41
41
# Test with acceptor name containing service only, including
42
42
# client/keytab hostname mismatch (non-fatal) and service name
43
43
# mismatch (fatal).
44
output = realm.run_as_client(['./t_accname', 'service1/andrew', 'service1'])
44
output = realm.run_as_client(['./t_accname', 'p:service1/andrew',
45
46
if 'service1/abraham' not in output:
46
47
fail('Expected service1/abraham in t_accname output')
47
output = realm.run_as_client(['./t_accname', 'service1/andrew', 'service2'],
48
output = realm.run_as_client(['./t_accname', 'p:service1/andrew',
49
'h:service2'], expected_code=1)
49
50
if 'Wrong principal in request' not in output:
50
51
fail('Expected error message not seen in t_accname output')
51
output = realm.run_as_client(['./t_accname', 'service2/calvin', 'service2'])
52
output = realm.run_as_client(['./t_accname', 'p:service2/calvin',
52
54
if 'service2/calvin' not in output:
53
55
fail('Expected service2/calvin in t_accname output')
54
output = realm.run_as_client(['./t_accname', 'service2/calvin', 'service1'],
56
output = realm.run_as_client(['./t_accname', 'p:service2/calvin',
57
'h:service1'], expected_code=1)
56
58
if 'Wrong principal in request' not in output:
57
59
fail('Expected error message not seen in t_accname output')
59
61
# Test with acceptor name containing service and host. Use the
60
62
# client's un-canonicalized hostname as acceptor input to mirror what
62
output = realm.run_as_client(['./t_accname', realm.host_princ,
63
'host@%s' % socket.gethostname()])
64
output = realm.run_as_client(['./t_accname', 'p:' + realm.host_princ,
65
'h:host@%s' % socket.gethostname()])
64
66
if realm.host_princ not in output:
65
67
fail('Expected %s in t_accname output' % realm.host_princ)
66
output = realm.run_as_client(['./t_accname', 'host/-nomatch-',
67
'host@%s' % socket.gethostname()],
68
output = realm.run_as_client(['./t_accname', 'p:host/-nomatch-',
69
'h:host@%s' % socket.gethostname()],
69
71
if 'Wrong principal in request' not in output:
70
72
fail('Expected error message not seen in t_accname output')
72
74
# Test krb5_gss_import_cred.
73
realm.run_as_client(['./t_imp_cred', 'service1/barack'])
74
realm.run_as_client(['./t_imp_cred', 'service1/barack', 'service1/barack'])
75
realm.run_as_client(['./t_imp_cred', 'service1/andrew', 'service1/abraham'])
76
output = realm.run_as_client(['./t_imp_cred', 'service2/dwight'],
75
realm.run_as_client(['./t_imp_cred', 'p:service1/barack'])
76
realm.run_as_client(['./t_imp_cred', 'p:service1/barack', 'service1/barack'])
77
realm.run_as_client(['./t_imp_cred', 'p:service1/andrew', 'service1/abraham'])
78
output = realm.run_as_client(['./t_imp_cred', 'p:service2/dwight'],
78
80
if 'Wrong principal in request' not in output:
79
81
fail('Expected error message not seen in t_imp_cred output')
83
# Test credential store extension.
84
tmpccname = 'FILE:' + os.path.join(realm.testdir, 'def_cache')
85
realm.env_client['KRB5CCNAME'] = tmpccname
86
storagecache = 'FILE:' + os.path.join(realm.testdir, 'user_store')
87
servicekeytab = os.path.join(realm.testdir, 'kt')
88
service_cs = 'service/cs@%s' % realm.realm
89
realm.addprinc(service_cs)
90
realm.extract_keytab(service_cs, servicekeytab)
91
realm.kinit(service_cs, None, ['-k', '-t', servicekeytab])
92
output = realm.run_as_client(['./t_credstore', service_cs, '--cred_store',
93
'ccache', storagecache, 'keytab', servicekeytab])
94
if 'Cred Store Success' not in output:
95
fail('Expected test to succeed')
97
# Verify that we can't acquire acceptor creds without a keytab.
98
os.remove(realm.keytab)
99
output = realm.run_as_client(['./t_accname', 'p:abc'], expected_code=1)
100
if ('gss_acquire_cred: Keytab' not in output or
101
'nonexistent or empty' not in output):
102
fail('Expected error message not seen for nonexistent keytab')
83
106
# Re-run the last acceptor name test with ignore_acceptor_hostname set
84
107
# and the principal for the mismatching hostname in the keytab.
85
108
ignore_conf = { 'all' : { 'libdefaults' : {
86
109
'ignore_acceptor_hostname' : 'true' } } }
87
realm = K5Realm(krb5_conf=ignore_conf, start_kadmind=False)
110
realm = K5Realm(krb5_conf=ignore_conf)
88
111
realm.run_kadminl('addprinc -randkey host/-nomatch-')
89
112
realm.run_kadminl('xst host/-nomatch-')
90
output = realm.run_as_client(['./t_accname', 'host/-nomatch-',
91
'host@%s' % socket.gethostname()])
113
output = realm.run_as_client(['./t_accname', 'p:host/-nomatch-',
114
'h:host@%s' % socket.gethostname()])
92
115
if 'host/-nomatch-' not in output:
93
116
fail('Expected host/-nomatch- in t_accname output')
95
success('GSSAPI tests.')
120
# Make sure a GSSAPI acceptor can handle cross-realm tickets with a
121
# transited field. (Regression test for #7639.)
122
r1, r2, r3 = cross_realms(3, xtgts=((0,1), (1,2)),
123
create_user=False, create_host=False,
124
args=[{'realm': 'A.X', 'create_user': True},
126
{'realm': 'B.X', 'create_host': True}])
127
os.rename(r3.keytab, r1.keytab)
128
r1.run_as_client(['./t_accname', 'p:' + r3.host_princ, 'h:host'])
133
### Test gss_inquire_cred behavior.
137
# Test deferred resolution of the default ccache for initiator creds.
138
output = realm.run_as_client(['./t_inq_cred'])
139
if realm.user_princ not in output:
140
fail('Expected %s in t_inq_cred output' % realm.user_princ)
141
output = realm.run_as_client(['./t_inq_cred', '-k'])
142
if realm.user_princ not in output:
143
fail('Expected %s in t_inq_cred output' % realm.user_princ)
144
output = realm.run_as_client(['./t_inq_cred', '-s'])
145
if realm.user_princ not in output:
146
fail('Expected %s in t_inq_cred output' % realm.user_princ)
148
# Test picking a name from the keytab for acceptor creds.
149
output = realm.run_as_client(['./t_inq_cred', '-a'])
150
if realm.host_princ not in output:
151
fail('Expected %s in t_inq_cred output' % realm.host_princ)
152
output = realm.run_as_client(['./t_inq_cred', '-k', '-a'])
153
if realm.host_princ not in output:
154
fail('Expected %s in t_inq_cred output' % realm.host_princ)
155
output = realm.run_as_client(['./t_inq_cred', '-s', '-a'])
156
if realm.host_princ not in output:
157
fail('Expected %s in t_inq_cred output' % realm.host_princ)
159
# Test client keytab initiation (non-deferred) with a specified name.
160
realm.extract_keytab(realm.user_princ, realm.client_keytab)
161
os.remove(realm.ccache)
162
output = realm.run_as_client(['./t_inq_cred', '-k'])
163
if realm.user_princ not in output:
164
fail('Expected %s in t_inq_cred output' % realm.user_princ)
166
# Test deferred client keytab initiation and GSS_C_BOTH cred usage.
167
os.remove(realm.client_keytab)
168
os.remove(realm.ccache)
169
shutil.copyfile(realm.keytab, realm.client_keytab)
170
output = realm.run_as_client(['./t_inq_cred', '-k', '-b'])
171
if realm.host_princ not in output:
172
fail('Expected %s in t_inq_cred output' % realm.host_princ)
174
# Test gss_export_name behavior.
175
out = realm.run_as_client(['./t_export_name', 'u:x'])
176
if out != '0401000B06092A864886F7120102020000000D78404B5242544553542E434F4D\n':
177
fail('Unexpected output from t_export_name (krb5 username)')
178
output = realm.run_as_client(['./t_export_name', '-s', 'u:xyz'])
179
if output != '0401000806062B06010505020000000378797A\n':
180
fail('Unexpected output from t_export_name (SPNEGO username)')
181
output = realm.run_as_client(['./t_export_name', 'p:a@b'])
182
if output != '0401000B06092A864886F71201020200000003614062\n':
183
fail('Unexpected output from t_export_name (krb5 principal)')
184
output = realm.run_as_client(['./t_export_name', '-s', 'p:a@b'])
185
if output != '0401000806062B060105050200000003614062\n':
186
fail('Unexpected output from t_export_name (SPNEGO krb5 principal)')
188
# Test gss_inquire_mechs_for_name behavior.
189
krb5_mech = '{ 1 2 840 113554 1 2 2 }'
190
spnego_mech = '{ 1 3 6 1 5 5 2 }'
191
out = realm.run_as_client(['./t_inq_mechs_name', 'p:a@b'])
192
if krb5_mech not in out:
193
fail('t_inq_mechs_name (principal)')
194
out = realm.run_as_client(['./t_inq_mechs_name', 'u:x'])
195
if krb5_mech not in out or spnego_mech not in out:
196
fail('t_inq_mecs_name (user)')
197
out = realm.run_as_client(['./t_inq_mechs_name', 'h:host'])
198
if krb5_mech not in out or spnego_mech not in out:
199
fail('t_inq_mecs_name (hostbased)')
201
success('GSSAPI tests')
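Review bot: The failure messages on the two new gss_inquire_mechs_for_name checks misspell the test program: `fail('t_inq_mecs_name (user)')` and `fail('t_inq_mecs_name (hostbased)')` should read `fail('t_inq_mechs_name (user)')` and `fail('t_inq_mechs_name (hostbased)')`, matching the principal case just above them and the binary actually invoked. Those strings are what a failing run prints, so the typo makes a failure harder to grep back to its test. Separately, the gss_export_name expectations are bare hex literals in which the realm name is baked in (`4B5242544553542E434F4D` is "KRBTEST.COM"); a one-line comment above the first check, such as `# Expected tokens embed the exported name bytes; 'x@KRBTEST.COM' relies on the default K5Realm realm.`, would tell the next maintainer why these break if the test realm changes.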