From e8df0458673071e56346730fa843c83aca88631f Mon Sep 17 00:00:00 2001
From: Greg Hudson
Date: Fri, 5 Dec 2014 14:02:04 -0500
Subject: [PATCH] Add tests for LDAP ticket/policy name misuse

ticket: 8051
---
 src/tests/t_kdb.py | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/src/tests/t_kdb.py b/src/tests/t_kdb.py
index 83271c5567..937292643c 100644
--- a/src/tests/t_kdb.py
+++ b/src/tests/t_kdb.py
@@ -240,6 +240,27 @@ if out:
 # Create another ticket policy to be destroyed with the realm.
 kldaputil(['create_policy', 'tktpol2'])
 
+# Try to create a password policy conflicting with a ticket policy.
+out = realm.run_kadminl('addpol tktpol2')
+if 'Already exists while creating policy "tktpol2"' not in out:
+ fail('Expected error not seen in kadmin.local output')
+
+# Try to create a ticket policy conflicting with a password policy.
+realm.run_kadminl('addpol pwpol')
+out = kldaputil(['create_policy', 'pwpol'], expected_code=1)
+if 'Already exists while creating policy object' not in out:
+ fail('Expected error not seen in kdb5_ldap_util output')
+
+# Try to use a password policy as a ticket policy.
+out = realm.run_kadminl('modprinc -x tktpolicy=pwpol princ4')
+if 'Object class violation' not in out:
+ fail('Expected error not seem in kadmin.local output')
+
+# Try to use a ticket policy as a password policy (CVE-2014-5353).
+out = realm.run_kadminl('modprinc -policy tktpol2 princ4')
+if 'WARNING: policy "tktpol2" does not exist' not in out:
+ fail('Expected error not seen in kadmin.local output')
+
 # Do some basic tests with a KDC against the LDAP module, exercising the
 # db_args processing code.
 realm.start_kdc(['-x', 'nconns=3', '-x', 'host=' + ldap_uri,
-- 
2.47.2
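Review bot: The failure message in the third added check reads `fail('Expected error not seem in kadmin.local output')`; it should be `fail('Expected error not seen in kadmin.local output')` like the other three, otherwise a search of test logs for the common message misses this case. Separately, the CVE-2014-5353 check at the end of the hunk passes on the warning text alone, and nothing visible here shows whether `run_kadminl` also fails the test when kadmin.local exits abnormally. If it does not, a failure that occurs after the warning is printed would go unnoticed, so that is worth confirming in the helper. A one-line comment above that check stating what the pre-fix behaviour was and why the "does not exist" warning is the expected outcome would help a maintainer who later changes the message wording.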