| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| |
|
|
|
|
|
|
| |
Create a test module, program, and script to exercise the
krb5_aname_to_localname and krb5_k5userok functions as well as the
localauth pluggable interface.
ticket: 7583
|
| |
|
|
|
|
|
|
|
| |
Use $(COMMON_DEPS) instead of $(COMMON_DEPLIBS) for dependencies; the
latter appears to be a typo. Fixes build when using "make -j".
ticket: 7587 (new)
target_version: 1.11.2
tags: pullup
|
| |
|
|
| |
ticket: 7585
|
| |
|
|
|
|
| |
Create a K5Realm.kprop_port method so test scripts can invoke kprop
usefully, and create a simple Python test script exercising the same
kprop functionality as the dejagnu suite's kprop.exp.
|
| |
|
|
|
|
|
|
| |
Move the existing dump/load tests from t_general.py to a new script
t_dump.py. Add additional tests using pre-created dumpfiles, to
exercise the -r18, -r13, -b7, and -ov formats.
bigredbutton: whitespace
|
| |
|
|
|
|
|
|
|
|
| |
krb5_ldap_open and krb5_ldap_create contain two large, almost
identical blocks of DB option processing code. Factor it out into a
new function krb5_ldap_parse_db_params in ldap_misc.c, and simplify
the factored-out code. Create a helper function to add server entries
and use it to simplify krb5_ldap_read_server_params as well as DB
option parsing. Since the new DB option helper uses isspace instead
of isblank, we no longer require portability goop for isblank.
|
| |
|
|
|
|
|
|
| |
Since iprop cannot carry policy changes, force a full resync to happen
each time a policy change occurs. Based on a patch from
Richard Basch <basch@alum.mit.edu>.
ticket: 7522
|
| |
|
|
|
|
|
| |
In k5test.py, allow run_kadminl to take an environment argument. In
t_iprop.py, perform some queries on the slaves after each propagation
to spot-check that it got modifications from master. Use a helper
function to check serial numbers for conciseness.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If the master iprop log is reinitialized to serial number 0, slaves
will need to take a full dump--but after that happens, we need to know
whether the slave has taken that full dump, we we don't offering full
dumps indefinitely.
So, record a timestamp in kdb_last_time when we reinitialize the log
header, and compare the slave timestamp to kdb_last_time whenever it
has the current serial number, even if it's 0. Test this by
performing a propagation with sno 0 in t_iprop.py and detecting
whether kpropd gets a second UPDATE_FULL_RESYNC_NEEDED response from
kadmind.
ticket: 7550 (new)
|
| |
|
|
|
|
| |
host_based_services and no_host_referral are allowed to have multiple
relations in each place they appear, so alter a couple of the test
cases to exercise that.
|
| | |
|
| |
|
|
|
|
|
| |
Test the KDC host-based referral support in t_referral.py, using a new
harness to call krb5_get_credentials with a specified server name
type. Also use this new harness for the #7483 regression test, to
avoid relying on an undocumented kvno extension.
|
| |
|
|
|
| |
Mostly this gets rid of the trailing space on line 2 after
bb76891f5386526bdf91bc790c614fc9296cb5fa.
|
| |
|
|
|
|
| |
Add tests to t_policy.py for password quality enforcement, password
history (apart from the existing #7099 regression test), and for
references to nonexistent policies.
|
| |
|
|
|
| |
Create a combined script for policy-related tests, and fold in the
existing lockout, password history, and allowed-keysalts tests.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Stop using and maintaining the policy_refcnt field, and do not try to
prevent deletion of a policy which is still referenced by principals.
Instead, allow principals to refer to policy names which do not exist
as policy objects; treat those principals as having no associated
policy.
In the kadmin client, warn if addprinc or modprinc tries to reference
a policy which doesn't exist, since the server will no longer error
out in this case.
ticket: 7385
|
| |
|
|
|
| |
KRB5_CONF_ prefix should be used for the krb5/kdc.conf parameters.
Use KRB5_CC_CONF_ prefix for cache configuration variables.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Neither function correctly handled OIDs whose second arc exceeds 47
(theoretically possible if the first arc is 2). gss_str_to_oid had
additional problems: it used scanf, it didn't consistently protect
against read overrun if the input buffer wasn't null-terminated, and
it could get confused by + or - characters in the first two arcs. Fix
gss_oid_to_str and rewrite gss_str_to_oid.
Also add a test program.
ticket: 7524 (new)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The initial k5test.py design, copied from the dejagnu suite, is to
create config files and environments for four expected roles: client,
server, master, and slave. This approach exaggerates the complexity
of the common case, where the configurations don't need to vary, and
limits us to having just one slave for kprop/iprop tests.
Instead, create just one configuration by default, and add a
special_env() method which sets up a differently configured
environment for the few test cases which need one. The run_as_*()
methods are collapsed into just run(), which accepts an optional
argument for the environment returned by special_env().
|
| |
|
|
|
|
|
| |
Since there is no overlap between the clpreauth and kdcpreauth
interface declarations, there's no particular reason to combine them
into one header. For backward compatibility and convenience, leave
behind a preauth_plugin.h which includes both.
|
| |
|
|
|
|
|
|
|
|
| |
A host referral to the same realm we just looked up the principal in
is useless at best and confusing to the client at worst. Don't
respond with one in the KDC.
ticket: 7483
target_version: 1.11
tags: pullup
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Modify ldap_filter_correct() to quote special characters for DN
strings as well as filters, since it is already used to quote a DN
string in krb5_ldap_name_to_policydn() and there's no harm in
over-quoting. In krb5_ldap_put_principal(), quote the unparsed
principal name for use in DNs we choose. In
krb5_ldap_create_password_policy(), use the policy name for the CN of
the policy entry instead of the (possibly quoted) first element of the
DN.
Adapted from a patch by Jim Shi <hanmao_shi@apple.com>.
ticket: 7296
|
| |
|
|
|
|
|
|
|
| |
We must check that 'kinit -t keytab' and 'kinit -i' successfully
produce tickets, and have the specified warning output.
ticket: 7218
tags: pullup
target_version: 1.11
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add new tests kdbtest.c and t_kdb.py. Together these exercise most of
the code in the LDAP back end. kdbtest is also run against the DB2
module, which is mostly redundant with other tests, but does exercise
the lockout logic a little more thoroughly than t_lockout.py can.
To test the LDAP back end, we look for slapd and ldapadd binaries in
the path. The system slapd is sometimes constrained by AppArmor or
the like, which we can typically work around by making a copy of the
binary. slapd detaches before listening on its server socket (this
got better in 2.4.27 but still isn't perfect), so we unfortunately
have to use a one-second sleep in the slapd setup.
|
| | |
|
| |
|
|
|
|
|
| |
We generate man pages from RST sources now; they are checked into
the tree in src/man/.
The gen-manpages directory is no longer needed.
|
| | |
|
| |
|
|
|
|
|
|
|
| |
The message "Got incremental updates from the master" precedes
actually replaying the updates on the slave. Instead look for
"Incremental updates:" (the statistics message), which happens just
after the updates are replayed.
Also, we don't need to import time now that we're not sleeping.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
After we start kpropd, read about the initial full dump before making
changes on the master. Avoid prodding kpropd for this read (by
shifting responsibility for the initial prod to the caller) since
kpropd doesn't sleep before its first request.
When waiting for sync, note whether we got a full propagation and
match that up with our expectations.
Use a long polling interval so kpropd doesn't wake up on its own and
confuse the test script with an extra incremental update.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Catch SIGUSR1 in iprop-mode kpropd so that we can use it to interrupt
sleeps and make kpropd do an iprop request immediately.
In k5test.py, add prod_kpropd and read_from_kpropd methods to allow
test scripts to send a SIGUSR1 to kpropd and to read its stdout/stderr
output; also allow the test script to specify additional arguments
when starting kpropd.
In t_iprop.py, start kpropd with -d and, instead of sleeping, read
kpropd output until we see an indication that kpropd is in sync with
the master. To avoid delays, prod kpropd before waiting for sync and
after a completed full prop.
|
| |
|
|
|
|
|
|
|
| |
Fix kpropd -S -t to actually exit after processing one connection (it
was breaking out of the switch statement, not the while loop). Use
the -t when invoking kpropd from the dejagnu test framework;
previously it was unnecessary because kpropd -S -d exited after one
connection. Clear up some confusion in the kprop.exp comments about
whether kpropd is expected to exit.
|
| |
|
|
|
|
|
|
|
|
| |
The Camellia enctypes and cksumtypes have received IANA assignments.
Add #defines using those assignments to krb5.h, remove the CAMELLIA
conditional, and enable testing code as appropriate.
The Camellia draft has not received an RFC number yet, so there is no
Doxygen markup for the enctype and cksumtype #defines. That can be
added once the RFC number is known.
|
| |
|
|
|
|
|
| |
Both the Python and dejagnu iprop tests are slow since they use sleeps
to give kpropd time to do its work (although we can fix this with some
work). Since the Python tests cover the same ground as the dejagnu
tests, we don't need both.
|
| |
|
|
| |
ticket: 7374
|
| |
|
|
|
|
|
| |
Unlike most GSS test programs, t_s4u2proxy_krb5 uses a cleanup
handler, so we have to be careful to initialize everything we clean
up--particularly service2_name, which is initialized after a possible
goto. Also, remember to release acceptor_name.
|
| |
|
|
|
|
|
|
|
| |
If the verifier cred handle is of type GSS_C_BOTH, we need to resolve
the initiator part of it in order to create a s4u2proxy delegated
credential handle. (If it's of type GSS_C_ACCEPT, kg_resolve_cred
won't do anything beyond locking and validating the credential.)
ticket: 7356
|
| | |
|
| |
|
|
|
|
| |
Declarations of gss_OID_desc mech_krb5, etc. in tests/gssapi/common.h
can result in multiple definitions when the test programs are linked.
Prefix the declarations with "extern" to prevent this.
|
| |
|
|
|
|
|
|
| |
Factor out some common functions used by multiple test programs. Use
a common argument format for importing names (p:princname,
h:hostbasedname, or u:username) and adjust the Python tests to match
it. Use more consistent conventions in test programs and fix some
coding style issues. Normalize how the test programs are built.
|
| |
|
|
|
|
| |
Test the fix for https://bugzilla.redhat.com/show_bug.cgi?id=586032 .
Also test that krb5kdc can return svc unavailable
|
| |
|
|
| |
ticket: 7354
|
| |
|
|
|
|
|
|
|
| |
For the test-vectors target in tests/asn.1, add ASN.1 modules from RFC
4556 and draft-ietf-krb-wg-pkinit-alg-agility-06.txt, and output test
encodings for PrincipalName, KRB5PrincipalName, OtherInfo, and
PkinitSuppPubInfo. In the alg-agility module, AuthPack and DHRepInfo
are renamed, as asn1c otherwise rejects them as conflicting with the
RFC 4556 definitions.
|
| | |
|
| |
|
|
|
| |
Fix minor typos in lib/krb5/krb/Makefile.in and
tests/gssapi/Makefile.in so that "make depend" will work.
|
| |
|
|
|
|
|
| |
Add encoders and decoders for the OTP-TOKENINFO, PA-OTP-CHALLENGE,
PA-OTP-REQUEST, and PA-OTP-ENC-REQUEST types from RFC 6560. For more
thorough testing, add support for generating test encodings using
asn1c for sample objects (currently only for the OTP types).
|
| |
|
|
|
|
| |
gcc warnings that nametype may be used uninitialized, presumably
failing to deduce that usage() never returns. Initialize nametype to
make it build.
|
| |
|
|
|
| |
Exercise gss_export_name and importing of exported name tokens in
t_gssapi.py.
|
| | |
|
| |
|
|
|
|
|
|
|
| |
Now that we're doing a kind of deferred credential acquisition for
krb5, the behavior of gss_inquire_cred is a bit more subtle because
(per RFC 2743 section 2.1.4) we have to choose a credential cache or
acceptor name sooner than we would otherwise do so. Add a C program
to invoke gss_acquire_cred/gss_inquire_cred and some Python tests
using it.
|
