authorNicolas Williams <nico@cryptonector.com>2012-07-18 16:27:35 -0500
committerGreg Hudson <ghudson@mit.edu>2012-07-30 19:11:28 -0400
commit5829ca2b348974e52a67b553afc7f7491007c33a (patch)
tree3fdbcdfc56a26445c2f2fce9fb72b6deddb28d0f /src/tests
parent796366a03ea170efb937913acae36a2083a5329e (diff)
Policy extensions + new policy: allowed ks types
This simply adds KADM5_API_VERSION_4 and various fields to the policy structures: - attributes (policy-ish principal attributes) - max_life (max ticket life) - max_renewable_life (max ticket renewable life) - allowed_keysalts (allowed key/salt types) - TL data (future policy extensions) Of these only allowed_keysalts is currently implemented. Some refactoring of TL data handling is also done. ticket: 7223 (new)
Diffstat (limited to 'src/tests')
-rw-r--r--src/tests/Makefile.in1
-rw-r--r--src/tests/hist.c2
-rw-r--r--src/tests/t_allowed_keysalts.py93
-rwxr-xr-xsrc/tests/t_general.py16
4 files changed, 111 insertions, 1 deletions
diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
index 210bd8d7c..39a047ec1 100644
--- a/src/tests/Makefile.in
+++ b/src/tests/Makefile.in
@@ -69,6 +69,7 @@ check-pytests:: hist
$(RUNPYTEST) $(srcdir)/t_lockout.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_kadm5_hook.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_keyrollover.py $(PYTESTFLAGS)
+ $(RUNPYTEST) $(srcdir)/t_allowed_keysalts.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_renew.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_renprinc.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_ccache.py $(PYTESTFLAGS)
diff --git a/src/tests/hist.c b/src/tests/hist.c
index c0b2b978c..3d9e29e36 100644
--- a/src/tests/hist.c
+++ b/src/tests/hist.c
@@ -72,7 +72,7 @@ main(int argc, char **argv)
params.mask |= KADM5_CONFIG_REALM;
params.realm = realm;
check(kadm5_init(ctx, "user", "", "", &params, KADM5_STRUCT_VERSION,
- KADM5_API_VERSION_3, NULL, &handle));
+ KADM5_API_VERSION_4, NULL, &handle));
if (strcmp(argv[1], "make") == 0) {
memset(&kent, 0, sizeof(kent));
kent.principal = hprinc;
diff --git a/src/tests/t_allowed_keysalts.py b/src/tests/t_allowed_keysalts.py
new file mode 100644
index 000000000..8c763358a
--- /dev/null
+++ b/src/tests/t_allowed_keysalts.py
@@ -0,0 +1,93 @@
+#!/usr/bin/python
+from k5test import *
+import re
+
+krb5_conf1 = {'all': {'libdefaults': {
+ 'supported_enctypes': 'aes256-cts'}}}
+
+realm = K5Realm(krb5_conf=krb5_conf1, create_host=False, get_creds=False)
+
+# Add policy.
+realm.run_kadminl('addpol -allowedkeysalts aes256-cts:normal ak')
+realm.run_kadminl('addprinc -randkey -e aes256-cts:normal server')
+
+# Test with one-enctype allowed_keysalts.
+realm.run_kadminl('modprinc -policy ak server')
+realm.run_kadminl('getprinc server')
+output = realm.run_kadminl('cpw -randkey -e aes128-cts:normal server')
+if not 'Invalid key/salt tuples' in output:
+ fail('allowed_keysalts policy not applied properly')
+realm.run_kadminl('getprinc server')
+output = realm.run_kadminl('cpw -randkey -e aes256-cts:normal server')
+if 'Invalid key/salt tuples' in output:
+ fail('allowed_keysalts policy not applied properly')
+realm.run_kadminl('getprinc server')
+
+# Now test a multi-enctype allowed_keysalts. Test that subsets are allowed,
+# the the complete set is allowed, that order doesn't matter, and that
+# enctypes outside the set are not allowed.
+
+# Test modpol.
+realm.run_kadminl('modpol -allowedkeysalts '
+ 'aes256-cts:normal,rc4-hmac:normal ak')
+output = realm.run_kadminl('getpol ak')
+if not 'Allowed key/salt types: aes256-cts:normal,rc4-hmac:normal' in output:
+ fail('getpol does not implement allowedkeysalts?')
+
+# Test one subset.
+output = realm.run_kadminl('cpw -randkey -e rc4-hmac:normal server')
+if 'Invalid key/salt tuples' in output:
+ fail('allowed_keysalts policy not applied properly')
+realm.run_kadminl('getprinc server')
+
+# Test another subset.
+output = realm.run_kadminl('cpw -randkey -e aes256-cts:normal server')
+if 'Invalid key/salt tuples' in output:
+ fail('allowed_keysalts policy not applied properly')
+realm.run_kadminl('getprinc server')
+output = realm.run_kadminl('cpw -randkey -e '
+ 'rc4-hmac:normal,aes256-cts:normal server')
+if 'Invalid key/salt tuples' in output:
+ fail('allowed_keysalts policy not applied properly')
+realm.run_kadminl('getprinc server')
+
+# Test full set.
+output = realm.run_kadminl('cpw -randkey -e aes256-cts:normal,rc4-hmac:normal '
+ 'server')
+if 'Invalid key/salt tuples' in output:
+ fail('allowed_keysalts policy not applied properly')
+realm.run_kadminl('getprinc server')
+output = realm.run_kadminl('cpw -randkey -e rc4-hmac:normal,aes128-cts:normal '
+ 'server')
+if not 'Invalid key/salt tuples' in output:
+ fail('allowed_keysalts policy not applied properly')
+realm.run_kadminl('getprinc server')
+output = realm.run_kadminl('getprinc -terse server')
+if not '2\t1\t6\t18\t0\t1\t6\t23\t0' in output:
+ fail('allowed_keysalts policy did not preserve order')
+
+# Test full set in opposite order.
+output = realm.run_kadminl('cpw -randkey -e rc4-hmac:normal,aes256-cts:normal,'
+ 'aes128-cts:normal server')
+if not 'Invalid key/salt tuples' in output:
+ fail('allowed_keysalts policy not applied properly')
+
+# Check that the order we got is the one from the policy.
+realm.run_kadminl('getprinc server')
+output = realm.run_kadminl('getprinc -terse server')
+if not '2\t1\t6\t18\t0\t1\t6\t23\t0' in output:
+ fail('allowed_keysalts policy did not preserve order')
+
+# Test reset of allowedkeysalts.
+realm.run_kadminl('modpol -allowedkeysalts - ak')
+output = realm.run_kadminl('getpol ak')
+if 'Allowed key/salt types' in output:
+ fail('failed to clear allowedkeysalts')
+output = realm.run_kadminl('cpw -randkey -e aes128-cts:normal server')
+if 'Invalid key/salt tuples' in output:
+ fail('key change rejected that should have been permitted')
+realm.run_kadminl('getprinc server')
+
+realm.stop()
+
+success('allowed_keysalts')
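Review bot: The comment `# Test full set in opposite order.` does not match the command under it: that cpw request also names aes128-cts:normal, which the policy does not allow, so it is rejected for the extra enctype rather than exercising order, and the `getprinc -terse` assertion that follows only re-reads the keys left by the earlier successful cpw and so repeats the check made a few lines above. The real opposite-order full-set case is the `rc4-hmac:normal,aes256-cts:normal` request currently labelled `# Test another subset.`; relabel that one `# Test full set in opposite order.`, move the terse order assertion directly after it (where a key order of 18 then 23 presumably shows the policy order rather than the request order is kept — confirm the terse column layout before relying on the literal), and fix `the the complete set` in the section comment. The literal `'2\t1\t6\t18\t0\t1\t6\t23\t0'` also deserves a comment naming what it encodes, e.g. `# two keys: enctype 18 (aes256-cts) then 23 (rc4-hmac), i.e. policy order`. Minor style: `import re` is unused, and the `if not 'x' in output:` tests read better as `if 'x' not in output:`, the form t_general.py already uses.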
diff --git a/src/tests/t_general.py b/src/tests/t_general.py
index 2b04b8eae..77246d52f 100755
--- a/src/tests/t_general.py
+++ b/src/tests/t_general.py
@@ -28,10 +28,26 @@ realm = K5Realm(create_host=False)
realm.run_kadminl('addpol fred')
dumpfile = os.path.join(realm.testdir, 'dump')
realm.run_as_master([kdb5_util, 'dump', dumpfile])
+f = open('testdir/dump', 'a')
+f.write('policy barney 0 0 1 1 1 0 '
+ '0 0 0 0 0 0 - 1 '
+ '2 28 '
+ 'fd100f5064625f6372656174696f6e404b5242544553542e434f4d00')
+f.close()
+realm.run_as_master([kdb5_util, 'load', dumpfile])
+output = realm.run_kadminl('getpols')
+if 'fred\n' not in output:
+ fail('Policy not preserved across dump/load.')
+if 'barney\n' not in output:
+ fail('Policy not loaded.')
+
+realm.run_as_master([kdb5_util, 'dump', dumpfile])
realm.run_as_master([kdb5_util, 'load', dumpfile])
output = realm.run_kadminl('getpols')
if 'fred\n' not in output:
fail('Policy not preserved across dump/load.')
+if 'barney\n' not in output:
+ fail('Policy not preserved across dump/load.')
# Spot-check KRB5_TRACE output
tracefile = os.path.join(realm.testdir, 'trace')