diff options
| author | Nalin Dahyabhai <nalin@dahyabhai.net> | 2014-02-07 18:56:10 -0500 |
|---|---|---|
| committer | Greg Hudson <ghudson@mit.edu> | 2014-06-02 18:47:17 -0400 |
| commit | 3e2c7cc557048faac3400ae41b0228bd37a82a4c (patch) | |
| tree | 30a2785aeb5f4fd6657fd093afa0222f5183eb10 | |
| parent | 142255ba9af4ce1016a8eadf147e599ee490f1f7 (diff) | |
| download | krb5-3e2c7cc557048faac3400ae41b0228bd37a82a4c.tar.gz krb5-3e2c7cc557048faac3400ae41b0228bd37a82a4c.tar.xz krb5-3e2c7cc557048faac3400ae41b0228bd37a82a4c.zip | |
Add tests for MS-KKDCP client support
Exercise the MS-KKDCP client support using the test proxy server, for
AS, TGS, and kpasswd requests while also checking the certificate
verification and name checks.
ticket: 7929
| -rw-r--r-- | src/tests/Makefile.in | 1 | ||||
| -rw-r--r-- | src/tests/t_proxy.py | 219 |
2 files changed, 220 insertions, 0 deletions
diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in index 7347ed6c8..536f5cb0b 100644 --- a/src/tests/Makefile.in +++ b/src/tests/Makefile.in @@ -134,6 +134,7 @@ check-pytests:: t_init_creds t_localauth -i au.log $(RUNPYTEST) $(srcdir)/t_salt.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_bogus_kdc_req.py $(PYTESTFLAGS) + $(RUNPYTEST) $(srcdir)/t_proxy.py $(PYTESTFLAGS) clean:: $(RM) gcred hist hrealm kdbtest plugorder rdreq responder s2p diff --git a/src/tests/t_proxy.py b/src/tests/t_proxy.py new file mode 100644 index 000000000..e4e3d482c --- /dev/null +++ b/src/tests/t_proxy.py @@ -0,0 +1,219 @@ +#!/usr/bin/python +from k5test import * + +# Skip this test if we're missing proxy functionality or parts of the proxy. +if runenv.proxy_tls_impl == 'no': + success('Warning: not testing proxy support because feature ' + + 'was not enabled') + exit(0) +try: + from paste import httpserver +except: + success('Warning: not testing proxy support because python ' + + 'paste.httpserver module not found') + exit(0) +try: + import kdcproxy +except: + success('Warning: not testing proxy support because python ' + + 'kdcproxy module not found') + exit(0) + +# Construct a krb5.conf fragment configuring the client to use a local proxy +# server. +proxysubjectpem = os.path.join(srctop, 'tests', 'dejagnu', 'proxy-certs', + 'proxy-subject.pem') +proxysanpem = os.path.join(srctop, 'tests', 'dejagnu', 'proxy-certs', + 'proxy-san.pem') +proxyidealpem = os.path.join(srctop, 'tests', 'dejagnu', 'proxy-certs', + 'proxy-ideal.pem') +proxywrongpem = os.path.join(srctop, 'tests', 'dejagnu', 'proxy-certs', + 'proxy-no-match.pem') +proxybadpem = os.path.join(srctop, 'tests', 'dejagnu', 'proxy-certs', + 'proxy-badsig.pem') +proxyca = os.path.join(srctop, 'tests', 'dejagnu', 'proxy-certs', 'ca.pem') +proxyurl = 'https://localhost:$port5/KdcProxy' +proxyurlupcase = 'https://LocalHost:$port5/KdcProxy' +proxyurl4 = 'https://127.0.0.1:$port5/KdcProxy' +proxyurl6 = 'https://[::1]:$port5/KdcProxy' + +unanchored_krb5_conf = {'realms': {'$realm': { + 'kdc': proxyurl, + 'kpasswd_server': proxyurl}}} +anchored_name_krb5_conf = {'realms': {'$realm': { + 'kdc': proxyurl, + 'kpasswd_server': proxyurl, + 'http_anchors': 'FILE:%s' % proxyca}}} +anchored_upcasename_krb5_conf = {'realms': {'$realm': { + 'kdc': proxyurlupcase, + 'kpasswd_server': proxyurlupcase, + 'http_anchors': 'FILE:%s' % proxyca}}} +anchored_kadmin_krb5_conf = {'realms': {'$realm': { + 'kdc': proxyurl, + 'admin_server': proxyurl, + 'http_anchors': 'FILE:%s' % proxyca}}} +anchored_ipv4_krb5_conf = {'realms': {'$realm': { + 'kdc': proxyurl4, + 'kpasswd_server': proxyurl4, + 'http_anchors': 'FILE:%s' % proxyca}}} +kpasswd_input = (password('user') + '\n' + password('user') + '\n' + + password('user') + '\n') + +def start_proxy(realm, keycertpem): + proxy_conf_path = os.path.join(realm.testdir, 'kdcproxy.conf') + proxy_exec_path = os.path.join(srctop, 'util', 'paste-kdcproxy.py') + conf = open(proxy_conf_path, 'w') + conf.write('[%s]\n' % realm.realm) + conf.write('kerberos = kerberos://localhost:%d\n' % realm.portbase) + conf.write('kpasswd = kpasswd://localhost:%d\n' % (realm.portbase + 2)) + conf.close() + realm.env['KDCPROXY_CONFIG'] = proxy_conf_path + cmd = [proxy_exec_path, str(realm.server_port()), keycertpem] + return realm.start_server(cmd, sentinel='proxy server ready') + +# Fail: untrusted issuer and hostname doesn't match. +output("running pass 1: issuer not trusted and hostname doesn't match\n") +realm = K5Realm(krb5_conf=unanchored_krb5_conf, get_creds=False, + create_host=False) +proxy = start_proxy(realm, proxywrongpem) +realm.kinit(realm.user_princ, password=password('user'), expected_code=1) +stop_daemon(proxy) +realm.stop() + +# Fail: untrusted issuer, host name matches subject. +output("running pass 2: subject matches, issuer not trusted\n") +realm = K5Realm(krb5_conf=unanchored_krb5_conf, get_creds=False, + create_host=False) +proxy = start_proxy(realm, proxysubjectpem) +realm.kinit(realm.user_princ, password=password('user'), expected_code=1) +stop_daemon(proxy) +realm.stop() + +# Fail: untrusted issuer, host name matches subjectAltName. +output("running pass 3: subjectAltName matches, issuer not trusted\n") +realm = K5Realm(krb5_conf=unanchored_krb5_conf, get_creds=False, + create_host=False) +proxy = start_proxy(realm, proxysanpem) +realm.kinit(realm.user_princ, password=password('user'), expected_code=1) +stop_daemon(proxy) +realm.stop() + +# Fail: untrusted issuer, certificate signature is bad. +output("running pass 4: subject matches, issuer not trusted\n") +realm = K5Realm(krb5_conf=unanchored_krb5_conf, get_creds=False, + create_host=False) +proxy = start_proxy(realm, proxybadpem) +realm.kinit(realm.user_princ, password=password('user'), expected_code=1) +stop_daemon(proxy) +realm.stop() + +# Fail: trusted issuer but hostname doesn't match. +output("running pass 5: issuer trusted but hostname doesn't match\n") +realm = K5Realm(krb5_conf=anchored_name_krb5_conf, get_creds=False, + create_host=False) +proxy = start_proxy(realm, proxywrongpem) +realm.kinit(realm.user_princ, password=password('user'), expected_code=1) +stop_daemon(proxy) +realm.stop() + +# Succeed: trusted issuer and host name matches subject. +output("running pass 6: issuer trusted, subject matches\n") +realm = K5Realm(krb5_conf=anchored_name_krb5_conf, start_kadmind=True, + get_creds=False) +proxy = start_proxy(realm, proxysubjectpem) +realm.kinit(realm.user_princ, password=password('user')) +realm.run([kvno, realm.host_princ]) +realm.run([kpasswd, realm.user_princ], input=kpasswd_input) +stop_daemon(proxy) +realm.stop() + +# Succeed: trusted issuer and host name matches subjectAltName. +output("running pass 7: issuer trusted, subjectAltName matches\n") +realm = K5Realm(krb5_conf=anchored_name_krb5_conf, start_kadmind=True, + get_creds=False) +proxy = start_proxy(realm, proxysanpem) +realm.kinit(realm.user_princ, password=password('user')) +realm.run([kvno, realm.host_princ]) +realm.run([kpasswd, realm.user_princ], input=kpasswd_input) +stop_daemon(proxy) +realm.stop() + +# Fail: certificate signature is bad. +output("running pass 8: issuer trusted and subjectAltName matches, sig bad\n") +realm = K5Realm(krb5_conf=anchored_name_krb5_conf, + get_creds=False, + create_host=False) +proxy = start_proxy(realm, proxybadpem) +realm.kinit(realm.user_princ, password=password('user'), expected_code=1) +stop_daemon(proxy) +realm.stop() + +# Fail: trusted issuer but IP doesn't match. +output("running pass 9: issuer trusted but no name matches IP\n") +realm = K5Realm(krb5_conf=anchored_ipv4_krb5_conf, get_creds=False, + create_host=False) +proxy = start_proxy(realm, proxywrongpem) +realm.kinit(realm.user_princ, password=password('user'), expected_code=1) +stop_daemon(proxy) +realm.stop() + +# Fail: trusted issuer, but subject does not match. +output("running pass 10: issuer trusted, but subject does not match IP\n") +realm = K5Realm(krb5_conf=anchored_ipv4_krb5_conf, get_creds=False, + create_host=False) +proxy = start_proxy(realm, proxysubjectpem) +realm.kinit(realm.user_princ, password=password('user'), expected_code=1) +stop_daemon(proxy) +realm.stop() + +# Succeed: trusted issuer and host name matches subjectAltName. +output("running pass 11: issuer trusted, subjectAltName matches IP\n") +realm = K5Realm(krb5_conf=anchored_ipv4_krb5_conf, start_kadmind=True, + get_creds=False) +proxy = start_proxy(realm, proxysanpem) +realm.kinit(realm.user_princ, password=password('user')) +realm.run([kvno, realm.host_princ]) +realm.run([kpasswd, realm.user_princ], input=kpasswd_input) +stop_daemon(proxy) +realm.stop() + +# Fail: certificate signature is bad. +output("running pass 12: issuer trusted, names don't match, signature bad\n") +realm = K5Realm(krb5_conf=anchored_ipv4_krb5_conf, get_creds=False, + create_host=False) +proxy = start_proxy(realm, proxybadpem) +realm.kinit(realm.user_princ, password=password('user'), expected_code=1) +stop_daemon(proxy) +realm.stop() + +# Succeed: trusted issuer and host name matches subject, using kadmin +# configuration to find kpasswdd. +output("running pass 13: issuer trusted, subject matches\n") +realm = K5Realm(krb5_conf=anchored_kadmin_krb5_conf, start_kadmind=True, + get_creds=False, create_host=False) +proxy = start_proxy(realm, proxysubjectpem) +realm.run([kpasswd, realm.user_princ], input=kpasswd_input) +stop_daemon(proxy) +realm.stop() + +# Succeed: trusted issuer and host name matches subjectAltName, using +# kadmin configuration to find kpasswdd. +output("running pass 14: issuer trusted, subjectAltName matches\n") +realm = K5Realm(krb5_conf=anchored_kadmin_krb5_conf, start_kadmind=True, + get_creds=False, create_host=False) +proxy = start_proxy(realm, proxysanpem) +realm.run([kpasswd, realm.user_princ], input=kpasswd_input) +stop_daemon(proxy) +realm.stop() + +# Succeed: trusted issuer and host name matches subjectAltName (give or take +# case). +output("running pass 15: issuer trusted, subjectAltName case-insensitive\n") +realm = K5Realm(krb5_conf=anchored_upcasename_krb5_conf, start_kadmind=True, + get_creds=False, create_host=False) +proxy = start_proxy(realm, proxysanpem) +realm.run([kpasswd, realm.user_princ], input=kpasswd_input) +stop_daemon(proxy) +realm.stop() + +success('MS-KKDCP proxy') |