# Copyright (C) 2010 by the Massachusetts Institute of Technology.
# All rights reserved.
#
# Export of this software from the United States of America may
# require a specific license from the United States Government.
# It is the responsibility of any person or organization contemplating
# export to obtain such a license before exporting.
#
# WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
# distribute this software and its documentation for any purpose and
# without fee is hereby granted, provided that the above copyright
# notice appear in all copies and that both that copyright notice and
# this permission notice appear in supporting documentation, and that
# the name of M.I.T. not be used in advertising or publicity pertaining
# to distribution of the software without specific, written prior
# permission. Furthermore if you modify this software you must label
# your software as modified software and not distribute it in such a
# fashion that it might be confused with the original M.I.T. software.
# M.I.T. makes no representations about the suitability of
# this software for any purpose. It is provided "as is" without express
# or implied warranty.

from k5test import *

# Paths of the GSS sample programs inside the build tree; both live in
# the same appl/gss-sample directory under buildtop.
appdir = os.path.join(buildtop, 'appl', 'gss-sample')
gss_client, gss_server = (os.path.join(appdir, prog)
                          for prog in ('gss-client', 'gss-server'))

# Run a gss-server process and a gss-client process, with additional
# gss-client flags given by options and additional gss-server flags
# given by server_options.  Extra keyword arguments are forwarded to
# realm.run().  Note: as written the function has no return statement,
# so the gss-client output is not handed back to the caller.
def run_client_server(realm, options, server_options, **kwargs):
    # Start gss-server on the realm's server port, run gss-client
    # against it, and (unless the caller expects the client to fail)
    # confirm from the server's own output that it accepted the
    # connection and received the test message.  Keyword arguments
    # are passed through unchanged to realm.run().
    port = str(realm.server_port())
    server_cmd = ([gss_server, '-export', '-port', port] +
                  server_options + ['host'])
    # NOTE(review): 'starting...' is presumably the server output that
    # start_server waits for before returning -- confirm in k5test.
    daemon = realm.start_server(server_cmd, 'starting...')

    client_cmd = ([gss_client, '-port', port] + options +
                  [hostname, 'host', 'testmsg'])
    realm.run(client_cmd, **kwargs)

    # The server-side lines are only checked when no expected_code was
    # given, i.e. when the exchange is supposed to succeed.
    if 'expected_code' not in kwargs:
        # Both lines must appear, in either order: one naming the
        # authenticated client principal, one echoing the message.
        awaited = {'Accepted connection: "user@KRBTEST.COM"\n',
                   'Received message: "testmsg"\n'}
        while awaited:
            # NOTE(review): no timeout is visible here; a server that
            # hangs with stdout still open would stall this loop.
            line = daemon.stdout.readline()
            if line == '':
                # Empty read means end of the server's output stream.
                fail('gss-server process exited unexpectedly')
            awaited.discard(line)

    stop_daemon(daemon)

# Run a gss-server and gss-client process, and verify that gss-client
# displayed the expected output for a successful negotiation.
def server_client_test(realm, options, server_options):
    success_text = 'Signature verified.'
    run_client_server(realm, options, server_options,
                      expected_msg=success_text)

# Make up a filename to hold user's initial credentials.
def ccache_savefile(realm):
    save_name = 'ccache.copy'
    return os.path.join(realm.testdir, save_name)

# Move user's initial credentials into the save file.  After this call
# nothing is left at realm.ccache until ccache_restore() is used.
def ccache_save(realm):
    saved_path = ccache_savefile(realm)
    os.rename(realm.ccache, saved_path)

# Copy user's initial credentials from the save file into the ccache.
# The save file itself is kept so it can be restored again later.
def ccache_restore(realm):
    saved_path = ccache_savefile(realm)
    shutil.copyfile(saved_path, realm.ccache)

# Perform a regular (TGS path) test of the server and client: start
# from the saved initial credentials, run the exchange, then list the
# ccache for the user and host principals.
def tgs_test(realm, options, server_options=[]):
    ccache_restore(realm)
    server_client_test(realm, options, server_options)
    # NOTE(review): presumably klist fails the test unless the ccache
    # now holds a ticket for host_princ -- confirm in k5test.
    realm.klist(realm.user_princ, realm.host_princ)

# Perform a test of the server and client with initial credentials
# obtained through gss_acquire_cred_with_password().
def pw_test(realm, options, server_options=[]):
    # Run the exchange with no ccache on disk, letting gss-client get
    # its initial credentials from the user's password.
    _discard_ccache(realm)
    # The password travels in gss-client's argument list via -pass.
    # Process arguments are generally readable by other local
    # processes, which is tolerable only because this is a throwaway
    # test-realm password.
    client_opts = options + ['-user', realm.user_princ,
                             '-pass', password('user')]
    server_client_test(realm, client_opts, server_options)
    # Password-acquired credentials must not be written out as a
    # ccache file; finding one afterwards is a test failure.
    if os.path.exists(realm.ccache):
        fail('gss_acquire_cred_with_password created ccache')

# Remove the realm's credential cache file if one is present, so the
# following test cannot pick up previously stored credentials.
def _discard_ccache(realm):
    if os.path.exists(realm.ccache):
        os.remove(realm.ccache)

# Perform a test using the wrong password, and make sure that failure
# occurs during the expected operation (gss_init_sec_context() for
# IAKERB, gss_acquire_cred_with_password() otherwise).
def wrong_pw_test(realm, options, server_options=[], iakerb=False):
    client_opts = options + ['-user', realm.user_princ, '-pass', 'wrongpw']
    if iakerb:
        failing_step = 'initializing context'
    else:
        failing_step = 'acquiring creds'
    # Negative test: the client must exit with status 1 and name the
    # step at which the bad password was rejected.
    run_client_server(realm, client_opts, server_options,
                      expected_code=1,
                      expected_msg='GSS-API error ' + failing_step)

# Perform a test of the server and client with initial credentials
# obtained with the client keytab
def kt_test(realm, options, server_options=[]):
    # No ccache and no password options are supplied, so the client has
    # to find its initial credentials elsewhere (the client keytab).
    _discard_ccache(realm)
    server_client_test(realm, options, server_options)
    # NOTE(review): presumably klist fails the test unless the ccache
    # now holds a ticket for host_princ -- confirm in k5test.
    realm.klist(realm.user_princ, realm.host_princ)

# Mechanism variants exercised in every phase, in run order:
# (gss-client flags, gss-server flags, failure expected at context
# initialization rather than credential acquisition).
variants = [
    (['-krb5'], [], False),
    (['-spnego'], [], False),
    (['-iakerb'], ['-iakerb'], True),
    # test default (i.e., krb5) mechanism with GSS_C_DCE_STYLE
    (['-dce'], [], False),
]

for realm in multipass_realms():
    # Set the user's initial credentials aside; tgs_test restores them.
    ccache_save(realm)

    mark('TGS')
    for client_flags, server_flags, is_iakerb in variants:
        tgs_test(realm, client_flags, server_flags)

    mark('pw')
    for client_flags, server_flags, is_iakerb in variants:
        pw_test(realm, client_flags, server_flags)

    mark('wrong pw')
    for client_flags, server_flags, is_iakerb in variants:
        wrong_pw_test(realm, client_flags, server_flags, is_iakerb)

    mark('client keytab')
    # NOTE(review): presumably this writes the user principal's
    # long-term key into the client keytab file -- test realm only.
    realm.extract_keytab(realm.user_princ, realm.client_keytab)
    for client_flags, server_flags, is_iakerb in variants:
        kt_test(realm, client_flags, server_flags)

success('GSS sample application')