krb5 commit: Add tests for gss_inquire_cred

Greg Hudson ghudson at MIT.EDU
Fri Aug 10 13:06:05 EDT 2012


https://github.com/krb5/krb5/commit/90da8924df96a682eca6c43ad8e36aeb5ac7ddab
commit 90da8924df96a682eca6c43ad8e36aeb5ac7ddab
Author: Greg Hudson <ghudson at mit.edu>
Date:   Fri Aug 10 13:04:06 2012 -0400

    Add tests for gss_inquire_cred
    
    Now that we're doing a kind of deferred credential acquisition for
    krb5, the behavior of gss_inquire_cred is a bit more subtle because
    (per RFC 2743 section 2.1.4) we have to choose a credential cache or
    acceptor name sooner than we would otherwise do so.  Add a C program
    to invoke gss_acquire_cred/gss_inquire_cred and some Python tests
    using it.

 src/tests/gssapi/Makefile.in  |    8 +-
 src/tests/gssapi/t_gssapi.py  |   43 ++++++++++
 src/tests/gssapi/t_inq_cred.c |  173 +++++++++++++++++++++++++++++++++++++++++
 3 files changed, 221 insertions(+), 3 deletions(-)

diff --git a/src/tests/gssapi/Makefile.in b/src/tests/gssapi/Makefile.in
index 32cf7d5..9238600 100644
--- a/src/tests/gssapi/Makefile.in
+++ b/src/tests/gssapi/Makefile.in
@@ -15,8 +15,8 @@ OBJS=	t_accname.o t_ccselect.o t_imp_cred.o t_imp_name.o t_s4u.o \
 all:: t_accname t_ccselect t_imp_cred t_imp_name t_s4u t_s4u2proxy_krb5 \
 	t_namingexts t_gssexts t_spnego t_saslname t_credstore
 
-check-pytests:: t_accname t_ccselect t_imp_cred t_spnego t_s4u2proxy_krb5 \
-	t_s4u ccinit ccrefresh
+check-pytests:: t_accname t_ccselect t_imp_cred t_inq_cred t_spnego \
+	t_s4u2proxy_krb5 t_s4u ccinit ccrefresh
 	$(RUNPYTEST) $(srcdir)/t_gssapi.py $(PYTESTFLAGS)
 	$(RUNPYTEST) $(srcdir)/t_ccselect.py $(PYTESTFLAGS)
 	$(RUNPYTEST) $(srcdir)/t_s4u.py $(PYTESTFLAGS)
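Review bot: The new t_inq_cred binary is added only to the `check-pytests::` prerequisites (lines with `t_inq_cred t_spnego`), while the `all::` target two lines above still lists every other test program except it, so a plain `make` in this directory will not build it and it is only compiled as a side effect of running the tests. The `all::` line should read `all:: t_accname t_ccselect t_imp_cred t_imp_name t_inq_cred t_s4u t_s4u2proxy_krb5 \`. The hunk header also shows `OBJS=` starting with the other `t_*.o` files, but that assignment is outside the hunk, so I cannot tell whether `t_inq_cred.o` was added there; if it was not, dependency generation will skip the new source as well.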
@@ -34,6 +34,8 @@ t_imp_cred: t_imp_cred.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS)
 	$(CC_LINK) -o t_imp_cred t_imp_cred.o $(GSS_LIBS) $(KRB5_BASE_LIBS)
 t_imp_name: t_imp_name.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS)
 	$(CC_LINK) -o t_imp_name t_imp_name.o $(GSS_LIBS) $(KRB5_BASE_LIBS)
+t_inq_cred: t_inq_cred.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS)
+	$(CC_LINK) -o t_inq_cred t_inq_cred.o $(GSS_LIBS) $(KRB5_BASE_LIBS)
 t_s4u: t_s4u.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS)
 	$(CC_LINK) -o t_s4u t_s4u.o $(GSS_LIBS) $(KRB5_BASE_LIBS)
 t_s4u2proxy_krb5: t_s4u2proxy_krb5.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS)
@@ -50,6 +52,6 @@ t_credstore: t_credstore.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS)
 	$(CC_LINK) -o t_credstore t_credstore.o $(GSS_LIBS) $(KRB5_BASE_LIBS)
 
 clean::
-	$(RM) t_accname t_ccselect t_imp_cred t_imp_name t_s4u \
+	$(RM) t_accname t_ccselect t_imp_cred t_imp_name t_inq_cred t_s4u \
 		t_s4u2proxy_krb5 t_namingexts t_gssexts t_spnego \
 		t_saslname t_credstore
diff --git a/src/tests/gssapi/t_gssapi.py b/src/tests/gssapi/t_gssapi.py
index 005d2d2..4900bd6 100755
--- a/src/tests/gssapi/t_gssapi.py
+++ b/src/tests/gssapi/t_gssapi.py
@@ -113,4 +113,47 @@ output = realm.run_as_client(['./t_accname', 'host/-nomatch-',
 if 'host/-nomatch-' not in output:
     fail('Expected host/-nomatch- in t_accname output')
 
+realm.stop()
+
+### Test gss_inquire_cred behavior.
+
+realm = K5Realm()
+
+# Test deferred resolution of the default ccache for initiator creds.
+output = realm.run_as_client(['./t_inq_cred'])
+if realm.user_princ not in output:
+    fail('Expected %s in t_inq_cred output' % realm.user_princ)
+output = realm.run_as_client(['./t_inq_cred', '-k'])
+if realm.user_princ not in output:
+    fail('Expected %s in t_inq_cred output' % realm.user_princ)
+output = realm.run_as_client(['./t_inq_cred', '-s'])
+if realm.user_princ not in output:
+    fail('Expected %s in t_inq_cred output' % realm.user_princ)
+
+# Test picking a name from the keytab for acceptor creds.
+output = realm.run_as_client(['./t_inq_cred', '-a'])
+if realm.host_princ not in output:
+    fail('Expected %s in t_inq_cred output' % realm.host_princ)
+output = realm.run_as_client(['./t_inq_cred', '-k', '-a'])
+if realm.host_princ not in output:
+    fail('Expected %s in t_inq_cred output' % realm.host_princ)
+output = realm.run_as_client(['./t_inq_cred', '-s', '-a'])
+if realm.host_princ not in output:
+    fail('Expected %s in t_inq_cred output' % realm.host_princ)
+
+# Test client keytab initiation (non-deferred) with a specified name.
+realm.extract_keytab(realm.user_princ, realm.client_keytab)
+os.remove(realm.ccache)
+output = realm.run_as_client(['./t_inq_cred', '-k'])
+if realm.user_princ not in output:
+    fail('Expected %s in t_inq_cred output' % realm.user_princ)
+
+# Test deferred client keytab initiation and GSS_C_BOTH cred usage.
+os.remove(realm.client_keytab)
+os.remove(realm.ccache)
+shutil.copyfile(realm.keytab, realm.client_keytab)
+output = realm.run_as_client(['./t_inq_cred', '-k', '-b'])
+if realm.host_princ not in output:
+    fail('Expected %s in t_inq_cred output' % realm.host_princ)
+
 success('GSSAPI tests')
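Review bot: Every new check uses a bare substring test, `realm.user_princ not in output`, so the assertion would also be satisfied by the principal appearing in a diagnostic or error line rather than in the `name: ` line that t_inq_cred prints, and the same three-line pattern is repeated eight times. A small helper that builds the argument list, matches on the `name: ` prefix and reports which invocation failed makes each case one line and tightens the check at the same time. The hunk also calls `os.remove` and `shutil.copyfile`; the top of t_gssapi.py is outside this hunk, so confirm that `os` and `shutil` are already imported there.
```python
def check_inq_cred(args, expected):
    output = realm.run_as_client(['./t_inq_cred'] + args)
    if ('name: ' + expected) not in output:
        fail('Expected name %s in t_inq_cred %s output' % (expected, args))

# … unchanged: realm setup and keytab/ccache manipulation …
check_inq_cred([], realm.user_princ)
check_inq_cred(['-k', '-a'], realm.host_princ)
```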
diff --git a/src/tests/gssapi/t_inq_cred.c b/src/tests/gssapi/t_inq_cred.c
new file mode 100644
index 0000000..5070a23
--- /dev/null
+++ b/src/tests/gssapi/t_inq_cred.c
@@ -0,0 +1,173 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* tests/gssapi/t_inq_cred.c - Test program for gss_inquire_cred behavior */
+/*
+ * Copyright 2012 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ *   require a specific license from the United States Government.
+ *   It is the responsibility of any person or organization contemplating
+ *   export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ */
+
+/*
+ * Test program for gss_inquire_cred, intended to be run from a Python test
+ * script.  Acquires credentials, inquires them, and prints the resulting name
+ * and lifetime.
+ *
+ * Usage: ./t_inq_cred [-k|-s] [-a|-b|-i] [initiatorprinc|gss:service at host]
+ *
+ * By default no mechanism is specified when acquiring credentials; -k
+ * indicates the krb5 mech and -s indicates SPNEGO.  By default or with -i,
+ * initiator credentials are acquired; -a indicates acceptor credentials and -b
+ * indicates credentials of both types.  The credential is acquired with no
+ * name by default; a krb5 principal name or host-based name (prefixed with
+ * "gss:") may be supplied as an argument.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <gssapi/gssapi_krb5.h>
+
+static gss_OID_desc spnego_mech = { 6, "\053\006\001\005\005\002" };
+
+static void
+display_status_1(const char *m, OM_uint32 code, int type)
+{
+    OM_uint32 maj_stat, min_stat;
+    gss_buffer_desc msg;
+    OM_uint32 msg_ctx;
+
+    msg_ctx = 0;
+    while (1) {
+        maj_stat = gss_display_status(&min_stat, code,
+                                      type, GSS_C_NULL_OID,
+                                      &msg_ctx, &msg);
+        fprintf(stderr, "%s: %s\n", m, (char *)msg.value);
+        (void) gss_release_buffer(&min_stat, &msg);
+
+        if (!msg_ctx)
+            break;
+    }
+}
+
+static void
+gsserr(const char *msg, OM_uint32 maj_stat, OM_uint32 min_stat)
+{
+    display_status_1(msg, maj_stat, GSS_C_GSS_CODE);
+    display_status_1(msg, min_stat, GSS_C_MECH_CODE);
+    exit(1);
+}
+
+static void
+usage(const char *progname)
+{
+    fprintf(stderr,
+            "Usage: %s [-k|-s] [-a|-b|-i] [princ|gss:service at host|-]\n",
+            progname);
+    exit(1);
+}
+
+int
+main(int argc, char *argv[])
+{
+    OM_uint32 minor, major, lifetime;
+    gss_cred_usage_t cred_usage = GSS_C_INITIATE;
+    gss_OID mech = GSS_C_NO_OID;
+    gss_OID_set_desc mechs;
+    gss_OID_set mechset = GSS_C_NO_OID_SET;
+    gss_cred_id_t cred = GSS_C_NO_CREDENTIAL;
+    gss_name_t name = GSS_C_NO_NAME;
+    gss_buffer_desc buf;
+    const char *name_arg = NULL;
+    char opt;
+
+    while (argc > 1 && argv[1][0] == '-') {
+        opt = argv[1][1];
+        argc--, argv++;
+        if (opt == 'a')
+            cred_usage = GSS_C_ACCEPT;
+        else if (opt == 'b')
+            cred_usage = GSS_C_BOTH;
+        else if (opt == 'i')
+            cred_usage = GSS_C_INITIATE;
+        else if (opt == 'k')
+            mech = (gss_OID)gss_mech_krb5;
+        else if (opt == 's')
+            mech = &spnego_mech;
+        else
+            usage(argv[0]);
+    }
+    if (argc > 2)
+        usage(argv[0]);
+    if (argc > 1)
+        name_arg = argv[1];
+
+    /* Import the name, if given. */
+    if (name_arg != NULL && strncmp(name_arg, "gss:", 4) == 0) {
+        /* Import as host-based service. */
+        buf.value = (char *)name_arg + 4;
+        buf.length = strlen((char *)buf.value);
+        major = gss_import_name(&minor, &buf,
+                                (gss_OID)GSS_C_NT_HOSTBASED_SERVICE, &name);
+        if (GSS_ERROR(major))
+            gsserr("gss_import_name", major, minor);
+    } else if (name_arg != NULL) {
+        /* Import as krb5 principal name. */
+        buf.value = (char *)name_arg;
+        buf.length = strlen((char *)buf.value);
+        major = gss_import_name(&minor, &buf,
+                                (gss_OID)GSS_KRB5_NT_PRINCIPAL_NAME, &name);
+        if (GSS_ERROR(major))
+            gsserr("gss_import_name", major, minor);
+    }
+
+    if (mech != GSS_C_NO_OID) {
+        mechs.elements = mech;
+        mechs.count = 1;
+        mechset = &mechs;
+    }
+
+    /* Acquire a credential. */
+    major = gss_acquire_cred(&minor, name, GSS_C_INDEFINITE, mechset,
+                             cred_usage, &cred, NULL, NULL);
+    if (GSS_ERROR(major))
+        gsserr("gss_acquire_cred", major, minor);
+
+    /* Inquire about the credential. */
+    (void)gss_release_name(&minor, &name);
+    major = gss_inquire_cred(&minor, cred, &name, &lifetime, NULL, NULL);
+    if (GSS_ERROR(major))
+        gsserr("gss_inquire_cred", major, minor);
+
+    /* Get a display form of the name. */
+    buf.value = NULL;
+    buf.length = 0;
+    major = gss_display_name(&minor, name, &buf, NULL);
+    if (GSS_ERROR(major))
+        gsserr("gss_display_name", major, minor);
+
+    printf("name: %.*s\n", (int)buf.length, (char *)buf.value);
+    printf("lifetime: %d\n", (int)lifetime);
+
+    (void)gss_release_cred(&minor, &cred);
+    (void)gss_release_name(&minor, &name);
+    (void)gss_release_buffer(&minor, &buf);
+    return 0;
+}
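Review bot: display_status_1 prints and releases `msg` without looking at the status returned by gss_display_status, so if that call fails `msg.value` is whatever was on the stack and the `%s` in the fprintf dereferences it; `gss_release_buffer` is then called on the same uninitialized buffer. Insert `if (GSS_ERROR(maj_stat)) break;` directly after the gss_display_status call and before the fprintf, so an undisplayable code ends the loop without touching `msg`; gsserr still exits with status 1 afterwards. Separately, the message in `usage` lists `-` as an accepted name argument, but the option loop in main consumes every argument whose first character is `-`, so a bare `-` yields `opt == '\0'` and falls into `usage(argv[0])`; the header comment above the includes does not mention `-` either, so dropping `|-` from the usage string keeps the two in agreement.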

