|
|
e58a44 |
From d59b00fd1fdcc473739f3033c0f67eb402f20d9c Mon Sep 17 00:00:00 2001
|
|
|
e58a44 |
From: Greg Hudson <ghudson@mit.edu>
|
|
|
e58a44 |
Date: Sat, 19 Aug 2017 19:09:24 -0400
|
|
|
e58a44 |
Subject: [PATCH] Fix bugs in kdcpolicy commit
|
|
|
e58a44 |
|
|
|
e58a44 |
Commit d0969f6a8170344031ef58fd2a161190f1edfb96 added tests using
|
|
|
e58a44 |
"klist ccachname -e", which does not work with a POSIX-conformant
|
|
|
e58a44 |
getopt() implementation such as the one in Solaris. Fix
|
|
|
e58a44 |
t_kdcpolicy.py to use "klist -e ccachename" instead.
|
|
|
e58a44 |
|
|
|
e58a44 |
The tests could fail if the clock second rolled over between kinit and
|
|
|
e58a44 |
kvno. Divide service ticket maximum lifetimes by 2 in the test module
|
|
|
e58a44 |
to correctly exercise TGS policy restrictions and ensure that service
|
|
|
e58a44 |
tickets are not constrained by the TGT end time.
|
|
|
e58a44 |
|
|
|
e58a44 |
Also use the correct trace macro when a kdcpolicy module declines to
|
|
|
e58a44 |
initialize (my mistake when revising the commit, noted by rharwood).
|
|
|
e58a44 |
|
|
|
e58a44 |
ticket: 8606
|
|
|
e58a44 |
(cherry picked from commit 09acbd91efc6df54e1572285ffc94c6acb3a9113)
|
|
|
e58a44 |
---
|
|
|
e58a44 |
src/kdc/policy.c | 2 +-
|
|
|
e58a44 |
src/plugins/kdcpolicy/test/main.c | 10 +++++-----
|
|
|
e58a44 |
src/tests/t_kdcpolicy.py | 13 +++++++++----
|
|
|
e58a44 |
3 files changed, 15 insertions(+), 10 deletions(-)
|
|
|
e58a44 |
|
|
|
e58a44 |
diff --git a/src/kdc/policy.c b/src/kdc/policy.c
|
|
|
e58a44 |
index e49644e06..26c16f97c 100644
|
|
|
e58a44 |
--- a/src/kdc/policy.c
|
|
|
e58a44 |
+++ b/src/kdc/policy.c
|
|
|
e58a44 |
@@ -222,7 +222,7 @@ load_kdcpolicy_plugins(krb5_context context)
|
|
|
e58a44 |
if (h->vt.init != NULL) {
|
|
|
e58a44 |
ret = h->vt.init(context, &h->moddata);
|
|
|
e58a44 |
if (ret == KRB5_PLUGIN_NO_HANDLE) {
|
|
|
e58a44 |
- TRACE_KADM5_AUTH_INIT_SKIP(context, h->vt.name);
|
|
|
e58a44 |
+ TRACE_KDCPOLICY_INIT_SKIP(context, h->vt.name);
|
|
|
e58a44 |
free(h);
|
|
|
e58a44 |
continue;
|
|
|
e58a44 |
}
|
|
|
e58a44 |
diff --git a/src/plugins/kdcpolicy/test/main.c b/src/plugins/kdcpolicy/test/main.c
|
|
|
e58a44 |
index eb8fde053..86c808958 100644
|
|
|
e58a44 |
--- a/src/plugins/kdcpolicy/test/main.c
|
|
|
e58a44 |
+++ b/src/plugins/kdcpolicy/test/main.c
|
|
|
e58a44 |
@@ -35,7 +35,7 @@
|
|
|
e58a44 |
#include <krb5/kdcpolicy_plugin.h>
|
|
|
e58a44 |
|
|
|
e58a44 |
static krb5_error_code
|
|
|
e58a44 |
-output_from_indicator(const char *const *auth_indicators,
|
|
|
e58a44 |
+output_from_indicator(const char *const *auth_indicators, int divisor,
|
|
|
e58a44 |
krb5_deltat *lifetime_out,
|
|
|
e58a44 |
krb5_deltat *renew_lifetime_out,
|
|
|
e58a44 |
const char **status)
|
|
|
e58a44 |
@@ -46,11 +46,11 @@ output_from_indicator(const char *const *auth_indicators,
|
|
|
e58a44 |
}
|
|
|
e58a44 |
|
|
|
e58a44 |
if (strcmp(auth_indicators[0], "ONE_HOUR") == 0) {
|
|
|
e58a44 |
- *lifetime_out = 3600;
|
|
|
e58a44 |
+ *lifetime_out = 3600 / divisor;
|
|
|
e58a44 |
*renew_lifetime_out = *lifetime_out * 2;
|
|
|
e58a44 |
return 0;
|
|
|
e58a44 |
} else if (strcmp(auth_indicators[0], "SEVEN_HOURS") == 0) {
|
|
|
e58a44 |
- *lifetime_out = 7 * 3600;
|
|
|
e58a44 |
+ *lifetime_out = 7 * 3600 / divisor;
|
|
|
e58a44 |
*renew_lifetime_out = *lifetime_out * 2;
|
|
|
e58a44 |
return 0;
|
|
|
e58a44 |
}
|
|
|
e58a44 |
@@ -71,7 +71,7 @@ test_check_as(krb5_context context, krb5_kdcpolicy_moddata moddata,
|
|
|
e58a44 |
*status = "LOCAL_POLICY";
|
|
|
e58a44 |
return KRB5KDC_ERR_POLICY;
|
|
|
e58a44 |
}
|
|
|
e58a44 |
- return output_from_indicator(auth_indicators, lifetime_out,
|
|
|
e58a44 |
+ return output_from_indicator(auth_indicators, 1, lifetime_out,
|
|
|
e58a44 |
renew_lifetime_out, status);
|
|
|
e58a44 |
}
|
|
|
e58a44 |
|
|
|
e58a44 |
@@ -87,7 +87,7 @@ test_check_tgs(krb5_context context, krb5_kdcpolicy_moddata moddata,
|
|
|
e58a44 |
*status = "LOCAL_POLICY";
|
|
|
e58a44 |
return KRB5KDC_ERR_POLICY;
|
|
|
e58a44 |
}
|
|
|
e58a44 |
- return output_from_indicator(auth_indicators, lifetime_out,
|
|
|
e58a44 |
+ return output_from_indicator(auth_indicators, 2, lifetime_out,
|
|
|
e58a44 |
renew_lifetime_out, status);
|
|
|
e58a44 |
}
|
|
|
e58a44 |
|
|
|
e58a44 |
diff --git a/src/tests/t_kdcpolicy.py b/src/tests/t_kdcpolicy.py
|
|
|
e58a44 |
index 6a745b959..b5d308461 100644
|
|
|
e58a44 |
--- a/src/tests/t_kdcpolicy.py
|
|
|
e58a44 |
+++ b/src/tests/t_kdcpolicy.py
|
|
|
e58a44 |
@@ -18,16 +18,21 @@ realm.run([kadminl, 'addprinc', '-pw', password('fail'), 'fail'])
|
|
|
e58a44 |
def verify_time(out, target_time):
|
|
|
e58a44 |
times = re.findall(r'\d\d/\d\d/\d\d \d\d:\d\d:\d\d', out)
|
|
|
e58a44 |
times = [datetime.strptime(t, '%m/%d/%y %H:%M:%S') for t in times]
|
|
|
e58a44 |
+ divisor = 1
|
|
|
e58a44 |
while len(times) > 0:
|
|
|
e58a44 |
starttime = times.pop(0)
|
|
|
e58a44 |
endtime = times.pop(0)
|
|
|
e58a44 |
renewtime = times.pop(0)
|
|
|
e58a44 |
|
|
|
e58a44 |
- if str(endtime - starttime) != target_time:
|
|
|
e58a44 |
+ if str((endtime - starttime) * divisor) != target_time:
|
|
|
e58a44 |
fail('unexpected lifetime value')
|
|
|
e58a44 |
- if str(renewtime - endtime) != target_time:
|
|
|
e58a44 |
+ if str((renewtime - endtime) * divisor) != target_time:
|
|
|
e58a44 |
fail('unexpected renewable value')
|
|
|
e58a44 |
|
|
|
e58a44 |
+ # Service tickets should have half the lifetime of initial
|
|
|
e58a44 |
+ # tickets.
|
|
|
e58a44 |
+ divisor = 2
|
|
|
e58a44 |
+
|
|
|
e58a44 |
rflags = ['-r', '1d', '-l', '12h']
|
|
|
e58a44 |
|
|
|
e58a44 |
# Test AS+TGS success path.
|
|
|
e58a44 |
@@ -35,7 +40,7 @@ realm.kinit(realm.user_princ, password('user'),
|
|
|
e58a44 |
rflags + ['-X', 'indicators=SEVEN_HOURS'])
|
|
|
e58a44 |
realm.run([kvno, realm.host_princ])
|
|
|
e58a44 |
realm.run(['./adata', realm.host_princ], expected_msg='+97: [SEVEN_HOURS]')
|
|
|
e58a44 |
-out = realm.run([klist, realm.ccache, '-e'])
|
|
|
e58a44 |
+out = realm.run([klist, '-e', realm.ccache])
|
|
|
e58a44 |
verify_time(out, '7:00:00')
|
|
|
e58a44 |
|
|
|
e58a44 |
# Test AS+TGS success path with different values.
|
|
|
e58a44 |
@@ -43,7 +48,7 @@ realm.kinit(realm.user_princ, password('user'),
|
|
|
e58a44 |
rflags + ['-X', 'indicators=ONE_HOUR'])
|
|
|
e58a44 |
realm.run([kvno, realm.host_princ])
|
|
|
e58a44 |
realm.run(['./adata', realm.host_princ], expected_msg='+97: [ONE_HOUR]')
|
|
|
e58a44 |
-out = realm.run([klist, realm.ccache, '-e'])
|
|
|
e58a44 |
+out = realm.run([klist, '-e', realm.ccache])
|
|
|
e58a44 |
verify_time(out, '1:00:00')
|
|
|
e58a44 |
|
|
|
e58a44 |
# Test TGS failure path (using previous creds).
|