authorGreg Hudson <ghudson@mit.edu>2013-09-28 16:29:36 -0400
committerGreg Hudson <ghudson@mit.edu>2013-10-02 10:41:40 -0400
commit5d03cb6b235f0ee0e30b34630f95f208d6acd3d0 (patch)
tree10a8c2d13a068a250f5b3f339ceccd47f0154978 /src/tests/t_ccache.py
parent7c69a0372db5b7ed670ef3099a97942ede7a4739 (diff)
Conditionally test KEYRING ccache type
If the keyctl command is found and klist recognizes the KEYRING credential cache type, then run several tests against keyring ccaches: the collection test program in lib/krb5/ccache, the command-line collection tests in tests/t_ccache.py, and some new tests to verify legacy session cache behavior. Much of the Python code in t_ccache.py is moved into a new function named "collection_test" so we can run it once against a DIR collection and once against a KEYRING collection. Also: fix a memory leak in the collection test program; add a test for iteration when the default cache name is a subsidiary name; use a process keyring ccache in t_cc.c to avoid leaving behind empty collections in the session keyring after each test run. Adapted from a patch by simo@redhat.com. ticket: 7711
Diffstat (limited to 'src/tests/t_ccache.py')
-rw-r--r--src/tests/t_ccache.py128
1 files changed, 87 insertions, 41 deletions
diff --git a/src/tests/t_ccache.py b/src/tests/t_ccache.py
index a761d48fbe..15d8141f02 100644
--- a/src/tests/t_ccache.py
+++ b/src/tests/t_ccache.py
@@ -25,58 +25,104 @@ from k5test import *
realm = K5Realm(create_host=False)
+keyctl = which('keyctl')
+out = realm.run([klist, '-c', 'KEYRING:process:abcd'], expected_code=1)
+test_keyring = (keyctl is not None and
+ 'Unknown credential cache type' not in out)
+
# Test kdestroy and klist of a non-existent ccache.
realm.run([kdestroy])
output = realm.run([klist], expected_code=1)
if 'No credentials cache found' not in output:
fail('Expected error message not seen in klist output')
-# Make a directory collection and use it for client commands.
-ccname = 'DIR:' + os.path.join(realm.testdir, 'cc')
-realm.env['KRB5CCNAME'] = ccname
-
realm.addprinc('alice', password('alice'))
realm.addprinc('bob', password('bob'))
realm.addprinc('carol', password('carol'))
-realm.kinit('alice', password('alice'))
-output = realm.run([klist])
-if 'Default principal: alice@' not in output:
- fail('Initial kinit failed to get credentials for alice.')
-realm.run([kdestroy])
-output = realm.run([klist], expected_code=1)
-if 'No credentials cache found' not in output:
- fail('Initial kdestroy failed to destroy primary cache.')
-output = realm.run([klist, '-l'], expected_code=1)
-if not output.endswith('---\n') or output.count('\n') != 2:
- fail('Initial kdestroy failed to empty cache collection.')
+def collection_test(realm, ccname):
+ realm.env['KRB5CCNAME'] = ccname
-realm.kinit('alice', password('alice'))
-realm.kinit('carol', password('carol'))
-output = realm.run([klist, '-l'])
-if '---\ncarol@' not in output or '\nalice@' not in output:
- fail('klist -l did not show expected output after two kinits.')
-realm.kinit('alice', password('alice'))
-output = realm.run([klist, '-l'])
-if '---\nalice@' not in output or output.count('\n') != 4:
- fail('klist -l did not show expected output after re-kinit for alice.')
-realm.kinit('bob', password('bob'))
-output = realm.run([klist, '-A'])
-if 'bob@' not in output.splitlines()[1] or 'alice@' not in output or \
- 'carol' not in output or output.count('Default principal:') != 3:
- fail('klist -A did not show expected output after kinit for bob.')
-realm.run([kswitch, '-p', 'carol'])
-output = realm.run([klist, '-l'])
-if '---\ncarol@' not in output or output.count('\n') != 5:
- fail('klist -l did not show expected output after kswitch to carol.')
-realm.run([kdestroy])
-output = realm.run([klist, '-l'])
-if 'carol@' in output or 'bob@' not in output or output.count('\n') != 4:
- fail('kdestroy failed to remove only primary ccache.')
-realm.run([kdestroy, '-A'])
-output = realm.run([klist, '-l'], expected_code=1)
-if not output.endswith('---\n') or output.count('\n') != 2:
- fail('kdestroy -a failed to empty cache collection.')
+ realm.kinit('alice', password('alice'))
+ output = realm.run([klist])
+ if 'Default principal: alice@' not in output:
+ fail('Initial kinit failed to get credentials for alice.')
+ realm.run([kdestroy])
+ output = realm.run([klist], expected_code=1)
+ if 'No credentials cache found' not in output:
+ fail('Initial kdestroy failed to destroy primary cache.')
+ output = realm.run([klist, '-l'], expected_code=1)
+ if not output.endswith('---\n') or output.count('\n') != 2:
+ fail('Initial kdestroy failed to empty cache collection.')
+
+ realm.kinit('alice', password('alice'))
+ realm.kinit('carol', password('carol'))
+ output = realm.run([klist, '-l'])
+ if '---\ncarol@' not in output or '\nalice@' not in output:
+ fail('klist -l did not show expected output after two kinits.')
+ realm.kinit('alice', password('alice'))
+ output = realm.run([klist, '-l'])
+ if '---\nalice@' not in output or output.count('\n') != 4:
+ fail('klist -l did not show expected output after re-kinit for alice.')
+ realm.kinit('bob', password('bob'))
+ output = realm.run([klist, '-A'])
+ if 'bob@' not in output.splitlines()[1] or 'alice@' not in output or \
+ 'carol' not in output or output.count('Default principal:') != 3:
+ fail('klist -A did not show expected output after kinit for bob.')
+ realm.run([kswitch, '-p', 'carol'])
+ output = realm.run([klist, '-l'])
+ if '---\ncarol@' not in output or output.count('\n') != 5:
+ fail('klist -l did not show expected output after kswitch to carol.')
+ realm.run([kdestroy])
+ output = realm.run([klist, '-l'])
+ if 'carol@' in output or 'bob@' not in output or output.count('\n') != 4:
+ fail('kdestroy failed to remove only primary ccache.')
+ realm.run([kdestroy, '-A'])
+ output = realm.run([klist, '-l'], expected_code=1)
+ if not output.endswith('---\n') or output.count('\n') != 2:
+ fail('kdestroy -a failed to empty cache collection.')
+
+
+collection_test(realm, 'DIR:' + os.path.join(realm.testdir, 'cc'))
+if test_keyring:
+ # Use realm.testdir as the collection name to avoid conflicts with
+ # other build trees.
+ cname = realm.testdir
+
+ realm.run([keyctl, 'purge', 'keyring', '_krb_' + cname])
+ collection_test(realm, 'KEYRING:session:' + cname)
+ realm.run([keyctl, 'purge', 'keyring', '_krb_' + cname])
+
+ # Test legacy keyring cache linkage.
+ realm.env['KRB5CCNAME'] = 'KEYRING:' + cname
+ realm.run([kdestroy, '-A'])
+ realm.kinit(realm.user_princ, password('user'))
+ out = realm.run([klist, '-l'])
+ if 'KEYRING:legacy:' + cname + ':' + cname not in out:
+ fail('Wrong initial primary name in keyring legacy collection')
+ # Make sure this cache is linked to the session keyring.
+ id = realm.run([keyctl, 'search', '@s', 'keyring', cname])
+ out = realm.run([keyctl, 'list', id.strip()])
+ if 'user: __krb5_princ__' not in out:
+ fail('Legacy cache not linked into session keyring')
+ # Remove the collection keyring. When the collection is
+ # reinitialized, the legacy cache should reappear inside it
+ # automatically as the primary cache.
+ out = realm.run([keyctl, 'purge', 'keyring', '_krb_' + cname])
+ if 'purged 1 keys' not in out:
+ fail('Could not purge collection keyring')
+ out = realm.run([klist])
+ if realm.user_princ not in out:
+ fail('Cannot see legacy cache after purging collection')
+ coll_id = realm.run([keyctl, 'search', '@s', 'keyring', '_krb_' + cname])
+ out = realm.run([keyctl, 'list', coll_id.strip()])
+ if (id.strip() + ':') not in out:
+ fail('Legacy cache did not reappear in collection after klist')
+ # Destroy the cache and check that it is unlinked from the session keyring.
+ realm.run([kdestroy])
+ realm.run([keyctl, 'search', '@s', 'keyring', cname], expected_code=1)
+ # Clean up the collection key.
+ realm.run([keyctl, 'purge', 'keyring', '_krb_' + cname])
# Test parameter expansion in default_ccache_name
realm.stop()
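Review bot: The keyring block under `if test_keyring:` operates on the invoking user's real session keyring (`@s`), and its `keyctl purge` calls run only on the success path. If `fail()` aborts the script (its definition is not visible in this hunk), a failure partway through would leave the `_krb_` + cname collection and the legacy cache, with the test principal's credentials, linked into that keyring. Wrapping the block in `try:` / `finally:` and moving the final `realm.run([keyctl, 'purge', 'keyring', '_krb_' + cname])` into the `finally`, together with a matching purge of the `cname` keyring, would make the cleanup unconditional. Separately, `id = realm.run([keyctl, 'search', '@s', 'keyring', cname])` shadows the builtin `id`; `cache_id` would read better next to `coll_id`. The `'purged 1 keys' not in out` check also ties the test to keyctl's exact message wording, which is worth a one-line comment.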