Add client keytab initiation support

Support acquiring GSSAPI krb5 credentials by fetching initial
credentials using the client keytab.  Credentials obtained this way
will be stored in the default ccache or collection, and will be
refreshed when they are halfway to expiring.

ticket: 7189 (new)

1 files changed, 132 insertions, 0 deletions

diff --git a/src/tests/gssapi/t_client_keytab.py b/src/tests/gssapi/t_client_keytab.py
new file mode 100644
index 000000000..71cb89e78
--- /dev/null
+++ b/src/tests/gssapi/t_client_keytab.py
@@ -0,0 +1,132 @@
+#!/usr/bin/python
+from k5test import *
+
+# Set up a basic realm and a client keytab containing two user principals.
+# Point HOME at realm.testdir for tests using .k5identity.
+realm = K5Realm(get_creds=False)
+bob = 'bob@' + realm.realm
+gssserver = 'gss:host@' + hostname
+realm.env_client['HOME'] = realm.testdir
+realm.addprinc(bob, password('bob'))
+realm.extract_keytab(realm.user_princ, realm.client_keytab)
+realm.extract_keytab(bob, realm.client_keytab)
+
+# Test 1: no name/cache specified, pick first principal from client keytab
+out = realm.run_as_client(['./t_ccselect', realm.host_princ])
+if realm.user_princ not in out:
+    fail('Authenticated as wrong principal')
+realm.run_as_client([kdestroy])
+
+# Test 2: no name/cache specified, pick principal from k5identity
+k5idname = os.path.join(realm.testdir, '.k5identity')
+k5id = open(k5idname, 'w')
+k5id.write('%s service=host host=%s\n' % (bob, hostname))
+k5id.close()
+out = realm.run_as_client(['./t_ccselect', gssserver])
+if bob not in out:
+    fail('Authenticated as wrong principal')
+os.remove(k5idname)
+realm.run_as_client([kdestroy])
+
+# Test 3: no name/cache specified, default ccache has name but no creds
+realm.run_as_client(['./ccinit', realm.ccache, bob])
+out = realm.run_as_client(['./t_ccselect', realm.host_princ])
+if bob not in out:
+    fail('Authenticated as wrong principal')
+# Leave tickets for next test.
+
+# Test 4: name specified, non-collectable default cache doesn't match
+out = realm.run_as_client(['./t_ccselect', realm.host_princ, realm.user_princ],
+                          expected_code=1)
+if 'Principal in credential cache does not match desired name' not in out:
+    fail('Expected error not seen')
+realm.run_as_client([kdestroy])
+
+# Test 5: name specified, nonexistent default cache
+out = realm.run_as_client(['./t_ccselect', realm.host_princ, bob])
+if bob not in out:
+    fail('Authenticated as wrong principal')
+# Leave tickets for next test.
+
+# Test 6: name specified, matches default cache, time to refresh
+realm.run_as_client(['./ccrefresh', realm.ccache, '1'])
+out = realm.run_as_client(['./t_ccselect', realm.host_princ, bob])
+if bob not in out:
+    fail('Authenticated as wrong principal')
+out = realm.run_as_client(['./ccrefresh', realm.ccache])
+if int(out) < 1000:
+    fail('Credentials apparently not refreshed')
+realm.run_as_client([kdestroy])
+
+# Test 7: empty ccache specified, pick first principal from client keytab
+realm.run_as_client(['./t_imp_cred', realm.host_princ])
+realm.klist(realm.user_princ)
+realm.run_as_client([kdestroy])
+
+# Test 8: ccache specified with name but no creds; name not in client keytab
+realm.run_as_client(['./ccinit', realm.ccache, realm.host_princ])
+out = realm.run_as_client(['./t_imp_cred', realm.host_princ], expected_code=1)
+if 'Credential cache is empty' not in out:
+    fail('Expected error not seen')
+realm.run_as_client([kdestroy])
+
+# Test 9: ccache specified with name but no creds; name in client keytab
+realm.run_as_client(['./ccinit', realm.ccache, bob])
+realm.run_as_client(['./t_imp_cred', realm.host_princ])
+realm.klist(bob)
+# Leave tickets for next test.
+
+# Test 10: ccache specified with creds, time to refresh
+realm.run_as_client(['./ccrefresh', realm.ccache, '1'])
+realm.run_as_client(['./t_imp_cred', realm.host_princ])
+realm.klist(bob)
+out = realm.run_as_client(['./ccrefresh', realm.ccache])
+if int(out) < 1000:
+    fail('Credentials apparently not refreshed')
+realm.run_as_client([kdestroy])
+
+# Use a cache collection for the remaining tests.
+ccdir = os.path.join(realm.testdir, 'cc')
+ccname = 'DIR:' + ccdir
+os.mkdir(ccdir)
+realm.env_client['KRB5CCNAME'] = ccname
+
+# Test 11: name specified, matching cache in collection with no creds
+bobcache = os.path.join(ccdir, 'tktbob')
+realm.run_as_client(['./ccinit', bobcache, bob])
+out = realm.run_as_client(['./t_ccselect', realm.host_princ, bob])
+if bob not in out:
+    fail('Authenticated as wrong principal')
+# Leave tickets for next test.
+
+# Test 12: name specified, matching cache in collection, time to refresh
+realm.run_as_client(['./ccrefresh', bobcache, '1'])
+out = realm.run_as_client(['./t_ccselect', realm.host_princ, bob])
+if bob not in out:
+    fail('Authenticated as wrong principal')
+out = realm.run_as_client(['./ccrefresh', bobcache])
+if int(out) < 1000:
+    fail('Credentials apparently not refreshed')
+realm.run_as_client([kdestroy, '-A'])
+
+# Test 13: name specified, collection has default for different principal
+realm.kinit(realm.user_princ, password('user'))
+out = realm.run_as_client(['./t_ccselect', realm.host_princ, bob])
+if bob not in out:
+    fail('Authenticated as wrong principal')
+out = realm.run_as_client([klist])
+if 'Default principal: %s\n' % realm.user_princ not in out:
+    fail('Default cache overwritten by acquire_cred')
+realm.run_as_client([kdestroy, '-A'])
+
+# Test 14: name specified, collection has no default cache
+out = realm.run_as_client(['./t_ccselect', realm.host_princ, bob])
+if bob not in out:
+    fail('Authenticated as wrong principal')
+# Make sure the tickets we acquired didn't become the default
+out = realm.run_as_client([klist], expected_code=1)
+if 'No credentials cache found' not in out:
+    fail('Expected error not seen')
+realm.run_as_client([kdestroy, '-A'])
+
+success('Client keytab tests')