author | Greg Hudson <ghudson@mit.edu> | 2012-12-16 16:55:29 -0500 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2012-12-20 11:45:20 -0500 |
commit | 966547dfeb011800d4b78b8e5d494813bc80559c (patch) | |
tree | 4226bd168056336c965a4aa77c845093ef723da3 /src/tests/gssapi | |
parent | 76c27cf7e3161e0f20f8935d82ae0f2feb77b01a (diff) | |
Simplify k5test.py environments
The initial k5test.py design, copied from the dejagnu suite, is to
create config files and environments for four expected roles: client,
server, master, and slave. This approach exaggerates the complexity
of the common case, where the configurations don't need to vary, and
limits us to having just one slave for kprop/iprop tests.
Instead, create just one configuration by default, and add a
special_env() method which sets up a differently configured
environment for the few test cases which need one. The run_as_*()
methods are collapsed into just run(), which accepts an optional
argument for the environment returned by special_env().
Diffstat (limited to 'src/tests/gssapi')
-rw-r--r-- | src/tests/gssapi/t_ccselect.py | 41 | ||||
-rw-r--r-- | src/tests/gssapi/t_client_keytab.py | 76 | ||||
-rw-r--r-- | src/tests/gssapi/t_export_cred.py | 4 | ||||
-rwxr-xr-x | src/tests/gssapi/t_gssapi.py | 89 | ||||
-rw-r--r-- | src/tests/gssapi/t_s4u.py | 23 |
5 files changed, 110 insertions, 123 deletions
diff --git a/src/tests/gssapi/t_ccselect.py b/src/tests/gssapi/t_ccselect.py index 6b7bce617..8858fa868 100644 --- a/src/tests/gssapi/t_ccselect.py +++ b/src/tests/gssapi/t_ccselect.py @@ -42,27 +42,21 @@ gssserver = 'h:host@' + hostname # .k5identity rules since it has unknown type. refserver = 'p:host/' + hostname + '@' -# Make each realm's keytab contain entries for both realm's servers. -#r1.run_as_client(['/bin/sh', '-c', '(echo rkt %s; echo wkt %s) | %s' % -# (r2.keytab, r1.keytab, ktutil)]) -#r1.run_as_client(['/bin/sh', '-c', '(echo rkt %s; echo wkt %s) | %s' % -# (r1.keytab, r2.keytab, ktutil)]) - # Verify that we can't get initiator creds with no credentials in the # collection. -output = r1.run_as_client(['./t_ccselect', host1, '-'], expected_code=1) +output = r1.run(['./t_ccselect', host1, '-'], expected_code=1) if 'No Kerberos credentials available' not in output: fail('Expected error not seen in output when no credentials available') # Make a directory collection and use it for client commands in both realms. ccdir = os.path.join(r1.testdir, 'cc') ccname = 'DIR:' + ccdir -r1.env_client['KRB5CCNAME'] = ccname -r2.env_client['KRB5CCNAME'] = ccname +r1.env['KRB5CCNAME'] = ccname +r2.env['KRB5CCNAME'] = ccname # Use .k5identity from testdir and not from the tester's homedir. -r1.env_client['HOME'] = r1.testdir -r2.env_client['HOME'] = r1.testdir +r1.env['HOME'] = r1.testdir +r2.env['HOME'] = r1.testdir # Create two users in r1 and one in r2. alice='alice@KRBTEST.COM' 
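Review bot: The comment `# Make a directory collection and use it for client commands in both realms.` no longer matches the code under it. `r1.env['KRB5CCNAME'] = ccname` and `r1.env['HOME'] = r1.testdir` now write to the realm's single environment, which per the commit message is what `run()` uses by default, so every later command run through r1 or r2 inherits the shared DIR: collection and the `.k5identity` lookup path, not only client-side ones. I would reword it to `# Make a directory collection and use it for all commands in both realms.` and build a separate environment with `special_env()` if a later test needs acceptor-side commands isolated from these settings. k5test.py is outside this diffstat, so which helpers read `env` is inferred from the commit message.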
@@ -77,32 +71,32 @@ r1.kinit(alice, password('alice')) r2.kinit(zaphod, password('zaphod')) # Check that we can find a cache for a specified client principal. -output = r1.run_as_client(['./t_ccselect', host1, 'p:' + alice]) +output = r1.run(['./t_ccselect', host1, 'p:' + alice]) if output != (alice + '\n'): fail('alice not chosen when specified') -output = r2.run_as_client(['./t_ccselect', host2, 'p:' + zaphod]) +output = r2.run(['./t_ccselect', host2, 'p:' + zaphod]) if output != (zaphod + '\n'): fail('zaphod not chosen when specified') # Check that we can guess a cache based on the service realm. -output = r1.run_as_client(['./t_ccselect', host1]) +output = r1.run(['./t_ccselect', host1]) if output != (alice + '\n'): fail('alice not chosen as default initiator cred for server in r1') -output = r1.run_as_client(['./t_ccselect', host1, '-']) +output = r1.run(['./t_ccselect', host1, '-']) if output != (alice + '\n'): fail('alice not chosen as default initiator name for server in r1') -output = r2.run_as_client(['./t_ccselect', host2]) +output = r2.run(['./t_ccselect', host2]) if output != (zaphod + '\n'): fail('zaphod not chosen as default initiator cred for server in r1') -output = r2.run_as_client(['./t_ccselect', host2, '-']) +output = r2.run(['./t_ccselect', host2, '-']) if output != (zaphod + '\n'): fail('zaphod not chosen as default initiator name for server in r1') # Check that primary cache is used if server realm is unknown. -output = r2.run_as_client(['./t_ccselect', gssserver]) +output = r2.run(['./t_ccselect', gssserver]) if output != (zaphod + '\n'): fail('zaphod not chosen via primary cache for unknown server realm') -r1.run_as_client(['./t_ccselect', gssserver], expected_code=1) +r1.run(['./t_ccselect', gssserver], expected_code=1) # Get a second cred in r1 (bob will be primary). r1.kinit(bob, password('bob')) 
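Review bot: The negative check `r1.run(['./t_ccselect', gssserver], expected_code=1)` discards its output, so any exit status 1 satisfies it, including a failure caused by the environment rather than by the unknown server realm. The other negative cases in this file capture the output and test for a specific error string; this one should do the same, `output = r1.run(['./t_ccselect', gssserver], expected_code=1)` followed by an `if '<expected error text>' not in output: fail(...)` check (the exact message is not visible in this hunk). Separately, the two r2/host2 checks still report `... for server in r1` on failure; those messages should say r2.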
@@ -113,17 +107,16 @@ k5id.write('%s realm=%s\n' % (alice, r1.realm)) k5id.write('%s service=ho*t host=%s\n' % (zaphod, hostname)) k5id.write('noprinc service=bogus') k5id.close() -output = r1.run_as_client(['./t_ccselect', host1]) +output = r1.run(['./t_ccselect', host1]) if output != (alice + '\n'): fail('alice not chosen via .k5identity realm line.') -output = r2.run_as_client(['./t_ccselect', gssserver]) +output = r2.run(['./t_ccselect', gssserver]) if output != (zaphod + '\n'): fail('zaphod not chosen via .k5identity service/host line.') -output = r1.run_as_client(['./t_ccselect', refserver]) +output = r1.run(['./t_ccselect', refserver]) if output != (bob + '\n'): fail('bob not chosen via primary cache when no .k5identity line matches.') -output = r1.run_as_client(['./t_ccselect', 'h:bogus@' + hostname], - expected_code=1) +output = r1.run(['./t_ccselect', 'h:bogus@' + hostname], expected_code=1) if 'Can\'t find client principal noprinc' not in output: fail('Expected error not seen when k5identity selects bad principal.') diff --git a/src/tests/gssapi/t_client_keytab.py b/src/tests/gssapi/t_client_keytab.py index 71566a5d3..484aacde3 100644 --- a/src/tests/gssapi/t_client_keytab.py +++ b/src/tests/gssapi/t_client_keytab.py 
@@ -9,126 +9,126 @@ phost = 'p:' + realm.host_princ puser = 'p:' + realm.user_princ pbob = 'p:' + bob gssserver = 'h:host@' + hostname -realm.env_client['HOME'] = realm.testdir +realm.env['HOME'] = realm.testdir realm.addprinc(bob, password('bob')) realm.extract_keytab(realm.user_princ, realm.client_keytab) realm.extract_keytab(bob, realm.client_keytab) # Test 1: no name/cache specified, pick first principal from client keytab -out = realm.run_as_client(['./t_ccselect', phost]) +out = realm.run(['./t_ccselect', phost]) if realm.user_princ not in out: fail('Authenticated as wrong principal') -realm.run_as_client([kdestroy]) +realm.run([kdestroy]) # Test 2: no name/cache specified, pick principal from k5identity k5idname = os.path.join(realm.testdir, '.k5identity') k5id = open(k5idname, 'w') k5id.write('%s service=host host=%s\n' % (bob, hostname)) k5id.close() -out = realm.run_as_client(['./t_ccselect', gssserver]) +out = realm.run(['./t_ccselect', gssserver]) if bob not in out: fail('Authenticated as wrong principal') os.remove(k5idname) -realm.run_as_client([kdestroy]) +realm.run([kdestroy]) # Test 3: no name/cache specified, default ccache has name but no creds -realm.run_as_client(['./ccinit', realm.ccache, bob]) -out = realm.run_as_client(['./t_ccselect', phost]) +realm.run(['./ccinit', realm.ccache, bob]) +out = realm.run(['./t_ccselect', phost]) if bob not in out: fail('Authenticated as wrong principal') # Leave tickets for next test. 
# Test 4: name specified, non-collectable default cache doesn't match -out = realm.run_as_client(['./t_ccselect', phost, puser], expected_code=1) +out = realm.run(['./t_ccselect', phost, puser], expected_code=1) if 'Principal in credential cache does not match desired name' not in out: fail('Expected error not seen') -realm.run_as_client([kdestroy]) +realm.run([kdestroy]) # Test 5: name specified, nonexistent default cache -out = realm.run_as_client(['./t_ccselect', phost, pbob]) +out = realm.run(['./t_ccselect', phost, pbob]) if bob not in out: fail('Authenticated as wrong principal') # Leave tickets for next test. # Test 6: name specified, matches default cache, time to refresh -realm.run_as_client(['./ccrefresh', realm.ccache, '1']) -out = realm.run_as_client(['./t_ccselect', phost, pbob]) +realm.run(['./ccrefresh', realm.ccache, '1']) +out = realm.run(['./t_ccselect', phost, pbob]) if bob not in out: fail('Authenticated as wrong principal') -out = realm.run_as_client(['./ccrefresh', realm.ccache]) +out = realm.run(['./ccrefresh', realm.ccache]) if int(out) < 1000: fail('Credentials apparently not refreshed') -realm.run_as_client([kdestroy]) +realm.run([kdestroy]) # Test 7: empty ccache specified, pick first principal from client keytab -realm.run_as_client(['./t_imp_cred', phost]) +realm.run(['./t_imp_cred', phost]) realm.klist(realm.user_princ) -realm.run_as_client([kdestroy]) +realm.run([kdestroy]) # Test 8: ccache specified with name but no creds; name not in client keytab -realm.run_as_client(['./ccinit', realm.ccache, realm.host_princ]) -out = realm.run_as_client(['./t_imp_cred', phost], expected_code=1) +realm.run(['./ccinit', realm.ccache, realm.host_princ]) +out = realm.run(['./t_imp_cred', phost], expected_code=1) if 'Credential cache is empty' not in out: fail('Expected error not seen') -realm.run_as_client([kdestroy]) +realm.run([kdestroy]) # Test 9: ccache specified with name but no creds; name in client keytab -realm.run_as_client(['./ccinit', 
realm.ccache, bob]) -realm.run_as_client(['./t_imp_cred', phost]) +realm.run(['./ccinit', realm.ccache, bob]) +realm.run(['./t_imp_cred', phost]) realm.klist(bob) # Leave tickets for next test. # Test 10: ccache specified with creds, time to refresh -realm.run_as_client(['./ccrefresh', realm.ccache, '1']) -realm.run_as_client(['./t_imp_cred', phost]) +realm.run(['./ccrefresh', realm.ccache, '1']) +realm.run(['./t_imp_cred', phost]) realm.klist(bob) -out = realm.run_as_client(['./ccrefresh', realm.ccache]) +out = realm.run(['./ccrefresh', realm.ccache]) if int(out) < 1000: fail('Credentials apparently not refreshed') -realm.run_as_client([kdestroy]) +realm.run([kdestroy]) # Use a cache collection for the remaining tests. ccdir = os.path.join(realm.testdir, 'cc') ccname = 'DIR:' + ccdir os.mkdir(ccdir) -realm.env_client['KRB5CCNAME'] = ccname +realm.env['KRB5CCNAME'] = ccname # Test 11: name specified, matching cache in collection with no creds bobcache = os.path.join(ccdir, 'tktbob') -realm.run_as_client(['./ccinit', bobcache, bob]) -out = realm.run_as_client(['./t_ccselect', phost, pbob]) +realm.run(['./ccinit', bobcache, bob]) +out = realm.run(['./t_ccselect', phost, pbob]) if bob not in out: fail('Authenticated as wrong principal') # Leave tickets for next test. 
# Test 12: name specified, matching cache in collection, time to refresh -realm.run_as_client(['./ccrefresh', bobcache, '1']) -out = realm.run_as_client(['./t_ccselect', phost, pbob]) +realm.run(['./ccrefresh', bobcache, '1']) +out = realm.run(['./t_ccselect', phost, pbob]) if bob not in out: fail('Authenticated as wrong principal') -out = realm.run_as_client(['./ccrefresh', bobcache]) +out = realm.run(['./ccrefresh', bobcache]) if int(out) < 1000: fail('Credentials apparently not refreshed') -realm.run_as_client([kdestroy, '-A']) +realm.run([kdestroy, '-A']) # Test 13: name specified, collection has default for different principal realm.kinit(realm.user_princ, password('user')) -out = realm.run_as_client(['./t_ccselect', phost, pbob]) +out = realm.run(['./t_ccselect', phost, pbob]) if bob not in out: fail('Authenticated as wrong principal') -out = realm.run_as_client([klist]) +out = realm.run([klist]) if 'Default principal: %s\n' % realm.user_princ not in out: fail('Default cache overwritten by acquire_cred') -realm.run_as_client([kdestroy, '-A']) +realm.run([kdestroy, '-A']) # Test 14: name specified, collection has no default cache -out = realm.run_as_client(['./t_ccselect', phost, pbob]) +out = realm.run(['./t_ccselect', phost, pbob]) if bob not in out: fail('Authenticated as wrong principal') # Make sure the tickets we acquired didn't become the default -out = realm.run_as_client([klist], expected_code=1) +out = realm.run([klist], expected_code=1) if 'No credentials cache found' not in out: fail('Expected error not seen') -realm.run_as_client([kdestroy, '-A']) +realm.run([kdestroy, '-A']) success('Client keytab tests') diff --git a/src/tests/gssapi/t_export_cred.py b/src/tests/gssapi/t_export_cred.py index 3f7b6576d..53dd13c91 100644 --- a/src/tests/gssapi/t_export_cred.py +++ b/src/tests/gssapi/t_export_cred.py 
@@ -19,8 +19,8 @@ def ccache_restore(realm): # forwarded cred into the default ccache. def check(realm, args): ccache_restore(realm) - realm.run_as_client(['./t_export_cred'] + args) - output = realm.run_as_client([klist, '-f']) + realm.run(['./t_export_cred'] + args) + output = realm.run([klist, '-f']) if 'Flags: Ff' not in output: fail('Forwarded tickets not found in ccache after t_export_cred') diff --git a/src/tests/gssapi/t_gssapi.py b/src/tests/gssapi/t_gssapi.py index e453b7170..5f1d5d1ff 100755 --- a/src/tests/gssapi/t_gssapi.py +++ b/src/tests/gssapi/t_gssapi.py @@ -3,7 +3,7 @@ from k5test import * # Test krb5 negotiation under SPNEGO for all enctype configurations. for realm in multipass_realms(): - realm.run_as_client(['./t_spnego','p:' + realm.host_princ, realm.keytab]) + realm.run(['./t_spnego','p:' + realm.host_princ, realm.keytab]) ### Test acceptor name behavior. 
@@ -24,79 +24,75 @@ realm.run_kadminl('renprinc -force service1/abraham service1/andrew') # Test with no acceptor name, including client/keytab principal # mismatch (non-fatal) and missing keytab entry (fatal). -output = realm.run_as_client(['./t_accname', 'p:service1/andrew']) +output = realm.run(['./t_accname', 'p:service1/andrew']) if 'service1/abraham' not in output: fail('Expected service1/abraham in t_accname output') -output = realm.run_as_client(['./t_accname', 'p:service1/barack']) +output = realm.run(['./t_accname', 'p:service1/barack']) if 'service1/barack' not in output: fail('Expected service1/barack in t_accname output') -output = realm.run_as_client(['./t_accname', 'p:service2/calvin']) +output = realm.run(['./t_accname', 'p:service2/calvin']) if 'service2/calvin' not in output: fail('Expected service1/barack in t_accname output') -output = realm.run_as_client(['./t_accname', 'p:service2/dwight'], - expected_code=1) +output = realm.run(['./t_accname', 'p:service2/dwight'], expected_code=1) if 'Wrong principal in request' not in output: fail('Expected error message not seen in t_accname output') # Test with acceptor name containing service only, including # client/keytab hostname mismatch (non-fatal) and service name # mismatch (fatal). 
-output = realm.run_as_client(['./t_accname', 'p:service1/andrew', - 'h:service1']) +output = realm.run(['./t_accname', 'p:service1/andrew', 'h:service1']) if 'service1/abraham' not in output: fail('Expected service1/abraham in t_accname output') -output = realm.run_as_client(['./t_accname', 'p:service1/andrew', - 'h:service2'], expected_code=1) +output = realm.run(['./t_accname', 'p:service1/andrew', 'h:service2'], + expected_code=1) if 'Wrong principal in request' not in output: fail('Expected error message not seen in t_accname output') -output = realm.run_as_client(['./t_accname', 'p:service2/calvin', - 'h:service2']) +output = realm.run(['./t_accname', 'p:service2/calvin', 'h:service2']) if 'service2/calvin' not in output: fail('Expected service2/calvin in t_accname output') -output = realm.run_as_client(['./t_accname', 'p:service2/calvin', - 'h:service1'], expected_code=1) +output = realm.run(['./t_accname', 'p:service2/calvin', 'h:service1'], + expected_code=1) if 'Wrong principal in request' not in output: fail('Expected error message not seen in t_accname output') # Test with acceptor name containing service and host. Use the # client's un-canonicalized hostname as acceptor input to mirror what # many servers do. -output = realm.run_as_client(['./t_accname', 'p:' + realm.host_princ, - 'h:host@%s' % socket.gethostname()]) +output = realm.run(['./t_accname', 'p:' + realm.host_princ, + 'h:host@%s' % socket.gethostname()]) if realm.host_princ not in output: fail('Expected %s in t_accname output' % realm.host_princ) -output = realm.run_as_client(['./t_accname', 'p:host/-nomatch-', - 'h:host@%s' % socket.gethostname()], - expected_code=1) +output = realm.run(['./t_accname', 'p:host/-nomatch-', + 'h:host@%s' % socket.gethostname()], + expected_code=1) if 'Wrong principal in request' not in output: fail('Expected error message not seen in t_accname output') # Test krb5_gss_import_cred. 
-realm.run_as_client(['./t_imp_cred', 'p:service1/barack']) -realm.run_as_client(['./t_imp_cred', 'p:service1/barack', 'service1/barack']) -realm.run_as_client(['./t_imp_cred', 'p:service1/andrew', 'service1/abraham']) -output = realm.run_as_client(['./t_imp_cred', 'p:service2/dwight'], - expected_code=1) +realm.run(['./t_imp_cred', 'p:service1/barack']) +realm.run(['./t_imp_cred', 'p:service1/barack', 'service1/barack']) +realm.run(['./t_imp_cred', 'p:service1/andrew', 'service1/abraham']) +output = realm.run(['./t_imp_cred', 'p:service2/dwight'], expected_code=1) if 'Wrong principal in request' not in output: fail('Expected error message not seen in t_imp_cred output') # Test credential store extension. tmpccname = 'FILE:' + os.path.join(realm.testdir, 'def_cache') -realm.env_client['KRB5CCNAME'] = tmpccname +realm.env['KRB5CCNAME'] = tmpccname storagecache = 'FILE:' + os.path.join(realm.testdir, 'user_store') servicekeytab = os.path.join(realm.testdir, 'kt') service_cs = 'service/cs@%s' % realm.realm realm.addprinc(service_cs) realm.extract_keytab(service_cs, servicekeytab) realm.kinit(service_cs, None, ['-k', '-t', servicekeytab]) -output = realm.run_as_client(['./t_credstore', service_cs, '--cred_store', - 'ccache', storagecache, 'keytab', servicekeytab]) +output = realm.run(['./t_credstore', service_cs, '--cred_store', + 'ccache', storagecache, 'keytab', servicekeytab]) if 'Cred Store Success' not in output: fail('Expected test to succeed') # Verify that we can't acquire acceptor creds without a keytab. os.remove(realm.keytab) -output = realm.run_as_client(['./t_accname', 'p:abc'], expected_code=1) +output = realm.run(['./t_accname', 'p:abc'], expected_code=1) if ('gss_acquire_cred: Keytab' not in output or 'nonexistent or empty' not in output): fail('Expected error message not seen for nonexistent keytab') 
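Review bot: The check that runs `./t_accname` with `p:service2/calvin` and no acceptor name fails with `Expected service1/barack in t_accname output`, a message copied from the check above it. It should read `fail('Expected service2/calvin in t_accname output')` so that a failure in the log names the principal that was actually tested. The line is unchanged context in this hunk, but the commit rewrites the call directly above it, so this is a cheap place to correct it.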
@@ -105,13 +101,12 @@ realm.stop() # Re-run the last acceptor name test with ignore_acceptor_hostname set # and the principal for the mismatching hostname in the keytab. -ignore_conf = { 'all' : { 'libdefaults' : { - 'ignore_acceptor_hostname' : 'true' } } } +ignore_conf = {'libdefaults': {'ignore_acceptor_hostname': 'true'}} realm = K5Realm(krb5_conf=ignore_conf) realm.run_kadminl('addprinc -randkey host/-nomatch-') realm.run_kadminl('xst host/-nomatch-') -output = realm.run_as_client(['./t_accname', 'p:host/-nomatch-', - 'h:host@%s' % socket.gethostname()]) +output = realm.run(['./t_accname', 'p:host/-nomatch-', + 'h:host@%s' % socket.gethostname()]) if 'host/-nomatch-' not in output: fail('Expected host/-nomatch- in t_accname output') 
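Review bot: With `ignore_acceptor_hostname` set, this block checks only the permissive outcome, that `host/-nomatch-` is accepted for `h:host@<hostname>`; nothing verifies that the relaxed setting still rejects a mismatching service. I would add a negative case in the same realm, something like `realm.run(['./t_accname', 'p:host/-nomatch-', 'h:service1@%s' % socket.gethostname()], expected_code=1)`, so a regression that makes the option ignore more than the hostname is caught. Confirm the resulting error text before asserting on it, since it is not visible here. A comment on `ignore_conf` such as `# Weakens acceptor name matching; set only for this realm.` would also help readers.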
@@ -122,31 +117,31 @@ realm.stop() realm = K5Realm() # Test deferred resolution of the default ccache for initiator creds. -output = realm.run_as_client(['./t_inq_cred']) +output = realm.run(['./t_inq_cred']) if realm.user_princ not in output: fail('Expected %s in t_inq_cred output' % realm.user_princ) -output = realm.run_as_client(['./t_inq_cred', '-k']) +output = realm.run(['./t_inq_cred', '-k']) if realm.user_princ not in output: fail('Expected %s in t_inq_cred output' % realm.user_princ) -output = realm.run_as_client(['./t_inq_cred', '-s']) +output = realm.run(['./t_inq_cred', '-s']) if realm.user_princ not in output: fail('Expected %s in t_inq_cred output' % realm.user_princ) # Test picking a name from the keytab for acceptor creds. -output = realm.run_as_client(['./t_inq_cred', '-a']) +output = realm.run(['./t_inq_cred', '-a']) if realm.host_princ not in output: fail('Expected %s in t_inq_cred output' % realm.host_princ) -output = realm.run_as_client(['./t_inq_cred', '-k', '-a']) +output = realm.run(['./t_inq_cred', '-k', '-a']) if realm.host_princ not in output: fail('Expected %s in t_inq_cred output' % realm.host_princ) -output = realm.run_as_client(['./t_inq_cred', '-s', '-a']) +output = realm.run(['./t_inq_cred', '-s', '-a']) if realm.host_princ not in output: fail('Expected %s in t_inq_cred output' % realm.host_princ) # Test client keytab initiation (non-deferred) with a specified name. realm.extract_keytab(realm.user_princ, realm.client_keytab) os.remove(realm.ccache) -output = realm.run_as_client(['./t_inq_cred', '-k']) +output = realm.run(['./t_inq_cred', '-k']) if realm.user_princ not in output: fail('Expected %s in t_inq_cred output' % realm.user_princ) 
@@ -154,34 +149,34 @@ if realm.user_princ not in output: os.remove(realm.client_keytab) os.remove(realm.ccache) shutil.copyfile(realm.keytab, realm.client_keytab) -output = realm.run_as_client(['./t_inq_cred', '-k', '-b']) +output = realm.run(['./t_inq_cred', '-k', '-b']) if realm.host_princ not in output: fail('Expected %s in t_inq_cred output' % realm.host_princ) # Test gss_export_name behavior. -out = realm.run_as_client(['./t_export_name', 'u:x']) +out = realm.run(['./t_export_name', 'u:x']) if out != '0401000B06092A864886F7120102020000000D78404B5242544553542E434F4D\n': fail('Unexpected output from t_export_name (krb5 username)') -output = realm.run_as_client(['./t_export_name', '-s', 'u:xyz']) +output = realm.run(['./t_export_name', '-s', 'u:xyz']) if output != '0401000806062B06010505020000000378797A\n': fail('Unexpected output from t_export_name (SPNEGO username)') -output = realm.run_as_client(['./t_export_name', 'p:a@b']) +output = realm.run(['./t_export_name', 'p:a@b']) if output != '0401000B06092A864886F71201020200000003614062\n': fail('Unexpected output from t_export_name (krb5 principal)') -output = realm.run_as_client(['./t_export_name', '-s', 'p:a@b']) +output = realm.run(['./t_export_name', '-s', 'p:a@b']) if output != '0401000806062B060105050200000003614062\n': fail('Unexpected output from t_export_name (SPNEGO krb5 principal)') # Test gss_inquire_mechs_for_name behavior. 
krb5_mech = '{ 1 2 840 113554 1 2 2 }' spnego_mech = '{ 1 3 6 1 5 5 2 }' -out = realm.run_as_client(['./t_inq_mechs_name', 'p:a@b']) +out = realm.run(['./t_inq_mechs_name', 'p:a@b']) if krb5_mech not in out: fail('t_inq_mechs_name (principal)') -out = realm.run_as_client(['./t_inq_mechs_name', 'u:x']) +out = realm.run(['./t_inq_mechs_name', 'u:x']) if krb5_mech not in out or spnego_mech not in out: fail('t_inq_mecs_name (user)') -out = realm.run_as_client(['./t_inq_mechs_name', 'h:host']) +out = realm.run(['./t_inq_mechs_name', 'h:host']) if krb5_mech not in out or spnego_mech not in out: fail('t_inq_mecs_name (hostbased)') diff --git a/src/tests/gssapi/t_s4u.py b/src/tests/gssapi/t_s4u.py index cd6759101..67dc81034 100644 --- a/src/tests/gssapi/t_s4u.py +++ b/src/tests/gssapi/t_s4u.py @@ -24,17 +24,17 @@ realm.kinit(service1, None, ['-f', '-k']) # at the S4U2Proxy step since the DB2 back end currently has no # support for allowing it. realm.kinit(realm.user_princ, password('user'), ['-f', '-c', usercache]) -output = realm.run_as_server(['./t_s4u2proxy_krb5', usercache, storagecache, - '-', pservice1, pservice2], expected_code=1) +output = realm.run(['./t_s4u2proxy_krb5', usercache, storagecache, '-', + pservice1, pservice2], expected_code=1) if ('auth1: ' + realm.user_princ not in output or 'NOT_ALLOWED_TO_DELEGATE' not in output): fail('krb5 -> s4u2proxy') # Again with SPNEGO. Bug #7045 prevents us from checking the error # message, but we can at least exercise the code. -output = realm.run_as_server(['./t_s4u2proxy_krb5', '--spnego', usercache, - storagecache, '-', pservice1, pservice2], - expected_code=1) +output = realm.run(['./t_s4u2proxy_krb5', '--spnego', usercache, storagecache, + '-', pservice1, pservice2], + expected_code=1) if ('auth1: ' + realm.user_princ not in output): fail('krb5 -> s4u2proxy (SPNEGO)') 
@@ -42,18 +42,18 @@ if ('auth1: ' + realm.user_princ not in output): # result in no delegated credential being created by # accept_sec_context. realm.kinit(realm.user_princ, password('user'), ['-c', usercache]) -output = realm.run_as_server(['./t_s4u2proxy_krb5', usercache, storagecache, - pservice1, pservice1, pservice2]) +output = realm.run(['./t_s4u2proxy_krb5', usercache, storagecache, pservice1, + pservice1, pservice2]) if 'no credential delegated' not in output: fail('krb5 -> no delegated cred') # Try S4U2Self. Ask for an S4U2Proxy step; this won't happen because # service/1 isn't allowed to get a forwardable S4U2Self ticket. -output = realm.run_as_server(['./t_s4u', puser, pservice2]) +output = realm.run(['./t_s4u', puser, pservice2]) if ('Warning: no delegated cred handle' not in output or 'Source name:\t' + realm.user_princ not in output): fail('s4u2self') -output = realm.run_as_server(['./t_s4u', '--spnego', puser, pservice2]) +output = realm.run(['./t_s4u', '--spnego', puser, pservice2]) if ('Warning: no delegated cred handle' not in output or 'Source name:\t' + realm.user_princ not in output): fail('s4u2self (SPNEGO)') @@ -61,7 +61,7 @@ if ('Warning: no delegated cred handle' not in output or # Correct that problem and try again. As above, the S4U2Proxy step # won't actually succeed since we don't support that in DB2. realm.run_kadminl('modprinc +ok_to_auth_as_delegate ' + service1) -output = realm.run_as_server(['./t_s4u', puser, pservice2], expected_code=1) +output = realm.run(['./t_s4u', puser, pservice2], expected_code=1) if 'NOT_ALLOWED_TO_DELEGATE' not in output: fail('s4u2self') 
@@ -70,8 +70,7 @@ if 'NOT_ALLOWED_TO_DELEGATE' not in output: # a krb5 cred, not a SPNEGO cred, and t_s4u uses the delegated cred # directly rather than saving and reacquiring it) so bug #7045 does # not apply and we can verify the error message. -output = realm.run_as_server(['./t_s4u', '--spnego', puser, pservice2], - expected_code=1) +output = realm.run(['./t_s4u', '--spnego', puser, pservice2], expected_code=1) if 'NOT_ALLOWED_TO_DELEGATE' not in output: fail('s4u2self') |
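Review bot: This SPNEGO check fails with `fail('s4u2self')`, the same string used by the first S4U2Self check and by the check after `modprinc +ok_to_auth_as_delegate` in the two preceding hunks, so a failure in the test log cannot be attributed to one of the three. I would use `fail('s4u2self with ok_to_auth_as_delegate (SPNEGO)')` here and `fail('s4u2self with ok_to_auth_as_delegate')` in the `@@ -61,7 +61,7 @@` hunk. These tests assert that delegation is refused (`NOT_ALLOWED_TO_DELEGATE`), so knowing exactly which refusal went missing matters when triaging.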