author | Greg Hudson <ghudson@mit.edu> | 2015-03-23 12:20:15 -0400 |
committer | Greg Hudson <ghudson@mit.edu> | 2015-07-22 12:22:47 -0400 |
commit | 8ca82f0e3059cd8805f4dda388a8aa1d67c80920 (patch) | |
tree | 802d772b57f96c6484755a1a86b6267fc68a9f22 /src/tests/t_pkinit.py | |
parent | e6e6e54e89bc9644144436c3f267796ed790f70c (diff) | |
Add indicator support to PKINIT
Read a "pkinit_indicator" profile variable for PKINIT realm
configuration and assert its values as indicators when PKINIT is used
to authenticate. Add a test case in t_pkinit.py for this feature.
ticket: 8157
Diffstat (limited to 'src/tests/t_pkinit.py')
-rwxr-xr-x | src/tests/t_pkinit.py | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py
index e1cc514..b66c458 100755
--- a/src/tests/t_pkinit.py
+++ b/src/tests/t_pkinit.py
@@ -31,7 +31,8 @@ pkinit_krb5_conf = {'realms': {'$realm': {
 pkinit_kdc_conf = {'realms': {'$realm': {
     'default_principal_flags': '+preauth',
     'pkinit_eku_checking': 'none',
-    'pkinit_identity': 'FILE:%s,%s' % (kdc_pem, privkey_pem)}}}
+    'pkinit_identity': 'FILE:%s,%s' % (kdc_pem, privkey_pem),
+    'pkinit_indicator': ['indpkinit1', 'indpkinit2']}}}
 
 restrictive_kdc_conf = {'realms': {'$realm': {
     'restrict_anonymous_to_tgt': 'true' }}}
@@ -67,6 +68,9 @@ realm.addprinc('WELLKNOWN/ANONYMOUS')
 realm.kinit('@%s' % realm.realm, flags=['-n'])
 realm.klist('WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS')
 realm.run([kvno, realm.host_princ])
+out = realm.run(['./adata', realm.host_princ])
+if '97:' in out:
+    fail('auth indicators seen in anonymous PKINIT ticket')
 
 # Test anonymous kadmin.
 f = open(os.path.join(realm.testdir, 'acl'), 'a')
@@ -113,6 +117,9 @@ realm.kinit(realm.user_princ, password='encrypted')
 realm.klist(realm.user_princ)
 realm.run([kvno, realm.host_princ])
+out = realm.run(['./adata', realm.host_princ])
+if '+97: [indpkinit1, indpkinit2]' not in out:
+    fail('auth indicators not seen in PKINIT ticket')
 
 # Run the basic test - PKINIT with FILE: identity, with a password on the key,
 # supplied by the responder.
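Review bot: The anonymous-PKINIT check `if '97:' in out:` in the second hunk is a negative assertion with no positive control, so if `./adata` prints nothing or changes its output format the test passes vacuously, while the positive check in the third hunk would fail loudly. This hunk is the one guarding the property that indicators configured for a realm are not asserted on a ticket obtained by an unauthenticated anonymous client, so it deserves an equally tight assertion. The third hunk matches on `'+97: [indpkinit1, indpkinit2]'`, whereas the bare `'97:'` here would also match any other ad-type whose number ends in 97; if the `+` prefix is the stable form of the tool's output (its exact format is not visible in this diff), `if '+97:' in out:` would be the tighter check. A one-line comment above the check, `# Anonymous PKINIT must not assert the realm's configured indicators.`, would also make the intent of the negative test explicit to the next reader.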