diff options
Diffstat (limited to 'src/tests')
| -rw-r--r-- | src/tests/gssapi/t_ccselect.py | 41 | ||||
| -rw-r--r-- | src/tests/gssapi/t_client_keytab.py | 76 | ||||
| -rw-r--r-- | src/tests/gssapi/t_export_cred.py | 4 | ||||
| -rwxr-xr-x | src/tests/gssapi/t_gssapi.py | 89 | ||||
| -rw-r--r-- | src/tests/gssapi/t_s4u.py | 23 | ||||
| -rw-r--r-- | src/tests/t_allowed_keysalts.py | 3 | ||||
| -rw-r--r-- | src/tests/t_anonpkinit.py | 25 | ||||
| -rw-r--r-- | src/tests/t_ccache.py | 39 | ||||
| -rw-r--r-- | src/tests/t_crossrealm.py | 39 | ||||
| -rwxr-xr-x | src/tests/t_general.py | 18 | ||||
| -rw-r--r-- | src/tests/t_iprop.py | 89 | ||||
| -rw-r--r-- | src/tests/t_kadm5_hook.py | 10 | ||||
| -rw-r--r-- | src/tests/t_kadmin_acl.py | 2 | ||||
| -rw-r--r-- | src/tests/t_kdb.py | 36 | ||||
| -rw-r--r-- | src/tests/t_kdb_locking.py | 8 | ||||
| -rw-r--r-- | src/tests/t_keyrollover.py | 20 | ||||
| -rw-r--r-- | src/tests/t_keytab.py | 24 | ||||
| -rw-r--r-- | src/tests/t_lockout.py | 8 | ||||
| -rw-r--r-- | src/tests/t_pwhist.py | 4 | ||||
| -rw-r--r-- | src/tests/t_referral.py | 8 | ||||
| -rw-r--r-- | src/tests/t_sesskeynego.py | 44 | ||||
| -rw-r--r-- | src/tests/t_skew.py | 14 |
22 files changed, 285 insertions, 339 deletions
diff --git a/src/tests/gssapi/t_ccselect.py b/src/tests/gssapi/t_ccselect.py index 6b7bce6171..8858fa8680 100644 --- a/src/tests/gssapi/t_ccselect.py +++ b/src/tests/gssapi/t_ccselect.py @@ -42,27 +42,21 @@ gssserver = 'h:host@' + hostname # .k5identity rules since it has unknown type. refserver = 'p:host/' + hostname + '@' -# Make each realm's keytab contain entries for both realm's servers. -#r1.run_as_client(['/bin/sh', '-c', '(echo rkt %s; echo wkt %s) | %s' % -# (r2.keytab, r1.keytab, ktutil)]) -#r1.run_as_client(['/bin/sh', '-c', '(echo rkt %s; echo wkt %s) | %s' % -# (r1.keytab, r2.keytab, ktutil)]) - # Verify that we can't get initiator creds with no credentials in the # collection. -output = r1.run_as_client(['./t_ccselect', host1, '-'], expected_code=1) +output = r1.run(['./t_ccselect', host1, '-'], expected_code=1) if 'No Kerberos credentials available' not in output: fail('Expected error not seen in output when no credentials available') # Make a directory collection and use it for client commands in both realms. ccdir = os.path.join(r1.testdir, 'cc') ccname = 'DIR:' + ccdir -r1.env_client['KRB5CCNAME'] = ccname -r2.env_client['KRB5CCNAME'] = ccname +r1.env['KRB5CCNAME'] = ccname +r2.env['KRB5CCNAME'] = ccname # Use .k5identity from testdir and not from the tester's homedir. -r1.env_client['HOME'] = r1.testdir -r2.env_client['HOME'] = r1.testdir +r1.env['HOME'] = r1.testdir +r2.env['HOME'] = r1.testdir # Create two users in r1 and one in r2. alice='alice@KRBTEST.COM' @@ -77,32 +71,32 @@ r1.kinit(alice, password('alice')) r2.kinit(zaphod, password('zaphod')) # Check that we can find a cache for a specified client principal. -output = r1.run_as_client(['./t_ccselect', host1, 'p:' + alice]) +output = r1.run(['./t_ccselect', host1, 'p:' + alice]) if output != (alice + '\n'): fail('alice not chosen when specified') -output = r2.run_as_client(['./t_ccselect', host2, 'p:' + zaphod]) +output = r2.run(['./t_ccselect', host2, 'p:' + zaphod]) if output != (zaphod + '\n'): fail('zaphod not chosen when specified') # Check that we can guess a cache based on the service realm. -output = r1.run_as_client(['./t_ccselect', host1]) +output = r1.run(['./t_ccselect', host1]) if output != (alice + '\n'): fail('alice not chosen as default initiator cred for server in r1') -output = r1.run_as_client(['./t_ccselect', host1, '-']) +output = r1.run(['./t_ccselect', host1, '-']) if output != (alice + '\n'): fail('alice not chosen as default initiator name for server in r1') -output = r2.run_as_client(['./t_ccselect', host2]) +output = r2.run(['./t_ccselect', host2]) if output != (zaphod + '\n'): fail('zaphod not chosen as default initiator cred for server in r1') -output = r2.run_as_client(['./t_ccselect', host2, '-']) +output = r2.run(['./t_ccselect', host2, '-']) if output != (zaphod + '\n'): fail('zaphod not chosen as default initiator name for server in r1') # Check that primary cache is used if server realm is unknown. -output = r2.run_as_client(['./t_ccselect', gssserver]) +output = r2.run(['./t_ccselect', gssserver]) if output != (zaphod + '\n'): fail('zaphod not chosen via primary cache for unknown server realm') -r1.run_as_client(['./t_ccselect', gssserver], expected_code=1) +r1.run(['./t_ccselect', gssserver], expected_code=1) # Get a second cred in r1 (bob will be primary). r1.kinit(bob, password('bob')) @@ -113,17 +107,16 @@ k5id.write('%s realm=%s\n' % (alice, r1.realm)) k5id.write('%s service=ho*t host=%s\n' % (zaphod, hostname)) k5id.write('noprinc service=bogus') k5id.close() -output = r1.run_as_client(['./t_ccselect', host1]) +output = r1.run(['./t_ccselect', host1]) if output != (alice + '\n'): fail('alice not chosen via .k5identity realm line.') -output = r2.run_as_client(['./t_ccselect', gssserver]) +output = r2.run(['./t_ccselect', gssserver]) if output != (zaphod + '\n'): fail('zaphod not chosen via .k5identity service/host line.') -output = r1.run_as_client(['./t_ccselect', refserver]) +output = r1.run(['./t_ccselect', refserver]) if output != (bob + '\n'): fail('bob not chosen via primary cache when no .k5identity line matches.') -output = r1.run_as_client(['./t_ccselect', 'h:bogus@' + hostname], - expected_code=1) +output = r1.run(['./t_ccselect', 'h:bogus@' + hostname], expected_code=1) if 'Can\'t find client principal noprinc' not in output: fail('Expected error not seen when k5identity selects bad principal.') diff --git a/src/tests/gssapi/t_client_keytab.py b/src/tests/gssapi/t_client_keytab.py index 71566a5d36..484aacde30 100644 --- a/src/tests/gssapi/t_client_keytab.py +++ b/src/tests/gssapi/t_client_keytab.py @@ -9,126 +9,126 @@ phost = 'p:' + realm.host_princ puser = 'p:' + realm.user_princ pbob = 'p:' + bob gssserver = 'h:host@' + hostname -realm.env_client['HOME'] = realm.testdir +realm.env['HOME'] = realm.testdir realm.addprinc(bob, password('bob')) realm.extract_keytab(realm.user_princ, realm.client_keytab) realm.extract_keytab(bob, realm.client_keytab) # Test 1: no name/cache specified, pick first principal from client keytab -out = realm.run_as_client(['./t_ccselect', phost]) +out = realm.run(['./t_ccselect', phost]) if realm.user_princ not in out: fail('Authenticated as wrong principal') -realm.run_as_client([kdestroy]) +realm.run([kdestroy]) # Test 2: no name/cache specified, pick principal from k5identity k5idname = os.path.join(realm.testdir, '.k5identity') k5id = open(k5idname, 'w') k5id.write('%s service=host host=%s\n' % (bob, hostname)) k5id.close() -out = realm.run_as_client(['./t_ccselect', gssserver]) +out = realm.run(['./t_ccselect', gssserver]) if bob not in out: fail('Authenticated as wrong principal') os.remove(k5idname) -realm.run_as_client([kdestroy]) +realm.run([kdestroy]) # Test 3: no name/cache specified, default ccache has name but no creds -realm.run_as_client(['./ccinit', realm.ccache, bob]) -out = realm.run_as_client(['./t_ccselect', phost]) +realm.run(['./ccinit', realm.ccache, bob]) +out = realm.run(['./t_ccselect', phost]) if bob not in out: fail('Authenticated as wrong principal') # Leave tickets for next test. # Test 4: name specified, non-collectable default cache doesn't match -out = realm.run_as_client(['./t_ccselect', phost, puser], expected_code=1) +out = realm.run(['./t_ccselect', phost, puser], expected_code=1) if 'Principal in credential cache does not match desired name' not in out: fail('Expected error not seen') -realm.run_as_client([kdestroy]) +realm.run([kdestroy]) # Test 5: name specified, nonexistent default cache -out = realm.run_as_client(['./t_ccselect', phost, pbob]) +out = realm.run(['./t_ccselect', phost, pbob]) if bob not in out: fail('Authenticated as wrong principal') # Leave tickets for next test. # Test 6: name specified, matches default cache, time to refresh -realm.run_as_client(['./ccrefresh', realm.ccache, '1']) -out = realm.run_as_client(['./t_ccselect', phost, pbob]) +realm.run(['./ccrefresh', realm.ccache, '1']) +out = realm.run(['./t_ccselect', phost, pbob]) if bob not in out: fail('Authenticated as wrong principal') -out = realm.run_as_client(['./ccrefresh', realm.ccache]) +out = realm.run(['./ccrefresh', realm.ccache]) if int(out) < 1000: fail('Credentials apparently not refreshed') -realm.run_as_client([kdestroy]) +realm.run([kdestroy]) # Test 7: empty ccache specified, pick first principal from client keytab -realm.run_as_client(['./t_imp_cred', phost]) +realm.run(['./t_imp_cred', phost]) realm.klist(realm.user_princ) -realm.run_as_client([kdestroy]) +realm.run([kdestroy]) # Test 8: ccache specified with name but no creds; name not in client keytab -realm.run_as_client(['./ccinit', realm.ccache, realm.host_princ]) -out = realm.run_as_client(['./t_imp_cred', phost], expected_code=1) +realm.run(['./ccinit', realm.ccache, realm.host_princ]) +out = realm.run(['./t_imp_cred', phost], expected_code=1) if 'Credential cache is empty' not in out: fail('Expected error not seen') -realm.run_as_client([kdestroy]) +realm.run([kdestroy]) # Test 9: ccache specified with name but no creds; name in client keytab -realm.run_as_client(['./ccinit', realm.ccache, bob]) -realm.run_as_client(['./t_imp_cred', phost]) +realm.run(['./ccinit', realm.ccache, bob]) +realm.run(['./t_imp_cred', phost]) realm.klist(bob) # Leave tickets for next test. # Test 10: ccache specified with creds, time to refresh -realm.run_as_client(['./ccrefresh', realm.ccache, '1']) -realm.run_as_client(['./t_imp_cred', phost]) +realm.run(['./ccrefresh', realm.ccache, '1']) +realm.run(['./t_imp_cred', phost]) realm.klist(bob) -out = realm.run_as_client(['./ccrefresh', realm.ccache]) +out = realm.run(['./ccrefresh', realm.ccache]) if int(out) < 1000: fail('Credentials apparently not refreshed') -realm.run_as_client([kdestroy]) +realm.run([kdestroy]) # Use a cache collection for the remaining tests. ccdir = os.path.join(realm.testdir, 'cc') ccname = 'DIR:' + ccdir os.mkdir(ccdir) -realm.env_client['KRB5CCNAME'] = ccname +realm.env['KRB5CCNAME'] = ccname # Test 11: name specified, matching cache in collection with no creds bobcache = os.path.join(ccdir, 'tktbob') -realm.run_as_client(['./ccinit', bobcache, bob]) -out = realm.run_as_client(['./t_ccselect', phost, pbob]) +realm.run(['./ccinit', bobcache, bob]) +out = realm.run(['./t_ccselect', phost, pbob]) if bob not in out: fail('Authenticated as wrong principal') # Leave tickets for next test. # Test 12: name specified, matching cache in collection, time to refresh -realm.run_as_client(['./ccrefresh', bobcache, '1']) -out = realm.run_as_client(['./t_ccselect', phost, pbob]) +realm.run(['./ccrefresh', bobcache, '1']) +out = realm.run(['./t_ccselect', phost, pbob]) if bob not in out: fail('Authenticated as wrong principal') -out = realm.run_as_client(['./ccrefresh', bobcache]) +out = realm.run(['./ccrefresh', bobcache]) if int(out) < 1000: fail('Credentials apparently not refreshed') -realm.run_as_client([kdestroy, '-A']) +realm.run([kdestroy, '-A']) # Test 13: name specified, collection has default for different principal realm.kinit(realm.user_princ, password('user')) -out = realm.run_as_client(['./t_ccselect', phost, pbob]) +out = realm.run(['./t_ccselect', phost, pbob]) if bob not in out: fail('Authenticated as wrong principal') -out = realm.run_as_client([klist]) +out = realm.run([klist]) if 'Default principal: %s\n' % realm.user_princ not in out: fail('Default cache overwritten by acquire_cred') -realm.run_as_client([kdestroy, '-A']) +realm.run([kdestroy, '-A']) # Test 14: name specified, collection has no default cache -out = realm.run_as_client(['./t_ccselect', phost, pbob]) +out = realm.run(['./t_ccselect', phost, pbob]) if bob not in out: fail('Authenticated as wrong principal') # Make sure the tickets we acquired didn't become the default -out = realm.run_as_client([klist], expected_code=1) +out = realm.run([klist], expected_code=1) if 'No credentials cache found' not in out: fail('Expected error not seen') -realm.run_as_client([kdestroy, '-A']) +realm.run([kdestroy, '-A']) success('Client keytab tests') diff --git a/src/tests/gssapi/t_export_cred.py b/src/tests/gssapi/t_export_cred.py index 3f7b6576d9..53dd13c910 100644 --- a/src/tests/gssapi/t_export_cred.py +++ b/src/tests/gssapi/t_export_cred.py @@ -19,8 +19,8 @@ def ccache_restore(realm): # forwarded cred into the default ccache. def check(realm, args): ccache_restore(realm) - realm.run_as_client(['./t_export_cred'] + args) - output = realm.run_as_client([klist, '-f']) + realm.run(['./t_export_cred'] + args) + output = realm.run([klist, '-f']) if 'Flags: Ff' not in output: fail('Forwarded tickets not found in ccache after t_export_cred') diff --git a/src/tests/gssapi/t_gssapi.py b/src/tests/gssapi/t_gssapi.py index e453b7170a..5f1d5d1ff5 100755 --- a/src/tests/gssapi/t_gssapi.py +++ b/src/tests/gssapi/t_gssapi.py @@ -3,7 +3,7 @@ from k5test import * # Test krb5 negotiation under SPNEGO for all enctype configurations. for realm in multipass_realms(): - realm.run_as_client(['./t_spnego','p:' + realm.host_princ, realm.keytab]) + realm.run(['./t_spnego','p:' + realm.host_princ, realm.keytab]) ### Test acceptor name behavior. @@ -24,79 +24,75 @@ realm.run_kadminl('renprinc -force service1/abraham service1/andrew') # Test with no acceptor name, including client/keytab principal # mismatch (non-fatal) and missing keytab entry (fatal). -output = realm.run_as_client(['./t_accname', 'p:service1/andrew']) +output = realm.run(['./t_accname', 'p:service1/andrew']) if 'service1/abraham' not in output: fail('Expected service1/abraham in t_accname output') -output = realm.run_as_client(['./t_accname', 'p:service1/barack']) +output = realm.run(['./t_accname', 'p:service1/barack']) if 'service1/barack' not in output: fail('Expected service1/barack in t_accname output') -output = realm.run_as_client(['./t_accname', 'p:service2/calvin']) +output = realm.run(['./t_accname', 'p:service2/calvin']) if 'service2/calvin' not in output: fail('Expected service1/barack in t_accname output') -output = realm.run_as_client(['./t_accname', 'p:service2/dwight'], - expected_code=1) +output = realm.run(['./t_accname', 'p:service2/dwight'], expected_code=1) if 'Wrong principal in request' not in output: fail('Expected error message not seen in t_accname output') # Test with acceptor name containing service only, including # client/keytab hostname mismatch (non-fatal) and service name # mismatch (fatal). -output = realm.run_as_client(['./t_accname', 'p:service1/andrew', - 'h:service1']) +output = realm.run(['./t_accname', 'p:service1/andrew', 'h:service1']) if 'service1/abraham' not in output: fail('Expected service1/abraham in t_accname output') -output = realm.run_as_client(['./t_accname', 'p:service1/andrew', - 'h:service2'], expected_code=1) +output = realm.run(['./t_accname', 'p:service1/andrew', 'h:service2'], + expected_code=1) if 'Wrong principal in request' not in output: fail('Expected error message not seen in t_accname output') -output = realm.run_as_client(['./t_accname', 'p:service2/calvin', - 'h:service2']) +output = realm.run(['./t_accname', 'p:service2/calvin', 'h:service2']) if 'service2/calvin' not in output: fail('Expected service2/calvin in t_accname output') -output = realm.run_as_client(['./t_accname', 'p:service2/calvin', - 'h:service1'], expected_code=1) +output = realm.run(['./t_accname', 'p:service2/calvin', 'h:service1'], + expected_code=1) if 'Wrong principal in request' not in output: fail('Expected error message not seen in t_accname output') # Test with acceptor name containing service and host. Use the # client's un-canonicalized hostname as acceptor input to mirror what # many servers do. -output = realm.run_as_client(['./t_accname', 'p:' + realm.host_princ, - 'h:host@%s' % socket.gethostname()]) +output = realm.run(['./t_accname', 'p:' + realm.host_princ, + 'h:host@%s' % socket.gethostname()]) if realm.host_princ not in output: fail('Expected %s in t_accname output' % realm.host_princ) -output = realm.run_as_client(['./t_accname', 'p:host/-nomatch-', - 'h:host@%s' % socket.gethostname()], - expected_code=1) +output = realm.run(['./t_accname', 'p:host/-nomatch-', + 'h:host@%s' % socket.gethostname()], + expected_code=1) if 'Wrong principal in request' not in output: fail('Expected error message not seen in t_accname output') # Test krb5_gss_import_cred. -realm.run_as_client(['./t_imp_cred', 'p:service1/barack']) -realm.run_as_client(['./t_imp_cred', 'p:service1/barack', 'service1/barack']) -realm.run_as_client(['./t_imp_cred', 'p:service1/andrew', 'service1/abraham']) -output = realm.run_as_client(['./t_imp_cred', 'p:service2/dwight'], - expected_code=1) +realm.run(['./t_imp_cred', 'p:service1/barack']) +realm.run(['./t_imp_cred', 'p:service1/barack', 'service1/barack']) +realm.run(['./t_imp_cred', 'p:service1/andrew', 'service1/abraham']) +output = realm.run(['./t_imp_cred', 'p:service2/dwight'], expected_code=1) if 'Wrong principal in request' not in output: fail('Expected error message not seen in t_imp_cred output') # Test credential store extension. tmpccname = 'FILE:' + os.path.join(realm.testdir, 'def_cache') -realm.env_client['KRB5CCNAME'] = tmpccname +realm.env['KRB5CCNAME'] = tmpccname storagecache = 'FILE:' + os.path.join(realm.testdir, 'user_store') servicekeytab = os.path.join(realm.testdir, 'kt') service_cs = 'service/cs@%s' % realm.realm realm.addprinc(service_cs) realm.extract_keytab(service_cs, servicekeytab) realm.kinit(service_cs, None, ['-k', '-t', servicekeytab]) -output = realm.run_as_client(['./t_credstore', service_cs, '--cred_store', - 'ccache', storagecache, 'keytab', servicekeytab]) +output = realm.run(['./t_credstore', service_cs, '--cred_store', + 'ccache', storagecache, 'keytab', servicekeytab]) if 'Cred Store Success' not in output: fail('Expected test to succeed') # Verify that we can't acquire acceptor creds without a keytab. os.remove(realm.keytab) -output = realm.run_as_client(['./t_accname', 'p:abc'], expected_code=1) +output = realm.run(['./t_accname', 'p:abc'], expected_code=1) if ('gss_acquire_cred: Keytab' not in output or 'nonexistent or empty' not in output): fail('Expected error message not seen for nonexistent keytab') @@ -105,13 +101,12 @@ realm.stop() # Re-run the last acceptor name test with ignore_acceptor_hostname set # and the principal for the mismatching hostname in the keytab. -ignore_conf = { 'all' : { 'libdefaults' : { - 'ignore_acceptor_hostname' : 'true' } } } +ignore_conf = {'libdefaults': {'ignore_acceptor_hostname': 'true'}} realm = K5Realm(krb5_conf=ignore_conf) realm.run_kadminl('addprinc -randkey host/-nomatch-') realm.run_kadminl('xst host/-nomatch-') -output = realm.run_as_client(['./t_accname', 'p:host/-nomatch-', - 'h:host@%s' % socket.gethostname()]) +output = realm.run(['./t_accname', 'p:host/-nomatch-', + 'h:host@%s' % socket.gethostname()]) if 'host/-nomatch-' not in output: fail('Expected host/-nomatch- in t_accname output') @@ -122,31 +117,31 @@ realm.stop() realm = K5Realm() # Test deferred resolution of the default ccache for initiator creds. -output = realm.run_as_client(['./t_inq_cred']) +output = realm.run(['./t_inq_cred']) if realm.user_princ not in output: fail('Expected %s in t_inq_cred output' % realm.user_princ) -output = realm.run_as_client(['./t_inq_cred', '-k']) +output = realm.run(['./t_inq_cred', '-k']) if realm.user_princ not in output: fail('Expected %s in t_inq_cred output' % realm.user_princ) -output = realm.run_as_client(['./t_inq_cred', '-s']) +output = realm.run(['./t_inq_cred', '-s']) if realm.user_princ not in output: fail('Expected %s in t_inq_cred output' % realm.user_princ) # Test picking a name from the keytab for acceptor creds. -output = realm.run_as_client(['./t_inq_cred', '-a']) +output = realm.run(['./t_inq_cred', '-a']) if realm.host_princ not in output: fail('Expected %s in t_inq_cred output' % realm.host_princ) -output = realm.run_as_client(['./t_inq_cred', '-k', '-a']) +output = realm.run(['./t_inq_cred', '-k', '-a']) if realm.host_princ not in output: fail('Expected %s in t_inq_cred output' % realm.host_princ) -output = realm.run_as_client(['./t_inq_cred', '-s', '-a']) +output = realm.run(['./t_inq_cred', '-s', '-a']) if realm.host_princ not in output: fail('Expected %s in t_inq_cred output' % realm.host_princ) # Test client keytab initiation (non-deferred) with a specified name. realm.extract_keytab(realm.user_princ, realm.client_keytab) os.remove(realm.ccache) -output = realm.run_as_client(['./t_inq_cred', '-k']) +output = realm.run(['./t_inq_cred', '-k']) if realm.user_princ not in output: fail('Expected %s in t_inq_cred output' % realm.user_princ) @@ -154,34 +149,34 @@ if realm.user_princ not in output: os.remove(realm.client_keytab) os.remove(realm.ccache) shutil.copyfile(realm.keytab, realm.client_keytab) -output = realm.run_as_client(['./t_inq_cred', '-k', '-b']) +output = realm.run(['./t_inq_cred', '-k', '-b']) if realm.host_princ not in output: fail('Expected %s in t_inq_cred output' % realm.host_princ) # Test gss_export_name behavior. -out = realm.run_as_client(['./t_export_name', 'u:x']) +out = realm.run(['./t_export_name', 'u:x']) if out != '0401000B06092A864886F7120102020000000D78404B5242544553542E434F4D\n': fail('Unexpected output from t_export_name (krb5 username)') -output = realm.run_as_client(['./t_export_name', '-s', 'u:xyz']) +output = realm.run(['./t_export_name', '-s', 'u:xyz']) if output != '0401000806062B06010505020000000378797A\n': fail('Unexpected output from t_export_name (SPNEGO username)') -output = realm.run_as_client(['./t_export_name', 'p:a@b']) +output = realm.run(['./t_export_name', 'p:a@b']) if output != '0401000B06092A864886F71201020200000003614062\n': fail('Unexpected output from t_export_name (krb5 principal)') -output = realm.run_as_client(['./t_export_name', '-s', 'p:a@b']) +output = realm.run(['./t_export_name', '-s', 'p:a@b']) if output != '0401000806062B060105050200000003614062\n': fail('Unexpected output from t_export_name (SPNEGO krb5 principal)') # Test gss_inquire_mechs_for_name behavior. krb5_mech = '{ 1 2 840 113554 1 2 2 }' spnego_mech = '{ 1 3 6 1 5 5 2 }' -out = realm.run_as_client(['./t_inq_mechs_name', 'p:a@b']) +out = realm.run(['./t_inq_mechs_name', 'p:a@b']) if krb5_mech not in out: fail('t_inq_mechs_name (principal)') -out = realm.run_as_client(['./t_inq_mechs_name', 'u:x']) +out = realm.run(['./t_inq_mechs_name', 'u:x']) if krb5_mech not in out or spnego_mech not in out: fail('t_inq_mecs_name (user)') -out = realm.run_as_client(['./t_inq_mechs_name', 'h:host']) +out = realm.run(['./t_inq_mechs_name', 'h:host']) if krb5_mech not in out or spnego_mech not in out: fail('t_inq_mecs_name (hostbased)') diff --git a/src/tests/gssapi/t_s4u.py b/src/tests/gssapi/t_s4u.py index cd67591019..67dc810349 100644 --- a/src/tests/gssapi/t_s4u.py +++ b/src/tests/gssapi/t_s4u.py @@ -24,17 +24,17 @@ realm.kinit(service1, None, ['-f', '-k']) # at the S4U2Proxy step since the DB2 back end currently has no # support for allowing it. realm.kinit(realm.user_princ, password('user'), ['-f', '-c', usercache]) -output = realm.run_as_server(['./t_s4u2proxy_krb5', usercache, storagecache, - '-', pservice1, pservice2], expected_code=1) +output = realm.run(['./t_s4u2proxy_krb5', usercache, storagecache, '-', + pservice1, pservice2], expected_code=1) if ('auth1: ' + realm.user_princ not in output or 'NOT_ALLOWED_TO_DELEGATE' not in output): fail('krb5 -> s4u2proxy') # Again with SPNEGO. Bug #7045 prevents us from checking the error # message, but we can at least exercise the code. -output = realm.run_as_server(['./t_s4u2proxy_krb5', '--spnego', usercache, - storagecache, '-', pservice1, pservice2], - expected_code=1) +output = realm.run(['./t_s4u2proxy_krb5', '--spnego', usercache, storagecache, + '-', pservice1, pservice2], + expected_code=1) if ('auth1: ' + realm.user_princ not in output): fail('krb5 -> s4u2proxy (SPNEGO)') @@ -42,18 +42,18 @@ if ('auth1: ' + realm.user_princ not in output): # result in no delegated credential being created by # accept_sec_context. realm.kinit(realm.user_princ, password('user'), ['-c', usercache]) -output = realm.run_as_server(['./t_s4u2proxy_krb5', usercache, storagecache, - pservice1, pservice1, pservice2]) +output = realm.run(['./t_s4u2proxy_krb5', usercache, storagecache, pservice1, + pservice1, pservice2]) if 'no credential delegated' not in output: fail('krb5 -> no delegated cred') # Try S4U2Self. Ask for an S4U2Proxy step; this won't happen because # service/1 isn't allowed to get a forwardable S4U2Self ticket. -output = realm.run_as_server(['./t_s4u', puser, pservice2]) +output = realm.run(['./t_s4u', puser, pservice2]) if ('Warning: no delegated cred handle' not in output or 'Source name:\t' + realm.user_princ not in output): fail('s4u2self') -output = realm.run_as_server(['./t_s4u', '--spnego', puser, pservice2]) +output = realm.run(['./t_s4u', '--spnego', puser, pservice2]) if ('Warning: no delegated cred handle' not in output or 'Source name:\t' + realm.user_princ not in output): fail('s4u2self (SPNEGO)') @@ -61,7 +61,7 @@ if ('Warning: no delegated cred handle' not in output or # Correct that problem and try again. As above, the S4U2Proxy step # won't actually succeed since we don't support that in DB2. realm.run_kadminl('modprinc +ok_to_auth_as_delegate ' + service1) -output = realm.run_as_server(['./t_s4u', puser, pservice2], expected_code=1) +output = realm.run(['./t_s4u', puser, pservice2], expected_code=1) if 'NOT_ALLOWED_TO_DELEGATE' not in output: fail('s4u2self') @@ -70,8 +70,7 @@ if 'NOT_ALLOWED_TO_DELEGATE' not in output: # a krb5 cred, not a SPNEGO cred, and t_s4u uses the delegated cred # directly rather than saving and reacquiring it) so bug #7045 does # not apply and we can verify the error message. -output = realm.run_as_server(['./t_s4u', '--spnego', puser, pservice2], - expected_code=1) +output = realm.run(['./t_s4u', '--spnego', puser, pservice2], expected_code=1) if 'NOT_ALLOWED_TO_DELEGATE' not in output: fail('s4u2self') diff --git a/src/tests/t_allowed_keysalts.py b/src/tests/t_allowed_keysalts.py index 8c763358aa..e7b7833ed3 100644 --- a/src/tests/t_allowed_keysalts.py +++ b/src/tests/t_allowed_keysalts.py @@ -2,8 +2,7 @@ from k5test import * import re -krb5_conf1 = {'all': {'libdefaults': { - 'supported_enctypes': 'aes256-cts'}}} +krb5_conf1 = {'libdefaults': {'supported_enctypes': 'aes256-cts'}} realm = K5Realm(krb5_conf=krb5_conf1, create_host=False, get_creds=False) diff --git a/src/tests/t_anonpkinit.py b/src/tests/t_anonpkinit.py index 7ae955d17e..03b2fdd686 100644 --- a/src/tests/t_anonpkinit.py +++ b/src/tests/t_anonpkinit.py @@ -12,29 +12,22 @@ ca_pem = os.path.join(certs, 'ca.pem') kdc_pem = os.path.join(certs, 'kdc.pem') privkey_pem = os.path.join(certs, 'privkey.pem') pkinit_krb5_conf = { - 'all' : { - 'libdefaults' : { - 'pkinit_anchors' : 'FILE:' + ca_pem - }, - 'realms' : { - '$realm' : { - 'pkinit_anchors' : 'FILE:%s' % ca_pem, - 'pkinit_identity' : 'FILE:%s,%s' % (kdc_pem, privkey_pem), - } - } - } -} + 'libdefaults': { + 'pkinit_anchors': 'FILE:' + ca_pem}, + 'realms': {'$realm': { + 'pkinit_anchors': 'FILE:%s' % ca_pem, + 'pkinit_identity': 'FILE:%s,%s' % (kdc_pem, privkey_pem)}}} restrictive_kdc_conf = { - 'all': { 'realms' : { '$realm' : { - 'restrict_anonymous_to_tgt' : 'true' } } } } + 'realms': {'$realm' : { + 'restrict_anonymous_to_tgt': 'true' }}} # In the basic test, anonymous is not restricted, so kvno should succeed. realm = K5Realm(krb5_conf=pkinit_krb5_conf, create_user=False) realm.addprinc('WELLKNOWN/ANONYMOUS') realm.kinit('@%s' % realm.realm, flags=['-n']) realm.klist('WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS') -realm.run_as_client([kvno, realm.host_princ]) +realm.run([kvno, realm.host_princ]) realm.stop() # Now try again with anonymous restricted; kvno should fail. @@ -44,6 +37,6 @@ realm.addprinc('WELLKNOWN/ANONYMOUS') realm.kinit('@%s' % realm.realm, flags=['-n']) # now try FAST realm.kinit('@%s' % realm.realm, flags=['-n', '-T', realm.ccache]) -realm.run_as_client([kvno, realm.host_princ], expected_code=1) +realm.run([kvno, realm.host_princ], expected_code=1) success('Anonymous PKINIT') diff --git a/src/tests/t_ccache.py b/src/tests/t_ccache.py index e85d009dde..a761d48fbe 100644 --- a/src/tests/t_ccache.py +++ b/src/tests/t_ccache.py @@ -26,66 +26,65 @@ from k5test import * realm = K5Realm(create_host=False) # Test kdestroy and klist of a non-existent ccache. -realm.run_as_client([kdestroy]) -output = realm.run_as_client([klist], expected_code=1) +realm.run([kdestroy]) +output = realm.run([klist], expected_code=1) if 'No credentials cache found' not in output: fail('Expected error message not seen in klist output') # Make a directory collection and use it for client commands. ccname = 'DIR:' + os.path.join(realm.testdir, 'cc') -realm.env_client['KRB5CCNAME'] = ccname +realm.env['KRB5CCNAME'] = ccname realm.addprinc('alice', password('alice')) realm.addprinc('bob', password('bob')) realm.addprinc('carol', password('carol')) realm.kinit('alice', password('alice')) -output = realm.run_as_client([klist]) +output = realm.run([klist]) if 'Default principal: alice@' not in output: fail('Initial kinit failed to get credentials for alice.') -realm.run_as_client([kdestroy]) -output = realm.run_as_client([klist], expected_code=1) +realm.run([kdestroy]) +output = realm.run([klist], expected_code=1) if 'No credentials cache found' not in output: fail('Initial kdestroy failed to destroy primary cache.') -output = realm.run_as_client([klist, '-l'], expected_code=1) +output = realm.run([klist, '-l'], expected_code=1) if not output.endswith('---\n') or output.count('\n') != 2: fail('Initial kdestroy failed to empty cache collection.') realm.kinit('alice', password('alice')) realm.kinit('carol', password('carol')) -output = realm.run_as_client([klist, '-l']) +output = realm.run([klist, '-l']) if '---\ncarol@' not in output or '\nalice@' not in output: fail('klist -l did not show expected output after two kinits.') realm.kinit('alice', password('alice')) -output = realm.run_as_client([klist, '-l']) +output = realm.run([klist, '-l']) if '---\nalice@' not in output or output.count('\n') != 4: fail('klist -l did not show expected output after re-kinit for alice.') realm.kinit('bob', password('bob')) -output = realm.run_as_client([klist, '-A']) +output = realm.run([klist, '-A']) if 'bob@' not in output.splitlines()[1] or 'alice@' not in output or \ 'carol' not in output or output.count('Default principal:') != 3: fail('klist -A did not show expected output after kinit for bob.') -realm.run_as_client([kswitch, '-p', 'carol']) -output = realm.run_as_client([klist, '-l']) +realm.run([kswitch, '-p', 'carol']) +output = realm.run([klist, '-l']) if '---\ncarol@' not in output or output.count('\n') != 5: fail('klist -l did not show expected output after kswitch to carol.') -realm.run_as_client([kdestroy]) -output = realm.run_as_client([klist, '-l']) +realm.run([kdestroy]) +output = realm.run([klist, '-l']) if 'carol@' in output or 'bob@' not in output or output.count('\n') != 4: fail('kdestroy failed to remove only primary ccache.') -realm.run_as_client([kdestroy, '-A']) -output = realm.run_as_client([klist, '-l'], expected_code=1) +realm.run([kdestroy, '-A']) +output = realm.run([klist, '-l'], expected_code=1) if not output.endswith('---\n') or output.count('\n') != 2: fail('kdestroy -a failed to empty cache collection.') # Test parameter expansion in default_ccache_name realm.stop() -conf = {'client': {'libdefaults': { - 'default_ccache_name': 'testdir/%{null}abc%{uid}'}}} +conf = {'libdefaults': {'default_ccache_name': 'testdir/%{null}abc%{uid}'}} realm = K5Realm(krb5_conf=conf, create_kdb=False) -del realm.env_client['KRB5CCNAME'] +del realm.env['KRB5CCNAME'] uidstr = str(os.getuid()) -out = realm.run_as_client([klist], expected_code=1) +out = realm.run([klist], expected_code=1) if 'FILE:testdir/abc%s' % uidstr not in out: fail('Wrong ccache in klist') diff --git a/src/tests/t_crossrealm.py b/src/tests/t_crossrealm.py index c0c3ccb158..0d967b8a50 100644 --- a/src/tests/t_crossrealm.py +++ b/src/tests/t_crossrealm.py @@ -24,8 +24,8 @@ from k5test import * -def test_kvno(r, princ, test): - output = r.run_as_client([kvno, princ]) +def test_kvno(r, princ, test, env=None): + output = r.run([kvno, princ], env=env) if princ not in output: fail('%s: principal %s not in kvno output' % (test, princ)) @@ -58,26 +58,23 @@ stop(r1, r2, r3) # transited checks, including a capaths for A->C. capaths = {'capaths': {'A': {'D': ['B', 'C'], 'C': 'B'}}} r1, r2, r3, r4 = cross_realms(4, xtgts=((0,1), (1,2), (2,3)), - args=({'realm': 'A', - 'krb5_conf': {'client': capaths}}, + args=({'realm': 'A'}, {'realm': 'B'}, - {'realm': 'C', - 'krb5_conf': {'master': capaths}}, - {'realm': 'D', - 'krb5_conf': {'master': capaths}})) -test_kvno(r1, r4.host_princ, 'client capaths') + {'realm': 'C', 'krb5_conf': capaths}, + {'realm': 'D', 'krb5_conf': capaths})) +r1client = r1.special_env('client', False, krb5_conf=capaths) +test_kvno(r1, r4.host_princ, 'client capaths', r1client) stop(r1, r2, r3, r4) # Test KDC capaths. The KDCs for A and B have appropriate capaths # settings to determine intermediate TGTs to return, but the client # has no idea. capaths = {'capaths': {'A': {'D': ['B', 'C'], 'C': 'B'}, 'B': {'D': 'C'}}} -conf = {'master': capaths} r1, r2, r3, r4 = cross_realms(4, xtgts=((0,1), (1,2), (2,3)), - args=({'realm': 'A', 'krb5_conf': conf}, - {'realm': 'B', 'krb5_conf': conf}, - {'realm': 'C', 'krb5_conf': conf}, - {'realm': 'D', 'krb5_conf': conf})) + args=({'realm': 'A', 'krb5_conf': capaths}, + {'realm': 'B', 'krb5_conf': capaths}, + {'realm': 'C', 'krb5_conf': capaths}, + {'realm': 'D', 'krb5_conf': capaths})) test_kvno(r1, r4.host_princ, 'KDC capaths') stop(r1, r2, r3, r4) @@ -86,10 +83,9 @@ stop(r1, r2, r3, r4) # ticket. capaths = {'capaths': {'A': {'C': 'B'}}} r1, r2, r3 = cross_realms(3, xtgts=((0,1), (1,2)), - args=({'realm': 'A', - 'krb5_conf': {'client': capaths}}, + args=({'realm': 'A', 'krb5_conf': capaths}, {'realm': 'B'}, {'realm': 'C'})) -output = r1.run_as_client([kvno, r3.host_princ], expected_code=1) +output = r1.run([kvno, r3.host_princ], expected_code=1) if 'KDC policy rejects request' not in output: fail('transited 1: Expected error message not in output') stop(r1, r2, r3) @@ -98,13 +94,12 @@ stop(r1, r2, r3) # recognize B as an intermediate realm for A->C, so it refuses to # verify the krbtgt/C@B ticket in the TGS AP-REQ. capaths = {'capaths': {'A': {'D': ['B', 'C'], 'C': 'B'}, 'B': {'D': 'C'}}} -conf = {'master': capaths} r1, r2, r3, r4 = cross_realms(4, xtgts=((0,1), (1,2), (2,3)), - args=({'realm': 'A', 'krb5_conf': conf}, - {'realm': 'B', 'krb5_conf': conf}, - {'realm': 'C', 'krb5_conf': conf}, + args=({'realm': 'A', 'krb5_conf': capaths}, + {'realm': 'B', 'krb5_conf': capaths}, + {'realm': 'C', 'krb5_conf': capaths}, {'realm': 'D'})) -output = r1.run_as_client([kvno, r4.host_princ], expected_code=1) +output = r1.run([kvno, r4.host_princ], expected_code=1) if 'Illegal cross-realm ticket' not in output: fail('transited 2: Expected error message not in output') stop(r1, r2, r3, r4) diff --git a/src/tests/t_general.py b/src/tests/t_general.py index 77246d52f2..1ba95dccca 100755 --- a/src/tests/t_general.py +++ b/src/tests/t_general.py @@ -3,8 +3,8 @@ from k5test import * for realm in multipass_realms(create_host=False): # Check that kinit fails appropriately with the wrong password. - output = realm.run_as_client([kinit, realm.user_princ], input='wrong\n', - expected_code=1) + output = realm.run([kinit, realm.user_princ], input='wrong\n', + expected_code=1) if 'Password incorrect while getting initial credentials' not in output: fail('Expected error message not seen in kinit output') @@ -20,29 +20,29 @@ for realm in multipass_realms(create_host=False): realm.klist('user/fast@%s' % realm.realm) # Test kinit against kdb keytab - realm.run_as_master([kinit, "-k", "-t", "KDB:", realm.user_princ]) + realm.run([kinit, "-k", "-t", "KDB:", realm.user_princ]) realm = K5Realm(create_host=False) # Create a policy and see if it survives a dump/load. realm.run_kadminl('addpol fred') dumpfile = os.path.join(realm.testdir, 'dump') -realm.run_as_master([kdb5_util, 'dump', dumpfile]) +realm.run([kdb5_util, 'dump', dumpfile]) f = open('testdir/dump', 'a') f.write('policy barney 0 0 1 1 1 0 ' '0 0 0 0 0 0 - 1 ' '2 28 ' 'fd100f5064625f6372656174696f6e404b5242544553542e434f4d00') f.close() -realm.run_as_master([kdb5_util, 'load', dumpfile]) +realm.run([kdb5_util, 'load', dumpfile]) output = realm.run_kadminl('getpols') if 'fred\n' not in output: fail('Policy not preserved across dump/load.') if 'barney\n' not in output: fail('Policy not loaded.') -realm.run_as_master([kdb5_util, 'dump', dumpfile]) -realm.run_as_master([kdb5_util, 'load', dumpfile]) +realm.run([kdb5_util, 'dump', dumpfile]) +realm.run([kdb5_util, 'load', dumpfile]) output = realm.run_kadminl('getpols') if 'fred\n' not in output: fail('Policy not preserved across dump/load.') @@ -51,8 +51,8 @@ if 'barney\n' not in output: # Spot-check KRB5_TRACE output tracefile = os.path.join(realm.testdir, 'trace') -realm.run_as_client(['env', 'KRB5_TRACE=' + tracefile, kinit, - realm.user_princ], input=(password('user') + "\n")) +realm.run(['env', 'KRB5_TRACE=' + tracefile, kinit, realm.user_princ], + input=(password('user') + "\n")) f = open(tracefile, 'r') trace = f.read() f.close() diff --git a/src/tests/t_iprop.py b/src/tests/t_iprop.py index 7a96a7ca70..df97b9224c 100644 --- a/src/tests/t_iprop.py +++ b/src/tests/t_iprop.py @@ -7,11 +7,11 @@ from k5test import * # Read lines from kpropd output until we are synchronized. Error if # full_expected is true and we didn't see a full propagation or vice # versa. -def wait_for_prop(realm, full_expected): +def wait_for_prop(kpropd, full_expected): output('*** Waiting for sync from kpropd\n') full_seen = False while True: - line = realm.read_from_kpropd() + line = kpropd.stdout.readline() if line == '': fail('kpropd process exited unexpectedly') output('kpropd: ' + line) @@ -29,7 +29,7 @@ def wait_for_prop(realm, full_expected): # kpropd's child process has finished a DB load; make the parent # do another iprop request. This will be unnecessary if kpropd # is simplified to use a single process. - realm.prod_kpropd() + kpropd.send_signal(signal.SIGUSR1) # Detect some failure conditions. if 'Rejected connection' in line: @@ -43,22 +43,19 @@ def wait_for_prop(realm, full_expected): if 'invalid return' in line: fail('kadmind returned invalid result') +conf = { + 'realms': {'$realm': { + 'iprop_enable': 'true', + 'iprop_logfile' : '$testdir/db.ulog'}}} -iprop_kdc_conf = { - 'all' : { 'libdefaults' : { 'default_realm' : 'KRBTEST.COM'}, - 'realms' : { '$realm' : { - 'iprop_enable' : 'true', - 'iprop_slave_poll' : '600' - }}}, - 'master' : { 'realms' : { '$realm' : { - 'iprop_logfile' : '$testdir/db.ulog' - }}}, - 'slave' : { 'realms' : { '$realm' : { - 'iprop_logfile' : '$testdir/slave-db.ulog' - }}} -} +conf_slave = { + 'realms': {'$realm': { + 'iprop_slave_poll': '600', + 'iprop_logfile' : '$testdir/db.slave.ulog'}}, + 'dbmodules': {'db': {'database_name': '$testdir/db.slave'}}} -realm = K5Realm(kdc_conf=iprop_kdc_conf, create_user=False, start_kadmind=True) +realm = K5Realm(kdc_conf=conf, create_user=False, start_kadmind=True) +slave = realm.special_env('slave', True, kdc_conf=conf_slave) ulog = os.path.join(realm.testdir, 'db.ulog') if not os.path.exists(ulog): @@ -71,9 +68,9 @@ realm.extract_keytab(kiprop_princ, realm.keytab) # Create the slave db. dumpfile = os.path.join(realm.testdir, 'dump') -realm.run_as_master([kdb5_util, 'dump', dumpfile]) -realm.run_as_slave([kdb5_util, 'load', dumpfile]) -realm.run_as_slave([kdb5_util, 'stash', '-P', 'master']) +realm.run([kdb5_util, 'dump', dumpfile]) +realm.run([kdb5_util, 'load', dumpfile], slave) +realm.run([kdb5_util, 'stash', '-P', 'master'], slave) # Make some changes to the master db. realm.addprinc('wakawaka') @@ -87,7 +84,7 @@ realm.addprinc('w') realm.run_kadminl('modprinc -allow_tix w') realm.run_kadminl('modprinc +allow_tix w') -out = realm.run_as_master([kproplog, '-h']) +out = realm.run([kproplog, '-h']) if 'Last serial # : 7' not in out: fail('Update log on master has incorrect last serial number') @@ -98,76 +95,76 @@ acl.write(realm.host_princ + '\n') acl.close() # Start kpropd and get a full dump from master. -realm.start_kpropd(['-d']) -wait_for_prop(realm, True) +kpropd = realm.start_kpropd(slave, ['-d']) +wait_for_prop(kpropd, True) realm.run_kadminl('modprinc -allow_tix w') -out = realm.run_as_master([kproplog, '-h']) +out = realm.run([kproplog, '-h']) if 'Last serial # : 8' not in out: fail('Update log on master has incorrect last serial number') # Get an incremental update and check that it happened. -realm.prod_kpropd() -wait_for_prop(realm, False) -out = realm.run_as_slave([kproplog, '-h']) +kpropd.send_signal(signal.SIGUSR1) +wait_for_prop(kpropd, False) +out = realm.run([kproplog, '-h'], slave) if 'Last serial # : 8' not in out: fail('Update log on slave has incorrect last serial number') # Make another change. realm.run_kadminl('modprinc +allow_tix w') -out = realm.run_as_master([kproplog, '-h']) +out = realm.run([kproplog, '-h']) if 'Last serial # : 9' not in out: fail('Update log on master has incorrect last serial number') # Get an update and check that we're at sno 9 on the slave side too. -realm.prod_kpropd() -wait_for_prop(realm, False) -out = realm.run_as_slave([kproplog, '-h']) +kpropd.send_signal(signal.SIGUSR1) +wait_for_prop(kpropd, False) +out = realm.run([kproplog, '-h'], slave) if 'Last serial # : 9' not in out: fail('Update log on slave has incorrect last serial number') # Reset the ulog on the slave side to force a full resync to the slave. -realm.run_as_slave([kproplog, '-R']) -out = realm.run_as_slave([kproplog, '-h']) +realm.run([kproplog, '-R'], slave) +out = realm.run([kproplog, '-h'], slave) if 'Last serial # : None' not in out: fail('Reset of update log on slave failed') # Get a full resync and check the result. -realm.prod_kpropd() -wait_for_prop(realm, True) -out = realm.run_as_slave([kproplog, '-h']) +kpropd.send_signal(signal.SIGUSR1) +wait_for_prop(kpropd, True) +out = realm.run([kproplog, '-h'], slave) if 'Last serial # : 9' not in out: fail('Update log on slave has incorrect last serial number') # Make another change. realm.run_kadminl('modprinc +allow_tix w') -out = realm.run_as_master([kproplog, '-h']) +out = realm.run([kproplog, '-h']) if 'Last serial # : 10' not in out: fail('Update log on master has incorrect last serial number') # Get and check an incremental update. -realm.prod_kpropd() -wait_for_prop(realm, False) -out = realm.run_as_slave([kproplog, '-h']) +kpropd.send_signal(signal.SIGUSR1) +wait_for_prop(kpropd, False) +out = realm.run([kproplog, '-h'], slave) if 'Last serial # : 10' not in out: fail('Update log on slave has incorrect last serial number') # Reset the ulog on the master side to force a full resync to all slaves. # XXX Note that we only have one slave in this test, so we can't really # test this. -realm.run_as_master([kproplog, '-R']) -out = realm.run_as_master([kproplog, '-h']) +realm.run([kproplog, '-R']) +out = realm.run([kproplog, '-h']) if 'Last serial # : None' not in out: fail('Reset of update log on master failed') realm.run_kadminl('modprinc -allow_tix w') -out = realm.run_as_master([kproplog, '-h']) +out = realm.run([kproplog, '-h']) if 'Last serial # : 1' not in out: fail('Update log on master has incorrect last serial number') # Get and check a full resync. -realm.prod_kpropd() -wait_for_prop(realm, True) -out = realm.run_as_slave([kproplog, '-h']) +kpropd.send_signal(signal.SIGUSR1) +wait_for_prop(kpropd, True) +out = realm.run([kproplog, '-h'], slave) if 'Last serial # : 1' not in out: fail('Update log on slave has incorrect last serial number') diff --git a/src/tests/t_kadm5_hook.py b/src/tests/t_kadm5_hook.py index 0c8b19dac0..1f023ea0f2 100644 --- a/src/tests/t_kadm5_hook.py +++ b/src/tests/t_kadm5_hook.py @@ -4,15 +4,7 @@ from k5test import * plugin = os.path.join(buildtop, "plugins", "kadm5_hook", "test", "kadm5_hook_test.so") -hook_krb5_conf = { - 'all' : { - "plugins" : { - "kadm5_hook" : { - "module" : "test:" + plugin - } - } - } -} +hook_krb5_conf = {'plugins': {'kadm5_hook': { 'module': 'test:' + plugin}}} realm = K5Realm(krb5_conf=hook_krb5_conf, create_user=False, create_host=False) output = realm.run_kadminl ('addprinc -randkey test') diff --git a/src/tests/t_kadmin_acl.py b/src/tests/t_kadmin_acl.py index 3d36ad09cf..1d7b1d0981 100644 --- a/src/tests/t_kadmin_acl.py +++ b/src/tests/t_kadmin_acl.py @@ -14,7 +14,7 @@ def make_client(name): def kadmin_as(client, query): global realm - return realm.run_as_client([kadmin, '-c', client, '-q', query]) + return realm.run([kadmin, '-c', client, '-q', query]) def delprinc(name): global realm diff --git a/src/tests/t_kdb.py b/src/tests/t_kdb.py index 2f0d6fd90e..3c664f0ef4 100644 --- a/src/tests/t_kdb.py +++ b/src/tests/t_kdb.py @@ -13,7 +13,7 @@ def which(progname): # Run kdbtest against the BDB module. realm = K5Realm(create_kdb=False) -realm.run_as_master(['./kdbtest']) +realm.run(['./kdbtest']) # Set up an OpenLDAP test server if we can. @@ -87,24 +87,22 @@ output('*** Started slapd (pid %d, output in %s)\n' % (slapd_pid, slapd_out)) time.sleep(1) # Run kdbtest against the LDAP module. -kdc_conf = {'all': { - 'realms': {'$realm': {'database_module': 'ldap'}}, - 'dbmodules': {'ldap': { - 'db_library': 'kldap', - 'ldap_kerberos_container_dn': top_dn, - 'ldap_kdc_dn': admin_dn, - 'ldap_kadmind_dn': admin_dn, - 'ldap_service_password_file': ldap_pwfile, - 'ldap_servers': ldap_uri}}}} -realm = K5Realm(create_kdb=False, kdc_conf=kdc_conf) +conf = {'realms': {'$realm': {'database_module': 'ldap'}}, + 'dbmodules': {'ldap': {'db_library': 'kldap', + 'ldap_kerberos_container_dn': top_dn, + 'ldap_kdc_dn': admin_dn, + 'ldap_kadmind_dn': admin_dn, + 'ldap_service_password_file': ldap_pwfile, + 'ldap_servers': ldap_uri}}} +realm = K5Realm(create_kdb=False, kdc_conf=conf) input = admin_pw + '\n' + admin_pw + '\n' -realm.run_as_master([kdb5_ldap_util, 'stashsrvpw', admin_dn], input=input) -realm.run_as_master(['./kdbtest']) +realm.run([kdb5_ldap_util, 'stashsrvpw', admin_dn], input=input) +realm.run(['./kdbtest']) # Run a kdb5_ldap_util command using the test server's admin DN and password. def kldaputil(args, **kw): - return realm.run_as_master([kdb5_ldap_util, '-D', admin_dn, '-w', - admin_pw] + args, **kw) + return realm.run([kdb5_ldap_util, '-D', admin_dn, '-w', admin_pw] + args, + **kw) # kdbtest can't currently clean up after itself since the LDAP module # doesn't support krb5_db_destroy. So clean up after it with @@ -243,17 +241,17 @@ realm.addprinc(realm.user_princ, password('user')) realm.addprinc(realm.host_princ) realm.extract_keytab(realm.host_princ, realm.keytab) realm.kinit(realm.user_princ, password('user')) -realm.run_as_client([kvno, realm.host_princ]) +realm.run([kvno, realm.host_princ]) realm.klist(realm.user_princ, realm.host_princ) realm.stop() # Briefly test dump and load. dumpfile = os.path.join(realm.testdir, 'dump') -realm.run_as_master([kdb5_util, 'dump', dumpfile]) -out = realm.run_as_master([kdb5_util, 'load', dumpfile], expected_code=1) +realm.run([kdb5_util, 'dump', dumpfile]) +out = realm.run([kdb5_util, 'load', dumpfile], expected_code=1) if 'plugin requires -update argument' not in out: fail('Unexpected error from kdb5_util load without -update') -realm.run_as_master([kdb5_util, 'load', '-update', dumpfile]) +realm.run([kdb5_util, 'load', '-update', dumpfile]) # Destroy the realm. kldaputil(['destroy', '-f']) diff --git a/src/tests/t_kdb_locking.py b/src/tests/t_kdb_locking.py index 89da97b422..7c0755ead0 100644 --- a/src/tests/t_kdb_locking.py +++ b/src/tests/t_kdb_locking.py @@ -12,15 +12,11 @@ import os from k5test import * -kdc_conf = { - 'all' : { 'libdefaults' : { 'default_realm' : 'KRBTEST.COM'}} -} - p = 'foo' -realm = K5Realm(kdc_conf=kdc_conf, create_user=False) +realm = K5Realm(create_user=False) realm.addprinc(p, p) -kadm5_lock = os.path.join(realm.testdir, 'master-db.kadm5.lock') +kadm5_lock = os.path.join(realm.testdir, 'db.kadm5.lock') if not os.path.exists(kadm5_lock): fail('kadm5 lock file not created: ' + kadm5_lock) os.unlink(kadm5_lock) diff --git a/src/tests/t_keyrollover.py b/src/tests/t_keyrollover.py index 9f9346aca6..29d1291639 100644 --- a/src/tests/t_keyrollover.py +++ b/src/tests/t_keyrollover.py @@ -1,7 +1,7 @@ #!/usr/bin/python from k5test import * -rollover_krb5_conf = {'all' : {'libdefaults' : {'allow_weak_crypto' : 'true'}}} +rollover_krb5_conf = {'libdefaults': {'allow_weak_crypto': 'true'}} realm = K5Realm(krbtgt_keysalt='des-cbc-crc:normal', krb5_conf=rollover_krb5_conf) @@ -11,19 +11,19 @@ princ2 = 'host/test2@%s' % (realm.realm,) realm.addprinc(princ1) realm.addprinc(princ2) -realm.run_as_client([kvno, realm.host_princ]) +realm.run([kvno, realm.host_princ]) # Change key for TGS, keeping old key. realm.run_kadminl('cpw -randkey -e aes256-cts:normal -keepold krbtgt/%s@%s' % (realm.realm, realm.realm)) # Ensure that kvno still works with an old TGT. -realm.run_as_client([kvno, princ1]) +realm.run([kvno, princ1]) realm.run_kadminl('purgekeys krbtgt/%s@%s' % (realm.realm, realm.realm)) # Make sure an old TGT fails after purging old TGS key. -realm.run_as_client([kvno, princ2], expected_code=1) -output = realm.run_as_client([klist, '-e']) +realm.run([kvno, princ2], expected_code=1) +output = realm.run([klist, '-e']) expected = 'krbtgt/%s@%s\n\tEtype (skey, tkt): des-cbc-crc, des-cbc-crc' % \ (realm.realm, realm.realm) @@ -33,8 +33,8 @@ if expected not in output: # Check that new key actually works. realm.kinit(realm.user_princ, password('user')) -realm.run_as_client([kvno, realm.host_princ]) -output = realm.run_as_client([klist, '-e']) +realm.run([kvno, realm.host_princ]) +output = realm.run([klist, '-e']) expected = 'krbtgt/%s@%s\n\tEtype (skey, tkt): ' \ 'aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96' % \ @@ -60,7 +60,7 @@ output = realm.run_kadminl('getprinc krbtgt/%s' % realm.realm) if 'vno 1, aes256' not in output or 'vno 1, des3' not in output: fail('keyrollover: setup for TGS enctype test failed') # Now present the DES3 ticket to the KDC and make sure it's rejected. -realm.run_as_client([kvno, realm.host_princ], expected_code=1) +realm.run([kvno, realm.host_princ], expected_code=1) realm.stop() @@ -72,10 +72,10 @@ realm.stop() # multiple keys. r1, r2 = cross_realms(2) r1.run_kadminl('modprinc -kvno 0 krbtgt/%s' % r2.realm) -r1.run_as_client([kvno, r2.host_princ]) +r1.run([kvno, r2.host_princ]) r2.run_kadminl('cpw -pw newcross -keepold krbtgt/%s@%s' % (r2.realm, r1.realm)) r1.run_kadminl('cpw -pw newcross krbtgt/%s' % r2.realm) r1.run_kadminl('modprinc -kvno 0 krbtgt/%s' % r2.realm) -r1.run_as_client([kvno, r2.user_princ]) +r1.run([kvno, r2.user_princ]) success('keyrollover') diff --git a/src/tests/t_keytab.py b/src/tests/t_keytab.py index bc547d9437..3008911ecf 100644 --- a/src/tests/t_keytab.py +++ b/src/tests/t_keytab.py @@ -9,8 +9,8 @@ realm = K5Realm(get_creds=False) # Test kinit with a partial keytab. pkeytab = realm.keytab + '.partial' -realm.run_as_master([ktutil], input=('rkt %s\ndelent 1\nwkt %s\n' % - (realm.keytab, pkeytab))) +realm.run([ktutil], input=('rkt %s\ndelent 1\nwkt %s\n' % + (realm.keytab, pkeytab))) realm.kinit(realm.host_princ, flags=['-k', '-t', pkeytab]) # Test kinit with no keys for client in keytab. @@ -22,17 +22,17 @@ if 'no suitable keys' not in output: realm.extract_keytab(realm.user_princ, realm.client_keytab); realm.kinit(realm.user_princ, flags=['-k', '-i']) realm.klist(realm.user_princ) -out = realm.run_as_client([klist, '-k', '-i']) +out = realm.run([klist, '-k', '-i']) if realm.client_keytab not in out or realm.user_princ not in out: fail('Expected output not seen from klist -k -i') # Test implicit request for keytab (-i or -t without -k) -realm.run_as_client([kdestroy]) +realm.run([kdestroy]) output = realm.kinit(realm.host_princ, flags=['-t', realm.keytab]) if 'keytab specified, forcing -k' not in output: fail('Expected output not seen from kinit -t keytab') realm.klist(realm.host_princ) -realm.run_as_client([kdestroy]) +realm.run([kdestroy]) output = realm.kinit(realm.user_princ, flags=['-i']) if 'keytab specified, forcing -k' not in output: fail('Expected output not seen from kinit -i') @@ -54,17 +54,17 @@ if 'Key: vno 258,' not in output: # Test parameter expansion in profile variables realm.stop() -conf = {'client': {'libdefaults': { - 'default_keytab_name': 'testdir/%{null}abc%{uid}', - 'default_client_keytab_name': 'testdir/%{null}xyz%{uid}'}}} +conf = {'libdefaults': { + 'default_keytab_name': 'testdir/%{null}abc%{uid}', + 'default_client_keytab_name': 'testdir/%{null}xyz%{uid}'}} realm = K5Realm(krb5_conf=conf, create_kdb=False) -del realm.env_client['KRB5_KTNAME'] -del realm.env_client['KRB5_CLIENT_KTNAME'] +del realm.env['KRB5_KTNAME'] +del realm.env['KRB5_CLIENT_KTNAME'] uidstr = str(os.getuid()) -out = realm.run_as_client([klist, '-k'], expected_code=1) +out = realm.run([klist, '-k'], expected_code=1) if 'FILE:testdir/abc%s' % uidstr not in out: fail('Wrong keytab in klist -k output') -out = realm.run_as_client([klist, '-ki'], expected_code=1) +out = realm.run([klist, '-ki'], expected_code=1) if 'FILE:testdir/xyz%s' % uidstr not in out: fail('Wrong keytab in klist -ki output') diff --git a/src/tests/t_lockout.py b/src/tests/t_lockout.py index e3d1dd4154..8da8c57481 100644 --- a/src/tests/t_lockout.py +++ b/src/tests/t_lockout.py @@ -29,17 +29,15 @@ realm.run_kadminl('addpol -maxfailure 2 -failurecountinterval 5m lockout') realm.run_kadminl('modprinc +requires_preauth -policy lockout user') # kinit twice with the wrong password. -output = realm.run_as_client([kinit, realm.user_princ], input='wrong\n', - expected_code=1) +output = realm.run([kinit, realm.user_princ], input='wrong\n', expected_code=1) if 'Password incorrect while getting initial credentials' not in output: fail('Expected error message not seen in kinit output') -output = realm.run_as_client([kinit, realm.user_princ], input='wrong\n', - expected_code=1) +output = realm.run([kinit, realm.user_princ], input='wrong\n', expected_code=1) if 'Password incorrect while getting initial credentials' not in output: fail('Expected error message not seen in kinit output') # Now the account should be locked out. -output = realm.run_as_client([kinit, realm.user_princ], expected_code=1) +output = realm.run([kinit, realm.user_princ], expected_code=1) if 'Clients credentials have been revoked while getting initial credentials' \ not in output: fail('Expected lockout error message not seen in kinit output') diff --git a/src/tests/t_pwhist.py b/src/tests/t_pwhist.py index bfb9f0045b..3d8c7c1b23 100644 --- a/src/tests/t_pwhist.py +++ b/src/tests/t_pwhist.py @@ -6,12 +6,12 @@ from k5test import * # first one to create history entries. realm = K5Realm(start_kdc=False) # Create a history principal with two keys. -realm.run_as_master(['./hist', 'make']) +realm.run(['./hist', 'make']) realm.run_kadminl('addpol -history 2 pol') realm.run_kadminl('modprinc -policy pol user') realm.run_kadminl('cpw -pw pw2 user') # Swap the keys, simulating older kadmin having chosen the second entry. -realm.run_as_master(['./hist', 'swap']) +realm.run(['./hist', 'swap']) # Make sure we can read the history entry. output = realm.run_kadminl('cpw -pw %s user' % password('user')) if 'Cannot reuse password' not in output: diff --git a/src/tests/t_referral.py b/src/tests/t_referral.py index 6654d71e8e..985f9da70e 100644 --- a/src/tests/t_referral.py +++ b/src/tests/t_referral.py @@ -6,12 +6,12 @@ from k5test import * # have a regression test for #7483. # A KDC should not return a host referral to its own realm. -krb5_conf = {'master': {'domain_realm': {'y': 'KRBTEST.COM'}}} -kdc_conf = {'master': {'realms': {'$realm': {'host_based_services': 'x'}}}} +krb5_conf = {'domain_realm': {'y': 'KRBTEST.COM'}} +kdc_conf = {'realms': {'$realm': {'host_based_services': 'x'}}} realm = K5Realm(krb5_conf=krb5_conf, kdc_conf=kdc_conf, create_host=False) tracefile = os.path.join(realm.testdir, 'trace') -realm.run_as_client(['env', 'KRB5_TRACE=' + tracefile, kvno, '-u', 'x/z.y@'], - expected_code=1) +realm.run(['env', 'KRB5_TRACE=' + tracefile, kvno, '-u', 'x/z.y@'], + expected_code=1) f = open(tracefile, 'r') trace = f.read() f.close() diff --git a/src/tests/t_sesskeynego.py b/src/tests/t_sesskeynego.py index 9239e12544..3a4a81452f 100644 --- a/src/tests/t_sesskeynego.py +++ b/src/tests/t_sesskeynego.py @@ -8,8 +8,8 @@ etypes_re = re.compile(r'server@[^\n]+\n\tEtype \(skey, tkt\): ' '([^,]+), ([^\s]+)') def test_kvno(realm, expected_skey, expected_tkt): realm.kinit(realm.user_princ, password('user')) - realm.run_as_client([kvno, 'server']) - output = realm.run_as_client([klist, '-e']) + realm.run([kvno, 'server']) + output = realm.run([klist, '-e']) m = etypes_re.search(output) if not m: fail('could not parse etypes from klist -e output') @@ -19,29 +19,21 @@ def test_kvno(realm, expected_skey, expected_tkt): if tkt != expected_tkt: fail('got ticket key type %s, expected %s' % (tkt, expected_tkt)) -krb5_conf1 = {'all': {'libdefaults': { - 'default_tgs_enctypes': 'aes128-cts,aes256-cts'}}} - -krb5_conf2 = {'all': {'libdefaults': { - 'default_tgs_enctypes': 'aes256-cts,aes128-cts'}}} - -krb5_conf3 = {'all': {'libdefaults': { - 'allow_weak_crypto': 'true', - 'default_tkt_enctypes': 'aes128-cts', - 'default_tgs_enctypes': 'rc4-hmac,aes128-cts,des-cbc-crc'}}} - -krb5_conf4 = {'all' :{ - 'libdefaults': { - 'allow_weak_crypto': 'true', - 'default_tkt_enctypes': 'aes256-cts', - 'default_tgs_enctypes': 'des-cbc-crc,rc4-hmac,aes256-cts' - }, - 'realms': {'$realm': { - 'des_crc_session_supported' : 'false'}}}} +conf1 = {'libdefaults': {'default_tgs_enctypes': 'aes128-cts,aes256-cts'}} +conf2 = {'libdefaults': {'default_tgs_enctypes': 'aes256-cts,aes128-cts'}} +conf3 = {'libdefaults': { + 'allow_weak_crypto': 'true', + 'default_tkt_enctypes': 'aes128-cts', + 'default_tgs_enctypes': 'rc4-hmac,aes128-cts,des-cbc-crc'}} +conf4 = {'libdefaults': { + 'allow_weak_crypto': 'true', + 'default_tkt_enctypes': 'aes256-cts', + 'default_tgs_enctypes': 'des-cbc-crc,rc4-hmac,aes256-cts'}, + 'realms': {'$realm': {'des_crc_session_supported': 'false'}}} # Test with client request and session_enctypes preferring aes128, but # aes256 long-term key. -realm = K5Realm(krb5_conf=krb5_conf1, create_host=False, get_creds=False) +realm = K5Realm(krb5_conf=conf1, create_host=False, get_creds=False) realm.run_kadminl('addprinc -randkey -e aes256-cts:normal server') realm.run_kadminl('setstr server session_enctypes aes128-cts,aes256-cts') test_kvno(realm, 'aes128-cts-hmac-sha1-96', 'aes256-cts-hmac-sha1-96') @@ -50,14 +42,14 @@ realm.stop() # Second go, almost same as first, but resulting session key must be aes256 # because of the difference in default_tgs_enctypes order. This tests that # session_enctypes doesn't change the order in which we negotiate. -realm = K5Realm(krb5_conf=krb5_conf2, create_host=False, get_creds=False) +realm = K5Realm(krb5_conf=conf2, create_host=False, get_creds=False) realm.run_kadminl('addprinc -randkey -e aes256-cts:normal server') realm.run_kadminl('setstr server session_enctypes aes128-cts,aes256-cts') test_kvno(realm, 'aes256-cts-hmac-sha1-96', 'aes256-cts-hmac-sha1-96') realm.stop() -# Next we use krb5_conf3 and try various things. -realm = K5Realm(krb5_conf=krb5_conf3, create_host=False, get_creds=False) +# Next we use conf3 and try various things. +realm = K5Realm(krb5_conf=conf3, create_host=False, get_creds=False) realm.run_kadminl('addprinc -randkey -e aes256-cts:normal server') # 3a: Negotiate aes128 session key when principal only has aes256 long-term. @@ -75,7 +67,7 @@ test_kvno(realm, 'des-cbc-crc', 'aes256-cts-hmac-sha1-96') realm.stop() # Last go: test that we can disable the des-cbc-crc assumption -realm = K5Realm(krb5_conf=krb5_conf4, get_creds=False) +realm = K5Realm(krb5_conf=conf4, get_creds=False) realm.run_kadminl('addprinc -randkey -e aes256-cts:normal server') test_kvno(realm, 'aes256-cts-hmac-sha1-96', 'aes256-cts-hmac-sha1-96') realm.stop() diff --git a/src/tests/t_skew.py b/src/tests/t_skew.py index 18bd922874..aa91471428 100644 --- a/src/tests/t_skew.py +++ b/src/tests/t_skew.py @@ -8,23 +8,23 @@ realm.start_kdc(['-T', '-3600']) # kinit (no preauth) should work, and should set a clock skew allowing # kvno to work, with or without FAST. realm.kinit(realm.user_princ, password('user')) -realm.run_as_client([kvno, realm.host_princ]) +realm.run([kvno, realm.host_princ]) realm.kinit(realm.user_princ, password('user'), flags=['-T', realm.ccache]) -realm.run_as_client([kvno, realm.host_princ]) -realm.run_as_client([kdestroy]) +realm.run([kvno, realm.host_princ]) +realm.run([kdestroy]) # kinit (with preauth) should work, with or without FAST. realm.run_kadminl('modprinc +requires_preauth user') realm.kinit(realm.user_princ, password('user')) -realm.run_as_client([kvno, realm.host_princ]) +realm.run([kvno, realm.host_princ]) realm.kinit(realm.user_princ, password('user'), flags=['-T', realm.ccache]) -realm.run_as_client([kvno, realm.host_princ]) -realm.run_as_client([kdestroy]) +realm.run([kvno, realm.host_princ]) +realm.run([kdestroy]) realm.stop() # Repeat the above tests with kdc_timesync disabled. -conf = {'all': {'libdefaults': {'kdc_timesync': '0'}}} +conf = {'libdefaults': {'kdc_timesync': '0'}} realm = K5Realm(start_kdc=False, krb5_conf=conf) realm.start_kdc(['-T', '-3600']) |