diff options
| author | Greg Hudson <ghudson@mit.edu> | 2013-01-08 15:20:45 -0500 |
|---|---|---|
| committer | Greg Hudson <ghudson@mit.edu> | 2013-01-09 15:35:43 -0500 |
| commit | 0780e46fc13dbafa177525164997cd204cc50b51 (patch) | |
| tree | eacb2400a78bfab43bbc95cb8ab3055498da881b /src/lib/kadm5/unit-test/api.current | |
| parent | 090f561c631db7e4970b71cbe1426d636c39c77a (diff) | |
| download | krb5-0780e46fc13dbafa177525164997cd204cc50b51.tar.gz krb5-0780e46fc13dbafa177525164997cd204cc50b51.tar.xz krb5-0780e46fc13dbafa177525164997cd204cc50b51.zip | |
Allow principals to refer to nonexistent policies
Stop using and maintaining the policy_refcnt field, and do not try to
prevent deletion of a policy which is still referenced by principals.
Instead, allow principals to refer to policy names which do not exist
as policy objects; treat those principals as having no associated
policy.
In the kadmin client, warn if addprinc or modprinc tries to reference
a policy which doesn't exist, since the server will no longer error
out in this case.
ticket: 7385
Diffstat (limited to 'src/lib/kadm5/unit-test/api.current')
4 files changed, 7 insertions, 447 deletions
diff --git a/src/lib/kadm5/unit-test/api.current/crte-principal.exp b/src/lib/kadm5/unit-test/api.current/crte-principal.exp index 774e20414a..52dda78a38 100644 --- a/src/lib/kadm5/unit-test/api.current/crte-principal.exp +++ b/src/lib/kadm5/unit-test/api.current/crte-principal.exp @@ -536,11 +536,11 @@ proc test21 {} { perror "$test: unexpected failure in init" return } - one_line_fail_test [format { + one_line_succeed_test [format { kadm5_create_principal $server_handle \ [princ_w_pol "%s/a" non-existant-pol] \ {KADM5_PRINCIPAL KADM5_POLICY} NotinTheDictionary - } $test] "UNK_POLICY" + } $test] if { ! [cmd {kadm5_destroy $server_handle}]} { perror "$test: unexpected failure in destroy" return diff --git a/src/lib/kadm5/unit-test/api.current/dlte-policy.exp b/src/lib/kadm5/unit-test/api.current/dlte-policy.exp index cecb5c3be6..4ba40fd496 100644 --- a/src/lib/kadm5/unit-test/api.current/dlte-policy.exp +++ b/src/lib/kadm5/unit-test/api.current/dlte-policy.exp @@ -181,8 +181,9 @@ proc test12 {} { perror "$test: unexpected failure in init" return } - one_line_fail_test \ - {kadm5_delete_policy $server_handle test-pol} "POLICY_REF" + one_line_succeed_test [format { + kadm5_delete_policy $server_handle "%s/a" + } $test] if { ! [cmd {kadm5_destroy $server_handle}]} { perror "$test: unexpected failure in destroy" return diff --git a/src/lib/kadm5/unit-test/api.current/dlte-principal.exp b/src/lib/kadm5/unit-test/api.current/dlte-principal.exp index f6d267fae2..6604685346 100644 --- a/src/lib/kadm5/unit-test/api.current/dlte-principal.exp +++ b/src/lib/kadm5/unit-test/api.current/dlte-principal.exp @@ -236,82 +236,6 @@ proc test11 {} { } test11 -test "delete-principal 12" -proc test12 {} { - global test - global prompt - - if {! (( [principal_exists "$test/a"]) || - [create_principal_pol "$test/a" test-pol])} { - error_and_restart "$test: couldn't delete principal \"$test/a\"" - return - } - if {! [cmd { - kadm5_init admin admin $KADM5_ADMIN_SERVICE null \ - $KADM5_STRUCT_VERSION $KADM5_API_VERSION_3 \ - server_handle - }]} { - perror "$test: unexpected failure in init" - return - } - if { ! [cmd {kadm5_get_policy $server_handle test-pol p1}]} { - perror "$test: unexpected failure on get policy" - return - } - if { ! [cmd [format { - kadm5_delete_principal $server_handle "%s/a" - } $test]]} { - fail "$test: delete failed" - return - } - if { [cmd [format { - kadm5_get_principal $server_handle "%s/a" p KADM5_PRINCIPAL_NORMAL_MASK - } $test]]} { - fail "$test: principal still exists" - return - } - if { ! [cmd {kadm5_get_policy $server_handle test-pol p2}]} { - perror "$test: unexpected failure on get policy" - return - } - send "lindex \$p1 6\n" - expect { - -re "(\[0-9\]+)\n$prompt$" {set oldref $expect_out(1,string) } - timeout { - error_and_restart "$test: timeout getting principal kvno (second time)" - return - } - eof { - error_and_restart "$test: eof getting principal kvno (second time)" - return - } - } - - send "lindex \$p2 6\n" - expect { - -re "(\[0-9\]+)\n$prompt$" {set newref $expect_out(1,string) } - timeout { - error_and_restart "$test: timeout getting principal kvno (second time)" - return - } - eof { - error_and_restart "$test: eof getting principal kvno (second time)" - return - } - } - if { [expr "$oldref - 1"] != $newref } { - fail "$test: policy reference count is wrong" - return; - } - pass "$test" - if { ! [cmd {kadm5_destroy $server_handle}]} { - perror "$test: unexpected failure in destroy" - return - } -} - -test12 - test "delete-principal 13" proc test13 {} { global test diff --git a/src/lib/kadm5/unit-test/api.current/mod-principal.exp b/src/lib/kadm5/unit-test/api.current/mod-principal.exp index 25fb272b5a..44f8548df1 100644 --- a/src/lib/kadm5/unit-test/api.current/mod-principal.exp +++ b/src/lib/kadm5/unit-test/api.current/mod-principal.exp @@ -380,10 +380,10 @@ proc test17 {} { perror "$test: unexpected failure in init" return } - one_line_fail_test [format { + one_line_succeed_test [format { kadm5_modify_principal $server_handle [princ_w_pol "%s/a" \ no-policy] {KADM5_POLICY} - } $test] "UNK_POLICY" + } $test] if { ! [cmd {kadm5_destroy $server_handle}]} { perror "$test: unexpected failure in destroy" return @@ -391,371 +391,6 @@ proc test17 {} { } test17 -test "modify-principal 18" -proc test18 {} { - global test - global prompt - if {! (( ! [principal_exists "$test/a"]) || - [delete_principal "$test/a"])} { - error_and_restart "$test: couldn't delete principal \"$test/a\"" - return - } - if { !( [create_principal "$test/a"])} { - error_and_restart "$test: could not create principal \"$test/a\"" - return - } - if {! [cmd { - kadm5_init admin admin $KADM5_ADMIN_SERVICE null \ - $KADM5_STRUCT_VERSION $KADM5_API_VERSION_3 \ - server_handle - }]} { - perror "$test: unexpected failure in init" - return - } - if { ! [cmd {kadm5_get_policy $server_handle test-pol p1}]} { - perror "$test: unexpected failure on get policy" - return - } - if {! [cmd [format { - kadm5_modify_principal $server_handle [princ_w_pol "%s/a" \ - test-pol] {KADM5_POLICY} - } $test]]} { - fail "$test: modify failed" - return - } - if {! [cmd [format { - kadm5_get_principal $server_handle "%s/a" principal KADM5_PRINCIPAL_NORMAL_MASK - } $test]]} { - error_and_restart "$test: could not retrieve principal" - return - } - send "lindex \$principal 10\n" - expect { - -re "test-pol\n$prompt$" { pass "$test" } - timeout { fail "$test" } - } - send "lindex \$p1 6\n" - expect { - -re "(\[0-9\]+)\n$prompt$" {set oldref $expect_out(1,string) } - timeout { - error_and_restart "$test: timeout getting principal kvno (second time)" - return - } - eof { - error_and_restart "$test: eof getting principal kvno (second time)" - return - } - } - if { ! [cmd {kadm5_get_policy $server_handle test-pol p2}]} { - perror "$test: unexpected failure on get policy" - return - } - - send "lindex \$p2 6\n" - expect { - -re "(\[0-9\]+)\n$prompt$" {set newref $expect_out(1,string) } - timeout { - error_and_restart "$test: timeout getting principal kvno (second time)" - return - } - eof { - error_and_restart "$test: eof getting principal kvno (second time)" - return - } - } - if { [expr "$oldref + 1"] != $newref } { - fail "$test: policy reference count is wrong" - return; - } - if { ! [cmd {kadm5_destroy $server_handle}]} { - perror "$test: unexpected failure in destroy" - return - } -} -test18 - -test "modify-principal 19" -proc test19 {} { - global test - global prompt - if {! (( ! [principal_exists "$test/a"]) || - [delete_principal "$test/a"])} { - error_and_restart "$test: couldn't delete principal \"$test/a\"" - return - } - if { !( [create_principal "$test/a"])} { - error_and_restart "$test: could not create principal \"$test/a\"" - return - } - if {! [cmd { - kadm5_init admin admin $KADM5_ADMIN_SERVICE null \ - $KADM5_STRUCT_VERSION $KADM5_API_VERSION_3 \ - server_handle - }]} { - perror "$test: unexpected failure in init" - return - } - if { ! [cmd {kadm5_get_policy $server_handle test-pol p1}]} { - perror "$test: unexpected failure on get policy" - return - } - if {! [cmd [format { - kadm5_modify_principal $server_handle [princ_w_pol "%s/a" \ - test-pol] {KADM5_POLICY} - } $test]]} { - fail "$test: modify failed" - return - } - if {! [cmd [format { - kadm5_get_principal $server_handle "%s/a" principal KADM5_PRINCIPAL_NORMAL_MASK - } $test]]} { - error_and_restart "$test: could not retrieve principal" - return - } - send "lindex \$principal 10\n" - expect { - -re "test-pol\n$prompt$" { pass "$test" } - timeout { fail "$test" } - } - send "lindex \$p1 6\n" - expect { - -re "(\[0-9\]+)\n$prompt$" {set oldref $expect_out(1,string) } - timeout { - error_and_restart "$test: timeout getting principal kvno (second time)" - return - } - eof { - error_and_restart "$test: eof getting principal kvno (second time)" - return - } - } - if { ! [cmd {kadm5_get_policy $server_handle test-pol p2}]} { - perror "$test: unexpected failure on get policy" - return - } - - send "lindex \$p2 6\n" - expect { - -re "(\[0-9\]+)\n$prompt$" {set newref $expect_out(1,string) } - timeout { - error_and_restart "$test: timeout getting principal kvno (second time)" - return - } - eof { - error_and_restart "$test: eof getting principal kvno (second time)" - return - } - } - if { [expr "$oldref + 1"] != $newref } { - fail "$test: policy reference count is wrong" - return; - } - if { ! [cmd {kadm5_destroy $server_handle}]} { - perror "$test: unexpected failure in destroy" - return - } -} -test19 - -test "modify-principal 20" -proc test20 {} { - global test - global prompt - if {! (( ! [principal_exists "$test/a"]) || - [delete_principal "$test/a"])} { - error_and_restart "$test: couldn't delete principal \"$test/a\"" - return - } - if { !( [create_principal_pol "$test/a" "test-pol"])} { - error_and_restart "$test: could not create principal \"$test/a\"" - return - } - if {! [cmd { - kadm5_init admin admin $KADM5_ADMIN_SERVICE null \ - $KADM5_STRUCT_VERSION $KADM5_API_VERSION_3 \ - server_handle - }]} { - perror "$test: unexpected failure in init" - return - } - if { ! [cmd {kadm5_get_policy $server_handle test-pol p1}]} { - perror "$test: unexpected failure on get policy" - return - } - if {! [cmd [format { - kadm5_modify_principal $server_handle [simple_principal "%s/a"] \ - {KADM5_POLICY_CLR} - } $test]]} { - perror "$test: modify failed" - return - } - if {! [cmd [format { - kadm5_get_principal $server_handle "%s/a" principal KADM5_PRINCIPAL_NORMAL_MASK - } $test]]} { - error_and_restart "$test: could not retrieve principal" - return - } - send "lindex \$principal 10\n" - expect { - -re "test-pol\n$prompt$" { fail "$test" } - -re "null\n$prompt$" { pass "$test" } - timeout { pass "$test" } - } - send "lindex \$p1 6\n" - expect { - -re "(\[0-9\]+)\n$prompt$" {set oldref $expect_out(1,string) } - timeout { - error_and_restart "$test: timeout getting principal kvno (second time)" - return - } - eof { - error_and_restart "$test: eof getting principal kvno (second time)" - return - } - } - if { ! [cmd {kadm5_get_policy $server_handle test-pol p2}]} { - perror "$test: unexpected failure on get policy" - return - } - - send "lindex \$p2 6\n" - expect { - -re "(\[0-9\]+)\n$prompt$" {set newref $expect_out(1,string) } - timeout { - error_and_restart "$test: timeout getting principal kvno (second time)" - return - } - eof { - error_and_restart "$test: eof getting principal kvno (second time)" - return - } - } - if { [expr "$oldref - 1"] != $newref } { - fail "$test: policy reference count is wrong" - return; - } - if { ! [cmd {kadm5_destroy $server_handle}]} { - perror "$test: unexpected failure in destroy" - return - } -} -test20 - -test "modify-principal 21" -proc test21 {} { - global test - global prompt - if {! (( ! [principal_exists "$test/a"]) || - [delete_principal "$test/a"])} { - error_and_restart "$test: couldn't delete principal \"$test/a\"" - return - } - if { !( [create_principal_pol "$test/a" "test-pol"])} { - error_and_restart "$test: could not create principal \"$test/a\"" - return - } - if {! [cmd { - kadm5_init admin admin $KADM5_ADMIN_SERVICE null \ - $KADM5_STRUCT_VERSION $KADM5_API_VERSION_3 \ - server_handle - }]} { - perror "$test: unexpected failure in init" - return - } - if { ! [cmd {kadm5_get_policy $server_handle test-pol old_p1}]} { - perror "$test: unexpected failure on get policy" - return - } - if { ! [cmd {kadm5_get_policy $server_handle test-pol-nopw old_p2}]} { - perror "$test: unexpected failure on get policy" - return - } - if {! [cmd [format { - kadm5_modify_principal $server_handle [princ_w_pol "%s/a" \ - test-pol-nopw] {KADM5_POLICY} - } $test]]} { - fail "$test: modify failed" - return - } - if {! [cmd [format { - kadm5_get_principal $server_handle "%s/a" principal KADM5_PRINCIPAL_NORMAL_MASK - } $test]]} { - error_and_restart "$test: could not retrieve principal" - return - } - send "lindex \$old_p1 6\n" - expect { - -re "(\[0-9\]+)\n$prompt$" {set old_p1_ref $expect_out(1,string) } - timeout { - error_and_restart "$test: timeout getting principal kvno (second time)" - return - } - eof { - error_and_restart "$test: eof getting principal kvno (second time)" - return - } - } - send "lindex \$old_p2 6\n" - expect { - -re "(\[0-9\]+)\n$prompt$" {set old_p2_ref $expect_out(1,string) } - timeout { - error_and_restart "$test: timeout getting principal kvno (second time)" - return - } - eof { - error_and_restart "$test: eof getting principal kvno (second time)" - return - } - } - - if { ! [cmd {kadm5_get_policy $server_handle test-pol new_p1}]} { - perror "$test: unexpected failure on get policy" - return - } - if { ! [cmd {kadm5_get_policy $server_handle test-pol-nopw new_p2}]} { - perror "$test: unexpected failure on get policy" - return - } - - send "lindex \$new_p1 6\n" - expect { - -re "(\[0-9\]+)\n$prompt$" {set new_p1_ref $expect_out(1,string) } - timeout { - error_and_restart "$test: timeout getting principal kvno (second time)" - return - } - eof { - error_and_restart "$test: eof getting principal kvno (second time)" - return - } - } - send "lindex \$new_p2 6\n" - expect { - -re "(\[0-9\]+)\n$prompt$" {set new_p2_ref $expect_out(1,string) } - timeout { - error_and_restart "$test: timeout getting principal kvno (second time)" - return - } - eof { - error_and_restart "$test: eof getting principal kvno (second time)" - return - } - } - if { [expr "$old_p1_ref - 1"] != $new_p1_ref } { - fail "$test: policy reference count is wrong" - return; - } - if { [expr "$old_p2_ref + 1"] != $new_p2_ref } { - fail "$test: policy reference count is wrong" - return; - } - if { ! [cmd {kadm5_destroy $server_handle}]} { - perror "$test: unexpected failure in destroy" - return - } -} -test21 - test "modify-principal 21.5" proc test21.5 {} { global test |