krb5 commit: Perform complete referrals in t_referral.py

Wed Oct 9 13:44:51 EDT 2013

https://github.com/krb5/krb5/commit/69c190ed9189273a79fdb8e8d95ce970d21118b3
commit 69c190ed9189273a79fdb8e8d95ce970d21118b3
Author: Greg Hudson <ghudson at mit.edu>
Date:   Wed Oct 9 12:56:13 2013 -0400

    Perform complete referrals in t_referral.py
    
    t_referral.py was written to exercise KDC host referral logic, and did
    not actually create the target realm, instead just looking at the
    error message from gcred to determine whether the KDC returned a
    referral or not.  It's only a small amount of additional work to
    actually set up the target realm and check that the client code
    successfully retrieves the referral, so do that instead.
    
    Since the referral and non-referral outcomes aren't all that similar
    any more, split test() into testref() and testfail().  Get rid of the
    message argument, since it wouldn't be output in most cases where we
    get an unexpected result.

 src/tests/t_referral.py |   75 +++++++++++++++++++++++++++-------------------
 1 files changed, 44 insertions(+), 31 deletions(-)

diff --git a/src/tests/t_referral.py b/src/tests/t_referral.py
index 884e45b..ff23073 100644
--- a/src/tests/t_referral.py
+++ b/src/tests/t_referral.py
@@ -1,21 +1,32 @@
 #!/usr/bin/python
 from k5test import *
 
-# Create a realm where the KDC has a [domain_realm] mapping for 'd'
-# and clients will not try to use DNS to look up KDC addresses.  The
-# KDC believes it has a cross-realm TGT for REFREALM, but we won't
-# actually create REFREALM.
-nodns = {'libdefaults': {'dns_lookup_kdc': 'false'}}
+# Create a pair of realms, where KRBTEST1.COM can authenticate to
+# REFREALM and has a domain-realm mapping for 'd' pointing to it.
 drealm = {'domain_realm': {'d': 'REFREALM'}}
-realm = K5Realm(krb5_conf=nodns, kdc_conf=drealm, create_host=False)
+realm, refrealm = cross_realms(2, xtgts=((0,1),),
+                               args=({'kdc_conf': drealm},
+                                     {'realm': 'REFREALM',
+                                      'create_user': False}),
+                               create_host=False)
 realm.addprinc('krbtgt/REFREALM')
+refrealm.addprinc('a/x.d')
 
-# Get credentials for a/x.d and check whether the KDC returned a referral.
-def test(realm, nametype, expected_ref, msg):
+savefile = os.path.join(realm.testdir, 'ccache.copy')
+os.rename(realm.ccache, savefile)
+
+# Get credentials and check that we got a referral to REFREALM.
+def testref(realm, nametype):
+    shutil.copyfile(savefile, realm.ccache)
+    realm.run(['./gcred', nametype, 'a/x.d'])
+    realm.klist(realm.user_princ, 'a/x.d at REFREALM')
+
+# Get credentials and check that we get an error, not a referral.
+def testfail(realm, nametype):
+    shutil.copyfile(savefile, realm.ccache)
     out = realm.run(['./gcred', nametype, 'a/x.d'], expected_code=1)
-    if ((expected_ref and 'Cannot find KDC for realm "REFREALM"' not in out) or
-        (not expected_ref and 'not found in Kerberos database' not in out)):
-        fail(msg)
+    if 'not found in Kerberos database' not in out:
+        fail('unexpected error')
 
 # Create a modified KDC environment and restart the KDC.
 def restart_kdc(realm, kdc_conf):
@@ -26,10 +37,10 @@ def restart_kdc(realm, kdc_conf):
 # With no KDC configuration besides [domain_realm], we should get a
 # referral for a NT-SRV-HST or NT-SRV-INST server name, but not an
 # NT-UNKNOWN or NT-PRINCIPAL server name.
-test(realm, 'srv-hst', True, 'srv-hst, no variables')
-test(realm, 'srv-inst', True, 'srv-inst, no variables')
-test(realm, 'principal', False, 'principal, no variables')
-test(realm, 'unknown', False, 'unknown, no variables')
+testref(realm, 'srv-hst')
+testref(realm, 'srv-inst')
+testfail(realm, 'principal')
+testfail(realm, 'unknown')
 
 # With host_based_services matching the first server name component
 # ("a"), we should get a referral for an NT-UNKNOWN server name.
@@ -38,49 +49,51 @@ test(realm, 'unknown', False, 'unknown, no variables')
 # NT-SRV-HST server names should be unaffected by host_based_services,
 # and NT-PRINCIPAL server names shouldn't get a referral regardless.
 restart_kdc(realm, {'kdcdefaults': {'host_based_services': '*'}})
-test(realm, 'unknown', True, 'unknown, kdcdefaults hostbased *')
-test(realm, 'principal', False, 'principal, kdcdefaults hostbased *')
+testref(realm, 'unknown')
+testfail(realm, 'principal')
 restart_kdc(realm, {'kdcdefaults': {'host_based_services': ['b', 'a,c']}})
-test(realm, 'unknown', True, 'unknown, kdcdefaults hostbased b and a,c')
+testref(realm, 'unknown')
 restart_kdc(realm, {'realms': {'$realm': {'host_based_services': 'a b c'}}})
-test(realm, 'unknown', True, 'unknown, realm hostbased a b c')
+testref(realm, 'unknown')
 restart_kdc(realm, {'kdcdefaults': {'host_based_services': 'a'},
                     'realms': {'$realm': {'host_based_services': 'b c'}}})
-test(realm, 'unknown', True, 'unknown, kdcdefaults hostbased a (w/ realm)')
+testref(realm, 'unknown')
 restart_kdc(realm, {'kdcdefaults': {'host_based_services': 'b,c'},
                     'realms': {'$realm': {'host_based_services': 'a,b'}}})
-test(realm, 'unknown', True, 'unknown, realm hostbased a,b (w/ kdcdefaults)')
+testref(realm, 'unknown')
 restart_kdc(realm, {'kdcdefaults': {'host_based_services': 'b,c'}})
-test(realm, 'unknown', False, 'unknown, kdcdefaults hostbased b,c')
-test(realm, 'srv-hst', True, 'srv-hst, kdcdefaults hostbased b,c')
+testfail(realm, 'unknown')
+testref(realm, 'srv-hst')
 
 # With no_host_referrals matching the first server name component, we
 # should not get a referral even for NT-SRV-HOST server names
 restart_kdc(realm, {'kdcdefaults': {'no_host_referral': '*'}})
-test(realm, 'srv-hst', False, 'srv-hst, kdcdefaults nohost *')
+testfail(realm, 'srv-hst')
 restart_kdc(realm, {'kdcdefaults': {'no_host_referral': ['b', 'a,c']}})
-test(realm, 'srv-hst', False, 'srv-hst, kdcdefaults nohost b and a,c')
+testfail(realm, 'srv-hst')
 restart_kdc(realm, {'realms': {'$realm': {'no_host_referral': 'a b c'}}})
-test(realm, 'srv-hst', False, 'srv-hst, realm nohost a b c')
+testfail(realm, 'srv-hst')
 restart_kdc(realm, {'kdcdefaults': {'no_host_referral': 'a'},
                     'realms': {'$realm': {'no_host_referral': 'b c'}}})
-test(realm, 'srv-hst', False, 'srv-hst, kdcdefaults nohost a (w/ realm)')
+testfail(realm, 'srv-hst')
 restart_kdc(realm, {'kdcdefaults': {'no_host_referral': 'b,c'},
                     'realms': {'$realm': {'no_host_referral': 'a,b'}}})
-test(realm, 'srv-hst', False, 'srv-hst, realm nohost a,b (w/ kdcdefaults)')
+testfail(realm, 'srv-hst')
 restart_kdc(realm, {'kdcdefaults': {'no_host_referral': 'b,c'}})
-test(realm, 'srv-hst', True, 'srv-hst, kdcdefaults nohost b,c')
+testref(realm, 'srv-hst')
 
 # no_host_referrals should override host_based_services for NT-UNKNWON
 # server names.
 restart_kdc(realm, {'kdcdefaults': {'no_host_referral': '*',
                                     'host_based_services': '*'}})
-test(realm, 'unknown', False, 'srv-hst, kdcdefaults nohost * hostbased *')
+testfail(realm, 'unknown')
+
+realm.stop()
+refrealm.stop()
 
 # Regression test for #7483: a KDC should not return a host referral
 # to its own realm.
 drealm = {'domain_realm': {'d': 'KRBTEST.COM'}}
-realm.stop()
 realm = K5Realm(kdc_conf=drealm, create_host=False)
 tracefile = os.path.join(realm.testdir, 'trace')
 realm.run(['env', 'KRB5_TRACE=' + tracefile, './gcred', 'srv-hst', 'a/x.d@'],
