# Fresh test realm with neither the default host nor the default user
# principal; every principal the checks below act as is created explicitly
# through make_client().
realm = K5Realm(create_host=False, create_user=False)
# NOTE(review): these lines are the body of the make_client(name) helper as
# far as this listing shows; its def line and return value are not on the page.
realm.addprinc(name, password(name))
# One credential cache per client principal, named after the principal with
# '/' folded to '_' so multi-component names such as 'user/admin' stay a
# single path element under the test directory.
ccache = os.path.join(realm.testdir,
                      'kadmin_ccache_' + name.replace('/', '_'))
# Obtain a ticket for the kadmin/admin service directly (-S) and store it in
# the per-client cache (-c); kadmin_as() later points kadmin at that cache.
realm.kinit(name, password(name),
            flags=['-S', 'kadmin/admin', '-c', ccache])
def kadmin_as(client, query):
    """Run a single kadmin query over the network as *client* and return its output.

    client: path of a credential cache (presumably the one make_client()
        sets up), passed to kadmin with -c so the request is authenticated
        as that principal.
    query: the kadmin command line to execute, passed with -q.

    The return value is whatever realm.run_as_client() returns; the checks
    below treat it as the text output of the command.
    """
    # NOTE(review): the listing omits one line between the def and the return.
    # 'kadmin' is not defined on this page (presumably the path of the kadmin
    # client binary).
    return realm.run_as_client([kadmin, '-c', client, '-q', query])
# NOTE(review): body of the delprinc(name) helper used throughout the script;
# its def line is not on this page.  The deletion runs through kadmin.local
# (no ACL involved) and -force makes it non-interactive.
realm.run_kadminl('delprinc -force ' + name)
# One kinit'd client principal per ACL case.  Names mirror the ACL file
# written below; of the entries visible on this page, some_* entries are
# limited to the target 'selected', restricted_* entries carry a +preauth
# restriction on any target, and 'restrictions' carries per-target attribute
# restrictions.  The all_* entries and the wildcard entries used by 'admin'
# and 'wctarget' are on lines not shown here.  'none' is the principal used
# wherever a refusal (or a self exemption) is expected.
all_add = make_client('all_add')
all_changepw = make_client('all_changepw')
all_delete = make_client('all_delete')
all_inquire = make_client('all_inquire')
all_list = make_client('all_list')
all_modify = make_client('all_modify')
all_rename = make_client('all_rename')
some_add = make_client('some_add')
some_changepw = make_client('some_changepw')
some_delete = make_client('some_delete')
some_inquire = make_client('some_inquire')
some_modify = make_client('some_modify')
some_rename = make_client('some_rename')
restricted_add = make_client('restricted_add')
restricted_modify = make_client('restricted_modify')
restricted_rename = make_client('restricted_rename')
wctarget = make_client('wctarget')
# Two-component principal; exercises client-side wildcard/backreference matching.
admin = make_client('user/admin')
none = make_client('none')
restrictions = make_client('restrictions')
# Policy with a one-day minimum password life.  It backs the cpw minimum-life
# check, the getpol self-policy exemption and the type1 restriction below.
realm.run_kadminl('addpol -minlife "1 day" minlife')

# ACL file for the test realm's kadmind.  NOTE(review): opened without a
# context manager, and the write/close lines are not on this page; a
# 'with open(...) as f:' block would make the close unconditional.
f = open(os.path.join(realm.testdir, 'acl'), 'w')
56 some_changepw c selected
57 some_delete d selected
58 some_inquire i selected
59 some_modify im selected
62 restricted_add a * +preauth
63 restricted_modify im * +preauth
64 restricted_rename ad * +preauth
69 restrictions a type1 -policy minlife
70 restrictions a type2 -clearpolicy
71 restrictions a type3 -maxlife 1h -maxrenewlife 2h
# cpw can generate four different RPC calls depending on options.
realm.addprinc('selected', 'oldpw')
realm.addprinc('unselected', 'oldpw')
# Cover password-vs-randkey and default-vs-explicit keysalt for each check.
for pw in ('-pw newpw', '-randkey'):
    for ks in ('', '-e aes256-cts:normal'):
        # NOTE(review): 'args' is assigned on a line this listing omits
        # (presumably combining pw and ks).
        # Unrestricted 'c' privilege may change any principal's key.
        out = kadmin_as(all_changepw, 'cpw %s unselected' % args)
        if ('Password for "unselected@KRBTEST.COM" changed.' not in out and
            'Key for "unselected@KRBTEST.COM" randomized.' not in out):
            fail('cpw success (acl)')
        # some_changepw's 'c' is limited to the target 'selected'.
        out = kadmin_as(some_changepw, 'cpw %s selected' % args)
        if ('Password for "selected@KRBTEST.COM" changed.' not in out and
            'Key for "selected@KRBTEST.COM" randomized.' not in out):
            fail('cpw success (target)')
        # No privilege at all: must be refused.
        out = kadmin_as(none, 'cpw %s selected' % args)
        if 'Operation requires ``change-password\'\' privilege' not in out:
            fail('cpw failure (no perms)')
        # Target restriction: some_changepw must not reach 'unselected'.
        out = kadmin_as(some_changepw, 'cpw %s unselected' % args)
        if 'Operation requires ``change-password\'\' privilege' not in out:
            fail('cpw failure (target)')
        # Self exemption: a principal may change its own key with no ACL entry.
        out = kadmin_as(none, 'cpw %s none' % args)
        if ('Password for "none@KRBTEST.COM" changed.' not in out and
            'Key for "none@KRBTEST.COM" randomized.' not in out):
            fail('cpw success (self exemption)')
        # The self exemption does not bypass password policy: with the minlife
        # policy attached, the self change must be refused.
        realm.run_kadminl('modprinc -policy minlife none')
        out = kadmin_as(none, 'cpw %s none' % args)
        if 'Current password\'s minimum life has not expired' not in out:
            fail('cpw failure (minimum life)')
        realm.run_kadminl('modprinc -clearpolicy none')

delprinc('unselected')
# addpol: 'a' privilege.  The policy is removed again via kadmin.local before
# the check so it is cleaned up whether or not the assertion fails.
out = kadmin_as(all_add, 'addpol policy')
realm.run_kadminl('delpol -force policy')
if 'Operation requires' in out:
    fail('addpol success (acl)')
out = kadmin_as(none, 'addpol policy')
if 'Operation requires ``add\'\' privilege' not in out:
    fail('addpol failure (no perms)')
# addprinc can generate two different RPC calls depending on options.
for ks in ('', '-e aes256-cts:normal'):
    args = '-pw pw ' + ks
    out = kadmin_as(all_add, 'addprinc %s unselected' % args)
    if 'Principal "unselected@KRBTEST.COM" created.' not in out:
        fail('addprinc success (acl)')
    delprinc('unselected')
    # some_add's 'a' is limited to the target 'selected'.
    out = kadmin_as(some_add, 'addprinc %s selected' % args)
    if 'Principal "selected@KRBTEST.COM" created.' not in out:
        fail('addprinc success(target)')
    # NOTE(review): one line is missing from this listing here.  'selected' is
    # created again on the next loop iteration, so it is presumably deleted at
    # this point -- confirm against the full file.
    # A restricted entry may add, but the +preauth restriction must be applied
    # to the new principal even though the client did not request it.
    out = kadmin_as(restricted_add, 'addprinc %s unselected' % args)
    if 'Principal "unselected@KRBTEST.COM" created.' not in out:
        fail('addprinc success (restrictions) -- addprinc')
    out = realm.run_kadminl('getprinc unselected')
    if 'REQUIRES_PRE_AUTH' not in out:
        fail('addprinc success (restrictions) -- restriction check')
    delprinc('unselected')
    out = kadmin_as(none, 'addprinc %s selected' % args)
    if 'Operation requires ``add\'\' privilege' not in out:
        fail('addprinc failure (no perms)')
    # Target restriction: some_add must not create 'unselected'.
    out = kadmin_as(some_add, 'addprinc %s unselected' % args)
    if 'Operation requires ``add\'\' privilege' not in out:
        fail('addprinc failure (target)')
# delprinc: 'd' privilege.  Each successful deletion consumes the principal,
# so targets are re-created through kadmin.local before the next check.
realm.addprinc('unselected', 'pw')
out = kadmin_as(all_delete, 'delprinc -force unselected')
if 'Principal "unselected@KRBTEST.COM" deleted.' not in out:
    fail('delprinc success (acl)')
realm.addprinc('selected', 'pw')
out = kadmin_as(some_delete, 'delprinc -force selected')
if 'Principal "selected@KRBTEST.COM" deleted.' not in out:
    fail('delprinc success (target)')
realm.addprinc('unselected', 'pw')
out = kadmin_as(none, 'delprinc -force unselected')
if 'Operation requires ``delete\'\' privilege' not in out:
    fail('delprinc failure (no perms)')
# some_delete's 'd' is limited to the target 'selected'.
out = kadmin_as(some_delete, 'delprinc -force unselected')
if 'Operation requires ``delete\'\' privilege' not in out:
    fail('delprinc failure (no target)')
# getpol: 'i' privilege.
out = kadmin_as(all_inquire, 'getpol minlife')
if 'Policy: minlife' not in out:
    fail('getpol success (acl)')
out = kadmin_as(none, 'getpol minlife')
if 'Operation requires ``get\'\' privilege' not in out:
    fail('getpol failure (no perms)')
# Self-policy exemption: once 'minlife' is the policy of the calling principal
# itself, that policy can be read without any 'get' privilege.
realm.run_kadminl('modprinc -policy minlife none')
out = kadmin_as(none, 'getpol minlife')
if 'Policy: minlife' not in out:
    fail('getpol success (self policy exemption)')
realm.run_kadminl('modprinc -clearpolicy none')
# getprinc: 'i' privilege, target-restricted for some_inquire.
realm.addprinc('selected', 'pw')
realm.addprinc('unselected', 'pw')
out = kadmin_as(all_inquire, 'getprinc unselected')
if 'Principal: unselected@KRBTEST.COM' not in out:
    fail('getprinc success (acl)')
out = kadmin_as(some_inquire, 'getprinc selected')
if 'Principal: selected@KRBTEST.COM' not in out:
    fail('getprinc success (target)')
out = kadmin_as(none, 'getprinc selected')
if 'Operation requires ``get\'\' privilege' not in out:
    fail('getprinc failure (no perms)')
# some_inquire's 'i' is limited to the target 'selected'.
out = kadmin_as(some_inquire, 'getprinc unselected')
if 'Operation requires ``get\'\' privilege' not in out:
    fail('getprinc failure (target)')
# Self exemption: a principal may inspect its own entry with no ACL entry.
out = kadmin_as(none, 'getprinc none')
if 'Principal: none@KRBTEST.COM' not in out:
    fail('getprinc success (self exemption)')

delprinc('unselected')
# listprincs: 'l' privilege.  K/M (the master key principal) is used as a
# name that is present in the database regardless of what the checks above
# created or deleted.
out = kadmin_as(all_list, 'listprincs')
if 'K/M@KRBTEST.COM' not in out:
    fail('listprincs success (acl)')
out = kadmin_as(none, 'listprincs')
if 'Operation requires ``list\'\' privilege' not in out:
    fail('listprincs failure (no perms)')
# getstrs: reading string attributes needs 'i', target-restricted for
# some_inquire.  The attributes are seeded through kadmin.local.
realm.addprinc('selected', 'pw')
realm.addprinc('unselected', 'pw')
realm.run_kadminl('setstr selected key value')
realm.run_kadminl('setstr unselected key value')
out = kadmin_as(all_inquire, 'getstrs unselected')
if 'key: value' not in out:
    fail('getstrs success (acl)')
out = kadmin_as(some_inquire, 'getstrs selected')
if 'key: value' not in out:
    fail('getstrs success (target)')
out = kadmin_as(none, 'getstrs selected')
if 'Operation requires ``get\'\' privilege' not in out:
    fail('getstrs failure (no perms)')
out = kadmin_as(some_inquire, 'getstrs unselected')
if 'Operation requires ``get\'\' privilege' not in out:
    fail('getstrs failure (target)')
# Self exemption: 'none' has no attributes set, so success shows up as the
# empty-result message rather than a privilege error.
out = kadmin_as(none, 'getstrs none')
if '(No string attributes.)' not in out:
    fail('getstrs success (self exemption)')

delprinc('unselected')
# modpol: 'm' privilege.  NOTE(review): 'policy' was deleted again in the
# addpol section and, as far as this page shows, never re-created; the success
# check only asserts that the ACL did not refuse the call, so the policy need
# not exist for it to pass.
out = kadmin_as(all_modify, 'modpol -maxlife "1 hour" policy')
if 'Operation requires' in out:
    fail('modpol success (acl)')
out = kadmin_as(none, 'modpol -maxlife "1 hour" policy')
if 'Operation requires ``modify\'\' privilege' not in out:
    fail('modpol failure (no perms)')
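# modprinc: 'm' privilege, target-restricted for some_modify, with the
# +preauth restriction attached to restricted_modify.  Failure labels name
# this section (two of them were copies of the addprinc labels).
realm.addprinc('selected', 'pw')
realm.addprinc('unselected', 'pw')
out = kadmin_as(all_modify, 'modprinc -maxlife "1 hour" unselected')
if 'Principal "unselected@KRBTEST.COM" modified.' not in out:
    fail('modprinc success (acl)')
out = kadmin_as(some_modify, 'modprinc -maxlife "1 hour" selected')
if 'Principal "selected@KRBTEST.COM" modified.' not in out:
    fail('modprinc success (target)')
# A restricted entry may modify, but the +preauth restriction must be applied
# to the result even though the client did not request it.
out = kadmin_as(restricted_modify, 'modprinc -maxlife "1 hour" unselected')
if 'Principal "unselected@KRBTEST.COM" modified.' not in out:
    fail('modprinc success (restrictions) -- modprinc')
out = realm.run_kadminl('getprinc unselected')
if 'REQUIRES_PRE_AUTH' not in out:
    fail('modprinc success (restrictions) -- restriction check')
# 'i' alone must not allow modification.
out = kadmin_as(all_inquire, 'modprinc -maxlife "1 hour" selected')
if 'Operation requires ``modify\'\' privilege' not in out:
    fail('modprinc failure (no perms)')
# Target restriction: some_modify must not reach 'unselected'.
# NOTE(review): this match is looser than the other failure checks (no
# privilege name asserted); confirm which message kadmind emits before
# tightening it.
out = kadmin_as(some_modify, 'modprinc -maxlife "1 hour" unselected')
if 'Operation requires' not in out:
    fail('modprinc failure (target)')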
delprinc('unselected')

# purgekeys: 'm' privilege on the target, target-restricted for some_modify.
realm.addprinc('selected', 'pw')
realm.addprinc('unselected', 'pw')
out = kadmin_as(all_modify, 'purgekeys unselected')
if 'Old keys for principal "unselected@KRBTEST.COM" purged' not in out:
    fail('purgekeys success (acl)')
out = kadmin_as(some_modify, 'purgekeys selected')
if 'Old keys for principal "selected@KRBTEST.COM" purged' not in out:
    fail('purgekeys success (target)')
out = kadmin_as(none, 'purgekeys selected')
if 'Operation requires ``modify\'\' privilege' not in out:
    fail('purgekeys failure (no perms)')
out = kadmin_as(some_modify, 'purgekeys unselected')
if 'Operation requires ``modify\'\' privilege' not in out:
    fail('purgekeys failure (target)')

delprinc('unselected')
# renprinc needs 'd' on the old name and 'a' on the new name; the checks
# below exercise each privilege and each target side separately.  Successful
# renames are undone through kadmin.local so 'from' exists for the next check.
realm.addprinc('from', 'pw')
out = kadmin_as(all_rename, 'renprinc -force from to')
if 'Principal "from@KRBTEST.COM" renamed to "to@KRBTEST.COM".' not in out:
    fail('renprinc success (acl)')
realm.run_kadminl('renprinc -force to from')
out = kadmin_as(some_rename, 'renprinc -force from to')
if 'Principal "from@KRBTEST.COM" renamed to "to@KRBTEST.COM".' not in out:
    fail('renprinc success (target)')
realm.run_kadminl('renprinc -force to from')
# Having only one of the two privileges is not enough.
out = kadmin_as(all_add, 'renprinc -force from to')
if 'Operation requires ``delete\'\' privilege' not in out:
    fail('renprinc failure (no delete perms)')
out = kadmin_as(all_delete, 'renprinc -force from to')
if 'Operation requires ``add\'\' privilege' not in out:
    fail('renprinc failure (no add perms)')
# some_rename's ACL entries are not on this page; the checks below show they
# cover only the new name 'to' (add) and the old name 'from' (delete).
out = kadmin_as(some_rename, 'renprinc -force from notto')
if 'Operation requires ``add\'\' privilege' not in out:
    fail('renprinc failure (new target)')
realm.run_kadminl('renprinc -force from notfrom')
out = kadmin_as(some_rename, 'renprinc -force notfrom to')
if 'Operation requires ``delete\'\' privilege' not in out:
    fail('renprinc failure (old target)')
# An entry carrying a restriction (restricted_rename ad * +preauth) is
# refused for rename rather than having the restriction applied.
out = kadmin_as(restricted_rename, 'renprinc -force notfrom to')
if 'Operation requires ``add\'\' privilege' not in out:
    fail('renprinc failure (restrictions)')
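# setstr: writing a string attribute needs 'm', target-restricted for
# some_modify.  Failure labels name this section (they were copies of the
# modprinc/addprinc labels, which made failures here misleading).
realm.addprinc('selected', 'pw')
realm.addprinc('unselected', 'pw')
out = kadmin_as(all_modify, 'setstr unselected key value')
if 'Attribute set for principal "unselected@KRBTEST.COM".' not in out:
    fail('setstr success (acl)')
out = kadmin_as(some_modify, 'setstr selected key value')
if 'Attribute set for principal "selected@KRBTEST.COM".' not in out:
    fail('setstr success (target)')
out = kadmin_as(none, 'setstr selected key value')
if 'Operation requires ``modify\'\' privilege' not in out:
    fail('setstr failure (no perms)')
# Target restriction: some_modify must not reach 'unselected'.
# NOTE(review): looser match than the other failure checks (no privilege
# name asserted); confirm the message kadmind emits before tightening it.
out = kadmin_as(some_modify, 'setstr unselected key value')
if 'Operation requires' not in out:
    fail('setstr failure (target)')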
# Cleanup for the setstr section; 'selected' is left in place.
delprinc('unselected')
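# Wildcard matching in the ACL file.  The ACL entries that grant 'admin'
# (user/admin) and 'wctarget' their privileges are on lines not shown here;
# the checks pin the matching behaviour they rely on.
# Client wildcard: the entry matching user/admin allows any target.
out = kadmin_as(admin, 'addprinc -pw pw anytarget')
if 'Principal "anytarget@KRBTEST.COM" created.' not in out:
    fail('addprinc success (client wildcard)')
delprinc('anytarget')
# Target wildcard: one wildcard component matches exactly one name component,
# so 'wild/card' is allowed but 'wild/card/extra' is not.
out = kadmin_as(wctarget, 'addprinc -pw pw wild/card')
if 'Principal "wild/card@KRBTEST.COM" created.' not in out:
    fail('addprinc success (target wildcard)')
delprinc('wild/card')
out = kadmin_as(wctarget, 'addprinc -pw pw wild/card/extra')
if 'Operation requires' not in out:
    fail('addprinc failure (target wildcard extra component)')
# Backreferences: the target is derived from the client's components, so
# user/admin may delete admin/user but not an unrelated principal.
realm.addprinc('admin/user', 'pw')
out = kadmin_as(admin, 'delprinc -force admin/user')
if 'Principal "admin/user@KRBTEST.COM" deleted.' not in out:
    fail('delprinc success (wildcard backreferences)')
out = kadmin_as(admin, 'delprinc -force none')
if 'Operation requires' not in out:
    fail('delprinc failure (wildcard backreferences not matched)')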
# Per-target restrictions on the 'restrictions' client (ACL lines
# 'restrictions a type1 -policy minlife', 'restrictions a type2 -clearpolicy'
# and 'restrictions a type3 -maxlife 1h -maxrenewlife 2h').  The addprinc
# results are not checked directly; each check reads the stored principal
# back through kadmin.local.
# -policy: the policy is forced although the request names none.
kadmin_as(restrictions, 'addprinc -pw pw type1')
out = realm.run_kadminl('getprinc type1')
if 'Policy: minlife' not in out:
    fail('restriction (policy)')

# -clearpolicy: the policy requested by the client is stripped.
kadmin_as(restrictions, 'addprinc -pw pw -policy minlife type2')
out = realm.run_kadminl('getprinc type2')
if 'Policy: [none]' not in out:
    fail('restriction (clearpolicy)')

# -maxlife/-maxrenewlife act as caps: a requested ticket life below the cap
# (1 minute) is kept, and an unspecified renewable life gets the cap (2h).
kadmin_as(restrictions, 'addprinc -pw pw -maxlife "1 minute" type3')
out = realm.run_kadminl('getprinc type3')
if ('Maximum ticket life: 0 days 00:01:00' not in out or
    'Maximum renewable life: 0 days 02:00:00' not in out):
    fail('restriction (maxlife low, maxrenewlife unspec)')

# A requested renewable life above the cap (1 day) is clamped to 2h.
# NOTE(review): the line between this step and the previous one is not on
# this page.  If type3 is not deleted there, this addprinc presumably fails
# (the principal already exists) and the check below passes on the entry
# created above without exercising the clamp -- confirm against the full file.
kadmin_as(restrictions, 'addprinc -pw pw -maxrenewlife "1 day" type3')
out = realm.run_kadminl('getprinc type3')
if 'Maximum renewable life: 0 days 02:00:00' not in out:
    fail('restriction (maxrenewlife high)')

success('kadmin ACL enforcement')