krb5 commit: Simplify k5test.py environments
Greg Hudson
ghudson at MIT.EDU
Thu Dec 20 11:52:14 EST 2012
https://github.com/krb5/krb5/commit/966547dfeb011800d4b78b8e5d494813bc80559c
commit 966547dfeb011800d4b78b8e5d494813bc80559c
Author: Greg Hudson <ghudson at mit.edu>
Date: Sun Dec 16 16:55:29 2012 -0500
Simplify k5test.py environments
The initial k5test.py design, copied from the dejagnu suite, is to
create config files and environments for four expected roles: client,
server, master, and slave. This approach exaggerates the complexity
of the common case, where the configurations don't need to vary, and
limits us to having just one slave for kprop/iprop tests.
Instead, create just one configuration by default, and add a
special_env() method which sets up a differently configured
environment for the few test cases which need one. The run_as_*()
methods are collapsed into just run(), which accepts an optional
argument for the environment returned by special_env().
src/appl/gss-sample/t_gss_sample.py | 4 +-
src/appl/user_user/t_user2user.py | 2 +-
src/kdc/t_emptytgt.py | 2 +-
src/lib/kdb/t_stringattr.py | 2 +-
src/lib/krb5/ccache/t_cccol.py | 14 +-
src/lib/krb5/krb/t_expire_warn.py | 12 +-
src/lib/krb5/krb/t_in_ccache_patypes.py | 50 ++--
src/lib/krb5/krb/t_vfy_increds.py | 45 ++--
src/tests/gssapi/t_ccselect.py | 41 ++--
src/tests/gssapi/t_client_keytab.py | 76 +++---
src/tests/gssapi/t_export_cred.py | 4 +-
src/tests/gssapi/t_gssapi.py | 89 +++----
src/tests/gssapi/t_s4u.py | 23 +-
src/tests/t_allowed_keysalts.py | 3 +-
src/tests/t_anonpkinit.py | 25 +--
src/tests/t_ccache.py | 39 ++--
src/tests/t_crossrealm.py | 39 ++--
src/tests/t_general.py | 18 +-
src/tests/t_iprop.py | 89 ++++----
src/tests/t_kadm5_hook.py | 10 +-
src/tests/t_kadmin_acl.py | 2 +-
src/tests/t_kdb.py | 36 ++--
src/tests/t_kdb_locking.py | 8 +-
src/tests/t_keyrollover.py | 20 +-
src/tests/t_keytab.py | 24 +-
src/tests/t_lockout.py | 8 +-
src/tests/t_pwhist.py | 4 +-
src/tests/t_referral.py | 8 +-
src/tests/t_sesskeynego.py | 44 ++--
src/tests/t_skew.py | 14 +-
src/util/gss-kernel-lib/t_kgss.py | 2 +-
src/util/k5test.py | 416 +++++++++++++------------------
src/util/testrealm.py | 2 +-
33 files changed, 517 insertions(+), 658 deletions(-)
diff --git a/src/appl/gss-sample/t_gss_sample.py b/src/appl/gss-sample/t_gss_sample.py
index 211da97..faec8a0 100644
--- a/src/appl/gss-sample/t_gss_sample.py
+++ b/src/appl/gss-sample/t_gss_sample.py
@@ -35,8 +35,8 @@ def server_client_test(realm, options):
portstr = str(realm.server_port())
server = realm.start_server([gss_server, '-port', portstr, 'host'],
'starting...')
- output = realm.run_as_client([gss_client, '-port', portstr] + options +
- [hostname, 'host', 'testmsg'])
+ output = realm.run([gss_client, '-port', portstr] + options +
+ [hostname, 'host', 'testmsg'])
if 'Signature verified.' not in output:
fail('Expected message not seen in gss-client output')
stop_daemon(server)
diff --git a/src/appl/user_user/t_user2user.py b/src/appl/user_user/t_user2user.py
index abd6641..8bdef8e 100644
--- a/src/appl/user_user/t_user2user.py
+++ b/src/appl/user_user/t_user2user.py
@@ -10,7 +10,7 @@ for realm in multipass_realms():
else:
srv_output = realm.start_server(['./uuserver', '9999'], 'Server started')
- output = realm.run_as_client(['./uuclient', hostname, 'testing message', '9999'])
+ output = realm.run(['./uuclient', hostname, 'testing message', '9999'])
if 'uu-client: server says \"Hello, other end of connection.\"' not in output:
fail('Message not echoed back.')
diff --git a/src/kdc/t_emptytgt.py b/src/kdc/t_emptytgt.py
index d532deb..8f7717a 100644
--- a/src/kdc/t_emptytgt.py
+++ b/src/kdc/t_emptytgt.py
@@ -2,7 +2,7 @@
from k5test import *
realm = K5Realm(create_host=False)
-output = realm.run_as_client([kvno, 'krbtgt/'], expected_code=1)
+output = realm.run([kvno, 'krbtgt/'], expected_code=1)
if 'not found in Kerberos database' not in output:
fail('TGT lookup for empty realm failed in unexpected way')
success('Empty tgt lookup.')
diff --git a/src/lib/kdb/t_stringattr.py b/src/lib/kdb/t_stringattr.py
index f520370..085e179 100644
--- a/src/lib/kdb/t_stringattr.py
+++ b/src/lib/kdb/t_stringattr.py
@@ -2,5 +2,5 @@
from k5test import *
realm = K5Realm(create_kdb=False)
-realm.run_as_master(['./t_stringattr'])
+realm.run(['./t_stringattr'])
success('String attribute unit tests')
diff --git a/src/lib/krb5/ccache/t_cccol.py b/src/lib/krb5/ccache/t_cccol.py
index 8c459dd..acd2b6e 100644
--- a/src/lib/krb5/ccache/t_cccol.py
+++ b/src/lib/krb5/ccache/t_cccol.py
@@ -16,7 +16,7 @@ realm.kinit('alice', password('alice'), flags=['-c', dalice])
realm.kinit('bob', password('bob'), flags=['-c', dbob])
def cursor_test(testname, args, expected):
- outlines = realm.run_as_client(['./t_cccursor'] + args).splitlines()
+ outlines = realm.run(['./t_cccursor'] + args).splitlines()
outlines.sort()
expected.sort()
if outlines != expected:
@@ -37,14 +37,14 @@ cursor_test('filemem', [fccname, mfoo, mbar], [fccname, mfoo, mbar])
cursor_test('dirmem', [dccname, mfoo], [duser, dalice, dbob, mfoo])
# Test krb5_cccol_have_content.
-realm.run_as_client(['./t_cccursor', dccname, 'CONTENT'])
-realm.run_as_client(['./t_cccursor', fccname, 'CONTENT'])
-realm.run_as_client(['./t_cccursor', realm.ccache, 'CONTENT'])
-realm.run_as_client(['./t_cccursor', mfoo, 'CONTENT'], expected_code=1)
+realm.run(['./t_cccursor', dccname, 'CONTENT'])
+realm.run(['./t_cccursor', fccname, 'CONTENT'])
+realm.run(['./t_cccursor', realm.ccache, 'CONTENT'])
+realm.run(['./t_cccursor', mfoo, 'CONTENT'], expected_code=1)
# Make sure FILE doesn't yield a nonexistent default cache.
-realm.run_as_client([kdestroy])
+realm.run([kdestroy])
cursor_test('noexist', [], [])
-realm.run_as_client(['./t_cccursor', fccname, 'CONTENT'], expected_code=1)
+realm.run(['./t_cccursor', fccname, 'CONTENT'], expected_code=1)
success('Renewing credentials')
diff --git a/src/lib/krb5/krb/t_expire_warn.py b/src/lib/krb5/krb/t_expire_warn.py
index f803b45..4c9b5cc 100644
--- a/src/lib/krb5/krb/t_expire_warn.py
+++ b/src/lib/krb5/krb/t_expire_warn.py
@@ -34,28 +34,28 @@ realm.run_kadminl('addprinc -pw pass -pwexpire "12 hours" hours')
realm.run_kadminl('addprinc -pw pass -pwexpire "3 days" days')
# Check for expected prompter warnings when no expire callback is used.
-output = realm.run_as_client(['./t_expire_warn', 'noexpire', 'pass', '0'])
+output = realm.run(['./t_expire_warn', 'noexpire', 'pass', '0'])
if output:
fail('Unexpected output for noexpire')
-output = realm.run_as_client(['./t_expire_warn', 'minutes', 'pass', '0'])
+output = realm.run(['./t_expire_warn', 'minutes', 'pass', '0'])
if ' less than one hour on ' not in output:
fail('Expected warning not seen for minutes')
-output = realm.run_as_client(['./t_expire_warn', 'hours', 'pass', '0'])
+output = realm.run(['./t_expire_warn', 'hours', 'pass', '0'])
if ' hours on ' not in output:
fail('Expected warning not seen for hours')
-output = realm.run_as_client(['./t_expire_warn', 'days', 'pass', '0'])
+output = realm.run(['./t_expire_warn', 'days', 'pass', '0'])
if ' days on ' not in output:
fail('Expected warning not seen for days')
# Check for expected expire callback behavior. These tests are
# carefully agnostic about whether the KDC supports last_req fields,
# and could be made more specific if last_req support is added.
-output = realm.run_as_client(['./t_expire_warn', 'noexpire', 'pass', '1'])
+output = realm.run(['./t_expire_warn', 'noexpire', 'pass', '1'])
if 'password_expiration = 0\n' not in output or \
'account_expiration = 0\n' not in output or \
'is_last_req = ' not in output:
fail('Expected callback output not seen for noexpire')
-output = realm.run_as_client(['./t_expire_warn', 'days', 'pass', '1'])
+output = realm.run(['./t_expire_warn', 'days', 'pass', '1'])
if 'password_expiration = ' not in output or \
'password_expiration = 0\n' in output:
fail('Expected non-zero password expiration not seen for days')
diff --git a/src/lib/krb5/krb/t_in_ccache_patypes.py b/src/lib/krb5/krb/t_in_ccache_patypes.py
index f040b8e..7e3c7b0 100644
--- a/src/lib/krb5/krb/t_in_ccache_patypes.py
+++ b/src/lib/krb5/krb/t_in_ccache_patypes.py
@@ -33,58 +33,52 @@ realm.run_kadminl('addprinc -pw pass +requires_preauth preauth')
# Check that we can get creds without preauth without an in_ccache. This is
# the default behavior for kinit.
-realm.run_as_client(['./t_in_ccache', 'nopreauth', 'pass'])
+realm.run(['./t_in_ccache', 'nopreauth', 'pass'])
# Check that we can get creds with preauth without an in_ccache. This is the
# default behavior for kinit.
-realm.run_as_client(['./t_in_ccache', 'preauth', 'pass'])
+realm.run(['./t_in_ccache', 'preauth', 'pass'])
# Check that we can get creds while supplying a now-populated input ccache that
# doesn't contain any relevant configuration.
-realm.run_as_client(['./t_in_ccache', 'nopreauth', 'pass'])
-realm.run_as_client(['./t_in_ccache', '-I', realm.ccache, 'preauth', 'pass'])
+realm.run(['./t_in_ccache', 'nopreauth', 'pass'])
+realm.run(['./t_in_ccache', '-I', realm.ccache, 'preauth', 'pass'])
# Check that we can get creds while supplying a now-populated input ccache.
-realm.run_as_client(['./t_in_ccache', 'preauth', 'pass'])
-realm.run_as_client(['./t_in_ccache', '-I', realm.ccache, 'preauth', 'pass'])
+realm.run(['./t_in_ccache', 'preauth', 'pass'])
+realm.run(['./t_in_ccache', '-I', realm.ccache, 'preauth', 'pass'])
# Check that we can't get creds while specifying patypes that aren't available
# in a FAST tunnel while using a FAST tunnel. Expect the client-end
# preauth-failed error.
-realm.run_as_client(['./t_in_ccache', 'nopreauth', 'pass'])
-realm.run_as_client(['./t_cc_config', '-p', realm.krbtgt_princ,
- 'pa_type', '2'])
-realm.run_as_client(['./t_in_ccache', '-A', realm.ccache, '-I', realm.ccache,
- 'preauth', 'pass'], expected_code=210)
+realm.run(['./t_in_ccache', 'nopreauth', 'pass'])
+realm.run(['./t_cc_config', '-p', realm.krbtgt_princ, 'pa_type', '2'])
+realm.run(['./t_in_ccache', '-A', realm.ccache, '-I', realm.ccache,
+ 'preauth', 'pass'], expected_code=210)
# Check that we can't get creds while specifying patypes that are only
# available in a FAST tunnel while not using a FAST tunnel. Expect the
# client-end preauth-failed error.
-realm.run_as_client(['./t_in_ccache', 'nopreauth', 'pass'])
-realm.run_as_client(['./t_cc_config', '-p', realm.krbtgt_princ,
- 'pa_type', '138'])
-realm.run_as_client(['./t_in_ccache', '-I', realm.ccache, 'preauth', 'pass'],
- expected_code=210)
+realm.run(['./t_in_ccache', 'nopreauth', 'pass'])
+realm.run(['./t_cc_config', '-p', realm.krbtgt_princ, 'pa_type', '138'])
+realm.run(['./t_in_ccache', '-I', realm.ccache, 'preauth', 'pass'],
+ expected_code=210)
# Check that we can get creds using FAST, and that we end up using
# encrypted_challenge when we do.
-realm.run_as_client(['./t_in_ccache', 'preauth', 'pass'])
-realm.run_as_client(['./t_cc_config', '-p', realm.krbtgt_princ,
- 'pa_type', '138'])
-realm.run_as_client(['./t_in_ccache', '-A', realm.ccache, 'preauth', 'pass'])
-output = realm.run_as_client(['./t_cc_config', '-p', realm.krbtgt_princ,
- 'pa_type'])
+realm.run(['./t_in_ccache', 'preauth', 'pass'])
+realm.run(['./t_cc_config', '-p', realm.krbtgt_princ, 'pa_type', '138'])
+realm.run(['./t_in_ccache', '-A', realm.ccache, 'preauth', 'pass'])
+output = realm.run(['./t_cc_config', '-p', realm.krbtgt_princ, 'pa_type'])
# We should have selected and used encrypted_challenge.
if output != '138':
fail('Unexpected pa_type value in out_ccache: "%s"' % output)
# Check that we can get creds while specifying the right patypes.
-realm.run_as_client(['./t_in_ccache', 'nopreauth', 'pass'])
-realm.run_as_client(['./t_cc_config', '-p', realm.krbtgt_princ,
- 'pa_type', '2'])
-realm.run_as_client(['./t_in_ccache', '-I', realm.ccache, 'preauth', 'pass'])
-output = realm.run_as_client(['./t_cc_config', '-p', realm.krbtgt_princ,
- 'pa_type'])
+realm.run(['./t_in_ccache', 'nopreauth', 'pass'])
+realm.run(['./t_cc_config', '-p', realm.krbtgt_princ, 'pa_type', '2'])
+realm.run(['./t_in_ccache', '-I', realm.ccache, 'preauth', 'pass'])
+output = realm.run(['./t_cc_config', '-p', realm.krbtgt_princ, 'pa_type'])
# We should have selected and used encrypted_timestamp.
if output != '2':
fail('Unexpected pa_type value in out_ccache')
diff --git a/src/lib/krb5/krb/t_vfy_increds.py b/src/lib/krb5/krb/t_vfy_increds.py
index a06b740..a17b478 100644
--- a/src/lib/krb5/krb/t_vfy_increds.py
+++ b/src/lib/krb5/krb/t_vfy_increds.py
@@ -27,20 +27,20 @@ from k5test import *
realm = K5Realm()
# Verify the default test realm credentials with the default keytab.
-realm.run_as_server(['./t_vfy_increds'])
-realm.run_as_server(['./t_vfy_increds', '-n'])
+realm.run(['./t_vfy_increds'])
+realm.run(['./t_vfy_increds', '-n'])
# Verify after updating the keytab (so the keytab contains an outdated
# version 1 key followed by an up-to-date version 2 key).
realm.run_kadminl('ktadd ' + realm.host_princ)
-realm.run_as_server(['./t_vfy_increds'])
-realm.run_as_server(['./t_vfy_increds', '-n'])
+realm.run(['./t_vfy_increds'])
+realm.run(['./t_vfy_increds', '-n'])
# Bump the host key without updating the keytab and make sure that
# verification fails as we expect it to.
realm.run_kadminl('change_password -randkey ' + realm.host_princ)
-realm.run_as_server(['./t_vfy_increds'], expected_code=1)
-realm.run_as_server(['./t_vfy_increds', '-n'], expected_code=1)
+realm.run(['./t_vfy_increds'], expected_code=1)
+realm.run(['./t_vfy_increds', '-n'], expected_code=1)
# Simulate a system where the hostname has changed and the keytab
# contains host service principals with a hostname that no longer
@@ -49,14 +49,14 @@ realm.run_as_server(['./t_vfy_increds', '-n'], expected_code=1)
# test. Verify should succeed, with or without nofail.
realm.run_kadminl('addprinc -randkey host/wrong.hostname')
realm.run_kadminl('ktadd host/wrong.hostname')
-realm.run_as_server(['./t_vfy_increds'])
-realm.run_as_server(['./t_vfy_increds', '-n'])
+realm.run(['./t_vfy_increds'])
+realm.run(['./t_vfy_increds', '-n'])
# Remove the keytab and verify again. This should succeed if nofail
# is not set, and fail if it is set.
os.remove(realm.keytab)
-realm.run_as_server(['./t_vfy_increds'])
-realm.run_as_server(['./t_vfy_increds', '-n'], expected_code=1)
+realm.run(['./t_vfy_increds'])
+realm.run(['./t_vfy_increds', '-n'], expected_code=1)
# Create an empty keytab file and verify again. This simulates a
# system where an admin ran "touch krb5.keytab" to work around a
@@ -66,8 +66,8 @@ realm.run_as_server(['./t_vfy_increds', '-n'], expected_code=1)
# causing a KRB5_KEYTAB_BADVNO error, so any tightening of the
# krb5_verify_init_creds semantics needs to take this into account.)
open(realm.keytab, 'w').close()
-realm.run_as_server(['./t_vfy_increds'])
-realm.run_as_server(['./t_vfy_increds', '-n'], expected_code=1)
+realm.run(['./t_vfy_increds'])
+realm.run(['./t_vfy_increds', '-n'], expected_code=1)
os.remove(realm.keytab)
# Add an NFS service principal to keytab. Verify should ignore it by
@@ -75,27 +75,26 @@ os.remove(realm.keytab)
# when it is specifically requested.
realm.run_kadminl('addprinc -randkey ' + realm.nfs_princ)
realm.run_kadminl('ktadd ' + realm.nfs_princ)
-realm.run_as_server(['./t_vfy_increds'])
-realm.run_as_server(['./t_vfy_increds', '-n'], expected_code=1)
-realm.run_as_server(['./t_vfy_increds', realm.nfs_princ])
-realm.run_as_server(['./t_vfy_increds', '-n', realm.nfs_princ])
+realm.run(['./t_vfy_increds'])
+realm.run(['./t_vfy_increds', '-n'], expected_code=1)
+realm.run(['./t_vfy_increds', realm.nfs_princ])
+realm.run(['./t_vfy_increds', '-n', realm.nfs_princ])
# Invalidating the NFS keys in the keytab. We should get the same
# results with the default principal argument, but verification should
# now fail if we request it specifically.
realm.run_kadminl('change_password -randkey ' + realm.nfs_princ)
-realm.run_as_server(['./t_vfy_increds'])
-realm.run_as_server(['./t_vfy_increds', '-n'], expected_code=1)
-realm.run_as_server(['./t_vfy_increds', realm.nfs_princ], expected_code=1)
-realm.run_as_server(['./t_vfy_increds', '-n', realm.nfs_princ],
- expected_code=1)
+realm.run(['./t_vfy_increds'])
+realm.run(['./t_vfy_increds', '-n'], expected_code=1)
+realm.run(['./t_vfy_increds', realm.nfs_princ], expected_code=1)
+realm.run(['./t_vfy_increds', '-n', realm.nfs_princ], expected_code=1)
# Spot-check that verify_ap_req_nofail works equivalently to the
# programmatic nofail option.
realm.stop()
-conf = { 'server' : { 'libdefaults' : { 'verify_ap_req_nofail' : 'true' } } }
+conf = {'libdefaults': {'verify_ap_req_nofail': 'true'}}
realm = K5Realm(krb5_conf=conf)
os.remove(realm.keytab)
-realm.run_as_server(['./t_vfy_increds'], expected_code=1)
+realm.run(['./t_vfy_increds'], expected_code=1)
success('krb5_verify_init_creds tests')
diff --git a/src/tests/gssapi/t_ccselect.py b/src/tests/gssapi/t_ccselect.py
index 6b7bce6..8858fa8 100644
--- a/src/tests/gssapi/t_ccselect.py
+++ b/src/tests/gssapi/t_ccselect.py
@@ -42,27 +42,21 @@ gssserver = 'h:host@' + hostname
# .k5identity rules since it has unknown type.
refserver = 'p:host/' + hostname + '@'
-# Make each realm's keytab contain entries for both realm's servers.
-#r1.run_as_client(['/bin/sh', '-c', '(echo rkt %s; echo wkt %s) | %s' %
-# (r2.keytab, r1.keytab, ktutil)])
-#r1.run_as_client(['/bin/sh', '-c', '(echo rkt %s; echo wkt %s) | %s' %
-# (r1.keytab, r2.keytab, ktutil)])
-
# Verify that we can't get initiator creds with no credentials in the
# collection.
-output = r1.run_as_client(['./t_ccselect', host1, '-'], expected_code=1)
+output = r1.run(['./t_ccselect', host1, '-'], expected_code=1)
if 'No Kerberos credentials available' not in output:
fail('Expected error not seen in output when no credentials available')
# Make a directory collection and use it for client commands in both realms.
ccdir = os.path.join(r1.testdir, 'cc')
ccname = 'DIR:' + ccdir
-r1.env_client['KRB5CCNAME'] = ccname
-r2.env_client['KRB5CCNAME'] = ccname
+r1.env['KRB5CCNAME'] = ccname
+r2.env['KRB5CCNAME'] = ccname
# Use .k5identity from testdir and not from the tester's homedir.
-r1.env_client['HOME'] = r1.testdir
-r2.env_client['HOME'] = r1.testdir
+r1.env['HOME'] = r1.testdir
+r2.env['HOME'] = r1.testdir
# Create two users in r1 and one in r2.
alice='alice at KRBTEST.COM'
@@ -77,32 +71,32 @@ r1.kinit(alice, password('alice'))
r2.kinit(zaphod, password('zaphod'))
# Check that we can find a cache for a specified client principal.
-output = r1.run_as_client(['./t_ccselect', host1, 'p:' + alice])
+output = r1.run(['./t_ccselect', host1, 'p:' + alice])
if output != (alice + '\n'):
fail('alice not chosen when specified')
-output = r2.run_as_client(['./t_ccselect', host2, 'p:' + zaphod])
+output = r2.run(['./t_ccselect', host2, 'p:' + zaphod])
if output != (zaphod + '\n'):
fail('zaphod not chosen when specified')
# Check that we can guess a cache based on the service realm.
-output = r1.run_as_client(['./t_ccselect', host1])
+output = r1.run(['./t_ccselect', host1])
if output != (alice + '\n'):
fail('alice not chosen as default initiator cred for server in r1')
-output = r1.run_as_client(['./t_ccselect', host1, '-'])
+output = r1.run(['./t_ccselect', host1, '-'])
if output != (alice + '\n'):
fail('alice not chosen as default initiator name for server in r1')
-output = r2.run_as_client(['./t_ccselect', host2])
+output = r2.run(['./t_ccselect', host2])
if output != (zaphod + '\n'):
fail('zaphod not chosen as default initiator cred for server in r1')
-output = r2.run_as_client(['./t_ccselect', host2, '-'])
+output = r2.run(['./t_ccselect', host2, '-'])
if output != (zaphod + '\n'):
fail('zaphod not chosen as default initiator name for server in r1')
# Check that primary cache is used if server realm is unknown.
-output = r2.run_as_client(['./t_ccselect', gssserver])
+output = r2.run(['./t_ccselect', gssserver])
if output != (zaphod + '\n'):
fail('zaphod not chosen via primary cache for unknown server realm')
-r1.run_as_client(['./t_ccselect', gssserver], expected_code=1)
+r1.run(['./t_ccselect', gssserver], expected_code=1)
# Get a second cred in r1 (bob will be primary).
r1.kinit(bob, password('bob'))
@@ -113,17 +107,16 @@ k5id.write('%s realm=%s\n' % (alice, r1.realm))
k5id.write('%s service=ho*t host=%s\n' % (zaphod, hostname))
k5id.write('noprinc service=bogus')
k5id.close()
-output = r1.run_as_client(['./t_ccselect', host1])
+output = r1.run(['./t_ccselect', host1])
if output != (alice + '\n'):
fail('alice not chosen via .k5identity realm line.')
-output = r2.run_as_client(['./t_ccselect', gssserver])
+output = r2.run(['./t_ccselect', gssserver])
if output != (zaphod + '\n'):
fail('zaphod not chosen via .k5identity service/host line.')
-output = r1.run_as_client(['./t_ccselect', refserver])
+output = r1.run(['./t_ccselect', refserver])
if output != (bob + '\n'):
fail('bob not chosen via primary cache when no .k5identity line matches.')
-output = r1.run_as_client(['./t_ccselect', 'h:bogus@' + hostname],
- expected_code=1)
+output = r1.run(['./t_ccselect', 'h:bogus@' + hostname], expected_code=1)
if 'Can\'t find client principal noprinc' not in output:
fail('Expected error not seen when k5identity selects bad principal.')
diff --git a/src/tests/gssapi/t_client_keytab.py b/src/tests/gssapi/t_client_keytab.py
index 71566a5..484aacd 100644
--- a/src/tests/gssapi/t_client_keytab.py
+++ b/src/tests/gssapi/t_client_keytab.py
@@ -9,126 +9,126 @@ phost = 'p:' + realm.host_princ
puser = 'p:' + realm.user_princ
pbob = 'p:' + bob
gssserver = 'h:host@' + hostname
-realm.env_client['HOME'] = realm.testdir
+realm.env['HOME'] = realm.testdir
realm.addprinc(bob, password('bob'))
realm.extract_keytab(realm.user_princ, realm.client_keytab)
realm.extract_keytab(bob, realm.client_keytab)
# Test 1: no name/cache specified, pick first principal from client keytab
-out = realm.run_as_client(['./t_ccselect', phost])
+out = realm.run(['./t_ccselect', phost])
if realm.user_princ not in out:
fail('Authenticated as wrong principal')
-realm.run_as_client([kdestroy])
+realm.run([kdestroy])
# Test 2: no name/cache specified, pick principal from k5identity
k5idname = os.path.join(realm.testdir, '.k5identity')
k5id = open(k5idname, 'w')
k5id.write('%s service=host host=%s\n' % (bob, hostname))
k5id.close()
-out = realm.run_as_client(['./t_ccselect', gssserver])
+out = realm.run(['./t_ccselect', gssserver])
if bob not in out:
fail('Authenticated as wrong principal')
os.remove(k5idname)
-realm.run_as_client([kdestroy])
+realm.run([kdestroy])
# Test 3: no name/cache specified, default ccache has name but no creds
-realm.run_as_client(['./ccinit', realm.ccache, bob])
-out = realm.run_as_client(['./t_ccselect', phost])
+realm.run(['./ccinit', realm.ccache, bob])
+out = realm.run(['./t_ccselect', phost])
if bob not in out:
fail('Authenticated as wrong principal')
# Leave tickets for next test.
# Test 4: name specified, non-collectable default cache doesn't match
-out = realm.run_as_client(['./t_ccselect', phost, puser], expected_code=1)
+out = realm.run(['./t_ccselect', phost, puser], expected_code=1)
if 'Principal in credential cache does not match desired name' not in out:
fail('Expected error not seen')
-realm.run_as_client([kdestroy])
+realm.run([kdestroy])
# Test 5: name specified, nonexistent default cache
-out = realm.run_as_client(['./t_ccselect', phost, pbob])
+out = realm.run(['./t_ccselect', phost, pbob])
if bob not in out:
fail('Authenticated as wrong principal')
# Leave tickets for next test.
# Test 6: name specified, matches default cache, time to refresh
-realm.run_as_client(['./ccrefresh', realm.ccache, '1'])
-out = realm.run_as_client(['./t_ccselect', phost, pbob])
+realm.run(['./ccrefresh', realm.ccache, '1'])
+out = realm.run(['./t_ccselect', phost, pbob])
if bob not in out:
fail('Authenticated as wrong principal')
-out = realm.run_as_client(['./ccrefresh', realm.ccache])
+out = realm.run(['./ccrefresh', realm.ccache])
if int(out) < 1000:
fail('Credentials apparently not refreshed')
-realm.run_as_client([kdestroy])
+realm.run([kdestroy])
# Test 7: empty ccache specified, pick first principal from client keytab
-realm.run_as_client(['./t_imp_cred', phost])
+realm.run(['./t_imp_cred', phost])
realm.klist(realm.user_princ)
-realm.run_as_client([kdestroy])
+realm.run([kdestroy])
# Test 8: ccache specified with name but no creds; name not in client keytab
-realm.run_as_client(['./ccinit', realm.ccache, realm.host_princ])
-out = realm.run_as_client(['./t_imp_cred', phost], expected_code=1)
+realm.run(['./ccinit', realm.ccache, realm.host_princ])
+out = realm.run(['./t_imp_cred', phost], expected_code=1)
if 'Credential cache is empty' not in out:
fail('Expected error not seen')
-realm.run_as_client([kdestroy])
+realm.run([kdestroy])
# Test 9: ccache specified with name but no creds; name in client keytab
-realm.run_as_client(['./ccinit', realm.ccache, bob])
-realm.run_as_client(['./t_imp_cred', phost])
+realm.run(['./ccinit', realm.ccache, bob])
+realm.run(['./t_imp_cred', phost])
realm.klist(bob)
# Leave tickets for next test.
# Test 10: ccache specified with creds, time to refresh
-realm.run_as_client(['./ccrefresh', realm.ccache, '1'])
-realm.run_as_client(['./t_imp_cred', phost])
+realm.run(['./ccrefresh', realm.ccache, '1'])
+realm.run(['./t_imp_cred', phost])
realm.klist(bob)
-out = realm.run_as_client(['./ccrefresh', realm.ccache])
+out = realm.run(['./ccrefresh', realm.ccache])
if int(out) < 1000:
fail('Credentials apparently not refreshed')
-realm.run_as_client([kdestroy])
+realm.run([kdestroy])
# Use a cache collection for the remaining tests.
ccdir = os.path.join(realm.testdir, 'cc')
ccname = 'DIR:' + ccdir
os.mkdir(ccdir)
-realm.env_client['KRB5CCNAME'] = ccname
+realm.env['KRB5CCNAME'] = ccname
# Test 11: name specified, matching cache in collection with no creds
bobcache = os.path.join(ccdir, 'tktbob')
-realm.run_as_client(['./ccinit', bobcache, bob])
-out = realm.run_as_client(['./t_ccselect', phost, pbob])
+realm.run(['./ccinit', bobcache, bob])
+out = realm.run(['./t_ccselect', phost, pbob])
if bob not in out:
fail('Authenticated as wrong principal')
# Leave tickets for next test.
# Test 12: name specified, matching cache in collection, time to refresh
-realm.run_as_client(['./ccrefresh', bobcache, '1'])
-out = realm.run_as_client(['./t_ccselect', phost, pbob])
+realm.run(['./ccrefresh', bobcache, '1'])
+out = realm.run(['./t_ccselect', phost, pbob])
if bob not in out:
fail('Authenticated as wrong principal')
-out = realm.run_as_client(['./ccrefresh', bobcache])
+out = realm.run(['./ccrefresh', bobcache])
if int(out) < 1000:
fail('Credentials apparently not refreshed')
-realm.run_as_client([kdestroy, '-A'])
+realm.run([kdestroy, '-A'])
# Test 13: name specified, collection has default for different principal
realm.kinit(realm.user_princ, password('user'))
-out = realm.run_as_client(['./t_ccselect', phost, pbob])
+out = realm.run(['./t_ccselect', phost, pbob])
if bob not in out:
fail('Authenticated as wrong principal')
-out = realm.run_as_client([klist])
+out = realm.run([klist])
if 'Default principal: %s\n' % realm.user_princ not in out:
fail('Default cache overwritten by acquire_cred')
-realm.run_as_client([kdestroy, '-A'])
+realm.run([kdestroy, '-A'])
# Test 14: name specified, collection has no default cache
-out = realm.run_as_client(['./t_ccselect', phost, pbob])
+out = realm.run(['./t_ccselect', phost, pbob])
if bob not in out:
fail('Authenticated as wrong principal')
# Make sure the tickets we acquired didn't become the default
-out = realm.run_as_client([klist], expected_code=1)
+out = realm.run([klist], expected_code=1)
if 'No credentials cache found' not in out:
fail('Expected error not seen')
-realm.run_as_client([kdestroy, '-A'])
+realm.run([kdestroy, '-A'])
success('Client keytab tests')
diff --git a/src/tests/gssapi/t_export_cred.py b/src/tests/gssapi/t_export_cred.py
index 3f7b657..53dd13c 100644
--- a/src/tests/gssapi/t_export_cred.py
+++ b/src/tests/gssapi/t_export_cred.py
@@ -19,8 +19,8 @@ def ccache_restore(realm):
# forwarded cred into the default ccache.
def check(realm, args):
ccache_restore(realm)
- realm.run_as_client(['./t_export_cred'] + args)
- output = realm.run_as_client([klist, '-f'])
+ realm.run(['./t_export_cred'] + args)
+ output = realm.run([klist, '-f'])
if 'Flags: Ff' not in output:
fail('Forwarded tickets not found in ccache after t_export_cred')
diff --git a/src/tests/gssapi/t_gssapi.py b/src/tests/gssapi/t_gssapi.py
index e453b71..5f1d5d1 100755
--- a/src/tests/gssapi/t_gssapi.py
+++ b/src/tests/gssapi/t_gssapi.py
@@ -3,7 +3,7 @@ from k5test import *
# Test krb5 negotiation under SPNEGO for all enctype configurations.
for realm in multipass_realms():
- realm.run_as_client(['./t_spnego','p:' + realm.host_princ, realm.keytab])
+ realm.run(['./t_spnego','p:' + realm.host_princ, realm.keytab])
### Test acceptor name behavior.
@@ -24,79 +24,75 @@ realm.run_kadminl('renprinc -force service1/abraham service1/andrew')
# Test with no acceptor name, including client/keytab principal
# mismatch (non-fatal) and missing keytab entry (fatal).
-output = realm.run_as_client(['./t_accname', 'p:service1/andrew'])
+output = realm.run(['./t_accname', 'p:service1/andrew'])
if 'service1/abraham' not in output:
fail('Expected service1/abraham in t_accname output')
-output = realm.run_as_client(['./t_accname', 'p:service1/barack'])
+output = realm.run(['./t_accname', 'p:service1/barack'])
if 'service1/barack' not in output:
fail('Expected service1/barack in t_accname output')
-output = realm.run_as_client(['./t_accname', 'p:service2/calvin'])
+output = realm.run(['./t_accname', 'p:service2/calvin'])
if 'service2/calvin' not in output:
fail('Expected service1/barack in t_accname output')
-output = realm.run_as_client(['./t_accname', 'p:service2/dwight'],
- expected_code=1)
+output = realm.run(['./t_accname', 'p:service2/dwight'], expected_code=1)
if 'Wrong principal in request' not in output:
fail('Expected error message not seen in t_accname output')
# Test with acceptor name containing service only, including
# client/keytab hostname mismatch (non-fatal) and service name
# mismatch (fatal).
-output = realm.run_as_client(['./t_accname', 'p:service1/andrew',
- 'h:service1'])
+output = realm.run(['./t_accname', 'p:service1/andrew', 'h:service1'])
if 'service1/abraham' not in output:
fail('Expected service1/abraham in t_accname output')
-output = realm.run_as_client(['./t_accname', 'p:service1/andrew',
- 'h:service2'], expected_code=1)
+output = realm.run(['./t_accname', 'p:service1/andrew', 'h:service2'],
+ expected_code=1)
if 'Wrong principal in request' not in output:
fail('Expected error message not seen in t_accname output')
-output = realm.run_as_client(['./t_accname', 'p:service2/calvin',
- 'h:service2'])
+output = realm.run(['./t_accname', 'p:service2/calvin', 'h:service2'])
if 'service2/calvin' not in output:
fail('Expected service2/calvin in t_accname output')
-output = realm.run_as_client(['./t_accname', 'p:service2/calvin',
- 'h:service1'], expected_code=1)
+output = realm.run(['./t_accname', 'p:service2/calvin', 'h:service1'],
+ expected_code=1)
if 'Wrong principal in request' not in output:
fail('Expected error message not seen in t_accname output')
# Test with acceptor name containing service and host. Use the
# client's un-canonicalized hostname as acceptor input to mirror what
# many servers do.
-output = realm.run_as_client(['./t_accname', 'p:' + realm.host_princ,
- 'h:host@%s' % socket.gethostname()])
+output = realm.run(['./t_accname', 'p:' + realm.host_princ,
+ 'h:host@%s' % socket.gethostname()])
if realm.host_princ not in output:
fail('Expected %s in t_accname output' % realm.host_princ)
-output = realm.run_as_client(['./t_accname', 'p:host/-nomatch-',
- 'h:host@%s' % socket.gethostname()],
- expected_code=1)
+output = realm.run(['./t_accname', 'p:host/-nomatch-',
+ 'h:host@%s' % socket.gethostname()],
+ expected_code=1)
if 'Wrong principal in request' not in output:
fail('Expected error message not seen in t_accname output')
# Test krb5_gss_import_cred.
-realm.run_as_client(['./t_imp_cred', 'p:service1/barack'])
-realm.run_as_client(['./t_imp_cred', 'p:service1/barack', 'service1/barack'])
-realm.run_as_client(['./t_imp_cred', 'p:service1/andrew', 'service1/abraham'])
-output = realm.run_as_client(['./t_imp_cred', 'p:service2/dwight'],
- expected_code=1)
+realm.run(['./t_imp_cred', 'p:service1/barack'])
+realm.run(['./t_imp_cred', 'p:service1/barack', 'service1/barack'])
+realm.run(['./t_imp_cred', 'p:service1/andrew', 'service1/abraham'])
+output = realm.run(['./t_imp_cred', 'p:service2/dwight'], expected_code=1)
if 'Wrong principal in request' not in output:
fail('Expected error message not seen in t_imp_cred output')
# Test credential store extension.
tmpccname = 'FILE:' + os.path.join(realm.testdir, 'def_cache')
-realm.env_client['KRB5CCNAME'] = tmpccname
+realm.env['KRB5CCNAME'] = tmpccname
storagecache = 'FILE:' + os.path.join(realm.testdir, 'user_store')
servicekeytab = os.path.join(realm.testdir, 'kt')
service_cs = 'service/cs@%s' % realm.realm
realm.addprinc(service_cs)
realm.extract_keytab(service_cs, servicekeytab)
realm.kinit(service_cs, None, ['-k', '-t', servicekeytab])
-output = realm.run_as_client(['./t_credstore', service_cs, '--cred_store',
- 'ccache', storagecache, 'keytab', servicekeytab])
+output = realm.run(['./t_credstore', service_cs, '--cred_store',
+ 'ccache', storagecache, 'keytab', servicekeytab])
if 'Cred Store Success' not in output:
fail('Expected test to succeed')
# Verify that we can't acquire acceptor creds without a keytab.
os.remove(realm.keytab)
-output = realm.run_as_client(['./t_accname', 'p:abc'], expected_code=1)
+output = realm.run(['./t_accname', 'p:abc'], expected_code=1)
if ('gss_acquire_cred: Keytab' not in output or
'nonexistent or empty' not in output):
fail('Expected error message not seen for nonexistent keytab')
@@ -105,13 +101,12 @@ realm.stop()
# Re-run the last acceptor name test with ignore_acceptor_hostname set
# and the principal for the mismatching hostname in the keytab.
-ignore_conf = { 'all' : { 'libdefaults' : {
- 'ignore_acceptor_hostname' : 'true' } } }
+ignore_conf = {'libdefaults': {'ignore_acceptor_hostname': 'true'}}
realm = K5Realm(krb5_conf=ignore_conf)
realm.run_kadminl('addprinc -randkey host/-nomatch-')
realm.run_kadminl('xst host/-nomatch-')
-output = realm.run_as_client(['./t_accname', 'p:host/-nomatch-',
- 'h:host@%s' % socket.gethostname()])
+output = realm.run(['./t_accname', 'p:host/-nomatch-',
+ 'h:host@%s' % socket.gethostname()])
if 'host/-nomatch-' not in output:
fail('Expected host/-nomatch- in t_accname output')
@@ -122,31 +117,31 @@ realm.stop()
realm = K5Realm()
# Test deferred resolution of the default ccache for initiator creds.
-output = realm.run_as_client(['./t_inq_cred'])
+output = realm.run(['./t_inq_cred'])
if realm.user_princ not in output:
fail('Expected %s in t_inq_cred output' % realm.user_princ)
-output = realm.run_as_client(['./t_inq_cred', '-k'])
+output = realm.run(['./t_inq_cred', '-k'])
if realm.user_princ not in output:
fail('Expected %s in t_inq_cred output' % realm.user_princ)
-output = realm.run_as_client(['./t_inq_cred', '-s'])
+output = realm.run(['./t_inq_cred', '-s'])
if realm.user_princ not in output:
fail('Expected %s in t_inq_cred output' % realm.user_princ)
# Test picking a name from the keytab for acceptor creds.
-output = realm.run_as_client(['./t_inq_cred', '-a'])
+output = realm.run(['./t_inq_cred', '-a'])
if realm.host_princ not in output:
fail('Expected %s in t_inq_cred output' % realm.host_princ)
-output = realm.run_as_client(['./t_inq_cred', '-k', '-a'])
+output = realm.run(['./t_inq_cred', '-k', '-a'])
if realm.host_princ not in output:
fail('Expected %s in t_inq_cred output' % realm.host_princ)
-output = realm.run_as_client(['./t_inq_cred', '-s', '-a'])
+output = realm.run(['./t_inq_cred', '-s', '-a'])
if realm.host_princ not in output:
fail('Expected %s in t_inq_cred output' % realm.host_princ)
# Test client keytab initiation (non-deferred) with a specified name.
realm.extract_keytab(realm.user_princ, realm.client_keytab)
os.remove(realm.ccache)
-output = realm.run_as_client(['./t_inq_cred', '-k'])
+output = realm.run(['./t_inq_cred', '-k'])
if realm.user_princ not in output:
fail('Expected %s in t_inq_cred output' % realm.user_princ)
@@ -154,34 +149,34 @@ if realm.user_princ not in output:
os.remove(realm.client_keytab)
os.remove(realm.ccache)
shutil.copyfile(realm.keytab, realm.client_keytab)
-output = realm.run_as_client(['./t_inq_cred', '-k', '-b'])
+output = realm.run(['./t_inq_cred', '-k', '-b'])
if realm.host_princ not in output:
fail('Expected %s in t_inq_cred output' % realm.host_princ)
# Test gss_export_name behavior.
-out = realm.run_as_client(['./t_export_name', 'u:x'])
+out = realm.run(['./t_export_name', 'u:x'])
if out != '0401000B06092A864886F7120102020000000D78404B5242544553542E434F4D\n':
fail('Unexpected output from t_export_name (krb5 username)')
-output = realm.run_as_client(['./t_export_name', '-s', 'u:xyz'])
+output = realm.run(['./t_export_name', '-s', 'u:xyz'])
if output != '0401000806062B06010505020000000378797A\n':
fail('Unexpected output from t_export_name (SPNEGO username)')
-output = realm.run_as_client(['./t_export_name', 'p:a at b'])
+output = realm.run(['./t_export_name', 'p:a at b'])
if output != '0401000B06092A864886F71201020200000003614062\n':
fail('Unexpected output from t_export_name (krb5 principal)')
-output = realm.run_as_client(['./t_export_name', '-s', 'p:a at b'])
+output = realm.run(['./t_export_name', '-s', 'p:a at b'])
if output != '0401000806062B060105050200000003614062\n':
fail('Unexpected output from t_export_name (SPNEGO krb5 principal)')
# Test gss_inquire_mechs_for_name behavior.
krb5_mech = '{ 1 2 840 113554 1 2 2 }'
spnego_mech = '{ 1 3 6 1 5 5 2 }'
-out = realm.run_as_client(['./t_inq_mechs_name', 'p:a at b'])
+out = realm.run(['./t_inq_mechs_name', 'p:a at b'])
if krb5_mech not in out:
fail('t_inq_mechs_name (principal)')
-out = realm.run_as_client(['./t_inq_mechs_name', 'u:x'])
+out = realm.run(['./t_inq_mechs_name', 'u:x'])
if krb5_mech not in out or spnego_mech not in out:
fail('t_inq_mecs_name (user)')
-out = realm.run_as_client(['./t_inq_mechs_name', 'h:host'])
+out = realm.run(['./t_inq_mechs_name', 'h:host'])
if krb5_mech not in out or spnego_mech not in out:
fail('t_inq_mecs_name (hostbased)')
diff --git a/src/tests/gssapi/t_s4u.py b/src/tests/gssapi/t_s4u.py
index cd67591..67dc810 100644
--- a/src/tests/gssapi/t_s4u.py
+++ b/src/tests/gssapi/t_s4u.py
@@ -24,17 +24,17 @@ realm.kinit(service1, None, ['-f', '-k'])
# at the S4U2Proxy step since the DB2 back end currently has no
# support for allowing it.
realm.kinit(realm.user_princ, password('user'), ['-f', '-c', usercache])
-output = realm.run_as_server(['./t_s4u2proxy_krb5', usercache, storagecache,
- '-', pservice1, pservice2], expected_code=1)
+output = realm.run(['./t_s4u2proxy_krb5', usercache, storagecache, '-',
+ pservice1, pservice2], expected_code=1)
if ('auth1: ' + realm.user_princ not in output or
'NOT_ALLOWED_TO_DELEGATE' not in output):
fail('krb5 -> s4u2proxy')
# Again with SPNEGO. Bug #7045 prevents us from checking the error
# message, but we can at least exercise the code.
-output = realm.run_as_server(['./t_s4u2proxy_krb5', '--spnego', usercache,
- storagecache, '-', pservice1, pservice2],
- expected_code=1)
+output = realm.run(['./t_s4u2proxy_krb5', '--spnego', usercache, storagecache,
+ '-', pservice1, pservice2],
+ expected_code=1)
if ('auth1: ' + realm.user_princ not in output):
fail('krb5 -> s4u2proxy (SPNEGO)')
@@ -42,18 +42,18 @@ if ('auth1: ' + realm.user_princ not in output):
# result in no delegated credential being created by
# accept_sec_context.
realm.kinit(realm.user_princ, password('user'), ['-c', usercache])
-output = realm.run_as_server(['./t_s4u2proxy_krb5', usercache, storagecache,
- pservice1, pservice1, pservice2])
+output = realm.run(['./t_s4u2proxy_krb5', usercache, storagecache, pservice1,
+ pservice1, pservice2])
if 'no credential delegated' not in output:
fail('krb5 -> no delegated cred')
# Try S4U2Self. Ask for an S4U2Proxy step; this won't happen because
# service/1 isn't allowed to get a forwardable S4U2Self ticket.
-output = realm.run_as_server(['./t_s4u', puser, pservice2])
+output = realm.run(['./t_s4u', puser, pservice2])
if ('Warning: no delegated cred handle' not in output or
'Source name:\t' + realm.user_princ not in output):
fail('s4u2self')
-output = realm.run_as_server(['./t_s4u', '--spnego', puser, pservice2])
+output = realm.run(['./t_s4u', '--spnego', puser, pservice2])
if ('Warning: no delegated cred handle' not in output or
'Source name:\t' + realm.user_princ not in output):
fail('s4u2self (SPNEGO)')
@@ -61,7 +61,7 @@ if ('Warning: no delegated cred handle' not in output or
# Correct that problem and try again. As above, the S4U2Proxy step
# won't actually succeed since we don't support that in DB2.
realm.run_kadminl('modprinc +ok_to_auth_as_delegate ' + service1)
-output = realm.run_as_server(['./t_s4u', puser, pservice2], expected_code=1)
+output = realm.run(['./t_s4u', puser, pservice2], expected_code=1)
if 'NOT_ALLOWED_TO_DELEGATE' not in output:
fail('s4u2self')
@@ -70,8 +70,7 @@ if 'NOT_ALLOWED_TO_DELEGATE' not in output:
# a krb5 cred, not a SPNEGO cred, and t_s4u uses the delegated cred
# directly rather than saving and reacquiring it) so bug #7045 does
# not apply and we can verify the error message.
-output = realm.run_as_server(['./t_s4u', '--spnego', puser, pservice2],
- expected_code=1)
+output = realm.run(['./t_s4u', '--spnego', puser, pservice2], expected_code=1)
if 'NOT_ALLOWED_TO_DELEGATE' not in output:
fail('s4u2self')
diff --git a/src/tests/t_allowed_keysalts.py b/src/tests/t_allowed_keysalts.py
index 8c76335..e7b7833 100644
--- a/src/tests/t_allowed_keysalts.py
+++ b/src/tests/t_allowed_keysalts.py
@@ -2,8 +2,7 @@
from k5test import *
import re
-krb5_conf1 = {'all': {'libdefaults': {
- 'supported_enctypes': 'aes256-cts'}}}
+krb5_conf1 = {'libdefaults': {'supported_enctypes': 'aes256-cts'}}
realm = K5Realm(krb5_conf=krb5_conf1, create_host=False, get_creds=False)
diff --git a/src/tests/t_anonpkinit.py b/src/tests/t_anonpkinit.py
index 7ae955d..03b2fdd 100644
--- a/src/tests/t_anonpkinit.py
+++ b/src/tests/t_anonpkinit.py
@@ -12,29 +12,22 @@ ca_pem = os.path.join(certs, 'ca.pem')
kdc_pem = os.path.join(certs, 'kdc.pem')
privkey_pem = os.path.join(certs, 'privkey.pem')
pkinit_krb5_conf = {
- 'all' : {
- 'libdefaults' : {
- 'pkinit_anchors' : 'FILE:' + ca_pem
- },
- 'realms' : {
- '$realm' : {
- 'pkinit_anchors' : 'FILE:%s' % ca_pem,
- 'pkinit_identity' : 'FILE:%s,%s' % (kdc_pem, privkey_pem),
- }
- }
- }
-}
+ 'libdefaults': {
+ 'pkinit_anchors': 'FILE:' + ca_pem},
+ 'realms': {'$realm': {
+ 'pkinit_anchors': 'FILE:%s' % ca_pem,
+ 'pkinit_identity': 'FILE:%s,%s' % (kdc_pem, privkey_pem)}}}
restrictive_kdc_conf = {
- 'all': { 'realms' : { '$realm' : {
- 'restrict_anonymous_to_tgt' : 'true' } } } }
+ 'realms': {'$realm' : {
+ 'restrict_anonymous_to_tgt': 'true' }}}
# In the basic test, anonymous is not restricted, so kvno should succeed.
realm = K5Realm(krb5_conf=pkinit_krb5_conf, create_user=False)
realm.addprinc('WELLKNOWN/ANONYMOUS')
realm.kinit('@%s' % realm.realm, flags=['-n'])
realm.klist('WELLKNOWN/ANONYMOUS at WELLKNOWN:ANONYMOUS')
-realm.run_as_client([kvno, realm.host_princ])
+realm.run([kvno, realm.host_princ])
realm.stop()
# Now try again with anonymous restricted; kvno should fail.
@@ -44,6 +37,6 @@ realm.addprinc('WELLKNOWN/ANONYMOUS')
realm.kinit('@%s' % realm.realm, flags=['-n'])
# now try FAST
realm.kinit('@%s' % realm.realm, flags=['-n', '-T', realm.ccache])
-realm.run_as_client([kvno, realm.host_princ], expected_code=1)
+realm.run([kvno, realm.host_princ], expected_code=1)
success('Anonymous PKINIT')
diff --git a/src/tests/t_ccache.py b/src/tests/t_ccache.py
index e85d009..a761d48 100644
--- a/src/tests/t_ccache.py
+++ b/src/tests/t_ccache.py
@@ -26,66 +26,65 @@ from k5test import *
realm = K5Realm(create_host=False)
# Test kdestroy and klist of a non-existent ccache.
-realm.run_as_client([kdestroy])
-output = realm.run_as_client([klist], expected_code=1)
+realm.run([kdestroy])
+output = realm.run([klist], expected_code=1)
if 'No credentials cache found' not in output:
fail('Expected error message not seen in klist output')
# Make a directory collection and use it for client commands.
ccname = 'DIR:' + os.path.join(realm.testdir, 'cc')
-realm.env_client['KRB5CCNAME'] = ccname
+realm.env['KRB5CCNAME'] = ccname
realm.addprinc('alice', password('alice'))
realm.addprinc('bob', password('bob'))
realm.addprinc('carol', password('carol'))
realm.kinit('alice', password('alice'))
-output = realm.run_as_client([klist])
+output = realm.run([klist])
if 'Default principal: alice@' not in output:
fail('Initial kinit failed to get credentials for alice.')
-realm.run_as_client([kdestroy])
-output = realm.run_as_client([klist], expected_code=1)
+realm.run([kdestroy])
+output = realm.run([klist], expected_code=1)
if 'No credentials cache found' not in output:
fail('Initial kdestroy failed to destroy primary cache.')
-output = realm.run_as_client([klist, '-l'], expected_code=1)
+output = realm.run([klist, '-l'], expected_code=1)
if not output.endswith('---\n') or output.count('\n') != 2:
fail('Initial kdestroy failed to empty cache collection.')
realm.kinit('alice', password('alice'))
realm.kinit('carol', password('carol'))
-output = realm.run_as_client([klist, '-l'])
+output = realm.run([klist, '-l'])
if '---\ncarol@' not in output or '\nalice@' not in output:
fail('klist -l did not show expected output after two kinits.')
realm.kinit('alice', password('alice'))
-output = realm.run_as_client([klist, '-l'])
+output = realm.run([klist, '-l'])
if '---\nalice@' not in output or output.count('\n') != 4:
fail('klist -l did not show expected output after re-kinit for alice.')
realm.kinit('bob', password('bob'))
-output = realm.run_as_client([klist, '-A'])
+output = realm.run([klist, '-A'])
if 'bob@' not in output.splitlines()[1] or 'alice@' not in output or \
'carol' not in output or output.count('Default principal:') != 3:
fail('klist -A did not show expected output after kinit for bob.')
-realm.run_as_client([kswitch, '-p', 'carol'])
-output = realm.run_as_client([klist, '-l'])
+realm.run([kswitch, '-p', 'carol'])
+output = realm.run([klist, '-l'])
if '---\ncarol@' not in output or output.count('\n') != 5:
fail('klist -l did not show expected output after kswitch to carol.')
-realm.run_as_client([kdestroy])
-output = realm.run_as_client([klist, '-l'])
+realm.run([kdestroy])
+output = realm.run([klist, '-l'])
if 'carol@' in output or 'bob@' not in output or output.count('\n') != 4:
fail('kdestroy failed to remove only primary ccache.')
-realm.run_as_client([kdestroy, '-A'])
-output = realm.run_as_client([klist, '-l'], expected_code=1)
+realm.run([kdestroy, '-A'])
+output = realm.run([klist, '-l'], expected_code=1)
if not output.endswith('---\n') or output.count('\n') != 2:
fail('kdestroy -a failed to empty cache collection.')
# Test parameter expansion in default_ccache_name
realm.stop()
-conf = {'client': {'libdefaults': {
- 'default_ccache_name': 'testdir/%{null}abc%{uid}'}}}
+conf = {'libdefaults': {'default_ccache_name': 'testdir/%{null}abc%{uid}'}}
realm = K5Realm(krb5_conf=conf, create_kdb=False)
-del realm.env_client['KRB5CCNAME']
+del realm.env['KRB5CCNAME']
uidstr = str(os.getuid())
-out = realm.run_as_client([klist], expected_code=1)
+out = realm.run([klist], expected_code=1)
if 'FILE:testdir/abc%s' % uidstr not in out:
fail('Wrong ccache in klist')
diff --git a/src/tests/t_crossrealm.py b/src/tests/t_crossrealm.py
index c0c3ccb..0d967b8 100644
--- a/src/tests/t_crossrealm.py
+++ b/src/tests/t_crossrealm.py
@@ -24,8 +24,8 @@
from k5test import *
-def test_kvno(r, princ, test):
- output = r.run_as_client([kvno, princ])
+def test_kvno(r, princ, test, env=None):
+ output = r.run([kvno, princ], env=env)
if princ not in output:
fail('%s: principal %s not in kvno output' % (test, princ))
@@ -58,26 +58,23 @@ stop(r1, r2, r3)
# transited checks, including a capaths for A->C.
capaths = {'capaths': {'A': {'D': ['B', 'C'], 'C': 'B'}}}
r1, r2, r3, r4 = cross_realms(4, xtgts=((0,1), (1,2), (2,3)),
- args=({'realm': 'A',
- 'krb5_conf': {'client': capaths}},
+ args=({'realm': 'A'},
{'realm': 'B'},
- {'realm': 'C',
- 'krb5_conf': {'master': capaths}},
- {'realm': 'D',
- 'krb5_conf': {'master': capaths}}))
-test_kvno(r1, r4.host_princ, 'client capaths')
+ {'realm': 'C', 'krb5_conf': capaths},
+ {'realm': 'D', 'krb5_conf': capaths}))
+r1client = r1.special_env('client', False, krb5_conf=capaths)
+test_kvno(r1, r4.host_princ, 'client capaths', r1client)
stop(r1, r2, r3, r4)
# Test KDC capaths. The KDCs for A and B have appropriate capaths
# settings to determine intermediate TGTs to return, but the client
# has no idea.
capaths = {'capaths': {'A': {'D': ['B', 'C'], 'C': 'B'}, 'B': {'D': 'C'}}}
-conf = {'master': capaths}
r1, r2, r3, r4 = cross_realms(4, xtgts=((0,1), (1,2), (2,3)),
- args=({'realm': 'A', 'krb5_conf': conf},
- {'realm': 'B', 'krb5_conf': conf},
- {'realm': 'C', 'krb5_conf': conf},
- {'realm': 'D', 'krb5_conf': conf}))
+ args=({'realm': 'A', 'krb5_conf': capaths},
+ {'realm': 'B', 'krb5_conf': capaths},
+ {'realm': 'C', 'krb5_conf': capaths},
+ {'realm': 'D', 'krb5_conf': capaths}))
test_kvno(r1, r4.host_princ, 'KDC capaths')
stop(r1, r2, r3, r4)
@@ -86,10 +83,9 @@ stop(r1, r2, r3, r4)
# ticket.
capaths = {'capaths': {'A': {'C': 'B'}}}
r1, r2, r3 = cross_realms(3, xtgts=((0,1), (1,2)),
- args=({'realm': 'A',
- 'krb5_conf': {'client': capaths}},
+ args=({'realm': 'A', 'krb5_conf': capaths},
{'realm': 'B'}, {'realm': 'C'}))
-output = r1.run_as_client([kvno, r3.host_princ], expected_code=1)
+output = r1.run([kvno, r3.host_princ], expected_code=1)
if 'KDC policy rejects request' not in output:
fail('transited 1: Expected error message not in output')
stop(r1, r2, r3)
@@ -98,13 +94,12 @@ stop(r1, r2, r3)
# recognize B as an intermediate realm for A->C, so it refuses to
# verify the krbtgt/C at B ticket in the TGS AP-REQ.
capaths = {'capaths': {'A': {'D': ['B', 'C'], 'C': 'B'}, 'B': {'D': 'C'}}}
-conf = {'master': capaths}
r1, r2, r3, r4 = cross_realms(4, xtgts=((0,1), (1,2), (2,3)),
- args=({'realm': 'A', 'krb5_conf': conf},
- {'realm': 'B', 'krb5_conf': conf},
- {'realm': 'C', 'krb5_conf': conf},
+ args=({'realm': 'A', 'krb5_conf': capaths},
+ {'realm': 'B', 'krb5_conf': capaths},
+ {'realm': 'C', 'krb5_conf': capaths},
{'realm': 'D'}))
-output = r1.run_as_client([kvno, r4.host_princ], expected_code=1)
+output = r1.run([kvno, r4.host_princ], expected_code=1)
if 'Illegal cross-realm ticket' not in output:
fail('transited 2: Expected error message not in output')
stop(r1, r2, r3, r4)
diff --git a/src/tests/t_general.py b/src/tests/t_general.py
index 77246d5..1ba95dc 100755
--- a/src/tests/t_general.py
+++ b/src/tests/t_general.py
@@ -3,8 +3,8 @@ from k5test import *
for realm in multipass_realms(create_host=False):
# Check that kinit fails appropriately with the wrong password.
- output = realm.run_as_client([kinit, realm.user_princ], input='wrong\n',
- expected_code=1)
+ output = realm.run([kinit, realm.user_princ], input='wrong\n',
+ expected_code=1)
if 'Password incorrect while getting initial credentials' not in output:
fail('Expected error message not seen in kinit output')
@@ -20,29 +20,29 @@ for realm in multipass_realms(create_host=False):
realm.klist('user/fast@%s' % realm.realm)
# Test kinit against kdb keytab
- realm.run_as_master([kinit, "-k", "-t", "KDB:", realm.user_princ])
+ realm.run([kinit, "-k", "-t", "KDB:", realm.user_princ])
realm = K5Realm(create_host=False)
# Create a policy and see if it survives a dump/load.
realm.run_kadminl('addpol fred')
dumpfile = os.path.join(realm.testdir, 'dump')
-realm.run_as_master([kdb5_util, 'dump', dumpfile])
+realm.run([kdb5_util, 'dump', dumpfile])
f = open('testdir/dump', 'a')
f.write('policy barney 0 0 1 1 1 0 '
'0 0 0 0 0 0 - 1 '
'2 28 '
'fd100f5064625f6372656174696f6e404b5242544553542e434f4d00')
f.close()
-realm.run_as_master([kdb5_util, 'load', dumpfile])
+realm.run([kdb5_util, 'load', dumpfile])
output = realm.run_kadminl('getpols')
if 'fred\n' not in output:
fail('Policy not preserved across dump/load.')
if 'barney\n' not in output:
fail('Policy not loaded.')
-realm.run_as_master([kdb5_util, 'dump', dumpfile])
-realm.run_as_master([kdb5_util, 'load', dumpfile])
+realm.run([kdb5_util, 'dump', dumpfile])
+realm.run([kdb5_util, 'load', dumpfile])
output = realm.run_kadminl('getpols')
if 'fred\n' not in output:
fail('Policy not preserved across dump/load.')
@@ -51,8 +51,8 @@ if 'barney\n' not in output:
# Spot-check KRB5_TRACE output
tracefile = os.path.join(realm.testdir, 'trace')
-realm.run_as_client(['env', 'KRB5_TRACE=' + tracefile, kinit,
- realm.user_princ], input=(password('user') + "\n"))
+realm.run(['env', 'KRB5_TRACE=' + tracefile, kinit, realm.user_princ],
+ input=(password('user') + "\n"))
f = open(tracefile, 'r')
trace = f.read()
f.close()
diff --git a/src/tests/t_iprop.py b/src/tests/t_iprop.py
index 7a96a7c..df97b92 100644
--- a/src/tests/t_iprop.py
+++ b/src/tests/t_iprop.py
@@ -7,11 +7,11 @@ from k5test import *
# Read lines from kpropd output until we are synchronized. Error if
# full_expected is true and we didn't see a full propagation or vice
# versa.
-def wait_for_prop(realm, full_expected):
+def wait_for_prop(kpropd, full_expected):
output('*** Waiting for sync from kpropd\n')
full_seen = False
while True:
- line = realm.read_from_kpropd()
+ line = kpropd.stdout.readline()
if line == '':
fail('kpropd process exited unexpectedly')
output('kpropd: ' + line)
@@ -29,7 +29,7 @@ def wait_for_prop(realm, full_expected):
# kpropd's child process has finished a DB load; make the parent
# do another iprop request. This will be unnecessary if kpropd
# is simplified to use a single process.
- realm.prod_kpropd()
+ kpropd.send_signal(signal.SIGUSR1)
# Detect some failure conditions.
if 'Rejected connection' in line:
@@ -43,22 +43,19 @@ def wait_for_prop(realm, full_expected):
if 'invalid return' in line:
fail('kadmind returned invalid result')
+conf = {
+ 'realms': {'$realm': {
+ 'iprop_enable': 'true',
+ 'iprop_logfile' : '$testdir/db.ulog'}}}
-iprop_kdc_conf = {
- 'all' : { 'libdefaults' : { 'default_realm' : 'KRBTEST.COM'},
- 'realms' : { '$realm' : {
- 'iprop_enable' : 'true',
- 'iprop_slave_poll' : '600'
- }}},
- 'master' : { 'realms' : { '$realm' : {
- 'iprop_logfile' : '$testdir/db.ulog'
- }}},
- 'slave' : { 'realms' : { '$realm' : {
- 'iprop_logfile' : '$testdir/slave-db.ulog'
- }}}
-}
+conf_slave = {
+ 'realms': {'$realm': {
+ 'iprop_slave_poll': '600',
+ 'iprop_logfile' : '$testdir/db.slave.ulog'}},
+ 'dbmodules': {'db': {'database_name': '$testdir/db.slave'}}}
-realm = K5Realm(kdc_conf=iprop_kdc_conf, create_user=False, start_kadmind=True)
+realm = K5Realm(kdc_conf=conf, create_user=False, start_kadmind=True)
+slave = realm.special_env('slave', True, kdc_conf=conf_slave)
ulog = os.path.join(realm.testdir, 'db.ulog')
if not os.path.exists(ulog):
@@ -71,9 +68,9 @@ realm.extract_keytab(kiprop_princ, realm.keytab)
# Create the slave db.
dumpfile = os.path.join(realm.testdir, 'dump')
-realm.run_as_master([kdb5_util, 'dump', dumpfile])
-realm.run_as_slave([kdb5_util, 'load', dumpfile])
-realm.run_as_slave([kdb5_util, 'stash', '-P', 'master'])
+realm.run([kdb5_util, 'dump', dumpfile])
+realm.run([kdb5_util, 'load', dumpfile], slave)
+realm.run([kdb5_util, 'stash', '-P', 'master'], slave)
# Make some changes to the master db.
realm.addprinc('wakawaka')
@@ -87,7 +84,7 @@ realm.addprinc('w')
realm.run_kadminl('modprinc -allow_tix w')
realm.run_kadminl('modprinc +allow_tix w')
-out = realm.run_as_master([kproplog, '-h'])
+out = realm.run([kproplog, '-h'])
if 'Last serial # : 7' not in out:
fail('Update log on master has incorrect last serial number')
@@ -98,76 +95,76 @@ acl.write(realm.host_princ + '\n')
acl.close()
# Start kpropd and get a full dump from master.
-realm.start_kpropd(['-d'])
-wait_for_prop(realm, True)
+kpropd = realm.start_kpropd(slave, ['-d'])
+wait_for_prop(kpropd, True)
realm.run_kadminl('modprinc -allow_tix w')
-out = realm.run_as_master([kproplog, '-h'])
+out = realm.run([kproplog, '-h'])
if 'Last serial # : 8' not in out:
fail('Update log on master has incorrect last serial number')
# Get an incremental update and check that it happened.
-realm.prod_kpropd()
-wait_for_prop(realm, False)
-out = realm.run_as_slave([kproplog, '-h'])
+kpropd.send_signal(signal.SIGUSR1)
+wait_for_prop(kpropd, False)
+out = realm.run([kproplog, '-h'], slave)
if 'Last serial # : 8' not in out:
fail('Update log on slave has incorrect last serial number')
# Make another change.
realm.run_kadminl('modprinc +allow_tix w')
-out = realm.run_as_master([kproplog, '-h'])
+out = realm.run([kproplog, '-h'])
if 'Last serial # : 9' not in out:
fail('Update log on master has incorrect last serial number')
# Get an update and check that we're at sno 9 on the slave side too.
-realm.prod_kpropd()
-wait_for_prop(realm, False)
-out = realm.run_as_slave([kproplog, '-h'])
+kpropd.send_signal(signal.SIGUSR1)
+wait_for_prop(kpropd, False)
+out = realm.run([kproplog, '-h'], slave)
if 'Last serial # : 9' not in out:
fail('Update log on slave has incorrect last serial number')
# Reset the ulog on the slave side to force a full resync to the slave.
-realm.run_as_slave([kproplog, '-R'])
-out = realm.run_as_slave([kproplog, '-h'])
+realm.run([kproplog, '-R'], slave)
+out = realm.run([kproplog, '-h'], slave)
if 'Last serial # : None' not in out:
fail('Reset of update log on slave failed')
# Get a full resync and check the result.
-realm.prod_kpropd()
-wait_for_prop(realm, True)
-out = realm.run_as_slave([kproplog, '-h'])
+kpropd.send_signal(signal.SIGUSR1)
+wait_for_prop(kpropd, True)
+out = realm.run([kproplog, '-h'], slave)
if 'Last serial # : 9' not in out:
fail('Update log on slave has incorrect last serial number')
# Make another change.
realm.run_kadminl('modprinc +allow_tix w')
-out = realm.run_as_master([kproplog, '-h'])
+out = realm.run([kproplog, '-h'])
if 'Last serial # : 10' not in out:
fail('Update log on master has incorrect last serial number')
# Get and check an incremental update.
-realm.prod_kpropd()
-wait_for_prop(realm, False)
-out = realm.run_as_slave([kproplog, '-h'])
+kpropd.send_signal(signal.SIGUSR1)
+wait_for_prop(kpropd, False)
+out = realm.run([kproplog, '-h'], slave)
if 'Last serial # : 10' not in out:
fail('Update log on slave has incorrect last serial number')
# Reset the ulog on the master side to force a full resync to all slaves.
# XXX Note that we only have one slave in this test, so we can't really
# test this.
-realm.run_as_master([kproplog, '-R'])
-out = realm.run_as_master([kproplog, '-h'])
+realm.run([kproplog, '-R'])
+out = realm.run([kproplog, '-h'])
if 'Last serial # : None' not in out:
fail('Reset of update log on master failed')
realm.run_kadminl('modprinc -allow_tix w')
-out = realm.run_as_master([kproplog, '-h'])
+out = realm.run([kproplog, '-h'])
if 'Last serial # : 1' not in out:
fail('Update log on master has incorrect last serial number')
# Get and check a full resync.
-realm.prod_kpropd()
-wait_for_prop(realm, True)
-out = realm.run_as_slave([kproplog, '-h'])
+kpropd.send_signal(signal.SIGUSR1)
+wait_for_prop(kpropd, True)
+out = realm.run([kproplog, '-h'], slave)
if 'Last serial # : 1' not in out:
fail('Update log on slave has incorrect last serial number')
diff --git a/src/tests/t_kadm5_hook.py b/src/tests/t_kadm5_hook.py
index 0c8b19d..1f023ea 100644
--- a/src/tests/t_kadm5_hook.py
+++ b/src/tests/t_kadm5_hook.py
@@ -4,15 +4,7 @@ from k5test import *
plugin = os.path.join(buildtop, "plugins", "kadm5_hook", "test",
"kadm5_hook_test.so")
-hook_krb5_conf = {
- 'all' : {
- "plugins" : {
- "kadm5_hook" : {
- "module" : "test:" + plugin
- }
- }
- }
-}
+hook_krb5_conf = {'plugins': {'kadm5_hook': { 'module': 'test:' + plugin}}}
realm = K5Realm(krb5_conf=hook_krb5_conf, create_user=False, create_host=False)
output = realm.run_kadminl ('addprinc -randkey test')
diff --git a/src/tests/t_kadmin_acl.py b/src/tests/t_kadmin_acl.py
index 3d36ad0..1d7b1d0 100644
--- a/src/tests/t_kadmin_acl.py
+++ b/src/tests/t_kadmin_acl.py
@@ -14,7 +14,7 @@ def make_client(name):
def kadmin_as(client, query):
global realm
- return realm.run_as_client([kadmin, '-c', client, '-q', query])
+ return realm.run([kadmin, '-c', client, '-q', query])
def delprinc(name):
global realm
diff --git a/src/tests/t_kdb.py b/src/tests/t_kdb.py
index 2f0d6fd..3c664f0 100644
--- a/src/tests/t_kdb.py
+++ b/src/tests/t_kdb.py
@@ -13,7 +13,7 @@ def which(progname):
# Run kdbtest against the BDB module.
realm = K5Realm(create_kdb=False)
-realm.run_as_master(['./kdbtest'])
+realm.run(['./kdbtest'])
# Set up an OpenLDAP test server if we can.
@@ -87,24 +87,22 @@ output('*** Started slapd (pid %d, output in %s)\n' % (slapd_pid, slapd_out))
time.sleep(1)
# Run kdbtest against the LDAP module.
-kdc_conf = {'all': {
- 'realms': {'$realm': {'database_module': 'ldap'}},
- 'dbmodules': {'ldap': {
- 'db_library': 'kldap',
- 'ldap_kerberos_container_dn': top_dn,
- 'ldap_kdc_dn': admin_dn,
- 'ldap_kadmind_dn': admin_dn,
- 'ldap_service_password_file': ldap_pwfile,
- 'ldap_servers': ldap_uri}}}}
-realm = K5Realm(create_kdb=False, kdc_conf=kdc_conf)
+conf = {'realms': {'$realm': {'database_module': 'ldap'}},
+ 'dbmodules': {'ldap': {'db_library': 'kldap',
+ 'ldap_kerberos_container_dn': top_dn,
+ 'ldap_kdc_dn': admin_dn,
+ 'ldap_kadmind_dn': admin_dn,
+ 'ldap_service_password_file': ldap_pwfile,
+ 'ldap_servers': ldap_uri}}}
+realm = K5Realm(create_kdb=False, kdc_conf=conf)
input = admin_pw + '\n' + admin_pw + '\n'
-realm.run_as_master([kdb5_ldap_util, 'stashsrvpw', admin_dn], input=input)
-realm.run_as_master(['./kdbtest'])
+realm.run([kdb5_ldap_util, 'stashsrvpw', admin_dn], input=input)
+realm.run(['./kdbtest'])
# Run a kdb5_ldap_util command using the test server's admin DN and password.
def kldaputil(args, **kw):
- return realm.run_as_master([kdb5_ldap_util, '-D', admin_dn, '-w',
- admin_pw] + args, **kw)
+ return realm.run([kdb5_ldap_util, '-D', admin_dn, '-w', admin_pw] + args,
+ **kw)
# kdbtest can't currently clean up after itself since the LDAP module
# doesn't support krb5_db_destroy. So clean up after it with
@@ -243,17 +241,17 @@ realm.addprinc(realm.user_princ, password('user'))
realm.addprinc(realm.host_princ)
realm.extract_keytab(realm.host_princ, realm.keytab)
realm.kinit(realm.user_princ, password('user'))
-realm.run_as_client([kvno, realm.host_princ])
+realm.run([kvno, realm.host_princ])
realm.klist(realm.user_princ, realm.host_princ)
realm.stop()
# Briefly test dump and load.
dumpfile = os.path.join(realm.testdir, 'dump')
-realm.run_as_master([kdb5_util, 'dump', dumpfile])
-out = realm.run_as_master([kdb5_util, 'load', dumpfile], expected_code=1)
+realm.run([kdb5_util, 'dump', dumpfile])
+out = realm.run([kdb5_util, 'load', dumpfile], expected_code=1)
if 'plugin requires -update argument' not in out:
fail('Unexpected error from kdb5_util load without -update')
-realm.run_as_master([kdb5_util, 'load', '-update', dumpfile])
+realm.run([kdb5_util, 'load', '-update', dumpfile])
# Destroy the realm.
kldaputil(['destroy', '-f'])
diff --git a/src/tests/t_kdb_locking.py b/src/tests/t_kdb_locking.py
index 89da97b..7c0755e 100644
--- a/src/tests/t_kdb_locking.py
+++ b/src/tests/t_kdb_locking.py
@@ -12,15 +12,11 @@ import os
from k5test import *
-kdc_conf = {
- 'all' : { 'libdefaults' : { 'default_realm' : 'KRBTEST.COM'}}
-}
-
p = 'foo'
-realm = K5Realm(kdc_conf=kdc_conf, create_user=False)
+realm = K5Realm(create_user=False)
realm.addprinc(p, p)
-kadm5_lock = os.path.join(realm.testdir, 'master-db.kadm5.lock')
+kadm5_lock = os.path.join(realm.testdir, 'db.kadm5.lock')
if not os.path.exists(kadm5_lock):
fail('kadm5 lock file not created: ' + kadm5_lock)
os.unlink(kadm5_lock)
diff --git a/src/tests/t_keyrollover.py b/src/tests/t_keyrollover.py
index 9f9346a..29d1291 100644
--- a/src/tests/t_keyrollover.py
+++ b/src/tests/t_keyrollover.py
@@ -1,7 +1,7 @@
#!/usr/bin/python
from k5test import *
-rollover_krb5_conf = {'all' : {'libdefaults' : {'allow_weak_crypto' : 'true'}}}
+rollover_krb5_conf = {'libdefaults': {'allow_weak_crypto': 'true'}}
realm = K5Realm(krbtgt_keysalt='des-cbc-crc:normal',
krb5_conf=rollover_krb5_conf)
@@ -11,19 +11,19 @@ princ2 = 'host/test2@%s' % (realm.realm,)
realm.addprinc(princ1)
realm.addprinc(princ2)
-realm.run_as_client([kvno, realm.host_princ])
+realm.run([kvno, realm.host_princ])
# Change key for TGS, keeping old key.
realm.run_kadminl('cpw -randkey -e aes256-cts:normal -keepold krbtgt/%s@%s' %
(realm.realm, realm.realm))
# Ensure that kvno still works with an old TGT.
-realm.run_as_client([kvno, princ1])
+realm.run([kvno, princ1])
realm.run_kadminl('purgekeys krbtgt/%s@%s' % (realm.realm, realm.realm))
# Make sure an old TGT fails after purging old TGS key.
-realm.run_as_client([kvno, princ2], expected_code=1)
-output = realm.run_as_client([klist, '-e'])
+realm.run([kvno, princ2], expected_code=1)
+output = realm.run([klist, '-e'])
expected = 'krbtgt/%s@%s\n\tEtype (skey, tkt): des-cbc-crc, des-cbc-crc' % \
(realm.realm, realm.realm)
@@ -33,8 +33,8 @@ if expected not in output:
# Check that new key actually works.
realm.kinit(realm.user_princ, password('user'))
-realm.run_as_client([kvno, realm.host_princ])
-output = realm.run_as_client([klist, '-e'])
+realm.run([kvno, realm.host_princ])
+output = realm.run([klist, '-e'])
expected = 'krbtgt/%s@%s\n\tEtype (skey, tkt): ' \
'aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96' % \
@@ -60,7 +60,7 @@ output = realm.run_kadminl('getprinc krbtgt/%s' % realm.realm)
if 'vno 1, aes256' not in output or 'vno 1, des3' not in output:
fail('keyrollover: setup for TGS enctype test failed')
# Now present the DES3 ticket to the KDC and make sure it's rejected.
-realm.run_as_client([kvno, realm.host_princ], expected_code=1)
+realm.run([kvno, realm.host_princ], expected_code=1)
realm.stop()
@@ -72,10 +72,10 @@ realm.stop()
# multiple keys.
r1, r2 = cross_realms(2)
r1.run_kadminl('modprinc -kvno 0 krbtgt/%s' % r2.realm)
-r1.run_as_client([kvno, r2.host_princ])
+r1.run([kvno, r2.host_princ])
r2.run_kadminl('cpw -pw newcross -keepold krbtgt/%s@%s' % (r2.realm, r1.realm))
r1.run_kadminl('cpw -pw newcross krbtgt/%s' % r2.realm)
r1.run_kadminl('modprinc -kvno 0 krbtgt/%s' % r2.realm)
-r1.run_as_client([kvno, r2.user_princ])
+r1.run([kvno, r2.user_princ])
success('keyrollover')
diff --git a/src/tests/t_keytab.py b/src/tests/t_keytab.py
index bc547d9..3008911 100644
--- a/src/tests/t_keytab.py
+++ b/src/tests/t_keytab.py
@@ -9,8 +9,8 @@ realm = K5Realm(get_creds=False)
# Test kinit with a partial keytab.
pkeytab = realm.keytab + '.partial'
-realm.run_as_master([ktutil], input=('rkt %s\ndelent 1\nwkt %s\n' %
- (realm.keytab, pkeytab)))
+realm.run([ktutil], input=('rkt %s\ndelent 1\nwkt %s\n' %
+ (realm.keytab, pkeytab)))
realm.kinit(realm.host_princ, flags=['-k', '-t', pkeytab])
# Test kinit with no keys for client in keytab.
@@ -22,17 +22,17 @@ if 'no suitable keys' not in output:
realm.extract_keytab(realm.user_princ, realm.client_keytab);
realm.kinit(realm.user_princ, flags=['-k', '-i'])
realm.klist(realm.user_princ)
-out = realm.run_as_client([klist, '-k', '-i'])
+out = realm.run([klist, '-k', '-i'])
if realm.client_keytab not in out or realm.user_princ not in out:
fail('Expected output not seen from klist -k -i')
# Test implicit request for keytab (-i or -t without -k)
-realm.run_as_client([kdestroy])
+realm.run([kdestroy])
output = realm.kinit(realm.host_princ, flags=['-t', realm.keytab])
if 'keytab specified, forcing -k' not in output:
fail('Expected output not seen from kinit -t keytab')
realm.klist(realm.host_princ)
-realm.run_as_client([kdestroy])
+realm.run([kdestroy])
output = realm.kinit(realm.user_princ, flags=['-i'])
if 'keytab specified, forcing -k' not in output:
fail('Expected output not seen from kinit -i')
@@ -54,17 +54,17 @@ if 'Key: vno 258,' not in output:
# Test parameter expansion in profile variables
realm.stop()
-conf = {'client': {'libdefaults': {
- 'default_keytab_name': 'testdir/%{null}abc%{uid}',
- 'default_client_keytab_name': 'testdir/%{null}xyz%{uid}'}}}
+conf = {'libdefaults': {
+ 'default_keytab_name': 'testdir/%{null}abc%{uid}',
+ 'default_client_keytab_name': 'testdir/%{null}xyz%{uid}'}}
realm = K5Realm(krb5_conf=conf, create_kdb=False)
-del realm.env_client['KRB5_KTNAME']
-del realm.env_client['KRB5_CLIENT_KTNAME']
+del realm.env['KRB5_KTNAME']
+del realm.env['KRB5_CLIENT_KTNAME']
uidstr = str(os.getuid())
-out = realm.run_as_client([klist, '-k'], expected_code=1)
+out = realm.run([klist, '-k'], expected_code=1)
if 'FILE:testdir/abc%s' % uidstr not in out:
fail('Wrong keytab in klist -k output')
-out = realm.run_as_client([klist, '-ki'], expected_code=1)
+out = realm.run([klist, '-ki'], expected_code=1)
if 'FILE:testdir/xyz%s' % uidstr not in out:
fail('Wrong keytab in klist -ki output')
diff --git a/src/tests/t_lockout.py b/src/tests/t_lockout.py
index e3d1dd4..8da8c57 100644
--- a/src/tests/t_lockout.py
+++ b/src/tests/t_lockout.py
@@ -29,17 +29,15 @@ realm.run_kadminl('addpol -maxfailure 2 -failurecountinterval 5m lockout')
realm.run_kadminl('modprinc +requires_preauth -policy lockout user')
# kinit twice with the wrong password.
-output = realm.run_as_client([kinit, realm.user_princ], input='wrong\n',
- expected_code=1)
+output = realm.run([kinit, realm.user_princ], input='wrong\n', expected_code=1)
if 'Password incorrect while getting initial credentials' not in output:
fail('Expected error message not seen in kinit output')
-output = realm.run_as_client([kinit, realm.user_princ], input='wrong\n',
- expected_code=1)
+output = realm.run([kinit, realm.user_princ], input='wrong\n', expected_code=1)
if 'Password incorrect while getting initial credentials' not in output:
fail('Expected error message not seen in kinit output')
# Now the account should be locked out.
-output = realm.run_as_client([kinit, realm.user_princ], expected_code=1)
+output = realm.run([kinit, realm.user_princ], expected_code=1)
if 'Clients credentials have been revoked while getting initial credentials' \
not in output:
fail('Expected lockout error message not seen in kinit output')
diff --git a/src/tests/t_pwhist.py b/src/tests/t_pwhist.py
index bfb9f00..3d8c7c1 100644
--- a/src/tests/t_pwhist.py
+++ b/src/tests/t_pwhist.py
@@ -6,12 +6,12 @@ from k5test import *
# first one to create history entries.
realm = K5Realm(start_kdc=False)
# Create a history principal with two keys.
-realm.run_as_master(['./hist', 'make'])
+realm.run(['./hist', 'make'])
realm.run_kadminl('addpol -history 2 pol')
realm.run_kadminl('modprinc -policy pol user')
realm.run_kadminl('cpw -pw pw2 user')
# Swap the keys, simulating older kadmin having chosen the second entry.
-realm.run_as_master(['./hist', 'swap'])
+realm.run(['./hist', 'swap'])
# Make sure we can read the history entry.
output = realm.run_kadminl('cpw -pw %s user' % password('user'))
if 'Cannot reuse password' not in output:
diff --git a/src/tests/t_referral.py b/src/tests/t_referral.py
index 6654d71..985f9da 100644
--- a/src/tests/t_referral.py
+++ b/src/tests/t_referral.py
@@ -6,12 +6,12 @@ from k5test import *
# have a regression test for #7483.
# A KDC should not return a host referral to its own realm.
-krb5_conf = {'master': {'domain_realm': {'y': 'KRBTEST.COM'}}}
-kdc_conf = {'master': {'realms': {'$realm': {'host_based_services': 'x'}}}}
+krb5_conf = {'domain_realm': {'y': 'KRBTEST.COM'}}
+kdc_conf = {'realms': {'$realm': {'host_based_services': 'x'}}}
realm = K5Realm(krb5_conf=krb5_conf, kdc_conf=kdc_conf, create_host=False)
tracefile = os.path.join(realm.testdir, 'trace')
-realm.run_as_client(['env', 'KRB5_TRACE=' + tracefile, kvno, '-u', 'x/z.y@'],
- expected_code=1)
+realm.run(['env', 'KRB5_TRACE=' + tracefile, kvno, '-u', 'x/z.y@'],
+ expected_code=1)
f = open(tracefile, 'r')
trace = f.read()
f.close()
diff --git a/src/tests/t_sesskeynego.py b/src/tests/t_sesskeynego.py
index 9239e12..3a4a814 100644
--- a/src/tests/t_sesskeynego.py
+++ b/src/tests/t_sesskeynego.py
@@ -8,8 +8,8 @@ etypes_re = re.compile(r'server@[^\n]+\n\tEtype \(skey, tkt\): '
'([^,]+), ([^\s]+)')
def test_kvno(realm, expected_skey, expected_tkt):
realm.kinit(realm.user_princ, password('user'))
- realm.run_as_client([kvno, 'server'])
- output = realm.run_as_client([klist, '-e'])
+ realm.run([kvno, 'server'])
+ output = realm.run([klist, '-e'])
m = etypes_re.search(output)
if not m:
fail('could not parse etypes from klist -e output')
@@ -19,29 +19,21 @@ def test_kvno(realm, expected_skey, expected_tkt):
if tkt != expected_tkt:
fail('got ticket key type %s, expected %s' % (tkt, expected_tkt))
-krb5_conf1 = {'all': {'libdefaults': {
- 'default_tgs_enctypes': 'aes128-cts,aes256-cts'}}}
-
-krb5_conf2 = {'all': {'libdefaults': {
- 'default_tgs_enctypes': 'aes256-cts,aes128-cts'}}}
-
-krb5_conf3 = {'all': {'libdefaults': {
- 'allow_weak_crypto': 'true',
- 'default_tkt_enctypes': 'aes128-cts',
- 'default_tgs_enctypes': 'rc4-hmac,aes128-cts,des-cbc-crc'}}}
-
-krb5_conf4 = {'all' :{
- 'libdefaults': {
- 'allow_weak_crypto': 'true',
- 'default_tkt_enctypes': 'aes256-cts',
- 'default_tgs_enctypes': 'des-cbc-crc,rc4-hmac,aes256-cts'
- },
- 'realms': {'$realm': {
- 'des_crc_session_supported' : 'false'}}}}
+conf1 = {'libdefaults': {'default_tgs_enctypes': 'aes128-cts,aes256-cts'}}
+conf2 = {'libdefaults': {'default_tgs_enctypes': 'aes256-cts,aes128-cts'}}
+conf3 = {'libdefaults': {
+ 'allow_weak_crypto': 'true',
+ 'default_tkt_enctypes': 'aes128-cts',
+ 'default_tgs_enctypes': 'rc4-hmac,aes128-cts,des-cbc-crc'}}
+conf4 = {'libdefaults': {
+ 'allow_weak_crypto': 'true',
+ 'default_tkt_enctypes': 'aes256-cts',
+ 'default_tgs_enctypes': 'des-cbc-crc,rc4-hmac,aes256-cts'},
+ 'realms': {'$realm': {'des_crc_session_supported': 'false'}}}
# Test with client request and session_enctypes preferring aes128, but
# aes256 long-term key.
-realm = K5Realm(krb5_conf=krb5_conf1, create_host=False, get_creds=False)
+realm = K5Realm(krb5_conf=conf1, create_host=False, get_creds=False)
realm.run_kadminl('addprinc -randkey -e aes256-cts:normal server')
realm.run_kadminl('setstr server session_enctypes aes128-cts,aes256-cts')
test_kvno(realm, 'aes128-cts-hmac-sha1-96', 'aes256-cts-hmac-sha1-96')
@@ -50,14 +42,14 @@ realm.stop()
# Second go, almost same as first, but resulting session key must be aes256
# because of the difference in default_tgs_enctypes order. This tests that
# session_enctypes doesn't change the order in which we negotiate.
-realm = K5Realm(krb5_conf=krb5_conf2, create_host=False, get_creds=False)
+realm = K5Realm(krb5_conf=conf2, create_host=False, get_creds=False)
realm.run_kadminl('addprinc -randkey -e aes256-cts:normal server')
realm.run_kadminl('setstr server session_enctypes aes128-cts,aes256-cts')
test_kvno(realm, 'aes256-cts-hmac-sha1-96', 'aes256-cts-hmac-sha1-96')
realm.stop()
-# Next we use krb5_conf3 and try various things.
-realm = K5Realm(krb5_conf=krb5_conf3, create_host=False, get_creds=False)
+# Next we use conf3 and try various things.
+realm = K5Realm(krb5_conf=conf3, create_host=False, get_creds=False)
realm.run_kadminl('addprinc -randkey -e aes256-cts:normal server')
# 3a: Negotiate aes128 session key when principal only has aes256 long-term.
@@ -75,7 +67,7 @@ test_kvno(realm, 'des-cbc-crc', 'aes256-cts-hmac-sha1-96')
realm.stop()
# Last go: test that we can disable the des-cbc-crc assumption
-realm = K5Realm(krb5_conf=krb5_conf4, get_creds=False)
+realm = K5Realm(krb5_conf=conf4, get_creds=False)
realm.run_kadminl('addprinc -randkey -e aes256-cts:normal server')
test_kvno(realm, 'aes256-cts-hmac-sha1-96', 'aes256-cts-hmac-sha1-96')
realm.stop()
diff --git a/src/tests/t_skew.py b/src/tests/t_skew.py
index 18bd922..aa91471 100644
--- a/src/tests/t_skew.py
+++ b/src/tests/t_skew.py
@@ -8,23 +8,23 @@ realm.start_kdc(['-T', '-3600'])
# kinit (no preauth) should work, and should set a clock skew allowing
# kvno to work, with or without FAST.
realm.kinit(realm.user_princ, password('user'))
-realm.run_as_client([kvno, realm.host_princ])
+realm.run([kvno, realm.host_princ])
realm.kinit(realm.user_princ, password('user'), flags=['-T', realm.ccache])
-realm.run_as_client([kvno, realm.host_princ])
-realm.run_as_client([kdestroy])
+realm.run([kvno, realm.host_princ])
+realm.run([kdestroy])
# kinit (with preauth) should work, with or without FAST.
realm.run_kadminl('modprinc +requires_preauth user')
realm.kinit(realm.user_princ, password('user'))
-realm.run_as_client([kvno, realm.host_princ])
+realm.run([kvno, realm.host_princ])
realm.kinit(realm.user_princ, password('user'), flags=['-T', realm.ccache])
-realm.run_as_client([kvno, realm.host_princ])
-realm.run_as_client([kdestroy])
+realm.run([kvno, realm.host_princ])
+realm.run([kdestroy])
realm.stop()
# Repeat the above tests with kdc_timesync disabled.
-conf = {'all': {'libdefaults': {'kdc_timesync': '0'}}}
+conf = {'libdefaults': {'kdc_timesync': '0'}}
realm = K5Realm(start_kdc=False, krb5_conf=conf)
realm.start_kdc(['-T', '-3600'])
diff --git a/src/util/gss-kernel-lib/t_kgss.py b/src/util/gss-kernel-lib/t_kgss.py
index 52d1da2..00eab05 100644
--- a/src/util/gss-kernel-lib/t_kgss.py
+++ b/src/util/gss-kernel-lib/t_kgss.py
@@ -25,6 +25,6 @@ from k5test import *
# Test krb5 negotiation under SPNEGO for all enctype configurations.
for realm in multipass_realms():
- realm.run_as_client(['./t_kgss_user', realm.host_princ])
+ realm.run(['./t_kgss_user', realm.host_princ])
success('Kernel GSSAPI subset tests')
diff --git a/src/util/k5test.py b/src/util/k5test.py
index 37e8929..6c2d091 100644
--- a/src/util/k5test.py
+++ b/src/util/k5test.py
@@ -34,12 +34,12 @@ A sample test script:
# Run a test program under a variety of configurations:
for realm in multipass_realms():
- realm.run_as_client(['./testprog', 'arg'])
+ realm.run(['./testprog', 'arg'])
# Run a test server and client under just the default configuration:
realm = K5Realm()
realm.start_server(['./serverprog'], 'starting...')
- realm.run_as_client(['./clientprog', realm.host_princ])
+ realm.run(['./clientprog', realm.host_princ])
# Inform framework that tests completed successfully.
success('World peace and cure for cancer')
@@ -48,10 +48,7 @@ By default, the realm will have:
* The name KRBTEST.COM
* Listener ports starting at 61000
-* Four different krb5.conf files for the client, server, master KDC,
- and slave KDC, specifying only the variables necessary for
- self-contained test operation
-* Two different kdc.conf files for the master and slave KDCs
+* krb5.conf and kdc.conf files
* A fresh DB2 KDB
* Running krb5kdc (but not kadmind)
* Principals named realm.user_princ and realm.admin_princ; call
@@ -73,15 +70,12 @@ keyword arguments:
(path may be specified relative to the current working dir)
* krb5_conf={ ... }: krb5.conf options, expressed as a nested
- dictionary, to be merged with the default krb5.conf settings. The
- top level keys of the dictionary should be 'all' to apply to all
- four krb5.conf files, and/or 'client'/'server'/'master'/'slave' to
- apply to a particular one. A key may be mapped to None to delete a
- setting from the defaults. A key may be mapped to a list in order
- to create multiple settings for the same variable name. Keys and
- values undergo the following template substitutions:
-
- - $type: The configuration type (client/server/master/slave)
+ dictionary, to be merged with the default krb5.conf settings. A key
+ may be mapped to None to delete a setting from the defaults. A key
+ may be mapped to a list in order to create multiple settings for the
+ same variable name. Keys and values undergo the following template
+ substitutions:
+
- $realm: The realm name
- $testdir: The realm storage directory (absolute path)
- $buildtop: The root of the build directory
@@ -102,9 +96,8 @@ keyword arguments:
- port5 is the return value of realm.server_port()
* kdc_conf={...}: kdc.conf options, expressed as a nested dictionary,
- to be merged with the default kdc.conf settings. The top level keys
- should be 'all' or 'master'/'slave'. The same conventions and
- substitutions for krb5_conf apply.
+ to be merged with the default kdc.conf settings. The same
+ conventions and substitutions for krb5_conf apply.
* create_kdb=False: Don't create a KDB. Implicitly disables all of
the other options since they all require a KDB.
@@ -123,8 +116,6 @@ keyword arguments:
* start_kadmind=True: Start kadmind.
-* start_kpropd=True: Start kpropd.
-
* get_creds=False: Don't get user credentials.
Scripts may use the following functions and variables:
@@ -210,66 +201,45 @@ Scripts may use the following functions and variables:
Scripts may use the following realm methods and attributes:
-* realm.run_as_client(args, **keywords): Run a command with an
- environment pointing at the client krb5.conf, obeying the
+* realm.run(args, env=None, **keywords): Run a command in a specified
+ environment (or the realm's environment by default), obeying the
command-line debugging options. Fail if the command does not return
0. Log the command output appropriately, and return it as a single
multi-line string. Keyword arguments can contain input='string' to
send an input string to the command, and expected_code=N to expect a
return code other than 0.
-* Similar methods for the server, master KDC, and slave KDC
- environments:
- - realm.run_as_server
- - realm.run_as_master
- - realm.run_as_slave
-
* realm.server_port(): Returns a port number based on realm.portbase
intended for use by server processes.
-* realm.start_server(args, sentinel): Start a process in the server
- environment. Wait until sentinel appears as a substring of a line
- in the server process's stdout or stderr (which are folded
- together). Returns a subprocess.Popen object which can be passed to
+* realm.start_server(args, sentinel, env=None): Start a daemon
+ process. Wait until sentinel appears as a substring of a line in
+ the server process's stdout or stderr (which are folded together).
+ Returns a subprocess.Popen object which can be passed to
stop_daemon() to stop the server, or used to read from the server's
output.
-* realm.start_in_inetd(args, port=None): Begin a t_inetd process which
- will spawn a server process within the server environment after
- accepting a client connection. If port is not specified,
- realm.server_port() will be used. Returns a process object which
- can be passed to stop_daemon() to stop the server.
+* realm.start_in_inetd(args, port=None, env=None): Begin a t_inetd
+ process which will spawn a server process after accepting a client
+ connection. If port is not specified, realm.server_port() will be
+ used. Returns a process object which can be passed to stop_daemon()
+ to stop the server.
-* realm.create_kdb(): Create a new master KDB.
+* realm.create_kdb(): Create a new KDB.
-* realm.start_kdc(args=[]): Start a krb5kdc with the realm's master
- KDC environment. Errors if a KDC is already running. If args is
- given, it contains a list of additional krb5kdc arguments.
+* realm.start_kdc(args=[]): Start a krb5kdc process. Errors if a KDC
+ is already running. If args is given, it contains a list of
+ additional krb5kdc arguments.
* realm.stop_kdc(): Stop the krb5kdc process. Errors if no KDC is
running.
-* realm.start_kadmind(): Start a kadmind with the realm's master KDC
- environment. Errors if a kadmind is already running.
+* realm.start_kadmind(): Start a kadmind process. Errors if a kadmind
+ is already running.
* realm.stop_kadmind(): Stop the kadmind process. Errors if no
kadmind is running.
-* realm.start_kpropd(args=[]): Start a kpropd with the realm's slave
- KDC environment. Errors if a kpropd is already running. If args is
- given, it contains a list of additional kpropd arguments.
-
-* realm.stop_kpropd(): Stop the kpropd process. Errors if no kpropd
- is running.
-
-* realm.read_from_kpropd(): Read a line from the stdout or stderr of
- the kpropd process. Most useful if kpropd is started with the -d
- option.
-
-* realm.prod_kpropd(): Send a USR1 signal to a kpropd to make it stop
- sleeping and perform an iprop request. kpropd must be running in
- iprop mode or a USR1 will simply terminate it.
-
* realm.stop(): Stop any daemon processes running on behalf of the
realm.
@@ -306,7 +276,20 @@ Scripts may use the following realm methods and attributes:
* realm.run_kadmin(query, **keywords): Run the specified query in
kadmin, using realm.kadmin_ccache to authenticate. Accepts the same
- keyword arguments as run_as_client.
+ keyword arguments as run.
+
+* realm.special_env(name, has_kdc_conf, krb5_conf=None,
+ kdc_conf=None): Create an environment with a modified krb5.conf
+ and/or kdc.conf. The specified krb5_conf and kdc_conf fragments, if
+ any, will be merged with the realm's existing configuration. If
+ has_kdc_conf is false, the new environment will have no kdc.conf.
+ The environment returned by this method can be used with realm.run()
+ or similar methods.
+
+* realm.start_kpropd(env, args=[]): Start a kpropd process. Pass an
+ environment created with realm.special_env() for the slave. If args
+ is given, it contains a list of additional kpropd arguments.
+ Returns a handle to the kpropd process.
* realm.realm: The realm's name.
@@ -339,12 +322,8 @@ Scripts may use the following realm methods and attributes:
* realm.kadmin_ccache: The ccache file initialized by prep_kadmin and
used by run_kadmin.
-* Attributes for the client, server, master, and slave environments.
- These environments are extensions of os.environ.
- - realm.env_client
- - realm.env_server
- - realm.env_master
- - realm.env_slave
+* env: The realm's environment, extended from os.environ to point at
+ the realm's config files and the build tree's shared libraries.
When the test script is run, its behavior can be modified with
command-line flags. These are documented in the --help output.
@@ -737,23 +716,17 @@ class K5Realm(object):
self._kdc_conf = _cfg_merge(_default_kdc_conf, kdc_conf)
self._kdc_proc = None
self._kadmind_proc = None
- self._kpropd_proc = None
+ self._kpropd_procs = []
+ krb5_conf_path = os.path.join(self.testdir, 'krb5.conf')
+ kdc_conf_path = os.path.join(self.testdir, 'kdc.conf')
+ self.env = self._make_env(krb5_conf_path, kdc_conf_path)
self._create_empty_dir()
- self._create_krb5_conf('client')
- self._create_krb5_conf('server')
- self._create_krb5_conf('master')
- self._create_krb5_conf('slave')
- self._create_kdc_conf('master')
- self._create_kdc_conf('slave')
+ self._create_conf(self._krb5_conf, krb5_conf_path)
+ self._create_conf(self._kdc_conf, kdc_conf_path)
self._create_acl()
self._create_dictfile()
- self.env_client = self._make_env('client', False)
- self.env_server = self._make_env('server', False)
- self.env_master = self._make_env('master', True)
- self.env_slave = self._make_env('slave', True)
-
if create_kdb:
self.create_kdb()
if krbtgt_keysalt and create_kdb:
@@ -769,8 +742,6 @@ class K5Realm(object):
self.start_kdc()
if start_kadmind and create_kdb:
self.start_kadmind()
- if start_kpropd and create_kdb:
- self.start_kpropd()
if get_creds and create_kdb and create_user and start_kdc:
self.kinit(self.user_princ, password('user'))
self.klist(self.user_princ)
@@ -782,50 +753,38 @@ class K5Realm(object):
fail('Cannot remove %s to create test realm.' % dir)
os.mkdir(dir)
- def _create_krb5_conf(self, type):
- filename = os.path.join(self.testdir, 'krb5.%s.conf' % type)
+ def _create_conf(self, profile, filename):
file = open(filename, 'w')
- profile = _cfg_merge(self._krb5_conf['all'], self._krb5_conf.get(type))
for section, contents in profile.items():
file.write('[%s]\n' % section)
- self._write_cfg_section(file, type, contents, 1)
+ self._write_cfg_section(file, contents, 1)
file.close()
- def _create_kdc_conf(self, type):
- filename = os.path.join(self.testdir, 'kdc.%s.conf' % type)
- file = open(filename, 'w')
- profile = _cfg_merge(self._kdc_conf['all'], self._kdc_conf.get(type))
- for section, contents in profile.items():
- file.write('[%s]\n' % section)
- self._write_cfg_section(file, type, contents, 1)
- file.close()
-
- def _write_cfg_section(self, file, type, contents, indent_level):
+ def _write_cfg_section(self, file, contents, indent_level):
indent = '\t' * indent_level
for name, value in contents.items():
- name = self._subst_cfg_value(name, type)
+ name = self._subst_cfg_value(name)
if isinstance(value, dict):
# A dictionary value yields a list subsection.
file.write('%s%s = {\n' % (indent, name))
- self._write_cfg_section(file, type, value, indent_level + 1)
+ self._write_cfg_section(file, value, indent_level + 1)
file.write('%s}\n' % indent)
elif isinstance(value, list):
# A list value yields multiple values for the same name.
for item in value:
- item = self._subst_cfg_value(item, type)
+ item = self._subst_cfg_value(item)
file.write('%s%s = %s\n' % (indent, name, item))
elif isinstance(value, str):
# A string value yields a straightforward variable setting.
- value = self._subst_cfg_value(value, type)
+ value = self._subst_cfg_value(value)
file.write('%s%s = %s\n' % (indent, name, value))
elif value is not None:
raise TypeError()
- def _subst_cfg_value(self, value, type):
+ def _subst_cfg_value(self, value):
global buildtop, srctop, hostname
template = string.Template(value)
- return template.substitute(type=type,
- realm=self.realm,
+ return template.substitute(realm=self.realm,
testdir=self.testdir,
buildtop=buildtop,
srctop=srctop,
@@ -856,12 +815,10 @@ class K5Realm(object):
file.write('weak_password\n')
file.close()
- def _make_env(self, type, has_kdc_conf):
+ def _make_env(self, krb5_conf_path, kdc_conf_path):
env = _build_env()
- env['KRB5_CONFIG'] = os.path.join(self.testdir, 'krb5.%s.conf' % type)
- if has_kdc_conf:
- filename = os.path.join(self.testdir, 'kdc.%s.conf' % type)
- env['KRB5_KDC_PROFILE'] = filename
+ env['KRB5_CONFIG'] = krb5_conf_path
+ env['KRB5_KDC_PROFILE'] = kdc_conf_path or os.devnull
env['KRB5CCNAME'] = self.ccache
env['KRB5_KTNAME'] = self.keytab
env['KRB5_CLIENT_KTNAME'] = self.client_keytab
@@ -870,38 +827,35 @@ class K5Realm(object):
env['KPROP_PORT'] = str(self.portbase + 3)
return env
- def run_as_client(self, args, **keywords):
- return _run_cmd(args, self.env_client, **keywords)
-
- def run_as_server(self, args, **keywords):
- return _run_cmd(args, self.env_server, **keywords)
-
- def run_as_master(self, args, **keywords):
- return _run_cmd(args, self.env_master, **keywords)
-
- def run_as_slave(self, args, **keywords):
- return _run_cmd(args, self.env_slave, **keywords)
+ def run(self, args, env=None, **keywords):
+ if env is None:
+ env = self.env
+ return _run_cmd(args, env, **keywords)
def server_port(self):
return self.portbase + 5
- def start_server(self, args, sentinel):
- return _start_daemon(args, self.env_server, sentinel)
+ def start_server(self, args, sentinel, env=None):
+ if env is None:
+ env = self.env
+ return _start_daemon(args, env, sentinel)
- def start_in_inetd(self, args, port=None):
+ def start_in_inetd(self, args, port=None, env=None):
if not port:
port = self.server_port()
+ if env is None:
+ env = self.env
inetd_args = [t_inetd, str(port)] + args
- return _start_daemon(inetd_args, self.env_server, 'Ready!')
+ return _start_daemon(inetd_args, env, 'Ready!')
def create_kdb(self):
global kdb5_util
- self.run_as_master([kdb5_util, 'create', '-W', '-s', '-P', 'master'])
+ self.run([kdb5_util, 'create', '-W', '-s', '-P', 'master'])
def start_kdc(self, args=[]):
global krb5kdc
assert(self._kdc_proc is None)
- self._kdc_proc = _start_daemon([krb5kdc, '-n'] + args, self.env_master,
+ self._kdc_proc = _start_daemon([krb5kdc, '-n'] + args, self.env,
'starting...')
def stop_kdc(self):
@@ -912,49 +866,35 @@ class K5Realm(object):
def start_kadmind(self):
global krb5kdc
assert(self._kadmind_proc is None)
- dump_path = os.path.join(self.testdir, 'master-dump')
+ dump_path = os.path.join(self.testdir, 'dump')
self._kadmind_proc = _start_daemon([kadmind, '-nofork', '-W',
'-p', kdb5_util, '-K', kprop,
'-F', dump_path],
- self.env_master, 'starting...')
+ self.env, 'starting...')
def stop_kadmind(self):
assert(self._kadmind_proc is not None)
stop_daemon(self._kadmind_proc)
self._kadmind_proc = None
- def start_kpropd(self, args=[]):
+ def start_kpropd(self, env, args=[]):
global krb5kdc
- assert(self._kpropd_proc is None)
slavedump_path = os.path.join(self.testdir, 'incoming-slave-datatrans')
kpropdacl_path = os.path.join(self.testdir, 'kpropd-acl')
- self._kpropd_proc = _start_daemon([kpropd, '-D', '-P',
- str(self.portbase + 3),
- '-f', slavedump_path,
- '-p', kdb5_util,
- '-a', kpropdacl_path] + args,
- self.env_slave, 'ready')
-
- def stop_kpropd(self):
- assert(self._kpropd_proc is not None)
- stop_daemon(self._kpropd_proc)
- self._kpropd_proc = None
-
- def read_from_kpropd(self):
- assert(self._kpropd_proc is not None)
- return self._kpropd_proc.stdout.readline()
-
- def prod_kpropd(self):
- assert(self._kpropd_proc is not None)
- self._kpropd_proc.send_signal(signal.SIGUSR1)
+ proc = _start_daemon([kpropd, '-D', '-P', str(self.portbase + 3),
+ '-f', slavedump_path, '-p', kdb5_util,
+ '-a', kpropdacl_path] + args, env, 'ready')
+ self._kpropd_procs.append(proc)
+ return proc
def stop(self):
if self._kdc_proc:
self.stop_kdc()
if self._kadmind_proc:
self.stop_kadmind()
- if self._kpropd_proc:
- self.stop_kpropd()
+ for p in self._kpropd_procs:
+ stop_daemon(p)
+ self._kpropd_procs = []
def addprinc(self, princname, password=None):
if password:
@@ -970,8 +910,7 @@ class K5Realm(object):
input = password + "\n"
else:
input = None
- return self.run_as_client([kinit] + flags + [princname], input=input,
- **keywords)
+ return self.run([kinit] + flags + [princname], input=input, **keywords)
def klist(self, client_princ, service_princ=None, ccache=None, **keywords):
if service_princ is None:
@@ -981,7 +920,7 @@ class K5Realm(object):
ccachestr = ccache
if len(ccachestr) < 2 or ':' not in ccachestr[2:]:
ccachestr = 'FILE:' + ccachestr
- output = self.run_as_client([klist, ccache], **keywords)
+ output = self.run([klist, ccache], **keywords)
if (('Ticket cache: %s\n' % ccachestr) not in output or
('Default principal: %s\n' % client_princ) not in output or
service_princ not in output):
@@ -990,7 +929,7 @@ class K5Realm(object):
def klist_keytab(self, princ, keytab=None, **keywords):
if keytab is None:
keytab = self.keytab
- output = self.run_as_client([klist, '-k', keytab], **keywords)
+ output = self.run([klist, '-k', keytab], **keywords)
if (('Keytab name: FILE:%s\n' % keytab) not in output or
'KVNO Principal\n----' not in output or
princ not in output):
@@ -998,7 +937,7 @@ class K5Realm(object):
def run_kadminl(self, query):
global kadmin_local
- return self.run_as_master([kadmin_local, '-q', query])
+ return self.run([kadmin_local, '-q', query])
def prep_kadmin(self, princname=None, pw=None, flags=[]):
if princname is None:
@@ -1009,8 +948,20 @@ class K5Realm(object):
'-c', self.kadmin_ccache] + flags)
def run_kadmin(self, query, **keywords):
- return self.run_as_client([kadmin, '-c', self.kadmin_ccache,
- '-q', query], **keywords)
+ return self.run([kadmin, '-c', self.kadmin_ccache, '-q', query],
+ **keywords)
+
+ def special_env(self, name, has_kdc_conf, krb5_conf=None, kdc_conf=None):
+ krb5_conf_path = os.path.join(self.testdir, 'krb5.conf.%s' % name)
+ krb5_conf = _cfg_merge(self._krb5_conf, krb5_conf)
+ self._create_conf(krb5_conf, krb5_conf_path)
+ if has_kdc_conf:
+ kdc_conf_path = os.path.join(self.testdir, 'kdc.conf.%s' % name)
+ kdc_conf = _cfg_merge(self._kdc_conf, kdc_conf)
+ self._create_conf(kdc_conf, kdc_conf_path)
+ else:
+ kdc_conf_path = None
+ return self._make_env(krb5_conf_path, kdc_conf_path)
def multipass_realms(**keywords):
@@ -1065,7 +1016,7 @@ def cross_realms(num, xtgts=None, args=None, **keywords):
'admin_server' : '$hostname:%d' % (portbase + 1),
'kpasswd_server' : '$hostname:%d' % (portbase + 2)
}
- realmscfg = { 'all' : { 'realms' : realmsection } }
+ realmscfg = {'realms': realmsection}
# Set realmsection in each realm's krb5_conf keyword argument.
for a in realm_args:
@@ -1098,65 +1049,34 @@ def cross_realms(num, xtgts=None, args=None, **keywords):
_default_krb5_conf = {
- 'all' : {
- 'libdefaults' : {
- 'default_realm' : '$realm',
- 'dns_lookup_kdc' : 'false',
- 'plugin_base_dir' : '$plugins'
- },
- 'realms' : {
- '$realm' : {
- 'kdc' : '$hostname:$port0',
- 'admin_server' : '$hostname:$port1',
- 'kpasswd_server' : '$hostname:$port2'
- }
- }
- }
-}
+ 'libdefaults': {
+ 'default_realm': '$realm',
+ 'dns_lookup_kdc': 'false',
+ 'plugin_base_dir': '$plugins'},
+ 'realms': {'$realm': {
+ 'kdc': '$hostname:$port0',
+ 'admin_server': '$hostname:$port1',
+ 'kpasswd_server': '$hostname:$port2'}}}
_default_kdc_conf = {
- 'all' : {
- 'realms' : {
- '$realm' : {
- 'database_module' : 'foo_db2',
- 'iprop_port' : '$port4'
- }
- },
- 'dbmodules' : {
- 'db_module_dir' : '$plugins/kdb',
- 'foo_db2' : {
- 'db_library' : 'db2',
- 'database_name' : '$testdir/$type-db'
- }
- },
- 'logging' : {
- 'admin_server' : 'FILE:$testdir/kadmind5.log',
- 'kdc' : 'FILE:$testdir/kdc.log',
- 'default' : 'FILE:$testdir/others.log'
- }
- },
- 'master' : {
- 'realms' : {
- '$realm' : {
- 'key_stash_file' : '$testdir/stash',
- 'acl_file' : '$testdir/acl',
- 'dictfile' : '$testdir/dictfile',
- 'kadmind_port' : '$port1',
- 'kpasswd_port' : '$port2',
- 'kdc_ports' : '$port0',
- 'kdc_tcp_ports' : '$port0'
- }
- }
- },
- 'slave' : {
- 'realms' : {
- '$realm' : {
- 'key_stash_file' : '$testdir/slave-stash',
- }
- }
- }
-}
+ 'realms': {'$realm': {
+ 'database_module': 'db',
+ 'iprop_port': '$port4',
+ 'key_stash_file': '$testdir/stash',
+ 'acl_file': '$testdir/acl',
+ 'dictfile': '$testdir/dictfile',
+ 'kadmind_port': '$port1',
+ 'kpasswd_port': '$port2',
+ 'kdc_ports': '$port0',
+ 'kdc_tcp_ports': '$port0'}},
+ 'dbmodules': {
+ 'db_module_dir': '$plugins/kdb',
+ 'db': {'db_library': 'db2', 'database_name' : '$testdir/db'}},
+ 'logging': {
+ 'admin_server': 'FILE:$testdir/kadmind5.log',
+ 'kdc': 'FILE:$testdir/kdc.log',
+ 'default': 'FILE:$testdir/others.log'}}
# A pass is a tuple of: name, krbtgt_keysalt, krb5_conf, kdc_conf.
@@ -1166,58 +1086,58 @@ _passes = [
# Exercise a DES enctype and the v4 salt type.
('desv4', None,
- {'all' : {'libdefaults' : {
- 'default_tgs_enctypes' : 'des-cbc-crc',
- 'default_tkt_enctypes' : 'des-cbc-crc',
- 'permitted_enctypes' : 'des-cbc-crc',
- 'allow_weak_crypto' : 'true'}}},
- {'master' : {'realms' : {'$realm' : {
- 'supported_enctypes' : 'des-cbc-crc:v4',
- 'master_key_type' : 'des-cbc-crc'}}}}),
+ {'libdefaults': {
+ 'default_tgs_enctypes': 'des-cbc-crc',
+ 'default_tkt_enctypes': 'des-cbc-crc',
+ 'permitted_enctypes': 'des-cbc-crc',
+ 'allow_weak_crypto': 'true'}},
+ {'realms': {'$realm': {
+ 'supported_enctypes': 'des-cbc-crc:v4',
+ 'master_key_type': 'des-cbc-crc'}}}),
# Exercise the DES3 enctype.
('des3', None,
- {'all' : {'libdefaults' : {
- 'default_tgs_enctypes' : 'des3',
- 'default_tkt_enctypes' : 'des3',
- 'permitted_enctypes' : 'des3'}}},
- {'master' : {'realms' : {'$realm' : {
- 'supported_enctypes' : 'des3-cbc-sha1:normal',
- 'master_key_type' : 'des3-cbc-sha1'}}}}),
+ {'libdefaults': {
+ 'default_tgs_enctypes': 'des3',
+ 'default_tkt_enctypes': 'des3',
+ 'permitted_enctypes': 'des3'}},
+ {'realms': {'$realm': {
+ 'supported_enctypes': 'des3-cbc-sha1:normal',
+ 'master_key_type': 'des3-cbc-sha1'}}}),
# Exercise the arcfour enctype.
('arcfour', None,
- {'all' : {'libdefaults' : {
- 'default_tgs_enctypes' : 'rc4',
- 'default_tkt_enctypes' : 'rc4',
- 'permitted_enctypes' : 'rc4'}}},
- {'master' : {'realms' : {'$realm' : {
- 'supported_enctypes' : 'arcfour-hmac:normal',
- 'master_key_type' : 'arcfour-hmac'}}}}),
+ {'libdefaults': {
+ 'default_tgs_enctypes': 'rc4',
+ 'default_tkt_enctypes': 'rc4',
+ 'permitted_enctypes': 'rc4'}},
+ {'realms': {'$realm': {
+ 'supported_enctypes': 'arcfour-hmac:normal',
+ 'master_key_type': 'arcfour-hmac'}}}),
# Exercise the AES128 enctype.
('aes128', None,
- {'all' : {'libdefaults' : {
- 'default_tgs_enctypes' : 'aes128-cts',
- 'default_tkt_enctypes' : 'aes128-cts',
- 'permitted_enctypes' : 'aes128-cts'}}},
- {'master' : {'realms' : {'$realm' : {
- 'supported_enctypes' : 'aes128-cts:normal',
- 'master_key_type' : 'aes128-cts'}}}}),
+ {'libdefaults': {
+ 'default_tgs_enctypes': 'aes128-cts',
+ 'default_tkt_enctypes': 'aes128-cts',
+ 'permitted_enctypes': 'aes128-cts'}},
+ {'realms': {'$realm': {
+ 'supported_enctypes': 'aes128-cts:normal',
+ 'master_key_type': 'aes128-cts'}}}),
# Exercise the camellia256-cts enctype.
('camellia256', None,
- {'all' : {'libdefaults' : {
- 'default_tgs_enctypes' : 'camellia256-cts',
- 'default_tkt_enctypes' : 'camellia256-cts',
- 'permitted_enctypes' : 'camellia256-cts'}}},
- {'master' : {'realms' : {'$realm' : {
- 'supported_enctypes' : 'camellia256-cts:normal',
- 'master_key_type' : 'camellia256-cts'}}}}),
+ {'libdefaults': {
+ 'default_tgs_enctypes': 'camellia256-cts',
+ 'default_tkt_enctypes': 'camellia256-cts',
+ 'permitted_enctypes': 'camellia256-cts'}},
+ {'realms': {'$realm': {
+ 'supported_enctypes': 'camellia256-cts:normal',
+ 'master_key_type': 'camellia256-cts'}}}),
# Test a setup with modern principal keys but an old TGT key.
('aes256.destgt', 'des-cbc-crc:normal',
- {'all' : {'libdefaults' : {'allow_weak_crypto' : 'true'}}},
+ {'libdefaults': {'allow_weak_crypto': 'true'}},
None)
]
diff --git a/src/util/testrealm.py b/src/util/testrealm.py
index 0bf976d..fba3ae0 100644
--- a/src/util/testrealm.py
+++ b/src/util/testrealm.py
@@ -60,7 +60,7 @@ if args:
realm = realms[0]
else:
realm = K5Realm(start_kadmind=True)
-env = realm.env_master.copy()
+env = realm.env.copy()
supplement_path(env)
pwfilename = os.path.join('testdir', 'passwords')
More information about the cvs-krb5
mailing list