author | Greg Hudson <ghudson@mit.edu> | 2011-02-07 18:40:00 +0000 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2011-02-07 18:40:00 +0000 |
commit | 66587fcd6380eac2c53674df4f64a827d337aee5 (patch) | |
tree | e3e98004479a87b3f1e1171056464f3a6be65d95 /src/tests/gssapi/t_gssapi.py | |
parent | 1b46b254240d95534b7a3ee1f45ac85f6c38db1b (diff) | |
download | krb5-66587fcd6380eac2c53674df4f64a827d337aee5.tar.gz krb5-66587fcd6380eac2c53674df4f64a827d337aee5.tar.xz krb5-66587fcd6380eac2c53674df4f64a827d337aee5.zip |
Improve acceptor name flexibility
Be more flexible about the principal names we will accept for a given
GSS acceptor name. Also add support for a new libdefaults profile
variable ignore_acceptor_hostname, which causes the hostnames of
host-based service principals to be ignored when passed by server
applications as acceptor names.
Note that we still always invoke krb5_sname_to_principal() when
importing a gss-krb5 mechanism name, even though we won't always use
the result. This is an unfortunate waste of getaddrinfo/getnameinfo
queries in some situations, but the code surgery necessary to defer
it appears too risky at this time.
The project proposal for this change is at:
http://k5wiki.kerberos.org/wiki/Projects/Acceptor_Names
ticket: 6855
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24616 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/tests/gssapi/t_gssapi.py')
-rw-r--r-- | src/tests/gssapi/t_gssapi.py | 81 |
1 files changed, 80 insertions, 1 deletions
diff --git a/src/tests/gssapi/t_gssapi.py b/src/tests/gssapi/t_gssapi.py
index d88f7949b8..f4dd9e3cb8 100644
--- a/src/tests/gssapi/t_gssapi.py
+++ b/src/tests/gssapi/t_gssapi.py
@@ -1,7 +1,86 @@
 #!/usr/bin/python
 from k5test import *
+# Test krb5 negotiation under SPNEGO for all enctype configurations.
 for realm in multipass_realms():
 realm.run_as_client(['./t_spnego', realm.host_princ, realm.keytab])
-success('GSSAPI test programs (SPNEGO only).')
+### Test acceptor name behavior.
+
+realm = K5Realm(start_kadmind=False)
+
+# Create some host-based principals and put most of them into the
+# keytab. Rename one principal so that the keytab name matches the
+# key but not the client name.
+realm.run_kadminl('addprinc -randkey service1/abraham')
+realm.run_kadminl('addprinc -randkey service1/barack')
+realm.run_kadminl('addprinc -randkey service2/calvin')
+realm.run_kadminl('addprinc -randkey service2/dwight')
+realm.run_kadminl('addprinc -randkey host/-nomatch-')
+realm.run_kadminl('xst service1/abraham')
+realm.run_kadminl('xst service1/barack')
+realm.run_kadminl('xst service2/calvin')
+realm.run_kadminl('renprinc -force service1/abraham service1/andrew')
+
+# Test with no acceptor name, including client/keytab principal
+# mismatch (non-fatal) and missing keytab entry (fatal).
+output = realm.run_as_client(['./t_accname', 'service1/andrew'])
+if 'service1/abraham' not in output:
+ fail('Expected service1/abraham in t_accname output')
+output = realm.run_as_client(['./t_accname', 'service1/barack'])
+if 'service1/barack' not in output:
+ fail('Expected service1/barack in t_accname output')
+output = realm.run_as_client(['./t_accname', 'service2/calvin'])
+if 'service2/calvin' not in output:
+ fail('Expected service1/barack in t_accname output')
+output = realm.run_as_client(['./t_accname', 'service2/dwight'],
+ expected_code=1)
+if 'Wrong principal in request' not in output:
+ fail('Expected error message not seen in t_accname output')
+
+# Test with acceptor name containing service only, including
+# client/keytab hostname mismatch (non-fatal) and service name
+# mismatch (fatal).
+output = realm.run_as_client(['./t_accname', 'service1/andrew', 'service1'])
+if 'service1/abraham' not in output:
+ fail('Expected service1/abraham in t_accname output')
+output = realm.run_as_client(['./t_accname', 'service1/andrew', 'service2'],
+ expected_code=1)
+if 'Wrong principal in request' not in output:
+ fail('Expected error message not seen in t_accname output')
+output = realm.run_as_client(['./t_accname', 'service2/calvin', 'service2'])
+if 'service2/calvin' not in output:
+ fail('Expected service2/calvin in t_accname output')
+output = realm.run_as_client(['./t_accname', 'service2/calvin', 'service1'],
+ expected_code=1)
+if 'Wrong principal in request' not in output:
+ fail('Expected error message not seen in t_accname output')
+
+# Test with acceptor name containing service and host. Use the
+# client's un-canonicalized hostname as acceptor input to mirror what
+# many servers do.
+output = realm.run_as_client(['./t_accname', realm.host_princ,
+ 'host@%s' % socket.gethostname()])
+if realm.host_princ not in output:
+ fail('Expected %s in t_accname output' % realm.host_princ)
+output = realm.run_as_client(['./t_accname', 'host/-nomatch-',
+ 'host@%s' % socket.gethostname()],
+ expected_code=1)
+if 'Wrong principal in request' not in output:
+ fail('Expected error message not seen in t_accname output')
+
+realm.stop()
+
+# Re-run that last test with ignore_acceptor_hostname set and the
+# principal for the mismatching hostname in the keytab.
+ignore_conf = { 'all' : { 'libdefaults' : {
+ 'ignore_acceptor_hostname' : 'true' } } }
+realm = K5Realm(krb5_conf=ignore_conf, start_kadmind=False)
+realm.run_kadminl('addprinc -randkey host/-nomatch-')
+realm.run_kadminl('xst host/-nomatch-')
+output = realm.run_as_client(['./t_accname', 'host/-nomatch-',
+ 'host@%s' % socket.gethostname()])
+if 'host/-nomatch-' not in output:
+ fail('Expected error message not seen in t_accname output')
+
+success('GSSAPI tests.') |
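Review bot: The failure message for the service2/calvin check (no-acceptor-name section) is a copy-paste slip — the test asserts `'service2/calvin' not in output` but reports `fail('Expected service1/barack in t_accname output')`; it should read `fail('Expected service2/calvin in t_accname output')`. The final ignore_acceptor_hostname check has the same problem: it expects `'host/-nomatch-'` in a successful run, yet on failure says `'Expected error message not seen in t_accname output'`, so a regression in that code path would be misdiagnosed — `fail('Expected host/-nomatch- in t_accname output')` is the intended text. `socket.gethostname()` works only because `socket` leaks through `from k5test import *`; an explicit `import socket` next to that line would make the script self-contained and survive a future `__all__` in k5test. The ignore_acceptor_hostname section only exercises the positive case; a negative case under the same config (client principal with a mismatching service name, `expected_code=1`, checking for `'Wrong principal in request'`) would pin down that the option ignores only the hostname component and not the service component.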