krb5 commit: Test KDB authdata and kinit pac options
Greg Hudson
ghudson at mit.edu
Wed Apr 27 17:02:14 EDT 2016
https://github.com/krb5/krb5/commit/12cc2b9dab45b05c13642c2b4b0ce0d3191663c7
commit 12cc2b9dab45b05c13642c2b4b0ce0d3191663c7
Author: Greg Hudson <ghudson at mit.edu>
Date: Tue Apr 5 00:23:20 2016 -0400
Test KDB authdata and kinit pac options
Add a sign_authdata method to the test KDB module. Add tests to
t_authdata.py for KDB module authdata and the kinit --request-pac and
--no-request-pac options.
ticket: 7985
src/plugins/kdb/test/kdb_test.c | 27 +++++++++++++++++++++-
src/tests/t_authdata.py | 48 ++++++++++++++++++++++++++++++---------
2 files changed, 63 insertions(+), 12 deletions(-)
diff --git a/src/plugins/kdb/test/kdb_test.c b/src/plugins/kdb/test/kdb_test.c
index a0e4970..db939b9 100644
--- a/src/plugins/kdb/test/kdb_test.c
+++ b/src/plugins/kdb/test/kdb_test.c
@@ -71,6 +71,8 @@
#include "adm_proto.h"
#include <ctype.h>
+#define TEST_AD_TYPE -456
+
typedef struct {
void *profile;
char *section;
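Review bot: `TEST_AD_TYPE` expands to an unparenthesized negative literal; the conventional form is `#define TEST_AD_TYPE (-456)` so the value is safe in any expression context it is later pasted into. The same literal is repeated as `-456` in src/tests/t_authdata.py, so a change to either side silently desynchronizes the other; a comment next to the define would make the coupling visible, e.g. `/* Must match the "-456" string expected by src/tests/t_authdata.py. */`.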
@@ -490,6 +492,29 @@ test_encrypt_key_data(krb5_context context, const krb5_keyblock *mkey,
}
static krb5_error_code
+test_sign_authdata(krb5_context context, unsigned int flags,
+ krb5_const_principal client_princ, krb5_db_entry *client,
+ krb5_db_entry *server, krb5_db_entry *krbtgt,
+ krb5_keyblock *client_key, krb5_keyblock *server_key,
+ krb5_keyblock *krbtgt_key, krb5_keyblock *session_key,
+ krb5_timestamp authtime, krb5_authdata **tgt_auth_data,
+ krb5_authdata ***signed_auth_data)
+{
+ krb5_authdata **list, *ad;
+
+ ad = ealloc(sizeof(*ad));
+ ad->magic = KV5M_AUTHDATA;
+ ad->ad_type = TEST_AD_TYPE;
+ ad->contents = (uint8_t *)estrdup("db-authdata-test");
+ ad->length = strlen((char *)ad->contents);
+ list = ealloc(2 * sizeof(*list));
+ list[0] = ad;
+ list[1] = NULL;
+ *signed_auth_data = list;
+ return 0;
+}
+
+static krb5_error_code
test_check_allowed_to_delegate(krb5_context context,
krb5_const_principal client,
const krb5_db_entry *server,
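Review bot: test_sign_authdata has no header comment, so a reader of the vtable cannot tell whether flags, tgt_auth_data and the key arguments are deliberately ignored or forgotten. I would add above the function: `/* Test hook: unconditionally return one authdata element of type TEST_AD_TYPE so t_authdata.py can observe when the KDC includes or suppresses KDB authdata. All inputs are ignored; the returned list is heap-allocated and presumably freed by the KDC caller. */`. `ad->length = strlen((char *)ad->contents);` also narrows the size_t from strlen into the unsigned int length field, harmless for this fixed literal but worth an explicit `(unsigned int)` cast so -Wconversion builds stay quiet. test_check_allowed_to_delegate, which starts at the end of the hunk, continues outside it.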
@@ -551,7 +576,7 @@ kdb_vftabl PLUGIN_SYMBOL_NAME(krb5_test, kdb_function_table) = {
NULL, /* promote_db */
test_decrypt_key_data,
test_encrypt_key_data,
- NULL, /* sign_authdata */
+ test_sign_authdata,
NULL, /* check_transited_realms */
NULL, /* check_policy_as */
NULL, /* check_policy_tgs */
diff --git a/src/tests/t_authdata.py b/src/tests/t_authdata.py
index d98c3fd..20c8bc6 100644
--- a/src/tests/t_authdata.py
+++ b/src/tests/t_authdata.py
@@ -163,6 +163,7 @@ realm.run([kadminl, 'setstr', 'restricted', 'require_auth', 'a b c ind2'])
realm.run([kvno, 'restricted'])
realm.stop()
+realm2.stop()
# Load the test KDB module to allow successful S4U2Proxy
# auth-indicator requests.
@@ -170,7 +171,9 @@ testprincs = {'krbtgt/KRBTEST.COM': {'keys': 'aes128-cts'},
'krbtgt/FOREIGN': {'keys': 'aes128-cts'},
'user': {'keys': 'aes128-cts', 'flags': '+preauth'},
'service/1': {'keys': 'aes128-cts', 'flags': '+preauth'},
- 'service/2': {'keys': 'aes128-cts'}}
+ 'service/2': {'keys': 'aes128-cts'},
+ 'noauthdata': {'keys': 'aes128-cts',
+ 'flags': '+no_auth_data_required'}}
kdcconf = {'realms': {'$realm': {'database_module': 'test'}},
'dbmodules': {'test': {'db_library': 'test',
'princs': testprincs,
@@ -182,6 +185,7 @@ realm.extract_keytab('krbtgt/FOREIGN', realm.keytab)
realm.extract_keytab(realm.user_princ, realm.keytab)
realm.extract_keytab('service/1', realm.keytab)
realm.extract_keytab('service/2', realm.keytab)
+realm.extract_keytab('noauthdata', realm.keytab)
realm.start_kdc()
# S4U2Self (should have no indicators since client did not authenticate)
@@ -199,16 +203,38 @@ out = realm.run(['./adata', '-p', realm.user_princ, 'service/2'])
if '+97: [indcl]' not in out or '[inds1]' in out:
fail('correct auth-indicator not seen for S4U2Proxy req')
-# KDB authdata is not tested here; we would need a test KDB module to
-# generate authdata, and also some additions to the test harness. The
-# current rules we would want to test are:
-#
-# * The no_auth_data_required server flag suppresses KDB authdata in
-# TGS requests.
-# * KDB authdata is also suppressed in TGS requests if the TGT
+# Test that KDB module authdata is included in an AS request, by
+# default or with an explicit PAC request.
+realm.kinit(realm.user_princ, None, ['-k'])
+out = realm.run(['./adata', realm.krbtgt_princ])
+if '-456: db-authdata-test' not in out:
+ fail('DB authdata not seen in default AS request')
+realm.kinit(realm.user_princ, None, ['-k', '--request-pac'])
+out = realm.run(['./adata', realm.krbtgt_princ])
+if '-456: db-authdata-test' not in out:
+ fail('DB authdata not seen with --request-pac')
+
+# Test that KDB module authdata is suppressed in an AS request by a
+# negative PAC request.
+realm.kinit(realm.user_princ, None, ['-k', '--no-request-pac'])
+out = realm.run(['./adata', realm.krbtgt_princ])
+if '-456: db-authdata-test' in out:
+ fail('DB authdata not suppressed by --no-request-pac')
+
+# Test that KDB authdata is included in a TGS request by default.
+out = realm.run(['./adata', 'service/1'])
+if '-456: db-authdata-test' not in out:
+ fail('DB authdata not seen in TGS request')
+
+# Test that KDB authdata is suppressed in a TGS request by the
+# +no_auth_data_required flag.
+out = realm.run(['./adata', 'noauthdata'])
+if '-456: db-authdata-test' in out:
+ fail('DB authdata not suppressed by +no_auth_data_required')
+
+# Additional KDB module authdata behavior we don't currently test:
+# * KDB module authdata is suppressed in TGS requests if the TGT
# contains no authdata and the request is not cross-realm or S4U.
-# * For AS requests, KDB authdata is suppressed if negative
-# KRB5_PADATA_PAC_REQUEST padata is present in the request.
-# * KDB authdata is suppressed for anonymous tickets.
+# * KDB module authdata is suppressed for anonymous tickets.
success('Authorization data tests')
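Review bot: The TGS checks under `# Test that KDB authdata is included in a TGS request by default.` run against whatever ccache the preceding `--no-request-pac` kinit left behind, so they depend on test ordering and on that TGT still carrying some authdata, which is the very suppression rule the trailing comment lists as untested. Inserting `realm.kinit(realm.user_princ, None, ['-k'])` before that comment would pin the TGS cases to a default TGT and make the intent explicit rather than incidental. The expected string `'-456: db-authdata-test'` is also hard-coded five times; a single `kdb_ad = '-456: db-authdata-test'` near the top of this section would keep it in one place next to a remark that it mirrors `TEST_AD_TYPE` in kdb_test.c.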