def test_store_cred_acquire_cred(self):
# we need to acquire a forwardable ticket
svc_princ = SERVICE_PRINCIPAL.decode("UTF-8")
self.realm.kinit(svc_princ, flags=['-k', '-f'])
target_name = gb.import_name(TARGET_SERVICE_NAME,
gb.NameType.hostbased_service)
client_creds = gb.acquire_cred(None, usage='initiate').creds
client_ctx_resp = gb.init_sec_context(
target_name,
creds=client_creds,
flags=gb.RequirementFlag.delegate_to_peer)
client_token = client_ctx_resp[3]
server_creds = gb.acquire_cred(None, usage='accept').creds
server_ctx_resp = gb.accept_sec_context(client_token,
acceptor_creds=server_creds)
deleg_creds = server_ctx_resp.delegated_creds
deleg_creds.shouldnt_be_none()
store_res = gb.store_cred(deleg_creds,
usage='initiate',
set_default=True)
store_res.shouldnt_be_none()
store_res.usage.should_be('initiate')
store_res.mechs.should_include(gb.MechType.kerberos)
deleg_name = gb.inquire_cred(deleg_creds).name
acq_resp = gb.acquire_cred(deleg_name, usage='initiate')
acq_resp.shouldnt_be_none()
def test_add_cred(self):
target_name = gb.import_name(TARGET_SERVICE_NAME,
gb.NameType.hostbased_service)
client_ctx_resp = gb.init_sec_context(target_name)
client_token = client_ctx_resp[3]
del client_ctx_resp # free all the things (except the token)!
server_name = gb.import_name(SERVICE_PRINCIPAL,
gb.NameType.kerberos_principal)
server_creds = gb.acquire_cred(server_name, usage='both')[0]
server_ctx_resp = gb.accept_sec_context(client_token,
acceptor_creds=server_creds)
input_creds = gb.Creds()
imp_resp = gb.add_cred(input_creds, server_ctx_resp[1],
gb.MechType.kerberos)
imp_resp.shouldnt_be_none()
new_creds, actual_mechs, output_init_ttl, output_accept_ttl = imp_resp
actual_mechs.shouldnt_be_empty()
actual_mechs.should_include(gb.MechType.kerberos)
output_init_ttl.should_be_a(int)
output_accept_ttl.should_be_a(int)
new_creds.should_be_a(gb.Creds)
def test_add_cred(self):
target_name = gb.import_name(TARGET_SERVICE_NAME,
gb.NameType.hostbased_service)
client_ctx_resp = gb.init_sec_context(target_name)
client_token = client_ctx_resp[3]
del client_ctx_resp # free all the things (except the token)!
server_name = gb.import_name(SERVICE_PRINCIPAL,
gb.NameType.kerberos_principal)
server_creds = gb.acquire_cred(server_name, usage='both')[0]
server_ctx_resp = gb.accept_sec_context(client_token,
acceptor_creds=server_creds)
input_creds = gb.Creds()
imp_resp = gb.add_cred(input_creds,
server_ctx_resp[1],
gb.MechType.kerberos)
imp_resp.shouldnt_be_none()
new_creds, actual_mechs, output_init_ttl, output_accept_ttl = imp_resp
actual_mechs.shouldnt_be_empty()
actual_mechs.should_include(gb.MechType.kerberos)
output_init_ttl.should_be_a(int)
output_accept_ttl.should_be_a(int)
new_creds.should_be_a(gb.Creds)
def test_store_cred_acquire_cred(self):
# we need to acquire a forwardable ticket
svc_princ = SERVICE_PRINCIPAL.decode("UTF-8")
self.realm.kinit(svc_princ, flags=['-k', '-f'])
target_name = gb.import_name(TARGET_SERVICE_NAME,
gb.NameType.hostbased_service)
client_creds = gb.acquire_cred(None, usage='initiate').creds
client_ctx_resp = gb.init_sec_context(
target_name, creds=client_creds,
flags=gb.RequirementFlag.delegate_to_peer)
client_token = client_ctx_resp[3]
server_creds = gb.acquire_cred(None, usage='accept').creds
server_ctx_resp = gb.accept_sec_context(client_token,
acceptor_creds=server_creds)
deleg_creds = server_ctx_resp.delegated_creds
deleg_creds.shouldnt_be_none()
store_res = gb.store_cred(deleg_creds, usage='initiate',
set_default=True, overwrite=True)
store_res.shouldnt_be_none()
store_res.usage.should_be('initiate')
store_res.mechs.should_include(gb.MechType.kerberos)
deleg_name = gb.inquire_cred(deleg_creds).name
acq_resp = gb.acquire_cred(deleg_name, usage='initiate')
acq_resp.shouldnt_be_none()
def test_inquire_context(self):
target_name = gb.import_name(TARGET_SERVICE_NAME,
gb.NameType.hostbased_service)
ctx_resp = gb.init_sec_context(target_name)
client_token1 = ctx_resp[3]
client_ctx = ctx_resp[0]
server_name = gb.import_name(SERVICE_PRINCIPAL,
gb.NameType.kerberos_principal)
server_creds = gb.acquire_cred(server_name)[0]
server_resp = gb.accept_sec_context(client_token1,
acceptor_creds=server_creds)
server_tok = server_resp[3]
client_resp2 = gb.init_sec_context(target_name,
context=client_ctx,
input_token=server_tok)
ctx = client_resp2[0]
inq_resp = gb.inquire_context(ctx)
inq_resp.shouldnt_be_none()
(src_name, target_name, ttl, mech_type,
flags, local_est, is_open) = inq_resp
src_name.shouldnt_be_none()
src_name.should_be_a(gb.Name)
target_name.shouldnt_be_none()
target_name.should_be_a(gb.Name)
ttl.should_be_an_integer()
mech_type.shouldnt_be_none()
mech_type.should_be(gb.MechType.kerberos)
flags.shouldnt_be_none()
flags.should_be_a(collections.Set)
flags.shouldnt_be_empty()
local_est.should_be_a(bool)
local_est.should_be_true()
is_open.should_be_a(bool)
is_open.should_be_true()
def test_inquire_context(self):
target_name = gb.import_name(TARGET_SERVICE_NAME,
gb.NameType.hostbased_service)
ctx_resp = gb.init_sec_context(target_name)
client_token1 = ctx_resp[3]
client_ctx = ctx_resp[0]
server_name = gb.import_name(SERVICE_PRINCIPAL,
gb.NameType.kerberos_principal)
server_creds = gb.acquire_cred(server_name)[0]
server_resp = gb.accept_sec_context(client_token1,
acceptor_creds=server_creds)
server_tok = server_resp[3]
client_resp2 = gb.init_sec_context(target_name,
context=client_ctx,
input_token=server_tok)
ctx = client_resp2[0]
inq_resp = gb.inquire_context(ctx)
inq_resp.shouldnt_be_none()
(src_name, target_name, ttl, mech_type, flags, local_est,
is_open) = inq_resp
src_name.shouldnt_be_none()
src_name.should_be_a(gb.Name)
target_name.shouldnt_be_none()
target_name.should_be_a(gb.Name)
ttl.should_be_an_integer()
mech_type.shouldnt_be_none()
mech_type.should_be(gb.MechType.kerberos)
flags.shouldnt_be_none()
flags.should_be_a(collections.Set)
flags.shouldnt_be_empty()
local_est.should_be_a(bool)
local_est.should_be_true()
is_open.should_be_a(bool)
is_open.should_be_true()
def setUp(self):
self.target_name = gb.import_name(TARGET_SERVICE_NAME,
gb.NameType.hostbased_service)
ctx_resp = gb.init_sec_context(self.target_name)
self.client_token1 = ctx_resp[3]
self.client_ctx = ctx_resp[0]
self.server_name = gb.import_name(SERVICE_PRINCIPAL,
gb.NameType.kerberos_principal)
self.server_creds = gb.acquire_cred(self.server_name)[0]
server_resp = gb.accept_sec_context(self.client_token1,
acceptor_creds=self.server_creds)
self.server_ctx = server_resp[0]
self.server_tok = server_resp[3]
client_resp2 = gb.init_sec_context(self.target_name,
context=self.client_ctx,
input_token=self.server_tok)
self.client_token2 = client_resp2[3]
self.client_ctx = client_resp2[0]
def setUp(self):
self.target_name = gb.import_name(TARGET_SERVICE_NAME,
gb.NameType.hostbased_service)
ctx_resp = gb.init_sec_context(self.target_name)
self.client_token1 = ctx_resp[3]
self.client_ctx = ctx_resp[0]
self.server_name = gb.import_name(SERVICE_PRINCIPAL,
gb.NameType.kerberos_principal)
self.server_creds = gb.acquire_cred(self.server_name)[0]
server_resp = gb.accept_sec_context(self.client_token1,
acceptor_creds=self.server_creds)
self.server_ctx = server_resp[0]
self.server_tok = server_resp[3]
client_resp2 = gb.init_sec_context(self.target_name,
context=self.client_ctx,
input_token=self.server_tok)
self.client_token2 = client_resp2[3]
self.client_ctx = client_resp2[0]
def test_context_time(self):
target_name = gb.import_name(TARGET_SERVICE_NAME,
gb.NameType.hostbased_service)
ctx_resp = gb.init_sec_context(target_name)
client_token1 = ctx_resp[3]
client_ctx = ctx_resp[0]
server_name = gb.import_name(SERVICE_PRINCIPAL,
gb.NameType.kerberos_principal)
server_creds = gb.acquire_cred(server_name)[0]
server_resp = gb.accept_sec_context(client_token1,
acceptor_creds=server_creds)
server_tok = server_resp[3]
client_resp2 = gb.init_sec_context(target_name,
context=client_ctx,
input_token=server_tok)
ctx = client_resp2[0]
ttl = gb.context_time(ctx)
ttl.should_be_an_integer()
ttl.should_be_greater_than(0)
def setUp(self):
self.target_name = gb.import_name(TARGET_SERVICE_NAME,
gb.NameType.hostbased_service)
ctx_resp = gb.init_sec_context(self.target_name)
self.client_token = ctx_resp[3]
self.client_ctx = ctx_resp[0]
self.client_ctx.shouldnt_be_none()
self.server_name = gb.import_name(SERVICE_PRINCIPAL,
gb.NameType.kerberos_principal)
self.server_creds = gb.acquire_cred(self.server_name)[0]
self.server_ctx = None
def test_context_time(self):
target_name = gb.import_name(TARGET_SERVICE_NAME,
gb.NameType.hostbased_service)
ctx_resp = gb.init_sec_context(target_name)
client_token1 = ctx_resp[3]
client_ctx = ctx_resp[0]
server_name = gb.import_name(SERVICE_PRINCIPAL,
gb.NameType.kerberos_principal)
server_creds = gb.acquire_cred(server_name)[0]
server_resp = gb.accept_sec_context(client_token1,
acceptor_creds=server_creds)
server_tok = server_resp[3]
client_resp2 = gb.init_sec_context(target_name,
context=client_ctx,
input_token=server_tok)
ctx = client_resp2[0]
ttl = gb.context_time(ctx)
ttl.should_be_an_integer()
ttl.should_be_greater_than(0)
def setUp(self):
self.target_name = gb.import_name(TARGET_SERVICE_NAME,
gb.NameType.hostbased_service)
ctx_resp = gb.init_sec_context(self.target_name)
self.client_token = ctx_resp[3]
self.client_ctx = ctx_resp[0]
self.client_ctx.shouldnt_be_none()
self.server_name = gb.import_name(SERVICE_PRINCIPAL,
gb.NameType.kerberos_principal)
self.server_creds = gb.acquire_cred(self.server_name)[0]
self.server_ctx = None
def test_impersonate(self, str_name, kwargs):
target_name = gssnames.Name(TARGET_SERVICE_NAME,
gb.NameType.hostbased_service)
# TODO(directxman12): make this use the high-level SecurityContext
client_ctx_resp = gb.init_sec_context(target_name)
client_token = client_ctx_resp[3]
del client_ctx_resp # free everything but the token
server_name = self.name
server_creds = gsscreds.Credentials(name=server_name, usage='both')
server_ctx_resp = gb.accept_sec_context(client_token,
acceptor_creds=server_creds)
imp_creds = server_creds.impersonate(server_ctx_resp[1], **kwargs)
imp_creds.shouldnt_be_none()
imp_creds.should_be_a(gsscreds.Credentials)
def test_impersonate(self, str_name, kwargs):
target_name = gssnames.Name(TARGET_SERVICE_NAME,
gb.NameType.hostbased_service)
# TODO(directxman12): make this use the high-level SecurityContext
client_ctx_resp = gb.init_sec_context(target_name)
client_token = client_ctx_resp[3]
del client_ctx_resp # free everything but the token
server_name = self.name
server_creds = gsscreds.Credentials(name=server_name,
usage='both')
server_ctx_resp = gb.accept_sec_context(client_token,
acceptor_creds=server_creds)
imp_creds = server_creds.impersonate(server_ctx_resp[1], **kwargs)
imp_creds.shouldnt_be_none()
imp_creds.should_be_a(gsscreds.Credentials)
def test_always_get_delegated_creds(self):
svc_princ = SERVICE_PRINCIPAL.decode("UTF-8")
self.realm.kinit(svc_princ, flags=['-k', '-f'])
target_name = gb.import_name(TARGET_SERVICE_NAME,
gb.NameType.hostbased_service)
client_token = gb.init_sec_context(target_name).token
# if our acceptor creds have a usage of both, we get
# s4u2proxy delegated credentials
server_creds = gb.acquire_cred(None, usage='both').creds
server_ctx_resp = gb.accept_sec_context(client_token,
acceptor_creds=server_creds)
server_ctx_resp.shouldnt_be_none()
server_ctx_resp.delegated_creds.shouldnt_be_none()
server_ctx_resp.delegated_creds.should_be_a(gb.Creds)
def test_always_get_delegated_creds(self):
svc_princ = SERVICE_PRINCIPAL.decode("UTF-8")
self.realm.kinit(svc_princ, flags=['-k', '-f'])
target_name = gb.import_name(TARGET_SERVICE_NAME,
gb.NameType.hostbased_service)
client_token = gb.init_sec_context(target_name).token
# if our acceptor creds have a usage of both, we get
# s4u2proxy delegated credentials
server_creds = gb.acquire_cred(None, usage='both').creds
server_ctx_resp = gb.accept_sec_context(client_token,
acceptor_creds=server_creds)
server_ctx_resp.shouldnt_be_none()
server_ctx_resp.delegated_creds.shouldnt_be_none()
server_ctx_resp.delegated_creds.should_be_a(gb.Creds)
def test_basic_init_default_ctx(self):
ctx_resp = gb.init_sec_context(self.target_name)
ctx_resp.shouldnt_be_none()
(ctx, out_mech_type, out_req_flags, out_token, out_ttl,
cont_needed) = ctx_resp
ctx.shouldnt_be_none()
ctx.should_be_a(gb.SecurityContext)
out_mech_type.should_be(gb.MechType.kerberos)
out_req_flags.should_be_a(collections.Set)
out_req_flags.should_be_at_least_length(2)
out_token.shouldnt_be_empty()
out_ttl.should_be_greater_than(0)
cont_needed.should_be_a(bool)
gb.delete_sec_context(ctx)
def test_basic_init_default_ctx(self):
ctx_resp = gb.init_sec_context(self.target_name)
ctx_resp.shouldnt_be_none()
(ctx, out_mech_type,
out_req_flags, out_token, out_ttl, cont_needed) = ctx_resp
ctx.shouldnt_be_none()
ctx.should_be_a(gb.SecurityContext)
out_mech_type.should_be(gb.MechType.kerberos)
out_req_flags.should_be_a(collections.Set)
out_req_flags.should_be_at_least_length(2)
out_token.shouldnt_be_empty()
out_ttl.should_be_greater_than(0)
cont_needed.should_be_a(bool)
gb.delete_sec_context(ctx)
def test_bad_channel_binding_raises_error(self):
bdgs = gb.ChannelBindings(application_data=b'abcxyz',
initiator_address_type=gb.AddressType.ip,
initiator_address=b'127.0.0.1',
acceptor_address_type=gb.AddressType.ip,
acceptor_address=b'127.0.0.1')
self.target_name = gb.import_name(TARGET_SERVICE_NAME,
gb.NameType.hostbased_service)
ctx_resp = gb.init_sec_context(self.target_name, channel_bindings=bdgs)
self.client_token = ctx_resp[3]
self.client_ctx = ctx_resp[0]
self.client_ctx.shouldnt_be_none()
self.server_name = gb.import_name(SERVICE_PRINCIPAL,
gb.NameType.kerberos_principal)
self.server_creds = gb.acquire_cred(self.server_name)[0]
bdgs.acceptor_address = b'127.0.1.0'
gb.accept_sec_context.should_raise(gb.GSSError,
self.client_token,
acceptor_creds=self.server_creds,
channel_bindings=bdgs)
def test_bad_channel_binding_raises_error(self):
bdgs = gb.ChannelBindings(application_data=b'abcxyz',
initiator_address_type=gb.AddressType.ip,
initiator_address=b'127.0.0.1',
acceptor_address_type=gb.AddressType.ip,
acceptor_address=b'127.0.0.1')
self.target_name = gb.import_name(TARGET_SERVICE_NAME,
gb.NameType.hostbased_service)
ctx_resp = gb.init_sec_context(self.target_name,
channel_bindings=bdgs)
self.client_token = ctx_resp[3]
self.client_ctx = ctx_resp[0]
self.client_ctx.shouldnt_be_none()
self.server_name = gb.import_name(SERVICE_PRINCIPAL,
gb.NameType.kerberos_principal)
self.server_creds = gb.acquire_cred(self.server_name)[0]
bdgs.acceptor_address = b'127.0.1.0'
gb.accept_sec_context.should_raise(gb.GSSError, self.client_token,
acceptor_creds=self.server_creds,
channel_bindings=bdgs)