From: Greg Hudson Date: Wed, 8 Apr 2015 16:09:09 +0000 (-0400) Subject: Add tests for client principal aliases X-Git-Tag: krb5-1.14-alpha1~145 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F269%2Fhead;p=thirdparty%2Fkrb5.git Add tests for client principal aliases Augment the LDAP KDB module tests to include client principal aliases as well as server principal aliases. Also revise the server principal alias tests to include an AS-REQ case. (This requires adjusting the subsequent test not to assume a ccache containing a TGT.)
---
diff --git a/src/tests/t_kdb.py b/src/tests/t_kdb.py
index 56595db704..28c672ce34 100755
--- a/src/tests/t_kdb.py
+++ b/src/tests/t_kdb.py
@@ -274,7 +274,7 @@ realm.run([kvno, realm.host_princ])
 realm.klist(realm.user_princ, realm.host_princ)
 # Test service principal aliases.
-realm.addprinc('canon')
+realm.addprinc('canon', password('canon'))
 ldap_modify('dn: krbPrincipalName=canon@KRBTEST.COM,cn=t1,cn=krb5\n'
 'changetype: modify\n'
 'add: krbPrincipalName\n'
@@ -293,6 +293,8 @@ realm.run([kvno, 'canon'])
 out = realm.run([klist])
 if 'alias@KRBTEST.COM\n' not in out or 'canon@KRBTEST.COM' not in out:
 fail('After fetching alias and canon, klist is missing one or both')
+realm.kinit(realm.user_princ, password('user'), ['-S', 'alias'])
+realm.klist(realm.user_princ, 'alias@KRBTEST.COM')
 # Make sure an alias to the local TGS is still treated like an alias.
 ldap_modify('dn: krbPrincipalName=krbtgt/KRBTEST.COM@KRBTEST.COM,'
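Review bot: The `kinit ... ['-S', 'alias']` and `klist` lines added after the "missing one or both" check have no comment marking them as the AS-REQ case, and they leave the ccache without a TGT. Only the commit message explains that this is why the `@@ -306,10 +308,9 @@` hunk adds `realm.kinit(realm.user_princ, password('user'))` before `kvno`. I would add `# Also request the alias directly in an AS-REQ; this leaves no TGT in the ccache.` above the new kinit here. In the later hunk, `# Get a TGT again; the AS-REQ alias test above replaced the ccache.` above the re-kinit would keep the ordering dependency visible to the next person who reorders these tests.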
@@ -306,10 +308,9 @@ ldap_modify('dn: krbPrincipalName=krbtgt/KRBTEST.COM@KRBTEST.COM,'
 out = realm.run([kadminl, 'getprinc', 'tgtalias'])
 if 'Principal: krbtgt/KRBTEST.COM@KRBTEST.COM' not in out:
 fail('Could not fetch krbtgt through tgtalias')
+realm.kinit(realm.user_princ, password('user'))
 realm.run([kvno, 'tgtalias'])
-out = realm.run([klist])
-if 'tgtalias@KRBTEST.COM\n' not in out:
- fail('After fetching tgtalias, klist is missing it')
+realm.klist(realm.user_princ, 'tgtalias@KRBTEST.COM')
 # Make sure aliases work in header tickets.
 realm.run([kadminl, 'modprinc', '-maxrenewlife', '3 hours', 'user'])
@@ -320,6 +321,18 @@ realm.run([kvno, 'alias'])
 realm.kinit(realm.user_princ, flags=['-R', '-S', 'alias'])
 realm.klist(realm.user_princ, 'alias@KRBTEST.COM')
+# Test client principal aliases, with and without preauth.
+realm.kinit('canon', password('canon'))
+out = realm.kinit('alias', password('canon'), expected_code=1)
+if 'not found in Kerberos database' not in out:
+ fail('Wrong error message for kinit to alias without -C flag')
+realm.kinit('alias', password('canon'), ['-C'])
+realm.run([kvno, 'alias'])
+realm.klist('canon@KRBTEST.COM', 'alias@KRBTEST.COM')
+realm.run([kadminl, 'modprinc', '+requires_preauth', 'canon'])
+realm.kinit('canon', password('canon'))
+realm.kinit('alias', password('canon'), ['-C'])
+
 # Regression test for #7980 (fencepost when dividing keys up by kvno).
 realm.run([kadminl, 'addprinc', '-randkey', '-e', 'aes256-cts,aes128-cts',
 'kvnoprinc'])
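Review bot: The preauth half of the client-alias test in the `@@ -320,6 +321,18 @@` hunk checks only exit codes: after `modprinc +requires_preauth`, neither kinit is followed by a klist check. A KDC that issued the ticket under the wrong client name on the preauth path would therefore still pass. Mirroring the non-preauth half after the last kinit would pin the canonicalized client name: `realm.run([kvno, 'alias'])` then `realm.klist('canon@KRBTEST.COM', 'alias@KRBTEST.COM')`. The rejection of `alias` without `-C` is also exercised only before preauth is required; repeating that `expected_code=1` kinit afterwards would cover it, though the error text on that path may differ and should be confirmed before asserting on it.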