|
Packit |
fd8b60 |
from k5test import *
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# These tests will become much less important after the y2038 boundary
|
|
Packit |
fd8b60 |
# has elapsed, and may start exhibiting problems around the year 2075.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
if runenv.sizeof_time_t <= 4:
|
|
Packit |
fd8b60 |
skip_rest('y2038 timestamp tests', 'platform has 32-bit time_t')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Start a KDC running roughly 21 years in the future, after the y2038
|
|
Packit |
fd8b60 |
# boundary. Set long maximum lifetimes for later tests.
|
|
Packit |
fd8b60 |
conf = {'realms': {'$realm': {'max_life': '9000d',
|
|
Packit |
fd8b60 |
'max_renewable_life': '9000d'}}}
|
|
Packit |
fd8b60 |
realm = K5Realm(start_kdc=False, kdc_conf=conf)
|
|
Packit |
fd8b60 |
realm.start_kdc(['-T', '662256000'])
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# kinit without preauth should succeed with clock skew correction, but
|
|
Packit |
fd8b60 |
# will result in an expired ticket, because we sent an absolute end
|
|
Packit |
fd8b60 |
# time and didn't get a chance to correct it..
|
|
Packit |
fd8b60 |
mark('kinit, no preauth')
|
|
Packit |
fd8b60 |
realm.kinit(realm.user_princ, password('user'))
|
|
Packit |
fd8b60 |
realm.run([kvno, realm.host_princ], expected_code=1,
|
|
Packit |
fd8b60 |
expected_msg='Ticket expired')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# kinit with preauth should succeed and result in a valid ticket, as
|
|
Packit |
fd8b60 |
# we get a chance to correct the end time based on the KDC time. Try
|
|
Packit |
fd8b60 |
# with encrypted timestamp and encrypted challenge.
|
|
Packit |
fd8b60 |
mark('kinit, with preauth')
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'modprinc', '+requires_preauth', 'user'])
|
|
Packit |
fd8b60 |
realm.kinit(realm.user_princ, password('user'))
|
|
Packit |
fd8b60 |
realm.run([kvno, realm.host_princ])
|
|
Packit |
fd8b60 |
realm.kinit(realm.user_princ, password('user'), flags=['-T', realm.ccache])
|
|
Packit |
fd8b60 |
realm.run([kvno, realm.host_princ])
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Test that expiration warning works after y2038, by setting a
|
|
Packit |
fd8b60 |
# password expiration time ten minutes after the KDC time.
|
|
Packit |
fd8b60 |
mark('expiration warning')
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'modprinc', '-pwexpire', '662256600 seconds', 'user'])
|
|
Packit |
fd8b60 |
out = realm.kinit(realm.user_princ, password('user'))
|
|
Packit |
fd8b60 |
if 'will expire in less than one hour' not in out:
|
|
Packit |
fd8b60 |
fail('password expiration message')
|
|
Packit |
fd8b60 |
year = int(out.split()[-1])
|
|
Packit |
fd8b60 |
if year < 2038 or year > 9999:
|
|
Packit |
fd8b60 |
fail('password expiration year')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
realm.stop_kdc()
|
|
Packit |
fd8b60 |
realm.start_kdc()
|
|
Packit |
fd8b60 |
realm.start_kadmind()
|
|
Packit |
fd8b60 |
realm.prep_kadmin()
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Test getdate parsing of absolute timestamps after 2038 and
|
|
Packit |
fd8b60 |
# marshalling over the kadmin protocol. The local time zone will
|
|
Packit |
fd8b60 |
# affect the display time by a little bit, so just look for the year.
|
|
Packit |
fd8b60 |
mark('kadmin marshalling')
|
|
Packit |
fd8b60 |
realm.run_kadmin(['modprinc', '-pwexpire', '2040-02-03', realm.host_princ])
|
|
Packit |
fd8b60 |
realm.run_kadmin(['getprinc', realm.host_princ], expected_msg=' 2040\n')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Get a ticket whose lifetime crosses the y2038 boundary and
|
|
Packit |
fd8b60 |
# range-check the expiration year as reported by klist.
|
|
Packit |
fd8b60 |
mark('ticket lifetime across y2038')
|
|
Packit |
fd8b60 |
realm.kinit(realm.user_princ, password('user'),
|
|
Packit |
fd8b60 |
flags=['-l', '8000d', '-r', '8500d'])
|
|
Packit |
fd8b60 |
realm.run([kvno, realm.host_princ])
|
|
Packit |
fd8b60 |
out = realm.run([klist])
|
|
Packit |
fd8b60 |
if int(out.split('\n')[4].split()[2].split('/')[2]) < 39:
|
|
Packit |
fd8b60 |
fail('unexpected tgt expiration year')
|
|
Packit |
fd8b60 |
if int(out.split('\n')[5].split()[2].split('/')[2]) < 40:
|
|
Packit |
fd8b60 |
fail('unexpected tgt rtill year')
|
|
Packit |
fd8b60 |
if int(out.split('\n')[6].split()[2].split('/')[2]) < 39:
|
|
Packit |
fd8b60 |
fail('unexpected service ticket expiration year')
|
|
Packit |
fd8b60 |
if int(out.split('\n')[7].split()[2].split('/')[2]) < 40:
|
|
Packit |
fd8b60 |
fail('unexpected service ticket rtill year')
|
|
Packit |
fd8b60 |
realm.kinit(realm.user_princ, None, ['-R'])
|
|
Packit |
fd8b60 |
out = realm.run([klist])
|
|
Packit |
fd8b60 |
if int(out.split('\n')[4].split()[2].split('/')[2]) < 39:
|
|
Packit |
fd8b60 |
fail('unexpected renewed tgt expiration year')
|
|
Packit |
fd8b60 |
if int(out.split('\n')[5].split()[2].split('/')[2]) < 40:
|
|
Packit |
fd8b60 |
fail('unexpected renewed tgt rtill year')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
success('y2038 tests')
|