authorGreg Hudson <ghudson@mit.edu>2017-01-20 12:44:12 -0500
committerGreg Hudson <ghudson@mit.edu>2017-02-23 12:33:28 -0500
commit748beda1e36d76bed8b06b272ecb72988eede94b (patch)
tree3f7b228fde1dfc14ceeb233857046643d3e7cc3a /src/tests/t_pkinit.py
parent52d2de31bc4728dbc2f59c6033dcdab86da919e9 (diff)
Add test cases for preauth fallback behavior
Add options to icred for performing optimistic preauth and setting preauth options, and for choosing between the normal and stepwise interfaces. Add options to the test preauth module to allow induced failures at several points in processing, factoring out some padata manipulation functions into a new file to avoid repeating too much code. Add test cases to t_preauth.py using the new facilities to exercise and verify several preauth fallback scenarios. Amend the tryagain test case in t_pkinit.py to look for more trace log messages. ticket: 8537
Diffstat (limited to 'src/tests/t_pkinit.py')
-rwxr-xr-xsrc/tests/t_pkinit.py12
1 files changed, 9 insertions, 3 deletions
diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py
index 2dc057f..d1d4972 100755
--- a/src/tests/t_pkinit.py
+++ b/src/tests/t_pkinit.py
@@ -172,14 +172,20 @@ realm.klist(realm.user_princ)
# Test a DH parameter renegotiation by temporarily setting a 4096-bit
# minimum on the KDC. (Preauth type 16 is PKINIT PA_PK_AS_REQ;
-# 133 is FAST PA-FX-COOKIE.)
+# 109 is PKINIT TD_DH_PARAMETERS; 133 is FAST PA-FX-COOKIE.)
minbits_kdc_conf = {'realms': {'$realm': {'pkinit_dh_min_bits': '4096'}}}
minbits_env = realm.special_env('restrict', True, kdc_conf=minbits_kdc_conf)
realm.stop_kdc()
realm.start_kdc(env=minbits_env)
-expected_trace = ('Key parameters not accepted',
- 'Preauth tryagain input types',
+expected_trace = ('Sending unauthenticated request',
+ '/Additional pre-authentication required',
+ 'Preauthenticating using KDC method data',
+ 'Preauth module pkinit (16) (real) returned: 0/Success',
+ 'Produced preauth for next request: 133, 16',
+ '/Key parameters not accepted',
+ 'Preauth tryagain input types (16): 109, 133',
'trying again with KDC-provided parameters',
+ 'Preauth module pkinit (16) tryagain returned: 0/Success',
'Followup preauth for next request: 16, 133')
realm.kinit(realm.user_princ,
flags=['-X', 'X509_user_identity=%s' % file_identity],