GitHub Repository: freebsd/freebsd-src
Path: blob/main/crypto/krb5/src/tests/gssapi/t_credstore.py
from k5test import *
realm = K5Realm()

mark('gss_store_cred_into() and ccache/keytab')
# A dedicated service principal gets its key extracted into a keytab in
# the test directory.  The credential store handed to t_credstore names
# that keytab plus a FILE: ccache in the same directory.
service_cs = 'service/cs@%s' % realm.realm
servicekeytab = os.path.join(realm.testdir, 'kt')
storagecache = 'FILE:' + os.path.join(realm.testdir, 'user_store')
realm.addprinc(service_cs)
realm.extract_keytab(service_cs, servicekeytab)
# Keytab-based kinit: None is passed where the other argument would go,
# and the key comes from servicekeytab via -k -t.
realm.kinit(service_cs, None, ['-k', '-t', servicekeytab])
# Trace lines the run must emit: the credential is stored in a MEMORY:
# ccache, that ccache is moved, and the service key is read from the
# keytab file.
msgs = (
    'Storing %s -> %s in MEMORY:' % (service_cs, realm.krbtgt_princ),
    'Moving ccache MEMORY:',
    'Retrieving %s from FILE:%s' % (service_cs, servicekeytab),
)
store_args = ['./t_credstore', '-s', 'p:' + service_cs,
              'ccache', storagecache,
              'keytab', servicekeytab]
realm.run(store_args, expected_trace=msgs)
mark('matching')
# Put host-principal credentials (from the realm keytab, -k) into a
# separate FILE: ccache, then check which desired names that ccache is
# allowed to satisfy.
scc = 'FILE:' + os.path.join(realm.testdir, 'service_cache')
realm.kinit(realm.host_princ, flags=['-k', '-c', scc])

# Desired names that must be accepted for the credentials in scc.
# NOTE(review): the p:/h: prefixes appear to select principal vs.
# host-based name import in t_credstore -- confirm against the helper.
for desired_name in ('p:' + realm.host_princ,
                     'h:host',
                     'h:host@' + hostname):
    realm.run(['./t_credstore', '-i', desired_name, 'ccache', scc])

# Desired names that must be refused: a different principal, a host
# that cannot match, and a different service.  A ccache holding one
# identity must not be handed out under another name.
for desired_name in ('p:wrong', 'h:host@-nomatch-', 'h:svc'):
    realm.run(['./t_credstore', '-i', desired_name, 'ccache', scc],
              expected_code=1,
              expected_msg='does not match desired name')
mark('matching (fallback)')
# Only meaningful when the local hostname canonicalizes to something
# different; otherwise the fallback path cannot be told apart from the
# plain matching test above and the section is reported as skipped.
canonname = canonicalize_hostname(hostname)
if canonname == hostname:
    skipped('fallback matching test',
            '%s does not canonicalize to a different name' % hostname)
else:
    # Create a host principal for the canonical name and replace the
    # contents of scc with credentials for it.
    canonprinc = 'host/%s@%s' % (canonname, realm.realm)
    realm.addprinc(canonprinc)
    realm.extract_keytab(canonprinc, realm.keytab)
    realm.kinit(canonprinc, flags=['-k', '-c', scc])

    # Host-based names given with either spelling of the host, and the
    # canonical principal itself, must all match the cached credentials.
    for desired_name in ('h:host',
                         'h:host@' + hostname,
                         'h:host@' + canonname,
                         'p:' + canonprinc):
        realm.run(['./t_credstore', '-i', desired_name, 'ccache', scc])

    # The non-canonical principal named exactly, and an unrelated host,
    # must still be refused: the fallback does not widen exact
    # principal matching.
    for desired_name in ('p:' + realm.host_princ, 'h:host@-nomatch-'):
        realm.run(['./t_credstore', '-i', desired_name, 'ccache', scc],
                  expected_code=1,
                  expected_msg='does not match desired name')
mark('rcache')
# With -r, t_credstore is expected to fail with a replay error from the
# second gss_accept_sec_context() call.  Pointing the credential store's
# rcache at "none:" makes the same run succeed, i.e. that setting turns
# off the acceptor's replay detection for those credentials.
replay_base = ('./t_credstore', '-r', '-a', 'p:' + realm.host_princ)
realm.run(list(replay_base),
          expected_code=1,
          expected_msg='gss_accept_sec_context(2): Request is a replay')
realm.run(list(replay_base) + ['rcache', 'none:'])
# Exercise the "password" credential store key.
mark('password')
user_name = 'u:' + realm.user_princ
# Combinations that must be rejected, each paired with the error text
# the run has to produce.
rejected_cases = (
    # A password is only usable together with a desired name.
    (['./t_credstore', '-i', '', 'password', 'pw'],
     'An invalid name was supplied'),
    # A password may not be combined with a client keytab.
    (['./t_credstore', '-i', user_name,
      'password', 'pw', 'client_keytab', servicekeytab],
     'Credential usage type is unknown'),
    # A password may not be combined with a ccache.
    (['./t_credstore', '-i', user_name,
      'password', 'pw', 'ccache', storagecache],
     'Credential usage type is unknown'),
    # A password is only valid when acquiring initiator credentials
    # (this case passes -a instead of -i).
    (['./t_credstore', '-a', user_name, 'password', 'pw'],
     'Credential usage type is unknown'),
)
for bad_args, bad_msg in rejected_cases:
    realm.run(bad_args, expected_code=1, expected_msg=bad_msg)

# Positive case: the expected trace shows initial credentials being
# obtained, stored in a MEMORY: ccache, and that ccache being destroyed.
# NOTE(review): the password is passed in argv here; password('user')
# presumably returns a throwaway test-realm password -- confirm in
# k5test.
msgs = (
    'Getting initial credentials for %s' % realm.user_princ,
    'Storing %s -> %s in MEMORY:' % (realm.user_princ, realm.krbtgt_princ),
    'Destroying ccache MEMORY:',
)
good_args = ['./t_credstore', '-i', 'u:' + realm.user_princ,
             'password', password('user')]
realm.run(good_args, expected_trace=msgs)
mark('verify')


def _verify_cmd():
    """Build the t_credstore command for a password acquisition with the
    'verify' key naming service_cs and its keytab."""
    return ['./t_credstore', '-i', 'u:' + realm.user_princ,
            'password', password('user'),
            'keytab', servicekeytab,
            'verify', service_cs]


# With 'verify', the expected trace shows a service ticket for
# service_cs being fetched and stored after the initial credentials.
msgs = (
    'Getting initial credentials for %s' % realm.user_princ,
    'Storing %s -> %s in MEMORY:' % (realm.user_princ, realm.krbtgt_princ),
    'Getting credentials %s -> %s' % (realm.user_princ, service_cs),
    'Storing %s -> %s in MEMORY:' % (realm.user_princ, service_cs),
)
realm.run(_verify_cmd(), expected_trace=msgs)

# Negative case: give the service a new random key in the KDC database
# while servicekeytab still holds the old one.  The ticket can then no
# longer be decrypted with the keytab key and verification must fail
# instead of accepting the initial credentials.
# NOTE(review): resetting the kvno to 1 presumably keeps the stale
# keytab entry selected by kvno -- confirm.
realm.run([kadminl, 'cpw', '-randkey', service_cs])
realm.run([kadminl, 'modprinc', '-kvno', '1', service_cs])
errmsg = 'Cannot decrypt ticket for %s' % service_cs
realm.run(_verify_cmd(), expected_code=1, expected_msg=errmsg)

success('Credential store tests')