From: Greg Hudson <ghudson@mit.edu>
Date: Mon, 23 Feb 2015 20:48:00 +0000 (-0500)
Subject: Add successful S4U2Proxy test cases
X-Git-Tag: krb5-1.14-alpha1~156
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e732d9dc3f2e7b01ff3c8305d58a3a754c9e9ec5;p=thirdparty%2Fkrb5.git

Add successful S4U2Proxy test cases

In t_s4u.py, use the test KDB module to test successful S4U2Proxy
delegations.
---

diff --git a/src/tests/gssapi/t_s4u.py b/src/tests/gssapi/t_s4u.py
index 0e3842918b..2ac2fa7169 100644
--- a/src/tests/gssapi/t_s4u.py
+++ b/src/tests/gssapi/t_s4u.py
@@ -73,4 +73,42 @@ output = realm.run(['./t_s4u', '--spnego', puser, pservice2], expected_code=1)
 if 'NOT_ALLOWED_TO_DELEGATE' not in output:
     fail('s4u2self')
 
+realm.stop()
+
+# Set up a realm using the test KDB module so that we can do
+# successful S4U2Proxy delegations.
+testprincs = {'krbtgt/KRBTEST.COM': {'keys': 'aes128-cts'},
+              'user': {'keys': 'aes128-cts'},
+              'service/1': {'flags': '+ok-to-auth-as-delegate',
+                            'keys': 'aes128-cts'},
+              'service/2': {'keys': 'aes128-cts'}}
+conf = {'realms': {'$realm': {'database_module': 'test'}},
+        'dbmodules': {'test': {'db_library': 'test',
+                               'princs': testprincs,
+                               'delegation': {'service/1': 'service/2'}}}}
+realm = K5Realm(create_kdb=False, kdc_conf=conf)
+userkeytab = 'FILE:' + os.path.join(realm.testdir, 'userkeytab')
+realm.extract_keytab(realm.user_princ, userkeytab)
+realm.extract_keytab(service1, realm.keytab)
+realm.extract_keytab(service2, realm.keytab)
+realm.start_kdc()
+
+# Get forwardable creds for service1 in the default cache.
+realm.kinit(service1, None, ['-f', '-k'])
+
+# Successful krb5 -> S4U2Proxy, with krb5 and SPNEGO mechs.
+realm.kinit(realm.user_princ, None, ['-f', '-k', '-c', usercache,
+                                     '-t', userkeytab])
+out = realm.run(['./t_s4u2proxy_krb5', usercache, storagecache, '-',
+                 pservice1, pservice2])
+if 'auth1: user@' not in out or 'auth2: user@' not in out:
+    fail('krb5 -> s4u2proxy')
+out = realm.run(['./t_s4u2proxy_krb5', '--spnego', usercache, storagecache,
+                 '-', pservice1, pservice2])
+if 'auth1: user@' not in out or 'auth2: user@' not in out:
+    fail('krb5 -> s4u2proxy')
+
+# Successful S4U2Self -> S4U2Proxy.
+out = realm.run(['./t_s4u', puser, pservice2])
+
 success('S4U test cases')