diff options
| author | Greg Hudson <ghudson@mit.edu> | 2012-12-16 16:55:29 -0500 |
|---|---|---|
| committer | Greg Hudson <ghudson@mit.edu> | 2012-12-20 11:45:20 -0500 |
| commit | 966547dfeb011800d4b78b8e5d494813bc80559c (patch) | |
| tree | 4226bd168056336c965a4aa77c845093ef723da3 /src | |
| parent | 76c27cf7e3161e0f20f8935d82ae0f2feb77b01a (diff) | |
| download | krb5-966547dfeb011800d4b78b8e5d494813bc80559c.tar.gz krb5-966547dfeb011800d4b78b8e5d494813bc80559c.tar.xz krb5-966547dfeb011800d4b78b8e5d494813bc80559c.zip | |
Simplify k5test.py environments
The initial k5test.py design, copied from the dejagnu suite, is to
create config files and environments for four expected roles: client,
server, master, and slave. This approach exaggerates the complexity
of the common case, where the configurations don't need to vary, and
limits us to having just one slave for kprop/iprop tests.
Instead, create just one configuration by default, and add a
special_env() method which sets up a differently configured
environment for the few test cases which need one. The run_as_*()
methods are collapsed into just run(), which accepts an optional
argument for the environment returned by special_env().
Diffstat (limited to 'src')
33 files changed, 517 insertions, 658 deletions
diff --git a/src/appl/gss-sample/t_gss_sample.py b/src/appl/gss-sample/t_gss_sample.py index 211da97c0d..faec8a07ba 100644 --- a/src/appl/gss-sample/t_gss_sample.py +++ b/src/appl/gss-sample/t_gss_sample.py @@ -35,8 +35,8 @@ def server_client_test(realm, options): portstr = str(realm.server_port()) server = realm.start_server([gss_server, '-port', portstr, 'host'], 'starting...') - output = realm.run_as_client([gss_client, '-port', portstr] + options + - [hostname, 'host', 'testmsg']) + output = realm.run([gss_client, '-port', portstr] + options + + [hostname, 'host', 'testmsg']) if 'Signature verified.' not in output: fail('Expected message not seen in gss-client output') stop_daemon(server) diff --git a/src/appl/user_user/t_user2user.py b/src/appl/user_user/t_user2user.py index abd66413f2..8bdef8e07b 100644 --- a/src/appl/user_user/t_user2user.py +++ b/src/appl/user_user/t_user2user.py @@ -10,7 +10,7 @@ for realm in multipass_realms(): else: srv_output = realm.start_server(['./uuserver', '9999'], 'Server started') - output = realm.run_as_client(['./uuclient', hostname, 'testing message', '9999']) + output = realm.run(['./uuclient', hostname, 'testing message', '9999']) if 'uu-client: server says \"Hello, other end of connection.\"' not in output: fail('Message not echoed back.') diff --git a/src/kdc/t_emptytgt.py b/src/kdc/t_emptytgt.py index d532debc17..8f7717a011 100644 --- a/src/kdc/t_emptytgt.py +++ b/src/kdc/t_emptytgt.py @@ -2,7 +2,7 @@ from k5test import * realm = K5Realm(create_host=False) -output = realm.run_as_client([kvno, 'krbtgt/'], expected_code=1) +output = realm.run([kvno, 'krbtgt/'], expected_code=1) if 'not found in Kerberos database' not in output: fail('TGT lookup for empty realm failed in unexpected way') success('Empty tgt lookup.') diff --git a/src/lib/kdb/t_stringattr.py b/src/lib/kdb/t_stringattr.py index f520370a48..085e179e44 100644 --- a/src/lib/kdb/t_stringattr.py +++ b/src/lib/kdb/t_stringattr.py @@ -2,5 +2,5 @@ from k5test import * realm = K5Realm(create_kdb=False) -realm.run_as_master(['./t_stringattr']) +realm.run(['./t_stringattr']) success('String attribute unit tests') diff --git a/src/lib/krb5/ccache/t_cccol.py b/src/lib/krb5/ccache/t_cccol.py index 8c459ddebc..acd2b6e76c 100644 --- a/src/lib/krb5/ccache/t_cccol.py +++ b/src/lib/krb5/ccache/t_cccol.py @@ -16,7 +16,7 @@ realm.kinit('alice', password('alice'), flags=['-c', dalice]) realm.kinit('bob', password('bob'), flags=['-c', dbob]) def cursor_test(testname, args, expected): - outlines = realm.run_as_client(['./t_cccursor'] + args).splitlines() + outlines = realm.run(['./t_cccursor'] + args).splitlines() outlines.sort() expected.sort() if outlines != expected: @@ -37,14 +37,14 @@ cursor_test('filemem', [fccname, mfoo, mbar], [fccname, mfoo, mbar]) cursor_test('dirmem', [dccname, mfoo], [duser, dalice, dbob, mfoo]) # Test krb5_cccol_have_content. -realm.run_as_client(['./t_cccursor', dccname, 'CONTENT']) -realm.run_as_client(['./t_cccursor', fccname, 'CONTENT']) -realm.run_as_client(['./t_cccursor', realm.ccache, 'CONTENT']) -realm.run_as_client(['./t_cccursor', mfoo, 'CONTENT'], expected_code=1) +realm.run(['./t_cccursor', dccname, 'CONTENT']) +realm.run(['./t_cccursor', fccname, 'CONTENT']) +realm.run(['./t_cccursor', realm.ccache, 'CONTENT']) +realm.run(['./t_cccursor', mfoo, 'CONTENT'], expected_code=1) # Make sure FILE doesn't yield a nonexistent default cache. -realm.run_as_client([kdestroy]) +realm.run([kdestroy]) cursor_test('noexist', [], []) -realm.run_as_client(['./t_cccursor', fccname, 'CONTENT'], expected_code=1) +realm.run(['./t_cccursor', fccname, 'CONTENT'], expected_code=1) success('Renewing credentials') diff --git a/src/lib/krb5/krb/t_expire_warn.py b/src/lib/krb5/krb/t_expire_warn.py index f803b4595f..4c9b5cc7af 100644 --- a/src/lib/krb5/krb/t_expire_warn.py +++ b/src/lib/krb5/krb/t_expire_warn.py @@ -34,28 +34,28 @@ realm.run_kadminl('addprinc -pw pass -pwexpire "12 hours" hours') realm.run_kadminl('addprinc -pw pass -pwexpire "3 days" days') # Check for expected prompter warnings when no expire callback is used. -output = realm.run_as_client(['./t_expire_warn', 'noexpire', 'pass', '0']) +output = realm.run(['./t_expire_warn', 'noexpire', 'pass', '0']) if output: fail('Unexpected output for noexpire') -output = realm.run_as_client(['./t_expire_warn', 'minutes', 'pass', '0']) +output = realm.run(['./t_expire_warn', 'minutes', 'pass', '0']) if ' less than one hour on ' not in output: fail('Expected warning not seen for minutes') -output = realm.run_as_client(['./t_expire_warn', 'hours', 'pass', '0']) +output = realm.run(['./t_expire_warn', 'hours', 'pass', '0']) if ' hours on ' not in output: fail('Expected warning not seen for hours') -output = realm.run_as_client(['./t_expire_warn', 'days', 'pass', '0']) +output = realm.run(['./t_expire_warn', 'days', 'pass', '0']) if ' days on ' not in output: fail('Expected warning not seen for days') # Check for expected expire callback behavior. These tests are # carefully agnostic about whether the KDC supports last_req fields, # and could be made more specific if last_req support is added. -output = realm.run_as_client(['./t_expire_warn', 'noexpire', 'pass', '1']) +output = realm.run(['./t_expire_warn', 'noexpire', 'pass', '1']) if 'password_expiration = 0\n' not in output or \ 'account_expiration = 0\n' not in output or \ 'is_last_req = ' not in output: fail('Expected callback output not seen for noexpire') -output = realm.run_as_client(['./t_expire_warn', 'days', 'pass', '1']) +output = realm.run(['./t_expire_warn', 'days', 'pass', '1']) if 'password_expiration = ' not in output or \ 'password_expiration = 0\n' in output: fail('Expected non-zero password expiration not seen for days') diff --git a/src/lib/krb5/krb/t_in_ccache_patypes.py b/src/lib/krb5/krb/t_in_ccache_patypes.py index f040b8e76a..7e3c7b033e 100644 --- a/src/lib/krb5/krb/t_in_ccache_patypes.py +++ b/src/lib/krb5/krb/t_in_ccache_patypes.py @@ -33,58 +33,52 @@ realm.run_kadminl('addprinc -pw pass +requires_preauth preauth') # Check that we can get creds without preauth without an in_ccache. This is # the default behavior for kinit. -realm.run_as_client(['./t_in_ccache', 'nopreauth', 'pass']) +realm.run(['./t_in_ccache', 'nopreauth', 'pass']) # Check that we can get creds with preauth without an in_ccache. This is the # default behavior for kinit. -realm.run_as_client(['./t_in_ccache', 'preauth', 'pass']) +realm.run(['./t_in_ccache', 'preauth', 'pass']) # Check that we can get creds while supplying a now-populated input ccache that # doesn't contain any relevant configuration. -realm.run_as_client(['./t_in_ccache', 'nopreauth', 'pass']) -realm.run_as_client(['./t_in_ccache', '-I', realm.ccache, 'preauth', 'pass']) +realm.run(['./t_in_ccache', 'nopreauth', 'pass']) +realm.run(['./t_in_ccache', '-I', realm.ccache, 'preauth', 'pass']) # Check that we can get creds while supplying a now-populated input ccache. -realm.run_as_client(['./t_in_ccache', 'preauth', 'pass']) -realm.run_as_client(['./t_in_ccache', '-I', realm.ccache, 'preauth', 'pass']) +realm.run(['./t_in_ccache', 'preauth', 'pass']) +realm.run(['./t_in_ccache', '-I', realm.ccache, 'preauth', 'pass']) # Check that we can't get creds while specifying patypes that aren't available # in a FAST tunnel while using a FAST tunnel. Expect the client-end # preauth-failed error. -realm.run_as_client(['./t_in_ccache', 'nopreauth', 'pass']) -realm.run_as_client(['./t_cc_config', '-p', realm.krbtgt_princ, - 'pa_type', '2']) -realm.run_as_client(['./t_in_ccache', '-A', realm.ccache, '-I', realm.ccache, - 'preauth', 'pass'], expected_code=210) +realm.run(['./t_in_ccache', 'nopreauth', 'pass']) +realm.run(['./t_cc_config', '-p', realm.krbtgt_princ, 'pa_type', '2']) +realm.run(['./t_in_ccache', '-A', realm.ccache, '-I', realm.ccache, + 'preauth', 'pass'], expected_code=210) # Check that we can't get creds while specifying patypes that are only # available in a FAST tunnel while not using a FAST tunnel. Expect the # client-end preauth-failed error. -realm.run_as_client(['./t_in_ccache', 'nopreauth', 'pass']) -realm.run_as_client(['./t_cc_config', '-p', realm.krbtgt_princ, - 'pa_type', '138']) -realm.run_as_client(['./t_in_ccache', '-I', realm.ccache, 'preauth', 'pass'], - expected_code=210) +realm.run(['./t_in_ccache', 'nopreauth', 'pass']) +realm.run(['./t_cc_config', '-p', realm.krbtgt_princ, 'pa_type', '138']) +realm.run(['./t_in_ccache', '-I', realm.ccache, 'preauth', 'pass'], + expected_code=210) # Check that we can get creds using FAST, and that we end up using # encrypted_challenge when we do. -realm.run_as_client(['./t_in_ccache', 'preauth', 'pass']) -realm.run_as_client(['./t_cc_config', '-p', realm.krbtgt_princ, - 'pa_type', '138']) -realm.run_as_client(['./t_in_ccache', '-A', realm.ccache, 'preauth', 'pass']) -output = realm.run_as_client(['./t_cc_config', '-p', realm.krbtgt_princ, - 'pa_type']) +realm.run(['./t_in_ccache', 'preauth', 'pass']) +realm.run(['./t_cc_config', '-p', realm.krbtgt_princ, 'pa_type', '138']) +realm.run(['./t_in_ccache', '-A', realm.ccache, 'preauth', 'pass']) +output = realm.run(['./t_cc_config', '-p', realm.krbtgt_princ, 'pa_type']) # We should have selected and used encrypted_challenge. if output != '138': fail('Unexpected pa_type value in out_ccache: "%s"' % output) # Check that we can get creds while specifying the right patypes. -realm.run_as_client(['./t_in_ccache', 'nopreauth', 'pass']) -realm.run_as_client(['./t_cc_config', '-p', realm.krbtgt_princ, - 'pa_type', '2']) -realm.run_as_client(['./t_in_ccache', '-I', realm.ccache, 'preauth', 'pass']) -output = realm.run_as_client(['./t_cc_config', '-p', realm.krbtgt_princ, - 'pa_type']) +realm.run(['./t_in_ccache', 'nopreauth', 'pass']) +realm.run(['./t_cc_config', '-p', realm.krbtgt_princ, 'pa_type', '2']) +realm.run(['./t_in_ccache', '-I', realm.ccache, 'preauth', 'pass']) +output = realm.run(['./t_cc_config', '-p', realm.krbtgt_princ, 'pa_type']) # We should have selected and used encrypted_timestamp. if output != '2': fail('Unexpected pa_type value in out_ccache') diff --git a/src/lib/krb5/krb/t_vfy_increds.py b/src/lib/krb5/krb/t_vfy_increds.py index a06b740fc6..a17b4784be 100644 --- a/src/lib/krb5/krb/t_vfy_increds.py +++ b/src/lib/krb5/krb/t_vfy_increds.py @@ -27,20 +27,20 @@ from k5test import * realm = K5Realm() # Verify the default test realm credentials with the default keytab. -realm.run_as_server(['./t_vfy_increds']) -realm.run_as_server(['./t_vfy_increds', '-n']) +realm.run(['./t_vfy_increds']) +realm.run(['./t_vfy_increds', '-n']) # Verify after updating the keytab (so the keytab contains an outdated # version 1 key followed by an up-to-date version 2 key). realm.run_kadminl('ktadd ' + realm.host_princ) -realm.run_as_server(['./t_vfy_increds']) -realm.run_as_server(['./t_vfy_increds', '-n']) +realm.run(['./t_vfy_increds']) +realm.run(['./t_vfy_increds', '-n']) # Bump the host key without updating the keytab and make sure that # verification fails as we expect it to. realm.run_kadminl('change_password -randkey ' + realm.host_princ) -realm.run_as_server(['./t_vfy_increds'], expected_code=1) -realm.run_as_server(['./t_vfy_increds', '-n'], expected_code=1) +realm.run(['./t_vfy_increds'], expected_code=1) +realm.run(['./t_vfy_increds', '-n'], expected_code=1) # Simulate a system where the hostname has changed and the keytab # contains host service principals with a hostname that no longer @@ -49,14 +49,14 @@ realm.run_as_server(['./t_vfy_increds', '-n'], expected_code=1) # test. Verify should succeed, with or without nofail. realm.run_kadminl('addprinc -randkey host/wrong.hostname') realm.run_kadminl('ktadd host/wrong.hostname') -realm.run_as_server(['./t_vfy_increds']) -realm.run_as_server(['./t_vfy_increds', '-n']) +realm.run(['./t_vfy_increds']) +realm.run(['./t_vfy_increds', '-n']) # Remove the keytab and verify again. This should succeed if nofail # is not set, and fail if it is set. os.remove(realm.keytab) -realm.run_as_server(['./t_vfy_increds']) -realm.run_as_server(['./t_vfy_increds', '-n'], expected_code=1) +realm.run(['./t_vfy_increds']) +realm.run(['./t_vfy_increds', '-n'], expected_code=1) # Create an empty keytab file and verify again. This simulates a # system where an admin ran "touch krb5.keytab" to work around a @@ -66,8 +66,8 @@ realm.run_as_server(['./t_vfy_increds', '-n'], expected_code=1) # causing a KRB5_KEYTAB_BADVNO error, so any tightening of the # krb5_verify_init_creds semantics needs to take this into account.) open(realm.keytab, 'w').close() -realm.run_as_server(['./t_vfy_increds']) -realm.run_as_server(['./t_vfy_increds', '-n'], expected_code=1) +realm.run(['./t_vfy_increds']) +realm.run(['./t_vfy_increds', '-n'], expected_code=1) os.remove(realm.keytab) # Add an NFS service principal to keytab. Verify should ignore it by @@ -75,27 +75,26 @@ os.remove(realm.keytab) # when it is specifically requested. realm.run_kadminl('addprinc -randkey ' + realm.nfs_princ) realm.run_kadminl('ktadd ' + realm.nfs_princ) -realm.run_as_server(['./t_vfy_increds']) -realm.run_as_server(['./t_vfy_increds', '-n'], expected_code=1) -realm.run_as_server(['./t_vfy_increds', realm.nfs_princ]) -realm.run_as_server(['./t_vfy_increds', '-n', realm.nfs_princ]) +realm.run(['./t_vfy_increds']) +realm.run(['./t_vfy_increds', '-n'], expected_code=1) +realm.run(['./t_vfy_increds', realm.nfs_princ]) +realm.run(['./t_vfy_increds', '-n', realm.nfs_princ]) # Invalidating the NFS keys in the keytab. We should get the same # results with the default principal argument, but verification should # now fail if we request it specifically. realm.run_kadminl('change_password -randkey ' + realm.nfs_princ) -realm.run_as_server(['./t_vfy_increds']) -realm.run_as_server(['./t_vfy_increds', '-n'], expected_code=1) -realm.run_as_server(['./t_vfy_increds', realm.nfs_princ], expected_code=1) -realm.run_as_server(['./t_vfy_increds', '-n', realm.nfs_princ], - expected_code=1) +realm.run(['./t_vfy_increds']) +realm.run(['./t_vfy_increds', '-n'], expected_code=1) +realm.run(['./t_vfy_increds', realm.nfs_princ], expected_code=1) +realm.run(['./t_vfy_increds', '-n', realm.nfs_princ], expected_code=1) # Spot-check that verify_ap_req_nofail works equivalently to the # programmatic nofail option. realm.stop() -conf = { 'server' : { 'libdefaults' : { 'verify_ap_req_nofail' : 'true' } } } +conf = {'libdefaults': {'verify_ap_req_nofail': 'true'}} realm = K5Realm(krb5_conf=conf) os.remove(realm.keytab) -realm.run_as_server(['./t_vfy_increds'], expected_code=1) +realm.run(['./t_vfy_increds'], expected_code=1) success('krb5_verify_init_creds tests') diff --git a/src/tests/gssapi/t_ccselect.py b/src/tests/gssapi/t_ccselect.py index 6b7bce6171..8858fa8680 100644 --- a/src/tests/gssapi/t_ccselect.py +++ b/src/tests/gssapi/t_ccselect.py @@ -42,27 +42,21 @@ gssserver = 'h:host@' + hostname # .k5identity rules since it has unknown type. refserver = 'p:host/' + hostname + '@' -# Make each realm's keytab contain entries for both realm's servers. -#r1.run_as_client(['/bin/sh', '-c', '(echo rkt %s; echo wkt %s) | %s' % -# (r2.keytab, r1.keytab, ktutil)]) -#r1.run_as_client(['/bin/sh', '-c', '(echo rkt %s; echo wkt %s) | %s' % -# (r1.keytab, r2.keytab, ktutil)]) - # Verify that we can't get initiator creds with no credentials in the # collection. -output = r1.run_as_client(['./t_ccselect', host1, '-'], expected_code=1) +output = r1.run(['./t_ccselect', host1, '-'], expected_code=1) if 'No Kerberos credentials available' not in output: fail('Expected error not seen in output when no credentials available') # Make a directory collection and use it for client commands in both realms. ccdir = os.path.join(r1.testdir, 'cc') ccname = 'DIR:' + ccdir -r1.env_client['KRB5CCNAME'] = ccname -r2.env_client['KRB5CCNAME'] = ccname +r1.env['KRB5CCNAME'] = ccname +r2.env['KRB5CCNAME'] = ccname # Use .k5identity from testdir and not from the tester's homedir. -r1.env_client['HOME'] = r1.testdir -r2.env_client['HOME'] = r1.testdir +r1.env['HOME'] = r1.testdir +r2.env['HOME'] = r1.testdir # Create two users in r1 and one in r2. alice='alice@KRBTEST.COM' @@ -77,32 +71,32 @@ r1.kinit(alice, password('alice')) r2.kinit(zaphod, password('zaphod')) # Check that we can find a cache for a specified client principal. -output = r1.run_as_client(['./t_ccselect', host1, 'p:' + alice]) +output = r1.run(['./t_ccselect', host1, 'p:' + alice]) if output != (alice + '\n'): fail('alice not chosen when specified') -output = r2.run_as_client(['./t_ccselect', host2, 'p:' + zaphod]) +output = r2.run(['./t_ccselect', host2, 'p:' + zaphod]) if output != (zaphod + '\n'): fail('zaphod not chosen when specified') # Check that we can guess a cache based on the service realm. -output = r1.run_as_client(['./t_ccselect', host1]) +output = r1.run(['./t_ccselect', host1]) if output != (alice + '\n'): fail('alice not chosen as default initiator cred for server in r1') -output = r1.run_as_client(['./t_ccselect', host1, '-']) +output = r1.run(['./t_ccselect', host1, '-']) if output != (alice + '\n'): fail('alice not chosen as default initiator name for server in r1') -output = r2.run_as_client(['./t_ccselect', host2]) +output = r2.run(['./t_ccselect', host2]) if output != (zaphod + '\n'): fail('zaphod not chosen as default initiator cred for server in r1') -output = r2.run_as_client(['./t_ccselect', host2, '-']) +output = r2.run(['./t_ccselect', host2, '-']) if output != (zaphod + '\n'): fail('zaphod not chosen as default initiator name for server in r1') # Check that primary cache is used if server realm is unknown. -output = r2.run_as_client(['./t_ccselect', gssserver]) +output = r2.run(['./t_ccselect', gssserver]) if output != (zaphod + '\n'): fail('zaphod not chosen via primary cache for unknown server realm') -r1.run_as_client(['./t_ccselect', gssserver], expected_code=1) +r1.run(['./t_ccselect', gssserver], expected_code=1) # Get a second cred in r1 (bob will be primary). r1.kinit(bob, password('bob')) @@ -113,17 +107,16 @@ k5id.write('%s realm=%s\n' % (alice, r1.realm)) k5id.write('%s service=ho*t host=%s\n' % (zaphod, hostname)) k5id.write('noprinc service=bogus') k5id.close() -output = r1.run_as_client(['./t_ccselect', host1]) +output = r1.run(['./t_ccselect', host1]) if output != (alice + '\n'): fail('alice not chosen via .k5identity realm line.') -output = r2.run_as_client(['./t_ccselect', gssserver]) +output = r2.run(['./t_ccselect', gssserver]) if output != (zaphod + '\n'): fail('zaphod not chosen via .k5identity service/host line.') -output = r1.run_as_client(['./t_ccselect', refserver]) +output = r1.run(['./t_ccselect', refserver]) if output != (bob + '\n'): fail('bob not chosen via primary cache when no .k5identity line matches.') -output = r1.run_as_client(['./t_ccselect', 'h:bogus@' + hostname], - expected_code=1) +output = r1.run(['./t_ccselect', 'h:bogus@' + hostname], expected_code=1) if 'Can\'t find client principal noprinc' not in output: fail('Expected error not seen when k5identity selects bad principal.') diff --git a/src/tests/gssapi/t_client_keytab.py b/src/tests/gssapi/t_client_keytab.py index 71566a5d36..484aacde30 100644 --- a/src/tests/gssapi/t_client_keytab.py +++ b/src/tests/gssapi/t_client_keytab.py @@ -9,126 +9,126 @@ phost = 'p:' + realm.host_princ puser = 'p:' + realm.user_princ pbob = 'p:' + bob gssserver = 'h:host@' + hostname -realm.env_client['HOME'] = realm.testdir +realm.env['HOME'] = realm.testdir realm.addprinc(bob, password('bob')) realm.extract_keytab(realm.user_princ, realm.client_keytab) realm.extract_keytab(bob, realm.client_keytab) # Test 1: no name/cache specified, pick first principal from client keytab -out = realm.run_as_client(['./t_ccselect', phost]) +out = realm.run(['./t_ccselect', phost]) if realm.user_princ not in out: fail('Authenticated as wrong principal') -realm.run_as_client([kdestroy]) +realm.run([kdestroy]) # Test 2: no name/cache specified, pick principal from k5identity k5idname = os.path.join(realm.testdir, '.k5identity') k5id = open(k5idname, 'w') k5id.write('%s service=host host=%s\n' % (bob, hostname)) k5id.close() -out = realm.run_as_client(['./t_ccselect', gssserver]) +out = realm.run(['./t_ccselect', gssserver]) if bob not in out: fail('Authenticated as wrong principal') os.remove(k5idname) -realm.run_as_client([kdestroy]) +realm.run([kdestroy]) # Test 3: no name/cache specified, default ccache has name but no creds -realm.run_as_client(['./ccinit', realm.ccache, bob]) -out = realm.run_as_client(['./t_ccselect', phost]) +realm.run(['./ccinit', realm.ccache, bob]) +out = realm.run(['./t_ccselect', phost]) if bob not in out: fail('Authenticated as wrong principal') # Leave tickets for next test. # Test 4: name specified, non-collectable default cache doesn't match -out = realm.run_as_client(['./t_ccselect', phost, puser], expected_code=1) +out = realm.run(['./t_ccselect', phost, puser], expected_code=1) if 'Principal in credential cache does not match desired name' not in out: fail('Expected error not seen') -realm.run_as_client([kdestroy]) +realm.run([kdestroy]) # Test 5: name specified, nonexistent default cache -out = realm.run_as_client(['./t_ccselect', phost, pbob]) +out = realm.run(['./t_ccselect', phost, pbob]) if bob not in out: fail('Authenticated as wrong principal') # Leave tickets for next test. # Test 6: name specified, matches default cache, time to refresh -realm.run_as_client(['./ccrefresh', realm.ccache, '1']) -out = realm.run_as_client(['./t_ccselect', phost, pbob]) +realm.run(['./ccrefresh', realm.ccache, '1']) +out = realm.run(['./t_ccselect', phost, pbob]) if bob not in out: fail('Authenticated as wrong principal') -out = realm.run_as_client(['./ccrefresh', realm.ccache]) +out = realm.run(['./ccrefresh', realm.ccache]) if int(out) < 1000: fail('Credentials apparently not refreshed') -realm.run_as_client([kdestroy]) +realm.run([kdestroy]) # Test 7: empty ccache specified, pick first principal from client keytab -realm.run_as_client(['./t_imp_cred', phost]) +realm.run(['./t_imp_cred', phost]) realm.klist(realm.user_princ) -realm.run_as_client([kdestroy]) +realm.run([kdestroy]) # Test 8: ccache specified with name but no creds; name not in client keytab -realm.run_as_client(['./ccinit', realm.ccache, realm.host_princ]) -out = realm.run_as_client(['./t_imp_cred', phost], expected_code=1) +realm.run(['./ccinit', realm.ccache, realm.host_princ]) +out = realm.run(['./t_imp_cred', phost], expected_code=1) if 'Credential cache is empty' not in out: fail('Expected error not seen') -realm.run_as_client([kdestroy]) +realm.run([kdestroy]) # Test 9: ccache specified with name but no creds; name in client keytab -realm.run_as_client(['./ccinit', realm.ccache, bob]) -realm.run_as_client(['./t_imp_cred', phost]) +realm.run(['./ccinit', realm.ccache, bob]) +realm.run(['./t_imp_cred', phost]) realm.klist(bob) # Leave tickets for next test. # Test 10: ccache specified with creds, time to refresh -realm.run_as_client(['./ccrefresh', realm.ccache, '1']) -realm.run_as_client(['./t_imp_cred', phost]) +realm.run(['./ccrefresh', realm.ccache, '1']) +realm.run(['./t_imp_cred', phost]) realm.klist(bob) -out = realm.run_as_client(['./ccrefresh', realm.ccache]) +out = realm.run(['./ccrefresh', realm.ccache]) if int(out) < 1000: fail('Credentials apparently not refreshed') -realm.run_as_client([kdestroy]) +realm.run([kdestroy]) # Use a cache collection for the remaining tests. ccdir = os.path.join(realm.testdir, 'cc') ccname = 'DIR:' + ccdir os.mkdir(ccdir) -realm.env_client['KRB5CCNAME'] = ccname +realm.env['KRB5CCNAME'] = ccname # Test 11: name specified, matching cache in collection with no creds bobcache = os.path.join(ccdir, 'tktbob') -realm.run_as_client(['./ccinit', bobcache, bob]) -out = realm.run_as_client(['./t_ccselect', phost, pbob]) +realm.run(['./ccinit', bobcache, bob]) +out = realm.run(['./t_ccselect', phost, pbob]) if bob not in out: fail('Authenticated as wrong principal') # Leave tickets for next test. # Test 12: name specified, matching cache in collection, time to refresh -realm.run_as_client(['./ccrefresh', bobcache, '1']) -out = realm.run_as_client(['./t_ccselect', phost, pbob]) +realm.run(['./ccrefresh', bobcache, '1']) +out = realm.run(['./t_ccselect', phost, pbob]) if bob not in out: fail('Authenticated as wrong principal') -out = realm.run_as_client(['./ccrefresh', bobcache]) +out = realm.run(['./ccrefresh', bobcache]) if int(out) < 1000: fail('Credentials apparently not refreshed') -realm.run_as_client([kdestroy, '-A']) +realm.run([kdestroy, '-A']) # Test 13: name specified, collection has default for different principal realm.kinit(realm.user_princ, password('user')) -out = realm.run_as_client(['./t_ccselect', phost, pbob]) +out = realm.run(['./t_ccselect', phost, pbob]) if bob not in out: fail('Authenticated as wrong principal') -out = realm.run_as_client([klist]) +out = realm.run([klist]) if 'Default principal: %s\n' % realm.user_princ not in out: fail('Default cache overwritten by acquire_cred') -realm.run_as_client([kdestroy, '-A']) +realm.run([kdestroy, '-A']) # Test 14: name specified, collection has no default cache -out = realm.run_as_client(['./t_ccselect', phost, pbob]) +out = realm.run(['./t_ccselect', phost, pbob]) if bob not in out: fail('Authenticated as wrong principal') # Make sure the tickets we acquired didn't become the default -out = realm.run_as_client([klist], expected_code=1) +out = realm.run([klist], expected_code=1) if 'No credentials cache found' not in out: fail('Expected error not seen') -realm.run_as_client([kdestroy, '-A']) +realm.run([kdestroy, '-A']) success('Client keytab tests') diff --git a/src/tests/gssapi/t_export_cred.py b/src/tests/gssapi/t_export_cred.py index 3f7b6576d9..53dd13c910 100644 --- a/src/tests/gssapi/t_export_cred.py +++ b/src/tests/gssapi/t_export_cred.py @@ -19,8 +19,8 @@ def ccache_restore(realm): # forwarded cred into the default ccache. def check(realm, args): ccache_restore(realm) - realm.run_as_client(['./t_export_cred'] + args) - output = realm.run_as_client([klist, '-f']) + realm.run(['./t_export_cred'] + args) + output = realm.run([klist, '-f']) if 'Flags: Ff' not in output: fail('Forwarded tickets not found in ccache after t_export_cred') diff --git a/src/tests/gssapi/t_gssapi.py b/src/tests/gssapi/t_gssapi.py index e453b7170a..5f1d5d1ff5 100755 --- a/src/tests/gssapi/t_gssapi.py +++ b/src/tests/gssapi/t_gssapi.py @@ -3,7 +3,7 @@ from k5test import * # Test krb5 negotiation under SPNEGO for all enctype configurations. for realm in multipass_realms(): - realm.run_as_client(['./t_spnego','p:' + realm.host_princ, realm.keytab]) + realm.run(['./t_spnego','p:' + realm.host_princ, realm.keytab]) ### Test acceptor name behavior. @@ -24,79 +24,75 @@ realm.run_kadminl('renprinc -force service1/abraham service1/andrew') # Test with no acceptor name, including client/keytab principal # mismatch (non-fatal) and missing keytab entry (fatal). -output = realm.run_as_client(['./t_accname', 'p:service1/andrew']) +output = realm.run(['./t_accname', 'p:service1/andrew']) if 'service1/abraham' not in output: fail('Expected service1/abraham in t_accname output') -output = realm.run_as_client(['./t_accname', 'p:service1/barack']) +output = realm.run(['./t_accname', 'p:service1/barack']) if 'service1/barack' not in output: fail('Expected service1/barack in t_accname output') -output = realm.run_as_client(['./t_accname', 'p:service2/calvin']) +output = realm.run(['./t_accname', 'p:service2/calvin']) if 'service2/calvin' not in output: fail('Expected service1/barack in t_accname output') -output = realm.run_as_client(['./t_accname', 'p:service2/dwight'], - expected_code=1) +output = realm.run(['./t_accname', 'p:service2/dwight'], expected_code=1) if 'Wrong principal in request' not in output: fail('Expected error message not seen in t_accname output') # Test with acceptor name containing service only, including # client/keytab hostname mismatch (non-fatal) and service name # mismatch (fatal). -output = realm.run_as_client(['./t_accname', 'p:service1/andrew', - 'h:service1']) +output = realm.run(['./t_accname', 'p:service1/andrew', 'h:service1']) if 'service1/abraham' not in output: fail('Expected service1/abraham in t_accname output') -output = realm.run_as_client(['./t_accname', 'p:service1/andrew', - 'h:service2'], expected_code=1) +output = realm.run(['./t_accname', 'p:service1/andrew', 'h:service2'], + expected_code=1) if 'Wrong principal in request' not in output: fail('Expected error message not seen in t_accname output') -output = realm.run_as_client(['./t_accname', 'p:service2/calvin', - 'h:service2']) +output = realm.run(['./t_accname', 'p:service2/calvin', 'h:service2']) if 'service2/calvin' not in output: fail('Expected service2/calvin in t_accname output') -output = realm.run_as_client(['./t_accname', 'p:service2/calvin', - 'h:service1'], expected_code=1) +output = realm.run(['./t_accname', 'p:service2/calvin', 'h:service1'], + expected_code=1) if 'Wrong principal in request' not in output: fail('Expected error message not seen in t_accname output') # Test with acceptor name containing service and host. Use the # client's un-canonicalized hostname as acceptor input to mirror what # many servers do. -output = realm.run_as_client(['./t_accname', 'p:' + realm.host_princ, - 'h:host@%s' % socket.gethostname()]) +output = realm.run(['./t_accname', 'p:' + realm.host_princ, + 'h:host@%s' % socket.gethostname()]) if realm.host_princ not in output: fail('Expected %s in t_accname output' % realm.host_princ) -output = realm.run_as_client(['./t_accname', 'p:host/-nomatch-', - 'h:host@%s' % socket.gethostname()], - expected_code=1) +output = realm.run(['./t_accname', 'p:host/-nomatch-', + 'h:host@%s' % socket.gethostname()], + expected_code=1) if 'Wrong principal in request' not in output: fail('Expected error message not seen in t_accname output') # Test krb5_gss_import_cred. -realm.run_as_client(['./t_imp_cred', 'p:service1/barack']) -realm.run_as_client(['./t_imp_cred', 'p:service1/barack', 'service1/barack']) -realm.run_as_client(['./t_imp_cred', 'p:service1/andrew', 'service1/abraham']) -output = realm.run_as_client(['./t_imp_cred', 'p:service2/dwight'], - expected_code=1) +realm.run(['./t_imp_cred', 'p:service1/barack']) +realm.run(['./t_imp_cred', 'p:service1/barack', 'service1/barack']) +realm.run(['./t_imp_cred', 'p:service1/andrew', 'service1/abraham']) +output = realm.run(['./t_imp_cred', 'p:service2/dwight'], expected_code=1) if 'Wrong principal in request' not in output: fail('Expected error message not seen in t_imp_cred output') # Test credential store extension. tmpccname = 'FILE:' + os.path.join(realm.testdir, 'def_cache') -realm.env_client['KRB5CCNAME'] = tmpccname +realm.env['KRB5CCNAME'] = tmpccname storagecache = 'FILE:' + os.path.join(realm.testdir, 'user_store') servicekeytab = os.path.join(realm.testdir, 'kt') service_cs = 'service/cs@%s' % realm.realm realm.addprinc(service_cs) realm.extract_keytab(service_cs, servicekeytab) realm.kinit(service_cs, None, ['-k', '-t', servicekeytab]) -output = realm.run_as_client(['./t_credstore', service_cs, '--cred_store', - 'ccache', storagecache, 'keytab', servicekeytab]) +output = realm.run(['./t_credstore', service_cs, '--cred_store', + 'ccache', storagecache, 'keytab', servicekeytab]) if 'Cred Store Success' not in output: fail('Expected test to succeed') # Verify that we can't acquire acceptor creds without a keytab. os.remove(realm.keytab) -output = realm.run_as_client(['./t_accname', 'p:abc'], expected_code=1) +output = realm.run(['./t_accname', 'p:abc'], expected_code=1) if ('gss_acquire_cred: Keytab' not in output or 'nonexistent or empty' not in output): fail('Expected error message not seen for nonexistent keytab') @@ -105,13 +101,12 @@ realm.stop() # Re-run the last acceptor name test with ignore_acceptor_hostname set # and the principal for the mismatching hostname in the keytab. -ignore_conf = { 'all' : { 'libdefaults' : { - 'ignore_acceptor_hostname' : 'true' } } } +ignore_conf = {'libdefaults': {'ignore_acceptor_hostname': 'true'}} realm = K5Realm(krb5_conf=ignore_conf) realm.run_kadminl('addprinc -randkey host/-nomatch-') realm.run_kadminl('xst host/-nomatch-') -output = realm.run_as_client(['./t_accname', 'p:host/-nomatch-', - 'h:host@%s' % socket.gethostname()]) +output = realm.run(['./t_accname', 'p:host/-nomatch-', + 'h:host@%s' % socket.gethostname()]) if 'host/-nomatch-' not in output: fail('Expected host/-nomatch- in t_accname output') @@ -122,31 +117,31 @@ realm.stop() realm = K5Realm() # Test deferred resolution of the default ccache for initiator creds. -output = realm.run_as_client(['./t_inq_cred']) +output = realm.run(['./t_inq_cred']) if realm.user_princ not in output: fail('Expected %s in t_inq_cred output' % realm.user_princ) -output = realm.run_as_client(['./t_inq_cred', '-k']) +output = realm.run(['./t_inq_cred', '-k']) if realm.user_princ not in output: fail('Expected %s in t_inq_cred output' % realm.user_princ) -output = realm.run_as_client(['./t_inq_cred', '-s']) +output = realm.run(['./t_inq_cred', '-s']) if realm.user_princ not in output: fail('Expected %s in t_inq_cred output' % realm.user_princ) # Test picking a name from the keytab for acceptor creds. -output = realm.run_as_client(['./t_inq_cred', '-a']) +output = realm.run(['./t_inq_cred', '-a']) if realm.host_princ not in output: fail('Expected %s in t_inq_cred output' % realm.host_princ) -output = realm.run_as_client(['./t_inq_cred', '-k', '-a']) +output = realm.run(['./t_inq_cred', '-k', '-a']) if realm.host_princ not in output: fail('Expected %s in t_inq_cred output' % realm.host_princ) -output = realm.run_as_client(['./t_inq_cred', '-s', '-a']) +output = realm.run(['./t_inq_cred', '-s', '-a']) if realm.host_princ not in output: fail('Expected %s in t_inq_cred output' % realm.host_princ) # Test client keytab initiation (non-deferred) with a specified name. realm.extract_keytab(realm.user_princ, realm.client_keytab) os.remove(realm.ccache) -output = realm.run_as_client(['./t_inq_cred', '-k']) +output = realm.run(['./t_inq_cred', '-k']) if realm.user_princ not in output: fail('Expected %s in t_inq_cred output' % realm.user_princ) @@ -154,34 +149,34 @@ if realm.user_princ not in output: os.remove(realm.client_keytab) os.remove(realm.ccache) shutil.copyfile(realm.keytab, realm.client_keytab) -output = realm.run_as_client(['./t_inq_cred', '-k', '-b']) +output = realm.run(['./t_inq_cred', '-k', '-b']) if realm.host_princ not in output: fail('Expected %s in t_inq_cred output' % realm.host_princ) # Test gss_export_name behavior. -out = realm.run_as_client(['./t_export_name', 'u:x']) +out = realm.run(['./t_export_name', 'u:x']) if out != '0401000B06092A864886F7120102020000000D78404B5242544553542E434F4D\n': fail('Unexpected output from t_export_name (krb5 username)') -output = realm.run_as_client(['./t_export_name', '-s', 'u:xyz']) +output = realm.run(['./t_export_name', '-s', 'u:xyz']) if output != '0401000806062B06010505020000000378797A\n': fail('Unexpected output from t_export_name (SPNEGO username)') -output = realm.run_as_client(['./t_export_name', 'p:a@b']) +output = realm.run(['./t_export_name', 'p:a@b']) if output != '0401000B06092A864886F71201020200000003614062\n': fail('Unexpected output from t_export_name (krb5 principal)') -output = realm.run_as_client(['./t_export_name', '-s', 'p:a@b']) +output = realm.run(['./t_export_name', '-s', 'p:a@b']) if output != '0401000806062B060105050200000003614062\n': fail('Unexpected output from t_export_name (SPNEGO krb5 principal)') # Test gss_inquire_mechs_for_name behavior. krb5_mech = '{ 1 2 840 113554 1 2 2 }' spnego_mech = '{ 1 3 6 1 5 5 2 }' -out = realm.run_as_client(['./t_inq_mechs_name', 'p:a@b']) +out = realm.run(['./t_inq_mechs_name', 'p:a@b']) if krb5_mech not in out: fail('t_inq_mechs_name (principal)') -out = realm.run_as_client(['./t_inq_mechs_name', 'u:x']) +out = realm.run(['./t_inq_mechs_name', 'u:x']) if krb5_mech not in out or spnego_mech not in out: fail('t_inq_mecs_name (user)') -out = realm.run_as_client(['./t_inq_mechs_name', 'h:host']) +out = realm.run(['./t_inq_mechs_name', 'h:host']) if krb5_mech not in out or spnego_mech not in out: fail('t_inq_mecs_name (hostbased)') diff --git a/src/tests/gssapi/t_s4u.py b/src/tests/gssapi/t_s4u.py index cd67591019..67dc810349 100644 --- a/src/tests/gssapi/t_s4u.py +++ b/src/tests/gssapi/t_s4u.py @@ -24,17 +24,17 @@ realm.kinit(service1, None, ['-f', '-k']) # at the S4U2Proxy step since the DB2 back end currently has no # support for allowing it. realm.kinit(realm.user_princ, password('user'), ['-f', '-c', usercache]) -output = realm.run_as_server(['./t_s4u2proxy_krb5', usercache, storagecache, - '-', pservice1, pservice2], expected_code=1) +output = realm.run(['./t_s4u2proxy_krb5', usercache, storagecache, '-', + pservice1, pservice2], expected_code=1) if ('auth1: ' + realm.user_princ not in output or 'NOT_ALLOWED_TO_DELEGATE' not in output): fail('krb5 -> s4u2proxy') # Again with SPNEGO. Bug #7045 prevents us from checking the error # message, but we can at least exercise the code. -output = realm.run_as_server(['./t_s4u2proxy_krb5', '--spnego', usercache, - storagecache, '-', pservice1, pservice2], - expected_code=1) +output = realm.run(['./t_s4u2proxy_krb5', '--spnego', usercache, storagecache, + '-', pservice1, pservice2], + expected_code=1) if ('auth1: ' + realm.user_princ not in output): fail('krb5 -> s4u2proxy (SPNEGO)') @@ -42,18 +42,18 @@ if ('auth1: ' + realm.user_princ not in output): # result in no delegated credential being created by # accept_sec_context. realm.kinit(realm.user_princ, password('user'), ['-c', usercache]) -output = realm.run_as_server(['./t_s4u2proxy_krb5', usercache, storagecache, - pservice1, pservice1, pservice2]) +output = realm.run(['./t_s4u2proxy_krb5', usercache, storagecache, pservice1, + pservice1, pservice2]) if 'no credential delegated' not in output: fail('krb5 -> no delegated cred') # Try S4U2Self. Ask for an S4U2Proxy step; this won't happen because # service/1 isn't allowed to get a forwardable S4U2Self ticket. -output = realm.run_as_server(['./t_s4u', puser, pservice2]) +output = realm.run(['./t_s4u', puser, pservice2]) if ('Warning: no delegated cred handle' not in output or 'Source name:\t' + realm.user_princ not in output): fail('s4u2self') -output = realm.run_as_server(['./t_s4u', '--spnego', puser, pservice2]) +output = realm.run(['./t_s4u', '--spnego', puser, pservice2]) if ('Warning: no delegated cred handle' not in output or 'Source name:\t' + realm.user_princ not in output): fail('s4u2self (SPNEGO)') @@ -61,7 +61,7 @@ if ('Warning: no delegated cred handle' not in output or # Correct that problem and try again. As above, the S4U2Proxy step # won't actually succeed since we don't support that in DB2. realm.run_kadminl('modprinc +ok_to_auth_as_delegate ' + service1) -output = realm.run_as_server(['./t_s4u', puser, pservice2], expected_code=1) +output = realm.run(['./t_s4u', puser, pservice2], expected_code=1) if 'NOT_ALLOWED_TO_DELEGATE' not in output: fail('s4u2self') @@ -70,8 +70,7 @@ if 'NOT_ALLOWED_TO_DELEGATE' not in output: # a krb5 cred, not a SPNEGO cred, and t_s4u uses the delegated cred # directly rather than saving and reacquiring it) so bug #7045 does # not apply and we can verify the error message. -output = realm.run_as_server(['./t_s4u', '--spnego', puser, pservice2], - expected_code=1) +output = realm.run(['./t_s4u', '--spnego', puser, pservice2], expected_code=1) if 'NOT_ALLOWED_TO_DELEGATE' not in output: fail('s4u2self') diff --git a/src/tests/t_allowed_keysalts.py b/src/tests/t_allowed_keysalts.py index 8c763358aa..e7b7833ed3 100644 --- a/src/tests/t_allowed_keysalts.py +++ b/src/tests/t_allowed_keysalts.py @@ -2,8 +2,7 @@ from k5test import * import re -krb5_conf1 = {'all': {'libdefaults': { - 'supported_enctypes': 'aes256-cts'}}} +krb5_conf1 = {'libdefaults': {'supported_enctypes': 'aes256-cts'}} realm = K5Realm(krb5_conf=krb5_conf1, create_host=False, get_creds=False) diff --git a/src/tests/t_anonpkinit.py b/src/tests/t_anonpkinit.py index 7ae955d17e..03b2fdd686 100644 --- a/src/tests/t_anonpkinit.py +++ b/src/tests/t_anonpkinit.py @@ -12,29 +12,22 @@ ca_pem = os.path.join(certs, 'ca.pem') kdc_pem = os.path.join(certs, 'kdc.pem') privkey_pem = os.path.join(certs, 'privkey.pem') pkinit_krb5_conf = { - 'all' : { - 'libdefaults' : { - 'pkinit_anchors' : 'FILE:' + ca_pem - }, - 'realms' : { - '$realm' : { - 'pkinit_anchors' : 'FILE:%s' % ca_pem, - 'pkinit_identity' : 'FILE:%s,%s' % (kdc_pem, privkey_pem), - } - } - } -} + 'libdefaults': { + 'pkinit_anchors': 'FILE:' + ca_pem}, + 'realms': {'$realm': { + 'pkinit_anchors': 'FILE:%s' % ca_pem, + 'pkinit_identity': 'FILE:%s,%s' % (kdc_pem, privkey_pem)}}} restrictive_kdc_conf = { - 'all': { 'realms' : { '$realm' : { - 'restrict_anonymous_to_tgt' : 'true' } } } } + 'realms': {'$realm' : { + 'restrict_anonymous_to_tgt': 'true' }}} # In the basic test, anonymous is not restricted, so kvno should succeed. realm = K5Realm(krb5_conf=pkinit_krb5_conf, create_user=False) realm.addprinc('WELLKNOWN/ANONYMOUS') realm.kinit('@%s' % realm.realm, flags=['-n']) realm.klist('WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS') -realm.run_as_client([kvno, realm.host_princ]) +realm.run([kvno, realm.host_princ]) realm.stop() # Now try again with anonymous restricted; kvno should fail. @@ -44,6 +37,6 @@ realm.addprinc('WELLKNOWN/ANONYMOUS') realm.kinit('@%s' % realm.realm, flags=['-n']) # now try FAST realm.kinit('@%s' % realm.realm, flags=['-n', '-T', realm.ccache]) -realm.run_as_client([kvno, realm.host_princ], expected_code=1) +realm.run([kvno, realm.host_princ], expected_code=1) success('Anonymous PKINIT') diff --git a/src/tests/t_ccache.py b/src/tests/t_ccache.py index e85d009dde..a761d48fbe 100644 --- a/src/tests/t_ccache.py +++ b/src/tests/t_ccache.py @@ -26,66 +26,65 @@ from k5test import * realm = K5Realm(create_host=False) # Test kdestroy and klist of a non-existent ccache. -realm.run_as_client([kdestroy]) -output = realm.run_as_client([klist], expected_code=1) +realm.run([kdestroy]) +output = realm.run([klist], expected_code=1) if 'No credentials cache found' not in output: fail('Expected error message not seen in klist output') # Make a directory collection and use it for client commands. ccname = 'DIR:' + os.path.join(realm.testdir, 'cc') -realm.env_client['KRB5CCNAME'] = ccname +realm.env['KRB5CCNAME'] = ccname realm.addprinc('alice', password('alice')) realm.addprinc('bob', password('bob')) realm.addprinc('carol', password('carol')) realm.kinit('alice', password('alice')) -output = realm.run_as_client([klist]) +output = realm.run([klist]) if 'Default principal: alice@' not in output: fail('Initial kinit failed to get credentials for alice.') -realm.run_as_client([kdestroy]) -output = realm.run_as_client([klist], expected_code=1) +realm.run([kdestroy]) +output = realm.run([klist], expected_code=1) if 'No credentials cache found' not in output: fail('Initial kdestroy failed to destroy primary cache.') -output = realm.run_as_client([klist, '-l'], expected_code=1) +output = realm.run([klist, '-l'], expected_code=1) if not output.endswith('---\n') or output.count('\n') != 2: fail('Initial kdestroy failed to empty cache collection.') realm.kinit('alice', password('alice')) realm.kinit('carol', password('carol')) -output = realm.run_as_client([klist, '-l']) +output = realm.run([klist, '-l']) if '---\ncarol@' not in output or '\nalice@' not in output: fail('klist -l did not show expected output after two kinits.') realm.kinit('alice', password('alice')) -output = realm.run_as_client([klist, '-l']) +output = realm.run([klist, '-l']) if '---\nalice@' not in output or output.count('\n') != 4: fail('klist -l did not show expected output after re-kinit for alice.') realm.kinit('bob', password('bob')) -output = realm.run_as_client([klist, '-A']) +output = realm.run([klist, '-A']) if 'bob@' not in output.splitlines()[1] or 'alice@' not in output or \ 'carol' not in output or output.count('Default principal:') != 3: fail('klist -A did not show expected output after kinit for bob.') -realm.run_as_client([kswitch, '-p', 'carol']) -output = realm.run_as_client([klist, '-l']) +realm.run([kswitch, '-p', 'carol']) +output = realm.run([klist, '-l']) if '---\ncarol@' not in output or output.count('\n') != 5: fail('klist -l did not show expected output after kswitch to carol.') -realm.run_as_client([kdestroy]) -output = realm.run_as_client([klist, '-l']) +realm.run([kdestroy]) +output = realm.run([klist, '-l']) if 'carol@' in output or 'bob@' not in output or output.count('\n') != 4: fail('kdestroy failed to remove only primary ccache.') -realm.run_as_client([kdestroy, '-A']) -output = realm.run_as_client([klist, '-l'], expected_code=1) +realm.run([kdestroy, '-A']) +output = realm.run([klist, '-l'], expected_code=1) if not output.endswith('---\n') or output.count('\n') != 2: fail('kdestroy -a failed to empty cache collection.') # Test parameter expansion in default_ccache_name realm.stop() -conf = {'client': {'libdefaults': { - 'default_ccache_name': 'testdir/%{null}abc%{uid}'}}} +conf = {'libdefaults': {'default_ccache_name': 'testdir/%{null}abc%{uid}'}} realm = K5Realm(krb5_conf=conf, create_kdb=False) -del realm.env_client['KRB5CCNAME'] +del realm.env['KRB5CCNAME'] uidstr = str(os.getuid()) -out = realm.run_as_client([klist], expected_code=1) +out = realm.run([klist], expected_code=1) if 'FILE:testdir/abc%s' % uidstr not in out: fail('Wrong ccache in klist') diff --git a/src/tests/t_crossrealm.py b/src/tests/t_crossrealm.py index c0c3ccb158..0d967b8a50 100644 --- a/src/tests/t_crossrealm.py +++ b/src/tests/t_crossrealm.py @@ -24,8 +24,8 @@ from k5test import * -def test_kvno(r, princ, test): - output = r.run_as_client([kvno, princ]) +def test_kvno(r, princ, test, env=None): + output = r.run([kvno, princ], env=env) if princ not in output: fail('%s: principal %s not in kvno output' % (test, princ)) @@ -58,26 +58,23 @@ stop(r1, r2, r3) # transited checks, including a capaths for A->C. capaths = {'capaths': {'A': {'D': ['B', 'C'], 'C': 'B'}}} r1, r2, r3, r4 = cross_realms(4, xtgts=((0,1), (1,2), (2,3)), - args=({'realm': 'A', - 'krb5_conf': {'client': capaths}}, + args=({'realm': 'A'}, {'realm': 'B'}, - {'realm': 'C', - 'krb5_conf': {'master': capaths}}, - {'realm': 'D', - 'krb5_conf': {'master': capaths}})) -test_kvno(r1, r4.host_princ, 'client capaths') + {'realm': 'C', 'krb5_conf': capaths}, + {'realm': 'D', 'krb5_conf': capaths})) +r1client = r1.special_env('client', False, krb5_conf=capaths) +test_kvno(r1, r4.host_princ, 'client capaths', r1client) stop(r1, r2, r3, r4) # Test KDC capaths. The KDCs for A and B have appropriate capaths # settings to determine intermediate TGTs to return, but the client # has no idea. capaths = {'capaths': {'A': {'D': ['B', 'C'], 'C': 'B'}, 'B': {'D': 'C'}}} -conf = {'master': capaths} r1, r2, r3, r4 = cross_realms(4, xtgts=((0,1), (1,2), (2,3)), - args=({'realm': 'A', 'krb5_conf': conf}, - {'realm': 'B', 'krb5_conf': conf}, - {'realm': 'C', 'krb5_conf': conf}, - {'realm': 'D', 'krb5_conf': conf})) + args=({'realm': 'A', 'krb5_conf': capaths}, + {'realm': 'B', 'krb5_conf': capaths}, + {'realm': 'C', 'krb5_conf': capaths}, + {'realm': 'D', 'krb5_conf': capaths})) test_kvno(r1, r4.host_princ, 'KDC capaths') stop(r1, r2, r3, r4) @@ -86,10 +83,9 @@ stop(r1, r2, r3, r4) # ticket. capaths = {'capaths': {'A': {'C': 'B'}}} r1, r2, r3 = cross_realms(3, xtgts=((0,1), (1,2)), - args=({'realm': 'A', - 'krb5_conf': {'client': capaths}}, + args=({'realm': 'A', 'krb5_conf': capaths}, {'realm': 'B'}, {'realm': 'C'})) -output = r1.run_as_client([kvno, r3.host_princ], expected_code=1) +output = r1.run([kvno, r3.host_princ], expected_code=1) if 'KDC policy rejects request' not in output: fail('transited 1: Expected error message not in output') stop(r1, r2, r3) @@ -98,13 +94,12 @@ stop(r1, r2, r3) # recognize B as an intermediate realm for A->C, so it refuses to # verify the krbtgt/C@B ticket in the TGS AP-REQ. capaths = {'capaths': {'A': {'D': ['B', 'C'], 'C': 'B'}, 'B': {'D': 'C'}}} -conf = {'master': capaths} r1, r2, r3, r4 = cross_realms(4, xtgts=((0,1), (1,2), (2,3)), - args=({'realm': 'A', 'krb5_conf': conf}, - {'realm': 'B', 'krb5_conf': conf}, - {'realm': 'C', 'krb5_conf': conf}, + args=({'realm': 'A', 'krb5_conf': capaths}, + {'realm': 'B', 'krb5_conf': capaths}, + {'realm': 'C', 'krb5_conf': capaths}, {'realm': 'D'})) -output = r1.run_as_client([kvno, r4.host_princ], expected_code=1) +output = r1.run([kvno, r4.host_princ], expected_code=1) if 'Illegal cross-realm ticket' not in output: fail('transited 2: Expected error message not in output') stop(r1, r2, r3, r4) diff --git a/src/tests/t_general.py b/src/tests/t_general.py index 77246d52f2..1ba95dccca 100755 --- a/src/tests/t_general.py +++ b/src/tests/t_general.py @@ -3,8 +3,8 @@ from k5test import * for realm in multipass_realms(create_host=False): # Check that kinit fails appropriately with the wrong password. - output = realm.run_as_client([kinit, realm.user_princ], input='wrong\n', - expected_code=1) + output = realm.run([kinit, realm.user_princ], input='wrong\n', + expected_code=1) if 'Password incorrect while getting initial credentials' not in output: fail('Expected error message not seen in kinit output') @@ -20,29 +20,29 @@ for realm in multipass_realms(create_host=False): realm.klist('user/fast@%s' % realm.realm) # Test kinit against kdb keytab - realm.run_as_master([kinit, "-k", "-t", "KDB:", realm.user_princ]) + realm.run([kinit, "-k", "-t", "KDB:", realm.user_princ]) realm = K5Realm(create_host=False) # Create a policy and see if it survives a dump/load. realm.run_kadminl('addpol fred') dumpfile = os.path.join(realm.testdir, 'dump') -realm.run_as_master([kdb5_util, 'dump', dumpfile]) +realm.run([kdb5_util, 'dump', dumpfile]) f = open('testdir/dump', 'a') f.write('policy barney 0 0 1 1 1 0 ' '0 0 0 0 0 0 - 1 ' '2 28 ' 'fd100f5064625f6372656174696f6e404b5242544553542e434f4d00') f.close() -realm.run_as_master([kdb5_util, 'load', dumpfile]) +realm.run([kdb5_util, 'load', dumpfile]) output = realm.run_kadminl('getpols') if 'fred\n' not in output: fail('Policy not preserved across dump/load.') if 'barney\n' not in output: fail('Policy not loaded.') -realm.run_as_master([kdb5_util, 'dump', dumpfile]) -realm.run_as_master([kdb5_util, 'load', dumpfile]) +realm.run([kdb5_util, 'dump', dumpfile]) +realm.run([kdb5_util, 'load', dumpfile]) output = realm.run_kadminl('getpols') if 'fred\n' not in output: fail('Policy not preserved across dump/load.') @@ -51,8 +51,8 @@ if 'barney\n' not in output: # Spot-check KRB5_TRACE output tracefile = os.path.join(realm.testdir, 'trace') -realm.run_as_client(['env', 'KRB5_TRACE=' + tracefile, kinit, - realm.user_princ], input=(password('user') + "\n")) +realm.run(['env', 'KRB5_TRACE=' + tracefile, kinit, realm.user_princ], + input=(password('user') + "\n")) f = open(tracefile, 'r') trace = f.read() f.close() diff --git a/src/tests/t_iprop.py b/src/tests/t_iprop.py index 7a96a7ca70..df97b9224c 100644 --- a/src/tests/t_iprop.py +++ b/src/tests/t_iprop.py @@ -7,11 +7,11 @@ from k5test import * # Read lines from kpropd output until we are synchronized. Error if # full_expected is true and we didn't see a full propagation or vice # versa. -def wait_for_prop(realm, full_expected): +def wait_for_prop(kpropd, full_expected): output('*** Waiting for sync from kpropd\n') full_seen = False while True: - line = realm.read_from_kpropd() + line = kpropd.stdout.readline() if line == '': fail('kpropd process exited unexpectedly') output('kpropd: ' + line) @@ -29,7 +29,7 @@ def wait_for_prop(realm, full_expected): # kpropd's child process has finished a DB load; make the parent # do another iprop request. This will be unnecessary if kpropd # is simplified to use a single process. - realm.prod_kpropd() + kpropd.send_signal(signal.SIGUSR1) # Detect some failure conditions. if 'Rejected connection' in line: @@ -43,22 +43,19 @@ def wait_for_prop(realm, full_expected): if 'invalid return' in line: fail('kadmind returned invalid result') +conf = { + 'realms': {'$realm': { + 'iprop_enable': 'true', + 'iprop_logfile' : '$testdir/db.ulog'}}} -iprop_kdc_conf = { - 'all' : { 'libdefaults' : { 'default_realm' : 'KRBTEST.COM'}, - 'realms' : { '$realm' : { - 'iprop_enable' : 'true', - 'iprop_slave_poll' : '600' - }}}, - 'master' : { 'realms' : { '$realm' : { - 'iprop_logfile' : '$testdir/db.ulog' - }}}, - 'slave' : { 'realms' : { '$realm' : { - 'iprop_logfile' : '$testdir/slave-db.ulog' - }}} -} +conf_slave = { + 'realms': {'$realm': { + 'iprop_slave_poll': '600', + 'iprop_logfile' : '$testdir/db.slave.ulog'}}, + 'dbmodules': {'db': {'database_name': '$testdir/db.slave'}}} -realm = K5Realm(kdc_conf=iprop_kdc_conf, create_user=False, start_kadmind=True) +realm = K5Realm(kdc_conf=conf, create_user=False, start_kadmind=True) +slave = realm.special_env('slave', True, kdc_conf=conf_slave) ulog = os.path.join(realm.testdir, 'db.ulog') if not os.path.exists(ulog): @@ -71,9 +68,9 @@ realm.extract_keytab(kiprop_princ, realm.keytab) # Create the slave db. dumpfile = os.path.join(realm.testdir, 'dump') -realm.run_as_master([kdb5_util, 'dump', dumpfile]) -realm.run_as_slave([kdb5_util, 'load', dumpfile]) -realm.run_as_slave([kdb5_util, 'stash', '-P', 'master']) +realm.run([kdb5_util, 'dump', dumpfile]) +realm.run([kdb5_util, 'load', dumpfile], slave) +realm.run([kdb5_util, 'stash', '-P', 'master'], slave) # Make some changes to the master db. realm.addprinc('wakawaka') @@ -87,7 +84,7 @@ realm.addprinc('w') realm.run_kadminl('modprinc -allow_tix w') realm.run_kadminl('modprinc +allow_tix w') -out = realm.run_as_master([kproplog, '-h']) +out = realm.run([kproplog, '-h']) if 'Last serial # : 7' not in out: fail('Update log on master has incorrect last serial number') @@ -98,76 +95,76 @@ acl.write(realm.host_princ + '\n') acl.close() # Start kpropd and get a full dump from master. -realm.start_kpropd(['-d']) -wait_for_prop(realm, True) +kpropd = realm.start_kpropd(slave, ['-d']) +wait_for_prop(kpropd, True) realm.run_kadminl('modprinc -allow_tix w') -out = realm.run_as_master([kproplog, '-h']) +out = realm.run([kproplog, '-h']) if 'Last serial # : 8' not in out: fail('Update log on master has incorrect last serial number') # Get an incremental update and check that it happened. -realm.prod_kpropd() -wait_for_prop(realm, False) -out = realm.run_as_slave([kproplog, '-h']) +kpropd.send_signal(signal.SIGUSR1) +wait_for_prop(kpropd, False) +out = realm.run([kproplog, '-h'], slave) if 'Last serial # : 8' not in out: fail('Update log on slave has incorrect last serial number') # Make another change. realm.run_kadminl('modprinc +allow_tix w') -out = realm.run_as_master([kproplog, '-h']) +out = realm.run([kproplog, '-h']) if 'Last serial # : 9' not in out: fail('Update log on master has incorrect last serial number') # Get an update and check that we're at sno 9 on the slave side too. -realm.prod_kpropd() -wait_for_prop(realm, False) -out = realm.run_as_slave([kproplog, '-h']) +kpropd.send_signal(signal.SIGUSR1) +wait_for_prop(kpropd, False) +out = realm.run([kproplog, '-h'], slave) if 'Last serial # : 9' not in out: fail('Update log on slave has incorrect last serial number') # Reset the ulog on the slave side to force a full resync to the slave. -realm.run_as_slave([kproplog, '-R']) -out = realm.run_as_slave([kproplog, '-h']) +realm.run([kproplog, '-R'], slave) +out = realm.run([kproplog, '-h'], slave) if 'Last serial # : None' not in out: fail('Reset of update log on slave failed') # Get a full resync and check the result. -realm.prod_kpropd() -wait_for_prop(realm, True) -out = realm.run_as_slave([kproplog, '-h']) +kpropd.send_signal(signal.SIGUSR1) +wait_for_prop(kpropd, True) +out = realm.run([kproplog, '-h'], slave) if 'Last serial # : 9' not in out: fail('Update log on slave has incorrect last serial number') # Make another change. realm.run_kadminl('modprinc +allow_tix w') -out = realm.run_as_master([kproplog, '-h']) +out = realm.run([kproplog, '-h']) if 'Last serial # : 10' not in out: fail('Update log on master has incorrect last serial number') # Get and check an incremental update. -realm.prod_kpropd() -wait_for_prop(realm, False) -out = realm.run_as_slave([kproplog, '-h']) +kpropd.send_signal(signal.SIGUSR1) +wait_for_prop(kpropd, False) +out = realm.run([kproplog, '-h'], slave) if 'Last serial # : 10' not in out: fail('Update log on slave has incorrect last serial number') # Reset the ulog on the master side to force a full resync to all slaves. # XXX Note that we only have one slave in this test, so we can't really # test this. -realm.run_as_master([kproplog, '-R']) -out = realm.run_as_master([kproplog, '-h']) +realm.run([kproplog, '-R']) +out = realm.run([kproplog, '-h']) if 'Last serial # : None' not in out: fail('Reset of update log on master failed') realm.run_kadminl('modprinc -allow_tix w') -out = realm.run_as_master([kproplog, '-h']) +out = realm.run([kproplog, '-h']) if 'Last serial # : 1' not in out: fail('Update log on master has incorrect last serial number') # Get and check a full resync. -realm.prod_kpropd() -wait_for_prop(realm, True) -out = realm.run_as_slave([kproplog, '-h']) +kpropd.send_signal(signal.SIGUSR1) +wait_for_prop(kpropd, True) +out = realm.run([kproplog, '-h'], slave) if 'Last serial # : 1' not in out: fail('Update log on slave has incorrect last serial number') diff --git a/src/tests/t_kadm5_hook.py b/src/tests/t_kadm5_hook.py index 0c8b19dac0..1f023ea0f2 100644 --- a/src/tests/t_kadm5_hook.py +++ b/src/tests/t_kadm5_hook.py @@ -4,15 +4,7 @@ from k5test import * plugin = os.path.join(buildtop, "plugins", "kadm5_hook", "test", "kadm5_hook_test.so") -hook_krb5_conf = { - 'all' : { - "plugins" : { - "kadm5_hook" : { - "module" : "test:" + plugin - } - } - } -} +hook_krb5_conf = {'plugins': {'kadm5_hook': { 'module': 'test:' + plugin}}} realm = K5Realm(krb5_conf=hook_krb5_conf, create_user=False, create_host=False) output = realm.run_kadminl ('addprinc -randkey test') diff --git a/src/tests/t_kadmin_acl.py b/src/tests/t_kadmin_acl.py index 3d36ad09cf..1d7b1d0981 100644 --- a/src/tests/t_kadmin_acl.py +++ b/src/tests/t_kadmin_acl.py @@ -14,7 +14,7 @@ def make_client(name): def kadmin_as(client, query): global realm - return realm.run_as_client([kadmin, '-c', client, '-q', query]) + return realm.run([kadmin, '-c', client, '-q', query]) def delprinc(name): global realm diff --git a/src/tests/t_kdb.py b/src/tests/t_kdb.py index 2f0d6fd90e..3c664f0ef4 100644 --- a/src/tests/t_kdb.py +++ b/src/tests/t_kdb.py @@ -13,7 +13,7 @@ def which(progname): # Run kdbtest against the BDB module. realm = K5Realm(create_kdb=False) -realm.run_as_master(['./kdbtest']) +realm.run(['./kdbtest']) # Set up an OpenLDAP test server if we can. @@ -87,24 +87,22 @@ output('*** Started slapd (pid %d, output in %s)\n' % (slapd_pid, slapd_out)) time.sleep(1) # Run kdbtest against the LDAP module. -kdc_conf = {'all': { - 'realms': {'$realm': {'database_module': 'ldap'}}, - 'dbmodules': {'ldap': { - 'db_library': 'kldap', - 'ldap_kerberos_container_dn': top_dn, - 'ldap_kdc_dn': admin_dn, - 'ldap_kadmind_dn': admin_dn, - 'ldap_service_password_file': ldap_pwfile, - 'ldap_servers': ldap_uri}}}} -realm = K5Realm(create_kdb=False, kdc_conf=kdc_conf) +conf = {'realms': {'$realm': {'database_module': 'ldap'}}, + 'dbmodules': {'ldap': {'db_library': 'kldap', + 'ldap_kerberos_container_dn': top_dn, + 'ldap_kdc_dn': admin_dn, + 'ldap_kadmind_dn': admin_dn, + 'ldap_service_password_file': ldap_pwfile, + 'ldap_servers': ldap_uri}}} +realm = K5Realm(create_kdb=False, kdc_conf=conf) input = admin_pw + '\n' + admin_pw + '\n' -realm.run_as_master([kdb5_ldap_util, 'stashsrvpw', admin_dn], input=input) -realm.run_as_master(['./kdbtest']) +realm.run([kdb5_ldap_util, 'stashsrvpw', admin_dn], input=input) +realm.run(['./kdbtest']) # Run a kdb5_ldap_util command using the test server's admin DN and password. def kldaputil(args, **kw): - return realm.run_as_master([kdb5_ldap_util, '-D', admin_dn, '-w', - admin_pw] + args, **kw) + return realm.run([kdb5_ldap_util, '-D', admin_dn, '-w', admin_pw] + args, + **kw) # kdbtest can't currently clean up after itself since the LDAP module # doesn't support krb5_db_destroy. So clean up after it with @@ -243,17 +241,17 @@ realm.addprinc(realm.user_princ, password('user')) realm.addprinc(realm.host_princ) realm.extract_keytab(realm.host_princ, realm.keytab) realm.kinit(realm.user_princ, password('user')) -realm.run_as_client([kvno, realm.host_princ]) +realm.run([kvno, realm.host_princ]) realm.klist(realm.user_princ, realm.host_princ) realm.stop() # Briefly test dump and load. dumpfile = os.path.join(realm.testdir, 'dump') -realm.run_as_master([kdb5_util, 'dump', dumpfile]) -out = realm.run_as_master([kdb5_util, 'load', dumpfile], expected_code=1) +realm.run([kdb5_util, 'dump', dumpfile]) +out = realm.run([kdb5_util, 'load', dumpfile], expected_code=1) if 'plugin requires -update argument' not in out: fail('Unexpected error from kdb5_util load without -update') -realm.run_as_master([kdb5_util, 'load', '-update', dumpfile]) +realm.run([kdb5_util, 'load', '-update', dumpfile]) # Destroy the realm. kldaputil(['destroy', '-f']) diff --git a/src/tests/t_kdb_locking.py b/src/tests/t_kdb_locking.py index 89da97b422..7c0755ead0 100644 --- a/src/tests/t_kdb_locking.py +++ b/src/tests/t_kdb_locking.py @@ -12,15 +12,11 @@ import os from k5test import * -kdc_conf = { - 'all' : { 'libdefaults' : { 'default_realm' : 'KRBTEST.COM'}} -} - p = 'foo' -realm = K5Realm(kdc_conf=kdc_conf, create_user=False) +realm = K5Realm(create_user=False) realm.addprinc(p, p) -kadm5_lock = os.path.join(realm.testdir, 'master-db.kadm5.lock') +kadm5_lock = os.path.join(realm.testdir, 'db.kadm5.lock') if not os.path.exists(kadm5_lock): fail('kadm5 lock file not created: ' + kadm5_lock) os.unlink(kadm5_lock) diff --git a/src/tests/t_keyrollover.py b/src/tests/t_keyrollover.py index 9f9346aca6..29d1291639 100644 --- a/src/tests/t_keyrollover.py +++ b/src/tests/t_keyrollover.py @@ -1,7 +1,7 @@ #!/usr/bin/python from k5test import * -rollover_krb5_conf = {'all' : {'libdefaults' : {'allow_weak_crypto' : 'true'}}} +rollover_krb5_conf = {'libdefaults': {'allow_weak_crypto': 'true'}} realm = K5Realm(krbtgt_keysalt='des-cbc-crc:normal', krb5_conf=rollover_krb5_conf) @@ -11,19 +11,19 @@ princ2 = 'host/test2@%s' % (realm.realm,) realm.addprinc(princ1) realm.addprinc(princ2) -realm.run_as_client([kvno, realm.host_princ]) +realm.run([kvno, realm.host_princ]) # Change key for TGS, keeping old key. realm.run_kadminl('cpw -randkey -e aes256-cts:normal -keepold krbtgt/%s@%s' % (realm.realm, realm.realm)) # Ensure that kvno still works with an old TGT. -realm.run_as_client([kvno, princ1]) +realm.run([kvno, princ1]) realm.run_kadminl('purgekeys krbtgt/%s@%s' % (realm.realm, realm.realm)) # Make sure an old TGT fails after purging old TGS key. -realm.run_as_client([kvno, princ2], expected_code=1) -output = realm.run_as_client([klist, '-e']) +realm.run([kvno, princ2], expected_code=1) +output = realm.run([klist, '-e']) expected = 'krbtgt/%s@%s\n\tEtype (skey, tkt): des-cbc-crc, des-cbc-crc' % \ (realm.realm, realm.realm) @@ -33,8 +33,8 @@ if expected not in output: # Check that new key actually works. realm.kinit(realm.user_princ, password('user')) -realm.run_as_client([kvno, realm.host_princ]) -output = realm.run_as_client([klist, '-e']) +realm.run([kvno, realm.host_princ]) +output = realm.run([klist, '-e']) expected = 'krbtgt/%s@%s\n\tEtype (skey, tkt): ' \ 'aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96' % \ @@ -60,7 +60,7 @@ output = realm.run_kadminl('getprinc krbtgt/%s' % realm.realm) if 'vno 1, aes256' not in output or 'vno 1, des3' not in output: fail('keyrollover: setup for TGS enctype test failed') # Now present the DES3 ticket to the KDC and make sure it's rejected. -realm.run_as_client([kvno, realm.host_princ], expected_code=1) +realm.run([kvno, realm.host_princ], expected_code=1) realm.stop() @@ -72,10 +72,10 @@ realm.stop() # multiple keys. r1, r2 = cross_realms(2) r1.run_kadminl('modprinc -kvno 0 krbtgt/%s' % r2.realm) -r1.run_as_client([kvno, r2.host_princ]) +r1.run([kvno, r2.host_princ]) r2.run_kadminl('cpw -pw newcross -keepold krbtgt/%s@%s' % (r2.realm, r1.realm)) r1.run_kadminl('cpw -pw newcross krbtgt/%s' % r2.realm) r1.run_kadminl('modprinc -kvno 0 krbtgt/%s' % r2.realm) -r1.run_as_client([kvno, r2.user_princ]) +r1.run([kvno, r2.user_princ]) success('keyrollover') diff --git a/src/tests/t_keytab.py b/src/tests/t_keytab.py index bc547d9437..3008911ecf 100644 --- a/src/tests/t_keytab.py +++ b/src/tests/t_keytab.py @@ -9,8 +9,8 @@ realm = K5Realm(get_creds=False) # Test kinit with a partial keytab. pkeytab = realm.keytab + '.partial' -realm.run_as_master([ktutil], input=('rkt %s\ndelent 1\nwkt %s\n' % - (realm.keytab, pkeytab))) +realm.run([ktutil], input=('rkt %s\ndelent 1\nwkt %s\n' % + (realm.keytab, pkeytab))) realm.kinit(realm.host_princ, flags=['-k', '-t', pkeytab]) # Test kinit with no keys for client in keytab. @@ -22,17 +22,17 @@ if 'no suitable keys' not in output: realm.extract_keytab(realm.user_princ, realm.client_keytab); realm.kinit(realm.user_princ, flags=['-k', '-i']) realm.klist(realm.user_princ) -out = realm.run_as_client([klist, '-k', '-i']) +out = realm.run([klist, '-k', '-i']) if realm.client_keytab not in out or realm.user_princ not in out: fail('Expected output not seen from klist -k -i') # Test implicit request for keytab (-i or -t without -k) -realm.run_as_client([kdestroy]) +realm.run([kdestroy]) output = realm.kinit(realm.host_princ, flags=['-t', realm.keytab]) if 'keytab specified, forcing -k' not in output: fail('Expected output not seen from kinit -t keytab') realm.klist(realm.host_princ) -realm.run_as_client([kdestroy]) +realm.run([kdestroy]) output = realm.kinit(realm.user_princ, flags=['-i']) if 'keytab specified, forcing -k' not in output: fail('Expected output not seen from kinit -i') @@ -54,17 +54,17 @@ if 'Key: vno 258,' not in output: # Test parameter expansion in profile variables realm.stop() -conf = {'client': {'libdefaults': { - 'default_keytab_name': 'testdir/%{null}abc%{uid}', - 'default_client_keytab_name': 'testdir/%{null}xyz%{uid}'}}} +conf = {'libdefaults': { + 'default_keytab_name': 'testdir/%{null}abc%{uid}', + 'default_client_keytab_name': 'testdir/%{null}xyz%{uid}'}} realm = K5Realm(krb5_conf=conf, create_kdb=False) -del realm.env_client['KRB5_KTNAME'] -del realm.env_client['KRB5_CLIENT_KTNAME'] +del realm.env['KRB5_KTNAME'] +del realm.env['KRB5_CLIENT_KTNAME'] uidstr = str(os.getuid()) -out = realm.run_as_client([klist, '-k'], expected_code=1) +out = realm.run([klist, '-k'], expected_code=1) if 'FILE:testdir/abc%s' % uidstr not in out: fail('Wrong keytab in klist -k output') -out = realm.run_as_client([klist, '-ki'], expected_code=1) +out = realm.run([klist, '-ki'], expected_code=1) if 'FILE:testdir/xyz%s' % uidstr not in out: fail('Wrong keytab in klist -ki output') diff --git a/src/tests/t_lockout.py b/src/tests/t_lockout.py index e3d1dd4154..8da8c57481 100644 --- a/src/tests/t_lockout.py +++ b/src/tests/t_lockout.py @@ -29,17 +29,15 @@ realm.run_kadminl('addpol -maxfailure 2 -failurecountinterval 5m lockout') realm.run_kadminl('modprinc +requires_preauth -policy lockout user') # kinit twice with the wrong password. -output = realm.run_as_client([kinit, realm.user_princ], input='wrong\n', - expected_code=1) +output = realm.run([kinit, realm.user_princ], input='wrong\n', expected_code=1) if 'Password incorrect while getting initial credentials' not in output: fail('Expected error message not seen in kinit output') -output = realm.run_as_client([kinit, realm.user_princ], input='wrong\n', - expected_code=1) +output = realm.run([kinit, realm.user_princ], input='wrong\n', expected_code=1) if 'Password incorrect while getting initial credentials' not in output: fail('Expected error message not seen in kinit output') # Now the account should be locked out. -output = realm.run_as_client([kinit, realm.user_princ], expected_code=1) +output = realm.run([kinit, realm.user_princ], expected_code=1) if 'Clients credentials have been revoked while getting initial credentials' \ not in output: fail('Expected lockout error message not seen in kinit output') diff --git a/src/tests/t_pwhist.py b/src/tests/t_pwhist.py index bfb9f0045b..3d8c7c1b23 100644 --- a/src/tests/t_pwhist.py +++ b/src/tests/t_pwhist.py @@ -6,12 +6,12 @@ from k5test import * # first one to create history entries. realm = K5Realm(start_kdc=False) # Create a history principal with two keys. -realm.run_as_master(['./hist', 'make']) +realm.run(['./hist', 'make']) realm.run_kadminl('addpol -history 2 pol') realm.run_kadminl('modprinc -policy pol user') realm.run_kadminl('cpw -pw pw2 user') # Swap the keys, simulating older kadmin having chosen the second entry. -realm.run_as_master(['./hist', 'swap']) +realm.run(['./hist', 'swap']) # Make sure we can read the history entry. output = realm.run_kadminl('cpw -pw %s user' % password('user')) if 'Cannot reuse password' not in output: diff --git a/src/tests/t_referral.py b/src/tests/t_referral.py index 6654d71e8e..985f9da70e 100644 --- a/src/tests/t_referral.py +++ b/src/tests/t_referral.py @@ -6,12 +6,12 @@ from k5test import * # have a regression test for #7483. # A KDC should not return a host referral to its own realm. -krb5_conf = {'master': {'domain_realm': {'y': 'KRBTEST.COM'}}} -kdc_conf = {'master': {'realms': {'$realm': {'host_based_services': 'x'}}}} +krb5_conf = {'domain_realm': {'y': 'KRBTEST.COM'}} +kdc_conf = {'realms': {'$realm': {'host_based_services': 'x'}}} realm = K5Realm(krb5_conf=krb5_conf, kdc_conf=kdc_conf, create_host=False) tracefile = os.path.join(realm.testdir, 'trace') -realm.run_as_client(['env', 'KRB5_TRACE=' + tracefile, kvno, '-u', 'x/z.y@'], - expected_code=1) +realm.run(['env', 'KRB5_TRACE=' + tracefile, kvno, '-u', 'x/z.y@'], + expected_code=1) f = open(tracefile, 'r') trace = f.read() f.close() diff --git a/src/tests/t_sesskeynego.py b/src/tests/t_sesskeynego.py index 9239e12544..3a4a81452f 100644 --- a/src/tests/t_sesskeynego.py +++ b/src/tests/t_sesskeynego.py @@ -8,8 +8,8 @@ etypes_re = re.compile(r'server@[^\n]+\n\tEtype \(skey, tkt\): ' '([^,]+), ([^\s]+)') def test_kvno(realm, expected_skey, expected_tkt): realm.kinit(realm.user_princ, password('user')) - realm.run_as_client([kvno, 'server']) - output = realm.run_as_client([klist, '-e']) + realm.run([kvno, 'server']) + output = realm.run([klist, '-e']) m = etypes_re.search(output) if not m: fail('could not parse etypes from klist -e output') @@ -19,29 +19,21 @@ def test_kvno(realm, expected_skey, expected_tkt): if tkt != expected_tkt: fail('got ticket key type %s, expected %s' % (tkt, expected_tkt)) -krb5_conf1 = {'all': {'libdefaults': { - 'default_tgs_enctypes': 'aes128-cts,aes256-cts'}}} - -krb5_conf2 = {'all': {'libdefaults': { - 'default_tgs_enctypes': 'aes256-cts,aes128-cts'}}} - -krb5_conf3 = {'all': {'libdefaults': { - 'allow_weak_crypto': 'true', - 'default_tkt_enctypes': 'aes128-cts', - 'default_tgs_enctypes': 'rc4-hmac,aes128-cts,des-cbc-crc'}}} - -krb5_conf4 = {'all' :{ - 'libdefaults': { - 'allow_weak_crypto': 'true', - 'default_tkt_enctypes': 'aes256-cts', - 'default_tgs_enctypes': 'des-cbc-crc,rc4-hmac,aes256-cts' - }, - 'realms': {'$realm': { - 'des_crc_session_supported' : 'false'}}}} +conf1 = {'libdefaults': {'default_tgs_enctypes': 'aes128-cts,aes256-cts'}} +conf2 = {'libdefaults': {'default_tgs_enctypes': 'aes256-cts,aes128-cts'}} +conf3 = {'libdefaults': { + 'allow_weak_crypto': 'true', + 'default_tkt_enctypes': 'aes128-cts', + 'default_tgs_enctypes': 'rc4-hmac,aes128-cts,des-cbc-crc'}} +conf4 = {'libdefaults': { + 'allow_weak_crypto': 'true', + 'default_tkt_enctypes': 'aes256-cts', + 'default_tgs_enctypes': 'des-cbc-crc,rc4-hmac,aes256-cts'}, + 'realms': {'$realm': {'des_crc_session_supported': 'false'}}} # Test with client request and session_enctypes preferring aes128, but # aes256 long-term key. -realm = K5Realm(krb5_conf=krb5_conf1, create_host=False, get_creds=False) +realm = K5Realm(krb5_conf=conf1, create_host=False, get_creds=False) realm.run_kadminl('addprinc -randkey -e aes256-cts:normal server') realm.run_kadminl('setstr server session_enctypes aes128-cts,aes256-cts') test_kvno(realm, 'aes128-cts-hmac-sha1-96', 'aes256-cts-hmac-sha1-96') @@ -50,14 +42,14 @@ realm.stop() # Second go, almost same as first, but resulting session key must be aes256 # because of the difference in default_tgs_enctypes order. This tests that # session_enctypes doesn't change the order in which we negotiate. -realm = K5Realm(krb5_conf=krb5_conf2, create_host=False, get_creds=False) +realm = K5Realm(krb5_conf=conf2, create_host=False, get_creds=False) realm.run_kadminl('addprinc -randkey -e aes256-cts:normal server') realm.run_kadminl('setstr server session_enctypes aes128-cts,aes256-cts') test_kvno(realm, 'aes256-cts-hmac-sha1-96', 'aes256-cts-hmac-sha1-96') realm.stop() -# Next we use krb5_conf3 and try various things. -realm = K5Realm(krb5_conf=krb5_conf3, create_host=False, get_creds=False) +# Next we use conf3 and try various things. +realm = K5Realm(krb5_conf=conf3, create_host=False, get_creds=False) realm.run_kadminl('addprinc -randkey -e aes256-cts:normal server') # 3a: Negotiate aes128 session key when principal only has aes256 long-term. @@ -75,7 +67,7 @@ test_kvno(realm, 'des-cbc-crc', 'aes256-cts-hmac-sha1-96') realm.stop() # Last go: test that we can disable the des-cbc-crc assumption -realm = K5Realm(krb5_conf=krb5_conf4, get_creds=False) +realm = K5Realm(krb5_conf=conf4, get_creds=False) realm.run_kadminl('addprinc -randkey -e aes256-cts:normal server') test_kvno(realm, 'aes256-cts-hmac-sha1-96', 'aes256-cts-hmac-sha1-96') realm.stop() diff --git a/src/tests/t_skew.py b/src/tests/t_skew.py index 18bd922874..aa91471428 100644 --- a/src/tests/t_skew.py +++ b/src/tests/t_skew.py @@ -8,23 +8,23 @@ realm.start_kdc(['-T', '-3600']) # kinit (no preauth) should work, and should set a clock skew allowing # kvno to work, with or without FAST. realm.kinit(realm.user_princ, password('user')) -realm.run_as_client([kvno, realm.host_princ]) +realm.run([kvno, realm.host_princ]) realm.kinit(realm.user_princ, password('user'), flags=['-T', realm.ccache]) -realm.run_as_client([kvno, realm.host_princ]) -realm.run_as_client([kdestroy]) +realm.run([kvno, realm.host_princ]) +realm.run([kdestroy]) # kinit (with preauth) should work, with or without FAST. realm.run_kadminl('modprinc +requires_preauth user') realm.kinit(realm.user_princ, password('user')) -realm.run_as_client([kvno, realm.host_princ]) +realm.run([kvno, realm.host_princ]) realm.kinit(realm.user_princ, password('user'), flags=['-T', realm.ccache]) -realm.run_as_client([kvno, realm.host_princ]) -realm.run_as_client([kdestroy]) +realm.run([kvno, realm.host_princ]) +realm.run([kdestroy]) realm.stop() # Repeat the above tests with kdc_timesync disabled. -conf = {'all': {'libdefaults': {'kdc_timesync': '0'}}} +conf = {'libdefaults': {'kdc_timesync': '0'}} realm = K5Realm(start_kdc=False, krb5_conf=conf) realm.start_kdc(['-T', '-3600']) diff --git a/src/util/gss-kernel-lib/t_kgss.py b/src/util/gss-kernel-lib/t_kgss.py index 52d1da2456..00eab050e7 100644 --- a/src/util/gss-kernel-lib/t_kgss.py +++ b/src/util/gss-kernel-lib/t_kgss.py @@ -25,6 +25,6 @@ from k5test import * # Test krb5 negotiation under SPNEGO for all enctype configurations. for realm in multipass_realms(): - realm.run_as_client(['./t_kgss_user', realm.host_princ]) + realm.run(['./t_kgss_user', realm.host_princ]) success('Kernel GSSAPI subset tests') diff --git a/src/util/k5test.py b/src/util/k5test.py index 37e8929c3e..6c2d091e28 100644 --- a/src/util/k5test.py +++ b/src/util/k5test.py @@ -34,12 +34,12 @@ A sample test script: # Run a test program under a variety of configurations: for realm in multipass_realms(): - realm.run_as_client(['./testprog', 'arg']) + realm.run(['./testprog', 'arg']) # Run a test server and client under just the default configuration: realm = K5Realm() realm.start_server(['./serverprog'], 'starting...') - realm.run_as_client(['./clientprog', realm.host_princ]) + realm.run(['./clientprog', realm.host_princ]) # Inform framework that tests completed successfully. success('World peace and cure for cancer') @@ -48,10 +48,7 @@ By default, the realm will have: * The name KRBTEST.COM * Listener ports starting at 61000 -* Four different krb5.conf files for the client, server, master KDC, - and slave KDC, specifying only the variables necessary for - self-contained test operation -* Two different kdc.conf files for the master and slave KDCs +* krb5.conf and kdc.conf files * A fresh DB2 KDB * Running krb5kdc (but not kadmind) * Principals named realm.user_princ and realm.admin_princ; call @@ -73,15 +70,12 @@ keyword arguments: (path may be specified relative to the current working dir) * krb5_conf={ ... }: krb5.conf options, expressed as a nested - dictionary, to be merged with the default krb5.conf settings. The - top level keys of the dictionary should be 'all' to apply to all - four krb5.conf files, and/or 'client'/'server'/'master'/'slave' to - apply to a particular one. A key may be mapped to None to delete a - setting from the defaults. A key may be mapped to a list in order - to create multiple settings for the same variable name. Keys and - values undergo the following template substitutions: - - - $type: The configuration type (client/server/master/slave) + dictionary, to be merged with the default krb5.conf settings. A key + may be mapped to None to delete a setting from the defaults. A key + may be mapped to a list in order to create multiple settings for the + same variable name. Keys and values undergo the following template + substitutions: + - $realm: The realm name - $testdir: The realm storage directory (absolute path) - $buildtop: The root of the build directory @@ -102,9 +96,8 @@ keyword arguments: - port5 is the return value of realm.server_port() * kdc_conf={...}: kdc.conf options, expressed as a nested dictionary, - to be merged with the default kdc.conf settings. The top level keys - should be 'all' or 'master'/'slave'. The same conventions and - substitutions for krb5_conf apply. + to be merged with the default kdc.conf settings. The same + conventions and substitutions for krb5_conf apply. * create_kdb=False: Don't create a KDB. Implicitly disables all of the other options since they all require a KDB. @@ -123,8 +116,6 @@ keyword arguments: * start_kadmind=True: Start kadmind. -* start_kpropd=True: Start kpropd. - * get_creds=False: Don't get user credentials. Scripts may use the following functions and variables: @@ -210,66 +201,45 @@ Scripts may use the following functions and variables: Scripts may use the following realm methods and attributes: -* realm.run_as_client(args, **keywords): Run a command with an - environment pointing at the client krb5.conf, obeying the +* realm.run(args, env=None, **keywords): Run a command in a specified + environment (or the realm's environment by default), obeying the command-line debugging options. Fail if the command does not return 0. Log the command output appropriately, and return it as a single multi-line string. Keyword arguments can contain input='string' to send an input string to the command, and expected_code=N to expect a return code other than 0. -* Similar methods for the server, master KDC, and slave KDC - environments: - - realm.run_as_server - - realm.run_as_master - - realm.run_as_slave - * realm.server_port(): Returns a port number based on realm.portbase intended for use by server processes. -* realm.start_server(args, sentinel): Start a process in the server - environment. Wait until sentinel appears as a substring of a line - in the server process's stdout or stderr (which are folded - together). Returns a subprocess.Popen object which can be passed to +* realm.start_server(args, sentinel, env=None): Start a daemon + process. Wait until sentinel appears as a substring of a line in + the server process's stdout or stderr (which are folded together). + Returns a subprocess.Popen object which can be passed to stop_daemon() to stop the server, or used to read from the server's output. -* realm.start_in_inetd(args, port=None): Begin a t_inetd process which - will spawn a server process within the server environment after - accepting a client connection. If port is not specified, - realm.server_port() will be used. Returns a process object which - can be passed to stop_daemon() to stop the server. +* realm.start_in_inetd(args, port=None, env=None): Begin a t_inetd + process which will spawn a server process after accepting a client + connection. If port is not specified, realm.server_port() will be + used. Returns a process object which can be passed to stop_daemon() + to stop the server. -* realm.create_kdb(): Create a new master KDB. +* realm.create_kdb(): Create a new KDB. -* realm.start_kdc(args=[]): Start a krb5kdc with the realm's master - KDC environment. Errors if a KDC is already running. If args is - given, it contains a list of additional krb5kdc arguments. +* realm.start_kdc(args=[]): Start a krb5kdc process. Errors if a KDC + is already running. If args is given, it contains a list of + additional krb5kdc arguments. * realm.stop_kdc(): Stop the krb5kdc process. Errors if no KDC is running. -* realm.start_kadmind(): Start a kadmind with the realm's master KDC - environment. Errors if a kadmind is already running. +* realm.start_kadmind(): Start a kadmind process. Errors if a kadmind + is already running. * realm.stop_kadmind(): Stop the kadmind process. Errors if no kadmind is running. -* realm.start_kpropd(args=[]): Start a kpropd with the realm's slave - KDC environment. Errors if a kpropd is already running. If args is - given, it contains a list of additional kpropd arguments. - -* realm.stop_kpropd(): Stop the kpropd process. Errors if no kpropd - is running. - -* realm.read_from_kpropd(): Read a line from the stdout or stderr of - the kpropd process. Most useful if kpropd is started with the -d - option. - -* realm.prod_kpropd(): Send a USR1 signal to a kpropd to make it stop - sleeping and perform an iprop request. kpropd must be running in - iprop mode or a USR1 will simply terminate it. - * realm.stop(): Stop any daemon processes running on behalf of the realm. @@ -306,7 +276,20 @@ Scripts may use the following realm methods and attributes: * realm.run_kadmin(query, **keywords): Run the specified query in kadmin, using realm.kadmin_ccache to authenticate. Accepts the same - keyword arguments as run_as_client. + keyword arguments as run. + +* realm.special_env(name, has_kdc_conf, krb5_conf=None, + kdc_conf=None): Create an environment with a modified krb5.conf + and/or kdc.conf. The specified krb5_conf and kdc_conf fragments, if + any, will be merged with the realm's existing configuration. If + has_kdc_conf is false, the new environment will have no kdc.conf. + The environment returned by this method can be used with realm.run() + or similar methods. + +* realm.start_kpropd(env, args=[]): Start a kpropd process. Pass an + environment created with realm.special_env() for the slave. If args + is given, it contains a list of additional kpropd arguments. + Returns a handle to the kpropd process. * realm.realm: The realm's name. @@ -339,12 +322,8 @@ Scripts may use the following realm methods and attributes: * realm.kadmin_ccache: The ccache file initialized by prep_kadmin and used by run_kadmin. -* Attributes for the client, server, master, and slave environments. - These environments are extensions of os.environ. - - realm.env_client - - realm.env_server - - realm.env_master - - realm.env_slave +* env: The realm's environment, extended from os.environ to point at + the realm's config files and the build tree's shared libraries. When the test script is run, its behavior can be modified with command-line flags. These are documented in the --help output. @@ -737,23 +716,17 @@ class K5Realm(object): self._kdc_conf = _cfg_merge(_default_kdc_conf, kdc_conf) self._kdc_proc = None self._kadmind_proc = None - self._kpropd_proc = None + self._kpropd_procs = [] + krb5_conf_path = os.path.join(self.testdir, 'krb5.conf') + kdc_conf_path = os.path.join(self.testdir, 'kdc.conf') + self.env = self._make_env(krb5_conf_path, kdc_conf_path) self._create_empty_dir() - self._create_krb5_conf('client') - self._create_krb5_conf('server') - self._create_krb5_conf('master') - self._create_krb5_conf('slave') - self._create_kdc_conf('master') - self._create_kdc_conf('slave') + self._create_conf(self._krb5_conf, krb5_conf_path) + self._create_conf(self._kdc_conf, kdc_conf_path) self._create_acl() self._create_dictfile() - self.env_client = self._make_env('client', False) - self.env_server = self._make_env('server', False) - self.env_master = self._make_env('master', True) - self.env_slave = self._make_env('slave', True) - if create_kdb: self.create_kdb() if krbtgt_keysalt and create_kdb: @@ -769,8 +742,6 @@ class K5Realm(object): self.start_kdc() if start_kadmind and create_kdb: self.start_kadmind() - if start_kpropd and create_kdb: - self.start_kpropd() if get_creds and create_kdb and create_user and start_kdc: self.kinit(self.user_princ, password('user')) self.klist(self.user_princ) @@ -782,50 +753,38 @@ class K5Realm(object): fail('Cannot remove %s to create test realm.' % dir) os.mkdir(dir) - def _create_krb5_conf(self, type): - filename = os.path.join(self.testdir, 'krb5.%s.conf' % type) + def _create_conf(self, profile, filename): file = open(filename, 'w') - profile = _cfg_merge(self._krb5_conf['all'], self._krb5_conf.get(type)) for section, contents in profile.items(): file.write('[%s]\n' % section) - self._write_cfg_section(file, type, contents, 1) + self._write_cfg_section(file, contents, 1) file.close() - def _create_kdc_conf(self, type): - filename = os.path.join(self.testdir, 'kdc.%s.conf' % type) - file = open(filename, 'w') - profile = _cfg_merge(self._kdc_conf['all'], self._kdc_conf.get(type)) - for section, contents in profile.items(): - file.write('[%s]\n' % section) - self._write_cfg_section(file, type, contents, 1) - file.close() - - def _write_cfg_section(self, file, type, contents, indent_level): + def _write_cfg_section(self, file, contents, indent_level): indent = '\t' * indent_level for name, value in contents.items(): - name = self._subst_cfg_value(name, type) + name = self._subst_cfg_value(name) if isinstance(value, dict): # A dictionary value yields a list subsection. file.write('%s%s = {\n' % (indent, name)) - self._write_cfg_section(file, type, value, indent_level + 1) + self._write_cfg_section(file, value, indent_level + 1) file.write('%s}\n' % indent) elif isinstance(value, list): # A list value yields multiple values for the same name. for item in value: - item = self._subst_cfg_value(item, type) + item = self._subst_cfg_value(item) file.write('%s%s = %s\n' % (indent, name, item)) elif isinstance(value, str): # A string value yields a straightforward variable setting. - value = self._subst_cfg_value(value, type) + value = self._subst_cfg_value(value) file.write('%s%s = %s\n' % (indent, name, value)) elif value is not None: raise TypeError() - def _subst_cfg_value(self, value, type): + def _subst_cfg_value(self, value): global buildtop, srctop, hostname template = string.Template(value) - return template.substitute(type=type, - realm=self.realm, + return template.substitute(realm=self.realm, testdir=self.testdir, buildtop=buildtop, srctop=srctop, @@ -856,12 +815,10 @@ class K5Realm(object): file.write('weak_password\n') file.close() - def _make_env(self, type, has_kdc_conf): + def _make_env(self, krb5_conf_path, kdc_conf_path): env = _build_env() - env['KRB5_CONFIG'] = os.path.join(self.testdir, 'krb5.%s.conf' % type) - if has_kdc_conf: - filename = os.path.join(self.testdir, 'kdc.%s.conf' % type) - env['KRB5_KDC_PROFILE'] = filename + env['KRB5_CONFIG'] = krb5_conf_path + env['KRB5_KDC_PROFILE'] = kdc_conf_path or os.devnull env['KRB5CCNAME'] = self.ccache env['KRB5_KTNAME'] = self.keytab env['KRB5_CLIENT_KTNAME'] = self.client_keytab @@ -870,38 +827,35 @@ class K5Realm(object): env['KPROP_PORT'] = str(self.portbase + 3) return env - def run_as_client(self, args, **keywords): - return _run_cmd(args, self.env_client, **keywords) - - def run_as_server(self, args, **keywords): - return _run_cmd(args, self.env_server, **keywords) - - def run_as_master(self, args, **keywords): - return _run_cmd(args, self.env_master, **keywords) - - def run_as_slave(self, args, **keywords): - return _run_cmd(args, self.env_slave, **keywords) + def run(self, args, env=None, **keywords): + if env is None: + env = self.env + return _run_cmd(args, env, **keywords) def server_port(self): return self.portbase + 5 - def start_server(self, args, sentinel): - return _start_daemon(args, self.env_server, sentinel) + def start_server(self, args, sentinel, env=None): + if env is None: + env = self.env + return _start_daemon(args, env, sentinel) - def start_in_inetd(self, args, port=None): + def start_in_inetd(self, args, port=None, env=None): if not port: port = self.server_port() + if env is None: + env = self.env inetd_args = [t_inetd, str(port)] + args - return _start_daemon(inetd_args, self.env_server, 'Ready!') + return _start_daemon(inetd_args, env, 'Ready!') def create_kdb(self): global kdb5_util - self.run_as_master([kdb5_util, 'create', '-W', '-s', '-P', 'master']) + self.run([kdb5_util, 'create', '-W', '-s', '-P', 'master']) def start_kdc(self, args=[]): global krb5kdc assert(self._kdc_proc is None) - self._kdc_proc = _start_daemon([krb5kdc, '-n'] + args, self.env_master, + self._kdc_proc = _start_daemon([krb5kdc, '-n'] + args, self.env, 'starting...') def stop_kdc(self): @@ -912,49 +866,35 @@ class K5Realm(object): def start_kadmind(self): global krb5kdc assert(self._kadmind_proc is None) - dump_path = os.path.join(self.testdir, 'master-dump') + dump_path = os.path.join(self.testdir, 'dump') self._kadmind_proc = _start_daemon([kadmind, '-nofork', '-W', '-p', kdb5_util, '-K', kprop, '-F', dump_path], - self.env_master, 'starting...') + self.env, 'starting...') def stop_kadmind(self): assert(self._kadmind_proc is not None) stop_daemon(self._kadmind_proc) self._kadmind_proc = None - def start_kpropd(self, args=[]): + def start_kpropd(self, env, args=[]): global krb5kdc - assert(self._kpropd_proc is None) slavedump_path = os.path.join(self.testdir, 'incoming-slave-datatrans') kpropdacl_path = os.path.join(self.testdir, 'kpropd-acl') - self._kpropd_proc = _start_daemon([kpropd, '-D', '-P', - str(self.portbase + 3), - '-f', slavedump_path, - '-p', kdb5_util, - '-a', kpropdacl_path] + args, - self.env_slave, 'ready') - - def stop_kpropd(self): - assert(self._kpropd_proc is not None) - stop_daemon(self._kpropd_proc) - self._kpropd_proc = None - - def read_from_kpropd(self): - assert(self._kpropd_proc is not None) - return self._kpropd_proc.stdout.readline() - - def prod_kpropd(self): - assert(self._kpropd_proc is not None) - self._kpropd_proc.send_signal(signal.SIGUSR1) + proc = _start_daemon([kpropd, '-D', '-P', str(self.portbase + 3), + '-f', slavedump_path, '-p', kdb5_util, + '-a', kpropdacl_path] + args, env, 'ready') + self._kpropd_procs.append(proc) + return proc def stop(self): if self._kdc_proc: self.stop_kdc() if self._kadmind_proc: self.stop_kadmind() - if self._kpropd_proc: - self.stop_kpropd() + for p in self._kpropd_procs: + stop_daemon(p) + self._kpropd_procs = [] def addprinc(self, princname, password=None): if password: @@ -970,8 +910,7 @@ class K5Realm(object): input = password + "\n" else: input = None - return self.run_as_client([kinit] + flags + [princname], input=input, - **keywords) + return self.run([kinit] + flags + [princname], input=input, **keywords) def klist(self, client_princ, service_princ=None, ccache=None, **keywords): if service_princ is None: @@ -981,7 +920,7 @@ class K5Realm(object): ccachestr = ccache if len(ccachestr) < 2 or ':' not in ccachestr[2:]: ccachestr = 'FILE:' + ccachestr - output = self.run_as_client([klist, ccache], **keywords) + output = self.run([klist, ccache], **keywords) if (('Ticket cache: %s\n' % ccachestr) not in output or ('Default principal: %s\n' % client_princ) not in output or service_princ not in output): @@ -990,7 +929,7 @@ class K5Realm(object): def klist_keytab(self, princ, keytab=None, **keywords): if keytab is None: keytab = self.keytab - output = self.run_as_client([klist, '-k', keytab], **keywords) + output = self.run([klist, '-k', keytab], **keywords) if (('Keytab name: FILE:%s\n' % keytab) not in output or 'KVNO Principal\n----' not in output or princ not in output): @@ -998,7 +937,7 @@ class K5Realm(object): def run_kadminl(self, query): global kadmin_local - return self.run_as_master([kadmin_local, '-q', query]) + return self.run([kadmin_local, '-q', query]) def prep_kadmin(self, princname=None, pw=None, flags=[]): if princname is None: @@ -1009,8 +948,20 @@ class K5Realm(object): '-c', self.kadmin_ccache] + flags) def run_kadmin(self, query, **keywords): - return self.run_as_client([kadmin, '-c', self.kadmin_ccache, - '-q', query], **keywords) + return self.run([kadmin, '-c', self.kadmin_ccache, '-q', query], + **keywords) + + def special_env(self, name, has_kdc_conf, krb5_conf=None, kdc_conf=None): + krb5_conf_path = os.path.join(self.testdir, 'krb5.conf.%s' % name) + krb5_conf = _cfg_merge(self._krb5_conf, krb5_conf) + self._create_conf(krb5_conf, krb5_conf_path) + if has_kdc_conf: + kdc_conf_path = os.path.join(self.testdir, 'kdc.conf.%s' % name) + kdc_conf = _cfg_merge(self._kdc_conf, kdc_conf) + self._create_conf(kdc_conf, kdc_conf_path) + else: + kdc_conf_path = None + return self._make_env(krb5_conf_path, kdc_conf_path) def multipass_realms(**keywords): @@ -1065,7 +1016,7 @@ def cross_realms(num, xtgts=None, args=None, **keywords): 'admin_server' : '$hostname:%d' % (portbase + 1), 'kpasswd_server' : '$hostname:%d' % (portbase + 2) } - realmscfg = { 'all' : { 'realms' : realmsection } } + realmscfg = {'realms': realmsection} # Set realmsection in each realm's krb5_conf keyword argument. for a in realm_args: @@ -1098,65 +1049,34 @@ def cross_realms(num, xtgts=None, args=None, **keywords): _default_krb5_conf = { - 'all' : { - 'libdefaults' : { - 'default_realm' : '$realm', - 'dns_lookup_kdc' : 'false', - 'plugin_base_dir' : '$plugins' - }, - 'realms' : { - '$realm' : { - 'kdc' : '$hostname:$port0', - 'admin_server' : '$hostname:$port1', - 'kpasswd_server' : '$hostname:$port2' - } - } - } -} + 'libdefaults': { + 'default_realm': '$realm', + 'dns_lookup_kdc': 'false', + 'plugin_base_dir': '$plugins'}, + 'realms': {'$realm': { + 'kdc': '$hostname:$port0', + 'admin_server': '$hostname:$port1', + 'kpasswd_server': '$hostname:$port2'}}} _default_kdc_conf = { - 'all' : { - 'realms' : { - '$realm' : { - 'database_module' : 'foo_db2', - 'iprop_port' : '$port4' - } - }, - 'dbmodules' : { - 'db_module_dir' : '$plugins/kdb', - 'foo_db2' : { - 'db_library' : 'db2', - 'database_name' : '$testdir/$type-db' - } - }, - 'logging' : { - 'admin_server' : 'FILE:$testdir/kadmind5.log', - 'kdc' : 'FILE:$testdir/kdc.log', - 'default' : 'FILE:$testdir/others.log' - } - }, - 'master' : { - 'realms' : { - '$realm' : { - 'key_stash_file' : '$testdir/stash', - 'acl_file' : '$testdir/acl', - 'dictfile' : '$testdir/dictfile', - 'kadmind_port' : '$port1', - 'kpasswd_port' : '$port2', - 'kdc_ports' : '$port0', - 'kdc_tcp_ports' : '$port0' - } - } - }, - 'slave' : { - 'realms' : { - '$realm' : { - 'key_stash_file' : '$testdir/slave-stash', - } - } - } -} + 'realms': {'$realm': { + 'database_module': 'db', + 'iprop_port': '$port4', + 'key_stash_file': '$testdir/stash', + 'acl_file': '$testdir/acl', + 'dictfile': '$testdir/dictfile', + 'kadmind_port': '$port1', + 'kpasswd_port': '$port2', + 'kdc_ports': '$port0', + 'kdc_tcp_ports': '$port0'}}, + 'dbmodules': { + 'db_module_dir': '$plugins/kdb', + 'db': {'db_library': 'db2', 'database_name' : '$testdir/db'}}, + 'logging': { + 'admin_server': 'FILE:$testdir/kadmind5.log', + 'kdc': 'FILE:$testdir/kdc.log', + 'default': 'FILE:$testdir/others.log'}} # A pass is a tuple of: name, krbtgt_keysalt, krb5_conf, kdc_conf. @@ -1166,58 +1086,58 @@ _passes = [ # Exercise a DES enctype and the v4 salt type. ('desv4', None, - {'all' : {'libdefaults' : { - 'default_tgs_enctypes' : 'des-cbc-crc', - 'default_tkt_enctypes' : 'des-cbc-crc', - 'permitted_enctypes' : 'des-cbc-crc', - 'allow_weak_crypto' : 'true'}}}, - {'master' : {'realms' : {'$realm' : { - 'supported_enctypes' : 'des-cbc-crc:v4', - 'master_key_type' : 'des-cbc-crc'}}}}), + {'libdefaults': { + 'default_tgs_enctypes': 'des-cbc-crc', + 'default_tkt_enctypes': 'des-cbc-crc', + 'permitted_enctypes': 'des-cbc-crc', + 'allow_weak_crypto': 'true'}}, + {'realms': {'$realm': { + 'supported_enctypes': 'des-cbc-crc:v4', + 'master_key_type': 'des-cbc-crc'}}}), # Exercise the DES3 enctype. ('des3', None, - {'all' : {'libdefaults' : { - 'default_tgs_enctypes' : 'des3', - 'default_tkt_enctypes' : 'des3', - 'permitted_enctypes' : 'des3'}}}, - {'master' : {'realms' : {'$realm' : { - 'supported_enctypes' : 'des3-cbc-sha1:normal', - 'master_key_type' : 'des3-cbc-sha1'}}}}), + {'libdefaults': { + 'default_tgs_enctypes': 'des3', + 'default_tkt_enctypes': 'des3', + 'permitted_enctypes': 'des3'}}, + {'realms': {'$realm': { + 'supported_enctypes': 'des3-cbc-sha1:normal', + 'master_key_type': 'des3-cbc-sha1'}}}), # Exercise the arcfour enctype. ('arcfour', None, - {'all' : {'libdefaults' : { - 'default_tgs_enctypes' : 'rc4', - 'default_tkt_enctypes' : 'rc4', - 'permitted_enctypes' : 'rc4'}}}, - {'master' : {'realms' : {'$realm' : { - 'supported_enctypes' : 'arcfour-hmac:normal', - 'master_key_type' : 'arcfour-hmac'}}}}), + {'libdefaults': { + 'default_tgs_enctypes': 'rc4', + 'default_tkt_enctypes': 'rc4', + 'permitted_enctypes': 'rc4'}}, + {'realms': {'$realm': { + 'supported_enctypes': 'arcfour-hmac:normal', + 'master_key_type': 'arcfour-hmac'}}}), # Exercise the AES128 enctype. ('aes128', None, - {'all' : {'libdefaults' : { - 'default_tgs_enctypes' : 'aes128-cts', - 'default_tkt_enctypes' : 'aes128-cts', - 'permitted_enctypes' : 'aes128-cts'}}}, - {'master' : {'realms' : {'$realm' : { - 'supported_enctypes' : 'aes128-cts:normal', - 'master_key_type' : 'aes128-cts'}}}}), + {'libdefaults': { + 'default_tgs_enctypes': 'aes128-cts', + 'default_tkt_enctypes': 'aes128-cts', + 'permitted_enctypes': 'aes128-cts'}}, + {'realms': {'$realm': { + 'supported_enctypes': 'aes128-cts:normal', + 'master_key_type': 'aes128-cts'}}}), # Exercise the camellia256-cts enctype. ('camellia256', None, - {'all' : {'libdefaults' : { - 'default_tgs_enctypes' : 'camellia256-cts', - 'default_tkt_enctypes' : 'camellia256-cts', - 'permitted_enctypes' : 'camellia256-cts'}}}, - {'master' : {'realms' : {'$realm' : { - 'supported_enctypes' : 'camellia256-cts:normal', - 'master_key_type' : 'camellia256-cts'}}}}), + {'libdefaults': { + 'default_tgs_enctypes': 'camellia256-cts', + 'default_tkt_enctypes': 'camellia256-cts', + 'permitted_enctypes': 'camellia256-cts'}}, + {'realms': {'$realm': { + 'supported_enctypes': 'camellia256-cts:normal', + 'master_key_type': 'camellia256-cts'}}}), # Test a setup with modern principal keys but an old TGT key. ('aes256.destgt', 'des-cbc-crc:normal', - {'all' : {'libdefaults' : {'allow_weak_crypto' : 'true'}}}, + {'libdefaults': {'allow_weak_crypto': 'true'}}, None) ] diff --git a/src/util/testrealm.py b/src/util/testrealm.py index 0bf976d40f..fba3ae0799 100644 --- a/src/util/testrealm.py +++ b/src/util/testrealm.py @@ -60,7 +60,7 @@ if args: realm = realms[0] else: realm = K5Realm(start_kadmind=True) -env = realm.env_master.copy() +env = realm.env.copy() supplement_path(env) pwfilename = os.path.join('testdir', 'passwords') |