Use kadmin script mode in Python tests

In k5test, rename kadmin_local to kadminl and remove the run_kadminl() K5Realm method. Update all scripts to use realm.run([kadminl, 'cmd', ...]). run_kadmin() still exists but takes an argument array instead of a query string. Where we touch test code, rename "output" to "out" (since "output" is a function name exported by k5test.py), elide ":normal" from salt strings, and use expressions like realm.krbtgt_princ instead of manually composed principal names where appropriate. In t_kadmin_acl.py, get rid of the delprinc() helper since the equivalent is now concise enough to be written out each time. In t_policy.py, remove some inoperative getprinc invocations and reorder some tests which didn't correspond to their comment headers.
krb5 · Feb 19, 2015 · 60516bb · 60516bb
1 parent 040fe97
commit 60516bb
Show file tree

Hide file tree

Showing 33 changed files with 459 additions and 543 deletions.
diff --git a/src/lib/krb5/krb/t_expire_warn.py b/src/lib/krb5/krb/t_expire_warn.py
@@ -28,10 +28,12 @@
 realm = K5Realm(create_user=False, create_host=False)
 
 # Create principals with various password expirations.
-realm.run_kadminl('addprinc -pw pass noexpire')
-realm.run_kadminl('addprinc -pw pass -pwexpire "30 minutes" minutes')
-realm.run_kadminl('addprinc -pw pass -pwexpire "12 hours" hours')
-realm.run_kadminl('addprinc -pw pass -pwexpire "3 days" days')
+realm.run([kadminl, 'addprinc', '-pw', 'pass', 'noexpire'])
+realm.run([kadminl, 'addprinc', '-pw', 'pass', '-pwexpire', '30 minutes',
+           'minutes'])
+realm.run([kadminl, 'addprinc', '-pw', 'pass', '-pwexpire', '12 hours',
+           'hours'])
+realm.run([kadminl, 'addprinc', '-pw', 'pass', '-pwexpire', '3 days', 'days'])
 
 # Check for expected prompter warnings when no expire callback is used.
 output = realm.run(['./t_expire_warn', 'noexpire', 'pass', '0'])

diff --git a/src/lib/krb5/krb/t_in_ccache_patypes.py b/src/lib/krb5/krb/t_in_ccache_patypes.py
@@ -28,8 +28,8 @@
 realm = K5Realm(create_user=False, create_host=False)
 
 # Create principals with various password expirations.
-realm.run_kadminl('addprinc -pw pass nopreauth')
-realm.run_kadminl('addprinc -pw pass +requires_preauth preauth')
+realm.run([kadminl, 'addprinc', '-pw', 'pass', 'nopreauth'])
+realm.run([kadminl, 'addprinc', '-pw', 'pass', '+requires_preauth', 'preauth'])
 
 # Check that we can get creds without preauth without an in_ccache.  This is
 # the default behavior for kinit.

diff --git a/src/lib/krb5/krb/t_vfy_increds.py b/src/lib/krb5/krb/t_vfy_increds.py
@@ -32,13 +32,13 @@
 
 # Verify after updating the keytab (so the keytab contains an outdated
 # version 1 key followed by an up-to-date version 2 key).
-realm.run_kadminl('ktadd ' + realm.host_princ)
+realm.run([kadminl, 'ktadd', realm.host_princ])
 realm.run(['./t_vfy_increds'])
 realm.run(['./t_vfy_increds', '-n'])
 
 # Bump the host key without updating the keytab and make sure that
 # verification fails as we expect it to.
-realm.run_kadminl('change_password -randkey ' + realm.host_princ)
+realm.run([kadminl, 'change_password', '-randkey', realm.host_princ])
 realm.run(['./t_vfy_increds'], expected_code=1)
 realm.run(['./t_vfy_increds', '-n'], expected_code=1)
 
@@ -47,8 +47,8 @@
 # matches.  Verify after updating the keytab with a host service
 # principal that has hostname that doesn't match the host running the
 # test.  Verify should succeed, with or without nofail.
-realm.run_kadminl('addprinc -randkey host/wrong.hostname')
-realm.run_kadminl('ktadd host/wrong.hostname')
+realm.run([kadminl, 'addprinc', '-randkey', 'host/wrong.hostname'])
+realm.run([kadminl, 'ktadd', 'host/wrong.hostname'])
 realm.run(['./t_vfy_increds'])
 realm.run(['./t_vfy_increds', '-n'])
 
@@ -73,8 +73,8 @@
 # Add an NFS service principal to keytab.  Verify should ignore it by
 # default (succeeding unless nofail is set), but should verify with it
 # when it is specifically requested.
-realm.run_kadminl('addprinc -randkey ' + realm.nfs_princ)
-realm.run_kadminl('ktadd ' + realm.nfs_princ)
+realm.run([kadminl, 'addprinc', '-randkey', realm.nfs_princ])
+realm.run([kadminl, 'ktadd', realm.nfs_princ])
 realm.run(['./t_vfy_increds'])
 realm.run(['./t_vfy_increds', '-n'], expected_code=1)
 realm.run(['./t_vfy_increds', realm.nfs_princ])
@@ -83,7 +83,7 @@
 # Invalidating the NFS keys in the keytab.  We should get the same
 # results with the default principal argument, but verification should
 # now fail if we request it specifically.
-realm.run_kadminl('change_password -randkey ' + realm.nfs_princ)
+realm.run([kadminl, 'change_password', '-randkey', realm.nfs_princ])
 realm.run(['./t_vfy_increds'])
 realm.run(['./t_vfy_increds', '-n'], expected_code=1)
 realm.run(['./t_vfy_increds', realm.nfs_princ], expected_code=1)

diff --git a/src/tests/gssapi/t_enctypes.py b/src/tests/gssapi/t_enctypes.py
@@ -99,7 +99,7 @@ def test_err(msg, ienc, aenc, expected_err):
 
 # Force the ticket session key to be rc4, so we can test some subkey
 # upgrade cases.  The ticket encryption key remains aes256.
-realm.run_kadminl('setstr %s session_enctypes rc4' % realm.host_princ)
+realm.run([kadminl, 'setstr', realm.host_princ, 'session_enctypes', 'rc4'])
 
 # With no arguments, the initiator should send an upgrade list of
 # [aes256 aes128 des3] and the acceptor should upgrade to an aes256

diff --git a/src/tests/gssapi/t_gssapi.py b/src/tests/gssapi/t_gssapi.py
@@ -16,15 +16,15 @@
 # Create some host-based principals and put most of them into the
 # keytab.  Rename one principal so that the keytab name matches the
 # key but not the client name.
-realm.run_kadminl('addprinc -randkey service1/abraham')
-realm.run_kadminl('addprinc -randkey service1/barack')
-realm.run_kadminl('addprinc -randkey service2/calvin')
-realm.run_kadminl('addprinc -randkey service2/dwight')
-realm.run_kadminl('addprinc -randkey host/-nomatch-')
-realm.run_kadminl('xst service1/abraham')
-realm.run_kadminl('xst service1/barack')
-realm.run_kadminl('xst service2/calvin')
-realm.run_kadminl('renprinc -force service1/abraham service1/andrew')
+realm.run([kadminl, 'addprinc', '-randkey', 'service1/abraham'])
+realm.run([kadminl, 'addprinc', '-randkey', 'service1/barack'])
+realm.run([kadminl, 'addprinc', '-randkey', 'service2/calvin'])
+realm.run([kadminl, 'addprinc', '-randkey', 'service2/dwight'])
+realm.run([kadminl, 'addprinc', '-randkey', 'host/-nomatch-'])
+realm.run([kadminl, 'xst', 'service1/abraham'])
+realm.run([kadminl, 'xst', 'service1/barack'])
+realm.run([kadminl, 'xst', 'service2/calvin'])
+realm.run([kadminl, 'renprinc', 'service1/abraham', 'service1/andrew'])
 
 # Test with no acceptor name, including client/keytab principal
 # mismatch (non-fatal) and missing keytab entry (fatal).
@@ -114,8 +114,8 @@
 # and the principal for the mismatching hostname in the keytab.
 ignore_conf = {'libdefaults': {'ignore_acceptor_hostname': 'true'}}
 realm = K5Realm(krb5_conf=ignore_conf)
-realm.run_kadminl('addprinc -randkey host/-nomatch-')
-realm.run_kadminl('xst host/-nomatch-')
+realm.run([kadminl, 'addprinc', '-randkey', 'host/-nomatch-'])
+realm.run([kadminl, 'xst', 'host/-nomatch-'])
 output = realm.run(['./t_accname', 'p:host/-nomatch-',
                     'h:host@%s' % socket.gethostname()])
 if 'host/-nomatch-' not in output:

diff --git a/src/tests/gssapi/t_s4u.py b/src/tests/gssapi/t_s4u.py
@@ -60,7 +60,7 @@
 
 # Correct that problem and try again.  As above, the S4U2Proxy step
 # won't actually succeed since we don't support that in DB2.
-realm.run_kadminl('modprinc +ok_to_auth_as_delegate ' + service1)
+realm.run([kadminl, 'modprinc', '+ok_to_auth_as_delegate', service1])
 output = realm.run(['./t_s4u', puser, pservice2], expected_code=1)
 if 'NOT_ALLOWED_TO_DELEGATE' not in output:
     fail('s4u2self')

diff --git a/src/tests/t_audit.py b/src/tests/t_audit.py
@@ -6,7 +6,7 @@
 
 realm = K5Realm(krb5_conf=conf, get_creds=False)
 realm.addprinc('target')
-realm.run_kadminl('modprinc +ok_to_auth_as_delegate ' + realm.host_princ)
+realm.run([kadminl, 'modprinc', '+ok_to_auth_as_delegate', realm.host_princ])
 
 # Make normal AS and TGS requests so they will be audited.
 realm.kinit(realm.host_princ, flags=['-k', '-f'])

diff --git a/src/tests/t_changepw.py b/src/tests/t_changepw.py
@@ -7,12 +7,12 @@
 realm = K5Realm(create_host=False, get_creds=False, start_kadmind=True)
 
 # Mark a principal as expired and change its password through kinit.
-realm.run_kadminl('modprinc -pwexpire "1 day ago" user')
+realm.run([kadminl, 'modprinc', '-pwexpire', '1 day ago', 'user'])
 pwinput = password('user') + '\nabcd\nabcd\n'
 realm.run([kinit, realm.user_princ], input=pwinput)
 
 # Do the same thing with FAST, with tracing turned on.
-realm.run_kadminl('modprinc -pwexpire "1 day ago" user')
+realm.run([kadminl, 'modprinc', '-pwexpire', '1 day ago', 'user'])
 pwinput = 'abcd\nefgh\nefgh\n'
 tracefile = os.path.join(realm.testdir, 'trace')
 realm.run(['env', 'KRB5_TRACE=' + tracefile, kinit, '-T', realm.ccache,

diff --git a/src/tests/t_dump.py b/src/tests/t_dump.py
@@ -6,7 +6,7 @@
 # principals and policies survive a dump/load cycle.
 
 realm = K5Realm(start_kdc=False)
-realm.run_kadminl('addpol fred')
+realm.run([kadminl, 'addpol', 'fred'])
 
 # Create a dump file.
 dumpfile = os.path.join(realm.testdir, 'dump')
@@ -24,26 +24,26 @@
 # Spot-check principal and policy fields.
 realm.run([kdb5_util, 'destroy', '-f'])
 realm.run([kdb5_util, 'load', dumpfile])
-out = realm.run_kadminl('getprincs')
+out = realm.run([kadminl, 'getprincs'])
 if realm.user_princ not in out or realm.host_princ not in out:
     fail('Missing principal after load')
-out = realm.run_kadminl('getprinc %s' % realm.user_princ)
+out = realm.run([kadminl, 'getprinc', realm.user_princ])
 if 'Expiration date: [never]' not in out or 'MKey: vno 1' not in out:
     fail('Principal has wrong value after load')
-out = realm.run_kadminl('getpols')
+out = realm.run([kadminl, 'getpols'])
 if 'fred\n' not in out or 'barney\n' not in out:
     fail('Missing policy after load')
-out = realm.run_kadminl('getpol barney')
+out = realm.run([kadminl, 'getpol', 'barney'])
 if 'Number of old keys kept: 1' not in out:
     fail('Policy has wrong value after load')
 
 # Dump/load again, and make sure everything is still there.
 realm.run([kdb5_util, 'dump', dumpfile])
 realm.run([kdb5_util, 'load', dumpfile])
-out = realm.run_kadminl('getprincs')
+out = realm.run([kadminl, 'getprincs'])
 if realm.user_princ not in out or realm.host_princ not in out:
     fail('Missing principal after load')
-out = realm.run_kadminl('getpols')
+out = realm.run([kadminl, 'getpols'])
 if 'fred\n' not in out or 'barney\n' not in out:
     fail('Missing policy after second load')
 
@@ -75,13 +75,13 @@ def dump_compare(realm, opt, srcfile):
 def load_dump_check_compare(realm, opt, srcfile):
     realm.run([kdb5_util, 'destroy', '-f'])
     realm.run([kdb5_util, 'load'] + opt + [srcfile])
-    out = realm.run_kadminl('getprincs')
+    out = realm.run([kadminl, 'getprincs'])
     if 'user@' not in out:
         fail('Loaded dumpfile missing user principal')
-    out = realm.run_kadminl('getprinc nokeys')
+    out = realm.run([kadminl, 'getprinc', 'nokeys'])
     if 'Number of keys: 0' not in out:
         fail('Loading dumpfile did not process zero-key principal')
-    out = realm.run_kadminl('getpols')
+    out = realm.run([kadminl, 'getpols'])
     if 'testpol' not in out:
         fail('Loaded dumpfile missing test policy')
     dump_compare(realm, opt, srcfile)
@@ -93,11 +93,11 @@ def load_dump_check_compare(realm, opt, srcfile):
 
 # Loading the last (-b7 format) dump won't have loaded the
 # per-principal kadm data.  Load that incrementally with -ov.
-out = realm.run_kadminl('getprinc user')
+out = realm.run([kadminl, 'getprinc', 'user'])
 if 'Policy: [none]' not in out:
     fail('Loaded b7 dump unexpectedly contains user policy reference')
 realm.run([kdb5_util, 'load', '-update', '-ov', srcdump_ov])
-out = realm.run_kadminl('getprinc user')
+out = realm.run([kadminl, 'getprinc', 'user'])
 if 'Policy: testpol' not in out:
     fail('Loading ov dump did not add user policy reference')
 

diff --git a/src/tests/t_general.py b/src/tests/t_general.py
@@ -14,7 +14,8 @@
 
     # Test FAST kinit.
     fastpw = password('fast')
-    realm.run_kadminl('ank -pw %s +requires_preauth user/fast' % fastpw)
+    realm.run([kadminl, 'ank', '-pw', fastpw, '+requires_preauth',
+               'user/fast'])
     realm.kinit('user/fast', fastpw)
     realm.kinit('user/fast', fastpw, flags=['-T', realm.ccache])
     realm.klist('user/fast@%s' % realm.realm)
@@ -27,7 +28,7 @@
 # principal with an empty password.  (Regression test for #7642.)
 conf={'plugins': {'pwqual': {'disable': 'empty'}}}
 realm = K5Realm(create_user=False, create_host=False, krb5_conf=conf)
-realm.run_kadminl('addprinc -pw "" user')
+realm.run([kadminl, 'addprinc', '-pw', '', 'user'])
 realm.run(['./t_init_creds', 'user', ''])
 realm.stop()