author | Greg Hudson <ghudson@mit.edu> | 2018-08-24 11:40:39 -0400 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2018-08-27 11:38:19 -0400 |
commit | 409e0657f8a859d7f3a342ebc1e15755180fef61 (patch) | |
tree | 53cbcbfcebfbf166e48a34f9cbed800f7540ffb5 /src/tests | |
parent | 088ba228acce4fd55bbb7c30122fe2703b8beeb8 (diff) | |
Add kvno option for user-to-user
Add a --u2u option to kvno, with an argument to specify a credential
cache containing a krbtgt for the server principal. Move the
-allow_svr test from appl/user_to_user to a new test script and add
additional tests. Suggested by Chris Hecker.
ticket: 8730 (new)
Diffstat (limited to 'src/tests')
-rw-r--r-- | src/tests/Makefile.in | 1 | ||||
-rw-r--r-- | src/tests/t_u2u.py | 27 |
2 files changed, 28 insertions, 0 deletions
diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
index aed23e5..e27617e 100644
--- a/src/tests/Makefile.in
+++ b/src/tests/Makefile.in
@@ -176,6 +176,7 @@ check-pytests: unlockiter
 $(RUNPYTEST) $(srcdir)/t_certauth.py $(PYTESTFLAGS)
 $(RUNPYTEST) $(srcdir)/t_y2038.py $(PYTESTFLAGS)
 $(RUNPYTEST) $(srcdir)/t_kdcpolicy.py $(PYTESTFLAGS)
+ $(RUNPYTEST) $(srcdir)/t_u2u.py $(PYTESTFLAGS)
 
 clean:
 $(RM) adata etinfo forward gcred hist hooks hrealm icinterleave icred
diff --git a/src/tests/t_u2u.py b/src/tests/t_u2u.py
new file mode 100644
index 0000000..8905dc2
--- /dev/null
+++ b/src/tests/t_u2u.py
@@ -0,0 +1,27 @@
+from k5test import *
+
+realm = K5Realm(create_host=False)
+
+# Create a second user principal and get tickets for it.
+u2u_ccache = 'FILE:' + os.path.join(realm.testdir, 'ccu2u')
+realm.addprinc('alice', password('alice'))
+realm.kinit('alice', password('alice'), ['-c', u2u_ccache])
+
+# Verify that -allow_dup_skey denies u2u requests.
+realm.run([kadminl, 'modprinc', '-allow_dup_skey', 'alice'])
+realm.run([kvno, '--u2u', u2u_ccache, 'alice'], expected_code=1,
+ expected_msg='KDC policy rejects request')
+realm.run([kadminl, 'modprinc', '+allow_dup_skey', 'alice'])
+
+# Verify that -allow_svr denies regular TGS requests, but allows
+# user-to-user TGS requests.
+realm.run([kadminl, 'modprinc', '-allow_svr', 'alice'])
+realm.run([kvno, 'alice'], expected_code=1,
+ expected_msg='Server principal valid for user2user only')
+realm.run([kvno, '--u2u', u2u_ccache, 'alice'], expected_msg='kvno = 0')
+realm.run([kadminl, 'modprinc', '+allow_svr', 'alice'])
+
+# Try u2u against the client user.
+realm.run([kvno, '--u2u', realm.ccache, realm.user_princ])
+
+realm.run([klist]) |
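Review bot: The last two commands in t_u2u.py, `realm.run([kvno, '--u2u', realm.ccache, realm.user_princ])` and `realm.run([klist])`, check only for a zero exit status, so the "u2u against the client user" case does not confirm that a user-to-user ticket was actually issued. I would give the kvno call the same match used for alice, presumably `expected_msg='kvno = 0'`, and either assert on the klist output or drop that call if it was left over from debugging. The script also never calls `success()`; as far as I recall the k5test harness expects each script to end with something like `success('User-to-user tests')`, so that should be confirmed against the other scripts in src/tests. Both policy checks here (`-allow_dup_skey` and `-allow_svr`) are enforcement tests, so a one-line comment above each stating why the KDC must reject the request would help a later reader judge whether a changed error string is a regression.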