Refactor KDC renewable ticket handling
Create a new helper to compute the renewable lifetime for AS and TGS requests. This has some minor behavior differences: * We only issue a renewable ticket if the renewable lifetime is greater than the normal ticket lifetime. * We give RENEWABLE precedence over RENEWABLE-OK in determining the requested renewable lifetime, instead of sometimes doing the reverse. * We use the client's maximum renewable life for TGS requests if we have looked up its DB entry. * Instead of rejecting requests for renewable tickets (if the client or server principal doesn't allow it, or a TGS request's TGT isn't renewable), issue non-renewable tickets. ticket: 7661 (new)
1 parent
6936d27
commit 4f551a7
Showing
6 changed files
with
124 additions
and
64 deletions.
@@ -1,16 +1,74 @@ | ||
#!/usr/bin/python | ||
from k5test import * | ||
|
||
realm = K5Realm(create_host=False, get_creds=False) | ||
conf = {'realms': {'$realm': {'max_life': '20h', 'max_renewable_life': '20h'}}} | ||
realm = K5Realm(create_host=False, get_creds=False, kdc_conf=conf) | ||
|
||
# Configure the realm to allow renewable tickets and acquire some. | ||
realm.run_kadminl('modprinc -maxrenewlife "2 days" user') | ||
realm.run_kadminl('modprinc -maxrenewlife "2 days" %s' % realm.krbtgt_princ) | ||
realm.kinit(realm.user_princ, password('user'), flags=['-r', '2d']) | ||
def test(testname, life, rlife, expect_renewable, env=None): | ||
global realm | ||
flags = ['-l', life] | ||
if rlife is not None: | ||
flags += ['-r', rlife] | ||
realm.kinit(realm.user_princ, password('user'), flags=flags, env=env) | ||
out = realm.run([klist]) | ||
if ('Default principal: %s\n' % realm.user_princ) not in out: | ||
fail('%s: did not get tickets' % testname) | ||
renewable = 'renew until' in out | ||
if renewable and not expect_renewable: | ||
fail('%s: tickets unexpectedly renewable' % testname) | ||
elif not renewable and expect_renewable: | ||
fail('%s: tickets unexpectedly non-renewable' % testname) | ||
|
||
# Get renewable tickets. | ||
test('simple', '1h', '2h', True) | ||
|
||
# Renew twice, to test that renewed tickets are renewable. | ||
realm.kinit(realm.user_princ, flags=['-R']) | ||
realm.kinit(realm.user_princ, flags=['-R']) | ||
realm.klist(realm.user_princ) | ||
|
||
# Make sure we can't renew non-renewable tickets. | ||
test('non-renewable', '1h', '1h', False) | ||
out = realm.kinit(realm.user_princ, flags=['-R'], expected_code=1) | ||
if "KDC can't fulfill requested option" not in out: | ||
fail('expected error not seen renewing non-renewable ticket') | ||
|
||
# Test that -allow_reneable on the client principal works. | ||
realm.run_kadminl('modprinc -allow_renewable user') | ||
test('disallowed client', '1h', '2h', False) | ||
realm.run_kadminl('modprinc +allow_renewable user') | ||
|
||
# Test that -allow_reneable on the server principal works. | ||
realm.run_kadminl('modprinc -allow_renewable %s' % realm.krbtgt_princ) | ||
test('disallowed server', '1h', '2h', False) | ||
realm.run_kadminl('modprinc +allow_renewable %s' % realm.krbtgt_princ) | ||
|
||
# Test that non-renewable tickets are issued if renew_till < till. | ||
test('short', '2h', '1h', False) | ||
|
||
# Test that renewable tickets are issued if till > max life by | ||
# default, but not if we configure away the RENEWABLE-OK option. | ||
no_opts_conf = {'libdefaults': {'kdc_default_options': '0'}} | ||
no_opts = realm.special_env('no_opts', False, krb5_conf=no_opts_conf) | ||
realm.run_kadminl('modprinc -maxlife "10 hours" user') | ||
test('long', '15h', None, True) | ||
test('long noopts', '15h', None, False, env=no_opts) | ||
realm.run_kadminl('modprinc -maxlife "20 hours" user') | ||
|
||
# Test maximum renewable life on the client principal. | ||
realm.run_kadminl('modprinc -maxrenewlife "5 hours" user') | ||
test('maxrenewlife client yes', '4h', '5h', True) | ||
test('maxrenewlife client no', '5h', '10h', False) | ||
|
||
# Test maximum renewable life on the server principal. | ||
realm.run_kadminl('modprinc -maxrenewlife "4 hours" %s' % realm.krbtgt_princ) | ||
test('maxrenewlife server yes', '3h', '4h', True) | ||
test('maxrenewlife server no', '4h', '8h', False) | ||
|
||
# Test realm maximum life. | ||
realm.run_kadminl('modprinc -maxrenewlife "40 hours" user') | ||
realm.run_kadminl('modprinc -maxrenewlife "40 hours" %s' % realm.krbtgt_princ) | ||
test('maxrenewlife realm yes', '10h', '20h', True) | ||
test('maxrenewlife realm no', '20h', '40h', False) | ||
|
||
success('Renewing credentials') |
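Review bot: test() only checks whether the string 'renew until' appears in the klist output, so the "yes" cases for the client, server and realm maximum renewable life (`test('maxrenewlife client yes', '4h', '5h', True)` and the two analogous server/realm lines) would still pass if the KDC issued a renewable lifetime longer than the configured maximum; since clamping to maxrenewlife / max_renewable_life is what those cases exist to verify, consider also parsing the 'renew until' timestamp from the output and asserting it is no later than the ticket start time plus the requested rlife. The `global realm` declaration in test() is unnecessary because the function only reads realm and never assigns it. The two comments `# Test that -allow_reneable on the client principal works.` and `# Test that -allow_reneable on the server principal works.` should read `-allow_renewable`, matching the kadmin flag used on the following lines.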