Add marks to longer Python test scripts
greghudson committed Apr 22, 2018
1 parent 4e81320 commit 0879b7d
Showing 29 changed files with 295 additions and 3 deletions.
4 changes: 4 additions & 0 deletions src/appl/gss-sample/t_gss_sample.py
@@ -95,22 +95,26 @@ def kt_test(realm, options, server_options=[]):
for realm in multipass_realms():
ccache_save(realm)

mark('TGS')
tgs_test(realm, ['-krb5'])
tgs_test(realm, ['-spnego'])
tgs_test(realm, ['-iakerb'], ['-iakerb'])
# test default (i.e., krb5) mechanism with GSS_C_DCE_STYLE
tgs_test(realm, ['-dce'])

mark('pw')
pw_test(realm, ['-krb5'])
pw_test(realm, ['-spnego'])
pw_test(realm, ['-iakerb'], ['-iakerb'])
pw_test(realm, ['-dce'])

mark('wrong pw')
wrong_pw_test(realm, ['-krb5'])
wrong_pw_test(realm, ['-spnego'])
wrong_pw_test(realm, ['-iakerb'], ['-iakerb'], True)
wrong_pw_test(realm, ['-dce'])

mark('client keytab')
realm.extract_keytab(realm.user_princ, realm.client_keytab)
kt_test(realm, ['-krb5'])
kt_test(realm, ['-spnego'])
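Review bot: `mark('pw')` and `mark('wrong pw')` are terser than the labels this commit adds in the other files, and since a mark is what one searches for in the log of a failed run, I would spell them out as `mark('password')` and `mark('wrong password')`. These four marks also appear to sit inside the `for realm in multipass_realms():` loop (indentation is lost on this page), so the same labels would repeat once per pass; it is worth confirming that the log also identifies the pass. The loop body continues past the end of the hunk.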
6 changes: 6 additions & 0 deletions src/lib/krb5/ccache/t_cccol.py
@@ -81,20 +81,24 @@ def cursor_test(testname, args, expected):
'Expected output:\n\n' + '\n'.join(expected) + '\n\n' +
'Actual output:\n\n' + '\n'.join(outlines))

mark('FILE cursor')
fccname = 'FILE:%s' % realm.ccache
cursor_test('file-default', [], [fccname])
cursor_test('file-default2', [realm.ccache], [fccname])
cursor_test('file-default3', [fccname], [fccname])

mark('DIR cursor')
cursor_test('dir', [dccname], [duser, dalice, dbob])
cursor_test('dir-subsidiary', [duser], [duser])
cursor_test('dir-nofile', [dnoent], [])

if test_keyring:
mark('KEYRING cursor')
cursor_test('keyring', [krccname], [kruser, kralice, krbob])
cursor_test('keyring-subsidiary', [kruser], [kruser])
cursor_test('keyring-noent', [krnoent], [])

mark('MEMORY cursor')
mfoo = 'MEMORY:foo'
mbar = 'MEMORY:bar'
cursor_test('filemem', [fccname, mfoo, mbar], [fccname, mfoo, mbar])
@@ -103,6 +107,7 @@ def cursor_test(testname, args, expected):
cursor_test('keyringmem', [krccname, mfoo], [kruser, kralice, krbob, mfoo])

# Test krb5_cccol_have_content.
mark('krb5_cccol_have_content')
realm.run(['./t_cccursor', dccname, 'CONTENT'])
realm.run(['./t_cccursor', fccname, 'CONTENT'])
realm.run(['./t_cccursor', realm.ccache, 'CONTENT'])
@@ -112,6 +117,7 @@ def cursor_test(testname, args, expected):
cleanup_keyring('@s', col_ringname)

# Make sure FILE doesn't yield a nonexistent default cache.
mark('FILE nonexistent')
realm.run([kdestroy])
cursor_test('noexist', [], [])
realm.run(['./t_cccursor', fccname, 'CONTENT'], expected_code=1)
9 changes: 9 additions & 0 deletions src/lib/krb5/krb/t_vfy_increds.py
@@ -27,17 +27,20 @@
realm = K5Realm()

# Verify the default test realm credentials with the default keytab.
mark('default keytab')
realm.run(['./t_vfy_increds'])
realm.run(['./t_vfy_increds', '-n'])

# Verify after updating the keytab (so the keytab contains an outdated
# version 1 key followed by an up-to-date version 2 key).
mark('updated keytab')
realm.run([kadminl, 'ktadd', realm.host_princ])
realm.run(['./t_vfy_increds'])
realm.run(['./t_vfy_increds', '-n'])

# Bump the host key without updating the keytab and make sure that
# verification fails as we expect it to.
mark('outdated keytab')
realm.run([kadminl, 'change_password', '-randkey', realm.host_princ])
realm.run(['./t_vfy_increds'], expected_code=1)
realm.run(['./t_vfy_increds', '-n'], expected_code=1)
@@ -47,13 +50,15 @@
# matches. Verify after updating the keytab with a host service
# principal that has hostname that doesn't match the host running the
# test. Verify should succeed, with or without nofail.
mark('hostname mismatch')
realm.run([kadminl, 'addprinc', '-randkey', 'host/wrong.hostname'])
realm.run([kadminl, 'ktadd', 'host/wrong.hostname'])
realm.run(['./t_vfy_increds'])
realm.run(['./t_vfy_increds', '-n'])

# Remove the keytab and verify again. This should succeed if nofail
# is not set, and fail if it is set.
mark('no keytab')
os.remove(realm.keytab)
realm.run(['./t_vfy_increds'])
realm.run(['./t_vfy_increds', '-n'], expected_code=1)
@@ -65,6 +70,7 @@
# set. (An empty keytab file appears as corrupt to keytab calls,
# causing a KRB5_KEYTAB_BADVNO error, so any tightening of the
# krb5_verify_init_creds semantics needs to take this into account.)
mark('empty keytab')
open(realm.keytab, 'w').close()
realm.run(['./t_vfy_increds'])
realm.run(['./t_vfy_increds', '-n'], expected_code=1)
@@ -73,6 +79,7 @@
# Add an NFS service principal to keytab. Verify should ignore it by
# default (succeeding unless nofail is set), but should verify with it
# when it is specifically requested.
mark('keytab with NFS principal')
realm.run([kadminl, 'addprinc', '-randkey', realm.nfs_princ])
realm.run([kadminl, 'ktadd', realm.nfs_princ])
realm.run(['./t_vfy_increds'])
@@ -83,6 +90,7 @@
# Invalidating the NFS keys in the keytab. We should get the same
# results with the default principal argument, but verification should
# now fail if we request it specifically.
mark('keytab with outdated NFS principal')
realm.run([kadminl, 'change_password', '-randkey', realm.nfs_princ])
realm.run(['./t_vfy_increds'])
realm.run(['./t_vfy_increds', '-n'], expected_code=1)
@@ -91,6 +99,7 @@

# Spot-check that verify_ap_req_nofail works equivalently to the
# programmatic nofail option.
mark('verify_ap_req_nofail')
realm.stop()
conf = {'libdefaults': {'verify_ap_req_nofail': 'true'}}
realm = K5Realm(krb5_conf=conf)
24 changes: 24 additions & 0 deletions src/tests/t_authdata.py
@@ -10,12 +10,14 @@
# With no requested authdata, we expect to see SIGNTICKET (512) in an
# if-relevant container and the greet authdata in a kdc-issued
# container.
mark('baseline authdata')
out = realm.run(['./adata', realm.host_princ])
if '?512: ' not in out or '^-42: Hello' not in out:
fail('expected authdata not seen for basic request')

# Requested authdata is copied into the ticket, with KDC-only types
# filtered out. (128 is win2k-pac, which should be filtered.)
mark('request authdata')
out = realm.run(['./adata', realm.host_princ, '-5', 'test1', '?-6', 'test2',
'128', 'fakepac', '?128', 'ifrelfakepac',
'^-8', 'fakekdcissued', '?^-8', 'ifrelfakekdcissued'])
@@ -24,11 +26,13 @@
if 'fake' in out:
fail('KDC-only authdata not filtered for request with authdata')

mark('AD-MANDATORY-FOR-KDC')
realm.run(['./adata', realm.host_princ, '!-1', 'mandatoryforkdc'],
expected_code=1, expected_msg='KDC policy rejects request')

# The no_auth_data_required server flag should suppress SIGNTICKET,
# but not module or request authdata.
mark('no_auth_data_required server flag')
realm.run([kadminl, 'ank', '-randkey', '+no_auth_data_required', 'noauth'])
realm.extract_keytab('noauth', realm.keytab)
out = realm.run(['./adata', 'noauth', '-2', 'test'])
@@ -39,6 +43,7 @@

# Cross-realm TGT requests should also suppress SIGNTICKET, but not
# module or request authdata.
mark('cross-realm')
realm.addprinc('krbtgt/XREALM')
realm.extract_keytab('krbtgt/XREALM', realm.keytab)
out = realm.run(['./adata', 'krbtgt/XREALM', '-3', 'test'])
@@ -67,6 +72,7 @@

# SIGNTICKET and module authdata should be suppressed for
# anonymous tickets, but not request authdata.
mark('anonymous')
out = realm.run(['./adata', realm.host_princ, '-4', 'test'])
if ' -4: test' not in out:
fail('expected authdata not seen for anonymous request')
@@ -95,37 +101,45 @@
realm2.extract_keytab('krbtgt/LOCAL', realm.keytab)

# AS request to local-realm service
mark('AS-REQ to local service auth indicator')
realm.kinit(realm.user_princ, password('user'),
['-X', 'indicators=indcl', '-r', '2d', '-S', realm.host_princ])
realm.run(['./adata', realm.host_princ], expected_msg='+97: [indcl]')

# Ticket modification request
mark('ticket modification auth indicator')
realm.kinit(realm.user_princ, None, ['-R', '-S', realm.host_princ])
realm.run(['./adata', realm.host_princ], expected_msg='+97: [indcl]')

# AS request to cross TGT
mark('AS-REQ to cross TGT auth indicator')
realm.kinit(realm.user_princ, password('user'),
['-X', 'indicators=indcl', '-S', 'krbtgt/FOREIGN'])
realm.run(['./adata', 'krbtgt/FOREIGN'], expected_msg='+97: [indcl]')

# Multiple indicators
mark('AS multiple indicators')
realm.kinit(realm.user_princ, password('user'),
['-X', 'indicators=indcl indcl2 indcl3'])
realm.run(['./adata', realm.krbtgt_princ],
expected_msg='+97: [indcl, indcl2, indcl3]')

# AS request to local TGT (resulting creds are used for TGS tests)
mark('AS-REQ to local TGT auth indicator')
realm.kinit(realm.user_princ, password('user'), ['-X', 'indicators=indcl'])
realm.run(['./adata', realm.krbtgt_princ], expected_msg='+97: [indcl]')

# Local TGS request for local realm service
mark('TGS-REQ to local service auth indicator')
realm.run(['./adata', realm.host_princ], expected_msg='+97: [indcl]')

# Local TGS request for cross TGT service
mark('TGS-REQ to cross TGT auth indicator')
realm.run(['./adata', 'krbtgt/FOREIGN'], expected_msg='+97: [indcl]')

# We don't yet have support for passing auth indicators across realms,
# so just verify that indicators don't survive cross-realm requests.
mark('TGS-REQ to foreign service auth indicator')
out = realm.run(['./adata', realm2.krbtgt_princ])
if '97:' in out:
fail('auth-indicator seen in cross TGT request to local TGT')
@@ -137,10 +151,12 @@
fail('auth-indicator seen in cross TGT request to service')

# Test that the CAMMAC signature still works during a krbtgt rollover.
mark('CAMMAC signature across krbtgt rollover')
realm.run([kadminl, 'cpw', '-randkey', '-keepold', realm.krbtgt_princ])
realm.run(['./adata', realm.host_princ], expected_msg='+97: [indcl]')

# Test indicator enforcement.
mark('auth indicator enforcement')
realm.addprinc('restricted')
realm.run([kadminl, 'setstr', 'restricted', 'require_auth', 'superstrong'])
realm.run([kvno, 'restricted'], expected_code=1,
@@ -155,13 +171,15 @@
# Regression test for one manifestation of #8139: ensure that
# forwarded TGTs obtained across a TGT re-key still work when the
# preferred krbtgt enctype changes.
mark('#8139 regression test')
realm.kinit(realm.user_princ, password('user'), ['-f'])
realm.run([kadminl, 'cpw', '-randkey', '-keepold', '-e', 'des3-cbc-sha1',
realm.krbtgt_princ])
realm.run(['./forward'])
realm.run([kvno, realm.host_princ])

# Repeat the above test using a renewed TGT.
mark('#8139 regression test (renewed TGT)')
realm.kinit(realm.user_princ, password('user'), ['-r', '2d'])
realm.run([kadminl, 'cpw', '-randkey', '-keepold', '-e', 'aes128-cts',
realm.krbtgt_princ])
@@ -195,13 +213,15 @@
realm.start_kdc()

# S4U2Self (should have no indicators since client did not authenticate)
mark('S4U2Self (no auth indicators expected)')
realm.kinit('service/1', None, ['-k', '-f', '-X', 'indicators=inds1'])
realm.run([kvno, '-U', 'user', 'service/1'])
out = realm.run(['./adata', '-p', realm.user_princ, 'service/1'])
if '97:' in out:
fail('auth-indicator present in S4U2Self response')

# S4U2Proxy (indicators should come from evidence ticket, not TGT)
mark('S4U2Proxy (auth indicators from evidence ticket expected)')
realm.kinit(realm.user_princ, None, ['-k', '-f', '-X', 'indicators=indcl',
'-S', 'service/1', '-c', usercache])
realm.run(['./s4u2proxy', usercache, 'service/2'])
@@ -211,6 +231,7 @@

# Test that KDB module authdata is included in an AS request, by
# default or with an explicit PAC request.
mark('AS-REQ KDB module authdata')
realm.kinit(realm.user_princ, None, ['-k'])
realm.run(['./adata', realm.krbtgt_princ],
expected_msg='-456: db-authdata-test')
@@ -220,16 +241,19 @@

# Test that KDB module authdata is suppressed in an AS request by a
# negative PAC request.
mark('AS-REQ KDB module authdata client supression')
realm.kinit(realm.user_princ, None, ['-k', '--no-request-pac'])
out = realm.run(['./adata', realm.krbtgt_princ])
if '-456: db-authdata-test' in out:
fail('DB authdata not suppressed by --no-request-pac')

# Test that KDB authdata is included in a TGS request by default.
mark('TGS-REQ KDB authdata')
realm.run(['./adata', 'service/1'], expected_msg='-456: db-authdata-test')

# Test that KDB authdata is suppressed in a TGS request by the
# +no_auth_data_required flag.
mark('TGS-REQ KDB authdata service suppression')
out = realm.run(['./adata', 'noauthdata'])
if '-456: db-authdata-test' in out:
fail('DB authdata not suppressed by +no_auth_data_required')
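Review bot: The label in `mark('AS-REQ KDB module authdata client supression')` misspells "suppression", so a log search for the word used by the sibling label `'TGS-REQ KDB authdata service suppression'` will miss it; change it to `mark('AS-REQ KDB module authdata client suppression')`. The two labels also differ in "KDB module authdata" versus "KDB authdata"; using one phrasing for both would make the AS and TGS cases easier to pair up when reading a failure log.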
9 changes: 9 additions & 0 deletions src/tests/t_ccache.py
@@ -34,14 +34,17 @@
skipped('keyring ccache tests', 'keyring support not built')

# Test kdestroy and klist of a non-existent ccache.
mark('no ccache')
realm.run([kdestroy])
realm.run([klist], expected_code=1, expected_msg='No credentials cache found')

# Test kinit with an inaccessible ccache.
mark('inaccessible ccache')
realm.kinit(realm.user_princ, password('user'), flags=['-c', 'testdir/xx/yy'],
expected_code=1, expected_msg='Failed to store credentials')

# Test klist -s with a single ccache.
mark('klist -s single ccache')
realm.run([klist, '-s'], expected_code=1)
realm.kinit(realm.user_princ, password('user'))
realm.run([klist, '-s'])
@@ -57,9 +60,11 @@
realm.addprinc('carol', password('carol'))

def collection_test(realm, ccname):
cctype = ccname.partition(':')[0]
oldccname = realm.env['KRB5CCNAME']
realm.env['KRB5CCNAME'] = ccname

mark('%s collection, single cache' % cctype)
realm.run([klist, '-A', '-s'], expected_code=1)
realm.kinit('alice', password('alice'))
realm.run([klist], expected_msg='Default principal: alice@')
@@ -73,6 +78,7 @@ def collection_test(realm, ccname):
fail('Initial kdestroy failed to empty cache collection.')
realm.run([klist, '-A', '-s'], expected_code=1)

mark('%s collection, multiple caches' % cctype)
realm.kinit('alice', password('alice'))
realm.kinit('carol', password('carol'))
output = realm.run([klist, '-l'])
@@ -96,6 +102,7 @@ def collection_test(realm, ccname):
# (only works with klist/kdestroy for now, not kinit/kswitch).
realm.env['KRB5CCNAME'] = oldccname

mark('%s collection, command-line specifier' % cctype)
realm.run([kdestroy, '-c', ccname])
output = realm.run([klist, '-l', ccname])
if 'carol@' in output or 'bob@' not in output or output.count('\n') != 4:
@@ -127,6 +134,7 @@ def cleanup_keyring(anchor, name):
cleanup_keyring('@s', col_ringname)

# Test legacy keyring cache linkage.
mark('legacy keyring cache linkage')
realm.env['KRB5CCNAME'] = 'KEYRING:' + cname
realm.run([kdestroy, '-A'])
realm.kinit(realm.user_princ, password('user'))
@@ -150,6 +158,7 @@ def cleanup_keyring(anchor, name):
cleanup_keyring('@s', col_ringname)

# Test parameter expansion in default_ccache_name
mark('default_ccache_name parameter expansion')
realm.stop()
conf = {'libdefaults': {'default_ccache_name': 'testdir/%{null}abc%{uid}'}}
realm = K5Realm(krb5_conf=conf, create_kdb=False)
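Review bot: `cctype = ccname.partition(':')[0]` in `collection_test` deserves a one-line comment, e.g. `# ccache type prefix (text before the first ':'), used for the mark labels below`. Note that `partition` returns the whole string when there is no colon, so a bare path passed as `ccname` would put the full path into each label; the callers are outside the visible hunks, so this may never happen. The body of `collection_test` extends beyond the hunks shown.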
