Restrict test KDB to local principals 1024/head
authorIsaac Boukris <iboukris@gmail.com>
Sun, 12 Jan 2020 17:57:10 +0000 (18:57 +0100)
committerGreg Hudson <ghudson@mit.edu>
Mon, 13 Jan 2020 20:36:40 +0000 (15:36 -0500)
Ignoring the lookup realm for principal matching could cause the test
KDB module to successfully look up entries (with the correct key data)
for principals that a real KDB wouldn't have, such as krbtgt/B@A
within realm C.  Add a realm check to test_get_principal(), allowing
only local principal names or incoming cross-TGS names.

[ghudson@mit.edu: changed error code; rewrote commit message]

src/plugins/kdb/test/kdb_test.c
src/tests/gssapi/t_s4u.py

index 69a4663f20706485399c08fc139fb983fcf69938..76974df0057bbe313a6c1ba7831085069d70bdae 100644 (file)
@@ -332,6 +332,27 @@ tgtname(krb5_context context, const krb5_data *tgs_realm,
     return princ;
 }
 
+/* Return true if search_for is within context's default realm or is an
+ * incoming cross-realm TGS name. */
+static krb5_boolean
+request_for_us(krb5_context context, krb5_const_principal search_for)
+{
+    char *defrealm;
+    krb5_data realm;
+    krb5_boolean for_us;
+    krb5_principal local_tgs;
+
+    check(krb5_get_default_realm(context, &defrealm));
+    realm = string2data(defrealm);
+    local_tgs = tgtname(context, &realm, &realm);
+    krb5_free_default_realm(context, defrealm);
+
+    for_us = krb5_realm_compare(context, local_tgs, search_for) ||
+        krb5_principal_compare_any_realm(context, local_tgs, search_for);
+    krb5_free_principal(context, local_tgs);
+    return for_us;
+}
+
 static krb5_error_code
 test_get_principal(krb5_context context, krb5_const_principal search_for,
                    unsigned int flags, krb5_db_entry **entry)
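Review bot: request_for_us() decides locality against krb5_get_default_realm() rather than the realm this KDB instance was opened for, so a KDC serving several realms with the test module would accept only default-realm names and refuse the rest; the test configs below bind one `$realm` to the module, so this looks fine today but is worth stating. I would add `/* Assumes the served realm is the context default realm (test KDCs are single-realm). */` above the krb5_get_default_realm() call. The `realm` krb5_data aliases `defrealm`, which is freed as soon as tgtname() returns, so the code relies on tgtname() copying the realm bytes rather than retaining the pointer; tgtname() starts before this hunk and I cannot confirm that here, so a one-line `/* tgtname() copies the realm; defrealm may be freed now. */` would make the lifetime explicit. Note also that the check() calls abort on failure, consistent with the module's convention, but it means a missing default_realm takes down the KDC process instead of yielding KRB5_KDB_NOENTRY.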
@@ -346,6 +367,9 @@ test_get_principal(krb5_context context, krb5_const_principal search_for,
 
     *entry = NULL;
 
+    if (!request_for_us(context, search_for))
+        return KRB5_KDB_NOENTRY;
+
     check(krb5_unparse_name_flags(context, search_for,
                                   KRB5_PRINCIPAL_UNPARSE_NO_REALM,
                                   &search_name));
@@ -449,7 +473,8 @@ lookup_princ_by_cert(krb5_context context, const krb5_data *client_cert,
     cert_princ_name = k5memdup0(client_cert->data, client_cert->length, &ret);
     check(ret);
 
-    check(krb5_parse_name(context, cert_princ_name, princ));
+    check(krb5_parse_name_flags(context, cert_princ_name,
+                                KRB5_PRINCIPAL_PARSE_ENTERPRISE, princ));
     free(cert_princ_name);
 }
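Review bot: the switch to KRB5_PRINCIPAL_PARSE_ENTERPRISE carries no explanation in the code; presumably it is needed because the certificate-derived names in the test config contain an '@' (`enterprise@abc`), which krb5_parse_name() would split into name `enterprise` in realm `abc`, a realm the new check in test_get_principal() rejects, whereas enterprise parsing keeps the whole string as the name component and assigns the local realm. I would add `/* Parse as an enterprise name: the cert name may contain '@', and the realm must remain local for test_get_principal(). */` above the krb5_parse_name_flags() call. The enclosing lookup_princ_by_cert() begins before this hunk.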
 
index 1a395c3ad72e34210fe35956d14d3083369484ae..e1747272ce516de3fb4c204209fcd369cba802a2 100755 (executable)
@@ -163,11 +163,13 @@ testprincs = {'krbtgt/SREALM': {'keys': 'aes128-cts'},
 kdcconf1 = {'realms': {'$realm': {'database_module': 'test'}},
             'dbmodules': {'test': {'db_library': 'test',
                                    'princs': testprincs,
-                                   'alias': {'enterprise@abc': '@UREALM'}}}}
+                                   'alias': {'enterprise@abc': '@UREALM',
+                                             'user@UREALM': '@UREALM'}}}}
 kdcconf2 = {'realms': {'$realm': {'database_module': 'test'}},
             'dbmodules': {'test': {'db_library': 'test',
                                    'princs': testprincs,
                                    'alias': {'user@SREALM': '@SREALM',
+                                             'user@UREALM': 'user',
                                              'enterprise@abc': 'user'}}}}
 r1, r2 = cross_realms(2, xtgts=(),
                       args=({'realm': 'SREALM', 'kdc_conf': kdcconf1},