krb5 commit: Add tests for cross-realm RBCD request authdata

Greg Hudson ghudson at mit.edu
Wed Jan 22 14:10:35 EST 2020


https://github.com/krb5/krb5/commit/fba01092b7beb097780f2482997c9e6cee0e7ed2
commit fba01092b7beb097780f2482997c9e6cee0e7ed2
Author: Isaac Boukris <iboukris at gmail.com>
Date:   Sat Jan 18 02:54:32 2020 +0100

    Add tests for cross-realm RBCD request authdata
    
    ticket: 8866

 src/tests/t_authdata.py |   31 ++++++++++++++++++++++++++++---
 1 files changed, 28 insertions(+), 3 deletions(-)

diff --git a/src/tests/t_authdata.py b/src/tests/t_authdata.py
index 378174a..76b8fcd 100644
--- a/src/tests/t_authdata.py
+++ b/src/tests/t_authdata.py
@@ -291,14 +291,19 @@ a_princs = {'krbtgt/A': {'keys': 'aes128-cts'},
 a_kconf = {'realms': {'$realm': {'database_module': 'test'}},
            'dbmodules': {'test': {'db_library': 'test',
                                   'delegation': {'impersonator' : 'resource'},
-                                  'princs': a_princs}}}
+                                  'princs': a_princs,
+                                  'alias': {'service/rb.b': '@B'}}}}
 
 b_princs = {'krbtgt/B': {'keys': 'aes128-cts'},
             'krbtgt/A': {'keys': 'aes128-cts'},
-            'user': {'keys': 'aes128-cts', 'flags': '+preauth'}}
+            'user': {'keys': 'aes128-cts', 'flags': '+preauth'},
+            'rb': {'keys': 'aes128-cts'}}
 b_kconf = {'realms': {'$realm': {'database_module': 'test'}},
            'dbmodules': {'test': {'db_library': 'test',
-                                  'princs': b_princs}}}
+                                  'princs': b_princs,
+                                  'rbcd': {'rb at B': 'impersonator at A'},
+                                  'alias': {'service/rb.b': 'rb',
+                                            'impersonator at A': '@A'}}}}
 
 ra, rb = cross_realms(2, xtgts=(),
                           args=({'realm': 'A', 'kdc_conf': a_kconf},
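Review bot: The new `'rbcd'` and `'alias'` entries in `a_kconf` and `b_kconf` have no comment saying which principal grants delegation to which, and this is the security-relevant part of the fixture. As far as I can tell from the names, the `rbcd` entry lets the impersonator in realm A delegate to `rb` in realm B, and the `'@A'`/`'@B'` alias values stand for cross-realm referrals. That reading depends on the test KDB module, which is outside this hunk, so it should be confirmed. I would add a short comment above `b_kconf`, for example `# rbcd: target service -> principal allowed to delegate to it; alias values starting with '@' refer the lookup to that realm`. The `cross_realms(...)` call that consumes these dicts continues past the end of the hunk.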
@@ -318,6 +323,26 @@ rb.run([kvno, '-C', 'impersonator at A', '-c', usercache])
 ra.kinit('impersonator at A', None, ['-f', '-k', '-t', ra.keytab])
 ra.run(['./s4u2proxy', usercache, 'resource at A'])
 
+mark('Cross realm S4U authdata tests')
+
+ra.kinit('impersonator at A', None, ['-k', '-t', ra.keytab])
+ra.run(['./s4u2self', rb.user_princ, 'impersonator at A', usercache, '-2',
+        'cross_s4u_self_ad'])
+out = ra.run(['./adata', '-c', usercache, '-p', rb.user_princ,
+              'impersonator at A', '-2', 'cross_s4u_self_ad'])
+if out.count(' -2: cross_s4u_self_ad') != 1:
+    fail('expected one cross_s4u_self_ad, got: %s' % count)
+
+ra.run(['./s4u2proxy', usercache, 'service/rb.b', '-2',
+        'cross_s4u_proxy_ad'])
+rb.extract_keytab('service/rb.b', ra.keytab)
+out = ra.run(['./adata', '-p', rb.user_princ, 'service/rb.b', '-2',
+              'cross_s4u_proxy_ad'])
+if out.count(' -2: cross_s4u_self_ad') != 1:
+    fail('expected one cross_s4u_self_ad, got: %s' % count)
+if out.count(' -2: cross_s4u_proxy_ad') != 1:
+    fail('expected one cross_s4u_proxy_ad, got: %s' % count)
+
 ra.stop()
 rb.stop()
 
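Review bot: All three new `fail(...)` calls format their message with `% count`, but no `count` is assigned anywhere in this hunk. Unless the name is defined elsewhere in the file, a failed check raises NameError instead of reporting the mismatch; if a stale `count` exists from an earlier test, it reports the wrong number. These checks assert that each request authdata element appears exactly once in the cross-realm S4U2Self and S4U2Proxy tickets, so the failure message should carry the count that was observed. Bind it first at each site, e.g. `count = out.count(' -2: cross_s4u_self_ad')` followed by `if count != 1:`, and likewise for `cross_s4u_proxy_ad`.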

