From 01319a310cf06e4139b65afb12f998dbea636103 Mon Sep 17 00:00:00 2001
From: Isaac Boukris
Date: Thu, 17 Jan 2019 11:36:46 +0200
Subject: Add tests for S4U2Self with certificate
[ghudson@mit.edu: fixed memory leaks in test KDB method]
ticket: 8781
---
 src/tests/gssapi/t_s4u.py | 73 +++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 71 insertions(+), 2 deletions(-)
(limited to 'src/tests/gssapi/t_s4u.py')
diff --git a/src/tests/gssapi/t_s4u.py b/src/tests/gssapi/t_s4u.py
index 7aff9af..63183aa 100755
--- a/src/tests/gssapi/t_s4u.py
+++ b/src/tests/gssapi/t_s4u.py
@@ -1,4 +1,6 @@
 from k5test import *
+from base64 import b64encode
+import shutil
 
 realm = K5Realm(create_host=False, get_creds=False)
 usercache = 'FILE:' + os.path.join(realm.testdir, 'usercache')
@@ -159,7 +161,8 @@ for realm in multipass_realms(create_host=False, get_creds=False):
 mark('cross-realm S4U2Self')
 testprincs = {'krbtgt/SREALM': {'keys': 'aes128-cts'},
 'krbtgt/UREALM': {'keys': 'aes128-cts'},
- 'user': {'keys': 'aes128-cts', 'flags': '+preauth'}}
+ 'user': {'keys': 'aes128-cts', 'flags': '+preauth'},
+ 'other': {'keys': 'aes128-cts'}}
 kdcconf1 = {'realms': {'$realm': {'database_module': 'test'}},
 'dbmodules': {'test': {'db_library': 'test',
 'princs': testprincs,
@@ -178,6 +181,8 @@ r1.start_kdc()
 r2.start_kdc()
 r1.extract_keytab(r1.user_princ, r1.keytab)
 r1.kinit(r1.user_princ, None, ['-k', '-t', r1.keytab])
+savefile = r1.ccache + '.save'
+shutil.copyfile(r1.ccache, savefile)
 
 # Include a regression test for #8741 by unsetting the default realm.
 remove_default = {'libdefaults': {'default_realm': None}}
@@ -193,7 +198,7 @@ msgs = ('Getting credentials user@UREALM -> user@SREALM',
 r1.run(['./t_s4u', 'p:' + r2.user_princ, '-', r1.keytab],
 env=no_default, expected_trace=msgs)
 
-# Test realm identification of enterprise principal names ([MS-S4U]
+# Test realm identification of enterprise principal names ([MS-SFU]
 # 3.1.5.1.1.1). Attach a bogus realm to the enterprise name to verify
 # that we start at the server realm.
 mark('cross-realm S4U2Self with enterprise name')
@@ -209,6 +214,70 @@ msgs = ('Getting initial credentials for enterprise\\@abc@SREALM',
 r1.run(['./t_s4u', 'e:enterprise@abc@NOREALM', '-', r1.keytab],
 expected_trace=msgs)
 
+mark('S4U2Self using X509 certificate')
+
+# Encode name as a PEM certificate file (sort of) for use by kvno.
+def princ_cert(name):
+ enc = b64encode(name.encode('ascii')).decode('ascii')
+ return '-----BEGIN CERTIFICATE-----\n%s\n-----END y\n' % enc
+
+cert_path = os.path.join(r1.testdir, 'fake_cert')
+with open(cert_path, "w") as cert_file:
+ cert_file.write(princ_cert('other'))
+
+shutil.copyfile(savefile, r1.ccache)
+msgs = ('Getting initial credentials for @SREALM',
+ 'Identified realm of client principal as SREALM',
+ 'TGS reply is for other@SREALM',
+ 'Getting credentials other@SREALM',
+ 'Storing other@SREALM')
+r1.run([kvno, '-F', cert_path, r1.user_princ], expected_trace=msgs)
+
+shutil.copyfile(savefile, r1.ccache)
+msgs = ('Getting credentials other@SREALM',
+ 'TGS reply is for other@SREALM',
+ 'Storing other@SREALM')
+r1.run([kvno, '-I', 'other', '-F', cert_path, r1.user_princ],
+ expected_trace=msgs)
+
+shutil.copyfile(savefile, r1.ccache)
+msgs = ('Getting initial credentials for other@SREALM',
+ 'Identified realm of client principal as SREALM',
+ 'Getting credentials other@SREALM',
+ 'TGS reply is for other@SREALM',
+ 'Storing other@SREALM')
+r1.run([kvno, '-U', 'other', '-F', cert_path, r1.user_princ],
+ expected_trace=msgs)
+
+mark('cross-realm S4U2Self using X509 certificate')
+
+with open(cert_path, "w") as cert_file:
+ cert_file.write(princ_cert('user@UREALM'))
+
+shutil.copyfile(savefile, r1.ccache)
+msgs = ('Getting initial credentials for @SREALM',
+ 'Identified realm of client principal as UREALM',
+ 'TGS reply is for user@UREALM',
+ 'Getting credentials user@UREALM',
+ 'Storing user@UREALM')
+r1.run([kvno, '-F', cert_path, r1.user_princ], expected_trace=msgs)
+
+shutil.copyfile(savefile, r1.ccache)
+msgs = ('Getting credentials user@UREALM',
+ 'TGS reply is for user@UREALM',
+ 'Storing user@UREALM')
+r1.run([kvno, '-I', 'user@UREALM', '-F', cert_path, r1.user_princ],
+ expected_trace=msgs)
+
+shutil.copyfile(savefile, r1.ccache)
+msgs = ('Getting initial credentials for enterprise\\@abc@SREALM',
+ 'Identified realm of client principal as UREALM',
+ 'Getting credentials enterprise\\@abc@UREALM',
+ 'TGS reply is for enterprise\\@abc@UREALM',
+ 'Storing enterprise\\@abc@UREALM')
+r1.run([kvno, '-U', 'enterprise@abc', '-F', cert_path, r1.user_princ],
+ expected_trace=msgs)
+
 r1.stop()
 r2.stop()
 
-- 
cgit v1.1
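Review bot: The fake PEM footer emitted by `princ_cert` is `-----END y` rather than `-----END CERTIFICATE-----`, and the only hint that this is deliberate is the "(sort of)" in the comment above the def, so the next reader will read it as a typo. Presumably the `-F` reader only needs the BEGIN line and the base64 payload, which the test KDB module then decodes as the client name; if that is the case, the comment should say so: `# Build a fake PEM "certificate" whose body is just the base64 principal name. Only the BEGIN line and payload are consumed by kvno/the test KDB module, so the END line is deliberately incomplete.` It is also worth stating in that comment that no real X.509 parsing or validation happens here, so these cases cover the realm-identification and name-mapping paths of S4U2Self, not certificate checking. A negative case would strengthen the coverage — a certificate naming a principal that disagrees with the `-I`/`-U` name, or one absent from testprincs — so the expected rejection of a mismatch is pinned down rather than left implicit, if rejection is the intended behaviour.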