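from k5test import *

realm = K5Realm(create_user=False, create_host=False)

# Create a principal with no keys.
realm.run([kadminl, 'addprinc', '-nokey', 'user'])
realm.run([kadminl, 'getprinc', 'user'], expected_msg='Number of keys: 0')

# Change its password and check the resulting kvno.
realm.run([kadminl, 'cpw', '-pw', 'password', 'user'])
realm.run([kadminl, 'getprinc', 'user'], expected_msg='vno 1')

# Delete all of its keys.
realm.run([kadminl, 'purgekeys', '-all', 'user'])
realm.run([kadminl, 'getprinc', 'user'], expected_msg='Number of keys: 0')

# Randomize its keys and check the resulting kvno.
realm.run([kadminl, 'cpw', '-randkey', 'user'])
realm.run([kadminl, 'getprinc', 'user'], expected_msg='vno 1')


# Return true if patype appears to have been received in a hint list
# from a KDC error message, based on the trace output text in trace
# (the second value returned by realm.run(..., return_trace=True)).
#
# Callers use this for negative checks ("the KDC must not offer X"),
# so a parsing miss would make a test pass silently.  Each entry is
# therefore stripped before comparison; splitting on ', ' alone leaves
# the space after 'types:' on the first entry, so a type listed first
# would never match.
#
# NOTE(review): assumes the trace prints bare numeric preauth types;
# confirm against the trace format of the krb5 build under test.
def preauth_type_received(trace, patype):
    marker = 'Processing preauth types:'
    wanted = str(patype)
    for line in trace.splitlines():
        pos = line.find(marker)
        if pos == -1:
            continue
        offered = [entry.strip()
                   for entry in line[pos + len(marker):].split(',')]
        if wanted in offered:
            return True
    return False


# Make sure the KDC doesn't offer encrypted timestamp for a principal
# with no keys.  (2 is the encrypted timestamp preauth type.)
# NOTE(review): this check also passes if the trace contains no
# 'Processing preauth types:' line at all; confirm that is intended.
realm.run([kadminl, 'purgekeys', '-all', 'user'])
realm.run([kadminl, 'modprinc', '+requires_preauth', 'user'])
out, trace = realm.run([kinit, 'user'], expected_code=1, return_trace=True)
if preauth_type_received(trace, 2):
    fail('encrypted timestamp')

# Make sure it doesn't offer encrypted challenge either.  The armor
# principal supplies the ccache passed to kinit -T; 138 is the
# encrypted challenge preauth type.
realm.run([kadminl, 'addprinc', '-pw', 'fast', 'armor'])
realm.kinit('armor', 'fast')
out, trace = realm.run([kinit, '-T', realm.ccache, 'user'], expected_code=1,
                       return_trace=True)
if preauth_type_received(trace, 138):
    fail('encrypted challenge')

success('Key data tests')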