from k5test import *
# Limit the realm to two enctypes.  The "missing enctype" scenario further
# down removes one keytab entry with ktutil and expects the other one to
# remain, so the number of supported enctypes is part of the test design.
conf = {'realms': {'$realm': {'supported_enctypes': 'aes256-cts aes128-cts'}}}
realm = K5Realm(create_host=False, kdc_conf=conf)

# Server principal names used by the scenarios below.  princ4 is not
# created here; it only comes into existence later, when princ1 is
# renamed to it in the alias scenario.  Note that the expected rdreq
# messages later in this file spell the realm out literally, so they
# only line up with these names for the realm K5Realm uses here.
princ1, princ2, princ3, princ4 = [
    '%s@%s' % (name, realm.realm)
    for name in ('host/1', 'host/2', 'HTTP/3', 'HTTP/4')
]

# Server principals with empty host and realm components.  rdreq treats
# these as patterns: 'host/@' is expected to match the host/ entries
# created below, while 'x/@' is expected to match nothing.
matchprinc = 'host/@'
nomatchprinc = 'x/@'

for princ in (princ1, princ2, princ3):
    realm.addprinc(princ)
def test(tserver, server, expected):
    """Run ./rdreq and compare its output against an expected line.

    tserver is the ticket server principal passed as the first argument;
    server, when not None, is appended as an explicit server principal.
    The command output is whitespace-stripped and must equal expected
    exactly, otherwise fail() is called with a generic message (the
    actual output is not reported, so look at the test log to see it).
    """
    if server is None:
        cmd = ['./rdreq', tserver]
    else:
        cmd = ['./rdreq', tserver, server]
    actual = realm.run(cmd).strip()
    if actual != expected:
        fail('unexpected rdreq output')
# NOTE(review): the expected messages below hard-code KRBTEST.COM, whereas
# princ1..princ4 are built from realm.realm; the two only agree for the
# realm name K5Realm was created with.

# No keytab present: every request form fails the same way.
mark('no keytab')
nokeytab_err = "45 Key table file '%s' not found" % realm.keytab
for server in (None, princ1, matchprinc):
    test(princ1, server, nokeytab_err)

# Keytab present, successful decryption.
mark('success')
realm.extract_keytab(princ1, realm.keytab)
for server in (None, princ1, matchprinc):
    test(princ1, server, '0 success')

# Explicit server principal not found in keytab.
mark('explicit server not found')
nokey_princ2_err = '45 No key table entry found for host/2@KRBTEST.COM'
test(princ2, princ2, nokey_princ2_err)

# Matching server principal does not match any entries in keytab, both
# with (princ1) and without (princ2) the ticket server present in keytab.
mark('matching server')
nomatch_err = '45 Server principal x/@ does not match any keys in keytab'
for tserver in (princ1, princ2):
    test(tserver, nomatchprinc, nomatch_err)

# Ticket server does not match explicit server principal, both with and
# without the ticket server present in keytab.
mark('ticket server mismatch')
test(princ1, princ2, nokey_princ2_err)
test(princ2, princ1, '35 Cannot decrypt ticket for host/2@KRBTEST.COM '
     'using keytab key for host/1@KRBTEST.COM')

# Ticket server not found in keytab during iteration.
mark('ticket server not found')
test(princ2, None, '35 Request ticket server host/2@KRBTEST.COM '
     'not found in keytab (ticket kvno 1)')
# Ticket server found in keytab but is not matched by the server
# principal pattern (although other principals in the keytab do match).
mark('ticket server mismatch (matching)')
realm.extract_keytab(princ3, realm.keytab)
test(princ3, matchprinc, '35 Request ticket server HTTP/3@KRBTEST.COM '
     'found in keytab but does not match server principal host/@')

# Message templates shared by the two "out of date" scenarios; only the
# kvno and the component blamed for being stale differ.
stale_fmt = ('44 Request ticket server host/1@KRBTEST.COM kvno %d not found '
             'in keytab; %s is likely out of date')
nokey_fmt = '44 Cannot find key for host/1@KRBTEST.COM kvno %d in keytab'

# Service ticket is out of date: ktadd rotates the key, so the keytab
# holds a newer kvno than the ticket already in the credential cache.
mark('outdated service ticket')
os.remove(realm.keytab)
realm.run([kadminl, 'ktadd', princ1])
test(princ1, None, stale_fmt % (1, 'ticket'))
test(princ1, princ1, nokey_fmt % 1)

# kvno mismatch due to ticket principal mismatch with explicit server.
mark('ticket server mismatch (kvno)')
test(princ2, princ1, '35 Cannot find key for host/1@KRBTEST.COM kvno 1 '
     'in keytab (request ticket server host/2@KRBTEST.COM)')

# Keytab is out of date: change the key again and re-initialize the
# credential cache so that rdreq uses a service ticket issued under the
# new key (the expected messages cite kvno 3) while the keytab still
# holds the older one.
mark('outdated keytab')
realm.run([kadminl, 'cpw', '-randkey', princ1])
realm.kinit(realm.user_princ, password('user'))
test(princ1, None, stale_fmt % (3, 'keytab'))
test(princ1, princ1, nokey_fmt % 3)
# Ticket server and kvno found but not with the ticket's enctype: write a
# fresh keytab, then use ktutil to drop its first entry and swap the
# trimmed copy back into place.
mark('missing enctype')
os.remove(realm.keytab)
realm.extract_keytab(princ1, realm.keytab)
pkeytab = realm.keytab + '.partial'
ktutil_script = '\n'.join(['rkt ' + realm.keytab,
                           'delent 1',
                           'wkt ' + pkeytab]) + '\n'
realm.run([ktutil], input=ktutil_script)
os.rename(pkeytab, realm.keytab)
# List the remaining keytab entries (and enctypes) for the test log.
realm.run([klist, '-ke'])
test(princ1, None, '44 Request ticket server host/1@KRBTEST.COM kvno 3 '
     'found in keytab but not with enctype aes256-cts')
# This is a bad code (KRB_AP_ERR_NOKEY) and message, because
# krb5_kt_get_entry returns the same result for this and not finding
# the principal at all. But it's an uncommon case; GSSAPI apps
# usually use a matching principal and missing key enctypes are rare.
test(princ1, princ1, '45 No key table entry found for host/1@KRBTEST.COM')

# Ticket server, kvno, and enctype matched, but key does not work: rotate
# the key, then pin the kvno back to 3 so the new keytab entry carries the
# ticket's kvno but a different key.
mark('wrong key')
realm.run([kadminl, 'cpw', '-randkey', princ1])
realm.run([kadminl, 'modprinc', '-kvno', '3', princ1])
os.remove(realm.keytab)
realm.extract_keytab(princ1, realm.keytab)
test(princ1, None, '31 Request ticket server host/1@KRBTEST.COM kvno 3 '
     'enctype aes256-cts found in keytab but cannot decrypt ticket')
test(princ1, princ1, '31 Cannot decrypt ticket for host/1@KRBTEST.COM '
     'using keytab key for host/1@KRBTEST.COM')

# Aliases: the ticket server (princ4) is not present in the keytab, but
# the princ1 entry there carries the same key, so all forms succeed.
mark('aliases')
realm.run([kadminl, 'renprinc', princ1, princ4])
for server in (None, princ1, matchprinc):
    test(princ4, server, '0 success')

success('krb5_rd_req tests')