-
Notifications
You must be signed in to change notification settings - Fork 366
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add the global variables pkinit_enabled and pkinit_certs. Add the realm flag pkinit=True. Add the realm method pkinit(). Use these facilities in t_pkinit.py, t_certauth.py, and t_authdata.py.
- Loading branch information
1 parent
872bed1
commit 7276270
Showing
4 changed files
with
76 additions
and
90 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,82 +1,65 @@ | ||
from k5test import * | ||
|
||
# Skip this test if pkinit wasn't built. | ||
if not os.path.exists(os.path.join(plugins, 'preauth', 'pkinit.so')): | ||
if not pkinit_enabled: | ||
skip_rest('certauth tests', 'PKINIT module not built') | ||
|
||
certs = os.path.join(srctop, 'tests', 'pkinit-certs') | ||
ca_pem = os.path.join(certs, 'ca.pem') | ||
kdc_pem = os.path.join(certs, 'kdc.pem') | ||
privkey_pem = os.path.join(certs, 'privkey.pem') | ||
user_pem = os.path.join(certs, 'user.pem') | ||
|
||
modpath = os.path.join(buildtop, 'plugins', 'certauth', 'test', | ||
'certauth_test.so') | ||
pkinit_krb5_conf = {'realms': {'$realm': { | ||
'pkinit_anchors': 'FILE:%s' % ca_pem}}, | ||
'plugins': {'certauth': {'module': ['test1:' + modpath, | ||
'test2:' + modpath, | ||
'test3:' + modpath], | ||
'enable_only': ['test1', 'test2', | ||
'test3']}}} | ||
pkinit_kdc_conf = {'realms': {'$realm': { | ||
'default_principal_flags': '+preauth', | ||
'pkinit_eku_checking': 'none', | ||
'pkinit_identity': 'FILE:%s,%s' % (kdc_pem, privkey_pem), | ||
'pkinit_indicator': ['indpkinit1', 'indpkinit2']}}} | ||
|
||
file_identity = 'FILE:%s,%s' % (user_pem, privkey_pem) | ||
krb5_conf = {'plugins': {'certauth': { | ||
'module': ['test1:' + modpath, 'test2:' + modpath, 'test3:' + modpath], | ||
'enable_only': ['test1', 'test2', 'test3']}}} | ||
kdc_conf = {'realms': {'$realm': { | ||
'default_principal_flags': '+preauth', | ||
'pkinit_indicator': ['indpkinit1', 'indpkinit2']}}} | ||
|
||
realm = K5Realm(krb5_conf=pkinit_krb5_conf, kdc_conf=pkinit_kdc_conf, | ||
get_creds=False) | ||
realm = K5Realm(krb5_conf=krb5_conf, kdc_conf=kdc_conf, get_creds=False, | ||
pkinit=True) | ||
realm.addprinc('nocert') | ||
|
||
def pkinit(princ, **kw): | ||
realm.kinit(princ, flags=['-X', 'X509_user_identity=%s' % file_identity], | ||
**kw) | ||
|
||
def check_indicators(inds): | ||
msg = '+97: [%s]' % inds | ||
realm.run(['./adata', realm.host_princ], expected_msg=msg) | ||
|
||
# Test that authentication fails if no module accepts. | ||
pkinit('nocert', expected_code=1, expected_msg='Client name mismatch') | ||
realm.pkinit('nocert', expected_code=1, expected_msg='Client name mismatch') | ||
|
||
# Let the test2 module match user to CN=user, with indicators. | ||
pkinit(realm.user_princ) | ||
realm.pkinit(realm.user_princ) | ||
realm.klist(realm.user_princ) | ||
check_indicators('test1, test2, user, indpkinit1, indpkinit2') | ||
|
||
# Let the test2 module mismatch with user2 to CN=user. | ||
realm.addprinc('user2@KRBTEST.COM') | ||
pkinit('user2', expected_code=1, expected_msg='kinit: Certificate mismatch') | ||
realm.pkinit('user2', expected_code=1, expected_msg='Certificate mismatch') | ||
|
||
# Test the KRB5_CERTAUTH_HWAUTH return code. | ||
mark('hw-authent flag tests') | ||
# First test +requires_hwauth without causing the hw-authent ticket | ||
# flag to be set. This currently results in a preauth loop. | ||
realm.run([kadminl, 'modprinc', '+requires_hwauth', realm.user_princ]) | ||
pkinit(realm.user_princ, expected_code=1, expected_msg='Looping detected') | ||
realm.pkinit(realm.user_princ, expected_code=1, | ||
expected_msg='Looping detected') | ||
# Cause the test3 module to return KRB5_CERTAUTH_HWAUTH and try again. | ||
# Authentication should succeed whether or not another module accepts, | ||
# but not if another module rejects. | ||
realm.run([kadminl, 'setstr', realm.user_princ, 'hwauth', 'ok']) | ||
realm.run([kadminl, 'setstr', 'user2', 'hwauth', 'ok']) | ||
realm.run([kadminl, 'setstr', 'nocert', 'hwauth', 'ok']) | ||
pkinit(realm.user_princ) | ||
realm.pkinit(realm.user_princ) | ||
check_indicators('test1, test2, user, hwauth:ok, indpkinit1, indpkinit2') | ||
pkinit('user2', expected_code=1, expected_msg='kinit: Certificate mismatch') | ||
pkinit('nocert') | ||
realm.pkinit('user2', expected_code=1, expected_msg='Certificate mismatch') | ||
realm.pkinit('nocert') | ||
check_indicators('test1, hwauth:ok, indpkinit1, indpkinit2') | ||
|
||
# Cause the test3 module to return KRB5_CERTAUTH_HWAUTH_PASS and try | ||
# again. Authentication should succeed only if another module accepts. | ||
realm.run([kadminl, 'setstr', realm.user_princ, 'hwauth', 'pass']) | ||
realm.run([kadminl, 'setstr', 'user2', 'hwauth', 'pass']) | ||
realm.run([kadminl, 'setstr', 'nocert', 'hwauth', 'pass']) | ||
pkinit(realm.user_princ) | ||
realm.pkinit(realm.user_princ) | ||
check_indicators('test1, test2, user, hwauth:pass, indpkinit1, indpkinit2') | ||
pkinit('user2', expected_code=1, expected_msg='kinit: Certificate mismatch') | ||
pkinit('nocert', expected_code=1, expected_msg='kinit: Client name mismatch') | ||
realm.pkinit('user2', expected_code=1, expected_msg='Certificate mismatch') | ||
realm.pkinit('nocert', expected_code=1, expected_msg='Client name mismatch') | ||
|
||
success("certauth tests") |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters