Add clock skew tests

Add a KDC option (-T) to run with a time offset, and use that to
test kdc_timesync behavior.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25807 dc483132-0cff-0310-8789-dd5450dbe970

1 files changed, 38 insertions, 0 deletions

diff --git a/src/tests/t_skew.py b/src/tests/t_skew.py
new file mode 100644
index 0000000000..f00c2f9200
--- /dev/null
+++ b/src/tests/t_skew.py
@@ -0,0 +1,38 @@
+#!/usr/bin/python
+from k5test import *
+
+# Create a realm with the KDC one hour in the past.
+realm = K5Realm(start_kadmind=False, start_kdc=False)
+realm.start_kdc(['-T', '-3600'])
+
+# kinit (no preauth) should work, and should set a clock skew allowing
+# kvno to work, with or without FAST.
+realm.kinit(realm.user_princ, password('user'))
+realm.run_as_client([kvno, realm.host_princ])
+realm.kinit(realm.user_princ, password('user'), flags=['-T', realm.ccache])
+realm.run_as_client([kvno, realm.host_princ])
+realm.run_as_client([kdestroy])
+
+# kinit (with preauth) should fail.
+realm.run_kadminl('modprinc +requires_preauth user')
+realm.kinit(realm.user_princ, password('user'), expected_code=1)
+
+realm.stop()
+
+# Repeat the above tests with kdc_timesync disabled.
+conf = {'all': {'libdefaults': {'kdc_timesync': '0'}}}
+realm = K5Realm(start_kadmind=False, start_kdc=False, krb5_conf=conf)
+realm.start_kdc(['-T', '-3600'])
+
+# kinit (no preauth) should work, but kvno should not.  kinit with
+# FAST should also fail since the armor AP-REQ won't be valid.
+realm.kinit(realm.user_princ, password('user'))
+realm.run_as_client([kvno, realm.host_princ], expected_code=1)
+realm.kinit(realm.user_princ, password('user'), flags=['-T', realm.ccache],
+            expected_code=1)
+
+# kinit (with preauth) should fail.
+realm.run_kadminl('modprinc +requires_preauth user')
+realm.kinit(realm.user_princ, password('user'), expected_code=1)
+
+success('Clock skew tests')