5 realm = K5Realm(create_host=False, create_user=False)
9 realm.addprinc(name, password(name))
10 ccache = os.path.join(realm.testdir,
11 'kadmin_ccache_' + name.replace('/', '_'))
12 realm.kinit(name, password(name),
13 flags=['-S', 'kadmin/admin', '-c', ccache])
16 def kadmin_as(client, query, **kwargs):
18 return realm.run([kadmin, '-c', client] + query, **kwargs)
20 all_add = make_client('all_add')
21 all_changepw = make_client('all_changepw')
22 all_delete = make_client('all_delete')
23 all_inquire = make_client('all_inquire')
24 all_list = make_client('all_list')
25 all_modify = make_client('all_modify')
26 all_rename = make_client('all_rename')
27 all_wildcard = make_client('all_wildcard')
28 all_extract = make_client('all_extract')
29 some_add = make_client('some_add')
30 some_changepw = make_client('some_changepw')
31 some_delete = make_client('some_delete')
32 some_inquire = make_client('some_inquire')
33 some_modify = make_client('some_modify')
34 some_rename = make_client('some_rename')
35 restricted_add = make_client('restricted_add')
36 restricted_modify = make_client('restricted_modify')
37 restricted_rename = make_client('restricted_rename')
38 wctarget = make_client('wctarget')
39 admin = make_client('user/admin')
40 none = make_client('none')
41 restrictions = make_client('restrictions')
42 onetwothreefour = make_client('one/two/three/four')
44 realm.run([kadminl, 'addpol', '-minlife', '1 day', 'minlife'])
46 f = open(os.path.join(realm.testdir, 'acl'), 'w')
58 some_changepw c selected
59 some_delete d selected
60 some_inquire i selected
61 some_modify im selected
64 restricted_add a * +preauth
65 restricted_modify im * +preauth
66 restricted_rename ad * +preauth
69 # The next line is a regression test for #8154; it is not used directly.
74 restrictions a type1 -policy minlife
75 restrictions a type2 -clearpolicy
76 restrictions a type3 -maxlife 1h -maxrenewlife 2h
82 # cpw can generate four different RPC calls depending on options.
83 realm.addprinc('selected', 'oldpw')
84 realm.addprinc('unselected', 'oldpw')
85 for pw in (['-pw', 'newpw'], ['-randkey']):
86 for ks in ([], ['-e', 'aes256-cts']):
88 kadmin_as(all_changepw, ['cpw'] + args + ['unselected'])
89 kadmin_as(some_changepw, ['cpw'] + args + ['selected'])
90 out = kadmin_as(none, ['cpw'] + args + ['selected'], expected_code=1)
91 if 'Operation requires ``change-password\'\' privilege' not in out:
92 fail('cpw failure (no perms)')
93 out = kadmin_as(some_changepw, ['cpw'] + args + ['unselected'],
95 if 'Operation requires ``change-password\'\' privilege' not in out:
96 fail('cpw failure (target)')
97 out = kadmin_as(none, ['cpw'] + args + ['none'])
98 realm.run([kadminl, 'modprinc', '-policy', 'minlife', 'none'])
99 out = kadmin_as(none, ['cpw'] + args + ['none'], expected_code=1)
100 if 'Current password\'s minimum life has not expired' not in out:
101 fail('cpw failure (minimum life)')
102 realm.run([kadminl, 'modprinc', '-clearpolicy', 'none'])
103 realm.run([kadminl, 'delprinc', 'selected'])
104 realm.run([kadminl, 'delprinc', 'unselected'])
106 kadmin_as(all_add, ['addpol', 'policy'])
107 realm.run([kadminl, 'delpol', 'policy'])
108 out = kadmin_as(none, ['addpol', 'policy'], expected_code=1)
109 if 'Operation requires ``add\'\' privilege' not in out:
110 fail('addpol failure (no perms)')
112 # addprinc can generate two different RPC calls depending on options.
113 for ks in ([], ['-e', 'aes256-cts']):
114 args = ['-pw', 'pw'] + ks
115 kadmin_as(all_add, ['addprinc'] + args + ['unselected'])
116 realm.run([kadminl, 'delprinc', 'unselected'])
117 kadmin_as(some_add, ['addprinc'] + args + ['selected'])
118 realm.run([kadminl, 'delprinc', 'selected'])
119 kadmin_as(restricted_add, ['addprinc'] + args + ['unselected'])
120 out = realm.run([kadminl, 'getprinc', 'unselected'])
121 if 'REQUIRES_PRE_AUTH' not in out:
122 fail('addprinc success (restrictions) -- restriction check')
123 realm.run([kadminl, 'delprinc', 'unselected'])
124 out = kadmin_as(none, ['addprinc'] + args + ['selected'], expected_code=1)
125 if 'Operation requires ``add\'\' privilege' not in out:
126 fail('addprinc failure (no perms)')
127 out = kadmin_as(some_add, ['addprinc'] + args + ['unselected'],
129 if 'Operation requires ``add\'\' privilege' not in out:
130 fail('addprinc failure (target)')
132 realm.addprinc('unselected', 'pw')
133 kadmin_as(all_delete, ['delprinc', 'unselected'])
134 realm.addprinc('selected', 'pw')
135 kadmin_as(some_delete, ['delprinc', 'selected'])
136 realm.addprinc('unselected', 'pw')
137 out = kadmin_as(none, ['delprinc', 'unselected'], expected_code=1)
138 if 'Operation requires ``delete\'\' privilege' not in out:
139 fail('delprinc failure (no perms)')
140 out = kadmin_as(some_delete, ['delprinc', 'unselected'], expected_code=1)
141 if 'Operation requires ``delete\'\' privilege' not in out:
142 fail('delprinc failure (no target)')
143 realm.run([kadminl, 'delprinc', 'unselected'])
145 out = kadmin_as(all_inquire, ['getpol', 'minlife'])
146 if 'Policy: minlife' not in out:
147 fail('getpol success (acl)')
148 out = kadmin_as(none, ['getpol', 'minlife'], expected_code=1)
149 if 'Operation requires ``get\'\' privilege' not in out:
150 fail('getpol failure (no perms)')
151 realm.run([kadminl, 'modprinc', '-policy', 'minlife', 'none'])
152 out = kadmin_as(none, ['getpol', 'minlife'])
153 if 'Policy: minlife' not in out:
154 fail('getpol success (self policy exemption)')
155 realm.run([kadminl, 'modprinc', '-clearpolicy', 'none'])
157 realm.addprinc('selected', 'pw')
158 realm.addprinc('unselected', 'pw')
159 out = kadmin_as(all_inquire, ['getprinc', 'unselected'])
160 if 'Principal: unselected@KRBTEST.COM' not in out:
161 fail('getprinc success (acl)')
162 out = kadmin_as(some_inquire, ['getprinc', 'selected'])
163 if 'Principal: selected@KRBTEST.COM' not in out:
164 fail('getprinc success (target)')
165 out = kadmin_as(none, ['getprinc', 'selected'], expected_code=1)
166 if 'Operation requires ``get\'\' privilege' not in out:
167 fail('getprinc failure (no perms)')
168 out = kadmin_as(some_inquire, ['getprinc', 'unselected'], expected_code=1)
169 if 'Operation requires ``get\'\' privilege' not in out:
170 fail('getprinc failure (target)')
171 out = kadmin_as(none, ['getprinc', 'none'])
172 if 'Principal: none@KRBTEST.COM' not in out:
173 fail('getprinc success (self exemption)')
174 realm.run([kadminl, 'delprinc', 'selected'])
175 realm.run([kadminl, 'delprinc', 'unselected'])
177 out = kadmin_as(all_list, ['listprincs'])
178 if 'K/M@KRBTEST.COM' not in out:
179 fail('listprincs success (acl)')
180 out = kadmin_as(none, ['listprincs'], expected_code=1)
181 if 'Operation requires ``list\'\' privilege' not in out:
182 fail('listprincs failure (no perms)')
184 realm.addprinc('selected', 'pw')
185 realm.addprinc('unselected', 'pw')
186 realm.run([kadminl, 'setstr', 'selected', 'key', 'value'])
187 realm.run([kadminl, 'setstr', 'unselected', 'key', 'value'])
188 out = kadmin_as(all_inquire, ['getstrs', 'unselected'])
189 if 'key: value' not in out:
190 fail('getstrs success (acl)')
191 out = kadmin_as(some_inquire, ['getstrs', 'selected'])
192 if 'key: value' not in out:
193 fail('getstrs success (target)')
194 out = kadmin_as(none, ['getstrs', 'selected'], expected_code=1)
195 if 'Operation requires ``get\'\' privilege' not in out:
196 fail('getstrs failure (no perms)')
197 out = kadmin_as(some_inquire, ['getstrs', 'unselected'], expected_code=1)
198 if 'Operation requires ``get\'\' privilege' not in out:
199 fail('getstrs failure (target)')
200 out = kadmin_as(none, ['getstrs', 'none'])
201 if '(No string attributes.)' not in out:
202 fail('getstrs success (self exemption)')
203 realm.run([kadminl, 'delprinc', 'selected'])
204 realm.run([kadminl, 'delprinc', 'unselected'])
206 out = kadmin_as(all_modify, ['modpol', '-maxlife', '1 hour', 'policy'],
208 if 'Operation requires' in out:
209 fail('modpol success (acl)')
210 out = kadmin_as(none, ['modpol', '-maxlife', '1 hour', 'policy'],
212 if 'Operation requires ``modify\'\' privilege' not in out:
213 fail('modpol failure (no perms)')
215 realm.addprinc('selected', 'pw')
216 realm.addprinc('unselected', 'pw')
217 kadmin_as(all_modify, ['modprinc', '-maxlife', '1 hour', 'unselected'])
218 kadmin_as(some_modify, ['modprinc', '-maxlife', '1 hour', 'selected'])
219 kadmin_as(restricted_modify, ['modprinc', '-maxlife', '1 hour', 'unselected'])
220 out = realm.run([kadminl, 'getprinc', 'unselected'])
221 if 'REQUIRES_PRE_AUTH' not in out:
222 fail('addprinc success (restrictions) -- restriction check')
223 out = kadmin_as(all_inquire, ['modprinc', '-maxlife', '1 hour', 'selected'],
225 if 'Operation requires ``modify\'\' privilege' not in out:
226 fail('addprinc failure (no perms)')
227 out = kadmin_as(some_modify, ['modprinc', '-maxlife', '1 hour', 'unselected'],
229 if 'Operation requires' not in out:
230 fail('modprinc failure (target)')
231 realm.run([kadminl, 'delprinc', 'selected'])
232 realm.run([kadminl, 'delprinc', 'unselected'])
234 realm.addprinc('selected', 'pw')
235 realm.addprinc('unselected', 'pw')
236 kadmin_as(all_modify, ['purgekeys', 'unselected'])
237 kadmin_as(some_modify, ['purgekeys', 'selected'])
238 out = kadmin_as(none, ['purgekeys', 'selected'], expected_code=1)
239 if 'Operation requires ``modify\'\' privilege' not in out:
240 fail('purgekeys failure (no perms)')
241 out = kadmin_as(some_modify, ['purgekeys', 'unselected'], expected_code=1)
242 if 'Operation requires ``modify\'\' privilege' not in out:
243 fail('purgekeys failure (target)')
244 kadmin_as(none, ['purgekeys', 'none'])
245 realm.run([kadminl, 'delprinc', 'selected'])
246 realm.run([kadminl, 'delprinc', 'unselected'])
248 realm.addprinc('from', 'pw')
249 kadmin_as(all_rename, ['renprinc', 'from', 'to'])
250 realm.run([kadminl, 'renprinc', 'to', 'from'])
251 kadmin_as(some_rename, ['renprinc', 'from', 'to'])
252 realm.run([kadminl, 'renprinc', 'to', 'from'])
253 out = kadmin_as(all_add, ['renprinc', 'from', 'to'], expected_code=1)
254 if 'Operation requires ``delete\'\' privilege' not in out:
255 fail('renprinc failure (no delete perms)')
256 out = kadmin_as(all_delete, ['renprinc', 'from', 'to'], expected_code=1)
257 if 'Operation requires ``add\'\' privilege' not in out:
258 fail('renprinc failure (no add perms)')
259 out = kadmin_as(some_rename, ['renprinc', 'from', 'notto'], expected_code=1)
260 if 'Operation requires ``add\'\' privilege' not in out:
261 fail('renprinc failure (new target)')
262 realm.run([kadminl, 'renprinc', 'from', 'notfrom'])
263 out = kadmin_as(some_rename, ['renprinc', 'notfrom', 'to'], expected_code=1)
264 if 'Operation requires ``delete\'\' privilege' not in out:
265 fail('renprinc failure (old target)')
266 out = kadmin_as(restricted_rename, ['renprinc', 'notfrom', 'to'],
268 if 'Operation requires ``add\'\' privilege' not in out:
269 fail('renprinc failure (restrictions)')
270 realm.run([kadminl, 'delprinc', 'notfrom'])
272 realm.addprinc('selected', 'pw')
273 realm.addprinc('unselected', 'pw')
274 kadmin_as(all_modify, ['setstr', 'unselected', 'key', 'value'])
275 kadmin_as(some_modify, ['setstr', 'selected', 'key', 'value'])
276 out = kadmin_as(none, ['setstr', 'selected', 'key', 'value'], expected_code=1)
277 if 'Operation requires ``modify\'\' privilege' not in out:
278 fail('addprinc failure (no perms)')
279 out = kadmin_as(some_modify, ['setstr', 'unselected', 'key', 'value'],
281 if 'Operation requires' not in out:
282 fail('modprinc failure (target)')
283 realm.run([kadminl, 'delprinc', 'selected'])
284 realm.run([kadminl, 'delprinc', 'unselected'])
286 kadmin_as(admin, ['addprinc', '-pw', 'pw', 'anytarget'])
287 realm.run([kadminl, 'delprinc', 'anytarget'])
288 kadmin_as(wctarget, ['addprinc', '-pw', 'pw', 'wild/card'])
289 realm.run([kadminl, 'delprinc', 'wild/card'])
290 out = kadmin_as(wctarget, ['addprinc', '-pw', 'pw', 'wild/card/extra'],
292 if 'Operation requires' not in out:
293 fail('addprinc failure (target wildcard extra component)')
294 realm.addprinc('admin/user', 'pw')
295 kadmin_as(admin, ['delprinc', 'admin/user'])
296 out = kadmin_as(admin, ['delprinc', 'none'], expected_code=1)
297 if 'Operation requires' not in out:
298 fail('delprinc failure (wildcard backreferences not matched)')
299 realm.addprinc('four/one/three', 'pw')
300 kadmin_as(onetwothreefour, ['delprinc', 'four/one/three'])
302 kadmin_as(restrictions, ['addprinc', '-pw', 'pw', 'type1'])
303 out = realm.run([kadminl, 'getprinc', 'type1'])
304 if 'Policy: minlife' not in out:
305 fail('restriction (policy)')
306 realm.run([kadminl, 'delprinc', 'type1'])
307 kadmin_as(restrictions, ['addprinc', '-pw', 'pw', '-policy', 'minlife',
309 out = realm.run([kadminl, 'getprinc', 'type2'])
310 if 'Policy: [none]' not in out:
311 fail('restriction (clearpolicy)')
312 realm.run([kadminl, 'delprinc', 'type2'])
313 kadmin_as(restrictions, ['addprinc', '-pw', 'pw', '-maxlife', '1 minute',
315 out = realm.run([kadminl, 'getprinc', 'type3'])
316 if ('Maximum ticket life: 0 days 00:01:00' not in out or
317 'Maximum renewable life: 0 days 02:00:00' not in out):
318 fail('restriction (maxlife low, maxrenewlife unspec)')
319 realm.run([kadminl, 'delprinc', 'type3'])
320 kadmin_as(restrictions, ['addprinc', '-pw', 'pw', '-maxrenewlife', '1 day',
322 out = realm.run([kadminl, 'getprinc', 'type3'])
323 if 'Maximum renewable life: 0 days 02:00:00' not in out:
324 fail('restriction (maxrenewlife high)')
326 realm.run([kadminl, 'addprinc', '-pw', 'pw', 'extractkeys'])
327 out = kadmin_as(all_wildcard, ['ktadd', '-norandkey', 'extractkeys'],
329 if 'Operation requires ``extract-keys\'\' privilege' not in out:
330 fail('extractkeys failure (all_wildcard)')
331 kadmin_as(all_extract, ['ktadd', '-norandkey', 'extractkeys'])
332 realm.kinit('extractkeys', flags=['-k'])
333 os.remove(realm.keytab)
335 kadmin_as(all_modify, ['modprinc', '+lockdown_keys', 'extractkeys'])
336 out = kadmin_as(all_changepw, ['cpw', '-pw', 'newpw', 'extractkeys'],
338 if 'Operation requires ``change-password\'\' privilege' not in out:
339 fail('extractkeys failure (all_changepw)')
340 kadmin_as(all_changepw, ['cpw', '-randkey', 'extractkeys'])
341 out = kadmin_as(all_extract, ['ktadd', '-norandkey', 'extractkeys'],
343 if 'Operation requires ``extract-keys\'\' privilege' not in out:
344 fail('extractkeys failure (all_extract)')
345 out = kadmin_as(all_delete, ['delprinc', 'extractkeys'], expected_code=1)
346 if 'Operation requires ``delete\'\' privilege' not in out:
347 fail('extractkeys failure (all_delete)')
348 out = kadmin_as(all_rename, ['renprinc', 'extractkeys', 'renamedprinc'],
350 if 'Operation requires ``delete\'\' privilege' not in out:
351 fail('extractkeys failure (all_rename)')
352 out = kadmin_as(all_modify, ['modprinc', '-lockdown_keys', 'extractkeys'],
354 if 'Operation requires ``modify\'\' privilege' not in out:
355 fail('extractkeys failure (all_modify)')
356 realm.run([kadminl, 'modprinc', '-lockdown_keys', 'extractkeys'])
357 kadmin_as(all_extract, ['ktadd', '-norandkey', 'extractkeys'])
358 realm.kinit('extractkeys', flags=['-k'])
359 os.remove(realm.keytab)
361 success('kadmin ACL enforcement')