authorGreg Hudson <ghudson@mit.edu>2013-09-28 16:29:36 -0400
committerGreg Hudson <ghudson@mit.edu>2013-10-02 10:41:40 -0400
commit5d03cb6b235f0ee0e30b34630f95f208d6acd3d0 (patch)
tree10a8c2d13a068a250f5b3f339ceccd47f0154978 /src/lib
parent7c69a0372db5b7ed670ef3099a97942ede7a4739 (diff)
Conditionally test KEYRING ccache type
If the keyctl command is found and klist recognizes the KEYRING credential cache type, then run several tests against keyring ccaches: the collection test program in lib/krb5/ccache, the command-line collection tests in tests/t_ccache.py, and some new tests to verify legacy session cache behavior. Much of the Python code in t_ccache.py is moved into a new function named "collection_test" so we can run it once against a DIR collection and once against a KEYRING collection. Also: fix a memory leak in the collection test program; add a test for iteration when the default cache name is a subsidiary name; use a process keyring ccache in t_cc.c to avoid leaving behind empty collections in the session keyring after each test run. Adapted from a patch by simo@redhat.com. ticket: 7711
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/krb5/ccache/t_cc.c4
-rw-r--r--src/lib/krb5/ccache/t_cccol.c10
-rw-r--r--src/lib/krb5/ccache/t_cccol.py58
3 files changed, 69 insertions, 3 deletions
diff --git a/src/lib/krb5/ccache/t_cc.c b/src/lib/krb5/ccache/t_cc.c
index 991cef0253..6069cabd33 100644
--- a/src/lib/krb5/ccache/t_cc.c
+++ b/src/lib/krb5/ccache/t_cc.c
@@ -426,8 +426,8 @@ main(void)
test_misc(context);
do_test(context, "");
- if(check_registered(context, "KEYRING:"))
- do_test(context, "KEYRING:");
+ if (check_registered(context, "KEYRING:process:"))
+ do_test(context, "KEYRING:process:");
else
printf("Skiping KEYRING: test - unregistered type\n");
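Review bot: The switch from `KEYRING:` to `KEYRING:process:` has no explanation in the code, so the reason is only recoverable from the commit message. A short comment above the `if` would keep a later edit from reverting to the session keyring, for example `/* Use a process keyring so the test leaves no empty collections in the session keyring. */`. The `else` branch (unchanged context) still prints `Skiping KEYRING: test`, which no longer names the type being probed and misspells "Skipping"; it could be updated in the same change. The body of main() starts and ends outside this hunk.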
diff --git a/src/lib/krb5/ccache/t_cccol.c b/src/lib/krb5/ccache/t_cccol.c
index 3b4d3b3c29..444806e5a2 100644
--- a/src/lib/krb5/ccache/t_cccol.c
+++ b/src/lib/krb5/ccache/t_cccol.c
@@ -294,6 +294,15 @@ main(int argc, char **argv)
check_collection(initial_primary_name, 2, unique1_name, unique2_name);
/*
+ * Temporarily set the context default ccache to a subsidiary name, and
+ * check that iterating over the collection yields that subsidiary cache
+ * and no others.
+ */
+ check(krb5_cc_set_default_name(ctx, unique1_name));
+ check_collection(unique1_name, 0);
+ check(krb5_cc_set_default_name(ctx, collection_name));
+
+ /*
* Destroy the primary cache. Make sure this causes both the initial
* primary name and the collection name to resolve to an uninitialized
* cache. Make sure the primary name doesn't change and doesn't appear in
@@ -349,5 +358,6 @@ main(int argc, char **argv)
krb5_free_principal(ctx, princ1);
krb5_free_principal(ctx, princ2);
krb5_free_principal(ctx, princ3);
+ krb5_free_context(ctx);
return 0;
}
diff --git a/src/lib/krb5/ccache/t_cccol.py b/src/lib/krb5/ccache/t_cccol.py
index 8b70470df2..e762625662 100644
--- a/src/lib/krb5/ccache/t_cccol.py
+++ b/src/lib/krb5/ccache/t_cccol.py
@@ -1,9 +1,43 @@
#!/usr/bin/python
from k5test import *
-# Run the collection test program against each collection-enabled type.
realm = K5Realm(create_kdb=False)
+
+keyctl = which('keyctl')
+out = realm.run([klist, '-c', 'KEYRING:process:abcd'], expected_code=1)
+test_keyring = (keyctl is not None and
+ 'Unknown credential cache type' not in out)
+
+# Run the collection test program against each collection-enabled type.
realm.run(['./t_cccol', 'DIR:' + os.path.join(realm.testdir, 'cc')])
+if test_keyring:
+ # Use the test directory as the collection name to avoid colliding
+ # with other build trees.
+ cname = realm.testdir
+
+ # Remove any keys left behind by previous failed test runs.
+ realm.run(['keyctl', 'purge', 'keyring', '_krb_' + cname])
+ realm.run(['keyctl', 'purge', 'keyring', cname])
+ out = realm.run(['keyctl', 'list', '@u'])
+ if ('keyring: _krb_' + cname + '\n') in out:
+ id = realm.run(['keyctl', 'search', '@u', 'keyring', '_krb_' + cname])
+ realm.run(['keyctl', 'unlink', id.strip(), '@u'])
+
+ # Run test program over each subtype, cleaning up as we go. Don't
+ # test the persistent subtype, since it supports only one
+ # collection and might be in actual use.
+ realm.run(['./t_cccol', 'KEYRING:' + cname])
+ realm.run(['keyctl', 'purge', 'keyring', '_krb_' + cname])
+ realm.run(['./t_cccol', 'KEYRING:legacy:' + cname])
+ realm.run(['keyctl', 'purge', 'keyring', '_krb_' + cname])
+ realm.run(['./t_cccol', 'KEYRING:session:' + cname])
+ realm.run(['keyctl', 'purge', 'keyring', '_krb_' + cname])
+ realm.run(['./t_cccol', 'KEYRING:user:' + cname])
+ id = realm.run(['keyctl', 'search', '@u', 'keyring', '_krb_' + cname])
+ realm.run(['keyctl', 'unlink', id.strip(), '@u'])
+ realm.run(['./t_cccol', 'KEYRING:process:abcd'])
+ realm.run(['./t_cccol', 'KEYRING:thread:abcd'])
+
realm.stop()
# Test cursor semantics using real ccaches.
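Review bot: The path returned by `which('keyctl')` is used only as a boolean for `test_keyring`, while every later call runs the bare name `'keyctl'` and so repeats the PATH lookup. Passing the resolved path, as in `realm.run([keyctl, 'purge', 'keyring', '_krb_' + cname])`, guarantees that the binary that was probed is the one that modifies the user's keyrings. The same applies to the `keyctl` calls in the two later hunks of this file. Separately, `id` shadows the Python builtin; a name such as `keyid` avoids that. The repeated run-then-purge pairs for the default, `legacy:` and `session:` subtypes could be a short loop over the subtype prefixes.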
@@ -22,6 +56,18 @@ realm.kinit('user', password('user'), flags=['-c', duser])
realm.kinit('alice', password('alice'), flags=['-c', dalice])
realm.kinit('bob', password('bob'), flags=['-c', dbob])
+if test_keyring:
+ cname = realm.testdir
+ realm.run(['keyctl', 'purge', 'keyring', '_krb_' + cname])
+ krccname = 'KEYRING:session:' + cname
+ kruser = '%s:tkt1' % krccname
+ kralice = '%s:tkt2' % krccname
+ krbob = '%s:tkt3' % krccname
+ krnoent = '%s:noent' % krccname
+ realm.kinit('user', password('user'), flags=['-c', kruser])
+ realm.kinit('alice', password('alice'), flags=['-c', kralice])
+ realm.kinit('bob', password('bob'), flags=['-c', krbob])
+
def cursor_test(testname, args, expected):
outlines = realm.run(['./t_cccursor'] + args).splitlines()
outlines.sort()
@@ -40,16 +86,26 @@ cursor_test('dir', [dccname], [duser, dalice, dbob])
cursor_test('dir-subsidiary', [duser], [duser])
cursor_test('dir-nofile', [dnoent], [])
+if test_keyring:
+ cursor_test('keyring', [krccname], [kruser, kralice, krbob])
+ cursor_test('keyring-subsidiary', [kruser], [kruser])
+ cursor_test('keyring-noent', [krnoent], [])
+
mfoo = 'MEMORY:foo'
mbar = 'MEMORY:bar'
cursor_test('filemem', [fccname, mfoo, mbar], [fccname, mfoo, mbar])
cursor_test('dirmem', [dccname, mfoo], [duser, dalice, dbob, mfoo])
+if test_keyring:
+ cursor_test('keyringmem', [krccname, mfoo], [kruser, kralice, krbob, mfoo])
# Test krb5_cccol_have_content.
realm.run(['./t_cccursor', dccname, 'CONTENT'])
realm.run(['./t_cccursor', fccname, 'CONTENT'])
realm.run(['./t_cccursor', realm.ccache, 'CONTENT'])
realm.run(['./t_cccursor', mfoo, 'CONTENT'], expected_code=1)
+if test_keyring:
+ realm.run(['./t_cccursor', krccname, 'CONTENT'])
+ realm.run(['keyctl', 'purge', 'keyring', '_krb_' + cname])
# Make sure FILE doesn't yield a nonexistent default cache.
realm.run([kdestroy])
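Review bot: The only cleanup for the session-keyring collection is the `keyctl purge` placed after the keyring `CONTENT` check, so it is skipped if any earlier `cursor_test` or `realm.run` call in the keyring path fails (assuming k5test aborts the script on failure, which is not visible here). In that case the `tkt1`–`tkt3` test credentials created in the previous hunk stay in the invoking user's session keyring until the next run's initial purge. Consider putting the keyring checks in a `try:` block with `finally: realm.run(['keyctl', 'purge', 'keyring', '_krb_' + cname])`, or at least add a comment that stale entries are removed at the start of the next run. `cname` is also assigned a second time in the previous hunk with the same value as in the first hunk, so one assignment is enough.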