from k5test import *


def set_princ_flag(realm, flag, princ):
    """Toggle one KDB principal attribute on *princ* with kadmin.local modprinc.

    *flag* is the modprinc spelling, e.g. '-allow_svr' to set the
    attribute that disallows the principal as a service, '+allow_svr'
    to clear it again.
    """
    realm.run([kadminl, 'modprinc', flag, princ])


def u2u_kvno(realm, second_ccache, server, **run_kw):
    """Request a user-to-user ticket for *server* and return kvno's output.

    *second_ccache* holds the TGT that kvno --u2u presents as the second
    user's ticket (ENC-TKT-IN-SKEY); the default ccache supplies the
    client's own TGT.  Extra keyword arguments (expected_code,
    expected_msg) are passed straight to realm.run.
    """
    return realm.run([kvno, '--u2u', second_ccache, server], **run_kw)


realm = K5Realm(create_host=False)

# A second principal, alice, with a credential cache of its own.  The TGT
# in that cache is what the u2u requests below hand to the KDC as the
# second user's ticket.
alice_ccache = 'FILE:' + os.path.join(realm.testdir, 'ccu2u')
realm.addprinc('alice', password('alice'))
realm.kinit('alice', password('alice'), ['-c', alice_ccache])

# With the -allow_dup_skey attribute set (DISALLOW_DUP_SKEY), the KDC must
# refuse a user-to-user request for alice outright.
set_princ_flag(realm, '-allow_dup_skey', 'alice')
u2u_kvno(realm, alice_ccache, 'alice', expected_code=1,
         expected_msg='KDC policy rejects request')
set_princ_flag(realm, '+allow_dup_skey', 'alice')

# With -allow_svr set (DISALLOW_SVR), an ordinary TGS request for alice must
# fail with a message pointing at user2user, while the user-to-user form
# still succeeds.  The u2u ticket is reported with kvno 0 because it is not
# encrypted in one of alice's long-term keys.
set_princ_flag(realm, '-allow_svr', 'alice')
realm.run([kvno, 'alice'], expected_code=1,
          expected_msg='Server principal valid for user2user only')
u2u_kvno(realm, alice_ccache, 'alice', expected_msg='kvno = 0')
set_princ_flag(realm, '+allow_svr', 'alice')

# A regular lookup must not be served from the cached u2u ticket: the
# client has to fetch a fresh regular ticket (kvno 1), so the cache ends up
# holding two alice service tickets, the u2u one and the regular one.
realm.run([kvno, 'alice'], expected_msg='kvno = 1')
listing = realm.run([klist])
alice_entries = listing.count('alice@KRBTEST.COM')
if alice_entries != 2:
    fail('expected two alice tickets after regular kvno')

# u2u where the client user is also the server: its own TGT is the
# second-user ticket.
u2u_kvno(realm, realm.ccache, realm.user_princ)

realm.run([klist])

realm.stop()

# Second realm, backed by the in-memory test KDB module, to check that a
# u2u request still works when the server is named through a KDB alias
# (HOST/win10 -> WIN10).
test_princs = {
    'krbtgt/KRBTEST.COM': {'keys': 'aes128-cts'},
    'user': {'keys': 'aes128-cts', 'flags': '+preauth'},
    'WIN10': {'keys': 'aes128-cts'},
}
kdc_conf = {
    'realms': {'$realm': {'database_module': 'test'}},
    'dbmodules': {
        'test': {
            'db_library': 'test',
            'princs': test_princs,
            'alias': {'HOST/win10': 'WIN10'},
        },
    },
}

realm = K5Realm(kdc_conf=kdc_conf, create_kdb=False)
realm.start_kdc()

# The second user here is WIN10; keytab-based kinit into a separate cache
# gives the u2u requests their second-user TGT.
win10_ccache = 'FILE:' + os.path.join(realm.testdir, 'ccu2u')
realm.extract_keytab('WIN10', realm.keytab)
realm.kinit('WIN10', None, ['-k', '-c', win10_ccache])

realm.extract_keytab(realm.user_princ, realm.keytab)
realm.kinit(realm.user_princ, None, ['-k'])

# Both the alias and the canonical name must yield a u2u ticket (kvno 0).
for server_name in ('HOST/win10', 'WIN10'):
    u2u_kvno(realm, win10_ccache, server_name, expected_msg='kvno = 0')

success('user-to-user tests')