Add clock skew tests

Add a KDC option (-T) to run with a time offset, and use that to
test kdc_timesync behavior.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25807 dc483132-0cff-0310-8789-dd5450dbe970

3 files changed, 46 insertions, 1 deletions

diff --git a/src/kdc/main.c b/src/kdc/main.c
index c2c3e4e0e..5b31bd3cd 100644
--- a/src/kdc/main.c
+++ b/src/kdc/main.c
@@ -86,6 +86,7 @@ static void finish_realms (void);
 
 static int nofork = 0;
 static int workers = 0;
+static int time_offset = 0;
 static const char *pid_file = NULL;
 static int rkey_init_done = 0;
 static volatile int signal_received = 0;
@@ -293,6 +294,8 @@ init_realm(kdc_realm_t *rdp, char *realm, char *def_mpname,
         kdc_err(NULL, kret, _("while getting context for realm %s"), realm);
         goto whoops;
     }
+    if (time_offset != 0)
+        (void)krb5_set_time_offsets(rdp->realm_context, time_offset, 0);
 
     kret = krb5_read_realm_params(rdp->realm_context, rdp->realm_name,
                                   &rparams);
@@ -733,7 +736,7 @@ initialize_realms(krb5_context kcontext, int argc, char **argv)
      * Loop through the option list.  Each time we encounter a realm name,
      * use the previously scanned options to fill in for defaults.
      */
-    while ((c = getopt(argc, argv, "x:r:d:mM:k:R:e:P:p:s:nw:4:X3")) != -1) {
+    while ((c = getopt(argc, argv, "x:r:d:mM:k:R:e:P:p:s:nw:4:T:X3")) != -1) {
         switch(c) {
         case 'x':
             db_args_size++;
@@ -845,6 +848,9 @@ initialize_realms(krb5_context kcontext, int argc, char **argv)
             default_tcp_ports = strdup(optarg);
 #endif
             break;
+        case 'T':
+            time_offset = atoi(optarg);
+            break;
         case '4':
             break;
         case 'X':
diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
index b5bcdf01c..47ca131ec 100644
--- a/src/tests/Makefile.in
+++ b/src/tests/Makefile.in
@@ -71,6 +71,7 @@ check-pytests::
 	$(RUNPYTEST) $(srcdir)/t_cccol.py $(PYTESTFLAGS)
 	$(RUNPYTEST) $(srcdir)/t_stringattr.py $(PYTESTFLAGS)
 	$(RUNPYTEST) $(srcdir)/t_crossrealm.py $(PYTESTFLAGS)
+	$(RUNPYTEST) $(srcdir)/t_skew.py $(PYTESTFLAGS)
 #	$(RUNPYTEST) $(srcdir)/kdc_realm/kdcref.py $(PYTESTFLAGS)
 
 clean::
diff --git a/src/tests/t_skew.py b/src/tests/t_skew.py
new file mode 100644
index 000000000..f00c2f920
--- /dev/null
+++ b/src/tests/t_skew.py
@@ -0,0 +1,38 @@
+#!/usr/bin/python
+from k5test import *
+
+# Create a realm with the KDC one hour in the past.
+realm = K5Realm(start_kadmind=False, start_kdc=False)
+realm.start_kdc(['-T', '-3600'])
+
+# kinit (no preauth) should work, and should set a clock skew allowing
+# kvno to work, with or without FAST.
+realm.kinit(realm.user_princ, password('user'))
+realm.run_as_client([kvno, realm.host_princ])
+realm.kinit(realm.user_princ, password('user'), flags=['-T', realm.ccache])
+realm.run_as_client([kvno, realm.host_princ])
+realm.run_as_client([kdestroy])
+
+# kinit (with preauth) should fail.
+realm.run_kadminl('modprinc +requires_preauth user')
+realm.kinit(realm.user_princ, password('user'), expected_code=1)
+
+realm.stop()
+
+# Repeat the above tests with kdc_timesync disabled.
+conf = {'all': {'libdefaults': {'kdc_timesync': '0'}}}
+realm = K5Realm(start_kadmind=False, start_kdc=False, krb5_conf=conf)
+realm.start_kdc(['-T', '-3600'])
+
+# kinit (no preauth) should work, but kvno should not.  kinit with
+# FAST should also fail since the armor AP-REQ won't be valid.
+realm.kinit(realm.user_princ, password('user'))
+realm.run_as_client([kvno, realm.host_princ], expected_code=1)
+realm.kinit(realm.user_princ, password('user'), flags=['-T', realm.ccache],
+            expected_code=1)
+
+# kinit (with preauth) should fail.
+realm.run_kadminl('modprinc +requires_preauth user')
+realm.kinit(realm.user_princ, password('user'), expected_code=1)
+
+success('Clock skew tests')