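from k5test import *
from datetime import datetime
import re

# Load the test preauth module (KDC and client side) and the test
# kdcpolicy module from the build tree.
testpreauth = os.path.join(buildtop, 'plugins', 'preauth', 'test', 'test.so')
testpolicy = os.path.join(buildtop, 'plugins', 'kdcpolicy', 'test',
                          'kdcpolicy_test.so')
krb5_conf = {'plugins': {'kdcpreauth': {'module': 'test:' + testpreauth},
                         'clpreauth': {'module': 'test:' + testpreauth},
                         'kdcpolicy': {'module': 'test:' + testpolicy}}}
# Require preauth for every principal so the test preauth module takes
# part in each AS exchange, and allow renewable lifetimes of up to a day.
kdc_conf = {'realms': {'$realm': {'default_principal_flags': '+preauth',
                                  'max_renewable_life': '1d'}}}
realm = K5Realm(krb5_conf=krb5_conf, kdc_conf=kdc_conf)

# Principal used by the failure-path checks at the end of the script.
realm.run([kadminl, 'addprinc', '-pw', password('fail'), 'fail'])


def verify_time(out, target_time):
    """Check the ticket lifetimes shown in klist output against a target.

    out is klist output; every mm/dd/yy hh:mm:ss timestamp in it is
    collected, and the timestamps are consumed three at a time as
    (start, end, renew-until).  target_time is the expected str() form
    of a timedelta, such as '7:00:00'.  The first triple must have both
    its lifetime (end - start) and its renewable extension
    (renew-until - end) equal to target_time; for every later triple
    the doubled values must equal target_time.

    Calls fail() on any mismatch.  It also calls fail() when the output
    has no timestamps or an incomplete triple, so that a change in the
    klist output format cannot make the lifetime checks pass without
    having compared anything.
    """
    stamps = [datetime.strptime(t, '%m/%d/%y %H:%M:%S')
              for t in re.findall(r'\d\d/\d\d/\d\d \d\d:\d\d:\d\d', out)]

    # Without this guard an empty match list skips every comparison
    # below, and a partial triple surfaces as a bare IndexError.
    if not stamps:
        fail('no ticket times found in klist output')
    if len(stamps) % 3 != 0:
        fail('unexpected number of ticket times in klist output')

    divisor = 1
    for i in range(0, len(stamps), 3):
        starttime, endtime, renewtime = stamps[i:i + 3]

        if str((endtime - starttime) * divisor) != target_time:
            fail('unexpected lifetime value')
        if str((renewtime - endtime) * divisor) != target_time:
            fail('unexpected renewable value')

        # Service tickets should have half the lifetime of initial
        # tickets.
        divisor = 2


# Request more (12h lifetime, 1d renewable) than the expected results
# below, so the shorter lifetimes observed must come from the KDC.
rflags = ['-r', '1d', '-l', '12h']

# Test AS+TGS success path.
# NOTE(review): the mapping from indicator name to lifetime presumably
# lives in the test kdcpolicy module; confirm against its source.
realm.kinit(realm.user_princ, password('user'),
            rflags + ['-X', 'indicators=SEVEN_HOURS'])
realm.run([kvno, realm.host_princ])
# The indicator asserted during preauth must appear in the service
# ticket's authdata.
realm.run(['./adata', realm.host_princ], expected_msg='+97: [SEVEN_HOURS]')
out = realm.run([klist, '-e', realm.ccache])
verify_time(out, '7:00:00')

# Test AS+TGS success path with different values.
realm.kinit(realm.user_princ, password('user'),
            rflags + ['-X', 'indicators=ONE_HOUR'])
realm.run([kvno, realm.host_princ])
realm.run(['./adata', realm.host_princ], expected_msg='+97: [ONE_HOUR]')
out = realm.run([klist, '-e', realm.ccache])
verify_time(out, '1:00:00')

# Test TGS failure path (using previous creds).
realm.run([kvno, 'fail@%s' % realm.realm], expected_code=1,
          expected_msg='KDC policy rejects request')

# Test AS failure path.
realm.kinit('fail@%s' % realm.realm, password('fail'),
            expected_code=1, expected_msg='KDC policy rejects request')

success('kdcpolicy tests')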