From: Greg Hudson <ghudson@mit.edu>
Date: Tue, 3 Mar 2015 00:19:19 +0000 (-0500)
Subject: Add tests for AD-SIGNTICKET corner cases
X-Git-Tag: krb5-1.14-alpha1~101
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F257%2Fhead;p=thirdparty%2Fkrb5.git

Add tests for AD-SIGNTICKET corner cases

Test situations where the previous AD-SIGNTICKET logic would not use
the same key to create and verify the AD-SIGNTICKET data.  Also test a
case which forces the new verification logic to try multiple krbtgt
versions.

ticket: 8139
---

diff --git a/src/tests/gssapi/t_s4u.py b/src/tests/gssapi/t_s4u.py
index 2ac2fa7169..5a2b80751a 100755
--- a/src/tests/gssapi/t_s4u.py
+++ b/src/tests/gssapi/t_s4u.py
@@ -111,4 +111,35 @@ if 'auth1: user@' not in out or 'auth2: user@' not in out:
 # Successful S4U2Self -> S4U2Proxy.
 out = realm.run(['./t_s4u', puser, pservice2])
 
+# Regression test for #8139: get a user ticket directly for service1 and
+# try krb5 -> S4U2Proxy.
+realm.kinit(realm.user_princ, None, ['-f', '-k', '-c', usercache,
+                                     '-t', userkeytab, '-S', service1])
+out = realm.run(['./t_s4u2proxy_krb5', usercache, storagecache, '-',
+                 pservice1, pservice2])
+if 'auth1: user@' not in out or 'auth2: user@' not in out:
+    fail('krb5 -> s4u2proxy')
+
+# Simulate a krbtgt rollover and verify that the user ticket can still
+# be validated.
+realm.stop_kdc()
+newtgt_keys = ['2 aes128-cts', '1 aes128-cts']
+newtgt_princs = {'krbtgt/KRBTEST.COM': {'keys': newtgt_keys}}
+newtgt_conf = {'dbmodules': {'test': {'princs': newtgt_princs}}}
+newtgt_env = realm.special_env('newtgt', True, kdc_conf=newtgt_conf)
+realm.start_kdc(env=newtgt_env)
+out = realm.run(['./t_s4u2proxy_krb5', usercache, storagecache, '-',
+                 pservice1, pservice2])
+if 'auth1: user@' not in out or 'auth2: user@' not in out:
+    fail('krb5 -> s4u2proxy')
+
+# Get a user ticket after the krbtgt rollover and verify that
+# S4U2Proxy delegation works (also a #8139 regression test).
+realm.kinit(realm.user_princ, None, ['-f', '-k', '-c', usercache,
+                                     '-t', userkeytab])
+out = realm.run(['./t_s4u2proxy_krb5', usercache, storagecache, '-',
+                 pservice1, pservice2])
+if 'auth1: user@' not in out or 'auth2: user@' not in out:
+    fail('krb5 -> s4u2proxy')
+
 success('S4U test cases')