From 8d689cea3561d5912db218a4fdf9bdf3c1c6d3b0 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Tue, 17 Apr 2012 03:19:12 +0000
Subject: Add clock skew tests

Add a KDC option (-T) to run with a time offset, and use that to
test kdc_timesync behavior.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25807 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/tests/t_skew.py | 38 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)
 create mode 100644 src/tests/t_skew.py

(limited to 'src/tests/t_skew.py')

diff --git a/src/tests/t_skew.py b/src/tests/t_skew.py
new file mode 100644
index 0000000000..f00c2f9200
--- /dev/null
+++ b/src/tests/t_skew.py
@@ -0,0 +1,38 @@
+#!/usr/bin/python
+from k5test import *
+
+# Create a realm with the KDC one hour in the past.
+realm = K5Realm(start_kadmind=False, start_kdc=False)
+realm.start_kdc(['-T', '-3600'])
+
+# kinit (no preauth) should work, and should set a clock skew allowing
+# kvno to work, with or without FAST.
+realm.kinit(realm.user_princ, password('user'))
+realm.run_as_client([kvno, realm.host_princ])
+realm.kinit(realm.user_princ, password('user'), flags=['-T', realm.ccache])
+realm.run_as_client([kvno, realm.host_princ])
+realm.run_as_client([kdestroy])
+
+# kinit (with preauth) should fail.
+realm.run_kadminl('modprinc +requires_preauth user')
+realm.kinit(realm.user_princ, password('user'), expected_code=1)
+
+realm.stop()
+
+# Repeat the above tests with kdc_timesync disabled.
+conf = {'all': {'libdefaults': {'kdc_timesync': '0'}}}
+realm = K5Realm(start_kadmind=False, start_kdc=False, krb5_conf=conf)
+realm.start_kdc(['-T', '-3600'])
+
+# kinit (no preauth) should work, but kvno should not.  kinit with
+# FAST should also fail since the armor AP-REQ won't be valid.
+realm.kinit(realm.user_princ, password('user'))
+realm.run_as_client([kvno, realm.host_princ], expected_code=1)
+realm.kinit(realm.user_princ, password('user'), flags=['-T', realm.ccache],
+            expected_code=1)
+
+# kinit (with preauth) should fail.
+realm.run_kadminl('modprinc +requires_preauth user')
+realm.kinit(realm.user_princ, password('user'), expected_code=1)
+
+success('Clock skew tests')
-- 
cgit