author | Nalin Dahyabhai <nalin@redhat.com> | 2014-09-05 17:51:35 -0400 |
committer | Nalin Dahyabhai <nalin@redhat.com> | 2014-09-05 18:18:58 -0400 |
commit | 888bc144da94c9bf8d2c35ab38868e748c059de3 (patch) | |
tree | 75f2892ca8e4b049bbdce82ffd200cf66dea81bc /0013-Add-tests-for-MS-KKDCP-client-support.patch | |
parent | f69697ba82697909efed00f34c51901f881e1989 (diff) | |
Add HTTPS patches from master (krb5-1.12.2-6.fc21)
Pull in a stack of patches to add support for accessing servers via
HTTPS proxies, such as python-kdcproxy or the KDC Proxy Service on a
properly-outfitted Windows box. Pull in the patch to move the logic out
of libkrb5 proper and into a loadable plugin to avoid linking our local
applications against our libkrb5 against libssl against the installed
copy of libgssapi_krb5 and our local libkrb5support. Adjust a couple of
other patches to apply correctly after them.
Diffstat (limited to '0013-Add-tests-for-MS-KKDCP-client-support.patch')
-rw-r--r-- | 0013-Add-tests-for-MS-KKDCP-client-support.patch | 259 |
1 files changed, 259 insertions, 0 deletions
diff --git a/0013-Add-tests-for-MS-KKDCP-client-support.patch b/0013-Add-tests-for-MS-KKDCP-client-support.patch
new file mode 100644
index 0000000..fdb6eca
--- /dev/null
+++ b/0013-Add-tests-for-MS-KKDCP-client-support.patch
@@ -0,0 +1,259 @@
+Tweaked context for src/tests/Makefile.in because t_salt.py hadn't yet been
+added as a test in 1.12, and the rdreq and s2p helpers weren't there yet.
+
+From 3e2c7cc557048faac3400ae41b0228bd37a82a4c Mon Sep 17 00:00:00 2001
+From: Nalin Dahyabhai <nalin@dahyabhai.net>
+Date: Fri, 7 Feb 2014 18:56:10 -0500
+Subject: [PATCH 13/13] Add tests for MS-KKDCP client support
+
+Exercise the MS-KKDCP client support using the test proxy server, for
+AS, TGS, and kpasswd requests while also checking the certificate
+verification and name checks.
+
+ticket: 7929
+---
+ src/tests/Makefile.in | 1 +
+ src/tests/t_proxy.py | 219 ++++++++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 220 insertions(+)
+ create mode 100644 src/tests/t_proxy.py
+
+diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
+index 7347ed6..536f5cb 100644
+--- a/src/tests/Makefile.in
++++ b/src/tests/Makefile.in
+@@ -134,6 +134,7 @@ check-pytests:: t_init_creds t_localauth
+ $(RUNPYTEST) $(srcdir)/jsonwalker.py -d $(srcdir)/au_dict.json \
+ -i au.log
+ $(RUNPYTEST) $(srcdir)/t_bogus_kdc_req.py $(PYTESTFLAGS)
++ $(RUNPYTEST) $(srcdir)/t_proxy.py $(PYTESTFLAGS)
+
+ clean::
+ $(RM) gcred hist hrealm kdbtest plugorder responder
+diff --git a/src/tests/t_proxy.py b/src/tests/t_proxy.py
+new file mode 100644
+index 0000000..e4e3d48
+--- /dev/null
++++ b/src/tests/t_proxy.py
+@@ -0,0 +1,219 @@
++#!/usr/bin/python
++from k5test import *
++
++# Skip this test if we're missing proxy functionality or parts of the proxy.
++if runenv.proxy_tls_impl == 'no':
++ success('Warning: not testing proxy support because feature ' +
++ 'was not enabled')
++ exit(0)
++try:
++ from paste import httpserver
++except:
++ success('Warning: not testing proxy support because python ' +
++ 'paste.httpserver module not found')
++ exit(0)
++try:
++ import kdcproxy
++except:
++ success('Warning: not testing proxy support because python ' +
++ 'kdcproxy module not found')
++ exit(0)
++
++# Construct a krb5.conf fragment configuring the client to use a local proxy
++# server.
++proxysubjectpem = os.path.join(srctop, 'tests', 'dejagnu', 'proxy-certs',
++ 'proxy-subject.pem')
++proxysanpem = os.path.join(srctop, 'tests', 'dejagnu', 'proxy-certs',
++ 'proxy-san.pem')
++proxyidealpem = os.path.join(srctop, 'tests', 'dejagnu', 'proxy-certs',
++ 'proxy-ideal.pem')
++proxywrongpem = os.path.join(srctop, 'tests', 'dejagnu', 'proxy-certs',
++ 'proxy-no-match.pem')
++proxybadpem = os.path.join(srctop, 'tests', 'dejagnu', 'proxy-certs',
++ 'proxy-badsig.pem')
++proxyca = os.path.join(srctop, 'tests', 'dejagnu', 'proxy-certs', 'ca.pem')
++proxyurl = 'https://localhost:$port5/KdcProxy'
++proxyurlupcase = 'https://LocalHost:$port5/KdcProxy'
++proxyurl4 = 'https://127.0.0.1:$port5/KdcProxy'
++proxyurl6 = 'https://[::1]:$port5/KdcProxy'
++
++unanchored_krb5_conf = {'realms': {'$realm': {
++ 'kdc': proxyurl,
++ 'kpasswd_server': proxyurl}}}
++anchored_name_krb5_conf = {'realms': {'$realm': {
++ 'kdc': proxyurl,
++ 'kpasswd_server': proxyurl,
++ 'http_anchors': 'FILE:%s' % proxyca}}}
++anchored_upcasename_krb5_conf = {'realms': {'$realm': {
++ 'kdc': proxyurlupcase,
++ 'kpasswd_server': proxyurlupcase,
++ 'http_anchors': 'FILE:%s' % proxyca}}}
++anchored_kadmin_krb5_conf = {'realms': {'$realm': {
++ 'kdc': proxyurl,
++ 'admin_server': proxyurl,
++ 'http_anchors': 'FILE:%s' % proxyca}}}
++anchored_ipv4_krb5_conf = {'realms': {'$realm': {
++ 'kdc': proxyurl4,
++ 'kpasswd_server': proxyurl4,
++ 'http_anchors': 'FILE:%s' % proxyca}}}
++kpasswd_input = (password('user') + '\n' + password('user') + '\n' +
++ password('user') + '\n')
++
++def start_proxy(realm, keycertpem):
++ proxy_conf_path = os.path.join(realm.testdir, 'kdcproxy.conf')
++ proxy_exec_path = os.path.join(srctop, 'util', 'paste-kdcproxy.py')
++ conf = open(proxy_conf_path, 'w')
++ conf.write('[%s]\n' % realm.realm)
++ conf.write('kerberos = kerberos://localhost:%d\n' % realm.portbase)
++ conf.write('kpasswd = kpasswd://localhost:%d\n' % (realm.portbase + 2))
++ conf.close()
++ realm.env['KDCPROXY_CONFIG'] = proxy_conf_path
++ cmd = [proxy_exec_path, str(realm.server_port()), keycertpem]
++ return realm.start_server(cmd, sentinel='proxy server ready')
++
++# Fail: untrusted issuer and hostname doesn't match.
++output("running pass 1: issuer not trusted and hostname doesn't match\n")
++realm = K5Realm(krb5_conf=unanchored_krb5_conf, get_creds=False,
++ create_host=False)
++proxy = start_proxy(realm, proxywrongpem)
++realm.kinit(realm.user_princ, password=password('user'), expected_code=1)
++stop_daemon(proxy)
++realm.stop()
++
++# Fail: untrusted issuer, host name matches subject.
++output("running pass 2: subject matches, issuer not trusted\n")
++realm = K5Realm(krb5_conf=unanchored_krb5_conf, get_creds=False,
++ create_host=False)
++proxy = start_proxy(realm, proxysubjectpem)
++realm.kinit(realm.user_princ, password=password('user'), expected_code=1)
++stop_daemon(proxy)
++realm.stop()
++
++# Fail: untrusted issuer, host name matches subjectAltName.
++output("running pass 3: subjectAltName matches, issuer not trusted\n")
++realm = K5Realm(krb5_conf=unanchored_krb5_conf, get_creds=False,
++ create_host=False)
++proxy = start_proxy(realm, proxysanpem)
++realm.kinit(realm.user_princ, password=password('user'), expected_code=1)
++stop_daemon(proxy)
++realm.stop()
++
++# Fail: untrusted issuer, certificate signature is bad.
++output("running pass 4: subject matches, issuer not trusted\n")
++realm = K5Realm(krb5_conf=unanchored_krb5_conf, get_creds=False,
++ create_host=False)
++proxy = start_proxy(realm, proxybadpem)
++realm.kinit(realm.user_princ, password=password('user'), expected_code=1)
++stop_daemon(proxy)
++realm.stop()
++
++# Fail: trusted issuer but hostname doesn't match.
++output("running pass 5: issuer trusted but hostname doesn't match\n")
++realm = K5Realm(krb5_conf=anchored_name_krb5_conf, get_creds=False,
++ create_host=False)
++proxy = start_proxy(realm, proxywrongpem)
++realm.kinit(realm.user_princ, password=password('user'), expected_code=1)
++stop_daemon(proxy)
++realm.stop()
++
++# Succeed: trusted issuer and host name matches subject.
++output("running pass 6: issuer trusted, subject matches\n")
++realm = K5Realm(krb5_conf=anchored_name_krb5_conf, start_kadmind=True,
++ get_creds=False)
++proxy = start_proxy(realm, proxysubjectpem)
++realm.kinit(realm.user_princ, password=password('user'))
++realm.run([kvno, realm.host_princ])
++realm.run([kpasswd, realm.user_princ], input=kpasswd_input)
++stop_daemon(proxy)
++realm.stop()
++
++# Succeed: trusted issuer and host name matches subjectAltName.
++output("running pass 7: issuer trusted, subjectAltName matches\n")
++realm = K5Realm(krb5_conf=anchored_name_krb5_conf, start_kadmind=True,
++ get_creds=False)
++proxy = start_proxy(realm, proxysanpem)
++realm.kinit(realm.user_princ, password=password('user'))
++realm.run([kvno, realm.host_princ])
++realm.run([kpasswd, realm.user_princ], input=kpasswd_input)
++stop_daemon(proxy)
++realm.stop()
++
++# Fail: certificate signature is bad.
++output("running pass 8: issuer trusted and subjectAltName matches, sig bad\n")
++realm = K5Realm(krb5_conf=anchored_name_krb5_conf,
++ get_creds=False,
++ create_host=False)
++proxy = start_proxy(realm, proxybadpem)
++realm.kinit(realm.user_princ, password=password('user'), expected_code=1)
++stop_daemon(proxy)
++realm.stop()
++
++# Fail: trusted issuer but IP doesn't match.
++output("running pass 9: issuer trusted but no name matches IP\n")
++realm = K5Realm(krb5_conf=anchored_ipv4_krb5_conf, get_creds=False,
++ create_host=False)
++proxy = start_proxy(realm, proxywrongpem)
++realm.kinit(realm.user_princ, password=password('user'), expected_code=1)
++stop_daemon(proxy)
++realm.stop()
++
++# Fail: trusted issuer, but subject does not match.
++output("running pass 10: issuer trusted, but subject does not match IP\n")
++realm = K5Realm(krb5_conf=anchored_ipv4_krb5_conf, get_creds=False,
++ create_host=False)
++proxy = start_proxy(realm, proxysubjectpem)
++realm.kinit(realm.user_princ, password=password('user'), expected_code=1)
++stop_daemon(proxy)
++realm.stop()
++
++# Succeed: trusted issuer and host name matches subjectAltName.
++output("running pass 11: issuer trusted, subjectAltName matches IP\n")
++realm = K5Realm(krb5_conf=anchored_ipv4_krb5_conf, start_kadmind=True,
++ get_creds=False)
++proxy = start_proxy(realm, proxysanpem)
++realm.kinit(realm.user_princ, password=password('user'))
++realm.run([kvno, realm.host_princ])
++realm.run([kpasswd, realm.user_princ], input=kpasswd_input)
++stop_daemon(proxy)
++realm.stop()
++
++# Fail: certificate signature is bad.
++output("running pass 12: issuer trusted, names don't match, signature bad\n")
++realm = K5Realm(krb5_conf=anchored_ipv4_krb5_conf, get_creds=False,
++ create_host=False)
++proxy = start_proxy(realm, proxybadpem)
++realm.kinit(realm.user_princ, password=password('user'), expected_code=1)
++stop_daemon(proxy)
++realm.stop()
++
++# Succeed: trusted issuer and host name matches subject, using kadmin
++# configuration to find kpasswdd.
++output("running pass 13: issuer trusted, subject matches\n")
++realm = K5Realm(krb5_conf=anchored_kadmin_krb5_conf, start_kadmind=True,
++ get_creds=False, create_host=False)
++proxy = start_proxy(realm, proxysubjectpem)
++realm.run([kpasswd, realm.user_princ], input=kpasswd_input)
++stop_daemon(proxy)
++realm.stop()
++
++# Succeed: trusted issuer and host name matches subjectAltName, using
++# kadmin configuration to find kpasswdd.
++output("running pass 14: issuer trusted, subjectAltName matches\n")
++realm = K5Realm(krb5_conf=anchored_kadmin_krb5_conf, start_kadmind=True,
++ get_creds=False, create_host=False)
++proxy = start_proxy(realm, proxysanpem)
++realm.run([kpasswd, realm.user_princ], input=kpasswd_input)
++stop_daemon(proxy)
++realm.stop()
++
++# Succeed: trusted issuer and host name matches subjectAltName (give or take
++# case).
++output("running pass 15: issuer trusted, subjectAltName case-insensitive\n")
++realm = K5Realm(krb5_conf=anchored_upcasename_krb5_conf, start_kadmind=True,
++ get_creds=False, create_host=False)
++proxy = start_proxy(realm, proxysanpem)
++realm.run([kpasswd, realm.user_princ], input=kpasswd_input)
++stop_daemon(proxy)
++realm.stop()
++
++success('MS-KKDCP proxy')
+--
+2.1.0
+ |
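Review bot: The two import guards in the embedded src/tests/t_proxy.py use bare `except:`, which also swallows SystemExit and KeyboardInterrupt and reports any failure raised while importing paste or kdcproxy as "module not found"; `except ImportError:` is the condition the message actually describes. The `output()` label for pass 4 says `subject matches, issuer not trusted` while the comment above it and the proxybadpem certificate describe a bad signature, so `output("running pass 4: issuer not trusted, signature bad\n")` would match the case being run. In `start_proxy` the kdcproxy.conf handle is opened and closed by hand; `with open(proxy_conf_path, 'w') as conf:` closes it on an exception as well. `proxyidealpem` and `proxyurl6` are assigned but never referenced by any pass, so either an IPv6 pass is missing or those two assignments can be dropped.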