diff options
| author | Greg Hudson <ghudson@mit.edu> | 2013-10-09 12:56:13 -0400 |
|---|---|---|
| committer | Greg Hudson <ghudson@mit.edu> | 2013-10-09 13:38:20 -0400 |
| commit | 69c190ed9189273a79fdb8e8d95ce970d21118b3 (patch) | |
| tree | e5e7537593ac28cc962ea78459b253dd9f788952 /src/tests/t_referral.py | |
| parent | b44879db690581270a765904ed0a32d9663e345b (diff) | |
| download | krb5-69c190ed9189273a79fdb8e8d95ce970d21118b3.tar.gz krb5-69c190ed9189273a79fdb8e8d95ce970d21118b3.tar.xz krb5-69c190ed9189273a79fdb8e8d95ce970d21118b3.zip | |
Perform complete referrals in t_referral.py
t_referral.py was written to exercise KDC host referral logic, and did
not actually create the target realm, instead just looking at the
error message from gcred to determine whether the KDC returned a
referral or not. It's only a small amount of additional work to
actually set up the target realm and check that the client code
successfully retrieves the referral, so do that instead.
Since the referral and non-referral outcomes aren't all that similar
any more, split test() into testref() and testfail(). Get rid of the
message argument, since it wouldn't be output in most cases where we
get an unexpected result.
Diffstat (limited to 'src/tests/t_referral.py')
| -rw-r--r-- | src/tests/t_referral.py | 75 |
1 files changed, 44 insertions, 31 deletions
diff --git a/src/tests/t_referral.py b/src/tests/t_referral.py index 884e45bf86..ff23073206 100644 --- a/src/tests/t_referral.py +++ b/src/tests/t_referral.py @@ -1,21 +1,32 @@ #!/usr/bin/python from k5test import * -# Create a realm where the KDC has a [domain_realm] mapping for 'd' -# and clients will not try to use DNS to look up KDC addresses. The -# KDC believes it has a cross-realm TGT for REFREALM, but we won't -# actually create REFREALM. -nodns = {'libdefaults': {'dns_lookup_kdc': 'false'}} +# Create a pair of realms, where KRBTEST1.COM can authenticate to +# REFREALM and has a domain-realm mapping for 'd' pointing to it. drealm = {'domain_realm': {'d': 'REFREALM'}} -realm = K5Realm(krb5_conf=nodns, kdc_conf=drealm, create_host=False) +realm, refrealm = cross_realms(2, xtgts=((0,1),), + args=({'kdc_conf': drealm}, + {'realm': 'REFREALM', + 'create_user': False}), + create_host=False) realm.addprinc('krbtgt/REFREALM') +refrealm.addprinc('a/x.d') -# Get credentials for a/x.d and check whether the KDC returned a referral. -def test(realm, nametype, expected_ref, msg): +savefile = os.path.join(realm.testdir, 'ccache.copy') +os.rename(realm.ccache, savefile) + +# Get credentials and check that we got a referral to REFREALM. +def testref(realm, nametype): + shutil.copyfile(savefile, realm.ccache) + realm.run(['./gcred', nametype, 'a/x.d']) + realm.klist(realm.user_princ, 'a/x.d@REFREALM') + +# Get credentials and check that we get an error, not a referral. +def testfail(realm, nametype): + shutil.copyfile(savefile, realm.ccache) out = realm.run(['./gcred', nametype, 'a/x.d'], expected_code=1) - if ((expected_ref and 'Cannot find KDC for realm "REFREALM"' not in out) or - (not expected_ref and 'not found in Kerberos database' not in out)): - fail(msg) + if 'not found in Kerberos database' not in out: + fail('unexpected error') # Create a modified KDC environment and restart the KDC. def restart_kdc(realm, kdc_conf): @@ -26,10 +37,10 @@ def restart_kdc(realm, kdc_conf): # With no KDC configuration besides [domain_realm], we should get a # referral for a NT-SRV-HST or NT-SRV-INST server name, but not an # NT-UNKNOWN or NT-PRINCIPAL server name. -test(realm, 'srv-hst', True, 'srv-hst, no variables') -test(realm, 'srv-inst', True, 'srv-inst, no variables') -test(realm, 'principal', False, 'principal, no variables') -test(realm, 'unknown', False, 'unknown, no variables') +testref(realm, 'srv-hst') +testref(realm, 'srv-inst') +testfail(realm, 'principal') +testfail(realm, 'unknown') # With host_based_services matching the first server name component # ("a"), we should get a referral for an NT-UNKNOWN server name. @@ -38,49 +49,51 @@ test(realm, 'unknown', False, 'unknown, no variables') # NT-SRV-HST server names should be unaffected by host_based_services, # and NT-PRINCIPAL server names shouldn't get a referral regardless. restart_kdc(realm, {'kdcdefaults': {'host_based_services': '*'}}) -test(realm, 'unknown', True, 'unknown, kdcdefaults hostbased *') -test(realm, 'principal', False, 'principal, kdcdefaults hostbased *') +testref(realm, 'unknown') +testfail(realm, 'principal') restart_kdc(realm, {'kdcdefaults': {'host_based_services': ['b', 'a,c']}}) -test(realm, 'unknown', True, 'unknown, kdcdefaults hostbased b and a,c') +testref(realm, 'unknown') restart_kdc(realm, {'realms': {'$realm': {'host_based_services': 'a b c'}}}) -test(realm, 'unknown', True, 'unknown, realm hostbased a b c') +testref(realm, 'unknown') restart_kdc(realm, {'kdcdefaults': {'host_based_services': 'a'}, 'realms': {'$realm': {'host_based_services': 'b c'}}}) -test(realm, 'unknown', True, 'unknown, kdcdefaults hostbased a (w/ realm)') +testref(realm, 'unknown') restart_kdc(realm, {'kdcdefaults': {'host_based_services': 'b,c'}, 'realms': {'$realm': {'host_based_services': 'a,b'}}}) -test(realm, 'unknown', True, 'unknown, realm hostbased a,b (w/ kdcdefaults)') +testref(realm, 'unknown') restart_kdc(realm, {'kdcdefaults': {'host_based_services': 'b,c'}}) -test(realm, 'unknown', False, 'unknown, kdcdefaults hostbased b,c') -test(realm, 'srv-hst', True, 'srv-hst, kdcdefaults hostbased b,c') +testfail(realm, 'unknown') +testref(realm, 'srv-hst') # With no_host_referrals matching the first server name component, we # should not get a referral even for NT-SRV-HOST server names restart_kdc(realm, {'kdcdefaults': {'no_host_referral': '*'}}) -test(realm, 'srv-hst', False, 'srv-hst, kdcdefaults nohost *') +testfail(realm, 'srv-hst') restart_kdc(realm, {'kdcdefaults': {'no_host_referral': ['b', 'a,c']}}) -test(realm, 'srv-hst', False, 'srv-hst, kdcdefaults nohost b and a,c') +testfail(realm, 'srv-hst') restart_kdc(realm, {'realms': {'$realm': {'no_host_referral': 'a b c'}}}) -test(realm, 'srv-hst', False, 'srv-hst, realm nohost a b c') +testfail(realm, 'srv-hst') restart_kdc(realm, {'kdcdefaults': {'no_host_referral': 'a'}, 'realms': {'$realm': {'no_host_referral': 'b c'}}}) -test(realm, 'srv-hst', False, 'srv-hst, kdcdefaults nohost a (w/ realm)') +testfail(realm, 'srv-hst') restart_kdc(realm, {'kdcdefaults': {'no_host_referral': 'b,c'}, 'realms': {'$realm': {'no_host_referral': 'a,b'}}}) -test(realm, 'srv-hst', False, 'srv-hst, realm nohost a,b (w/ kdcdefaults)') +testfail(realm, 'srv-hst') restart_kdc(realm, {'kdcdefaults': {'no_host_referral': 'b,c'}}) -test(realm, 'srv-hst', True, 'srv-hst, kdcdefaults nohost b,c') +testref(realm, 'srv-hst') # no_host_referrals should override host_based_services for NT-UNKNWON # server names. restart_kdc(realm, {'kdcdefaults': {'no_host_referral': '*', 'host_based_services': '*'}}) -test(realm, 'unknown', False, 'srv-hst, kdcdefaults nohost * hostbased *') +testfail(realm, 'unknown') + +realm.stop() +refrealm.stop() # Regression test for #7483: a KDC should not return a host referral # to its own realm. drealm = {'domain_realm': {'d': 'KRBTEST.COM'}} -realm.stop() realm = K5Realm(kdc_conf=drealm, create_host=False) tracefile = os.path.join(realm.testdir, 'trace') realm.run(['env', 'KRB5_TRACE=' + tracefile, './gcred', 'srv-hst', 'a/x.d@'], |