from k5test import *
# Offline mode is on when a first command-line argument is given and it
# is not "no"; it gates the DNS-dependent tests further down.
offline = bool(args) and args[0] != "no"

# Domain-to-realm mapping for the test realm's krb5.conf.  The realms
# expected by the assertions below (R1, R2, R3) come from this table.
conf = {
    'domain_realm': {
        'kerberos.org': 'R1',
        'example.com': 'R2',
        'mit.edu': 'R3',
    },
}

# NOTE(review): the three environments below vary how far name
# resolution feeds into the principal built from a hostname.  Each one
# gets its own test section so that a change in any of those policies
# shows up as a changed principal name.

# Reverse lookup disabled (forward-only canonicalization).
no_rdns_conf = {'libdefaults': {'rdns': 'false'}}

# Hostname canonicalization disabled; single-component names are
# qualified with the configured suffix.
no_canon_conf = {
    'libdefaults': {
        'dns_canonicalize_hostname': 'false',
        'qualify_shortname': 'example.com',
    },
}

# Canonicalization only as a fallback, with reverse lookup disabled.
fallback_canon_conf = {
    'libdefaults': {
        'rdns': 'false',
        'dns_canonicalize_hostname': 'fallback',
    },
}

realm = K5Realm(realm='R1', create_host=False, krb5_conf=conf)
no_rdns = realm.special_env(
    'no_rdns', False, krb5_conf=no_rdns_conf)
no_canon = realm.special_env(
    'no_canon', False, krb5_conf=no_canon_conf)
fallback_canon = realm.special_env(
    'fallback_canon', False, krb5_conf=fallback_canon_conf)
def testbase(host, nametype, princhost, princrealm, env=None):
    """Check one s2p harness result against an expected principal.

    Runs ./s2p with *host*, the fixed service string 'SVC' and
    *nametype* (in environment *env* when given), strips trailing
    whitespace from its output, and calls fail() unless the result is
    exactly 'SVC/<princhost>@<princrealm>'.
    """
    wanted = 'SVC/%s@%s' % (princhost, princrealm)
    command = ['./s2p', host, 'SVC', nametype]
    got = realm.run(command, env=env).rstrip()
    if got == wanted:
        return
    # Exact string comparison: any difference in case, trailing dot or
    # realm counts as a failure.
    fail('Expected %s, got %s' % (wanted, got))
def test(host, princhost, princrealm):
    """Check *host* as a host-based name in the default environment."""
    testbase(host, 'srv-hst', princhost, princrealm, env=None)
def testnc(host, princhost, princrealm):
    """Check *host* as a host-based name with canonicalization disabled."""
    testbase(host, 'srv-hst', princhost, princrealm, no_canon)
def testnr(host, princhost, princrealm):
    """Check *host* as a host-based name with reverse lookup disabled."""
    testbase(host, 'srv-hst', princhost, princrealm, no_rdns)
def testu(host, princhost, princrealm):
    """Check *host* with the 'unknown' name type, default environment."""
    testbase(host, 'unknown', princhost, princrealm, env=None)
def testfc(host, princhost, princrealm):
    """Check *host* as a host-based name with canonicalization fallback."""
    testbase(host, 'srv-hst', princhost, princrealm, fallback_canon)
# Unknown principal type: no canonicalization and no downcasing, but a
# trailing period is removed and the realm is looked up.  Each case
# expects the host part of the principal to equal the input exactly.
mark('unknown type')
for case_host, case_realm in (('ptr-mismatch.kerberos.org', 'R1'),
                              ('Example.COM', 'R2'),
                              ('abcde', '')):
    testu(case_host, case_host, case_realm)
# Realm lookup should ignore a ':port' or ':instance' trailer.  A name
# with more than one colon is assumed to be an IPv6 address and is not
# treated as having a trailer, so the last case expects an empty realm.
mark('port trailer')
for case_host, case_realm in (('example.com.:123', 'R2'),
                              ('Example.COM:xyZ', 'R2'),
                              ('example.com.::123', '')):
    testu(case_host, case_host, case_realm)
# dns_canonicalize_hostname=false: the hostname is downcased and loses
# its trailing dots, but is not canonicalized.  Single-component names
# get the configured suffix appended (the default would be the first OS
# search domain, which Python cannot easily retrieve, so that default is
# not tested).  Trailers keep their case.
mark('dns_canonicalize_host=false')
for case_host, case_princhost, case_realm in (
        ('ptr-mismatch.kerberos.org', 'ptr-mismatch.kerberos.org', 'R1'),
        ('Example.COM', 'example.com', 'R2'),
        ('abcde', 'abcde.example.com', 'R2'),
        ('example.com.:123', 'example.com:123', 'R2'),
        ('Example.COM:xyZ', 'example.com:xyZ', 'R2'),
        ('example.com.::123', 'example.com.::123', '')):
    testnc(case_host, case_princhost, case_realm)
# The remaining tests are the online ones; stop here in offline mode.
if offline:
    skip_rest('sn2princ tests', 'offline mode requested')

# The online tests rely on ptr-mismatch.kerberos.org resolving, forward
# and in reverse, to these names.
oname, fname = 'ptr-mismatch.kerberos.org', 'www.kerberos.org'

# krb5_sname_to_principal() with fallback canonicalization should give
# the same result as dns_canonicalize_hostname=false: the name as given.
mark('dns_canonicalize_host=fallback')
testfc(oname, oname, 'R1')
# Fallback canonicalization in krb5_get_credentials().
# NOTE(review): os and shutil are not imported in the visible part of
# this file; presumably they arrive through the k5test star import.
oprinc, fprinc = 'host/' + oname, 'host/' + fname
gcred_args = ('./gcred', 'srv-hst', oprinc)
saved_ccache = realm.ccache + '.save'

# Keep a copy of the ccache from before any service ticket is obtained.
shutil.copy(realm.ccache, saved_ccache)
realm.addprinc(fprinc)

# Step 1: oprinc does not exist yet, so the request falls back to the
# canonicalized fprinc.  The trace message is checked as well, so the
# fallback has to be visible in the trace output.
msgs = ('Falling back to canonicalized server hostname ' + fname,)
realm.run(list(gcred_args), env=fallback_canon,
          expected_msg=fprinc, expected_trace=msgs)

# Step 2: oprinc now exists, but the fprinc ticket is still returned
# from the cache.
realm.addprinc(oprinc)
realm.run(list(gcred_args), env=fallback_canon, expected_msg=fprinc)

# Step 3: with the saved ccache restored (no cached result), oprinc
# should be preferred over fprinc.
os.rename(saved_ccache, realm.ccache)
realm.run(list(gcred_args), env=fallback_canon, expected_msg=oprinc)
# Check what the local resolver returns for forward resolution before
# running tests that depend on it.  If the answer is not the expected
# one, the remaining tests are skipped rather than failed.
# NOTE(review): skip_rest() presumably does not return; if it did, ai
# would be unbound on the line after the try block -- confirm in k5test.
try:
    ai = socket.getaddrinfo(oname, None, 0, 0, 0, socket.AI_CANONNAME)
except socket.gaierror:
    skip_rest('sn2princ tests', 'cannot forward resolve %s' % oname)

# Only the canonical name and the socket address of the first result
# are used; sockaddr is needed again for the reverse lookup.
_, _, _, canonname, sockaddr = ai[0]
if canonname.lower() != fname:
    reason = '%s forward resolves to %s, not %s' % (oname, canonname, fname)
    skip_rest('sn2princ tests', reason)
# Forward-only canonicalization (rdns=false): the principal should carry
# the forward-resolved name, with any trailer passed through unchanged.
mark('rdns=false')
for trailer in ('', ':123', ':xyZ'):
    testnr(oname + trailer, fname + trailer, 'R1')
# Check what the local resolver returns for reverse resolution before
# running tests that depend on it.  NI_NAMEREQD turns a missing name
# into an error, which skips the remaining tests.
try:
    names = socket.getnameinfo(sockaddr, socket.NI_NAMEREQD)
except socket.gaierror:
    skip_rest('reverse sn2princ tests', 'cannot reverse resolve %s' % oname)

# The default-mode tests only mean something if the reverse name differs
# from the forward name; otherwise they are skipped.
rname = names[0].lower()
if rname == fname:
    reason = ('%s reverse resolves to %s '
              'which should be different from %s' % (oname, rname, fname))
    skip_rest('reverse sn2princ tests', reason)
# Default canonicalization (forward and reverse lookup): the principal
# should carry the reverse-resolved name, trailer passed through.
# NOTE(review): the expected realm R3 is the one conf maps to mit.edu,
# so rname is presumably under mit.edu -- confirm against current DNS.
mark('default')
for trailer in ('', ':123', ':xyZ'):
    test(oname + trailer, rname + trailer, 'R3')

success('krb5_sname_to_principal tests')