authorGreg Hudson <ghudson@mit.edu>2013-01-11 12:25:56 -0500
committerGreg Hudson <ghudson@mit.edu>2013-01-11 12:34:24 -0500
commit9b472ccc0a5856cb2757dd6af6a31896d0a25e00 (patch)
tree6599e1e3dea0d7dfa488162edc4aba68dc6526cf /src/tests/t_referral.py
parenta3cada94fd94e1e6f80a9f57c62a5ff547d5d55c (diff)
Test KDC host-based referral support
Test the KDC host-based referral support in t_referral.py, using a new harness to call krb5_get_credentials with a specified server name type. Also use this new harness for the #7483 regression test, to avoid relying on an undocumented kvno extension.
Diffstat (limited to 'src/tests/t_referral.py')
-rw-r--r--src/tests/t_referral.py91
1 files changed, 82 insertions, 9 deletions
diff --git a/src/tests/t_referral.py b/src/tests/t_referral.py
index 985f9da70e..ff8527b7fa 100644
--- a/src/tests/t_referral.py
+++ b/src/tests/t_referral.py
@@ -1,16 +1,89 @@
#!/usr/bin/python
from k5test import *
-# We should have a comprehensive suite of KDC host referral tests
-# here, based on the tests in the kdc_realm subdir. For now, we just
-# have a regression test for #7483.
-
-# A KDC should not return a host referral to its own realm.
-krb5_conf = {'domain_realm': {'y': 'KRBTEST.COM'}}
-kdc_conf = {'realms': {'$realm': {'host_based_services': 'x'}}}
-realm = K5Realm(krb5_conf=krb5_conf, kdc_conf=kdc_conf, create_host=False)
+# Create a realm where the KDC has a [domain_realm] mapping for 'd'
+# and clients will not try to use DNS to look up KDC addresses. The
+# KDC believes it has a cross-realm TGT for REFREALM, but we won't
+# actually create REFREALM.
+nodns = {'libdefaults': {'dns_lookup_kdc': 'false'}}
+drealm = {'domain_realm': {'d': 'REFREALM'}}
+realm = K5Realm(krb5_conf=nodns, kdc_conf=drealm, create_host=False)
+realm.addprinc('krbtgt/REFREALM')
+
+# Get credentials for a/x.d and check whether the KDC returned a referral.
+def test(realm, nametype, expected_ref, msg):
+ out = realm.run(['./gcred', nametype, 'a/x.d'], expected_code=1)
+ if ((expected_ref and 'Cannot find KDC for realm "REFREALM"' not in out) or
+ (not expected_ref and 'not found in Kerberos database' not in out)):
+ fail(msg)
+
+# Create a modified KDC environment and restart the KDC.
+def restart_kdc(realm, kdc_conf):
+ env = realm.special_env('extravars', True, kdc_conf=kdc_conf)
+ realm.stop_kdc()
+ realm.start_kdc(env=env)
+
+# With no KDC configuration besides [domain_realm], we should get a
+# referral for a NT-SRV-HST or NT-SRV-INST server name, but not an
+# NT-UNKNOWN or NT-PRINCIPAL server name.
+test(realm, 'srv-hst', True, 'srv-hst, no variables')
+test(realm, 'srv-inst', True, 'srv-inst, no variables')
+test(realm, 'principal', False, 'principal, no variables')
+test(realm, 'unknown', False, 'unknown, no variables')
+
+# With host_based_services matching the first server name component
+# ("a"), we should get a referral for an NT-UNKNOWN server name.
+# host_based_services can appear in either [kdcdefaults] or the realm
+# section, with the realm value supplementing the kdcdefaults value.
+# NT-SRV-HST server names should be unaffected by host_based_services,
+# and NT-PRINCIPAL server names shouldn't get a referral regardless.
+restart_kdc(realm, {'kdcdefaults': {'host_based_services': '*'}})
+test(realm, 'unknown', True, 'unknown, kdcdefaults hostbased *')
+test(realm, 'principal', False, 'principal, kdcdefaults hostbased *')
+restart_kdc(realm, {'kdcdefaults': {'host_based_services': 'b,a,c'}})
+test(realm, 'unknown', True, 'unknown, kdcdefaults hostbased b,a,c')
+restart_kdc(realm, {'realms': {'$realm': {'host_based_services': 'a b c'}}})
+test(realm, 'unknown', True, 'unknown, realm hostbased a b c')
+restart_kdc(realm, {'kdcdefaults': {'host_based_services': 'a'},
+ 'realms': {'$realm': {'host_based_services': 'b c'}}})
+test(realm, 'unknown', True, 'unknown, kdcdefaults hostbased a (w/ realm)')
+restart_kdc(realm, {'kdcdefaults': {'host_based_services': 'b,c'},
+ 'realms': {'$realm': {'host_based_services': 'a,b'}}})
+test(realm, 'unknown', True, 'unknown, realm hostbased a,b (w/ kdcdefaults)')
+restart_kdc(realm, {'kdcdefaults': {'host_based_services': 'b,c'}})
+test(realm, 'unknown', False, 'unknown, kdcdefaults hostbased b,c')
+test(realm, 'srv-hst', True, 'srv-hst, kdcdefaults hostbased b,c')
+
+# With no_host_referrals matching the first server name component, we
+# should not get a referral even for NT-SRV-HOST server names
+restart_kdc(realm, {'kdcdefaults': {'no_host_referral': '*'}})
+test(realm, 'srv-hst', False, 'srv-hst, kdcdefaults nohost *')
+restart_kdc(realm, {'kdcdefaults': {'no_host_referral': 'b,a,c'}})
+test(realm, 'srv-hst', False, 'srv-hst, kdcdefaults nohost b,a,c')
+restart_kdc(realm, {'realms': {'$realm': {'no_host_referral': 'a b c'}}})
+test(realm, 'srv-hst', False, 'srv-hst, realm nohost a b c')
+restart_kdc(realm, {'kdcdefaults': {'no_host_referral': 'a'},
+ 'realms': {'$realm': {'no_host_referral': 'b c'}}})
+test(realm, 'srv-hst', False, 'srv-hst, kdcdefaults nohost a (w/ realm)')
+restart_kdc(realm, {'kdcdefaults': {'no_host_referral': 'b,c'},
+ 'realms': {'$realm': {'no_host_referral': 'a,b'}}})
+test(realm, 'srv-hst', False, 'srv-hst, realm nohost a,b (w/ kdcdefaults)')
+restart_kdc(realm, {'kdcdefaults': {'no_host_referral': 'b,c'}})
+test(realm, 'srv-hst', True, 'srv-hst, kdcdefaults nohost b,c')
+
+# no_host_referrals should override host_based_services for NT-UNKNWON
+# server names.
+restart_kdc(realm, {'kdcdefaults': {'no_host_referral': '*',
+ 'host_based_services': '*'}})
+test(realm, 'unknown', False, 'srv-hst, kdcdefaults nohost * hostbased *')
+
+# Regression test for #7483: a KDC should not return a host referral
+# to its own realm.
+drealm = {'domain_realm': {'d': 'KRBTEST.COM'}}
+realm.stop()
+realm = K5Realm(kdc_conf=drealm, create_host=False)
tracefile = os.path.join(realm.testdir, 'trace')
-realm.run(['env', 'KRB5_TRACE=' + tracefile, kvno, '-u', 'x/z.y@'],
+realm.run(['env', 'KRB5_TRACE=' + tracefile, './gcred', 'srv-hst', 'a/x.d@'],
expected_code=1)
f = open(tracefile, 'r')
trace = f.read()
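Review bot: The failure label on the final precedence check, `test(realm, 'unknown', False, 'srv-hst, kdcdefaults nohost * hostbased *')`, names srv-hst although the call requests an NT-UNKNOWN name, so a regression in the no_host_referral-over-host_based_services precedence would be reported against the wrong name type; the label should read `'unknown, kdcdefaults nohost * hostbased *'`. The comments near it also drift from the identifiers the code uses: `NT-UNKNWON` should be NT-UNKNOWN, `NT-SRV-HOST` should be NT-SRV-HST, and `no_host_referrals` is spelled `no_host_referral` in every kdc_conf dict in this hunk. Because this is a deny setting overriding an allow setting, one more case with the two variables set at different levels (one in kdcdefaults, the other in the realm section) would be worth adding; the hunk varies the level only for each variable on its own.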