From f43dfa88148724fb8a9543015c69fa1b2b24bb66 Mon Sep 17 00:00:00 2001
From: Greg Hudson
Date: Mon, 1 Apr 2013 12:34:14 -0400
Subject: Add gss_import_cred_from client keytab test

Modify t_credstore.c to be more flexible and adjust t_gssapi.py accordingly. Add a test to t_client_keytab.py which acquire creds using a programmatically specified client keytab.

ticket: 7598
---
 src/tests/gssapi/t_client_keytab.py | 16 +++++--
 src/tests/gssapi/t_credstore.c | 95 +++++++++++++++++++------------------
 src/tests/gssapi/t_gssapi.py | 6 +--
 3 files changed, 63 insertions(+), 54 deletions(-)

diff --git a/src/tests/gssapi/t_client_keytab.py b/src/tests/gssapi/t_client_keytab.py
index 484aacde30..ef27d5e599 100644
--- a/src/tests/gssapi/t_client_keytab.py
+++ b/src/tests/gssapi/t_client_keytab.py
@@ -87,13 +87,21 @@ if int(out) < 1000:
 fail('Credentials apparently not refreshed')
 realm.run([kdestroy])
 
+# Test 11: gss_import_cred_from with client_keytab value
+store_keytab = os.path.join(realm.testdir, 'store_keytab')
+os.rename(realm.client_keytab, store_keytab)
+realm.run(['./t_credstore', '-i', 'p:' + realm.user_princ, 'client_keytab',
+ store_keytab])
+realm.klist(realm.user_princ)
+os.rename(store_keytab, realm.client_keytab)
+
 # Use a cache collection for the remaining tests.
 ccdir = os.path.join(realm.testdir, 'cc')
 ccname = 'DIR:' + ccdir
 os.mkdir(ccdir)
 realm.env['KRB5CCNAME'] = ccname
 
-# Test 11: name specified, matching cache in collection with no creds
+# Test 12: name specified, matching cache in collection with no creds
 bobcache = os.path.join(ccdir, 'tktbob')
 realm.run(['./ccinit', bobcache, bob])
 out = realm.run(['./t_ccselect', phost, pbob])
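Review bot: The new Test 11 comment in t_client_keytab.py names `gss_import_cred_from`, but the t_credstore helper it runs calls gss_acquire_cred_from (visible in the t_credstore.c hunk of this patch), so the comment should read `# Test 11: gss_acquire_cred_from with client_keytab value`. The test would also benefit from a line explaining the rename, e.g. `# Move the client keytab so only the cred store value can locate it.`, since that move is what makes the following klist check meaningful. If realm.run fails, the keytab is presumably left at store_keytab; that is harmless only if the script aborts on failure, which is not visible in this hunk.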
@@ -101,7 +109,7 @@ if bob not in out:
 fail('Authenticated as wrong principal')
 # Leave tickets for next test.
 
-# Test 12: name specified, matching cache in collection, time to refresh
+# Test 13: name specified, matching cache in collection, time to refresh
 realm.run(['./ccrefresh', bobcache, '1'])
 out = realm.run(['./t_ccselect', phost, pbob])
 if bob not in out:
@@ -111,7 +119,7 @@ if int(out) < 1000:
 fail('Credentials apparently not refreshed')
 realm.run([kdestroy, '-A'])
 
-# Test 13: name specified, collection has default for different principal
+# Test 14: name specified, collection has default for different principal
 realm.kinit(realm.user_princ, password('user'))
 out = realm.run(['./t_ccselect', phost, pbob])
 if bob not in out:
@@ -121,7 +129,7 @@ if 'Default principal: %s\n' % realm.user_princ not in out:
 fail('Default cache overwritten by acquire_cred')
 realm.run([kdestroy, '-A'])
 
-# Test 14: name specified, collection has no default cache
+# Test 15: name specified, collection has no default cache
 out = realm.run(['./t_ccselect', phost, pbob])
 if bob not in out:
 fail('Authenticated as wrong principal')
diff --git a/src/tests/gssapi/t_credstore.c b/src/tests/gssapi/t_credstore.c
index 085bc794ec..a5b851dae4 100644
--- a/src/tests/gssapi/t_credstore.c
+++ b/src/tests/gssapi/t_credstore.c
@@ -33,7 +33,7 @@ static void
 usage(void)
 {
 fprintf(stderr,
- "Usage: t_credstore principal [--cred_store {key value} ...]\n");
+ "Usage: t_credstore [-sabi] principal [{key value} ...]\n");
 exit(1);
 }
 
@@ -42,63 +42,66 @@ main(int argc, char *argv[])
 {
 OM_uint32 minor, major;
 gss_key_value_set_desc store;
- gss_buffer_desc buf;
- gss_name_t service = GSS_C_NO_NAME;
+ gss_name_t name;
+ gss_cred_usage_t cred_usage = GSS_C_BOTH;
+ gss_OID_set mechs = GSS_C_NO_OID_SET;
 gss_cred_id_t cred = GSS_C_NO_CREDENTIAL;
- int i, e;
-
- if (argc < 2 || ((argc - 3) % 2))
- usage();
-
- store.count = (argc - 3) / 2;
- store.elements = calloc(store.count,
- sizeof(struct gss_key_value_element_struct));
- if (!store.elements) {
- fprintf(stderr, "OOM\n");
- exit(1);
+ krb5_boolean store_creds = FALSE;
+ char opt;
+
+ /* Parse options. */
+ for (argv++; *argv != NULL && **argv == '-'; argv++) {
+ opt = (*argv)[1];
+ if (opt == 's')
+ store_creds = TRUE;
+ else if (opt == 'a')
+ cred_usage = GSS_C_ACCEPT;
+ else if (opt == 'b')
+ cred_usage = GSS_C_BOTH;
+ else if (opt == 'i')
+ cred_usage = GSS_C_INITIATE;
+ else
+ usage();
 }
 
- if (argc > 2) {
- if (strcmp(argv[2], "--cred_store") != 0)
+ /* Get the principal name. */
+ if (*argv == NULL)
+ usage();
+ name = import_name(*argv++);
+
+ /* Put any remaining arguments into the store. */
+ store.elements = calloc(argc, sizeof(struct gss_key_value_element_struct));
+ if (!store.elements)
+ errout("OOM");
+ store.count = 0;
+ while (*argv != NULL) {
+ if ((*argv + 1) == NULL)
 usage();
-
- for (i = 3, e = 0; i < argc; i += 2, e++) {
- store.elements[e].key = argv[i];
- store.elements[e].value = argv[i + 1];
- continue;
- }
+ store.elements[store.count].key = *argv;
+ store.elements[store.count].value = *(argv + 1);
+ store.count++;
+ argv += 2;
 }
 
- /* First acquire default creds and try to store them in the cred store. */
-
- major = gss_acquire_cred(&minor, GSS_C_NO_NAME, 0, GSS_C_NO_OID_SET,
- GSS_C_INITIATE, &cred, NULL, NULL);
- check_gsserr("gss_acquire_cred", major, minor);
+ if (store_creds) {
+ /* Acquire default creds and try to store them in the cred store. */
+ major = gss_acquire_cred(&minor, GSS_C_NO_NAME, 0, GSS_C_NO_OID_SET,
+ GSS_C_INITIATE, &cred, NULL, NULL);
+ check_gsserr("gss_acquire_cred", major, minor);
 
- major = gss_store_cred_into(&minor, cred, GSS_C_INITIATE,
- GSS_C_NO_OID, 1, 0, &store, NULL, NULL);
- check_gsserr("gss_store_cred_into", major, minor);
+ major = gss_store_cred_into(&minor, cred, GSS_C_INITIATE,
+ GSS_C_NO_OID, 1, 0, &store, NULL, NULL);
+ check_gsserr("gss_store_cred_into", major, minor);
 
- gss_release_cred(&minor, &cred);
-
- /* Then try to acquire creds from store. */
-
- buf.value = argv[1];
- buf.length = strlen(argv[1]);
-
- major = gss_import_name(&minor, &buf,
- (gss_OID)GSS_KRB5_NT_PRINCIPAL_NAME,
- &service);
- check_gsserr("gss_import_name", major, minor);
+ gss_release_cred(&minor, &cred);
+ }
 
- major = gss_acquire_cred_from(&minor, service,
- 0, GSS_C_NO_OID_SET, GSS_C_BOTH,
+ /* Try to acquire creds from store. */
+ major = gss_acquire_cred_from(&minor, name, 0, mechs, cred_usage,
 &store, &cred, NULL, NULL);
 check_gsserr("gss_acquire_cred_from", major, minor);
 
- fprintf(stdout, "Cred Store Success\n");
-
- gss_release_name(&minor, &service);
+ gss_release_name(&minor, &name);
 gss_release_cred(&minor, &cred);
 free(store.elements);
 return 0;
diff --git a/src/tests/gssapi/t_gssapi.py b/src/tests/gssapi/t_gssapi.py
index 5f1d5d1ff5..de778cc910 100755
--- a/src/tests/gssapi/t_gssapi.py
+++ b/src/tests/gssapi/t_gssapi.py
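Review bot: In main() of t_credstore.c, the odd-argument guard `if ((*argv + 1) == NULL)` adds 1 to the string pointer rather than to argv, so it is never true for a non-NULL `*argv`. A trailing key with no value is therefore stored with a NULL value, and `argv += 2` then steps past argv's terminating NULL. The check should read `if (*(argv + 1) == NULL)`. Separately, the option loop inspects only `(*argv)[1]`, so a combined flag such as `-si` is silently treated as `-s` although the usage string advertises `[-sabi]`; rejecting options where `(*argv)[2] != '\0'` would make the accepted form explicit.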
@@ -85,10 +85,8 @@ service_cs = 'service/cs@%s' % realm.realm
 realm.addprinc(service_cs)
 realm.extract_keytab(service_cs, servicekeytab)
 realm.kinit(service_cs, None, ['-k', '-t', servicekeytab])
-output = realm.run(['./t_credstore', service_cs, '--cred_store',
- 'ccache', storagecache, 'keytab', servicekeytab])
-if 'Cred Store Success' not in output:
- fail('Expected test to succeed')
+realm.run(['./t_credstore', '-s', 'p:' + service_cs, 'ccache', storagecache,
+ 'keytab', servicekeytab])
 
 # Verify that we can't acquire acceptor creds without a keytab.
 os.remove(realm.keytab)
-- cgit
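Review bot: With the `'Cred Store Success' not in output` check removed, this t_gssapi.py call passes or fails purely on t_credstore's exit status, and nothing in the hunk confirms that `-s` actually wrote credentials into storagecache. Assuming realm.run raises on a nonzero exit (its definition is outside this diff), GSS errors reported through check_gsserr are still caught, but the intent is no longer visible at the call site. A short comment would restore it, e.g. `# -s: store default creds into the cred store, then acquire from it; failure is signaled by exit status.`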