Restrict test KDB to local principals

Ignoring the lookup realm for principal matching could cause the test
KDB module to successfully look up entries (with the correct key data)
for principals that a real KDB wouldn't have, such as krbtgt/B@A
within realm C.  Add a realm check to test_get_principal(), allowing
only local principal names or incoming cross-TGS names.

[ghudson@mit.edu: changed error code; rewrote commit message]

src/plugins/kdb/test/kdb_test.c

@@ -332,6 +332,27 @@ tgtname(krb5_context context, const krb5_data *tgs_realm,
     return princ;
 }
 
+/* Return true if search_for is within context's default realm or is an
+ * incoming cross-realm TGS name. */
+static krb5_boolean
+request_for_us(krb5_context context, krb5_const_principal search_for)
+{
+    char *defrealm;
+    krb5_data realm;
+    krb5_boolean for_us;
+    krb5_principal local_tgs;
+
+    check(krb5_get_default_realm(context, &defrealm));
+    realm = string2data(defrealm);
+    local_tgs = tgtname(context, &realm, &realm);
+    krb5_free_default_realm(context, defrealm);
+
+    for_us = krb5_realm_compare(context, local_tgs, search_for) ||
+        krb5_principal_compare_any_realm(context, local_tgs, search_for);
+    krb5_free_principal(context, local_tgs);
+    return for_us;
+}
+
 static krb5_error_code
 test_get_principal(krb5_context context, krb5_const_principal search_for,
                    unsigned int flags, krb5_db_entry **entry)
@@ -346,6 +367,9 @@ test_get_principal(krb5_context context, krb5_const_principal search_for,
 
     *entry = NULL;
 
+    if (!request_for_us(context, search_for))
+        return KRB5_KDB_NOENTRY;
+
     check(krb5_unparse_name_flags(context, search_for,
                                   KRB5_PRINCIPAL_UNPARSE_NO_REALM,
                                   &search_name));
@@ -449,7 +473,8 @@ lookup_princ_by_cert(krb5_context context, const krb5_data *client_cert,
     cert_princ_name = k5memdup0(client_cert->data, client_cert->length, &ret);
     check(ret);
 
-    check(krb5_parse_name(context, cert_princ_name, princ));
+    check(krb5_parse_name_flags(context, cert_princ_name,
+                                KRB5_PRINCIPAL_PARSE_ENTERPRISE, princ));
     free(cert_princ_name);
 }
 

src/tests/gssapi/t_s4u.py

@@ -163,11 +163,13 @@
 kdcconf1 = {'realms': {'$realm': {'database_module': 'test'}},
             'dbmodules': {'test': {'db_library': 'test',
                                    'princs': testprincs,
-                                   'alias': {'enterprise@abc': '@UREALM'}}}}
+                                   'alias': {'enterprise@abc': '@UREALM',
+                                             'user@UREALM': '@UREALM'}}}}
 kdcconf2 = {'realms': {'$realm': {'database_module': 'test'}},
             'dbmodules': {'test': {'db_library': 'test',
                                    'princs': testprincs,
                                    'alias': {'user@SREALM': '@SREALM',
+                                             'user@UREALM': 'user',
                                              'enterprise@abc': 'user'}}}}
 r1, r2 = cross_realms(2, xtgts=(),
                       args=({'realm': 'SREALM', 'kdc_conf': kdcconf1},