1from k5test import *
2from datetime import datetime
3import re
4
5testpreauth = os.path.join(buildtop, 'plugins', 'preauth', 'test', 'test.so')
6testpolicy = os.path.join(buildtop, 'plugins', 'kdcpolicy', 'test',
7                          'kdcpolicy_test.so')
8krb5_conf = {'plugins': {'kdcpreauth': {'module': 'test:' + testpreauth},
9                         'clpreauth': {'module': 'test:' + testpreauth},
10                         'kdcpolicy': {'module': 'test:' + testpolicy}}}
11kdc_conf = {'realms': {'$realm': {'default_principal_flags': '+preauth',
12                                  'max_renewable_life': '1d'}}}
13realm = K5Realm(krb5_conf=krb5_conf, kdc_conf=kdc_conf)
14
15realm.run([kadminl, 'addprinc', '-pw', password('fail'), 'fail'])
16
17def verify_time(out, target_time):
18    times = re.findall(r'\d\d/\d\d/\d\d \d\d:\d\d:\d\d', out)
19    times = [datetime.strptime(t, '%m/%d/%y %H:%M:%S') for t in times]
20    divisor = 1
21    while len(times) > 0:
22        starttime = times.pop(0)
23        endtime = times.pop(0)
24        renewtime = times.pop(0)
25
26        if str((endtime - starttime) * divisor) != target_time:
27            fail('unexpected lifetime value')
28        if str((renewtime - endtime) * divisor) != target_time:
29            fail('unexpected renewable value')
30
31        # Service tickets should have half the lifetime of initial
32        # tickets.
33        divisor = 2
34
35rflags = ['-r', '1d', '-l', '12h']
36
37# Test AS+TGS success path.
38realm.kinit(realm.user_princ, password('user'),
39            rflags + ['-X', 'indicators=SEVEN_HOURS'])
40realm.run([kvno, realm.host_princ])
41realm.run(['./adata', realm.host_princ], expected_msg='+97: [SEVEN_HOURS]')
42out = realm.run([klist, '-e', realm.ccache])
43verify_time(out, '7:00:00')
44
45# Test AS+TGS success path with different values.
46realm.kinit(realm.user_princ, password('user'),
47            rflags + ['-X', 'indicators=ONE_HOUR'])
48realm.run([kvno, realm.host_princ])
49realm.run(['./adata', realm.host_princ], expected_msg='+97: [ONE_HOUR]')
50out = realm.run([klist, '-e', realm.ccache])
51verify_time(out, '1:00:00')
52
53# Test TGS failure path (using previous creds).
54realm.run([kvno, 'fail@%s' % realm.realm], expected_code=1,
55          expected_msg='KDC policy rejects request')
56
57# Test AS failure path.
58realm.kinit('fail@%s' % realm.realm, password('fail'),
59            expected_code=1, expected_msg='KDC policy rejects request')
60
61success('kdcpolicy tests')
62