GitHub Repository: freebsd/freebsd-src
Path: blob/main/crypto/krb5/src/appl/gss-sample/t_gss_sample.py
# Copyright (C) 2010 by the Massachusetts Institute of Technology.
# All rights reserved.
#
# Export of this software from the United States of America may
# require a specific license from the United States Government.
# It is the responsibility of any person or organization contemplating
# export to obtain such a license before exporting.
#
# WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
# distribute this software and its documentation for any purpose and
# without fee is hereby granted, provided that the above copyright
# notice appear in all copies and that both that copyright notice and
# this permission notice appear in supporting documentation, and that
# the name of M.I.T. not be used in advertising or publicity pertaining
# to distribution of the software without specific, written prior
# permission. Furthermore if you modify this software you must label
# your software as modified software and not distribute it in such a
# fashion that it might be confused with the original M.I.T. software.
# M.I.T. makes no representations about the suitability of
# this software for any purpose. It is provided "as is" without express
# or implied warranty.
from k5test import *
# Locations of the sample GSS-API client and server programs inside the
# build tree; every test below launches these two binaries.
appdir = os.path.join(buildtop, 'appl', 'gss-sample')
gss_client, gss_server = (os.path.join(appdir, prog)
                          for prog in ('gss-client', 'gss-server'))
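def run_client_server(realm, options, server_options, **kwargs):
    """Run one gss-server/gss-client exchange and return gss-client's output.

    A gss-server is started on the realm's server port with the extra
    flags in server_options, then gss-client is run against it with the
    extra flags in options.  All kwargs (expected_code, expected_msg,
    ...) are passed through unchanged to realm.run() for the client
    command.

    Unless 'expected_code' is among kwargs (the caller expects the
    client to fail), the server's stdout is read until it has logged
    both the accepted client principal and the received test message.
    This checks the server's own view of who authenticated, not only
    what the client printed.  The server is stopped before returning.
    """
    portstr = str(realm.server_port())
    server_args = [gss_server, '-export', '-port', portstr]
    server_args += server_options + ['host']
    server = realm.start_server(server_args, 'starting...')
    # Keep the client's output so the function returns what its header
    # comment promised; it was previously discarded, so callers got None.
    # NOTE(review): assumes realm.run() returns the command output --
    # confirm in k5test.
    client_output = realm.run([gss_client, '-port', portstr] + options +
                              [hostname, 'host', 'testmsg'], **kwargs)

    # The principal inside the expected "Accepted connection" line was
    # shown in this listing as an e-mail-obfuscation placeholder, which
    # can never equal what gss-server prints.  The client authenticates
    # as the realm's user principal in every test in this file, so the
    # expected line is built from realm.user_princ -- confirm against
    # the upstream literal.
    accepted_line = 'Accepted connection: "%s"\n' % realm.user_princ
    received_line = 'Received message: "testmsg"\n'

    seen1 = seen2 = False
    while 'expected_code' not in kwargs and not (seen1 and seen2):
        line = server.stdout.readline()
        if line == '':
            # EOF on the server's stdout before both lines were seen.
            fail('gss-server process exited unexpectedly')
        if line == accepted_line:
            seen1 = True
        if line == received_line:
            seen2 = True

    stop_daemon(server)
    return client_output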
def server_client_test(realm, options, server_options):
    """Run gss-server and gss-client once and require a good negotiation.

    The client command must display 'Signature verified.', the output
    expected after a successful negotiation.
    """
    success_marker = 'Signature verified.'
    run_client_server(realm, options, server_options,
                      expected_msg=success_marker)
def ccache_savefile(realm):
    """Return the path of the file holding a copy of the user's initial
    credentials; it is placed directly in the realm's test directory."""
    save_name = 'ccache.copy'
    return os.path.join(realm.testdir, save_name)
def ccache_save(realm):
    """Move the user's initial credentials into the save file.

    This is a rename, not a copy: realm.ccache no longer exists
    afterwards until ccache_restore() copies the saved file back.
    """
    saved_path = ccache_savefile(realm)
    os.rename(realm.ccache, saved_path)
def ccache_restore(realm):
    """Copy the user's initial credentials from the save file into the
    realm's ccache, leaving the save file in place for later restores."""
    source, target = ccache_savefile(realm), realm.ccache
    shutil.copyfile(source, target)
def tgs_test(realm, options, server_options=[]):
    """Perform a regular (TGS path) test of the server and client.

    The ccache is first reset from the save file, then one successful
    client/server exchange is required, and finally realm.klist() is
    called with the user and host principals.
    """
    # server_options is only read on the way down (it is concatenated
    # into a new list), so the shared default list is never modified.
    ccache_restore(realm)
    server_client_test(realm, options=options, server_options=server_options)
    # presumably checks that the cache now lists a host ticket for the
    # user -- confirm against k5test's klist()
    client_princ, service_princ = realm.user_princ, realm.host_princ
    realm.klist(client_princ, service_princ)
def pw_test(realm, options, server_options=[]):
    """Test the server and client with initial credentials obtained
    through gss_acquire_cred_with_password().

    Any existing ccache file is deleted first.  After a successful
    exchange the test fails if a ccache file exists again, i.e. the
    password-acquired credentials must not have been written to the
    ccache.
    """
    if os.path.exists(realm.ccache):
        os.remove(realm.ccache)
    # With IAKERB, pass only the part before '@' so that IAKERB realm
    # discovery is used; otherwise pass the full principal name.
    user = (realm.user_princ.split('@')[0] if '-iakerb' in options
            else realm.user_princ)
    # NOTE(review): '-pass' puts the password on gss-client's command
    # line, where other local processes can typically read it.  That is
    # tolerable for a throwaway test-realm password; it is not a pattern
    # to reuse with real credentials.
    password_args = ['-user', user, '-pass', password('user')]
    options = options + password_args
    server_client_test(realm, options, server_options)
    if os.path.exists(realm.ccache):
        fail('gss_acquire_cred_with_password created ccache')
def wrong_pw_test(realm, options, server_options=[], iakerb=False):
    """Run the exchange with a wrong password and check where it fails.

    The client is run with expected_code=1 and must report a GSS-API
    error in the expected operation: gss_init_sec_context()
    ('initializing context') when iakerb is true,
    gss_acquire_cred_with_password() ('acquiring creds') otherwise.
    Because expected_code is given, run_client_server() does not wait
    for the server's acceptance log lines.
    """
    if iakerb:
        failed_op = 'initializing context'
    else:
        failed_op = 'acquiring creds'
    bad_creds = ['-user', realm.user_princ, '-pass', 'wrongpw']
    run_client_server(realm, options + bad_creds, server_options,
                      expected_code=1,
                      expected_msg='GSS-API error ' + failed_op)
def kt_test(realm, options, server_options=[]):
    """Test the server and client with initial credentials obtained
    with the client keytab.

    The ccache file is deleted first, so no cached credentials are
    available when the client starts.  After a successful exchange,
    realm.klist() is called with the user and host principals.
    """
    cache_present = os.path.exists(realm.ccache)
    if cache_present:
        os.remove(realm.ccache)
    server_client_test(realm, options=options, server_options=server_options)
    # presumably confirms that keytab-acquired credentials ended up in
    # the ccache -- confirm against k5test's klist()
    client_princ, service_princ = realm.user_princ, realm.host_princ
    realm.klist(client_princ, service_princ)
for realm in multipass_realms():
    # (client options, server options) for each variant, in run order.
    # '-dce' tests the default (i.e., krb5) mechanism with
    # GSS_C_DCE_STYLE.  None of the test helpers modifies these lists.
    variants = (
        (['-krb5'], []),
        (['-spnego'], []),
        (['-iakerb'], ['-iakerb']),
        (['-dce'], []),
    )

    ccache_save(realm)

    mark('TGS')
    for client_opts, server_opts in variants:
        tgs_test(realm, client_opts, server_opts)

    mark('AP')
    # Re-save the ccache as the TGS runs left it.
    # NOTE(review): presumably it now already holds the host service
    # ticket, so the repeated runs skip the TGS exchange -- confirm.
    ccache_save(realm)
    for client_opts, server_opts in variants:
        tgs_test(realm, client_opts, server_opts)

    mark('pw')
    for client_opts, server_opts in variants:
        pw_test(realm, client_opts, server_opts)

    mark('wrong pw')
    for client_opts, server_opts in variants:
        # Only the IAKERB variant is expected to fail while initializing
        # the context rather than while acquiring credentials.
        wrong_pw_test(realm, client_opts, server_opts,
                      '-iakerb' in client_opts)

    mark('client keytab')
    realm.extract_keytab(realm.user_princ, realm.client_keytab)
    for client_opts, server_opts in variants:
        kt_test(realm, client_opts, server_opts)

success('GSS sample application')