Add clock skew tests
authorGreg Hudson <ghudson@mit.edu>
Tue, 17 Apr 2012 03:19:12 +0000 (03:19 +0000)
committerGreg Hudson <ghudson@mit.edu>
Tue, 17 Apr 2012 03:19:12 +0000 (03:19 +0000)
Add a KDC option (-T) to run with a time offset, and use that to
test kdc_timesync behavior.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25807 dc483132-0cff-0310-8789-dd5450dbe970

doc/rst_source/krb_admins/admin_commands/krb5kdc.rst
src/kdc/main.c
src/tests/Makefile.in
src/tests/t_skew.py [new file with mode: 0644]

index 6ed7ea954b9c81b5a445fa90f4cf02769078110d..62afca4ee6f040b475c22a2c3d8303eee502bb78 100644 (file)
@@ -17,6 +17,7 @@ SYNOPSIS
 [**-n**]
 [**-w** *numworkers*]
 [**-P** *pid_file*]
+[**-T** *time_offset*]
 
 
 DESCRIPTION
@@ -99,6 +100,8 @@ Options supported for the LDAP database module are:
         password using the **stashsrvpw** command of
         :ref:`kdb5_ldap_util(8)`.
 
+The **-T** *offset* option specifies a time offset, in seconds, which
+the KDC will operate under.  It is intended only for testing purposes.
 
 EXAMPLE
 -------
index c2c3e4e0e23a043955b486e9297307df7ede269c..5b31bd3cd39a8f175ad338d39059eb4324c25614 100644 (file)
@@ -86,6 +86,7 @@ static void finish_realms (void);
 
 static int nofork = 0;
 static int workers = 0;
+static int time_offset = 0;
 static const char *pid_file = NULL;
 static int rkey_init_done = 0;
 static volatile int signal_received = 0;
@@ -293,6 +294,8 @@ init_realm(kdc_realm_t *rdp, char *realm, char *def_mpname,
         kdc_err(NULL, kret, _("while getting context for realm %s"), realm);
         goto whoops;
     }
+    if (time_offset != 0)
+        (void)krb5_set_time_offsets(rdp->realm_context, time_offset, 0);
 
     kret = krb5_read_realm_params(rdp->realm_context, rdp->realm_name,
                                   &rparams);
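Review bot: The new `if (time_offset != 0)` branch in init_realm applies the offset silently: the result of `krb5_set_time_offsets` is cast away and nothing records that this realm context is running on a shifted clock. Because the offset changes the time the KDC uses for everything it does through this context, an operator who starts a KDC with -T left over from a test run has no trace of it. I would add a comment such as `/* Testing only (-T): shifts the time this realm context operates under. */` and emit a warning once when the offset is nonzero, using whatever logging is initialized at this point in startup. init_realm's body starts and ends outside this hunk, so the right place for the warning may be elsewhere in the function.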
@@ -733,7 +736,7 @@ initialize_realms(krb5_context kcontext, int argc, char **argv)
      * Loop through the option list.  Each time we encounter a realm name,
      * use the previously scanned options to fill in for defaults.
      */
-    while ((c = getopt(argc, argv, "x:r:d:mM:k:R:e:P:p:s:nw:4:X3")) != -1) {
+    while ((c = getopt(argc, argv, "x:r:d:mM:k:R:e:P:p:s:nw:4:T:X3")) != -1) {
         switch(c) {
         case 'x':
             db_args_size++;
@@ -845,6 +848,9 @@ initialize_realms(krb5_context kcontext, int argc, char **argv)
             default_tcp_ports = strdup(optarg);
 #endif
             break;
+        case 'T':
+            time_offset = atoi(optarg);
+            break;
         case '4':
             break;
         case 'X':
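Review bot: `time_offset = atoi(optarg);` in the new `case 'T':` accepts any string. A non-numeric argument silently becomes 0, which the `time_offset != 0` check in init_realm then treats as "no offset"; trailing garbage is dropped, and an out-of-range value has undefined behaviour. For an option that shifts the KDC's clock, a mistyped value should be rejected at startup rather than guessed, so parse with strtol and check the end pointer, errno and the int range as sketched below. The switch continues outside the hunk, so the error report is left as a comment to be filled in the way the neighbouring option errors are handled.

```c
        case 'T': {
            char *end;
            long val;

            errno = 0;
            val = strtol(optarg, &end, 10);
            if (end == optarg || *end != '\0' || errno == ERANGE ||
                val < INT_MIN || val > INT_MAX) {
                /* … report the invalid -T argument and exit, as other option errors here do … */
            }
            time_offset = (int)val;
            break;
        }
        /* … unchanged: case '4', case 'X' and the rest of the switch … */
```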
index b5bcdf01c5f4b524c5b13daace8b8fc203bddb33..47ca131ecbd08b8e27d10d4a8aaec50f08556b1c 100644 (file)
@@ -71,6 +71,7 @@ check-pytests::
        $(RUNPYTEST) $(srcdir)/t_cccol.py $(PYTESTFLAGS)
        $(RUNPYTEST) $(srcdir)/t_stringattr.py $(PYTESTFLAGS)
        $(RUNPYTEST) $(srcdir)/t_crossrealm.py $(PYTESTFLAGS)
+       $(RUNPYTEST) $(srcdir)/t_skew.py $(PYTESTFLAGS)
 #      $(RUNPYTEST) $(srcdir)/kdc_realm/kdcref.py $(PYTESTFLAGS)
 
 clean::
diff --git a/src/tests/t_skew.py b/src/tests/t_skew.py
new file mode 100644 (file)
index 0000000..f00c2f9
--- /dev/null
@@ -0,0 +1,38 @@
+#!/usr/bin/python
+from k5test import *
+
+# Create a realm with the KDC one hour in the past.
+realm = K5Realm(start_kadmind=False, start_kdc=False)
+realm.start_kdc(['-T', '-3600'])
+
+# kinit (no preauth) should work, and should set a clock skew allowing
+# kvno to work, with or without FAST.
+realm.kinit(realm.user_princ, password('user'))
+realm.run_as_client([kvno, realm.host_princ])
+realm.kinit(realm.user_princ, password('user'), flags=['-T', realm.ccache])
+realm.run_as_client([kvno, realm.host_princ])
+realm.run_as_client([kdestroy])
+
+# kinit (with preauth) should fail.
+realm.run_kadminl('modprinc +requires_preauth user')
+realm.kinit(realm.user_princ, password('user'), expected_code=1)
+
+realm.stop()
+
+# Repeat the above tests with kdc_timesync disabled.
+conf = {'all': {'libdefaults': {'kdc_timesync': '0'}}}
+realm = K5Realm(start_kadmind=False, start_kdc=False, krb5_conf=conf)
+realm.start_kdc(['-T', '-3600'])
+
+# kinit (no preauth) should work, but kvno should not.  kinit with
+# FAST should also fail since the armor AP-REQ won't be valid.
+realm.kinit(realm.user_princ, password('user'))
+realm.run_as_client([kvno, realm.host_princ], expected_code=1)
+realm.kinit(realm.user_princ, password('user'), flags=['-T', realm.ccache],
+            expected_code=1)
+
+# kinit (with preauth) should fail.
+realm.run_kadminl('modprinc +requires_preauth user')
+realm.kinit(realm.user_princ, password('user'), expected_code=1)
+
+success('Clock skew tests')
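Review bot: Every negative case in t_skew.py is asserted only through `expected_code=1`, so the test passes on any kinit or kvno failure (for example a KDC that did not start with the -T argument) rather than specifically on a clock-skew rejection. If the harness returns the command output, which I have not confirmed from this page, capture it with `out = realm.kinit(realm.user_princ, password('user'), expected_code=1)` and check that it contains the skew error text. Only the offset `-3600` is exercised. A KDC ahead of the client (`['-T', '3600']`) and an offset just inside the permitted skew would show that the boundary is enforced in both directions.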