-rw-r--r-- | .gitignore | 1 | ||||
-rw-r--r-- | src/tests/gssapi/Makefile.in | 15 | ||||
-rw-r--r-- | src/tests/gssapi/t_authind.py | 38 | ||||
-rw-r--r-- | src/tests/gssapi/t_srcattrs.c | 63 |
4 files changed, 112 insertions, 5 deletions
@@ -419,6 +419,7 @@ local.properties /src/tests/gssapi/t_s4u2proxy_krb5 /src/tests/gssapi/t_saslname /src/tests/gssapi/t_spnego +/src/tests/gssapi/t_srcattrs /src/tests/gssapi/t_inq_ctx /src/tests/hammer/kdc5_hammer diff --git a/src/tests/gssapi/Makefile.in b/src/tests/gssapi/Makefile.in index 0a329a0..5604e8d 100644 --- a/src/tests/gssapi/Makefile.in +++ b/src/tests/gssapi/Makefile.in @@ -17,13 +17,14 @@ SRCS= $(srcdir)/ccinit.c $(srcdir)/ccrefresh.c $(srcdir)/common.c \ $(srcdir)/t_inq_mechs_name.c $(srcdir)/t_iov.c \ $(srcdir)/t_namingexts.c $(srcdir)/t_oid.c $(srcdir)/t_pcontok.c \ $(srcdir)/t_prf.c $(srcdir)/t_s4u.c $(srcdir)/t_s4u2proxy_krb5.c \ - $(srcdir)/t_saslname.c $(srcdir)/t_spnego.c + $(srcdir)/t_saslname.c $(srcdir)/t_spnego.c $(srcdir)/t_srcattrs.c OBJS= ccinit.o ccrefresh.o common.o t_accname.o t_ccselect.o t_ciflags.o \ t_credstore.o t_enctypes.o t_err.o t_export_cred.o t_export_name.o \ t_gssexts.o t_imp_cred.o t_imp_name.o t_invalid.o t_inq_cred.o \ t_inq_ctx.o t_inq_mechs_name.o t_iov.o t_namingexts.o t_oid.o \ - t_pcontok.o t_prf.o t_s4u.o t_s4u2proxy_krb5.o t_saslname.o t_spnego.o + t_pcontok.o t_prf.o t_s4u.o t_s4u2proxy_krb5.o t_saslname.o \ + t_spnego.o t_srcattrs.o COMMON_DEPS= common.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS) COMMON_LIBS= common.o $(GSS_LIBS) $(KRB5_BASE_LIBS) @@ -31,7 +32,8 @@ COMMON_LIBS= common.o $(GSS_LIBS) $(KRB5_BASE_LIBS) all:: ccinit ccrefresh t_accname t_ccselect t_ciflags t_credstore t_enctypes \ t_err t_export_cred t_export_name t_gssexts t_imp_cred t_imp_name \ t_invalid t_inq_cred t_inq_ctx t_inq_mechs_name t_iov t_namingexts \ - t_oid t_pcontok t_prf t_s4u t_s4u2proxy_krb5 t_saslname t_spnego + t_oid t_pcontok t_prf t_s4u t_s4u2proxy_krb5 t_saslname t_spnego \ + t_srcattrs check-unix:: t_oid $(RUN_TEST) ./t_invalid 
@@ -41,13 +43,14 @@ check-unix:: t_oid check-pytests:: ccinit ccrefresh t_accname t_ccselect t_ciflags t_credstore \ t_enctypes t_err t_export_cred t_export_name t_imp_cred t_inq_cred \ t_inq_ctx t_inq_mechs_name t_iov t_pcontok t_s4u t_s4u2proxy_krb5 \ - t_spnego + t_spnego t_srcattrs $(RUNPYTEST) $(srcdir)/t_gssapi.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_ccselect.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_client_keytab.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_enctypes.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_export_cred.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_s4u.py $(PYTESTFLAGS) + $(RUNPYTEST) $(srcdir)/t_authind.py $(PYTESTFLAGS) ccinit: ccinit.o $(KRB5_BASE_DEPLIBS) $(CC_LINK) -o ccinit ccinit.o $(KRB5_BASE_LIBS) @@ -101,10 +104,12 @@ t_saslname: t_saslname.o $(COMMON_DEPS) $(CC_LINK) -o $@ t_saslname.o $(COMMON_LIBS) t_spnego: t_spnego.o $(COMMON_DEPS) $(CC_LINK) -o $@ t_spnego.o $(COMMON_LIBS) +t_srcattrs: t_srcattrs.o $(COMMON_DEPS) + $(CC_LINK) -o $@ t_srcattrs.o $(COMMON_LIBS) clean:: $(RM) ccinit ccrefresh t_accname t_ccselect t_ciflags t_credstore $(RM) t_enctypes t_err t_export_cred t_export_name t_gssexts t_imp_cred $(RM) t_imp_name t_invalid t_inq_cred t_inq_ctx t_inq_mechs_name t_iov $(RM) t_namingexts t_oid t_pcontok t_prf t_s4u t_s4u2proxy_krb5 - $(RM) t_saslname t_spnego + $(RM) t_saslname t_spnego t_srcattrs diff --git a/src/tests/gssapi/t_authind.py b/src/tests/gssapi/t_authind.py new file mode 100644 index 0000000..316bc40 --- /dev/null +++ b/src/tests/gssapi/t_authind.py 
@@ -0,0 +1,38 @@
+#!/usr/bin/python
+from k5test import *
+
+# Test authentication indicators. Load the test preauth module so we
+# can control the indicators asserted.
+testpreauth = os.path.join(buildtop, 'plugins', 'preauth', 'test', 'test.so')
+conf = {'plugins': {'kdcpreauth': {'module': 'test:' + testpreauth},
+ 'clpreauth': {'module': 'test:' + testpreauth}}}
+realm = K5Realm(krb5_conf=conf)
+realm.run([kadminl, 'addprinc', '-randkey', 'service/1'])
+realm.run([kadminl, 'addprinc', '-randkey', 'service/2'])
+realm.run([kadminl, 'modprinc', '+requires_preauth', realm.user_princ])
+realm.run([kadminl, 'setstr', 'service/1', 'require_auth', 'superstrong'])
+realm.run([kadminl, 'setstr', 'service/2', 'require_auth', 'one two'])
+realm.run([kadminl, 'xst', 'service/1'])
+realm.run([kadminl, 'xst', 'service/2'])
+
+realm.kinit(realm.user_princ, password('user'),
+ ['-X', 'indicators=superstrong'])
+out = realm.run(['./t_srcattrs', 'p:service/1'])
+if ('Attribute auth-indicators Authenticated Complete') not in out:
+ fail('Expected attribute type data not seen')
+# UTF8 "superstrong"
+if '73757065727374726f6e67' not in out:
+ fail('Expected auth indicator not seen in name attributes')
+
+out = realm.run(['./t_srcattrs', 'p:service/2'], expected_code=1)
+if 'gss_init_sec_context: KDC policy rejects request' not in out:
+ fail('Expected error message not seen for indicator mismatch')
+
+realm.kinit(realm.user_princ, password('user'), ['-X', 'indicators=one two'])
+out = realm.run(['./t_srcattrs', 'p:service/2'])
+# Hexademical "one" and "two"
+if '6f6e65' not in out or '74776f' not in out:
+ fail('Expected auth indicator not seen in name attributes')
+
+realm.stop()
+success('GSSAPI auth indicator tests')
diff --git a/src/tests/gssapi/t_srcattrs.c b/src/tests/gssapi/t_srcattrs.c
new file mode 100644
index 0000000..e83c356
--- /dev/null
+++ b/src/tests/gssapi/t_srcattrs.c
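Review bot: The rejection path is exercised only with a mismatched indicator (`superstrong` presented to `service/2`); no case covers a ticket that carries no indicator at all, which is the default state of a ticket and the case a `require_auth` regression would most plausibly let through. Consider adding, before the first `-X indicators=` kinit, `realm.kinit(realm.user_princ, password('user'))` followed by `realm.run(['./t_srcattrs', 'p:service/1'], expected_code=1)`, assuming the test preauth module asserts nothing when the option is absent. The hex checks are also bare substring matches on the whole output (`'6f6e65' not in out`), so they would pass if those bytes appeared inside a longer value; matching the full attribute line would be tighter. The comment `# Hexademical "one" and "two"` should read `# Hexadecimal "one" and "two"`.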
@@ -0,0 +1,63 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* src/tests/gssapi/t_accname_authind.c - test harness for auth indicators */
+/*
+ * Copyright (C) 2016 by Red Hat, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include "common.h"
+
+/* Establish a context to the given target name and enumerate the attributes of
+ * the source name. */
+
+int
+main(int argc, char *argv[])
+{
+ OM_uint32 minor, flags;
+ gss_name_t tname, sname;
+ gss_ctx_id_t ictx, actx;
+
+ if (argc != 2) {
+ fprintf(stderr, "Usage: %s targetname\n", argv[0]);
+ return 1;
+ }
+ tname = import_name(argv[1]);
+
+ flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;
+ establish_contexts(&mech_krb5, GSS_C_NO_CREDENTIAL, GSS_C_NO_CREDENTIAL,
+ tname, flags, &ictx, &actx, &sname, NULL, NULL);
+ enumerate_attributes(sname, 1);
+
+ (void)gss_release_name(&minor, &tname);
+ (void)gss_release_name(&minor, &sname);
+ (void)gss_delete_sec_context(&minor, &ictx, NULL);
+ (void)gss_delete_sec_context(&minor, &actx, NULL);
+ return 0;
+}
|
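Review bot: The file header comment names `src/tests/gssapi/t_accname_authind.c`, but the file being added is `t_srcattrs.c`; it should read `/* src/tests/gssapi/t_srcattrs.c - test harness for auth indicators */`. `main` checks no GSS status itself and returns 0 on every path after the usage check, yet t_authind.py expects exit code 1 with a `gss_init_sec_context:` message for the rejected case, so the failure exit presumably comes from the helpers declared in `common.h`, which are not part of this diff. If that is confirmed, a short comment above the `establish_contexts` call such as `/* establish_contexts() reports the GSS error and exits on failure. */` would make the dependency explicit. The literal `1` passed to `enumerate_attributes(sname, 1)` would also benefit from a brief comment naming what the flag selects.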