1
# Copyright (C) 2011 by the Massachusetts Institute of Technology.
2
# All rights reserved.
3

4
# Export of this software from the United States of America may
5
#   require a specific license from the United States Government.
6
#   It is the responsibility of any person or organization contemplating
7
#   export to obtain such a license before exporting.
8
#
9
# WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
10
# distribute this software and its documentation for any purpose and
11
# without fee is hereby granted, provided that the above copyright
12
# notice appear in all copies and that both that copyright notice and
13
# this permission notice appear in supporting documentation, and that
14
# the name of M.I.T. not be used in advertising or publicity pertaining
15
# to distribution of the software without specific, written prior
16
# permission.  Furthermore if you modify this software you must label
17
# your software as modified software and not distribute it in such a
18
# fashion that it might be confused with the original M.I.T. software.
19
# M.I.T. makes no representations about the suitability of
20
# this software for any purpose.  It is provided "as is" without express
21
# or implied warranty.
22

23
from k5test import *
24
import tempfile
25

26
socketdir = tempfile.TemporaryDirectory()
27
kcm_socket_path = os.path.join(socketdir.name, 'kcm')
28
conf = {'libdefaults': {'kcm_socket': kcm_socket_path,
29
                        'kcm_mach_service': '-'}}
30
realm = K5Realm(krb5_conf=conf)
31

32
realm.addprinc('contest')
33
realm.extract_keytab('contest', realm.keytab)
34
realm.run(['./conccache', realm.ccache + '.contest', 'contest',
35
           realm.host_princ])
36

37
keyctl = which('keyctl')
38
out = realm.run([klist, '-c', 'KEYRING:process:abcd'], expected_code=1)
39
test_keyring = (keyctl is not None and
40
                'Unknown credential cache type' not in out)
41
if not test_keyring:
42
    skipped('keyring ccache tests', 'keyring support not built')
43

44
# Test kdestroy and klist of a non-existent ccache.
45
mark('no ccache')
46
realm.run([kdestroy])
47
realm.run([klist], expected_code=1, expected_msg='No credentials cache found')
48

49
# Test kinit with an inaccessible ccache.
50
mark('inaccessible ccache')
51
realm.kinit(realm.user_princ, password('user'), flags=['-c', 'testdir/xx/yy'],
52
            expected_code=1, expected_msg='Failed to store credentials')
53

54
# Test klist -s with a single ccache.
55
mark('klist -s single ccache')
56
realm.run([klist, '-s'], expected_code=1)
57
realm.kinit(realm.user_princ, password('user'))
58
realm.run([klist, '-s'])
59
realm.kinit(realm.user_princ, password('user'), ['-l', '-10s'])
60
realm.run([klist, '-s'], expected_code=1)
61
realm.kinit(realm.user_princ, password('user'), ['-S', 'kadmin/admin'])
62
realm.run([klist, '-s'])
63
realm.run([kdestroy])
64
realm.run([klist, '-s'], expected_code=1)
65

66
realm.addprinc('alice', password('alice'))
67
realm.addprinc('bob', password('bob'))
68
realm.addprinc('carol', password('carol'))
69
realm.addprinc('doug', password('doug'))
70

71
def collection_test(realm, ccname):
72
    cctype = ccname.partition(':')[0]
73
    oldccname = realm.env['KRB5CCNAME']
74
    realm.env['KRB5CCNAME'] = ccname
75

76
    mark('%s collection, single cache' % cctype)
77
    realm.run([klist, '-A', '-s'], expected_code=1)
78
    realm.kinit('alice', password('alice'))
79
    realm.run([klist], expected_msg='Default principal: alice@')
80
    realm.run([klist, '-A', '-s'])
81
    realm.run([kvno, realm.host_princ], expected_msg = 'kvno = 1')
82
    realm.run([kvno, realm.host_princ], expected_msg = 'kvno = 1')
83
    out = realm.run([klist])
84
    if out.count(realm.host_princ) != 1:
85
        fail('Wrong number of service tickets in cache')
86
    realm.run([kdestroy])
87
    output = realm.run([klist], expected_code=1)
88
    if 'No credentials cache' not in output and 'not found' not in output:
89
        fail('Initial kdestroy failed to destroy primary cache.')
90
    output = realm.run([klist, '-l'], expected_code=1)
91
    if not output.endswith('---\n') or output.count('\n') != 2:
92
        fail('Initial kdestroy failed to empty cache collection.')
93
    realm.run([klist, '-A', '-s'], expected_code=1)
94

95
    mark('%s collection, multiple caches' % cctype)
96
    realm.kinit('alice', password('alice'))
97
    realm.kinit('carol', password('carol'))
98
    output = realm.run([klist, '-l'])
99
    if '---\ncarol@' not in output or '\nalice@' not in output:
100
        fail('klist -l did not show expected output after two kinits.')
101
    realm.kinit('alice', password('alice'))
102
    output = realm.run([klist, '-l'])
103
    if '---\nalice@' not in output or output.count('\n') != 4:
104
        fail('klist -l did not show expected output after re-kinit for alice.')
105
    realm.kinit('doug', password('doug'))
106
    realm.kinit('bob', password('bob'))
107
    output = realm.run([klist, '-A', ccname])
108
    if 'bob@' not in output.splitlines()[1] or 'alice@' not in output or \
109
       'carol@' not in output or 'doug@' not in output or \
110
       output.count('Default principal:') != 4:
111
        fail('klist -A did not show expected output after kinit doug+bob.')
112
    realm.run([kswitch, '-p', 'carol'])
113
    output = realm.run([klist, '-l'])
114
    if '---\ncarol@' not in output or output.count('\n') != 6:
115
        fail('klist -l did not show expected output after kswitch to carol.')
116

117
    # Switch to specifying the collection name on the command line
118
    # (only works with klist/kdestroy for now, not kinit/kswitch).
119
    realm.env['KRB5CCNAME'] = oldccname
120

121
    mark('%s collection, command-line specifier' % cctype)
122
    realm.run([kdestroy, '-c', ccname])
123
    output = realm.run([klist, '-l', ccname])
124
    if 'carol@' in output or 'bob@' not in output or output.count('\n') != 5:
125
        fail('kdestroy failed to remove only primary ccache.')
126
    realm.run([klist, '-s', ccname], expected_code=1)
127
    realm.run([klist, '-A', '-s', ccname])
128
    realm.run([kdestroy, '-p', 'alice', '-c', ccname])
129
    output = realm.run([klist, '-l', ccname])
130
    if 'alice@' in output or 'bob@' not in output or output.count('\n') != 4:
131
        fail('kdestroy -p failed to remove alice')
132
    realm.run([kdestroy, '-A', '-c', ccname])
133
    output = realm.run([klist, '-l', ccname], expected_code=1)
134
    if not output.endswith('---\n') or output.count('\n') != 2:
135
        fail('kdestroy -a failed to empty cache collection.')
136
    realm.run([klist, '-A', '-s', ccname], expected_code=1)
137

138

139
collection_test(realm, 'DIR:' + os.path.join(realm.testdir, 'cc'))
140

141
# Test KCM with and without RETRIEVE and GET_CRED_LIST support.
142
kcmserver_path = os.path.join(srctop, 'tests', 'kcmserver.py')
143
kcmd = realm.start_server([sys.executable, kcmserver_path, kcm_socket_path],
144
                          'starting...')
145
collection_test(realm, 'KCM:')
146
stop_daemon(kcmd)
147
os.remove(kcm_socket_path)
148
realm.start_server([sys.executable, kcmserver_path, '-f', kcm_socket_path],
149
                   'starting...')
150
collection_test(realm, 'KCM:')
151

152
if test_keyring:
153
    def cleanup_keyring(anchor, name):
154
        out = realm.run(['keyctl', 'list', anchor])
155
        if ('keyring: ' + name + '\n') in out:
156
            keyid = realm.run(['keyctl', 'search', anchor, 'keyring', name])
157
            realm.run(['keyctl', 'unlink', keyid.strip(), anchor])
158

159
    # Use realm.testdir as the collection name to avoid conflicts with
160
    # other build trees.
161
    cname = realm.testdir
162
    col_ringname = '_krb_' + cname
163

164
    cleanup_keyring('@s', col_ringname)
165
    collection_test(realm, 'KEYRING:session:' + cname)
166
    cleanup_keyring('@s', col_ringname)
167

168
    # Test legacy keyring cache linkage.
169
    mark('legacy keyring cache linkage')
170
    realm.env['KRB5CCNAME'] = 'KEYRING:' + cname
171
    realm.run([kdestroy, '-A'])
172
    realm.kinit(realm.user_princ, password('user'))
173
    msg = 'KEYRING:legacy:' + cname + ':' + cname
174
    realm.run([klist, '-l'], expected_msg=msg)
175
    # Make sure this cache is linked to the session keyring.
176
    id = realm.run([keyctl, 'search', '@s', 'keyring', cname])
177
    realm.run([keyctl, 'list', id.strip()],
178
              expected_msg='user: __krb5_princ__')
179
    # Remove the collection keyring.  When the collection is
180
    # reinitialized, the legacy cache should reappear inside it
181
    # automatically as the primary cache.
182
    cleanup_keyring('@s', col_ringname)
183
    realm.run([klist], expected_msg=realm.user_princ)
184
    coll_id = realm.run([keyctl, 'search', '@s', 'keyring', '_krb_' + cname])
185
    msg = id.strip() + ':'
186
    realm.run([keyctl, 'list', coll_id.strip()], expected_msg=msg)
187
    # Destroy the cache and check that it is unlinked from the session keyring.
188
    realm.run([kdestroy])
189
    realm.run([keyctl, 'search', '@s', 'keyring', cname], expected_code=1)
190
    cleanup_keyring('@s', col_ringname)
191

192
# Test parameter expansion in default_ccache_name
193
mark('default_ccache_name parameter expansion')
194
realm.stop()
195
conf = {'libdefaults': {'default_ccache_name': 'testdir/%{null}abc%{uid}'}}
196
realm = K5Realm(krb5_conf=conf, create_kdb=False)
197
del realm.env['KRB5CCNAME']
198
uidstr = str(os.getuid())
199
msg = 'testdir/abc%s' % uidstr
200
realm.run([klist], expected_code=1, expected_msg=msg)
201

202
success('Credential cache tests')
203

204