Test KDB authdata and kinit pac options

Add a sign_authdata method to the test KDB module.  Add tests to
t_authdata.py for KDB module authdata and the kinit --request-pac and
--no-request-pac options.

ticket: 7985

2 files changed, 63 insertions, 12 deletions

diff --git a/src/plugins/kdb/test/kdb_test.c b/src/plugins/kdb/test/kdb_test.c
index a0e4970..db939b9 100644
--- a/src/plugins/kdb/test/kdb_test.c
+++ b/src/plugins/kdb/test/kdb_test.c
@@ -71,6 +71,8 @@
 #include "adm_proto.h"
 #include <ctype.h>
 
+#define TEST_AD_TYPE -456
+
 typedef struct {
     void *profile;
     char *section;
@@ -490,6 +492,29 @@ test_encrypt_key_data(krb5_context context, const krb5_keyblock *mkey,
 }
 
 static krb5_error_code
+test_sign_authdata(krb5_context context, unsigned int flags,
+                   krb5_const_principal client_princ, krb5_db_entry *client,
+                   krb5_db_entry *server, krb5_db_entry *krbtgt,
+                   krb5_keyblock *client_key, krb5_keyblock *server_key,
+                   krb5_keyblock *krbtgt_key, krb5_keyblock *session_key,
+                   krb5_timestamp authtime, krb5_authdata **tgt_auth_data,
+                   krb5_authdata ***signed_auth_data)
+{
+    krb5_authdata **list, *ad;
+
+    ad = ealloc(sizeof(*ad));
+    ad->magic = KV5M_AUTHDATA;
+    ad->ad_type = TEST_AD_TYPE;
+    ad->contents = (uint8_t *)estrdup("db-authdata-test");
+    ad->length = strlen((char *)ad->contents);
+    list = ealloc(2 * sizeof(*list));
+    list[0] = ad;
+    list[1] = NULL;
+    *signed_auth_data = list;
+    return 0;
+}
+
+static krb5_error_code
 test_check_allowed_to_delegate(krb5_context context,
                                krb5_const_principal client,
                                const krb5_db_entry *server,
@@ -551,7 +576,7 @@ kdb_vftabl PLUGIN_SYMBOL_NAME(krb5_test, kdb_function_table) = {
     NULL, /* promote_db */
     test_decrypt_key_data,
     test_encrypt_key_data,
-    NULL, /* sign_authdata */
+    test_sign_authdata,
     NULL, /* check_transited_realms */
     NULL, /* check_policy_as */
     NULL, /* check_policy_tgs */
diff --git a/src/tests/t_authdata.py b/src/tests/t_authdata.py
index d98c3fd..20c8bc6 100644
--- a/src/tests/t_authdata.py
+++ b/src/tests/t_authdata.py
@@ -163,6 +163,7 @@ realm.run([kadminl, 'setstr', 'restricted', 'require_auth', 'a b c ind2'])
 realm.run([kvno, 'restricted'])
 
 realm.stop()
+realm2.stop()
 
 # Load the test KDB module to allow successful S4U2Proxy
 # auth-indicator requests.
@@ -170,7 +171,9 @@ testprincs = {'krbtgt/KRBTEST.COM': {'keys': 'aes128-cts'},
               'krbtgt/FOREIGN': {'keys': 'aes128-cts'},
               'user': {'keys': 'aes128-cts', 'flags': '+preauth'},
               'service/1': {'keys': 'aes128-cts', 'flags': '+preauth'},
-              'service/2': {'keys': 'aes128-cts'}}
+              'service/2': {'keys': 'aes128-cts'},
+              'noauthdata': {'keys': 'aes128-cts',
+                             'flags': '+no_auth_data_required'}}
 kdcconf = {'realms': {'$realm': {'database_module': 'test'}},
            'dbmodules': {'test': {'db_library': 'test',
                                   'princs': testprincs,
@@ -182,6 +185,7 @@ realm.extract_keytab('krbtgt/FOREIGN', realm.keytab)
 realm.extract_keytab(realm.user_princ, realm.keytab)
 realm.extract_keytab('service/1', realm.keytab)
 realm.extract_keytab('service/2', realm.keytab)
+realm.extract_keytab('noauthdata', realm.keytab)
 realm.start_kdc()
 
 # S4U2Self (should have no indicators since client did not authenticate)
@@ -199,16 +203,38 @@ out = realm.run(['./adata', '-p', realm.user_princ, 'service/2'])
 if '+97: [indcl]' not in out or '[inds1]' in out:
     fail('correct auth-indicator not seen for S4U2Proxy req')
 
-# KDB authdata is not tested here; we would need a test KDB module to
-# generate authdata, and also some additions to the test harness.  The
-# current rules we would want to test are:
-#
-# * The no_auth_data_required server flag suppresses KDB authdata in
-#   TGS requests.
-# * KDB authdata is also suppressed in TGS requests if the TGT
+# Test that KDB module authdata is included in an AS request, by
+# default or with an explicit PAC request.
+realm.kinit(realm.user_princ, None, ['-k'])
+out = realm.run(['./adata', realm.krbtgt_princ])
+if '-456: db-authdata-test' not in out:
+    fail('DB authdata not seen in default AS request')
+realm.kinit(realm.user_princ, None, ['-k', '--request-pac'])
+out = realm.run(['./adata', realm.krbtgt_princ])
+if '-456: db-authdata-test' not in out:
+    fail('DB authdata not seen with --request-pac')
+
+# Test that KDB module authdata is suppressed in an AS request by a
+# negative PAC request.
+realm.kinit(realm.user_princ, None, ['-k', '--no-request-pac'])
+out = realm.run(['./adata', realm.krbtgt_princ])
+if '-456: db-authdata-test' in out:
+    fail('DB authdata not suppressed by --no-request-pac')
+
+# Test that KDB authdata is included in a TGS request by default.
+out = realm.run(['./adata', 'service/1'])
+if '-456: db-authdata-test' not in out:
+    fail('DB authdata not seen in TGS request')
+
+# Test that KDB authdata is suppressed in a TGS request by the
+# +no_auth_data_required flag.
+out = realm.run(['./adata', 'noauthdata'])
+if '-456: db-authdata-test' in out:
+    fail('DB authdata not suppressed by +no_auth_data_required')
+
+# Additional KDB module authdata behavior we don't currently test:
+# * KDB module authdata is suppressed in TGS requests if the TGT
 #   contains no authdata and the request is not cross-realm or S4U.
-# * For AS requests, KDB authdata is suppressed if negative
-#   KRB5_PADATA_PAC_REQUEST padata is present in the request.
-# * KDB authdata is suppressed for anonymous tickets.
+# * KDB module authdata is suppressed for anonymous tickets.
 
 success('Authorization data tests')