author | Greg Hudson <ghudson@mit.edu> | 2016-04-05 00:23:20 -0400 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2016-04-27 15:04:59 -0400 |
commit | 12cc2b9dab45b05c13642c2b4b0ce0d3191663c7 (patch) | |
tree | 82293de92fc4b9e6ac6c598a26e0bf7be1c64c8f /src | |
parent | c5c8e57b77d440dbce565579e10e279acfde4674 (diff) | |
Test KDB authdata and kinit pac options
Add a sign_authdata method to the test KDB module. Add tests to
t_authdata.py for KDB module authdata and the kinit --request-pac and
--no-request-pac options.
ticket: 7985
Diffstat (limited to 'src')
-rw-r--r-- | src/plugins/kdb/test/kdb_test.c | 27 | ||||
-rw-r--r-- | src/tests/t_authdata.py | 48 |
2 files changed, 63 insertions, 12 deletions
diff --git a/src/plugins/kdb/test/kdb_test.c b/src/plugins/kdb/test/kdb_test.c
index a0e4970..db939b9 100644
--- a/src/plugins/kdb/test/kdb_test.c
+++ b/src/plugins/kdb/test/kdb_test.c
@@ -71,6 +71,8 @@
 #include "adm_proto.h"
 #include <ctype.h>
+#define TEST_AD_TYPE -456
+
 typedef struct {
 void *profile;
 char *section;
@@ -490,6 +492,29 @@ test_encrypt_key_data(krb5_context context, const krb5_keyblock *mkey,
 }
 static krb5_error_code
+test_sign_authdata(krb5_context context, unsigned int flags,
+ krb5_const_principal client_princ, krb5_db_entry *client,
+ krb5_db_entry *server, krb5_db_entry *krbtgt,
+ krb5_keyblock *client_key, krb5_keyblock *server_key,
+ krb5_keyblock *krbtgt_key, krb5_keyblock *session_key,
+ krb5_timestamp authtime, krb5_authdata **tgt_auth_data,
+ krb5_authdata ***signed_auth_data)
+{
+ krb5_authdata **list, *ad;
+
+ ad = ealloc(sizeof(*ad));
+ ad->magic = KV5M_AUTHDATA;
+ ad->ad_type = TEST_AD_TYPE;
+ ad->contents = (uint8_t *)estrdup("db-authdata-test");
+ ad->length = strlen((char *)ad->contents);
+ list = ealloc(2 * sizeof(*list));
+ list[0] = ad;
+ list[1] = NULL;
+ *signed_auth_data = list;
+ return 0;
+}
+
+static krb5_error_code
 test_check_allowed_to_delegate(krb5_context context,
 krb5_const_principal client,
 const krb5_db_entry *server,
@@ -551,7 +576,7 @@ kdb_vftabl PLUGIN_SYMBOL_NAME(krb5_test, kdb_function_table) = {
 NULL, /* promote_db */
 test_decrypt_key_data,
 test_encrypt_key_data,
- NULL, /* sign_authdata */
+ test_sign_authdata,
 NULL, /* check_transited_realms */
 NULL, /* check_policy_as */
 NULL, /* check_policy_tgs */
diff --git a/src/tests/t_authdata.py b/src/tests/t_authdata.py
index d98c3fd..20c8bc6 100644
--- a/src/tests/t_authdata.py
+++ b/src/tests/t_authdata.py
@@ -163,6 +163,7 @@ realm.run([kadminl, 'setstr', 'restricted', 'require_auth', 'a b c ind2'])
 realm.run([kvno, 'restricted'])
 realm.stop()
+realm2.stop()
 # Load the test KDB module to allow successful S4U2Proxy
 # auth-indicator requests.
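Review bot: test_sign_authdata returns the same single authdata element regardless of flags, client, server or tgt_auth_data, so every include/suppress outcome that the new t_authdata.py checks assert is decided by the caller (presumably the KDC), not by this module, and that contract deserves a comment above the function so a reader of kdb_test.c does not expect the module to honour +no_auth_data_required or a negative PAC request itself. Suggested header comment: `/* Unconditionally return one authdata element of type TEST_AD_TYPE so that t_authdata.py can observe where the KDC includes or suppresses KDB module authdata; flags and the principal entries are deliberately ignored. */`. It would also help to note that the -456 value and the "db-authdata-test" string are matched verbatim by t_authdata.py, so the two files must change together. The unused parameters are inherent to the kdb_vftabl sign_authdata signature and need no change.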
@@ -170,7 +171,9 @@ testprincs = {'krbtgt/KRBTEST.COM': {'keys': 'aes128-cts'},
 'krbtgt/FOREIGN': {'keys': 'aes128-cts'},
 'user': {'keys': 'aes128-cts', 'flags': '+preauth'},
 'service/1': {'keys': 'aes128-cts', 'flags': '+preauth'},
- 'service/2': {'keys': 'aes128-cts'}}
+ 'service/2': {'keys': 'aes128-cts'},
+ 'noauthdata': {'keys': 'aes128-cts',
+ 'flags': '+no_auth_data_required'}}
 kdcconf = {'realms': {'$realm': {'database_module': 'test'}},
 'dbmodules': {'test': {'db_library': 'test', 'princs': testprincs,
@@ -182,6 +185,7 @@ realm.extract_keytab('krbtgt/FOREIGN', realm.keytab)
 realm.extract_keytab(realm.user_princ, realm.keytab)
 realm.extract_keytab('service/1', realm.keytab)
 realm.extract_keytab('service/2', realm.keytab)
+realm.extract_keytab('noauthdata', realm.keytab)
 realm.start_kdc()
 # S4U2Self (should have no indicators since client did not authenticate)
@@ -199,16 +203,38 @@ out = realm.run(['./adata', '-p', realm.user_princ, 'service/2'])
 if '+97: [indcl]' not in out or '[inds1]' in out:
 fail('correct auth-indicator not seen for S4U2Proxy req')
-# KDB authdata is not tested here; we would need a test KDB module to
-# generate authdata, and also some additions to the test harness. The
-# current rules we would want to test are:
-#
-# * The no_auth_data_required server flag suppresses KDB authdata in
-# TGS requests.
-# * KDB authdata is also suppressed in TGS requests if the TGT
+# Test that KDB module authdata is included in an AS request, by
+# default or with an explicit PAC request.
+realm.kinit(realm.user_princ, None, ['-k'])
+out = realm.run(['./adata', realm.krbtgt_princ])
+if '-456: db-authdata-test' not in out:
+ fail('DB authdata not seen in default AS request')
+realm.kinit(realm.user_princ, None, ['-k', '--request-pac'])
+out = realm.run(['./adata', realm.krbtgt_princ])
+if '-456: db-authdata-test' not in out:
+ fail('DB authdata not seen with --request-pac')
+
+# Test that KDB module authdata is suppressed in an AS request by a
+# negative PAC request.
+realm.kinit(realm.user_princ, None, ['-k', '--no-request-pac'])
+out = realm.run(['./adata', realm.krbtgt_princ])
+if '-456: db-authdata-test' in out:
+ fail('DB authdata not suppressed by --no-request-pac')
+
+# Test that KDB authdata is included in a TGS request by default.
+out = realm.run(['./adata', 'service/1'])
+if '-456: db-authdata-test' not in out:
+ fail('DB authdata not seen in TGS request')
+
+# Test that KDB authdata is suppressed in a TGS request by the
+# +no_auth_data_required flag.
+out = realm.run(['./adata', 'noauthdata'])
+if '-456: db-authdata-test' in out:
+ fail('DB authdata not suppressed by +no_auth_data_required')
+
+# Additional KDB module authdata behavior we don't currently test:
+# * KDB module authdata is suppressed in TGS requests if the TGT
 # contains no authdata and the request is not cross-realm or S4U.
-# * For AS requests, KDB authdata is suppressed if negative
-# KRB5_PADATA_PAC_REQUEST padata is present in the request.
-# * KDB authdata is suppressed for anonymous tickets.
+# * KDB module authdata is suppressed for anonymous tickets.
 success('Authorization data tests') |
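Review bot: The TGS checks at `out = realm.run(['./adata', 'service/1'])` and `out = realm.run(['./adata', 'noauthdata'])` reuse whatever TGT the last kinit left in the ccache, and that was the `--no-request-pac` kinit whose TGT the test has just asserted carries no KDB authdata. Under the rule the hunk itself records (KDB module authdata is suppressed in a TGS request when the TGT contains no authdata), the service/1 assertion presumably passes only because that TGT still carries some other authdata, such as the auth indicators checked earlier in this file, and that coupling is invisible to the next person who reorders these tests. Re-acquiring a default TGT before the TGS section, `realm.kinit(realm.user_princ, None, ['-k'])` placed just before the service/1 check, makes the TGS tests exercise the default path and independent of the negative-PAC step. A one-line comment stating that the TGS checks depend on the TGT currently in the ccache would also help.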