Diffstat (limited to 'src/tests/t_allowed_keysalts.py')
-rw-r--r-- | src/tests/t_allowed_keysalts.py | 93 |
1 files changed, 93 insertions, 0 deletions
diff --git a/src/tests/t_allowed_keysalts.py b/src/tests/t_allowed_keysalts.py
new file mode 100644
index 000000000..8c763358a
--- /dev/null
+++ b/src/tests/t_allowed_keysalts.py
@@ -0,0 +1,93 @@
+#!/usr/bin/python
+from k5test import *
+import re
+
+krb5_conf1 = {'all': {'libdefaults': {
+ 'supported_enctypes': 'aes256-cts'}}}
+
+realm = K5Realm(krb5_conf=krb5_conf1, create_host=False, get_creds=False)
+
+# Add policy.
+realm.run_kadminl('addpol -allowedkeysalts aes256-cts:normal ak')
+realm.run_kadminl('addprinc -randkey -e aes256-cts:normal server')
+
+# Test with one-enctype allowed_keysalts.
+realm.run_kadminl('modprinc -policy ak server')
+realm.run_kadminl('getprinc server')
+output = realm.run_kadminl('cpw -randkey -e aes128-cts:normal server')
+if not 'Invalid key/salt tuples' in output:
+ fail('allowed_keysalts policy not applied properly')
+realm.run_kadminl('getprinc server')
+output = realm.run_kadminl('cpw -randkey -e aes256-cts:normal server')
+if 'Invalid key/salt tuples' in output:
+ fail('allowed_keysalts policy not applied properly')
+realm.run_kadminl('getprinc server')
+
+# Now test a multi-enctype allowed_keysalts. Test that subsets are allowed,
+# the the complete set is allowed, that order doesn't matter, and that
+# enctypes outside the set are not allowed.
+
+# Test modpol.
+realm.run_kadminl('modpol -allowedkeysalts ' + 'aes256-cts:normal,rc4-hmac:normal ak')
+output = realm.run_kadminl('getpol ak')
+if not 'Allowed key/salt types: aes256-cts:normal,rc4-hmac:normal' in output:
+ fail('getpol does not implement allowedkeysalts?')
+
+# Test one subset.
+output = realm.run_kadminl('cpw -randkey -e rc4-hmac:normal server')
+if 'Invalid key/salt tuples' in output:
+ fail('allowed_keysalts policy not applied properly')
+realm.run_kadminl('getprinc server')
+
+# Test another subset.
+output = realm.run_kadminl('cpw -randkey -e aes256-cts:normal server')
+if 'Invalid key/salt tuples' in output:
+ fail('allowed_keysalts policy not applied properly')
+realm.run_kadminl('getprinc server')
+output = realm.run_kadminl('cpw -randkey -e ' + 'rc4-hmac:normal,aes256-cts:normal server')
+if 'Invalid key/salt tuples' in output:
+ fail('allowed_keysalts policy not applied properly')
+realm.run_kadminl('getprinc server')
+
+# Test full set.
+output = realm.run_kadminl('cpw -randkey -e aes256-cts:normal,rc4-hmac:normal ' + 'server')
+if 'Invalid key/salt tuples' in output:
+ fail('allowed_keysalts policy not applied properly')
+realm.run_kadminl('getprinc server')
+output = realm.run_kadminl('cpw -randkey -e rc4-hmac:normal,aes128-cts:normal ' + 'server')
+if not 'Invalid key/salt tuples' in output:
+ fail('allowed_keysalts policy not applied properly')
+realm.run_kadminl('getprinc server')
+output = realm.run_kadminl('getprinc -terse server')
+if not '2\t1\t6\t18\t0\t1\t6\t23\t0' in output:
+ fail('allowed_keysalts policy did not preserve order')
+
+# Test full set in opposite order.
+output = realm.run_kadminl('cpw -randkey -e rc4-hmac:normal,aes256-cts:normal,' + 'aes128-cts:normal server')
+if not 'Invalid key/salt tuples' in output:
+ fail('allowed_keysalts policy not applied properly')
+
+# Check that the order we got is the one from the policy.
+realm.run_kadminl('getprinc server')
+output = realm.run_kadminl('getprinc -terse server')
+if not '2\t1\t6\t18\t0\t1\t6\t23\t0' in output:
+ fail('allowed_keysalts policy did not preserve order')
+
+# Test reset of allowedkeysalts.
+realm.run_kadminl('modpol -allowedkeysalts - ak')
+output = realm.run_kadminl('getpol ak')
+if 'Allowed key/salt types' in output:
+ fail('failed to clear allowedkeysalts')
+output = realm.run_kadminl('cpw -randkey -e aes128-cts:normal server')
+if 'Invalid key/salt tuples' in output:
+ fail('key change rejected that should have been permitted')
+realm.run_kadminl('getprinc server')
+
+realm.stop()
+
+success('allowed_keysalts') |
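Review bot: Both `getprinc -terse` checks that fail with "did not preserve order" cannot actually detect the defect they name: in each case the last successful `cpw` was `-e aes256-cts:normal,rc4-hmac:normal`, which lists the enctypes in the same order as the policy, so the expected `18 … 23` sequence (presumably the aes256-cts and rc4-hmac enctype numbers) is satisfied whether the server kept the policy order or the request order; the "opposite order" `cpw` that follows is rejected outright because it includes aes128-cts, so it never changes the keys. The one call that would distinguish the two orders is the earlier `cpw -randkey -e rc4-hmac:normal,aes256-cts:normal server`, so the terse check belongs right after it: `output = realm.run_kadminl('getprinc -terse server')` / `if '2\t1\t6\t18\t0\t1\t6\t23\t0' not in output:` / `fail('allowed_keysalts policy did not preserve order')`, and the "Test full set in opposite order" heading should say it exercises an out-of-set enctype. Separately, `import re` is unused, the many bare `realm.run_kadminl('getprinc server')` calls whose output is discarded look like leftover debugging, and the `if not X in output` tests read better as `if X not in output`. The comment "the the complete set" has a doubled word.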