from k5test import *
import re
# KDC option test coverage notes:
#
# FORWARDABLE here
# FORWARDED no test
# PROXIABLE here
# PROXY no test
# ALLOW_POSTDATE no test
# POSTDATED no test
# RENEWABLE t_renew.py
# CNAME_IN_ADDL_TKT gssapi/t_s4u.py
# CANONICALIZE t_kdb.py and various other tests
# REQUEST_ANONYMOUS t_pkinit.py
# DISABLE_TRANSITED_CHECK no test
# RENEWABLE_OK t_renew.py
# ENC_TKT_IN_SKEY t_u2u.py
# RENEW t_renew.py
# VALIDATE no test
# Run klist -f and return the flags on the ticket for svcprinc.
def get_flags(realm, svcprinc):
grab_flags = False
for line in realm.run([klist, '-f']).splitlines():
if grab_flags:
return re.findall(r'Flags: ([a-zA-Z]*)', line)[0]
grab_flags = line.endswith(svcprinc)
# Get the flags on the ticket for svcprinc, and check for an expected
# element and an expected-absent element, either of which can be None.
def check_flags(realm, svcprinc, expected_flag, expected_noflag):
flags = get_flags(realm, svcprinc)
if expected_flag is not None and not expected_flag in flags:
fail('expected flag ' + expected_flag)
if expected_noflag is not None and expected_noflag in flags:
fail('did not expect flag ' + expected_noflag)
# Run kinit with the given flags, and check the flags on the resulting
# TGT.
def kinit_check_flags(realm, flags, expected_flag, expected_noflag):
realm.kinit(realm.user_princ, password('user'), flags)
check_flags(realm, realm.krbtgt_princ, expected_flag, expected_noflag)
# Run kinit with kflags. Then get credentials for the host principal
# with gflags, and check the flags on the resulting ticket.
def gcred_check_flags(realm, kflags, gflags, expected_flag, expected_noflag):
realm.kinit(realm.user_princ, password('user'), kflags)
realm.run(['./gcred'] + gflags + ['unknown', realm.host_princ])
check_flags(realm, realm.host_princ, expected_flag, expected_noflag)
realm = K5Realm()
mark('proxiable (AS)')
kinit_check_flags(realm, [], None, 'P')
kinit_check_flags(realm, ['-p'], 'P', None)
realm.run([kadminl, 'modprinc', '-allow_proxiable', realm.user_princ])
kinit_check_flags(realm, ['-p'], None, 'P')
realm.run([kadminl, 'modprinc', '+allow_proxiable', realm.user_princ])
realm.run([kadminl, 'modprinc', '-allow_proxiable', realm.krbtgt_princ])
kinit_check_flags(realm, ['-p'], None, 'P')
realm.run([kadminl, 'modprinc', '+allow_proxiable', realm.krbtgt_princ])
mark('proxiable (TGS)')
gcred_check_flags(realm, [], [], None, 'P')
gcred_check_flags(realm, ['-p'], [], 'P', None)
# Not tested: PROXIABLE option set with a non-proxiable TGT (because
# there is no krb5_get_credentials() flag to request this; would
# expect a non-proxiable ticket).
# Not tested: proxiable TGT but PROXIABLE flag not set (because we
# internally set the PROXIABLE option when using a proxiable TGT;
# would expect a non-proxiable ticket).
mark('forwardable (AS)')
kinit_check_flags(realm, [], None, 'F')
kinit_check_flags(realm, ['-f'], 'F', None)
realm.run([kadminl, 'modprinc', '-allow_forwardable', realm.user_princ])
kinit_check_flags(realm, ['-f'], None, 'F')
realm.run([kadminl, 'modprinc', '+allow_forwardable', realm.user_princ])
realm.run([kadminl, 'modprinc', '-allow_forwardable', realm.krbtgt_princ])
kinit_check_flags(realm, ['-f'], None, 'F')
realm.run([kadminl, 'modprinc', '+allow_forwardable', realm.krbtgt_princ])
mark('forwardable (TGS)')
realm.kinit(realm.user_princ, password('user'))
gcred_check_flags(realm, [], [], None, 'F')
gcred_check_flags(realm, [], ['-f'], None, 'F')
gcred_check_flags(realm, ['-f'], [], 'F', None)
# Not tested: forwardable TGT but FORWARDABLE flag not set (because we
# internally set the FORWARDABLE option when using a forwardable TGT;
# would expect a non-proxiable ticket).
success('KDC option tests')