def test_init_with_entering_password_but_not_in_atty(
self, isatty, Credentials):
type(Credentials.return_value).lifetime = PropertyMock(
side_effect=gssapi.exceptions.ExpiredCredentialsError(1, 1))
context = krbContext(using_keytab=False, principal=self.principal)
self.assertRaises(IOError, context.init_with_password)
context = krbContext(using_keytab=False,
principal=self.principal,
password='')
self.assertRaises(IOError, context.init_with_password)
def test_init_in_given_ccache(
self, store_cred_into, acquire_cred_with_password, Credentials):
type(Credentials.return_value).lifetime = PropertyMock(
side_effect=gssapi.exceptions.ExpiredCredentialsError(1, 1))
ccache = '/tmp/mycc'
context = krbContext(using_keytab=False,
principal=self.principal,
ccache_file=ccache,
password='******')
context.init_with_password()
Credentials.assert_called_once_with(
usage='initiate',
name=self.princ_name,
store={'ccache': ccache})
acquire_cred_with_password.assert_called_once_with(
self.princ_name, 'security')
store_cred_into.assert_called_once_with(
{'ccache': '/tmp/mycc'},
acquire_cred_with_password.return_value.creds,
usage='initiate',
overwrite=True)
def test_cred_not_expired(self, Credentials):
context = krbContext(using_keytab=True,
principal=self.service_principal)
context.init_with_keytab()
self.assertEqual(1, Credentials.call_count)
Credentials.return_value.store.assert_not_called()
def test_init_with_given_keytab_and_ccache(self, exists, Credentials):
type(Credentials.return_value).lifetime = PropertyMock(
side_effect=gssapi.exceptions.ExpiredCredentialsError(1, 1))
keytab = '/etc/app/app.keytab'
ccache = '/tmp/mycc'
context = krbContext(using_keytab=True,
principal=self.service_principal,
keytab_file=keytab,
ccache_file=ccache)
context.init_with_keytab()
Credentials.assert_has_calls([
call(usage='initiate',
name=self.princ_name,
store={
'client_keytab': keytab,
'ccache': ccache
}),
call(usage='initiate',
name=self.princ_name,
store={
'client_keytab': keytab,
'ccache': self.tmp_ccache
}),
])
Credentials.return_value.store.assert_called_once_with(
store={'ccache': ccache}, usage='initiate', overwrite=True)
def assert_krbContext(self, init_creds_keytab, init):
with kctx.krbContext(using_keytab=True,
principal='HTTP/[email protected]',
keytab_file='/etc/httpd/conf/httpd.keytab',
ccache_file='/tmp/krb5cc_app') as context:
self.assertTrue(context.initialized)
self.assertEqual('/tmp/krb5cc_app', os.environ['KRB5CCNAME'])
def test_init_cred_with_need_enter_password(self, store_cred,
acquire_cred_with_password,
getpass, isatty,
Credentials):
type(Credentials.return_value).lifetime = PropertyMock(
side_effect=gssapi.exceptions.ExpiredCredentialsError(1, 1))
getpass.return_value = 'mypassword'
context = krbContext(using_keytab=False, principal=self.principal)
context.init_with_password()
isatty.assert_called_once()
# Ensure this must be called.
getpass.assert_called_once()
Credentials.assert_called_once_with(usage='initiate',
name=self.princ_name)
acquire_cred_with_password.assert_called_once_with(
self.princ_name, 'mypassword')
store_cred.assert_called_once_with(
acquire_cred_with_password.return_value.creds,
usage='initiate',
overwrite=True)
def test_init_with_default_keytab(self, Credentials):
type(Credentials.return_value).lifetime = PropertyMock(
side_effect=gssapi.exceptions.ExpiredCredentialsError(1, 1))
with krbContext(using_keytab=True,
principal='app/[email protected]',
ccache_file='/tmp/my_cc'):
self.assertEqual('/tmp/my_cc', os.environ['KRB5CCNAME'])
def test_specify_existing_keytab(self, exists):
exists.return_value = True
context = krbContext(using_keytab=True,
principal='HTTP/[email protected]',
keytab_file='/etc/app/app.keytab')
self.assertEqual('/etc/app/app.keytab',
context._cleaned_options['keytab'])
def test_init(self, Popen, get_tgt_time, stdin):
get_tgt_time.return_value = get_fake_cred_time(expired=True)
Popen.return_value.communicate.return_value = ('', '')
Popen.return_value.returncode = 0
stdin.isatty.return_value = True
with kctx.krbContext():
pass
def login():
if os.path.exists(krb5cc_file):
os.remove(krb5cc_file)
with krbContext(using_keytab=True,
principal=userPrincipal,
keytab_file=keytableFilePath,
ccache_file=krb5cc_file):
pass
def test_not_in_terminal(self, get_tgt_time, stdin):
stdin.isatty.return_value = False
get_tgt_time.return_value = get_fake_cred_time(expired=True)
try:
with kctx.krbContext():
pass
except Exception as e:
self.assertTrue(isinstance(e, IOError))
def test_no_need_init(self, get_tgt_time):
get_tgt_time.return_value = get_fake_cred_time(expired=False)
with patch.dict(os.environ, {}, clear=True):
with kctx.krbContext(using_keytab=True,
principal='HTTP/[email protected]') as context:
self.assertFalse(context.initialized)
self.assertTrue('KRB5CCNAME' not in os.environ)
self.assertTrue('KRB5CCNAME' not in os.environ)
def test_do_nothing_if_unnecessary_to_init(self, Credentials):
with krbContext(using_keytab=True,
principal='app/[email protected]'):
# Nothing is changed, but original KRB5CCNAME must be removed
# since default ccache is used.
self.assertNotIn('KRB5CCNAME', os.environ)
# Original ccache must be restored.
self.assertEqual('/tmp/my_cc', os.environ['KRB5CCNAME'])
def test_access_initialized_property(self, get_tgt_time):
get_tgt_time.return_value = get_fake_cred_time(expired=False)
with patch.dict(os.environ, {'fake_var': '1'}, clear=True):
with kctx.krbContext(using_keytab=True,
principal='HTTP/[email protected]',
keytab_file='/etc/httpd/conf/httpd.keytab',
ccache_file='/tmp/krb5cc_pid_appname') as ctx:
self.assertFalse(ctx.initialized)
def test_no_need_init_if_not_expired(
self, store_cred_into, acquire_cred_with_password, Credentials):
context = krbContext(using_keytab=False,
principal=self.principal,
password='******')
context.init_with_password()
self.assertEqual(1, Credentials.call_count)
store_cred_into.assert_not_called()
acquire_cred_with_password.assert_not_called()
def test_init_command_fails(self, Popen, stdin):
Popen.return_value.returncode = 1
Popen.return_value.communicate.return_value = ('', 'something goes wrong.')
stdin.isatty.return_value = True
try:
with kctx.krbContext():
pass
except Exception as e:
self.assertTrue(isinstance(e, KRB5InitError))
def test_init_in_default_ccache_with_password(
self, store_cred, acquire_cred_with_password, Credentials):
type(Credentials.return_value).lifetime = PropertyMock(
side_effect=gssapi.exceptions.ExpiredCredentialsError(1, 1))
with krbContext(using_keytab=False,
principal='cqi',
password='******'):
self.assertNotIn('KRB5CCNAME', os.environ)
self.assertNotIn('KRB5CCNAME', os.environ)
def test_all_defaults(self, get_login):
get_login.return_value = 'cqi'
context = krbContext()
expected_princ = gssapi.names.Name(get_login.return_value,
gssapi.names.NameType.user)
self.assertEqual(expected_princ, context._cleaned_options['principal'])
self.assertEqual(kctx.DEFAULT_CCACHE,
context._cleaned_options['ccache'])
self.assertFalse(context._cleaned_options['using_keytab'])
def test_init_in_default_ccache_without_original_krb5ccname_is_set(
self, Credentials):
type(Credentials.return_value).lifetime = PropertyMock(
side_effect=gssapi.exceptions.ExpiredCredentialsError(1, 1))
with krbContext(using_keytab=True,
principal='app/[email protected]'):
self.assertNotIn('KRB5CCNAME', os.environ)
# Originally, no KRB5CCNAME is set, it should be cleaned after exit.
self.assertNotIn('KRB5CCNAME', os.environ)
def test_init_in_default_ccache_and_original_krb5ccname_is_set(
self, Credentials):
type(Credentials.return_value).lifetime = PropertyMock(
side_effect=gssapi.exceptions.ExpiredCredentialsError(1, 1))
with krbContext(using_keytab=True,
principal='app/[email protected]'):
self.assertNotIn('KRB5CCNAME', os.environ)
self.assertIn('KRB5CCNAME', os.environ)
self.assertEqual('/tmp/my_cc', os.environ['KRB5CCNAME'])
def test_original_ccache_should_be_restored(self, Credentials):
type(Credentials.return_value).lifetime = PropertyMock(
side_effect=gssapi.exceptions.ExpiredCredentialsError(1, 1))
with krbContext(using_keytab=True,
principal='app/[email protected]',
ccache_file='/tmp/app_pid_cc'):
# Inside context, given ccache should be used.
self.assertEqual('/tmp/app_pid_cc', os.environ['KRB5CCNAME'])
self.assertIn('KRB5CCNAME', os.environ)
self.assertEqual('/tmp/my_cc', os.environ['KRB5CCNAME'])
def test_all_defaults(self):
context = krbContext(using_keytab=True,
principal='HTTP/[email protected]')
self.assertTrue(context._cleaned_options['using_keytab'])
expected_princ = gssapi.names.Name(
'HTTP/[email protected]',
gssapi.names.NameType.kerberos_principal)
self.assertEqual(expected_princ, context._cleaned_options['principal'])
self.assertEqual(kctx.DEFAULT_CCACHE,
context._cleaned_options['ccache'])
self.assertEqual(kctx.DEFAULT_KEYTAB,
context._cleaned_options['keytab'])
def test_init_in_default_ccache_with_default_keytab(self, Credentials):
type(Credentials.return_value).lifetime = PropertyMock(
side_effect=gssapi.exceptions.ExpiredCredentialsError(1, 1))
context = krbContext(using_keytab=True,
principal=self.service_principal)
context.init_with_keytab()
Credentials.assert_has_calls([
call(usage='initiate', name=self.princ_name),
call(usage='initiate',
name=self.princ_name,
store={'ccache': self.tmp_ccache}),
])
Credentials.return_value.store.assert_called_once_with(
store=None, usage='initiate', overwrite=True)
def test_init_in_default_ccache(self, store_cred,
acquire_cred_with_password, Credentials):
type(Credentials.return_value).lifetime = PropertyMock(
side_effect=gssapi.exceptions.ExpiredCredentialsError(1, 1))
context = krbContext(using_keytab=False,
principal=self.principal,
password='******')
context.init_with_password()
acquire_cred_with_password.assert_called_once_with(
self.princ_name, 'security')
store_cred.assert_called_once_with(
acquire_cred_with_password.return_value.creds,
usage='initiate',
overwrite=True)
def test_specify_principal(self):
context = krbContext(principal='cqi')
expected_princ = gssapi.names.Name('cqi', gssapi.names.NameType.user)
self.assertEqual(expected_princ, context._cleaned_options['principal'])
def test_specify_ccache(self):
context = krbContext(principal='cqi',
ccache_file='/var/app/krb5_ccache')
self.assertEqual('/var/app/krb5_ccache',
context._cleaned_options['ccache'])
def test_specify_ccache(self):
context = krbContext(using_keytab=True,
principal='HTTP/[email protected]',
ccache_file='/var/app/krb5_ccache')
self.assertEqual('/var/app/krb5_ccache',
context._cleaned_options['ccache'])
