svn rev #25807: trunk/ doc/rst_source/krb_admins/admin_commands/ src/kdc/ src/tests/

ghudson@MIT.EDU ghudson at MIT.EDU
Mon Apr 16 23:19:12 EDT 2012


http://src.mit.edu/fisheye/changelog/krb5/?cs=25807
Commit By: ghudson
Log Message:
Add clock skew tests

Add a KDC option (-T) to run with a time offset, and use that to
test kdc_timesync behavior.


Changed Files:
U   trunk/doc/rst_source/krb_admins/admin_commands/krb5kdc.rst
U   trunk/src/kdc/main.c
U   trunk/src/tests/Makefile.in
A   trunk/src/tests/t_skew.py
Modified: trunk/doc/rst_source/krb_admins/admin_commands/krb5kdc.rst
===================================================================
--- trunk/doc/rst_source/krb_admins/admin_commands/krb5kdc.rst	2012-04-17 03:19:07 UTC (rev 25806)
+++ trunk/doc/rst_source/krb_admins/admin_commands/krb5kdc.rst	2012-04-17 03:19:12 UTC (rev 25807)
@@ -17,6 +17,7 @@
 [**-n**]
 [**-w** *numworkers*]
 [**-P** *pid_file*]
+[**-T** *time_offset*]
 
 
 DESCRIPTION
@@ -99,6 +100,8 @@
         password using the **stashsrvpw** command of
         :ref:`kdb5_ldap_util(8)`.
 
+The **-T** *offset* option specifies a time offset, in seconds, which
+the KDC will operate under.  It is intended only for testing purposes.
 
 EXAMPLE
 -------

Modified: trunk/src/kdc/main.c
===================================================================
--- trunk/src/kdc/main.c	2012-04-17 03:19:07 UTC (rev 25806)
+++ trunk/src/kdc/main.c	2012-04-17 03:19:12 UTC (rev 25807)
@@ -86,6 +86,7 @@
 
 static int nofork = 0;
 static int workers = 0;
+static int time_offset = 0;
 static const char *pid_file = NULL;
 static int rkey_init_done = 0;
 static volatile int signal_received = 0;
@@ -293,6 +294,8 @@
         kdc_err(NULL, kret, _("while getting context for realm %s"), realm);
         goto whoops;
     }
+    if (time_offset != 0)
+        (void)krb5_set_time_offsets(rdp->realm_context, time_offset, 0);
 
     kret = krb5_read_realm_params(rdp->realm_context, rdp->realm_name,
                                   &rparams);
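Review bot: The added `krb5_set_time_offsets()` call applies the offset silently: its return value is cast to void and nothing is logged, so a KDC started with `-T` is indistinguishable from a normal one in its logs. The option is documented as test-only, and a shifted KDC clock changes every timestamp the realm issues and checks. I would therefore store the result in `kret`, handle failure with the same `kdc_err(...)` / `goto whoops` pattern used just above, and log the active offset once per realm. The enclosing function starts and ends outside this hunk, so whether jumping to `whoops` is safe at this point should be confirmed there.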
@@ -733,7 +736,7 @@
      * Loop through the option list.  Each time we encounter a realm name,
      * use the previously scanned options to fill in for defaults.
      */
-    while ((c = getopt(argc, argv, "x:r:d:mM:k:R:e:P:p:s:nw:4:X3")) != -1) {
+    while ((c = getopt(argc, argv, "x:r:d:mM:k:R:e:P:p:s:nw:4:T:X3")) != -1) {
         switch(c) {
         case 'x':
             db_args_size++;
@@ -845,6 +848,9 @@
             default_tcp_ports = strdup(optarg);
 #endif
             break;
+        case 'T':
+            time_offset = atoi(optarg);
+            break;
         case '4':
             break;
         case 'X':
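Review bot: `time_offset = atoi(optarg);` in the new `case 'T'` accepts any string. Non-numeric input silently becomes 0 (no offset, no error), trailing junk is ignored, and an out-of-range value is undefined behaviour for `atoi`. For a value that shifts the KDC's clock, parse with `strtol`, require the whole argument to be consumed, and range-check before narrowing to `int`. Reject bad input through whatever error path the other option cases use; the rest of the switch is outside this hunk. The sketch below needs `<errno.h>` and `<limits.h>` if main.c does not already include them.

```c
        case 'T': {
            char *end;
            long off;

            errno = 0;
            off = strtol(optarg, &end, 10);
            if (errno != 0 || end == optarg || *end != '\0' ||
                off < INT_MIN || off > INT_MAX) {
                /* report the bad -T value and exit, as the other option errors do */
            }
            time_offset = (int)off;
            break;
        }
        /* … unchanged: case '4', case 'X' … */
```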

Modified: trunk/src/tests/Makefile.in
===================================================================
--- trunk/src/tests/Makefile.in	2012-04-17 03:19:07 UTC (rev 25806)
+++ trunk/src/tests/Makefile.in	2012-04-17 03:19:12 UTC (rev 25807)
@@ -71,6 +71,7 @@
 	$(RUNPYTEST) $(srcdir)/t_cccol.py $(PYTESTFLAGS)
 	$(RUNPYTEST) $(srcdir)/t_stringattr.py $(PYTESTFLAGS)
 	$(RUNPYTEST) $(srcdir)/t_crossrealm.py $(PYTESTFLAGS)
+	$(RUNPYTEST) $(srcdir)/t_skew.py $(PYTESTFLAGS)
 #	$(RUNPYTEST) $(srcdir)/kdc_realm/kdcref.py $(PYTESTFLAGS)
 
 clean::

Added: trunk/src/tests/t_skew.py
===================================================================
--- trunk/src/tests/t_skew.py	                        (rev 0)
+++ trunk/src/tests/t_skew.py	2012-04-17 03:19:12 UTC (rev 25807)
@@ -0,0 +1,38 @@
+#!/usr/bin/python
+from k5test import *
+
+# Create a realm with the KDC one hour in the past.
+realm = K5Realm(start_kadmind=False, start_kdc=False)
+realm.start_kdc(['-T', '-3600'])
+
+# kinit (no preauth) should work, and should set a clock skew allowing
+# kvno to work, with or without FAST.
+realm.kinit(realm.user_princ, password('user'))
+realm.run_as_client([kvno, realm.host_princ])
+realm.kinit(realm.user_princ, password('user'), flags=['-T', realm.ccache])
+realm.run_as_client([kvno, realm.host_princ])
+realm.run_as_client([kdestroy])
+
+# kinit (with preauth) should fail.
+realm.run_kadminl('modprinc +requires_preauth user')
+realm.kinit(realm.user_princ, password('user'), expected_code=1)
+
+realm.stop()
+
+# Repeat the above tests with kdc_timesync disabled.
+conf = {'all': {'libdefaults': {'kdc_timesync': '0'}}}
+realm = K5Realm(start_kadmind=False, start_kdc=False, krb5_conf=conf)
+realm.start_kdc(['-T', '-3600'])
+
+# kinit (no preauth) should work, but kvno should not.  kinit with
+# FAST should also fail since the armor AP-REQ won't be valid.
+realm.kinit(realm.user_princ, password('user'))
+realm.run_as_client([kvno, realm.host_princ], expected_code=1)
+realm.kinit(realm.user_princ, password('user'), flags=['-T', realm.ccache],
+            expected_code=1)
+
+# kinit (with preauth) should fail.
+realm.run_kadminl('modprinc +requires_preauth user')
+realm.kinit(realm.user_princ, password('user'), expected_code=1)
+
+success('Clock skew tests')
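Review bot: Every negative case in this file is asserted only with `expected_code=1`, so the test passes on any kinit or kvno failure (wrong password, KDC not running, unusable ccache), not specifically on a clock-skew rejection. If the k5test helpers return the command output, capture it and check the error text, e.g. `out = realm.kinit(realm.user_princ, password('user'), expected_code=1)` followed by `if 'Clock skew too great' not in out: fail('expected clock skew error')`; the exact message should be confirmed per case. The file also exercises only a KDC one hour behind the client. A run with `-T 3600` and one with an offset just inside the permitted skew would cover the other side of the check.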


