krb5 commit: Add tests for AD-SIGNTICKET corner cases

Greg Hudson ghudson at mit.edu
Mon Jun 15 16:44:01 EDT 2015


https://github.com/krb5/krb5/commit/1f2060ee1793f1acea81acefa6a8b1e0da4203ce
commit 1f2060ee1793f1acea81acefa6a8b1e0da4203ce
Author: Greg Hudson <ghudson at mit.edu>
Date:   Mon Mar 2 19:19:19 2015 -0500

    Add tests for AD-SIGNTICKET corner cases
    
    Test situations where the previous AD-SIGNTICKET logic would not use
    the same key to create and verify the AD-SIGNTICKET data.  Also test a
    case which forces the new verification logic to try multiple krbtgt
    versions.
    
    ticket: 8139

 src/tests/gssapi/t_s4u.py |   31 +++++++++++++++++++++++++++++++
 1 files changed, 31 insertions(+), 0 deletions(-)

diff --git a/src/tests/gssapi/t_s4u.py b/src/tests/gssapi/t_s4u.py
index 2ac2fa7..5a2b807 100755
--- a/src/tests/gssapi/t_s4u.py
+++ b/src/tests/gssapi/t_s4u.py
@@ -111,4 +111,35 @@ if 'auth1: user@' not in out or 'auth2: user@' not in out:
 # Successful S4U2Self -> S4U2Proxy.
 out = realm.run(['./t_s4u', puser, pservice2])
 
+# Regression test for #8139: get a user ticket directly for service1 and
+# try krb5 -> S4U2Proxy.
+realm.kinit(realm.user_princ, None, ['-f', '-k', '-c', usercache,
+                                     '-t', userkeytab, '-S', service1])
+out = realm.run(['./t_s4u2proxy_krb5', usercache, storagecache, '-',
+                 pservice1, pservice2])
+if 'auth1: user@' not in out or 'auth2: user@' not in out:
+    fail('krb5 -> s4u2proxy')
+
+# Simulate a krbtgt rollover and verify that the user ticket can still
+# be validated.
+realm.stop_kdc()
+newtgt_keys = ['2 aes128-cts', '1 aes128-cts']
+newtgt_princs = {'krbtgt/KRBTEST.COM': {'keys': newtgt_keys}}
+newtgt_conf = {'dbmodules': {'test': {'princs': newtgt_princs}}}
+newtgt_env = realm.special_env('newtgt', True, kdc_conf=newtgt_conf)
+realm.start_kdc(env=newtgt_env)
+out = realm.run(['./t_s4u2proxy_krb5', usercache, storagecache, '-',
+                 pservice1, pservice2])
+if 'auth1: user@' not in out or 'auth2: user@' not in out:
+    fail('krb5 -> s4u2proxy')
+
+# Get a user ticket after the krbtgt rollover and verify that
+# S4U2Proxy delegation works (also a #8139 regression test).
+realm.kinit(realm.user_princ, None, ['-f', '-k', '-c', usercache,
+                                     '-t', userkeytab])
+out = realm.run(['./t_s4u2proxy_krb5', usercache, storagecache, '-',
+                 pservice1, pservice2])
+if 'auth1: user@' not in out or 'auth2: user@' not in out:
+    fail('krb5 -> s4u2proxy')
+
 success('S4U test cases')
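Review bot: The three new regression checks all report the same string, `fail('krb5 -> s4u2proxy')`, so a failure would not say which case broke — the direct-service-ticket case, the pre-rollover ticket validated after the krbtgt key change, or the fresh ticket obtained after the rollover; distinct messages such as `fail('krb5 -> s4u2proxy (direct service ticket)')`, `fail('krb5 -> s4u2proxy (old ticket after krbtgt rollover)')` and `fail('krb5 -> s4u2proxy (new ticket after krbtgt rollover)')` would make a regression in the multi-kvno verification path immediately attributable. The second case is the one that exercises the commit's stated goal of trying several krbtgt versions, since `newtgt_keys` keeps kvno 1 alongside the new kvno 2; a short comment on `newtgt_keys` saying that kvno 1 is retained on purpose so the pre-rollover ticket still has a key to be checked against would prevent someone from "cleaning up" the old entry. The third kinit omits the `-S service1` option used by the first, so it appears to obtain a TGT rather than a direct service ticket — if that difference is intentional, the comment above it should say so, otherwise it may be worth mirroring the first case. This hunk sits in the flat top-level script, which begins before the hunk.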

