may be told to trust, and the proxy URLs.
_proxy_cert_dir = os.path.join(srctop, 'tests', 'dejagnu', 'proxy-certs')

# Named after the way each certificate is expected to match (or not match)
# the proxy's name; see the pass comments further down for how each is used.
proxysubjectpem = os.path.join(_proxy_cert_dir, 'proxy-subject.pem')
proxysanpem = os.path.join(_proxy_cert_dir, 'proxy-san.pem')
proxyidealpem = os.path.join(_proxy_cert_dir, 'proxy-ideal.pem')
proxywrongpem = os.path.join(_proxy_cert_dir, 'proxy-no-match.pem')
proxybadpem = os.path.join(_proxy_cert_dir, 'proxy-badsig.pem')
proxyca = os.path.join(_proxy_cert_dir, 'ca.pem')

# The same proxy endpoint addressed by name, by differently-cased name, and by
# IPv4/IPv6 literal.  $port5 is presumably filled in by the k5test config
# template -- confirm against k5test.
proxyurl = 'https://localhost:$port5/KdcProxy'
proxyurlupcase = 'https://LocalHost:$port5/KdcProxy'
proxyurl4 = 'https://127.0.0.1:$port5/KdcProxy'
proxyurl6 = 'https://[::1]:$port5/KdcProxy'
# Client configurations.  Each one routes the realm's KDC traffic (and either
# kpasswd_server or admin_server) through a proxy URL.  The "unanchored"
# variant sets no http_anchors, so the test CA is not configured as a trust
# anchor; every "anchored" variant names the test CA file explicitly.
unanchored_krb5_conf = {
    'realms': {
        '$realm': {
            'kdc': proxyurl,
            'kpasswd_server': proxyurl,
        },
    },
}
anchored_name_krb5_conf = {
    'realms': {
        '$realm': {
            'kdc': proxyurl,
            'kpasswd_server': proxyurl,
            'http_anchors': 'FILE:%s' % proxyca,
        },
    },
}
# Same as above, but the URL spells the host name with different letter case.
anchored_upcasename_krb5_conf = {
    'realms': {
        '$realm': {
            'kdc': proxyurlupcase,
            'kpasswd_server': proxyurlupcase,
            'http_anchors': 'FILE:%s' % proxyca,
        },
    },
}
# No kpasswd_server here: the password-change service has to be located
# through the admin_server setting.
anchored_kadmin_krb5_conf = {
    'realms': {
        '$realm': {
            'kdc': proxyurl,
            'admin_server': proxyurl,
            'http_anchors': 'FILE:%s' % proxyca,
        },
    },
}
# The proxy is addressed by IPv4 literal instead of by name.
anchored_ipv4_krb5_conf = {
    'realms': {
        '$realm': {
            'kdc': proxyurl4,
            'kpasswd_server': proxyurl4,
            'http_anchors': 'FILE:%s' % proxyca,
        },
    },
}

# Three newline-terminated copies of the user's password fed to kpasswd on
# stdin (presumably current password, new password, confirmation -- confirm
# against kpasswd's prompts).
kpasswd_input = ''.join(password('user') + '\n' for _ in range(3))
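def start_proxy(realm, keycertpem):
    """Start the test KDC proxy for *realm* and return its server handle.

    Writes a kdcproxy.conf into the realm's test directory that maps the
    realm name to kerberos:// and kpasswd:// endpoints on localhost (at
    realm.portbase and realm.portbase + 2), exports its path to the realm
    environment as KDCPROXY_CONFIG, and launches util/wsgiref-kdcproxy.py
    with the realm's server port and *keycertpem*.

    Args:
        realm: the realm object whose testdir, realm name, portbase, env,
            server_port() and start_server() are used.
        keycertpem: path to the PEM file passed to the proxy script; the
            callers in this file pass one of the proxy-*.pem test files.

    Returns:
        Whatever realm.start_server() returns once the proxy has printed
        'proxy server ready'.
    """
    proxy_conf_path = os.path.join(realm.testdir, 'kdcproxy.conf')
    proxy_exec_path = os.path.join(srctop, 'util', 'wsgiref-kdcproxy.py')
    # Context manager: the file is closed (and flushed) even if a write
    # raises, so the proxy never reads a half-written, still-open config.
    with open(proxy_conf_path, 'w') as conf:
        conf.write('[%s]\n' % realm.realm)
        conf.write('kerberos = kerberos://localhost:%d\n' % realm.portbase)
        conf.write('kpasswd = kpasswd://localhost:%d\n' % (realm.portbase + 2))
    realm.env['KDCPROXY_CONFIG'] = proxy_conf_path
    cmd = [sys.executable, proxy_exec_path, str(realm.server_port()),
           keycertpem]
    return realm.start_server(cmd, sentinel='proxy server ready')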
# Pass 1 (must fail): no http_anchors is configured, so the proxy's issuer is
# untrusted, and the proxy presents the certificate that does not match its
# host name.
# NOTE(review): only kinit's exit status is checked, so a failure unrelated to
# certificate validation would also satisfy this pass.  Matching the error
# text as well (k5test's expected_msg) would tie the result to the TLS check.
# The same holds for the other expected_code=1 passes in this file.
mark('untrusted issuer, hostname mismatch')
output("running pass 1: issuer not trusted and hostname doesn't match\n")
realm = K5Realm(
    krb5_conf=unanchored_krb5_conf,
    create_host=False,
    get_creds=False,
)
proxy = start_proxy(realm, proxywrongpem)
realm.kinit(realm.user_princ, expected_code=1, password=password('user'))
stop_daemon(proxy)
realm.stop()
# Pass 2 (must fail): the certificate subject matches the proxy host name, but
# no trust anchor is configured, so a name match alone must not be accepted.
mark('untrusted issuer, hostname subject match')
output("running pass 2: subject matches, issuer not trusted\n")
realm = K5Realm(
    krb5_conf=unanchored_krb5_conf,
    create_host=False,
    get_creds=False,
)
proxy = start_proxy(realm, proxysubjectpem)
realm.kinit(realm.user_princ, expected_code=1, password=password('user'))
stop_daemon(proxy)
realm.stop()
# Pass 3 (must fail): the certificate's subjectAltName matches the proxy host
# name, but the issuer is still untrusted because no anchor is configured.
mark('untrusted issuer, hostname SAN match')
output("running pass 3: subjectAltName matches, issuer not trusted\n")
realm = K5Realm(
    krb5_conf=unanchored_krb5_conf,
    create_host=False,
    get_creds=False,
)
proxy = start_proxy(realm, proxysanpem)
realm.kinit(realm.user_princ, expected_code=1, password=password('user'))
stop_daemon(proxy)
realm.stop()
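# Pass 4 (must fail): untrusted issuer, and the proxy presents the certificate
# whose signature is bad.
mark('untrusted issuer, bad signature')
# The log line used to repeat pass 2's text ("subject matches, issuer not
# trusted"); it now names the case this pass actually covers, so the test log
# identifies the right scenario when a failure is triaged.
output("running pass 4: issuer not trusted, signature bad\n")
realm = K5Realm(krb5_conf=unanchored_krb5_conf, get_creds=False,
                create_host=False)
proxy = start_proxy(realm, proxybadpem)
# Only the exit status is asserted; any kinit failure satisfies this pass.
realm.kinit(realm.user_princ, password=password('user'), expected_code=1)
stop_daemon(proxy)
realm.stop()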
# Pass 5 (must fail): the test CA is configured as an anchor, so the issuer is
# trusted, but the certificate does not match the proxy host name.  A trusted
# chain must not be enough without a name match.
mark('trusted issuer, hostname mismatch')
output("running pass 5: issuer trusted but hostname doesn't match\n")
realm = K5Realm(
    krb5_conf=anchored_name_krb5_conf,
    create_host=False,
    get_creds=False,
)
proxy = start_proxy(realm, proxywrongpem)
realm.kinit(realm.user_princ, expected_code=1, password=password('user'))
stop_daemon(proxy)
realm.stop()
# Pass 6 (must succeed): trusted issuer and the certificate subject matches
# the proxy host name.  kinit, kvno and kpasswd are all run against the
# proxy-only configuration.
mark('trusted issuer, hostname subject match')
output("running pass 6: issuer trusted, subject matches\n")
realm = K5Realm(
    krb5_conf=anchored_name_krb5_conf,
    get_creds=False,
    start_kadmind=True,
)
proxy = start_proxy(realm, proxysubjectpem)
realm.kinit(realm.user_princ, password=password('user'))
realm.run([kvno, realm.host_princ])
realm.run([kpasswd, realm.user_princ], input=kpasswd_input)
stop_daemon(proxy)
realm.stop()
# Pass 7 (must succeed): trusted issuer and the certificate's subjectAltName
# matches the proxy host name.
mark('trusted issuer, hostname SAN match')
output("running pass 7: issuer trusted, subjectAltName matches\n")
realm = K5Realm(
    krb5_conf=anchored_name_krb5_conf,
    get_creds=False,
    start_kadmind=True,
)
proxy = start_proxy(realm, proxysanpem)
realm.kinit(realm.user_princ, password=password('user'))
realm.run([kvno, realm.host_princ])
realm.run([kpasswd, realm.user_princ], input=kpasswd_input)
stop_daemon(proxy)
realm.stop()
# Pass 8 (must fail): the issuer is configured as trusted and the name would
# match, but the certificate's signature is bad, so the chain must not verify.
mark('bad signature')
output("running pass 8: issuer trusted and subjectAltName matches, sig bad\n")
realm = K5Realm(
    krb5_conf=anchored_name_krb5_conf,
    create_host=False,
    get_creds=False,
)
proxy = start_proxy(realm, proxybadpem)
realm.kinit(realm.user_princ, expected_code=1, password=password('user'))
stop_daemon(proxy)
realm.stop()
# Pass 9 (must fail): the client addresses the proxy by IPv4 literal; the
# issuer is trusted but the certificate carries no name matching that address.
mark('trusted issuer, IP mismatch')
output("running pass 9: issuer trusted but no name matches IP\n")
realm = K5Realm(
    krb5_conf=anchored_ipv4_krb5_conf,
    create_host=False,
    get_creds=False,
)
proxy = start_proxy(realm, proxywrongpem)
realm.kinit(realm.user_princ, expected_code=1, password=password('user'))
stop_daemon(proxy)
realm.stop()
# Pass 10 (must fail): proxy addressed by IPv4 literal, trusted issuer, but
# the certificate only matches by host name in its subject, which must not
# satisfy a connection made to an IP address.
mark('trusted issuer, IP mismatch (hostname in subject)')
output("running pass 10: issuer trusted, but subject does not match IP\n")
realm = K5Realm(
    krb5_conf=anchored_ipv4_krb5_conf,
    create_host=False,
    get_creds=False,
)
proxy = start_proxy(realm, proxysubjectpem)
realm.kinit(realm.user_princ, expected_code=1, password=password('user'))
stop_daemon(proxy)
realm.stop()
# Pass 11 (must succeed): proxy addressed by IPv4 literal, trusted issuer, and
# the certificate's subjectAltName matches that IP address.
mark('trusted issuer, IP SAN match')
output("running pass 11: issuer trusted, subjectAltName matches IP\n")
realm = K5Realm(
    krb5_conf=anchored_ipv4_krb5_conf,
    get_creds=False,
    start_kadmind=True,
)
proxy = start_proxy(realm, proxysanpem)
realm.kinit(realm.user_princ, password=password('user'))
realm.run([kvno, realm.host_princ])
realm.run([kpasswd, realm.user_princ], input=kpasswd_input)
stop_daemon(proxy)
realm.stop()
# Pass 12 (must fail): proxy addressed by IPv4 literal, issuer configured as
# trusted, but the proxy presents the certificate with the bad signature.
mark('bad signature (IP hostname)')
output("running pass 12: issuer trusted, names don't match, signature bad\n")
realm = K5Realm(
    krb5_conf=anchored_ipv4_krb5_conf,
    create_host=False,
    get_creds=False,
)
proxy = start_proxy(realm, proxybadpem)
realm.kinit(realm.user_princ, expected_code=1, password=password('user'))
stop_daemon(proxy)
realm.stop()
# Pass 13 (must succeed): trusted issuer and the subject matches the host
# name.  The configuration has admin_server instead of kpasswd_server, so
# kpasswd has to find kpasswdd through the kadmin setting.
mark('trusted issuer, hostname subject match (kadmin)')
output("running pass 13: issuer trusted, subject matches\n")
realm = K5Realm(
    krb5_conf=anchored_kadmin_krb5_conf,
    create_host=False,
    get_creds=False,
    start_kadmind=True,
)
proxy = start_proxy(realm, proxysubjectpem)
realm.run([kpasswd, realm.user_princ], input=kpasswd_input)
stop_daemon(proxy)
realm.stop()
# Pass 14 (must succeed): trusted issuer and the subjectAltName matches the
# host name, again locating kpasswdd through the kadmin (admin_server)
# configuration.
mark('trusted issuer, hostname SAN match (kadmin)')
output("running pass 14: issuer trusted, subjectAltName matches\n")
realm = K5Realm(
    krb5_conf=anchored_kadmin_krb5_conf,
    create_host=False,
    get_creds=False,
    start_kadmind=True,
)
proxy = start_proxy(realm, proxysanpem)
realm.run([kpasswd, realm.user_princ], input=kpasswd_input)
stop_daemon(proxy)
realm.stop()
# Pass 15 (must succeed): trusted issuer, and the subjectAltName matches the
# host name in the URL apart from letter case ('LocalHost'), i.e. the name
# comparison is expected to be case-insensitive.
mark('trusted issuer, hostname SAN case-insensitive match')
output("running pass 15: issuer trusted, subjectAltName case-insensitive\n")
realm = K5Realm(
    krb5_conf=anchored_upcasename_krb5_conf,
    create_host=False,
    get_creds=False,
    start_kadmind=True,
)
proxy = start_proxy(realm, proxysanpem)
realm.run([kpasswd, realm.user_princ], input=kpasswd_input)
stop_daemon(proxy)
realm.stop()

# Every pass above completed; report the test as successful.
success('MS-KKDCP proxy')