from k5test import *

# The certauth test plugin is only built alongside PKINIT.
if not pkinit_enabled:
    skip_rest('certauth tests', 'PKINIT module not built')

# The same shared object is registered three times under distinct
# instance names; the KDC consults all three for each PKINIT request.
modpath = os.path.join(buildtop, 'plugins', 'certauth', 'test',
                       'certauth_test.so')
module_names = ['test1', 'test2', 'test3']
krb5_conf = {'plugins': {'certauth': {
    'module': [name + ':' + modpath for name in module_names],
    'enable_only': module_names}}}
# Every principal requires preauth; two realm-wide indicators are added
# to any ticket obtained via PKINIT.
kdc_conf = {'realms': {'$realm': {
    'default_principal_flags': '+preauth',
    'pkinit_indicator': ['indpkinit1', 'indpkinit2']}}}

realm = K5Realm(krb5_conf=krb5_conf, kdc_conf=kdc_conf, get_creds=False,
                pkinit=True)
realm.addprinc('nocert')


def check_indicators(inds):
    """Assert the service ticket's '+97' authdata lists exactly inds.

    Runs ./adata against realm.host_princ using the credentials obtained
    by the preceding pkinit call and expects a '+97: [inds]' line, where
    inds is the comma-separated indicator string produced by the
    certauth modules plus the configured pkinit_indicator values.
    """
    expected = '+97: [{}]'.format(inds)
    realm.run(['./adata', realm.host_princ], expected_msg=expected)


def set_hwauth(mode):
    """Set the 'hwauth' string attribute to mode on all test principals.

    Per the scenario comments below, this attribute is what makes the
    test3 module return KRB5_CERTAUTH_HWAUTH ('ok') or
    KRB5_CERTAUTH_HWAUTH_PASS ('pass') for that client.
    """
    for princ in (realm.user_princ, 'user2', 'nocert'):
        realm.run([kadminl, 'setstr', princ, 'hwauth', mode])


# With no module accepting the client, PKINIT must fail closed.
realm.pkinit('nocert', expected_code=1, expected_msg='Client name mismatch')

# The test2 module matches user against CN=user and adds indicators.
realm.pkinit(realm.user_princ)
realm.klist(realm.user_princ)
check_indicators('test1, test2, user, indpkinit1, indpkinit2')

# The test2 module rejects user2 when the certificate carries CN=user.
realm.addprinc('user2@KRBTEST.COM')
realm.pkinit('user2', expected_code=1, expected_msg='Certificate mismatch')

# Exercise the KRB5_CERTAUTH_HWAUTH return code.
mark('hw-authent flag tests')
# +requires_hwauth without any module setting the hw-authent ticket flag
# currently leaves the client in a preauth loop rather than succeeding.
realm.run([kadminl, 'modprinc', '+requires_hwauth', realm.user_princ])
realm.pkinit(realm.user_princ, expected_code=1,
             expected_msg='Looping detected')

# KRB5_CERTAUTH_HWAUTH: authentication succeeds whether or not another
# module accepts (note that 'nocert', which no module accepts, now gets
# a ticket), but a rejection from another module still wins.  A module
# returning this code is therefore trusted for the identity binding on
# its own, which is the property pinned by the 'nocert' case.
set_hwauth('ok')
realm.pkinit(realm.user_princ)
check_indicators('test1, test2, user, hwauth:ok, indpkinit1, indpkinit2')
realm.pkinit('user2', expected_code=1, expected_msg='Certificate mismatch')
realm.pkinit('nocert')
check_indicators('test1, hwauth:ok, indpkinit1, indpkinit2')

# KRB5_CERTAUTH_HWAUTH_PASS: the hw-authent flag is set but some other
# module must still accept the client, so 'nocert' fails again.
set_hwauth('pass')
realm.pkinit(realm.user_princ)
check_indicators('test1, test2, user, hwauth:pass, indpkinit1, indpkinit2')
realm.pkinit('user2', expected_code=1, expected_msg='Certificate mismatch')
realm.pkinit('nocert', expected_code=1, expected_msg='Client name mismatch')

success("certauth tests")