from k5test import *

realm = K5Realm()

# Every case below drives the same helper binary; only the arguments and the
# expected outcome differ.
CREDSTORE = './t_credstore'

# Outcome expected whenever the requested name is not satisfied by the
# credentials found in the ccache.
NAME_MISMATCH = dict(expected_code=1,
                     expected_msg='does not match desired name')

# Outcome expected whenever "password" is combined with a store key or a
# usage it is not accepted with.
USAGE_UNKNOWN = dict(expected_code=1,
                     expected_msg='Credential usage type is unknown')


def _credstore(*args, **expectations):
    """Run t_credstore in the realm with args and the given expectations."""
    return realm.run([CREDSTORE] + list(args), **expectations)


mark('gss_store_cred_into() and ccache/keytab')
store_ccache = 'FILE:' + os.path.join(realm.testdir, 'user_store')
cs_keytab = os.path.join(realm.testdir, 'kt')
cs_princ = 'service/cs@%s' % realm.realm
realm.addprinc(cs_princ)
realm.extract_keytab(cs_princ, cs_keytab)
realm.kinit(cs_princ, None, ['-k', '-t', cs_keytab])
expected = ('Storing %s -> %s in MEMORY:' % (cs_princ, realm.krbtgt_princ),
            'Moving ccache MEMORY:',
            'Retrieving %s from FILE:%s' % (cs_princ, cs_keytab))
_credstore('-s', 'p:' + cs_princ, 'ccache', store_ccache,
           'keytab', cs_keytab, expected_trace=expected)

mark('matching')
host_ccache = 'FILE:' + os.path.join(realm.testdir, 'service_cache')
realm.kinit(realm.host_princ, flags=['-k', '-c', host_ccache])
# Names that must be accepted for a ccache holding the host principal.
_credstore('-i', 'p:' + realm.host_princ, 'ccache', host_ccache)
_credstore('-i', 'h:host', 'ccache', host_ccache)
_credstore('-i', 'h:host@' + hostname, 'ccache', host_ccache)
# Names that must be rejected: a different principal, a different host and
# a different service.  A ccache must never satisfy a request for a name it
# does not hold.
_credstore('-i', 'p:wrong', 'ccache', host_ccache, **NAME_MISMATCH)
_credstore('-i', 'h:host@-nomatch-', 'ccache', host_ccache, **NAME_MISMATCH)
_credstore('-i', 'h:svc', 'ccache', host_ccache, **NAME_MISMATCH)

mark('matching (fallback)')
canon_host = canonicalize_hostname(hostname)
if canon_host == hostname:
    skipped('fallback matching test',
            '%s does not canonicalize to a different name' % hostname)
else:
    # The ccache now holds the principal for the canonical hostname.  Both
    # spellings of the host must match it, while the principal for the
    # uncanonicalized name must no longer match.
    canon_host_princ = 'host/%s@%s' % (canon_host, realm.realm)
    realm.addprinc(canon_host_princ)
    realm.extract_keytab(canon_host_princ, realm.keytab)
    realm.kinit(canon_host_princ, flags=['-k', '-c', host_ccache])
    _credstore('-i', 'h:host', 'ccache', host_ccache)
    _credstore('-i', 'h:host@' + hostname, 'ccache', host_ccache)
    _credstore('-i', 'h:host@' + canon_host, 'ccache', host_ccache)
    _credstore('-i', 'p:' + canon_host_princ, 'ccache', host_ccache)
    _credstore('-i', 'p:' + realm.host_princ, 'ccache', host_ccache,
               **NAME_MISMATCH)
    _credstore('-i', 'h:host@-nomatch-', 'ccache', host_ccache,
               **NAME_MISMATCH)

mark('rcache')
# t_credstore -r should produce a replay error normally, but not with
# rcache set to "none:".  The first run pins the default: the acceptor
# detects the replay.  The second shows that "none:" turns that detection
# off, so an acceptor configured this way has no replay protection from the
# replay cache.
_credstore('-r', '-a', 'p:' + realm.host_princ,
           expected_code=1,
           expected_msg='gss_accept_sec_context(2): Request is a replay')
_credstore('-r', '-a', 'p:' + realm.host_princ, 'rcache', 'none:')

# Test password feature.  The password reaches t_credstore as a
# command-line argument here; that suits throwaway test principals only,
# since argv is readable by other local processes.
mark('password')
# Must be used with a desired name.
_credstore('-i', '', 'password', 'pw',
           expected_code=1, expected_msg='An invalid name was supplied')
# Must not be used with a client keytab.
_credstore('-i', 'u:' + realm.user_princ,
           'password', 'pw', 'client_keytab', cs_keytab, **USAGE_UNKNOWN)
# Must not be used with a ccache.
_credstore('-i', 'u:' + realm.user_princ,
           'password', 'pw', 'ccache', store_ccache, **USAGE_UNKNOWN)
# Must be acquiring initiator credentials.
_credstore('-a', 'u:' + realm.user_princ, 'password', 'pw', **USAGE_UNKNOWN)
# Trace lines for the password-based TGT acquisition; the verify case below
# starts with the same two lines.
tgt_trace = ('Getting initial credentials for %s' % realm.user_princ,
             'Storing %s -> %s in MEMORY:' % (realm.user_princ,
                                              realm.krbtgt_princ))
# On success the credentials live in a MEMORY ccache that is destroyed
# afterwards.
expected = tgt_trace + ('Destroying ccache MEMORY:',)
_credstore('-i', 'u:' + realm.user_princ, 'password', password('user'),
           expected_trace=expected)

mark('verify')
# With "verify" set, the trace must show a service ticket for cs_princ being
# obtained after the initial credentials.
# NOTE(review): presumably this is the keytab check that keeps a forged KDC
# reply from being accepted on the strength of the password alone; confirm
# against the credential store documentation.
expected = tgt_trace + (
    'Getting credentials %s -> %s' % (realm.user_princ, cs_princ),
    'Storing %s -> %s in MEMORY:' % (realm.user_princ, cs_princ))
_credstore('-i', 'u:' + realm.user_princ, 'password', password('user'),
           'keytab', cs_keytab, 'verify', cs_princ,
           expected_trace=expected)
# Try again with verification failing due to key mismatch.  The principal
# gets a new random key in the KDB while the keytab keeps the old one.
# NOTE(review): the kvno is presumably reset to 1 so the stale keytab entry
# is still selected and the failure is a decrypt error; confirm.
realm.run([kadminl, 'cpw', '-randkey', cs_princ])
realm.run([kadminl, 'modprinc', '-kvno', '1', cs_princ])
decrypt_err = 'Cannot decrypt ticket for %s' % cs_princ
_credstore('-i', 'u:' + realm.user_princ, 'password', password('user'),
           'keytab', cs_keytab, 'verify', cs_princ,
           expected_code=1, expected_msg=decrypt_err)

success('Credential store tests')