xref: /freebsd/crypto/krb5/src/tests/t_ccache.py (revision b670c9bafc0e31c7609969bf374b2e80bdc00211) 
1# Copyright (C) 2011 by the Massachusetts Institute of Technology.
2# All rights reserved.
3
4# Export of this software from the United States of America may
5#   require a specific license from the United States Government.
6#   It is the responsibility of any person or organization contemplating
7#   export to obtain such a license before exporting.
8#
9# WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
10# distribute this software and its documentation for any purpose and
11# without fee is hereby granted, provided that the above copyright
12# notice appear in all copies and that both that copyright notice and
13# this permission notice appear in supporting documentation, and that
14# the name of M.I.T. not be used in advertising or publicity pertaining
15# to distribution of the software without specific, written prior
16# permission.  Furthermore if you modify this software you must label
17# your software as modified software and not distribute it in such a
18# fashion that it might be confused with the original M.I.T. software.
19# M.I.T. makes no representations about the suitability of
20# this software for any purpose.  It is provided "as is" without express
21# or implied warranty.
22
23from k5test import *
24import tempfile
25
26socketdir = tempfile.TemporaryDirectory()
27kcm_socket_path = os.path.join(socketdir.name, 'kcm')
28conf = {'libdefaults': {'kcm_socket': kcm_socket_path,
29                        'kcm_mach_service': '-'}}
30realm = K5Realm(krb5_conf=conf)
31
32realm.addprinc('contest')
33realm.extract_keytab('contest', realm.keytab)
34realm.run(['./conccache', realm.ccache + '.contest', 'contest',
35           realm.host_princ])
36
37keyctl = which('keyctl')
38out = realm.run([klist, '-c', 'KEYRING:process:abcd'], expected_code=1)
39test_keyring = (keyctl is not None and
40                'Unknown credential cache type' not in out)
41if not test_keyring:
42    skipped('keyring ccache tests', 'keyring support not built')
43
44# Test kdestroy and klist of a non-existent ccache.
45mark('no ccache')
46realm.run([kdestroy])
47realm.run([klist], expected_code=1, expected_msg='No credentials cache found')
48
49# Test kinit with an inaccessible ccache.
50mark('inaccessible ccache')
51realm.kinit(realm.user_princ, password('user'), flags=['-c', 'testdir/xx/yy'],
52            expected_code=1, expected_msg='Failed to store credentials')
53
54# Test klist -s with a single ccache.
55mark('klist -s single ccache')
56realm.run([klist, '-s'], expected_code=1)
57realm.kinit(realm.user_princ, password('user'))
58realm.run([klist, '-s'])
59realm.kinit(realm.user_princ, password('user'), ['-l', '-10s'])
60realm.run([klist, '-s'], expected_code=1)
61realm.kinit(realm.user_princ, password('user'), ['-S', 'kadmin/admin'])
62realm.run([klist, '-s'])
63realm.run([kdestroy])
64realm.run([klist, '-s'], expected_code=1)
65
66realm.addprinc('alice', password('alice'))
67realm.addprinc('bob', password('bob'))
68realm.addprinc('carol', password('carol'))
69realm.addprinc('doug', password('doug'))
70
71def collection_test(realm, ccname):
72    cctype = ccname.partition(':')[0]
73    oldccname = realm.env['KRB5CCNAME']
74    realm.env['KRB5CCNAME'] = ccname
75
76    mark('%s collection, single cache' % cctype)
77    realm.run([klist, '-A', '-s'], expected_code=1)
78    realm.kinit('alice', password('alice'))
79    realm.run([klist], expected_msg='Default principal: alice@')
80    realm.run([klist, '-A', '-s'])
81    realm.run([kvno, realm.host_princ], expected_msg = 'kvno = 1')
82    realm.run([kvno, realm.host_princ], expected_msg = 'kvno = 1')
83    out = realm.run([klist])
84    if out.count(realm.host_princ) != 1:
85        fail('Wrong number of service tickets in cache')
86    realm.run([kdestroy])
87    output = realm.run([klist], expected_code=1)
88    if 'No credentials cache' not in output and 'not found' not in output:
89        fail('Initial kdestroy failed to destroy primary cache.')
90    output = realm.run([klist, '-l'], expected_code=1)
91    if not output.endswith('---\n') or output.count('\n') != 2:
92        fail('Initial kdestroy failed to empty cache collection.')
93    realm.run([klist, '-A', '-s'], expected_code=1)
94
95    mark('%s collection, multiple caches' % cctype)
96    realm.kinit('alice', password('alice'))
97    realm.kinit('carol', password('carol'))
98    output = realm.run([klist, '-l'])
99    if '---\ncarol@' not in output or '\nalice@' not in output:
100        fail('klist -l did not show expected output after two kinits.')
101    realm.kinit('alice', password('alice'))
102    output = realm.run([klist, '-l'])
103    if '---\nalice@' not in output or output.count('\n') != 4:
104        fail('klist -l did not show expected output after re-kinit for alice.')
105    realm.kinit('doug', password('doug'))
106    realm.kinit('bob', password('bob'))
107    output = realm.run([klist, '-A', ccname])
108    if 'bob@' not in output.splitlines()[1] or 'alice@' not in output or \
109       'carol@' not in output or 'doug@' not in output or \
110       output.count('Default principal:') != 4:
111        fail('klist -A did not show expected output after kinit doug+bob.')
112    realm.run([kswitch, '-p', 'carol'])
113    output = realm.run([klist, '-l'])
114    if '---\ncarol@' not in output or output.count('\n') != 6:
115        fail('klist -l did not show expected output after kswitch to carol.')
116
117    # Switch to specifying the collection name on the command line
118    # (only works with klist/kdestroy for now, not kinit/kswitch).
119    realm.env['KRB5CCNAME'] = oldccname
120
121    mark('%s collection, command-line specifier' % cctype)
122    realm.run([kdestroy, '-c', ccname])
123    output = realm.run([klist, '-l', ccname])
124    if 'carol@' in output or 'bob@' not in output or output.count('\n') != 5:
125        fail('kdestroy failed to remove only primary ccache.')
126    realm.run([klist, '-s', ccname], expected_code=1)
127    realm.run([klist, '-A', '-s', ccname])
128    realm.run([kdestroy, '-p', 'alice', '-c', ccname])
129    output = realm.run([klist, '-l', ccname])
130    if 'alice@' in output or 'bob@' not in output or output.count('\n') != 4:
131        fail('kdestroy -p failed to remove alice')
132    realm.run([kdestroy, '-A', '-c', ccname])
133    output = realm.run([klist, '-l', ccname], expected_code=1)
134    if not output.endswith('---\n') or output.count('\n') != 2:
135        fail('kdestroy -a failed to empty cache collection.')
136    realm.run([klist, '-A', '-s', ccname], expected_code=1)
137
138
139collection_test(realm, 'DIR:' + os.path.join(realm.testdir, 'cc'))
140
141# Test KCM with and without RETRIEVE and GET_CRED_LIST support.
142kcmserver_path = os.path.join(srctop, 'tests', 'kcmserver.py')
143kcmd = realm.start_server([sys.executable, kcmserver_path, kcm_socket_path],
144                          'starting...')
145collection_test(realm, 'KCM:')
146stop_daemon(kcmd)
147os.remove(kcm_socket_path)
148realm.start_server([sys.executable, kcmserver_path, '-f', kcm_socket_path],
149                   'starting...')
150collection_test(realm, 'KCM:')
151
152if test_keyring:
153    def cleanup_keyring(anchor, name):
154        out = realm.run(['keyctl', 'list', anchor])
155        if ('keyring: ' + name + '\n') in out:
156            keyid = realm.run(['keyctl', 'search', anchor, 'keyring', name])
157            realm.run(['keyctl', 'unlink', keyid.strip(), anchor])
158
159    # Use realm.testdir as the collection name to avoid conflicts with
160    # other build trees.
161    cname = realm.testdir
162    col_ringname = '_krb_' + cname
163
164    cleanup_keyring('@s', col_ringname)
165    collection_test(realm, 'KEYRING:session:' + cname)
166    cleanup_keyring('@s', col_ringname)
167
168    # Test legacy keyring cache linkage.
169    mark('legacy keyring cache linkage')
170    realm.env['KRB5CCNAME'] = 'KEYRING:' + cname
171    realm.run([kdestroy, '-A'])
172    realm.kinit(realm.user_princ, password('user'))
173    msg = 'KEYRING:legacy:' + cname + ':' + cname
174    realm.run([klist, '-l'], expected_msg=msg)
175    # Make sure this cache is linked to the session keyring.
176    id = realm.run([keyctl, 'search', '@s', 'keyring', cname])
177    realm.run([keyctl, 'list', id.strip()],
178              expected_msg='user: __krb5_princ__')
179    # Remove the collection keyring.  When the collection is
180    # reinitialized, the legacy cache should reappear inside it
181    # automatically as the primary cache.
182    cleanup_keyring('@s', col_ringname)
183    realm.run([klist], expected_msg=realm.user_princ)
184    coll_id = realm.run([keyctl, 'search', '@s', 'keyring', '_krb_' + cname])
185    msg = id.strip() + ':'
186    realm.run([keyctl, 'list', coll_id.strip()], expected_msg=msg)
187    # Destroy the cache and check that it is unlinked from the session keyring.
188    realm.run([kdestroy])
189    realm.run([keyctl, 'search', '@s', 'keyring', cname], expected_code=1)
190    cleanup_keyring('@s', col_ringname)
191
192# Test parameter expansion in default_ccache_name
193mark('default_ccache_name parameter expansion')
194realm.stop()
195conf = {'libdefaults': {'default_ccache_name': 'testdir/%{null}abc%{uid}'}}
196realm = K5Realm(krb5_conf=conf, create_kdb=False)
197del realm.env['KRB5CCNAME']
198uidstr = str(os.getuid())
199msg = 'testdir/abc%s' % uidstr
200realm.run([klist], expected_code=1, expected_msg=msg)
201
202success('Credential cache tests')
203