path: root/src/tests/gssapi/t_ccselect.py
blob: 0d36d7a35093cb6823c7554caa35566567c63dbc (plain)
# Copyright (C) 2011 by the Massachusetts Institute of Technology.
# All rights reserved.

# Export of this software from the United States of America may
#   require a specific license from the United States Government.
#   It is the responsibility of any person or organization contemplating
#   export to obtain such a license before exporting.
#
# WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
# distribute this software and its documentation for any purpose and
# without fee is hereby granted, provided that the above copyright
# notice appear in all copies and that both that copyright notice and
# this permission notice appear in supporting documentation, and that
# the name of M.I.T. not be used in advertising or publicity pertaining
# to distribution of the software without specific, written prior
# permission.  Furthermore if you modify this software you must label
# your software as modified software and not distribute it in such a
# fashion that it might be confused with the original M.I.T. software.
# M.I.T. makes no representations about the suitability of
# this software for any purpose.  It is provided "as is" without express
# or implied warranty.

#!/usr/bin/python
from k5test import *

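# Create two independent realms (no cross-realm TGTs).  Because there
# is no trust path between them, a credential for one realm is never a
# usable initiator credential for a server in the other; the selection
# logic under test has to pick the right cache, not just any cache.
r1 = K5Realm(start_kadmind=False, create_user=False)
r2 = K5Realm(start_kadmind=False, create_user=False, realm='KRBTEST2.COM',
             testdir=os.path.join(r1.testdir, 'r2'), portbase=62000)

# gssserver specifies the target as a GSS name.  The resulting
# principal will have the host-based type, but the realm won't be
# known before the client cache is selected (since k5test realms have
# no domain-realm mapping by default).
gssserver = 'gss:host@' + hostname

# refserver specifies the target as a principal in the referral realm.
# The principal won't be treated as a host principal by the
# .k5identity rules since it has unknown type.
refserver = 'host/' + hostname + '@'

# Merging each realm's keytab into the other's (so each server could
# accept tickets from both realms) is currently disabled; the lines are
# kept commented out so the intended ktutil invocation is not lost.
#r1.run_as_client(['/bin/sh', '-c', '(echo rkt %s; echo wkt %s) | %s' %
#                  (r2.keytab, r1.keytab, ktutil)])
#r1.run_as_client(['/bin/sh', '-c', '(echo rkt %s; echo wkt %s) | %s' %
#                  (r1.keytab, r2.keytab, ktutil)])

# Make a directory collection and use it for client commands in both
# realms, so caches from both realms are candidates for selection.
ccdir = os.path.join(r1.testdir, 'cc')
ccname = 'DIR:' + ccdir
os.mkdir(ccdir)
r1.env_client['KRB5CCNAME'] = ccname
r2.env_client['KRB5CCNAME'] = ccname

# Point HOME at the test directory so that only the .k5identity written
# below is consulted.  The tester's real ~/.k5identity must not be able
# to influence which credential the test ends up selecting.
r1.env_client['HOME'] = r1.testdir
r2.env_client['HOME'] = r1.testdir

# Create two users in r1 and one in r2.
alice = 'alice@KRBTEST.COM'
bob = 'bob@KRBTEST.COM'
zaphod = 'zaphod@KRBTEST2.COM'
r1.addprinc(alice, password('alice'))
r1.addprinc(bob, password('bob'))
r2.addprinc(zaphod, password('zaphod'))

# Get tickets for one user in each realm (zaphod will be primary).
r1.kinit(alice, password('alice'))
r2.kinit(zaphod, password('zaphod'))

# Check that we can find a cache for a specified client principal.
output = r1.run_as_client(['./t_ccselect', r1.host_princ, alice])
if output != (alice + '\n'):
    fail('alice not chosen when specified')
output = r2.run_as_client(['./t_ccselect', r2.host_princ, zaphod])
if output != (zaphod + '\n'):
    fail('zaphod not chosen when specified')

# Check that we can guess a cache based on the service realm.  For a
# server in r1 alice must be chosen even though zaphod's cache is the
# primary one; for a server in r2 zaphod must be chosen.
output = r1.run_as_client(['./t_ccselect', r1.host_princ])
if output != (alice + '\n'):
    fail('alice not chosen as default initiator cred for server in r1')
output = r1.run_as_client(['./t_ccselect', r1.host_princ, '-'])
if output != (alice + '\n'):
    fail('alice not chosen as default initiator name for server in r1')
output = r2.run_as_client(['./t_ccselect', r2.host_princ])
if output != (zaphod + '\n'):
    fail('zaphod not chosen as default initiator cred for server in r2')
output = r2.run_as_client(['./t_ccselect', r2.host_princ, '-'])
if output != (zaphod + '\n'):
    fail('zaphod not chosen as default initiator name for server in r2')

# Check that the primary cache is used if the server realm is unknown.
# Under r1's configuration the same command is expected to fail (exit
# status 1), presumably because the primary cache belongs to a realm r1
# knows nothing about; it must not quietly fall back to another cache.
output = r2.run_as_client(['./t_ccselect', gssserver])
if output != (zaphod + '\n'):
    fail('zaphod not chosen via primary cache for unknown server realm')
r1.run_as_client(['./t_ccselect', gssserver], expected_code=1)

# Get a second cred in r1 (bob will be primary).
r1.kinit(bob, password('bob'))

# Try some cache selections using .k5identity.  This file is under the
# user's control and decides which of several credentials is presented
# to a given server, so a realm rule, a service/host rule (with a
# wildcard service) and a rule naming a non-existent principal are all
# exercised.
k5id_path = os.path.join(r1.testdir, '.k5identity')
with open(k5id_path, 'w') as k5id:
    k5id.write('%s realm=%s\n' % (alice, r1.realm))
    k5id.write('%s service=ho*t host=%s\n' % (zaphod, hostname))
    k5id.write('noprinc service=bogus')
output = r1.run_as_client(['./t_ccselect', r1.host_princ])
if output != (alice + '\n'):
    fail('alice not chosen via .k5identity realm line.')
output = r2.run_as_client(['./t_ccselect', gssserver])
if output != (zaphod + '\n'):
    fail('zaphod not chosen via .k5identity service/host line.')
output = r1.run_as_client(['./t_ccselect', refserver])
if output != (bob + '\n'):
    fail('bob not chosen via primary cache when no .k5identity line matches.')
# When .k5identity selects a principal for which there is no cache, the
# library must report the mismatch between the selected and desired
# principal rather than silently substituting a different identity.
output = r1.run_as_client(['./t_ccselect', 'gss:bogus@' + hostname],
                          expected_code=1)
if 'does not match desired' not in output:
    fail('Expected error not seen when k5identity selects bad principal.')

success('GSSAPI credential selection tests')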