def test_eq(self):
name1 = Name(self.user, C_NT_USER_NAME)
name2 = Name(self.user, C_NT_USER_NAME)
self.assertEqual(name1, name2)
name3 = Name("*****@*****.**", C_NT_HOSTBASED_SERVICE)
self.assertNotEqual(name1, name3)
self.assertNotEqual("not a real name", name1)
self.assertFalse(name1 == 10101)
def test_compare_canonicalized(self):
name1 = Name(self.user, C_NT_USER_NAME)
canon1 = name1.canonicalize(self.krb5mech)
self.assertEqual(name1, canon1)
name2 = Name("notarealusername", C_NT_USER_NAME)
canon2 = name2.canonicalize(self.krb5mech)
self.assertEqual(name2, canon2)
self.assertNotEqual(canon1, canon2)
def test_display_name(self):
self.assertEqual("spam", str(Name("spam")))
self.assertEqual(self.user, str(Name(self.user, C_NT_USER_NAME)))
self.assertEqual("*****@*****.**",
str(Name("*****@*****.**", C_NT_HOSTBASED_SERVICE)))
self.assertEqual("HTTP", str(Name("HTTP", C_NT_HOSTBASED_SERVICE)))
if not self.is_heimdal_mac:
self.assertEqual(str(self.uid),
str(Name(str(self.uid), C_NT_STRING_UID_NAME)))
def test_export_import(self):
for name in (Name("spam"), Name(self.user, C_NT_USER_NAME),
Name("*****@*****.**", C_NT_HOSTBASED_SERVICE),
Name("HTTP", C_NT_HOSTBASED_SERVICE)):
name_canon = name.canonicalize(self.krb5mech)
name_exp = name_canon.export()
name_imp = Name(name_exp, C_NT_EXPORT_NAME)
self.assertIsInstance(name_imp, MechName)
self.assertEqual(name_imp, name_canon)
def test_cred_with_password(self):
cred = Credential(Name('*****@*****.**'),
usage=C_INITIATE,
password=b'userpassword')
ctx = InitContext(
Name("*****@*****.**", C_NT_HOSTBASED_SERVICE),
cred)
self._handshake(self.sockfile, ctx)
self._writeline(b'!MYNAME')
self.assertEqual(self.sockfile.readline().strip(),
b'*****@*****.**')
def __init__(self, host, usage):
if '@' in host:
self._host = Name(host)
else:
self._host = Name('host@' + host, NameType.hostbased_service)
if usage == 'initiate':
self._creds = Credentials(usage=usage)
else:
self._creds = Credentials(name=self._host, usage=usage)
self._mechs = [_mech_to_oid(mech) for mech in self._creds.mechs]
self._ctx = None
def test_replay(self):
ctx = InitContext(Name("*****@*****.**",
C_NT_HOSTBASED_SERVICE),
req_flags=(C_REPLAY_FLAG, ))
self._handshake(self.sockfile, ctx)
self._writeline(b'!REPLAYTEST')
msg1 = ctx.wrap(b'msg_from_client1')
msg2 = ctx.wrap(b'msg_from_client2')
self._writeline(base64.b64encode(msg1))
self._writeline(base64.b64encode(msg2))
self._writeline(base64.b64encode(msg1))
in1 = self.sockfile.readline()
in2 = self.sockfile.readline()
in3 = self.sockfile.readline()
msg1, supp1 = ctx.unwrap(base64.b64decode(in1), supplementary=True)
msg2, supp2 = ctx.unwrap(base64.b64decode(in2), supplementary=True)
msg3, supp3 = ctx.unwrap(base64.b64decode(in3), supplementary=True)
self.assertEqual(msg1, b'msg_from_server1')
self.assertEqual(msg2, b'msg_from_server2')
self.assertEqual(msg3, b'msg_from_server1')
self.assertIn(S_DUPLICATE_TOKEN, supp3)
try:
ctx.unwrap(base64.b64decode(in3))
except GSSCException as exc:
self.assertEqual(S_DUPLICATE_TOKEN,
(S_DUPLICATE_TOKEN & exc.maj_status))
else:
self.fail("Detecting a dupe token must raise GSSCException")
try:
ctx.unwrap(base64.b64decode(in2))
except GSSCException as exc:
self.assertEqual(S_DUPLICATE_TOKEN,
(S_DUPLICATE_TOKEN & exc.maj_status))
else:
self.fail("Detecting a dupe token must raise GSSCException")
def test_unseq_raises(self):
ctx = InitContext(Name("*****@*****.**",
C_NT_HOSTBASED_SERVICE),
req_flags=(C_SEQUENCE_FLAG, ))
self._handshake(self.sockfile, ctx)
self._writeline(b'!UNSEQTEST')
msg1 = ctx.wrap(b'msg_from_client1')
msg2 = ctx.wrap(b'msg_from_client2')
msg3 = ctx.wrap(b'msg_from_client3')
self._writeline(base64.b64encode(msg1))
self._writeline(base64.b64encode(msg3))
self._writeline(base64.b64encode(msg2))
in1 = self.sockfile.readline()
in2 = self.sockfile.readline()
in3 = self.sockfile.readline()
msg1 = ctx.unwrap(base64.b64decode(in1))
self.assertEqual(msg1, b'msg_from_server1')
try:
ctx.unwrap(base64.b64decode(in2))
except GSSCException as exc:
self.assertEqual(S_GAP_TOKEN, (S_GAP_TOKEN & exc.maj_status))
else:
self.fail("Detecting a gap token must raise GSSCException")
try:
ctx.unwrap(base64.b64decode(in3))
except GSSCException as exc:
self.assertEqual(S_UNSEQ_TOKEN, (S_UNSEQ_TOKEN & exc.maj_status))
else:
self.fail("Detecting an unseq token must raise GSSCException")
def test_basic_handshake(self):
ctx = InitContext(
Name("*****@*****.**", C_NT_HOSTBASED_SERVICE))
self._handshake(self.sockfile, ctx)
self._writeline(b'!MYNAME')
self.assertEqual(self.sockfile.readline().strip(),
b'*****@*****.**')
def test_lifetime(self):
ctx = InitContext(
Name("*****@*****.**", C_NT_HOSTBASED_SERVICE))
self._handshake(self.sockfile, ctx)
self._writeline(b'!LIFETIME')
self.assertLess(
abs(int(self.sockfile.readline().strip()) - ctx.lifetime), 10)
def test_mech_type(self):
ctx = InitContext(
Name("*****@*****.**", C_NT_HOSTBASED_SERVICE))
self._handshake(self.sockfile, ctx)
self._writeline(b'!MECHTYPE')
self.assertEqual(self.sockfile.readline().strip().decode('utf-8'),
str(ctx.mech_type))
def test_store_deleg_cred(self):
cred = Credential(usage=C_INITIATE)
ctx = InitContext(Name("*****@*****.**",
C_NT_HOSTBASED_SERVICE),
cred,
req_flags=(C_DELEG_FLAG, ))
self._handshake(self.sockfile, ctx)
self._writeline(b'!DELEGSTORE')
self.assertEqual(self.sockfile.readline().strip(), b'!OK')
def test_doublefree(self, mocked):
name = Name("spam", C_NT_USER_NAME)
backing_struct = name._name
_release_gss_name_t(backing_struct)
_release_gss_name_t(backing_struct)
del name
gc.collect()
self.assertEqual(mocked.call_count, 1)
self.assertEqual(mocked.call_args[0][1], backing_struct)
def tearDownClass(cls):
cls.logger.info("*** client starting shutdown ***")
sock, sockfile = cls._connect()
ctx = InitContext(
Name("*****@*****.**", C_NT_HOSTBASED_SERVICE))
cls._handshake(sockfile, ctx)
cls.logger.info("*** client sending SHUTDOWN command ***")
sockfile.write(b'!SHUTDOWN\n')
sockfile.close()
sock.close()
def test_get_wrap_size_limit(self):
ctx = InitContext(Name("*****@*****.**",
C_NT_HOSTBASED_SERVICE),
req_flags=(C_CONF_FLAG, ))
self._handshake(self.sockfile, ctx)
assert ctx.confidentiality_negotiated
wrap_size_limit = ctx.get_wrap_size_limit(512)
self.assertLessEqual(wrap_size_limit, 512)
msg = b'*' * wrap_size_limit
self.assertLessEqual(len(ctx.wrap(msg)), 512)
self._writeline(b'!NOOP')
def test_wrapping(self):
ctx = InitContext(Name("*****@*****.**",
C_NT_HOSTBASED_SERVICE),
req_flags=(C_CONF_FLAG, ))
self._handshake(self.sockfile, ctx)
assert ctx.confidentiality_negotiated
self._writeline(b'!WRAPTEST')
self._writeline(base64.b64encode(ctx.wrap(b'msg_from_client')))
self.assertEqual(self.sockfile.readline().strip(), b'!OK')
self.assertEqual(
ctx.unwrap(base64.b64decode(self.sockfile.readline())),
b'msg_from_server')
def test_canonicalize(self):
self.assertRegexpMatches(str(Name("spam").canonicalize(self.krb5mech)),
'spam@.+')
self.assertRegexpMatches(
str(Name(self.user, C_NT_USER_NAME).canonicalize(self.krb5mech)),
re.escape(self.user) + '@.+')
self.assertRegexpMatches(
str(
Name("host@{0}".format(self.fqdn),
C_NT_HOSTBASED_SERVICE).canonicalize(self.krb5mech)),
'host/' + re.escape(self.fqdn) + '@.+')
if not self.is_heimdal_mac:
self.assertRegexpMatches(
str(
Name(str(self.uid),
C_NT_STRING_UID_NAME).canonicalize(self.krb5mech)),
'.+@.+')
self.assertRegexpMatches(
str(
Name(self.uid,
C_NT_MACHINE_UID_NAME).canonicalize(self.krb5mech)),
'.+@.+')
self.assertRaises(
GSSException,
Name("spam").canonicalize(self.krb5mech).canonicalize,
(self.krb5mech, ))
def test_export(self):
name1exp = Name("spam").canonicalize(self.krb5mech).export()
self.assertIsInstance(name1exp, bytes)
self.assertGreater(len(name1exp), 0)
user_name_exp = Name(self.user, C_NT_USER_NAME).canonicalize(
self.krb5mech).export()
self.assertIsInstance(user_name_exp, bytes)
self.assertGreater(len(user_name_exp), 0)
svc_name_exp = Name("*****@*****.**",
C_NT_HOSTBASED_SERVICE).canonicalize(
self.krb5mech).export()
self.assertIsInstance(svc_name_exp, bytes)
self.assertGreater(len(svc_name_exp), 0)
bare_svc_name_exp = Name("HTTP", C_NT_HOSTBASED_SERVICE).canonicalize(
self.krb5mech).export()
self.assertIsInstance(bare_svc_name_exp, bytes)
self.assertGreater(len(bare_svc_name_exp), 0)
if not self.is_heimdal_mac:
str_uid_name_exp = Name(str(self.uid),
C_NT_STRING_UID_NAME).canonicalize(
self.krb5mech).export()
self.assertIsInstance(str_uid_name_exp, bytes)
self.assertGreater(len(str_uid_name_exp), 0)
machine_uid_name_exp = Name(self.uid,
C_NT_MACHINE_UID_NAME).canonicalize(
self.krb5mech).export()
self.assertIsInstance(machine_uid_name_exp, bytes)
self.assertGreater(len(machine_uid_name_exp), 0)
def test_deleg_cred(self):
cred = Credential(usage=C_INITIATE)
ctx = InitContext(Name("*****@*****.**",
C_NT_HOSTBASED_SERVICE),
cred,
req_flags=(C_DELEG_FLAG, ))
self._handshake(self.sockfile, ctx)
self._writeline(b'!DELEGTEST')
self.assertEqual(self.sockfile.readline().strip(), b'!OK')
self.assertEqual(self.sockfile.readline().strip(),
b'*****@*****.**')
self.assertLess(
abs(int(self.sockfile.readline().strip()) - cred.lifetime), 10)
def test_mic(self):
ctx = InitContext(Name("*****@*****.**",
C_NT_HOSTBASED_SERVICE),
req_flags=(C_INTEG_FLAG, ))
self._handshake(self.sockfile, ctx)
assert ctx.integrity_negotiated
self._writeline(b'!MICTEST')
self._writeline(b'msg_from_client')
self._writeline(base64.b64encode(ctx.get_mic(b'msg_from_client')))
self.assertEqual(self.sockfile.readline().strip(), b'!OK')
self.assertEqual(self.sockfile.readline().strip(), b'msg_from_server')
ctx.verify_mic(b'msg_from_server',
base64.b64decode(self.sockfile.readline()))
def test_import_name(self):
Name("spam")
Name(self.user, C_NT_USER_NAME)
Name("*****@*****.**", C_NT_HOSTBASED_SERVICE)
Name("HTTP", C_NT_HOSTBASED_SERVICE)
if not self.is_heimdal_mac:
Name(str(self.uid), C_NT_STRING_UID_NAME)
Name(self.uid, C_NT_MACHINE_UID_NAME)
def test_compare_canonicalized(self):
name1 = Name(self.user, C_NT_USER_NAME)
canon1 = name1.canonicalize(self.krb5mech)
self.assertEqual(name1, canon1)
name2 = Name("notarealusername", C_NT_USER_NAME)
canon2 = name2.canonicalize(self.krb5mech)
self.assertEqual(name2, canon2)
self.assertNotEqual(canon1, canon2)
def test_gap(self):
ctx = InitContext(Name("*****@*****.**",
C_NT_HOSTBASED_SERVICE),
req_flags=(C_REPLAY_FLAG, C_SEQUENCE_FLAG))
self._handshake(self.sockfile, ctx)
self._writeline(b'!GAPTEST')
msg1 = ctx.wrap(b'msg_from_client1')
msg2 = ctx.wrap(b'msg_from_client2')
msg3 = ctx.wrap(b'msg_from_client3')
self._writeline(base64.b64encode(msg1))
self._writeline(base64.b64encode(msg3))
msg1, supp1 = ctx.unwrap(base64.b64decode(self.sockfile.readline()),
supplementary=True)
msg2, supp2 = ctx.unwrap(base64.b64decode(self.sockfile.readline()),
supplementary=True)
self.assertEqual(msg1, b'msg_from_server1')
self.assertEqual(msg2, b'msg_from_server3')
self.assertIn(S_GAP_TOKEN, supp2)
def test_unseq(self):
ctx = InitContext(Name("*****@*****.**",
C_NT_HOSTBASED_SERVICE),
req_flags=(C_SEQUENCE_FLAG, ))
self._handshake(self.sockfile, ctx)
self._writeline(b'!UNSEQTEST')
msg1 = ctx.wrap(b'msg_from_client1')
msg2 = ctx.wrap(b'msg_from_client2')
msg3 = ctx.wrap(b'msg_from_client3')
self._writeline(base64.b64encode(msg1))
self._writeline(base64.b64encode(msg3))
self._writeline(base64.b64encode(msg2))
in1 = self.sockfile.readline()
in2 = self.sockfile.readline()
in3 = self.sockfile.readline()
msg1, supp1 = ctx.unwrap(base64.b64decode(in1), supplementary=True)
msg2, supp2 = ctx.unwrap(base64.b64decode(in2), supplementary=True)
msg3, supp3 = ctx.unwrap(base64.b64decode(in3), supplementary=True)
self.assertEqual(msg1, b'msg_from_server1')
self.assertEqual(msg2, b'msg_from_server3')
self.assertEqual(msg3, b'msg_from_server2')
self.assertIn(S_UNSEQ_TOKEN, supp3)
def test_bad_canonicalize(self):
host_name = Name("*****@*****.**", C_NT_HOSTBASED_SERVICE)
self.assertRaises(TypeError, host_name.canonicalize, ("not an OID"))
def test_no_deleg_cred(self):
ctx = InitContext(
Name("*****@*****.**", C_NT_HOSTBASED_SERVICE))
self._handshake(self.sockfile, ctx)
self._writeline(b'!DELEGTEST')
self.assertEqual(self.sockfile.readline().strip(), b'!NOCRED')