krb5 commit: Add gss_import_cred_from client keytab test

Greg Hudson ghudson at MIT.EDU
Mon Apr 1 13:26:15 EDT 2013


https://github.com/krb5/krb5/commit/f43dfa88148724fb8a9543015c69fa1b2b24bb66
commit f43dfa88148724fb8a9543015c69fa1b2b24bb66
Author: Greg Hudson <ghudson at mit.edu>
Date:   Mon Apr 1 12:34:14 2013 -0400

    Add gss_import_cred_from client keytab test
    
    Modify t_credstore.c to be more flexible and adjust t_gssapi.py
    accordingly.  Add a test to t_client_keytab.py which acquires creds
    using a programmatically specified client keytab.
    
    ticket: 7598

 src/tests/gssapi/t_client_keytab.py |   16 ++++--
 src/tests/gssapi/t_credstore.c      |   95 ++++++++++++++++++-----------------
 src/tests/gssapi/t_gssapi.py        |    6 +--
 3 files changed, 63 insertions(+), 54 deletions(-)

diff --git a/src/tests/gssapi/t_client_keytab.py b/src/tests/gssapi/t_client_keytab.py
index 484aacd..ef27d5e 100644
--- a/src/tests/gssapi/t_client_keytab.py
+++ b/src/tests/gssapi/t_client_keytab.py
@@ -87,13 +87,21 @@ if int(out) < 1000:
     fail('Credentials apparently not refreshed')
 realm.run([kdestroy])
 
+# Test 11: gss_import_cred_from with client_keytab value
+store_keytab = os.path.join(realm.testdir, 'store_keytab')
+os.rename(realm.client_keytab, store_keytab)
+realm.run(['./t_credstore', '-i', 'p:' + realm.user_princ, 'client_keytab',
+           store_keytab])
+realm.klist(realm.user_princ)
+os.rename(store_keytab, realm.client_keytab)
+
 # Use a cache collection for the remaining tests.
 ccdir = os.path.join(realm.testdir, 'cc')
 ccname = 'DIR:' + ccdir
 os.mkdir(ccdir)
 realm.env['KRB5CCNAME'] = ccname
 
-# Test 11: name specified, matching cache in collection with no creds
+# Test 12: name specified, matching cache in collection with no creds
 bobcache = os.path.join(ccdir, 'tktbob')
 realm.run(['./ccinit', bobcache, bob])
 out = realm.run(['./t_ccselect', phost, pbob])
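Review bot: The comment on the added Test 11 names `gss_import_cred_from`, but the helper it runs calls `gss_acquire_cred_from` (visible in the t_credstore.c changes of this commit), so the label will mislead anyone searching the tests for coverage of that call. I would write `# Test 11: gss_acquire_cred_from with client_keytab cred store value`. The rename pair also deserves a why-comment above the first `os.rename`, for example `# Move the keytab out of the default client keytab location so only the cred store value can supply it.`; that appears to be the intent, but it is not stated anywhere in the hunk.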
@@ -101,7 +109,7 @@ if bob not in out:
     fail('Authenticated as wrong principal')
 # Leave tickets for next test.
 
-# Test 12: name specified, matching cache in collection, time to refresh
+# Test 13: name specified, matching cache in collection, time to refresh
 realm.run(['./ccrefresh', bobcache, '1'])
 out = realm.run(['./t_ccselect', phost, pbob])
 if bob not in out:
@@ -111,7 +119,7 @@ if int(out) < 1000:
     fail('Credentials apparently not refreshed')
 realm.run([kdestroy, '-A'])
 
-# Test 13: name specified, collection has default for different principal
+# Test 14: name specified, collection has default for different principal
 realm.kinit(realm.user_princ, password('user'))
 out = realm.run(['./t_ccselect', phost, pbob])
 if bob not in out:
@@ -121,7 +129,7 @@ if 'Default principal: %s\n' % realm.user_princ not in out:
     fail('Default cache overwritten by acquire_cred')
 realm.run([kdestroy, '-A'])
 
-# Test 14: name specified, collection has no default cache
+# Test 15: name specified, collection has no default cache
 out = realm.run(['./t_ccselect', phost, pbob])
 if bob not in out:
     fail('Authenticated as wrong principal')
diff --git a/src/tests/gssapi/t_credstore.c b/src/tests/gssapi/t_credstore.c
index 085bc79..a5b851d 100644
--- a/src/tests/gssapi/t_credstore.c
+++ b/src/tests/gssapi/t_credstore.c
@@ -33,7 +33,7 @@ static void
 usage(void)
 {
     fprintf(stderr,
-            "Usage: t_credstore principal [--cred_store {key value} ...]\n");
+            "Usage: t_credstore [-sabi] principal [{key value} ...]\n");
     exit(1);
 }
 
@@ -42,63 +42,66 @@ main(int argc, char *argv[])
 {
     OM_uint32 minor, major;
     gss_key_value_set_desc store;
-    gss_buffer_desc buf;
-    gss_name_t service = GSS_C_NO_NAME;
+    gss_name_t name;
+    gss_cred_usage_t cred_usage = GSS_C_BOTH;
+    gss_OID_set mechs = GSS_C_NO_OID_SET;
     gss_cred_id_t cred = GSS_C_NO_CREDENTIAL;
-    int i, e;
-
-    if (argc < 2 || ((argc - 3) % 2))
-        usage();
-
-    store.count = (argc - 3) / 2;
-    store.elements = calloc(store.count,
-                            sizeof(struct gss_key_value_element_struct));
-    if (!store.elements) {
-        fprintf(stderr, "OOM\n");
-        exit(1);
+    krb5_boolean store_creds = FALSE;
+    char opt;
+
+    /* Parse options. */
+    for (argv++; *argv != NULL && **argv == '-'; argv++) {
+        opt = (*argv)[1];
+        if (opt == 's')
+            store_creds = TRUE;
+        else if (opt == 'a')
+            cred_usage = GSS_C_ACCEPT;
+        else if (opt == 'b')
+            cred_usage = GSS_C_BOTH;
+        else if (opt == 'i')
+            cred_usage = GSS_C_INITIATE;
+        else
+            usage();
     }
 
-    if (argc > 2) {
-        if (strcmp(argv[2], "--cred_store") != 0)
+    /* Get the principal name. */
+    if (*argv == NULL)
+        usage();
+    name = import_name(*argv++);
+
+    /* Put any remaining arguments into the store. */
+    store.elements = calloc(argc, sizeof(struct gss_key_value_element_struct));
+    if (!store.elements)
+        errout("OOM");
+    store.count = 0;
+    while (*argv != NULL) {
+        if ((*argv + 1) == NULL)
             usage();
-
-        for (i = 3, e = 0; i < argc; i += 2, e++) {
-            store.elements[e].key = argv[i];
-            store.elements[e].value = argv[i + 1];
-            continue;
-        }
+        store.elements[store.count].key = *argv;
+        store.elements[store.count].value = *(argv + 1);
+        store.count++;
+        argv += 2;
     }
 
-    /* First acquire default creds and try to store them in the cred store. */
-
-    major = gss_acquire_cred(&minor, GSS_C_NO_NAME, 0, GSS_C_NO_OID_SET,
-                             GSS_C_INITIATE, &cred, NULL, NULL);
-    check_gsserr("gss_acquire_cred", major, minor);
+    if (store_creds) {
+        /* Acquire default creds and try to store them in the cred store. */
+        major = gss_acquire_cred(&minor, GSS_C_NO_NAME, 0, GSS_C_NO_OID_SET,
+                                 GSS_C_INITIATE, &cred, NULL, NULL);
+        check_gsserr("gss_acquire_cred", major, minor);
 
-    major = gss_store_cred_into(&minor, cred, GSS_C_INITIATE,
-                                GSS_C_NO_OID, 1, 0, &store, NULL, NULL);
-    check_gsserr("gss_store_cred_into", major, minor);
+        major = gss_store_cred_into(&minor, cred, GSS_C_INITIATE,
+                                    GSS_C_NO_OID, 1, 0, &store, NULL, NULL);
+        check_gsserr("gss_store_cred_into", major, minor);
 
-    gss_release_cred(&minor, &cred);
-
-    /* Then try to acquire creds from store. */
-
-    buf.value = argv[1];
-    buf.length = strlen(argv[1]);
-
-    major = gss_import_name(&minor, &buf,
-                            (gss_OID)GSS_KRB5_NT_PRINCIPAL_NAME,
-                            &service);
-    check_gsserr("gss_import_name", major, minor);
+        gss_release_cred(&minor, &cred);
+    }
 
-    major = gss_acquire_cred_from(&minor, service,
-                                  0, GSS_C_NO_OID_SET, GSS_C_BOTH,
+    /* Try to acquire creds from store. */
+    major = gss_acquire_cred_from(&minor, name, 0, mechs, cred_usage,
                                   &store, &cred, NULL, NULL);
     check_gsserr("gss_acquire_cred_from", major, minor);
 
-    fprintf(stdout, "Cred Store Success\n");
-
-    gss_release_name(&minor, &service);
+    gss_release_name(&minor, &name);
     gss_release_cred(&minor, &cred);
     free(store.elements);
     return 0;
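Review bot: In the key/value loop, `if ((*argv + 1) == NULL)` does pointer arithmetic on the string `*argv` instead of looking at the next argv slot, so the condition is never true. With an odd number of trailing arguments the loop stores a NULL value in the store, and `argv += 2` then steps past argv's terminating NULL, so the next `*argv` read is out of bounds instead of reaching usage(). The check should be `if (*(argv + 1) == NULL)`. main() starts before this hunk and its closing brace is outside it.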
diff --git a/src/tests/gssapi/t_gssapi.py b/src/tests/gssapi/t_gssapi.py
index 5f1d5d1..de778cc 100755
--- a/src/tests/gssapi/t_gssapi.py
+++ b/src/tests/gssapi/t_gssapi.py
@@ -85,10 +85,8 @@ service_cs = 'service/cs@%s' % realm.realm
 realm.addprinc(service_cs)
 realm.extract_keytab(service_cs, servicekeytab)
 realm.kinit(service_cs, None, ['-k', '-t', servicekeytab])
-output = realm.run(['./t_credstore', service_cs, '--cred_store',
-                    'ccache', storagecache, 'keytab', servicekeytab])
-if 'Cred Store Success' not in output:
-    fail('Expected test to succeed')
+realm.run(['./t_credstore', '-s', 'p:' + service_cs, 'ccache', storagecache,
+           'keytab', servicekeytab])
 
 # Verify that we can't acquire acceptor creds without a keytab.
 os.remove(realm.keytab)

