|
 |
cb4cef |
From c76a01279bbbbcfd296d2ead8f6e2a5bee7e8443 Mon Sep 17 00:00:00 2001
|
|
|
cb4cef |
From: Greg Hudson <ghudson@mit.edu>
|
|
|
cb4cef |
Date: Fri, 15 Jan 2021 14:43:34 -0500
|
|
|
cb4cef |
Subject: [PATCH] Add hostname canonicalization helper to k5test.py
|
|
|
cb4cef |
|
|
|
cb4cef |
To facilitate fallback tests, add a canonicalize_hostname() function
|
|
|
cb4cef |
to k5test.py which works similarly to krb5_expand_hostname(). Use it
|
|
|
cb4cef |
in t_gssapi.py for the recently-added acceptor name fallback test.
|
|
|
cb4cef |
|
|
|
cb4cef |
(cherry picked from commit 225fffe4e912772acea3a01d45bafb60bfb80948)
|
|
|
cb4cef |
---
|
|
|
cb4cef |
src/tests/gssapi/t_gssapi.py | 11 +++--------
|
|
|
cb4cef |
src/util/k5test.py | 22 ++++++++++++++++++++++
|
|
|
cb4cef |
2 files changed, 25 insertions(+), 8 deletions(-)
|
|
|
cb4cef |
|
|
|
cb4cef |
diff --git a/src/tests/gssapi/t_gssapi.py b/src/tests/gssapi/t_gssapi.py
|
|
|
cb4cef |
index 1af6f31c2..e22cec427 100755
|
|
|
cb4cef |
--- a/src/tests/gssapi/t_gssapi.py
|
|
|
cb4cef |
+++ b/src/tests/gssapi/t_gssapi.py
|
|
|
cb4cef |
@@ -8,7 +8,7 @@ for realm in multipass_realms():
|
|
|
cb4cef |
realm.run(['./t_iov', '-s', 'p:' + realm.host_princ])
|
|
|
cb4cef |
realm.run(['./t_pcontok', 'p:' + realm.host_princ])
|
|
|
cb4cef |
|
|
|
cb4cef |
-realm = K5Realm(krb5_conf={'libdefaults': {'rdns': 'false'}})
|
|
|
cb4cef |
+realm = K5Realm()
|
|
|
cb4cef |
|
|
|
cb4cef |
# Test gss_add_cred().
|
|
|
cb4cef |
realm.run(['./t_add_cred'])
|
|
|
cb4cef |
@@ -62,13 +62,8 @@ realm.run(['./t_accname', 'p:host/-nomatch-',
|
|
|
cb4cef |
expected_msg=' not found in keytab')
|
|
|
cb4cef |
|
|
|
cb4cef |
# If possible, test with an acceptor name requiring fallback to match
|
|
|
cb4cef |
-# against a keytab entry. Forward-canonicalize the hostname, relying
|
|
|
cb4cef |
-# on the rdns=false realm setting.
|
|
|
cb4cef |
-try:
|
|
|
cb4cef |
- ai = socket.getaddrinfo(hostname, None, 0, 0, 0, socket.AI_CANONNAME)
|
|
|
cb4cef |
- (family, socktype, proto, canonname, sockaddr) = ai[0]
|
|
|
cb4cef |
-except socket.gaierror:
|
|
|
cb4cef |
- canonname = hostname
|
|
|
cb4cef |
+# against a keytab entry.
|
|
|
cb4cef |
+canonname = canonicalize_hostname(hostname)
|
|
|
cb4cef |
if canonname != hostname:
|
|
|
cb4cef |
os.rename(realm.keytab, realm.keytab + '.save')
|
|
|
cb4cef |
canonprinc = 'host/' + canonname
|
|
|
cb4cef |
diff --git a/src/util/k5test.py b/src/util/k5test.py
|
|
|
cb4cef |
index 789b0f4b9..251d11a9d 100644
|
|
|
cb4cef |
--- a/src/util/k5test.py
|
|
|
cb4cef |
+++ b/src/util/k5test.py
|
|
|
cb4cef |
@@ -155,6 +155,10 @@ Scripts may use the following functions and variables:
|
|
|
cb4cef |
* password(name): Return a weakly random password based on name. The
|
|
|
cb4cef |
password will be consistent across calls with the same name.
|
|
|
cb4cef |
|
|
|
cb4cef |
+* canonicalize_hostname(name, rdns=True): Return the DNS
|
|
|
cb4cef |
+ canonicalization of name, optionally using reverse DNS. On error,
|
|
|
cb4cef |
+ return name converted to lowercase.
|
|
|
cb4cef |
+
|
|
|
cb4cef |
* stop_daemon(proc): Stop a daemon process started with
|
|
|
cb4cef |
realm.start_server() or realm.start_in_inetd(). Only necessary if
|
|
|
cb4cef |
the port needs to be reused; daemon processes will be stopped
|
|
|
cb4cef |
@@ -458,6 +462,24 @@ def password(name):
|
|
|
cb4cef |
return name + str(os.getpid())
|
|
|
cb4cef |
|
|
|
cb4cef |
|
|
|
cb4cef |
+def canonicalize_hostname(name, rdns=True):
|
|
|
cb4cef |
+ """Canonicalize name using DNS, optionally with reverse DNS."""
|
|
|
cb4cef |
+ try:
|
|
|
cb4cef |
+ ai = socket.getaddrinfo(name, None, 0, 0, 0, socket.AI_CANONNAME)
|
|
|
cb4cef |
+ except socket.gaierror as e:
|
|
|
cb4cef |
+ return name.lower()
|
|
|
cb4cef |
+ (family, socktype, proto, canonname, sockaddr) = ai[0]
|
|
|
cb4cef |
+
|
|
|
cb4cef |
+ if not rdns:
|
|
|
cb4cef |
+ return canonname.lower()
|
|
|
cb4cef |
+
|
|
|
cb4cef |
+ try:
|
|
|
cb4cef |
+ rname = socket.getnameinfo(sockaddr, socket.NI_NAMEREQD)
|
|
|
cb4cef |
+ except socket.gaierror:
|
|
|
cb4cef |
+ return canonname.lower()
|
|
|
cb4cef |
+ return rname[0].lower()
|
|
|
cb4cef |
+
|
|
|
cb4cef |
+
|
|
|
cb4cef |
# Exit handler which ensures processes are cleaned up and, on failure,
|
|
|
cb4cef |
# prints messages to help developers debug the problem.
|
|
|
cb4cef |
def _onexit():
|