authorIsaac Boukris <iboukris@gmail.com>2019-01-17 11:36:46 +0200
committerGreg Hudson <ghudson@mit.edu>2019-03-13 19:22:53 -0400
commit01319a310cf06e4139b65afb12f998dbea636103 (patch)
treecceac4a3aef4a2b27606a61995e44c78f31d4f07 /src/tests/gssapi/t_s4u.py
parent0fbfffbef2c266fedac557e00108b944e31e8d50 (diff)
Add tests for S4U2Self with certificate
[ghudson@mit.edu: fixed memory leaks in test KDB method] ticket: 8781
Diffstat (limited to 'src/tests/gssapi/t_s4u.py')
-rwxr-xr-xsrc/tests/gssapi/t_s4u.py73
1 files changed, 71 insertions, 2 deletions
diff --git a/src/tests/gssapi/t_s4u.py b/src/tests/gssapi/t_s4u.py
index 7aff9af..63183aa 100755
--- a/src/tests/gssapi/t_s4u.py
+++ b/src/tests/gssapi/t_s4u.py
@@ -1,4 +1,6 @@
from k5test import *
+from base64 import b64encode
+import shutil
realm = K5Realm(create_host=False, get_creds=False)
usercache = 'FILE:' + os.path.join(realm.testdir, 'usercache')
@@ -159,7 +161,8 @@ for realm in multipass_realms(create_host=False, get_creds=False):
mark('cross-realm S4U2Self')
testprincs = {'krbtgt/SREALM': {'keys': 'aes128-cts'},
'krbtgt/UREALM': {'keys': 'aes128-cts'},
- 'user': {'keys': 'aes128-cts', 'flags': '+preauth'}}
+ 'user': {'keys': 'aes128-cts', 'flags': '+preauth'},
+ 'other': {'keys': 'aes128-cts'}}
kdcconf1 = {'realms': {'$realm': {'database_module': 'test'}},
'dbmodules': {'test': {'db_library': 'test',
'princs': testprincs,
@@ -178,6 +181,8 @@ r1.start_kdc()
r2.start_kdc()
r1.extract_keytab(r1.user_princ, r1.keytab)
r1.kinit(r1.user_princ, None, ['-k', '-t', r1.keytab])
+savefile = r1.ccache + '.save'
+shutil.copyfile(r1.ccache, savefile)
# Include a regression test for #8741 by unsetting the default realm.
remove_default = {'libdefaults': {'default_realm': None}}
@@ -193,7 +198,7 @@ msgs = ('Getting credentials user@UREALM -> user@SREALM',
r1.run(['./t_s4u', 'p:' + r2.user_princ, '-', r1.keytab], env=no_default,
expected_trace=msgs)
-# Test realm identification of enterprise principal names ([MS-S4U]
+# Test realm identification of enterprise principal names ([MS-SFU]
# 3.1.5.1.1.1). Attach a bogus realm to the enterprise name to verify
# that we start at the server realm.
mark('cross-realm S4U2Self with enterprise name')
@@ -209,6 +214,70 @@ msgs = ('Getting initial credentials for enterprise\\@abc@SREALM',
r1.run(['./t_s4u', 'e:enterprise@abc@NOREALM', '-', r1.keytab],
expected_trace=msgs)
+mark('S4U2Self using X509 certificate')
+
+# Encode name as a PEM certificate file (sort of) for use by kvno.
+def princ_cert(name):
+ enc = b64encode(name.encode('ascii')).decode('ascii')
+ return '-----BEGIN CERTIFICATE-----\n%s\n-----END y\n' % enc
+
+cert_path = os.path.join(r1.testdir, 'fake_cert')
+with open(cert_path, "w") as cert_file:
+ cert_file.write(princ_cert('other'))
+
+shutil.copyfile(savefile, r1.ccache)
+msgs = ('Getting initial credentials for @SREALM',
+ 'Identified realm of client principal as SREALM',
+ 'TGS reply is for other@SREALM',
+ 'Getting credentials other@SREALM',
+ 'Storing other@SREALM')
+r1.run([kvno, '-F', cert_path, r1.user_princ], expected_trace=msgs)
+
+shutil.copyfile(savefile, r1.ccache)
+msgs = ('Getting credentials other@SREALM',
+ 'TGS reply is for other@SREALM',
+ 'Storing other@SREALM')
+r1.run([kvno, '-I', 'other', '-F', cert_path, r1.user_princ],
+ expected_trace=msgs)
+
+shutil.copyfile(savefile, r1.ccache)
+msgs = ('Getting initial credentials for other@SREALM',
+ 'Identified realm of client principal as SREALM',
+ 'Getting credentials other@SREALM',
+ 'TGS reply is for other@SREALM',
+ 'Storing other@SREALM')
+r1.run([kvno, '-U', 'other', '-F', cert_path, r1.user_princ],
+ expected_trace=msgs)
+
+mark('cross-realm S4U2Self using X509 certificate')
+
+with open(cert_path, "w") as cert_file:
+ cert_file.write(princ_cert('user@UREALM'))
+
+shutil.copyfile(savefile, r1.ccache)
+msgs = ('Getting initial credentials for @SREALM',
+ 'Identified realm of client principal as UREALM',
+ 'TGS reply is for user@UREALM',
+ 'Getting credentials user@UREALM',
+ 'Storing user@UREALM')
+r1.run([kvno, '-F', cert_path, r1.user_princ], expected_trace=msgs)
+
+shutil.copyfile(savefile, r1.ccache)
+msgs = ('Getting credentials user@UREALM',
+ 'TGS reply is for user@UREALM',
+ 'Storing user@UREALM')
+r1.run([kvno, '-I', 'user@UREALM', '-F', cert_path, r1.user_princ],
+ expected_trace=msgs)
+
+shutil.copyfile(savefile, r1.ccache)
+msgs = ('Getting initial credentials for enterprise\\@abc@SREALM',
+ 'Identified realm of client principal as UREALM',
+ 'Getting credentials enterprise\\@abc@UREALM',
+ 'TGS reply is for enterprise\\@abc@UREALM',
+ 'Storing enterprise\\@abc@UREALM')
+r1.run([kvno, '-U', 'enterprise@abc', '-F', cert_path, r1.user_princ],
+ expected_trace=msgs)
+
r1.stop()
r2.stop()
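Review bot: The `princ_cert` helper near the top of the hunk ends its fake PEM with `-----END y\n` instead of `-----END CERTIFICATE-----`, and the only hint that this is deliberate is "(sort of)" in the comment above it, so the next reader is likely to "correct" it and change what the test exercises. I would state the intent in the comment, e.g. `# Encode name as a PEM-style certificate file for kvno -F. The footer is deliberately not a valid PEM trailer; presumably only the base64 body is consumed by the test KDB module — confirm against that code.` (the claim about what the KDB module reads is inferred from the expected traces, not visible here). Separately, `shutil.copyfile(savefile, r1.ccache)` is repeated before each of the six kvno runs to reset the cache to the post-kinit state; a one-line helper defined next to `princ_cert`, `def restore_ccache(): shutil.copyfile(savefile, r1.ccache)`, would make that fresh-cache precondition explicit and keep it in one place.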