Clean up PKINIT tests

Use realm.user_princ where appropriate. Re-wrap some overwrapped function calls. De-indent the PKCS11 tests using skip_rest.
krb5 · Jan 22, 2015 · b547063 · b547063
1 parent f3891f0
commit b547063
Showing 1 changed file with 93 additions and 163 deletions.
diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py
@@ -53,12 +53,10 @@
                 get_creds=False)
 
 # Sanity check - password-based preauth should still work.
-realm.run(['./responder',
-           '-r', 'password=%s' % password('user'),
-           'user@%s' % realm.realm])
-realm.kinit('user@%s' % realm.realm,
-            password=password('user'))
-realm.klist('user@%s' % realm.realm)
+realm.run(['./responder', '-r', 'password=%s' % password('user'),
+           realm.user_princ])
+realm.kinit(realm.user_princ, password=password('user'))
+realm.klist(realm.user_princ)
 realm.run([kvno, realm.host_princ])
 
 # Test anonymous PKINIT.
@@ -99,52 +97,36 @@
 realm.run_kadminl('delprinc -force WELLKNOWN/ANONYMOUS')
 
 # Run the basic test - PKINIT with FILE: identity, with no password on the key.
-realm.run(['./responder',
-           '-x',
-           'pkinit=',
-           '-X',
-           'X509_user_identity=%s' % file_identity,
-           'user@%s' % realm.realm])
-realm.kinit('user@%s' % realm.realm,
+realm.run(['./responder', '-x', 'pkinit=',
+           '-X', 'X509_user_identity=%s' % file_identity, realm.user_princ])
+realm.kinit(realm.user_princ,
             flags=['-X', 'X509_user_identity=%s' % file_identity])
-realm.klist('user@%s' % realm.realm)
+realm.klist(realm.user_princ)
 realm.run([kvno, realm.host_princ])
 
 # Run the basic test - PKINIT with FILE: identity, with a password on the key,
 # supplied by the prompter.
 # Expect failure if the responder does nothing, and we have no prompter.
-realm.run(['./responder',
-          '-x',
-          'pkinit={"%s": 0}' % file_enc_identity,
-          '-X',
-          'X509_user_identity=%s' % file_enc_identity,
-          'user@%s' % realm.realm],
+realm.run(['./responder', '-x', 'pkinit={"%s": 0}' % file_enc_identity,
+          '-X', 'X509_user_identity=%s' % file_enc_identity, realm.user_princ],
           expected_code=2)
-realm.kinit('user@%s' % realm.realm,
+realm.kinit(realm.user_princ,
             flags=['-X', 'X509_user_identity=%s' % file_enc_identity],
             password='encrypted')
-realm.klist('user@%s' % realm.realm)
+realm.klist(realm.user_princ)
 realm.run([kvno, realm.host_princ])
 
 # Run the basic test - PKINIT with FILE: identity, with a password on the key,
 # supplied by the responder.
 # Supply the response in raw form.
-realm.run(['./responder',
-           '-x',
-           'pkinit={"%s": 0}' % file_enc_identity,
-           '-r',
-           'pkinit={"%s": "encrypted"}' % file_enc_identity,
-           '-X',
-           'X509_user_identity=%s' % file_enc_identity,
-           'user@%s' % realm.realm])
+realm.run(['./responder', '-x', 'pkinit={"%s": 0}' % file_enc_identity,
+           '-r', 'pkinit={"%s": "encrypted"}' % file_enc_identity,
+           '-X', 'X509_user_identity=%s' % file_enc_identity,
+           realm.user_princ])
 # Supply the response through the convenience API.
-realm.run(['./responder',
-           '-X',
-           'X509_user_identity=%s' % file_enc_identity,
-           '-p',
-           '%s=%s' % (file_enc_identity, 'encrypted'),
-           'user@%s' % realm.realm])
-realm.klist('user@%s' % realm.realm)
+realm.run(['./responder', '-X', 'X509_user_identity=%s' % file_enc_identity,
+           '-p', '%s=%s' % (file_enc_identity, 'encrypted'), realm.user_princ])
+realm.klist(realm.user_princ)
 realm.run([kvno, realm.host_princ])
 
 # PKINIT with DIR: identity, with no password on the key.
@@ -154,167 +136,115 @@
 shutil.copy(privkey_enc_pem, os.path.join(path_enc, 'user.key'))
 shutil.copy(user_pem, os.path.join(path, 'user.crt'))
 shutil.copy(user_pem, os.path.join(path_enc, 'user.crt'))
-realm.run(['./responder',
-           '-x',
-           'pkinit=',
-           '-X',
-           'X509_user_identity=%s' % dir_identity,
-           'user@%s' % realm.realm])
-realm.kinit('user@%s' % realm.realm,
+realm.run(['./responder', '-x', 'pkinit=', '-X',
+           'X509_user_identity=%s' % dir_identity, realm.user_princ])
+realm.kinit(realm.user_princ,
             flags=['-X', 'X509_user_identity=%s' % dir_identity])
-realm.klist('user@%s' % realm.realm)
+realm.klist(realm.user_princ)
 realm.run([kvno, realm.host_princ])
 
 # PKINIT with DIR: identity, with a password on the key, supplied by the
 # prompter.
 # Expect failure if the responder does nothing, and we have no prompter.
-realm.run(['./responder',
-           '-x',
-           'pkinit={"%s": 0}' %
-           dir_file_enc_identity,
-           '-X',
-           'X509_user_identity=%s' % dir_enc_identity,
-           'user@%s' % realm.realm],
+realm.run(['./responder', '-x', 'pkinit={"%s": 0}' % dir_file_enc_identity,
+           '-X', 'X509_user_identity=%s' % dir_enc_identity, realm.user_princ],
            expected_code=2)
-realm.kinit('user@%s' % realm.realm,
+realm.kinit(realm.user_princ,
             flags=['-X', 'X509_user_identity=%s' % dir_enc_identity],
             password='encrypted')
-realm.klist('user@%s' % realm.realm)
+realm.klist(realm.user_princ)
 realm.run([kvno, realm.host_princ])
 
 # PKINIT with DIR: identity, with a password on the key, supplied by the
 # responder.
 # Supply the response in raw form.
-realm.run(['./responder',
-           '-x',
-           'pkinit={"%s": 0}' %
-           dir_file_enc_identity,
-           '-r',
-           'pkinit={"%s": "encrypted"}' % dir_file_enc_identity,
-           '-X',
-           'X509_user_identity=%s' % dir_enc_identity,
-           'user@%s' % realm.realm])
+realm.run(['./responder', '-x', 'pkinit={"%s": 0}' % dir_file_enc_identity,
+           '-r', 'pkinit={"%s": "encrypted"}' % dir_file_enc_identity,
+           '-X', 'X509_user_identity=%s' % dir_enc_identity, realm.user_princ])
 # Supply the response through the convenience API.
-realm.run(['./responder',
-           '-X',
-           'X509_user_identity=%s' % dir_enc_identity,
-           '-p',
-           '%s=%s' % (dir_file_enc_identity, 'encrypted'),
-           'user@%s' % realm.realm])
-realm.klist('user@%s' % realm.realm)
+realm.run(['./responder', '-X', 'X509_user_identity=%s' % dir_enc_identity,
+           '-p', '%s=%s' % (dir_file_enc_identity, 'encrypted'),
+           realm.user_princ])
+realm.klist(realm.user_princ)
 realm.run([kvno, realm.host_princ])
 
 # PKINIT with PKCS12: identity, with no password on the bundle.
-realm.run(['./responder',
-           '-x',
-           'pkinit=',
-           '-X',
-           'X509_user_identity=%s' % p12_identity,
-           'user@%s' % realm.realm])
-realm.kinit('user@%s' % realm.realm,
+realm.run(['./responder', '-x', 'pkinit=',
+           '-X', 'X509_user_identity=%s' % p12_identity, realm.user_princ])
+realm.kinit(realm.user_princ,
             flags=['-X', 'X509_user_identity=%s' % p12_identity])
-realm.klist('user@%s' % realm.realm)
+realm.klist(realm.user_princ)
 realm.run([kvno, realm.host_princ])
 
 # PKINIT with PKCS12: identity, with a password on the bundle, supplied by the
 # prompter.
 # Expect failure if the responder does nothing, and we have no prompter.
-realm.run(['./responder',
-           '-x',
-           'pkinit={"%s": 0}' % p12_enc_identity,
-           '-X',
-           'X509_user_identity=%s' % p12_enc_identity,
-           'user@%s' % realm.realm],
+realm.run(['./responder', '-x', 'pkinit={"%s": 0}' % p12_enc_identity,
+           '-X', 'X509_user_identity=%s' % p12_enc_identity, realm.user_princ],
            expected_code=2)
-realm.kinit('user@%s' % realm.realm,
+realm.kinit(realm.user_princ,
             flags=['-X', 'X509_user_identity=%s' % p12_enc_identity],
             password='encrypted')
-realm.klist('user@%s' % realm.realm)
+realm.klist(realm.user_princ)
 realm.run([kvno, realm.host_princ])
 
 # PKINIT with PKCS12: identity, with a password on the bundle, supplied by the
 # responder.
 # Supply the response in raw form.
-realm.run(['./responder',
-           '-x',
-           'pkinit={"%s": 0}' % p12_enc_identity,
-           '-r',
-           'pkinit={"%s": "encrypted"}' % p12_enc_identity,
-           '-X',
-           'X509_user_identity=%s' % p12_enc_identity,
-           'user@%s' % realm.realm])
+realm.run(['./responder', '-x', 'pkinit={"%s": 0}' % p12_enc_identity,
+           '-r', 'pkinit={"%s": "encrypted"}' % p12_enc_identity,
+           '-X', 'X509_user_identity=%s' % p12_enc_identity, realm.user_princ])
 # Supply the response through the convenience API.
-realm.run(['./responder',
-           '-X',
-           'X509_user_identity=%s' % p12_enc_identity,
-           '-p',
-           '%s=%s' % (p12_enc_identity, 'encrypted'),
-           'user@%s' % realm.realm])
-realm.klist('user@%s' % realm.realm)
+realm.run(['./responder', '-X', 'X509_user_identity=%s' % p12_enc_identity,
+           '-p', '%s=%s' % (p12_enc_identity, 'encrypted'),
+           realm.user_princ])
+realm.klist(realm.user_princ)
 realm.run([kvno, realm.host_princ])
 
-if have_soft_pkcs11:
-    softpkcs11rc = os.path.join(os.getcwd(), 'testdir', 'soft-pkcs11.rc')
-    realm.env['SOFTPKCS11RC'] = softpkcs11rc
-
-    # PKINIT with PKCS11: identity, with no need for a PIN.
-    conf = open(softpkcs11rc, 'w')
-    conf.write("%s\t%s\t%s\t%s\n" % ('user', 'user token', user_pem,
-                                     privkey_pem))
-    conf.close()
-    # Expect to succeed without having to supply any more information.
-    realm.run(['./responder',
-               '-x',
-               'pkinit=',
-               '-X',
-               'X509_user_identity=%s' % p11_identity,
-               'user@%s' % realm.realm])
-    realm.kinit('user@%s' % realm.realm,
-                flags=['-X', 'X509_user_identity=%s' % p11_identity])
-    realm.klist('user@%s' % realm.realm)
-    realm.run([kvno, realm.host_princ])
+if not have_soft_pkcs11:
+    skip_rest('PKINIT PKCS11 tests', 'soft-pkcs11.so not found')
+
+softpkcs11rc = os.path.join(os.getcwd(), 'testdir', 'soft-pkcs11.rc')
+realm.env['SOFTPKCS11RC'] = softpkcs11rc
+
+# PKINIT with PKCS11: identity, with no need for a PIN.
+conf = open(softpkcs11rc, 'w')
+conf.write("%s\t%s\t%s\t%s\n" % ('user', 'user token', user_pem, privkey_pem))
+conf.close()
+# Expect to succeed without having to supply any more information.
+realm.run(['./responder', '-x', 'pkinit=',
+           '-X', 'X509_user_identity=%s' % p11_identity, realm.user_princ])
+realm.kinit(realm.user_princ,
+            flags=['-X', 'X509_user_identity=%s' % p11_identity])
+realm.klist(realm.user_princ)
+realm.run([kvno, realm.host_princ])
 
-    # PKINIT with PKCS11: identity, with a PIN supplied by the prompter.
-    os.remove(softpkcs11rc)
-    conf = open(softpkcs11rc, 'w')
-    conf.write("%s\t%s\t%s\t%s\n" % ('user', 'user token', user_pem,
-                                     privkey_enc_pem))
-    conf.close()
-    # Expect failure if the responder does nothing, and there's no prompter
-    realm.run(['./responder',
-               '-x',
-               'pkinit={"%s": 0}' % p11_token_identity,
-               '-X',
-               'X509_user_identity=%s' % p11_identity,
-               'user@%s' % realm.realm],
-               expected_code=2)
-    realm.kinit('user@%s' % realm.realm,
-                flags=['-X', 'X509_user_identity=%s' % p11_identity],
-                password='encrypted')
-    realm.klist('user@%s' % realm.realm)
-    realm.run([kvno, realm.host_princ])
+# PKINIT with PKCS11: identity, with a PIN supplied by the prompter.
+os.remove(softpkcs11rc)
+conf = open(softpkcs11rc, 'w')
+conf.write("%s\t%s\t%s\t%s\n" % ('user', 'user token', user_pem,
+                                 privkey_enc_pem))
+conf.close()
+# Expect failure if the responder does nothing, and there's no prompter
+realm.run(['./responder', '-x', 'pkinit={"%s": 0}' % p11_token_identity,
+           '-X', 'X509_user_identity=%s' % p11_identity, realm.user_princ],
+          expected_code=2)
+realm.kinit(realm.user_princ,
+            flags=['-X', 'X509_user_identity=%s' % p11_identity],
+            password='encrypted')
+realm.klist(realm.user_princ)
+realm.run([kvno, realm.host_princ])
 
-    # PKINIT with PKCS11: identity, with a PIN supplied by the responder.
-    # Supply the response in raw form.
-    realm.run(['./responder',
-               '-x',
-               'pkinit={"%s": 0}' % p11_token_identity,
-               '-r',
-               'pkinit={"%s": "encrypted"}' %
-               p11_token_identity,
-               '-X',
-               'X509_user_identity=%s' % p11_identity,
-               'user@%s' % realm.realm])
-    # Supply the response through the convenience API.
-    realm.run(['./responder',
-               '-X',
-               'X509_user_identity=%s' % p11_identity,
-               '-p',
-               '%s=%s' % (p11_token_identity, 'encrypted'),
-               'user@%s' % realm.realm])
-    realm.klist('user@%s' % realm.realm)
-    realm.run([kvno, realm.host_princ])
-else:
-    skipped('PKINIT PKCS11 tests', 'soft-pkcs11.so not found')
+# PKINIT with PKCS11: identity, with a PIN supplied by the responder.
+# Supply the response in raw form.
+realm.run(['./responder', '-x', 'pkinit={"%s": 0}' % p11_token_identity,
+           '-r', 'pkinit={"%s": "encrypted"}' % p11_token_identity,
+           '-X', 'X509_user_identity=%s' % p11_identity, realm.user_princ])
+# Supply the response through the convenience API.
+realm.run(['./responder', '-X', 'X509_user_identity=%s' % p11_identity,
+           '-p', '%s=%s' % (p11_token_identity, 'encrypted'),
+           realm.user_princ])
+realm.klist(realm.user_princ)
+realm.run([kvno, realm.host_princ])
 
-success('Authenticated PKINIT')
+success('PKINIT tests')