Blame SOURCES/Fix-bugs-in-kdcpolicy-commit.patch

e58a44
From d59b00fd1fdcc473739f3033c0f67eb402f20d9c Mon Sep 17 00:00:00 2001
e58a44
From: Greg Hudson <ghudson@mit.edu>
e58a44
Date: Sat, 19 Aug 2017 19:09:24 -0400
e58a44
Subject: [PATCH] Fix bugs in kdcpolicy commit
e58a44
e58a44
Commit d0969f6a8170344031ef58fd2a161190f1edfb96 added tests using
e58a44
"klist ccachename -e", which does not work with a POSIX-conformant
e58a44
getopt() implementation such as the one in Solaris.  Fix
e58a44
t_kdcpolicy.py to use "klist -e ccachename" instead.
e58a44
e58a44
The tests could fail if the clock second rolled over between kinit and
e58a44
kvno.  Divide service ticket maximum lifetimes by 2 in the test module
e58a44
to correctly exercise TGS policy restrictions and ensure that service
e58a44
tickets are not constrained by the TGT end time.
e58a44
e58a44
Also use the correct trace macro when a kdcpolicy module declines to
e58a44
initialize (my mistake when revising the commit, noted by rharwood).
e58a44
e58a44
ticket: 8606
e58a44
(cherry picked from commit 09acbd91efc6df54e1572285ffc94c6acb3a9113)
e58a44
---
e58a44
 src/kdc/policy.c                  |  2 +-
e58a44
 src/plugins/kdcpolicy/test/main.c | 10 +++++-----
e58a44
 src/tests/t_kdcpolicy.py          | 13 +++++++++----
e58a44
 3 files changed, 15 insertions(+), 10 deletions(-)
e58a44
e58a44
diff --git a/src/kdc/policy.c b/src/kdc/policy.c
e58a44
index e49644e06..26c16f97c 100644
e58a44
--- a/src/kdc/policy.c
e58a44
+++ b/src/kdc/policy.c
e58a44
@@ -222,7 +222,7 @@ load_kdcpolicy_plugins(krb5_context context)
e58a44
         if (h->vt.init != NULL) {
e58a44
             ret = h->vt.init(context, &h->moddata);
e58a44
             if (ret == KRB5_PLUGIN_NO_HANDLE) {
e58a44
-                TRACE_KADM5_AUTH_INIT_SKIP(context, h->vt.name);
e58a44
+                TRACE_KDCPOLICY_INIT_SKIP(context, h->vt.name);
e58a44
                 free(h);
e58a44
                 continue;
e58a44
             }
e58a44
diff --git a/src/plugins/kdcpolicy/test/main.c b/src/plugins/kdcpolicy/test/main.c
e58a44
index eb8fde053..86c808958 100644
e58a44
--- a/src/plugins/kdcpolicy/test/main.c
e58a44
+++ b/src/plugins/kdcpolicy/test/main.c
e58a44
@@ -35,7 +35,7 @@
e58a44
 #include <krb5/kdcpolicy_plugin.h>
e58a44
 
e58a44
 static krb5_error_code
e58a44
-output_from_indicator(const char *const *auth_indicators,
e58a44
+output_from_indicator(const char *const *auth_indicators, int divisor,
e58a44
                       krb5_deltat *lifetime_out,
e58a44
                       krb5_deltat *renew_lifetime_out,
e58a44
                       const char **status)
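Review bot: The new `divisor` parameter of output_from_indicator is undocumented, and the bare `1` and `2` passed by test_check_as and test_check_tgs in the later hunks give no hint of what they mean. A short comment above the function would cover it, for example `/* divisor scales the indicator lifetime: 1 for AS requests, 2 for TGS requests. */`. The value is also used as a denominator in the next hunk (`3600 / divisor`) without a check; that is safe with the two constant callers visible in this patch, but the comment should say the divisor must be positive in case the helper gains other callers. The function body continues outside this hunk.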
e58a44
@@ -46,11 +46,11 @@ output_from_indicator(const char *const *auth_indicators,
e58a44
     }
e58a44
 
e58a44
     if (strcmp(auth_indicators[0], "ONE_HOUR") == 0) {
e58a44
-        *lifetime_out = 3600;
e58a44
+        *lifetime_out = 3600 / divisor;
e58a44
         *renew_lifetime_out = *lifetime_out * 2;
e58a44
         return 0;
e58a44
     } else if (strcmp(auth_indicators[0], "SEVEN_HOURS") == 0) {
e58a44
-        *lifetime_out = 7 * 3600;
e58a44
+        *lifetime_out = 7 * 3600 / divisor;
e58a44
         *renew_lifetime_out = *lifetime_out * 2;
e58a44
         return 0;
e58a44
     }
e58a44
@@ -71,7 +71,7 @@ test_check_as(krb5_context context, krb5_kdcpolicy_moddata moddata,
e58a44
         *status = "LOCAL_POLICY";
e58a44
         return KRB5KDC_ERR_POLICY;
e58a44
     }
e58a44
-    return output_from_indicator(auth_indicators, lifetime_out,
e58a44
+    return output_from_indicator(auth_indicators, 1, lifetime_out,
e58a44
                                  renew_lifetime_out, status);
e58a44
 }
e58a44
 
e58a44
@@ -87,7 +87,7 @@ test_check_tgs(krb5_context context, krb5_kdcpolicy_moddata moddata,
e58a44
         *status = "LOCAL_POLICY";
e58a44
         return KRB5KDC_ERR_POLICY;
e58a44
     }
e58a44
-    return output_from_indicator(auth_indicators, lifetime_out,
e58a44
+    return output_from_indicator(auth_indicators, 2, lifetime_out,
e58a44
                                  renew_lifetime_out, status);
e58a44
 }
e58a44
 
e58a44
diff --git a/src/tests/t_kdcpolicy.py b/src/tests/t_kdcpolicy.py
e58a44
index 6a745b959..b5d308461 100644
e58a44
--- a/src/tests/t_kdcpolicy.py
e58a44
+++ b/src/tests/t_kdcpolicy.py
e58a44
@@ -18,16 +18,21 @@ realm.run([kadminl, 'addprinc', '-pw', password('fail'), 'fail'])
e58a44
 def verify_time(out, target_time):
e58a44
     times = re.findall(r'\d\d/\d\d/\d\d \d\d:\d\d:\d\d', out)
e58a44
     times = [datetime.strptime(t, '%m/%d/%y %H:%M:%S') for t in times]
e58a44
+    divisor = 1
e58a44
     while len(times) > 0:
e58a44
         starttime = times.pop(0)
e58a44
         endtime = times.pop(0)
e58a44
         renewtime = times.pop(0)
e58a44
 
e58a44
-        if str(endtime - starttime) != target_time:
e58a44
+        if str((endtime - starttime) * divisor) != target_time:
e58a44
             fail('unexpected lifetime value')
e58a44
-        if str(renewtime - endtime) != target_time:
e58a44
+        if str((renewtime - endtime) * divisor) != target_time:
e58a44
             fail('unexpected renewable value')
e58a44
 
e58a44
+        # Service tickets should have half the lifetime of initial
e58a44
+        # tickets.
e58a44
+        divisor = 2
e58a44
+
e58a44
 rflags = ['-r', '1d', '-l', '12h']
e58a44
 
e58a44
 # Test AS+TGS success path.
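Review bot: verify_time switches to `divisor = 2` after the first start/end/renew triple, so the check silently depends on klist printing the TGT before any service ticket. The added comment should state that assumption, e.g. `# Assumes klist lists the TGT first; every later entry is a service ticket.`. Separately, if the regex matches nothing (for instance because the klist date format differs) the while loop never runs and the test passes without checking any lifetime, which could hide a regression in policy enforcement. A guard before the loop such as `if not times: fail('no ticket times found in klist output')` would close that gap.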
e58a44
@@ -35,7 +40,7 @@ realm.kinit(realm.user_princ, password('user'),
e58a44
             rflags + ['-X', 'indicators=SEVEN_HOURS'])
e58a44
 realm.run([kvno, realm.host_princ])
e58a44
 realm.run(['./adata', realm.host_princ], expected_msg='+97: [SEVEN_HOURS]')
e58a44
-out = realm.run([klist, realm.ccache, '-e'])
e58a44
+out = realm.run([klist, '-e', realm.ccache])
e58a44
 verify_time(out, '7:00:00')
e58a44
 
e58a44
 # Test AS+TGS success path with different values.
e58a44
@@ -43,7 +48,7 @@ realm.kinit(realm.user_princ, password('user'),
e58a44
             rflags + ['-X', 'indicators=ONE_HOUR'])
e58a44
 realm.run([kvno, realm.host_princ])
e58a44
 realm.run(['./adata', realm.host_princ], expected_msg='+97: [ONE_HOUR]')
e58a44
-out = realm.run([klist, realm.ccache, '-e'])
e58a44
+out = realm.run([klist, '-e', realm.ccache])
e58a44
 verify_time(out, '1:00:00')
e58a44
 
e58a44
 # Test TGS failure path (using previous creds).