Diffstat (limited to 'src/tests/t_princflags.py')
-rwxr-xr-xsrc/tests/t_princflags.py139
1 files changed, 139 insertions, 0 deletions
diff --git a/src/tests/t_princflags.py b/src/tests/t_princflags.py
new file mode 100755
index 000000000000..6378ef94fce2
--- /dev/null
+++ b/src/tests/t_princflags.py
@@ -0,0 +1,139 @@
+#!/usr/bin/python
+from k5test import *
+from princflags import *
+import re
+
+realm = K5Realm(create_host=False, get_creds=False)
+
+# Regex pattern to match an empty attribute line from kadmin getprinc
+emptyattr = re.compile('^Attributes:$', re.MULTILINE)
+
+
+# Regex pattern to match a kadmin getprinc output for a flag tuple
+def attr_pat(ftuple):
+ return re.compile('^Attributes: ' + ftuple.flagname() + '$',
+ re.MULTILINE)
+
+
+# Test one flag tuple for kadmin ank.
+def one_kadmin_flag(ftuple):
+ pat = attr_pat(ftuple)
+ realm.run([kadminl, 'ank', ftuple.setspec(),
+ '-pw', 'password', 'test'])
+ out = realm.run([kadminl, 'getprinc', 'test'])
+ if not pat.search(out):
+ fail('Failed to set flag ' + ftuple.flagname())
+
+ realm.run([kadminl, 'modprinc', ftuple.clearspec(), 'test'])
+ out = realm.run([kadminl, 'getprinc', 'test'])
+ if not emptyattr.search(out):
+ fail('Failed to clear flag ' + ftuple.flagname())
+ realm.run([kadminl, 'delprinc', 'test'])
+
+
+# Generate a custom kdc.conf with default_principal_flags set
+# according to ftuple.
+def genkdcconf(ftuple):
+ d = { 'realms': { '$realm': {
+ 'default_principal_flags': ftuple.setspec()
+ }}}
+ return realm.special_env('tmp', True, kdc_conf=d)
+
+
+# Test one ftuple for kdc.conf default_principal_flags.
+def one_kdcconf(ftuple):
+ e = genkdcconf(ftuple)
+ pat = attr_pat(ftuple)
+ realm.run([kadminl, 'ank', '-pw', 'password', 'test'], env=e)
+ out = realm.run([kadminl, 'getprinc', 'test'])
+ if not pat.search(out):
+ fail('Failed to set flag ' + ftuple.flagname() + ' via kdc.conf')
+
+ realm.run([kadminl, 'delprinc', 'test'])
+
+
+# Principal name for kadm5.acl line
+def ftuple2pname(ftuple, doset):
+ pname = 'set_' if doset else 'clear_'
+ return pname + ftuple.flagname()
+
+
+# Translate a strconv ftuple to a spec string for kadmin.
+def ftuple2kadm_spec(ftuple, doset):
+ ktuple = kadmin_itable[ftuple.flag]
+ if ktuple.invert != ftuple.invert:
+ # Could do:
+ # doset = not doset
+ # but this shouldn't happen.
+ raise ValueError
+ return ktuple.spec(doset)
+
+
+# Generate a line for kadm5.acl.
+def acl_line(ftuple, doset):
+ pname = ftuple2pname(ftuple, doset)
+ spec = ftuple.spec(doset)
+ return "%s * %s %s\n" % (realm.admin_princ, pname, spec)
+
+
+# Test one kadm5.acl line for a ftuple.
+def one_aclcheck(ftuple, doset):
+ pname = ftuple2pname(ftuple, doset)
+ pat = attr_pat(ftuple)
+ outname = ftuple.flagname()
+ # Create the principal and check that the flag is correctly set or
+ # cleared.
+ realm.run_kadmin(['ank', '-pw', 'password', pname])
+ out = realm.run([kadminl, 'getprinc', pname])
+ if doset:
+ if not pat.search(out):
+ fail('Failed to set flag ' + outname + ' via kadm5.acl')
+ else:
+ if not emptyattr.search(out):
+ fail('Failed to clear flag ' + outname + ' via kadm5.acl')
+ # If acl forces flag to be set, try to clear it, and vice versa.
+ spec = ftuple2kadm_spec(ftuple, not doset)
+ realm.run_kadmin(['modprinc', spec, pname])
+ out = realm.run([kadminl, 'getprinc', pname])
+ if doset:
+ if not pat.search(out):
+ fail('Failed to keep flag ' + outname + ' set')
+ else:
+ if not emptyattr.search(out):
+ fail('Failed to keep flag ' + outname + ' clear')
+
+
+# Set all flags simultaneously, even the ones that aren't defined yet.
+def lamptest():
+ pat = re.compile('^Attributes: ' +
+ ' '.join(flags2namelist(0xffffffff)) +
+ '$', re.MULTILINE)
+ realm.run([kadminl, 'ank', '-pw', 'password', '+0xffffffff', 'test'])
+ out = realm.run([kadminl, 'getprinc', 'test'])
+ if not pat.search(out):
+ fail('Failed to simultaenously set all flags')
+ realm.run([kadminl, 'delprinc', 'test'])
+
+
+for ftuple in kadmin_ftuples:
+ one_kadmin_flag(ftuple)
+
+for ftuple in strconv_ftuples:
+ one_kdcconf(ftuple)
+
+f = open(os.path.join(realm.testdir, 'acl'), 'w')
+for ftuple in strconv_ftuples:
+ f.write(acl_line(ftuple, True))
+ f.write(acl_line(ftuple, False))
+f.close()
+
+realm.start_kadmind()
+realm.prep_kadmin()
+
+for ftuple in strconv_ftuples:
+ one_aclcheck(ftuple, True)
+ one_aclcheck(ftuple, False)
+
+lamptest()
+
+success('KDB principal flags')
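Review bot: In `one_aclcheck`, the first check for the `doset=False` case looks vacuous: the principal is created with `ank -pw password pname` and no flag spec, and `one_kadmin_flag` already relies on a principal with no flags set printing a bare `Attributes:` line, so `emptyattr` would match whether or not the kadm5.acl restriction was applied at creation. Only the later `modprinc` step exercises the clear-direction restriction, which leaves the add path for that direction effectively untested. Requesting the opposite setting at creation would cover both directions, e.g. `realm.run_kadmin(['ank', ftuple2kadm_spec(ftuple, not doset), '-pw', 'password', pname])`. Separately, the failure message in `lamptest` misspells "simultaneously".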