aboutsummaryrefslogtreecommitdiff
path: root/src/tests
diff options
context:
space:
mode:
Diffstat (limited to 'src/tests')
-rw-r--r--src/tests/Makefile.in1
-rw-r--r--src/tests/t_kadm5_auth.py81
-rwxr-xr-xsrc/tests/t_kadmin_acl.py15
3 files changed, 97 insertions, 0 deletions
diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
index b44c7bc..0013442 100644
--- a/src/tests/Makefile.in
+++ b/src/tests/Makefile.in
@@ -132,6 +132,7 @@ check-pytests: unlockiter
$(RUNPYTEST) $(srcdir)/t_otp.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_localauth.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_kadm5_hook.py $(PYTESTFLAGS)
+ $(RUNPYTEST) $(srcdir)/t_kadm5_auth.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_pwqual.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_hostrealm.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_kdb_locking.py $(PYTESTFLAGS)
diff --git a/src/tests/t_kadm5_auth.py b/src/tests/t_kadm5_auth.py
new file mode 100644
index 0000000..ba4ab8e
--- /dev/null
+++ b/src/tests/t_kadm5_auth.py
@@ -0,0 +1,81 @@
+#!/usr/bin/python
+from k5test import *
+
+# Create a realm with the welcomer and bouncer kadm5_auth test modules
+# in place of the builtin modules.
+modpath = os.path.join(buildtop, 'plugins', 'kadm5_auth', 'test',
+ 'kadm5_auth_test.so')
+conf = {'plugins': {'kadm5_auth': {'module': ['welcomer:' + modpath,
+ 'bouncer:' + modpath],
+ 'enable_only': ['welcomer', 'bouncer']}}}
+realm = K5Realm(krb5_conf=conf, create_host=False)
+realm.start_kadmind()
+realm.prep_kadmin()
+
+# addprinc: welcomer accepts with policy VIP, bouncer denies maxlife.
+realm.run_kadmin(['addprinc', '-randkey', 'princ'], expected_code=1)
+realm.run_kadmin(['addprinc', '-randkey', '-policy', 'VIP', 'princ'])
+realm.run_kadmin(['addprinc', '-randkey', '-policy', 'VIP', '-maxlife', '3',
+ 'princ'], expected_code=1)
+
+# modprinc: welcomer accepts with only maxrenewlife, bouncer denies
+# with even-component target principal.
+realm.run_kadmin(['modprinc', '-maxlife', '3', 'princ'], expected_code=1)
+realm.run_kadmin(['modprinc', '-maxrenewlife', '3', 'princ'])
+realm.run_kadmin(['modprinc', '-maxrenewlife', '3', 'user/admin'],
+ expected_code=1)
+
+# setstr: welcomer accepts with key 'note', bouncer denies with value
+# length > 10.
+realm.run_kadmin(['setstr', 'princ', 'somekey', 'someval'], expected_code=1)
+realm.run_kadmin(['setstr', 'princ', 'note', 'abc'])
+realm.run_kadmin(['setstr', 'princ', 'note', 'abcdefghijkl'], expected_code=1)
+
+# delprinc: welcomer accepts with target principal beginning with 'd',
+# bouncer denies with "nodelete" string attribute.
+realm.run_kadmin(['delprinc', 'user'], expected_code=1)
+realm.run([kadminl, 'addprinc', '-randkey', 'deltest'])
+realm.run_kadmin(['delprinc', 'deltest'])
+realm.run([kadminl, 'addprinc', '-randkey', 'deltest'])
+realm.run([kadminl, 'setstr', 'deltest', 'nodelete', 'yes'])
+realm.run_kadmin(['delprinc', 'deltest'], expected_code=1)
+
+# renprinc: welcomer accepts with same-length first components, bouncer
+# refuses with source principal beginning with 'a'.
+realm.run_kadmin(['renprinc', 'princ', 'xyz'], expected_code=1)
+realm.run_kadmin(['renprinc', 'princ', 'abcde'])
+realm.run_kadmin(['renprinc', 'abcde', 'fghij'], expected_code=1)
+
+# addpol: welcomer accepts with minlength 3, bouncer denies with name
+# length <= 3.
+realm.run_kadmin(['addpol', 'testpol'], expected_code=1)
+realm.run_kadmin(['addpol', '-minlength', '3', 'testpol'])
+realm.run_kadmin(['addpol', '-minlength', '3', 'abc'], expected_code=1)
+
+# modpol: welcomer accepts changes to minlife, bouncer denies with
+# minlife > 10.
+realm.run_kadmin(['modpol', '-minlength', '4', 'testpol'], expected_code=1)
+realm.run_kadmin(['modpol', '-minlife', '8', 'testpol'])
+realm.run_kadmin(['modpol', '-minlife', '11', 'testpol'], expected_code=1)
+
+# getpol: welcomer accepts if policy and client policy have same length,
+# bouncer denies if policy name begins with 'x'.
+realm.run([kadminl, 'addpol', 'aaaa'])
+realm.run([kadminl, 'addpol', 'bbbb'])
+realm.run([kadminl, 'addpol', 'xxxx'])
+realm.run([kadminl, 'modprinc', '-policy', 'aaaa', 'user/admin'])
+realm.run_kadmin(['getpol', 'testpol'], expected_code=1)
+realm.run_kadmin(['getpol', 'bbbb'])
+realm.run_kadmin(['getpol', 'xxxx'], expected_code=1)
+
+# end: welcomer counts operations using "ends" string attribute on
+# "opcount" principal. kadmind is dumb and invokes the end method for
+# every RPC operation including init, so we expect four calls to the
+# end operation.
+realm.run([kadminl, 'addprinc', '-nokey', 'opcount'])
+realm.run([kadminl, 'setstr', 'opcount', 'ends', '0'])
+realm.run_kadmin(['getprinc', 'user'])
+realm.run_kadmin(['getpol', 'bbbb'])
+realm.run([kadminl, 'getstrs', 'opcount'], expected_msg='ends: 4')
+
+success('kadm5_auth pluggable interface tests')
diff --git a/src/tests/t_kadmin_acl.py b/src/tests/t_kadmin_acl.py
index f7c04cf..42bdf42 100755
--- a/src/tests/t_kadmin_acl.py
+++ b/src/tests/t_kadmin_acl.py
@@ -296,4 +296,19 @@ kadmin_as(all_extract, ['ktadd', '-norandkey', 'extractkeys'])
realm.kinit('extractkeys', flags=['-k'])
os.remove(realm.keytab)
+# Verify that self-service key changes require an initial ticket.
+realm.run([kadminl, 'cpw', '-pw', password('none'), 'none'])
+realm.run([kadminl, 'modprinc', '+allow_tgs_req', 'kadmin/admin'])
+realm.kinit('none', password('none'))
+realm.run([kvno, 'kadmin/admin'])
+msg = 'Operation requires initial ticket'
+realm.run([kadmin, '-c', realm.ccache, 'cpw', '-pw', 'newpw', 'none'],
+ expected_code=1, expected_msg=msg)
+realm.run([kadmin, '-c', realm.ccache, 'cpw', '-pw', 'newpw',
+ '-e', 'aes256-cts', 'none'], expected_code=1, expected_msg=msg)
+realm.run([kadmin, '-c', realm.ccache, 'cpw', '-randkey', 'none'],
+ expected_code=1, expected_msg=msg)
+realm.run([kadmin, '-c', realm.ccache, 'cpw', '-randkey', '-e', 'aes256-cts',
+ 'none'], expected_code=1, expected_msg=msg)
+
success('kadmin ACL enforcement')
generated by cgit v1.1 at 2024-07-09 00:27:15 +0000