krb5 commit: Add tests for client principal aliases

Greg Hudson ghudson at mit.edu
Mon Apr 13 17:43:42 EDT 2015


https://github.com/krb5/krb5/commit/2098124705cdc7abd5321e1dee32dc843547eab3
commit 2098124705cdc7abd5321e1dee32dc843547eab3
Author: Greg Hudson <ghudson at mit.edu>
Date:   Wed Apr 8 12:09:09 2015 -0400

    Add tests for client principal aliases
    
    Augment the LDAP KDB module tests to include client principal aliases
    as well as server principal aliases.  Also revise the server principal
    alias tests to include an AS-REQ case.  (This requires adjusting the
    subsequent test not to assume a ccache containing a TGT.)

 src/tests/t_kdb.py |   21 +++++++++++++++++----
 1 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/src/tests/t_kdb.py b/src/tests/t_kdb.py
index 56595db..28c672c 100755
--- a/src/tests/t_kdb.py
+++ b/src/tests/t_kdb.py
@@ -274,7 +274,7 @@ realm.run([kvno, realm.host_princ])
 realm.klist(realm.user_princ, realm.host_princ)
 
 # Test service principal aliases.
-realm.addprinc('canon')
+realm.addprinc('canon', password('canon'))
 ldap_modify('dn: krbPrincipalName=canon at KRBTEST.COM,cn=t1,cn=krb5\n'
             'changetype: modify\n'
             'add: krbPrincipalName\n'
@@ -293,6 +293,8 @@ realm.run([kvno, 'canon'])
 out = realm.run([klist])
 if 'alias at KRBTEST.COM\n' not in out or 'canon at KRBTEST.COM' not in out:
     fail('After fetching alias and canon, klist is missing one or both')
+realm.kinit(realm.user_princ, password('user'), ['-S', 'alias'])
+realm.klist(realm.user_princ, 'alias at KRBTEST.COM')
 
 # Make sure an alias to the local TGS is still treated like an alias.
 ldap_modify('dn: krbPrincipalName=krbtgt/KRBTEST.COM at KRBTEST.COM,'
@@ -306,10 +308,9 @@ ldap_modify('dn: krbPrincipalName=krbtgt/KRBTEST.COM at KRBTEST.COM,'
 out = realm.run([kadminl, 'getprinc', 'tgtalias'])
 if 'Principal: krbtgt/KRBTEST.COM at KRBTEST.COM' not in out:
     fail('Could not fetch krbtgt through tgtalias')
+realm.kinit(realm.user_princ, password('user'))
 realm.run([kvno, 'tgtalias'])
-out = realm.run([klist])
-if 'tgtalias at KRBTEST.COM\n' not in out:
-    fail('After fetching tgtalias, klist is missing it')
+realm.klist(realm.user_princ, 'tgtalias at KRBTEST.COM')
 
 # Make sure aliases work in header tickets.
 realm.run([kadminl, 'modprinc', '-maxrenewlife', '3 hours', 'user'])
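Review bot: The added `realm.kinit(realm.user_princ, password('user'))` ahead of `kvno tgtalias` has no comment saying why a fresh login is needed at this point. Only the commit message explains that the earlier `kinit -S alias` leaves the ccache without a TGT. A one-line comment above the call, such as `# The AS-REQ alias test above left no TGT in the ccache; get a new one.`, would keep a later cleanup from removing it as redundant. The statement run this belongs to starts before the hunk.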
@@ -320,6 +321,18 @@ realm.run([kvno, 'alias'])
 realm.kinit(realm.user_princ, flags=['-R', '-S', 'alias'])
 realm.klist(realm.user_princ, 'alias at KRBTEST.COM')
 
+# Test client principal aliases, with and without preauth.
+realm.kinit('canon', password('canon'))
+out = realm.kinit('alias', password('canon'), expected_code=1)
+if 'not found in Kerberos database' not in out:
+    fail('Wrong error message for kinit to alias without -C flag')
+realm.kinit('alias', password('canon'), ['-C'])
+realm.run([kvno, 'alias'])
+realm.klist('canon at KRBTEST.COM', 'alias at KRBTEST.COM')
+realm.run([kadminl, 'modprinc', '+requires_preauth', 'canon'])
+realm.kinit('canon', password('canon'))
+realm.kinit('alias', password('canon'), ['-C'])
+
 # Regression test for #7980 (fencepost when dividing keys up by kvno).
 realm.run([kadminl, 'addprinc', '-randkey', '-e', 'aes256-cts,aes128-cts',
            'kvnoprinc'])
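Review bot: The preauth half of the client-alias test (the two `kinit` calls after `modprinc +requires_preauth`) asserts less than the non-preauth half above it. It never repeats the `expected_code=1` attempt on `alias` without `-C`, and it never checks which principal ended up in the ccache. Alias resolution decides which identity the client is authenticated as, so both paths are worth pinning: repeat `out = realm.kinit('alias', password('canon'), expected_code=1)` with its message check (presumably the same error text, to be confirmed) before the final `-C` call, and add `realm.klist('canon@KRBTEST.COM')` after it (the archive renders `@` as ` at `). Note also that `requires_preauth` stays set on `canon` and the ccache holds `canon` credentials for whatever follows. The next visible test only uses `kadminl`, but the script continues outside the hunk.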

