# Copyright (C) 2010 by the Massachusetts Institute of Technology.
# All rights reserved.
#
# Export of this software from the United States of America may
# require a specific license from the United States Government.
# It is the responsibility of any person or organization contemplating
# export to obtain such a license before exporting.
#
# WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
# distribute this software and its documentation for any purpose and
# without fee is hereby granted, provided that the above copyright
# notice appear in all copies and that both that copyright notice and
# this permission notice appear in supporting documentation, and that
# the name of M.I.T. not be used in advertising or publicity pertaining
# to distribution of the software without specific, written prior
# permission. Furthermore if you modify this software you must label
# your software as modified software and not distribute it in such a
# fashion that it might be confused with the original M.I.T. software.
# M.I.T. makes no representations about the suitability of
# this software for any purpose. It is provided "as is" without express
# or implied warranty.

from k5test import *

# Locations of the sample GSS-API programs in the build tree.
appdir = os.path.join(buildtop, 'appl', 'gss-sample')
gss_client, gss_server = (os.path.join(appdir, exe)
                          for exe in ('gss-client', 'gss-server'))

# Run a gss-server process and a gss-client process, with additional
# gss-client flags given by options and additional gss-server flags
# given by server_options.  Checks the client run via realm.run() and,
# for an expected-successful negotiation, the server's reported output.
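def run_client_server(realm, options, server_options, **kwargs):
    """Run gss-server and gss-client against each other and check the result.

    Args:
        realm: the k5test realm providing the KDC, port allocation and the
            process helpers (start_server, run).
        options: extra gss-client command-line flags (a list).
        server_options: extra gss-server command-line flags (a list).
        **kwargs: passed through to realm.run() for the client, e.g.
            expected_msg or expected_code.

    When expected_code is not given, the client run is expected to succeed
    and this function additionally waits until gss-server has reported
    both the accepted client identity and the received message, failing
    the test if the server exits first.  The server is stopped before
    returning; nothing is returned.
    """
    portstr = str(realm.server_port())
    server_args = [gss_server, '-export', '-port', portstr]
    server_args += server_options + ['host']
    server = realm.start_server(server_args, 'starting...')
    realm.run([gss_client, '-port', portstr] + options +
              [hostname, 'host', 'testmsg'], **kwargs)

    # Only a negotiation expected to succeed leaves anything for the server
    # side to report; a client run with expected_code set is judged by
    # realm.run() alone.
    if 'expected_code' not in kwargs:
        seen_accept = seen_msg = False
        while not (seen_accept and seen_msg):
            line = server.stdout.readline()
            if line == '':
                # EOF on the server's stdout: it exited before reporting
                # both expected lines.
                fail('gss-server process exited unexpectedly')
            # Exact matches: the acceptor must have authenticated the
            # expected client principal and unwrapped the expected message.
            if line == 'Accepted connection: "user@KRBTEST.COM"\n':
                seen_accept = True
            if line == 'Received message: "testmsg"\n':
                seen_msg = True

    stop_daemon(server)


def server_client_test(realm, options, server_options):
    """Run the server/client pair and require a successful negotiation.

    Success is judged by gss-client printing 'Signature verified.'.
    """
    run_client_server(realm, options, server_options,
                      expected_msg='Signature verified.')


def ccache_savefile(realm):
    """Return the path used to hold a saved copy of the user's credentials.

    The file lives in realm.testdir next to the realm's other state.
    """
    return os.path.join(realm.testdir, 'ccache.copy')


def ccache_save(realm):
    """Move the user's current credential cache into the save file."""
    os.rename(realm.ccache, ccache_savefile(realm))


def ccache_restore(realm):
    """Copy the saved credentials back into the realm's credential cache."""
    shutil.copyfile(ccache_savefile(realm), realm.ccache)


def tgs_test(realm, options, server_options=None):
    """Run the regular (TGS path) test of the server and client.

    Args:
        realm: the k5test realm under test.
        options: extra gss-client flags.
        server_options: extra gss-server flags; defaults to none.

    The saved user credentials are restored first, so the client obtains a
    service ticket through the TGS path, and the ccache is then checked
    with klist for the user and host principals.
    """
    if server_options is None:
        server_options = []
    ccache_restore(realm)
    server_client_test(realm, options, server_options)
    realm.klist(realm.user_princ, realm.host_princ)


# Perform a test of the server and client with initial credentials
# obtained through gss_acquire_cred_with_password().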
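def pw_test(realm, options, server_options=None):
    """Test the server and client with initial credentials from a password.

    Args:
        realm: the k5test realm under test.
        options: extra gss-client flags; '-iakerb' switches the client to
            IAKERB realm discovery.
        server_options: extra gss-server flags; defaults to none.

    The client is given the user's name and password on its command line
    (appropriate only for the test realm's credentials) so that it
    acquires creds via gss_acquire_cred_with_password().  The default
    ccache is removed beforehand and must still be absent afterwards:
    password-acquired credentials must not be written to it.
    """
    if server_options is None:
        server_options = []
    if os.path.exists(realm.ccache):
        os.remove(realm.ccache)
    if '-iakerb' in options:
        # Use IAKERB realm discovery: strip the realm from the principal so
        # the client has to learn it during the exchange.
        user = realm.user_princ.split('@')[0]
    else:
        user = realm.user_princ
    options = options + ['-user', user, '-pass', password('user')]
    server_client_test(realm, options, server_options)
    if os.path.exists(realm.ccache):
        fail('gss_acquire_cred_with_password created ccache')


def wrong_pw_test(realm, options, server_options=None, iakerb=False):
    """Test that a wrong password fails during the expected operation.

    Args:
        realm: the k5test realm under test.
        options: extra gss-client flags.
        server_options: extra gss-server flags; defaults to none.
        iakerb: when true, the failure is expected in
            gss_init_sec_context() ('initializing context'); otherwise in
            gss_acquire_cred_with_password() ('acquiring creds').

    The client must exit with status 1 and print the GSS-API error for
    the expected operation.
    """
    if server_options is None:
        server_options = []
    options = options + ['-user', realm.user_princ, '-pass', 'wrongpw']
    failed_op = 'initializing context' if iakerb else 'acquiring creds'
    msg = 'GSS-API error ' + failed_op
    run_client_server(realm, options, server_options, expected_code=1,
                      expected_msg=msg)


def kt_test(realm, options, server_options=None):
    """Test the server and client with initial credentials from a keytab.

    Args:
        realm: the k5test realm under test.
        options: extra gss-client flags.
        server_options: extra gss-server flags; defaults to none.

    The default ccache is removed first so the client must obtain initial
    credentials from the client keytab (the caller is expected to have
    populated realm.client_keytab).  The resulting ccache is then checked
    with klist for the user and host principals.
    """
    if server_options is None:
        server_options = []
    if os.path.exists(realm.ccache):
        os.remove(realm.ccache)
    server_client_test(realm, options, server_options)
    realm.klist(realm.user_princ, realm.host_princ)


for realm in multipass_realms():
    # Keep the user's initial credentials aside; each TGS test restores
    # a fresh copy.
    ccache_save(realm)

    mark('TGS')
    tgs_test(realm, ['-krb5'])
    tgs_test(realm, ['-spnego'])
    tgs_test(realm, ['-iakerb'], ['-iakerb'])
    # test default (i.e., krb5) mechanism with GSS_C_DCE_STYLE
    tgs_test(realm, ['-dce'])

    mark('AP')
    # Saving again presumably keeps the host service ticket obtained above,
    # so the following runs can use the cached ticket directly.
    ccache_save(realm)
    tgs_test(realm, ['-krb5'])
    tgs_test(realm, ['-spnego'])
    tgs_test(realm, ['-iakerb'], ['-iakerb'])
    tgs_test(realm, ['-dce'])

    mark('pw')
    pw_test(realm, ['-krb5'])
    pw_test(realm, ['-spnego'])
    pw_test(realm, ['-iakerb'], ['-iakerb'])
    pw_test(realm, ['-dce'])

    mark('wrong pw')
    wrong_pw_test(realm, ['-krb5'])
    wrong_pw_test(realm, ['-spnego'])
    # IAKERB defers the password failure to context initialization.
    wrong_pw_test(realm, ['-iakerb'], ['-iakerb'], True)
    wrong_pw_test(realm, ['-dce'])

    mark('client keytab')
    realm.extract_keytab(realm.user_princ, realm.client_keytab)
    kt_test(realm, ['-krb5'])
    kt_test(realm, ['-spnego'])
    kt_test(realm, ['-iakerb'], ['-iakerb'])
    kt_test(realm, ['-dce'])

success('GSS sample application')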