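# Copyright (C) 2011 by the Massachusetts Institute of Technology.
# All rights reserved.

# Export of this software from the United States of America may
# require a specific license from the United States Government.
# It is the responsibility of any person or organization contemplating
# export to obtain such a license before exporting.
#
# WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
# distribute this software and its documentation for any purpose and
# without fee is hereby granted, provided that the above copyright
# notice appear in all copies and that both that copyright notice and
# this permission notice appear in supporting documentation, and that
# the name of M.I.T. not be used in advertising or publicity pertaining
# to distribution of the software without specific, written prior
# permission. Furthermore if you modify this software you must label
# your software as modified software and not distribute it in such a
# fashion that it might be confused with the original M.I.T. software.
# M.I.T. makes no representations about the suitability of
# this software for any purpose. It is provided "as is" without express
# or implied warranty.

"""GSSAPI initiator credential selection tests.

Drives ./t_ccselect against two independent test realms that share one
DIR: credential collection, and checks which credential is chosen as the
initiator for a given target: an explicitly named client principal, the
target's realm, the fallback realm derived from the target hostname, the
primary cache, and finally .k5identity rules.  Picking the wrong
credential here would mean authenticating to a service with an identity
the caller did not intend, so every selection is checked exactly.
"""

from k5test import *

# Create two independent realms (no cross-realm TGTs). For the
# fallback realm tests we need to control the precise server hostname,
# so turn off DNS canonicalization and shortname qualification.
conf = {'libdefaults': {'dns_canonicalize_hostname': 'false',
                        'qualify_shortname': ''}}
r1 = K5Realm(create_user=False, krb5_conf=conf)
r2 = K5Realm(create_user=False, krb5_conf=conf, realm='KRBTEST2.COM',
             portbase=62000, testdir=os.path.join(r1.testdir, 'r2'))

host1 = 'p:' + r1.host_princ
host2 = 'p:' + r2.host_princ
foo = 'foo.krbtest.com'
foo2 = 'foo.krbtest2.com'
foobar = "foo.bar.krbtest.com"

# These strings specify the target as a GSS name. The resulting
# principal will have the host-based type, with the referral realm
# (since k5test realms have no domain-realm mapping by default).
# krb5_cc_select() will use the fallback realm, which is either the
# uppercased parent domain, or the default realm if the hostname is a
# single component.
gssserver = 'h:host@' + foo
gssserver2 = 'h:host@' + foo2
gssserver_bar = 'h:host@' + foobar
gsslocal = 'h:host@localhost'

# refserver specifies the target as a principal in the referral realm.
# The principal won't be treated as a host principal by the
# .k5identity rules since it has unknown type.
refserver = 'p:host/' + hostname + '@'


def check_initiator(realm, args, princ, msg):
    """Run ./t_ccselect with *args* in *realm* and check the chosen initiator.

    The program is expected to print exactly *princ* followed by a newline;
    any other output (including a different principal) calls fail(*msg*).
    """
    output = realm.run(['./t_ccselect'] + args)
    if output != (princ + '\n'):
        fail(msg)


# Verify that we can't get initiator creds with no credentials in the
# collection.
r1.run(['./t_ccselect', host1, '-'], expected_code=1,
       expected_msg='No Kerberos credentials available')

# Make a directory collection and use it for client commands in both realms.
ccdir = os.path.join(r1.testdir, 'cc')
ccname = 'DIR:' + ccdir
r1.env['KRB5CCNAME'] = ccname
r2.env['KRB5CCNAME'] = ccname

# Use .k5identity from testdir and not from the tester's homedir.
r1.env['HOME'] = r1.testdir
r2.env['HOME'] = r1.testdir

# Create two users in r1 and one in r2.  The principal names are built
# from the realm objects so they cannot drift from the realm configuration.
alice = 'alice@' + r1.realm
bob = 'bob@' + r1.realm
zaphod = 'zaphod@' + r2.realm
r1.addprinc(alice, password('alice'))
r1.addprinc(bob, password('bob'))
r2.addprinc(zaphod, password('zaphod'))

# Create host principals and keytabs for fallback realm tests.
# host/localhost is only added when the test host is not itself
# "localhost" (presumably because the realms already hold a host
# principal for their own hostname -- confirm in k5test).
if hostname != 'localhost':
    r1.addprinc('host/localhost')
    r2.addprinc('host/localhost')
r1.addprinc('host/' + foo)
r2.addprinc('host/' + foo2)
r1.addprinc('host/' + foobar)
r1.extract_keytab('host/localhost', r1.keytab)
r2.extract_keytab('host/localhost', r2.keytab)
r1.extract_keytab('host/' + foo, r1.keytab)
r2.extract_keytab('host/' + foo2, r2.keytab)
r1.extract_keytab('host/' + foobar, r1.keytab)

# Get tickets for one user in each realm (zaphod will be primary).
r1.kinit(alice, password('alice'))
r2.kinit(zaphod, password('zaphod'))

# Check that we can find a cache for a specified client principal.
check_initiator(r1, [host1, 'p:' + alice], alice,
                'alice not chosen when specified')
check_initiator(r2, [host2, 'p:' + zaphod], zaphod,
                'zaphod not chosen when specified')

# Check that we can guess a cache based on the service realm.
check_initiator(r1, [host1], alice,
                'alice not chosen as default initiator cred for server in r1')
check_initiator(r1, [host1, '-'], alice,
                'alice not chosen as default initiator name for server in r1')
check_initiator(r2, [host2], zaphod,
                'zaphod not chosen as default initiator cred for server in r2')
check_initiator(r2, [host2, '-'], zaphod,
                'zaphod not chosen as default initiator name for server in r2')

# Check that primary cache is used if server realm is unknown.
check_initiator(r2, [refserver], zaphod,
                'zaphod not chosen via primary cache for unknown server realm')
# Selecting for a host in r2's domain from r1's environment is expected
# to fail (exit status 1).
r1.run(['./t_ccselect', gssserver2], expected_code=1)

# Check ccache selection using a fallback realm.
check_initiator(r1, [gssserver], alice,
                'alice not chosen via parent domain fallback')
check_initiator(r2, [gssserver2], zaphod,
                'zaphod not chosen via parent domain fallback')
# Check ccache selection using a fallback realm (default realm).
check_initiator(r1, [gsslocal], alice,
                'alice not chosen via default realm fallback')
check_initiator(r2, [gsslocal], zaphod,
                'zaphod not chosen via default realm fallback')

# Check that realm ccselect fallback works correctly: obtaining zaphod's
# ticket again in between must not change the choice for an r1 host.
r1.run(['./t_ccselect', gssserver_bar], expected_msg=alice)
r2.kinit(zaphod, password('zaphod'))
r1.run(['./t_ccselect', gssserver_bar], expected_msg=alice)

# Get a second cred in r1 (bob will be primary).
r1.kinit(bob, password('bob'))

# Try some cache selections using .k5identity.  The file lives in the
# test directory (HOME was pointed there above), so the tester's own
# rules are never consulted.
with open(os.path.join(r1.testdir, '.k5identity'), 'w') as k5id:
    k5id.write('%s realm=%s\n' % (alice, r1.realm))
    k5id.write('%s service=ho*t host=localhost\n' % zaphod)
    k5id.write('noprinc service=bogus')
check_initiator(r1, [host1], alice,
                'alice not chosen via .k5identity realm line.')
check_initiator(r2, [gsslocal], zaphod,
                'zaphod not chosen via .k5identity service/host line.')
check_initiator(r1, [refserver], bob,
                'bob not chosen via primary cache when no .k5identity line matches.')
# A rule naming a principal that does not exist in the collection must be
# reported as an error rather than silently falling back to another cred.
r1.run(['./t_ccselect', 'h:bogus@' + foo2], expected_code=1,
       expected_msg="Can't find client principal noprinc")

success('GSSAPI credential selection tests')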