Diffstat (limited to 'src/tests/t_crossrealm.py')
-rwxr-xr-xsrc/tests/t_crossrealm.py49
1 files changed, 40 insertions, 9 deletions
diff --git a/src/tests/t_crossrealm.py b/src/tests/t_crossrealm.py
index 0d967b8a50f2..e7ddb05254d8 100755
--- a/src/tests/t_crossrealm.py
+++ b/src/tests/t_crossrealm.py
@@ -25,9 +25,7 @@
from k5test import *
def test_kvno(r, princ, test, env=None):
- output = r.run([kvno, princ], env=env)
- if princ not in output:
- fail('%s: principal %s not in kvno output' % (test, princ))
+ r.run([kvno, princ], env=env, expected_msg=princ)
def stop(*realms):
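Review bot: The `test` parameter of `test_kvno` is no longer read once the body becomes the single `r.run(..., expected_msg=princ)` call, so the scenario label ('basic r1->r2', 'KDC capaths', …) no longer reaches any failure message. The same happens in the two transited-error hunks further down, where the 'transited 1' and 'transited 2' labels are removed. If `r.run` does not already identify the failing scenario in its own output (not visible here), these negative tests become harder to triage, and they are the ones that check the KDC refuses an illegal transit path. At minimum I would document the now-unused argument, e.g. `# 'test' is a human-readable scenario label; it is currently unused.`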
@@ -35,10 +33,39 @@ def stop(*realms):
r.stop()
+# Verify that the princs appear as the service principals in the klist
+# output for the realm r, in order.
+def check_klist(r, princs):
+ out = r.run([klist])
+ count = 0
+ seen_header = False
+ for l in out.split('\n'):
+ if l.startswith('Valid starting'):
+ seen_header = True
+ continue
+ if not seen_header or l == '':
+ continue
+ if count >= len(princs):
+ fail('too many entries in klist output')
+ svcprinc = l.split()[4]
+ if svcprinc != princs[count]:
+ fail('saw service princ %s in klist output, expected %s' %
+ (svcprinc, princs[count]))
+ count += 1
+ if count != len(princs):
+ fail('not enough entries in klist output')
+
+
+def tgt(r1, r2):
+ return 'krbtgt/%s@%s' % (r1.realm, r2.realm)
+
+
# Basic two-realm test with cross TGTs in both directions.
r1, r2 = cross_realms(2)
test_kvno(r1, r2.host_princ, 'basic r1->r2')
+check_klist(r1, (tgt(r1, r1), tgt(r2, r1), r2.host_princ))
test_kvno(r2, r1.host_princ, 'basic r2->r1')
+check_klist(r2, (tgt(r2, r2), tgt(r1, r2), r1.host_princ))
stop(r1, r2)
# Test the KDC domain walk for hierarchically arranged realms. The
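Review bot: `svcprinc = l.split()[4]` in `check_klist` assumes every non-empty line after the 'Valid starting' header has at least five whitespace-separated fields. A continuation line with fewer fields (klist can print lines such as a 'renew until' line under an entry, if the test realm ever issues renewable tickets) would raise an IndexError instead of a readable failure, and a line with a different date layout would silently compare the wrong field. I would split once and check the count, `fields = l.split()` followed by `if len(fields) < 5: fail('unexpected klist line: %s' % l)`, then compare `fields[4]`. As a style point, `l` is easy to misread as `1`; `line` would be clearer.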
@@ -49,6 +76,7 @@ r1, r2, r3 = cross_realms(3, xtgts=((0,1), (1,2)),
args=({'realm': 'A.X'}, {'realm': 'X'},
{'realm': 'B.X'}))
test_kvno(r1, r3.host_princ, 'KDC domain walk')
+check_klist(r1, (tgt(r1, r1), r3.host_princ))
stop(r1, r2, r3)
# Test client capaths. The client in A will ask for a cross TGT to D,
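Review bot: The expected cache contents in `check_klist(r1, (tgt(r1, r1), r3.host_princ))` carry no comment explaining why no intermediate cross-realm TGT is listed. The client-capaths hunk expects every hop (`tgt(r2, r1)`, `tgt(r3, r2)`, `tgt(r4, r3)`), while the KDC-capaths hunk expects only `tgt(r4, r3)`. These tuples are the only place the intended caching behaviour per scenario is recorded, so a one-line comment above each call would let a reader tell an intentional expectation from an accidental one, e.g. `# Intermediate TGTs from the KDC-driven walk are not expected in the ccache.` I cannot tell from the hunk alone which client behaviour produces the difference, so the wording should come from the author.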
@@ -64,6 +92,8 @@ r1, r2, r3, r4 = cross_realms(4, xtgts=((0,1), (1,2), (2,3)),
{'realm': 'D', 'krb5_conf': capaths}))
r1client = r1.special_env('client', False, krb5_conf=capaths)
test_kvno(r1, r4.host_princ, 'client capaths', r1client)
+check_klist(r1, (tgt(r1, r1), tgt(r2, r1), tgt(r3, r2), tgt(r4, r3),
+ r4.host_princ))
stop(r1, r2, r3, r4)
# Test KDC capaths. The KDCs for A and B have appropriate capaths
@@ -76,6 +106,7 @@ r1, r2, r3, r4 = cross_realms(4, xtgts=((0,1), (1,2), (2,3)),
{'realm': 'C', 'krb5_conf': capaths},
{'realm': 'D', 'krb5_conf': capaths}))
test_kvno(r1, r4.host_princ, 'KDC capaths')
+check_klist(r1, (tgt(r1, r1), tgt(r4, r3), r4.host_princ))
stop(r1, r2, r3, r4)
# Test transited error. The KDC for C does not recognize B as an
@@ -85,9 +116,9 @@ capaths = {'capaths': {'A': {'C': 'B'}}}
r1, r2, r3 = cross_realms(3, xtgts=((0,1), (1,2)),
args=({'realm': 'A', 'krb5_conf': capaths},
{'realm': 'B'}, {'realm': 'C'}))
-output = r1.run([kvno, r3.host_princ], expected_code=1)
-if 'KDC policy rejects request' not in output:
- fail('transited 1: Expected error message not in output')
+r1.run([kvno, r3.host_princ], expected_code=1,
+ expected_msg='KDC policy rejects request')
+check_klist(r1, (tgt(r1, r1), tgt(r3, r2)))
stop(r1, r2, r3)
# Test a different kind of transited error. The KDC for D does not
@@ -99,9 +130,9 @@ r1, r2, r3, r4 = cross_realms(4, xtgts=((0,1), (1,2), (2,3)),
{'realm': 'B', 'krb5_conf': capaths},
{'realm': 'C', 'krb5_conf': capaths},
{'realm': 'D'}))
-output = r1.run([kvno, r4.host_princ], expected_code=1)
-if 'Illegal cross-realm ticket' not in output:
- fail('transited 2: Expected error message not in output')
+r1.run([kvno, r4.host_princ], expected_code=1,
+ expected_msg='Illegal cross-realm ticket')
+check_klist(r1, (tgt(r1, r1), tgt(r4, r3)))
stop(r1, r2, r3, r4)
success('Cross-realm tests')