def test_store_into_add_from(self):
CCACHE = 'FILE:{tmpdir}/other_ccache'.format(tmpdir=self.realm.tmpdir)
KT = '{tmpdir}/other_keytab'.format(tmpdir=self.realm.tmpdir)
store = {'ccache': CCACHE, 'keytab': KT}
princ_name = 'service/cs@' + self.realm.realm
self.realm.addprinc(princ_name)
self.realm.extract_keytab(princ_name, KT)
self.realm.kinit(princ_name, None, ['-k', '-t', KT])
initial_creds = gsscreds.Credentials(name=None, usage='initiate')
store_res = initial_creds.store(store, overwrite=True)
store_res.mechs.shouldnt_be_none()
store_res.mechs.shouldnt_be_empty()
store_res.usage.should_be('initiate')
name = gssnames.Name(princ_name)
input_creds = gsscreds.Credentials(gb.Creds())
retrieved_creds = input_creds.add(name,
gb.MechType.kerberos,
store=store)
retrieved_creds.shouldnt_be_none()
retrieved_creds.should_be_a(gsscreds.Credentials)
def test_add_with_impersonate(self):
server_name = gssnames.Name(SERVICE_PRINCIPAL,
gb.NameType.kerberos_principal)
password = self.realm.password("user")
self.realm.kinit(self.realm.user_princ,
password=password,
flags=["-f"])
client_ctx = gssctx.SecurityContext(
name=server_name, flags=gb.RequirementFlag.delegate_to_peer)
client_token = client_ctx.step()
self.realm.kinit(SERVICE_PRINCIPAL.decode("utf-8"), flags=["-k"])
server_creds = gsscreds.Credentials(usage="both")
server_ctx = gssctx.SecurityContext(creds=server_creds)
server_ctx.step(client_token)
self.assertTrue(server_ctx.complete)
# use empty creds to test here
input_creds = gsscreds.Credentials(gb.Creds())
new_creds = input_creds.add(server_name,
gb.MechType.kerberos,
impersonator=server_ctx.delegated_creds,
usage='initiate')
self.assertIsInstance(new_creds, gsscreds.Credentials)
def test_import_by_init(self):
creds = gsscreds.Credentials(name=self.name)
token = creds.export()
imported_creds = gsscreds.Credentials(token=token)
self.assertEqual(imported_creds.lifetime, creds.lifetime)
self.assertEqual(imported_creds.name, creds.name)
def test_store_acquire(self):
# we need to acquire a forwardable ticket
svc_princ = SERVICE_PRINCIPAL.decode("UTF-8")
self.realm.kinit(svc_princ, flags=['-k', '-f'])
target_name = gssnames.Name(TARGET_SERVICE_NAME,
gb.NameType.hostbased_service)
client_creds = gsscreds.Credentials(usage='initiate')
client_ctx = gssctx.SecurityContext(
name=target_name,
creds=client_creds,
flags=gb.RequirementFlag.delegate_to_peer)
client_token = client_ctx.step()
server_creds = gsscreds.Credentials(usage='accept')
server_ctx = gssctx.SecurityContext(creds=server_creds)
server_ctx.step(client_token)
deleg_creds = server_ctx.delegated_creds
deleg_creds.shouldnt_be_none()
store_res = deleg_creds.store(usage='initiate',
set_default=True,
overwrite=True)
store_res.usage.should_be('initiate')
store_res.mechs.should_include(gb.MechType.kerberos)
reacquired_creds = gsscreds.Credentials(name=deleg_creds.name,
usage='initiate')
reacquired_creds.shouldnt_be_none()
def test_import_by_init(self):
creds = gsscreds.Credentials(name=self.name)
token = creds.export()
imported_creds = gsscreds.Credentials(token=token)
imported_creds.lifetime.should_be(creds.lifetime)
imported_creds.name.should_be(creds.name)
def setUp(self):
super(SecurityContextTestCase, self).setUp()
gssctx.SecurityContext.__DEFER_STEP_ERRORS__ = False
self.client_name = gssnames.Name(self.USER_PRINC)
self.client_creds = gsscreds.Credentials(name=None, usage='initiate')
self.target_name = gssnames.Name(TARGET_SERVICE_NAME,
gb.NameType.hostbased_service)
self.server_name = gssnames.Name(SERVICE_PRINCIPAL)
self.server_creds = gsscreds.Credentials(name=self.server_name,
usage='accept')
def test_pickle_unpickle(self):
creds = gsscreds.Credentials(name=self.name)
pickled_creds = pickle.dumps(creds)
unpickled_creds = pickle.loads(pickled_creds)
self.assertEqual(unpickled_creds.lifetime, creds.lifetime)
self.assertEqual(unpickled_creds.name, creds.name)
def test_add(self):
input_creds = gsscreds.Credentials(gb.Creds())
name = gssnames.Name(SERVICE_PRINCIPAL)
new_creds = input_creds.add(name,
gb.MechType.kerberos,
usage='initiate')
self.assertIsInstance(new_creds, gsscreds.Credentials)
def test_pickle_unpickle(self):
creds = gsscreds.Credentials(name=self.name)
pickled_creds = pickle.dumps(creds)
unpickled_creds = pickle.loads(pickled_creds)
unpickled_creds.lifetime.should_be(creds.lifetime)
unpickled_creds.name.should_be(creds.name)
def test_add(self):
input_creds = gsscreds.Credentials(gb.Creds())
name = gssnames.Name(SERVICE_PRINCIPAL)
new_creds = input_creds.add(name,
gb.MechType.kerberos,
usage='initiate')
new_creds.shouldnt_be_none()
new_creds.should_be_a(gsscreds.Credentials)
def test_add_with_impersonate(self):
target_name = gssnames.Name(TARGET_SERVICE_NAME,
gb.NameType.hostbased_service)
client_ctx = gssctx.SecurityContext(name=target_name)
client_token = client_ctx.step()
server_creds = gsscreds.Credentials(usage='both')
server_ctx = gssctx.SecurityContext(creds=server_creds, usage='accept')
server_ctx.step(client_token)
# use empty creds to test here
input_creds = gsscreds.Credentials(gb.Creds())
new_creds = input_creds.add(server_ctx.initiator_name,
gb.MechType.kerberos,
impersonator=server_creds,
usage='initiate')
new_creds.shouldnt_be(None)
new_creds.should_be_a(gsscreds.Credentials)
def test_store_into_acquire_from(self):
CCACHE = 'FILE:{tmpdir}/other_ccache'.format(tmpdir=self.realm.tmpdir)
KT = '{tmpdir}/other_keytab'.format(tmpdir=self.realm.tmpdir)
store = {'ccache': CCACHE, 'keytab': KT}
princ_name = 'service/cs@' + self.realm.realm
self.realm.addprinc(princ_name)
self.realm.extract_keytab(princ_name, KT)
self.realm.kinit(princ_name, None, ['-k', '-t', KT])
initial_creds = gsscreds.Credentials(name=None, usage='initiate')
store_res = initial_creds.store(store, overwrite=True)
self.assertIsNotNone(store_res.mechs)
self.assertGreater(len(store_res.mechs), 0)
self.assertEqual(store_res.usage, "initiate")
name = gssnames.Name(princ_name)
retrieved_creds = gsscreds.Credentials(name=name, store=store)
self.assertIsNotNone(retrieved_creds)
def check(self, token):
log("check(%s)", repr(token))
assert self.challenge_sent
try:
from gssapi import creds as gsscreds
from gssapi import sec_contexts as gssctx
except ImportError as e:
log("check(..)", exc_info=True)
log.warn("Warning: cannot use gss authentication:")
log.warn(" %s", e)
return False
server_creds = gsscreds.Credentials(usage='accept')
server_ctx = gssctx.SecurityContext(creds=server_creds)
server_ctx.step(token)
return server_ctx.complete
def test_impersonate(self, str_name, kwargs):
target_name = gssnames.Name(TARGET_SERVICE_NAME,
gb.NameType.hostbased_service)
# TODO(directxman12): make this use the high-level SecurityContext
client_ctx_resp = gb.init_sec_context(target_name)
client_token = client_ctx_resp[3]
del client_ctx_resp # free everything but the token
server_name = self.name
server_creds = gsscreds.Credentials(name=server_name, usage='both')
server_ctx_resp = gb.accept_sec_context(client_token,
acceptor_creds=server_creds)
imp_creds = server_creds.impersonate(server_ctx_resp[1], **kwargs)
imp_creds.shouldnt_be_none()
imp_creds.should_be_a(gsscreds.Credentials)
def test_impersonate(self, str_name, kwargs):
server_name = gssnames.Name(SERVICE_PRINCIPAL,
gb.NameType.kerberos_principal)
password = self.realm.password("user")
self.realm.kinit(self.realm.user_princ,
password=password,
flags=["-f"])
client_ctx = gssctx.SecurityContext(
name=server_name, flags=gb.RequirementFlag.delegate_to_peer)
client_token = client_ctx.step()
self.realm.kinit(SERVICE_PRINCIPAL.decode("utf-8"), flags=["-k"])
server_creds = gsscreds.Credentials(usage="both")
server_ctx = gssctx.SecurityContext(creds=server_creds)
server_ctx.step(client_token)
self.assertTrue(server_ctx.complete)
imp_creds = server_ctx.delegated_creds.impersonate(
server_name, **kwargs)
self.assertIsInstance(imp_creds, gsscreds.Credentials)
def test_inquire(self, str_name, kwargs):
creds = gsscreds.Credentials(name=self.name)
resp = creds.inquire(**kwargs)
if kwargs['name']:
self.assertEqual(resp.name, self.name)
else:
self.assertIsNone(resp.name)
if kwargs['lifetime']:
self.assertIsInstance(resp.lifetime, int)
else:
self.assertIsNone(resp.lifetime)
if kwargs['usage']:
self.assertEqual(resp.usage, "both")
else:
self.assertIsNone(resp.usage)
if kwargs['mechs']:
self.assertIn(gb.MechType.kerberos, resp.mechs)
else:
self.assertIsNone(resp.mechs)
def test_inquire_by_mech(self, str_name, kwargs):
creds = gsscreds.Credentials(name=self.name)
resp = creds.inquire_by_mech(mech=gb.MechType.kerberos, **kwargs)
if kwargs['name']:
self.assertEqual(resp.name, self.name)
else:
self.assertIsNone(resp.name)
if kwargs['init_lifetime']:
self.assertIsInstance(resp.init_lifetime, int)
else:
self.assertIsNone(resp.init_lifetime)
if kwargs['accept_lifetime']:
self.assertIsInstance(resp.accept_lifetime, int)
else:
self.assertIsNone(resp.accept_lifetime)
if kwargs['usage']:
self.assertEqual(resp.usage, "both")
else:
self.assertIsNone(resp.usage)
def test_inquire_by_mech(self, str_name, kwargs):
creds = gsscreds.Credentials(name=self.name)
resp = creds.inquire_by_mech(mech=gb.MechType.kerberos, **kwargs)
if kwargs['name']:
resp.name.should_be(self.name)
else:
resp.name.should_be_none()
if kwargs['init_lifetime']:
resp.init_lifetime.should_be_an_integer()
else:
resp.init_lifetime.should_be_none()
if kwargs['accept_lifetime']:
resp.accept_lifetime.should_be_an_integer()
else:
resp.accept_lifetime.should_be_none()
if kwargs['usage']:
resp.usage.should_be('both')
else:
resp.usage.should_be_none()
def test_inquire(self, str_name, kwargs):
creds = gsscreds.Credentials(name=self.name)
resp = creds.inquire(**kwargs)
if kwargs['name']:
resp.name.should_be(self.name)
else:
resp.name.should_be_none()
if kwargs['lifetime']:
resp.lifetime.should_be_an_integer()
else:
resp.lifetime.should_be_none()
if kwargs['usage']:
resp.usage.should_be('both')
else:
resp.usage.should_be_none()
if kwargs['mechs']:
resp.mechs.shouldnt_be_empty()
resp.mechs.should_include(gb.MechType.kerberos)
else:
resp.mechs.should_be_none()
def test_acquire_by_init(self, str_name, kwargs):
creds = gsscreds.Credentials(name=self.name, **kwargs)
self.assertIsInstance(creds.lifetime, int)
del creds
def test_create_from_other(self):
raw_creds = gb.acquire_cred(None, usage='accept').creds
high_level_creds = gsscreds.Credentials(raw_creds)
self.assertEqual(high_level_creds.usage, "accept")
def test_export(self):
creds = gsscreds.Credentials(name=self.name)
token = creds.export()
self.assertIsInstance(token, bytes)
def test_export(self):
creds = gsscreds.Credentials(name=self.name)
token = creds.export()
token.should_be_a(bytes)
def test_acquire_by_init(self, str_name, kwargs):
creds = gsscreds.Credentials(name=self.name, **kwargs)
creds.lifetime.should_be_an_integer()
del creds
def test_create_from_other(self):
raw_creds = gb.acquire_cred(None, usage='accept').creds
high_level_creds = gsscreds.Credentials(raw_creds)
high_level_creds.usage.should_be('accept')
