from k5test import *

# GSSAPI authentication-indicator tests.
#
# Each scenario gets a ticket for the user principal with a known set of
# authentication indicators, then runs ./t_srcattrs against a service and
# looks for those indicators (hex-encoded) in the name attributes it prints.
# One case is a negative check: a service whose require_auth string does
# not match the ticket's indicators must be refused by the KDC.
#
# NOTE(review): the indicator checks are substring matches on the whole
# output, so a hex string appearing anywhere in it satisfies them.

# Line t_srcattrs is expected to print for the auth-indicators attribute.
indicator_attr = 'Attribute auth-indicators Authenticated Complete'

# --- Indicators asserted by the test preauth module ---------------------
# Load the test preauth module on both the KDC and client side so the
# indicators can be chosen from the kinit command line.
preauth_module = 'test:' + os.path.join(buildtop, 'plugins', 'preauth',
                                        'test', 'test.so')
plugin_conf = {
    'plugins': {
        'kdcpreauth': {'module': preauth_module},
        'clpreauth': {'module': preauth_module},
    }
}
realm = K5Realm(krb5_conf=plugin_conf)

# Two services with different require_auth strings; the user must
# preauthenticate.  The commands run in this exact order.
setup_cmds = (
    ['addprinc', '-randkey', 'service/1'],
    ['addprinc', '-randkey', 'service/2'],
    ['modprinc', '+requires_preauth', realm.user_princ],
    ['setstr', 'service/1', 'require_auth', 'superstrong'],
    ['setstr', 'service/2', 'require_auth', 'one two'],
    ['xst', 'service/1'],
    ['xst', 'service/2'],
)
for kadmin_args in setup_cmds:
    realm.run([kadminl] + kadmin_args)

# Positive case: the ticket carries "superstrong", which service/1 requires.
realm.kinit(realm.user_princ, password('user'),
            ['-X', 'indicators=superstrong'])
srcattrs_out = realm.run(['./t_srcattrs', 'p:service/1'])
if indicator_attr not in srcattrs_out:
    fail('Expected attribute type data not seen')
superstrong_hex = '73757065727374726f6e67'  # UTF-8 "superstrong"
if superstrong_hex not in srcattrs_out:
    fail('Expected auth indicator not seen in name attributes')

# Negative case: the same "superstrong" ticket is presented for service/2,
# whose require_auth is "one two".  The request must fail with exit code 1
# and the KDC policy message below.
policy_error = 'gss_init_sec_context: KDC policy rejects request'
realm.run(['./t_srcattrs', 'p:service/2'], expected_code=1,
          expected_msg=policy_error)

# With both "one" and "two" asserted, service/2 is reachable and both
# indicators are expected in the output.
realm.kinit(realm.user_princ, password('user'),
            ['-X', 'indicators=one two'])
srcattrs_out = realm.run(['./t_srcattrs', 'p:service/2'])
one_two_hex = ('6f6e65', '74776f')  # hexadecimal "one" and "two"
if not all(encoded in srcattrs_out for encoded in one_two_hex):
    fail('Expected auth indicator not seen in name attributes')

realm.stop()

# --- FAST encrypted challenge indicator ---------------------------------
# The KDC is configured with encrypted_challenge_indicator = fast.
fast_kdc_conf = {
    'realms': {'$realm': {'encrypted_challenge_indicator': 'fast'}}
}
realm = K5Realm(kdc_conf=fast_kdc_conf)
for kadmin_args in (['modprinc', '+requires_preauth', realm.user_princ],
                    ['xst', realm.host_princ]):
    realm.run([kadminl] + kadmin_args)

# The first kinit fills realm.ccache; the second passes that ccache via -T
# (presumably as the FAST armor ccache -- confirm against kinit's options).
realm.kinit(realm.user_princ, password('user'))
realm.kinit(realm.user_princ, password('user'), ['-T', realm.ccache])
srcattrs_out = realm.run(['./t_srcattrs', 'p:' + realm.host_princ])
if indicator_attr not in srcattrs_out:
    fail('Expected attribute type not seen')
fast_hex = '66617374'  # hexadecimal "fast"
if fast_hex not in srcattrs_out:
    fail('Expected auth indicator not seen in name attributes')

realm.stop()
success('GSSAPI auth indicator tests')