3 # Skip this test if we're missing proxy functionality or parts of the proxy.
4 if runenv.tls_impl == 'no':
5 skip_rest('HTTP proxy tests', 'TLS build support not enabled')
7 from paste import httpserver
9 skip_rest('HTTP proxy tests', 'Python paste module not found')
13 skip_rest('HTTP proxy tests', 'Python kdcproxy module not found')
15 # Construct a krb5.conf fragment configuring the client to use a local proxy
17 proxysubjectpem = os.path.join(srctop, 'tests', 'dejagnu', 'proxy-certs',
19 proxysanpem = os.path.join(srctop, 'tests', 'dejagnu', 'proxy-certs',
21 proxyidealpem = os.path.join(srctop, 'tests', 'dejagnu', 'proxy-certs',
23 proxywrongpem = os.path.join(srctop, 'tests', 'dejagnu', 'proxy-certs',
25 proxybadpem = os.path.join(srctop, 'tests', 'dejagnu', 'proxy-certs',
27 proxyca = os.path.join(srctop, 'tests', 'dejagnu', 'proxy-certs', 'ca.pem')
28 proxyurl = 'https://localhost:$port5/KdcProxy'
29 proxyurlupcase = 'https://LocalHost:$port5/KdcProxy'
30 proxyurl4 = 'https://127.0.0.1:$port5/KdcProxy'
31 proxyurl6 = 'https://[::1]:$port5/KdcProxy'
33 unanchored_krb5_conf = {'realms': {'$realm': {
35 'kpasswd_server': proxyurl}}}
36 anchored_name_krb5_conf = {'realms': {'$realm': {
38 'kpasswd_server': proxyurl,
39 'http_anchors': 'FILE:%s' % proxyca}}}
40 anchored_upcasename_krb5_conf = {'realms': {'$realm': {
41 'kdc': proxyurlupcase,
42 'kpasswd_server': proxyurlupcase,
43 'http_anchors': 'FILE:%s' % proxyca}}}
44 anchored_kadmin_krb5_conf = {'realms': {'$realm': {
46 'admin_server': proxyurl,
47 'http_anchors': 'FILE:%s' % proxyca}}}
48 anchored_ipv4_krb5_conf = {'realms': {'$realm': {
50 'kpasswd_server': proxyurl4,
51 'http_anchors': 'FILE:%s' % proxyca}}}
52 kpasswd_input = (password('user') + '\n' + password('user') + '\n' +
53 password('user') + '\n')
def start_proxy(realm, keycertpem):
    """Start a local MS-KKDCP proxy in front of the realm's KDC and kpasswdd.

    A kdcproxy config file is written into the realm's test directory,
    its location is exported to the realm environment via KDCPROXY_CONFIG,
    and the paste-based proxy is launched as a realm server.  The caller
    picks the certificate file the proxy presents (keycertpem), which is
    what lets each test pass below exercise a different trust-anchor /
    name-matching outcome on the client side.

    Args:
        realm: the K5Realm whose KDC and kpasswd ports the proxy fronts.
        keycertpem: path to a PEM file under proxy-certs; presumably handed
            to the proxy process on its command line -- not shown on the
            visible lines, confirm against the full argument list.

    Returns:
        whatever realm.start_server returns for the launched proxy.
    """
    proxy_conf_path = os.path.join(realm.testdir, 'kdcproxy.conf')
    proxy_exec_path = os.path.join(srctop, 'util', 'paste-kdcproxy.py')
    conf = open(proxy_conf_path, 'w')
    # Section name is the realm; the KDC listens at portbase and kpasswdd at
    # portbase + 2, both on localhost (the proxy-to-KDC leg is not TLS).
    conf.write('[%s]\n' % realm.realm)
    conf.write('kerberos = kerberos://localhost:%d\n' % realm.portbase)
    conf.write('kpasswd = kpasswd://localhost:%d\n' % (realm.portbase + 2))
    # NOTE(review): confirm the config file is closed/flushed before the
    # proxy process is started, so it never reads a partially written file.
    realm.env['KDCPROXY_CONFIG'] = proxy_conf_path
    # The proxy's own listening port is the realm's server port; the TLS
    # key/cert argument presumably follows (continuation line not visible).
    cmd = [sys.executable, proxy_exec_path, str(realm.server_port()),
    # start_server is expected to wait for this sentinel on the proxy's
    # output before returning -- TODO confirm in K5Realm.start_server.
    return realm.start_server(cmd, sentinel='proxy server ready')
68 # Fail: untrusted issuer and hostname doesn't match.
69 mark('untrusted issuer, hostname mismatch')
70 output("running pass 1: issuer not trusted and hostname doesn't match\n")
71 realm = K5Realm(krb5_conf=unanchored_krb5_conf, get_creds=False,
73 proxy = start_proxy(realm, proxywrongpem)
74 realm.kinit(realm.user_princ, password=password('user'), expected_code=1)
78 # Fail: untrusted issuer, host name matches subject.
79 mark('untrusted issuer, hostname subject match')
80 output("running pass 2: subject matches, issuer not trusted\n")
81 realm = K5Realm(krb5_conf=unanchored_krb5_conf, get_creds=False,
83 proxy = start_proxy(realm, proxysubjectpem)
84 realm.kinit(realm.user_princ, password=password('user'), expected_code=1)
88 # Fail: untrusted issuer, host name matches subjectAltName.
89 mark('untrusted issuer, hostname SAN match')
90 output("running pass 3: subjectAltName matches, issuer not trusted\n")
91 realm = K5Realm(krb5_conf=unanchored_krb5_conf, get_creds=False,
93 proxy = start_proxy(realm, proxysanpem)
94 realm.kinit(realm.user_princ, password=password('user'), expected_code=1)
98 # Fail: untrusted issuer, certificate signature is bad.
99 mark('untrusted issuer, bad signature')
100 output("running pass 4: subject matches, issuer not trusted\n")
101 realm = K5Realm(krb5_conf=unanchored_krb5_conf, get_creds=False,
103 proxy = start_proxy(realm, proxybadpem)
104 realm.kinit(realm.user_princ, password=password('user'), expected_code=1)
108 # Fail: trusted issuer but hostname doesn't match.
109 mark('trusted issuer, hostname mismatch')
110 output("running pass 5: issuer trusted but hostname doesn't match\n")
111 realm = K5Realm(krb5_conf=anchored_name_krb5_conf, get_creds=False,
113 proxy = start_proxy(realm, proxywrongpem)
114 realm.kinit(realm.user_princ, password=password('user'), expected_code=1)
118 # Succeed: trusted issuer and host name matches subject.
119 mark('trusted issuer, hostname subject match')
120 output("running pass 6: issuer trusted, subject matches\n")
121 realm = K5Realm(krb5_conf=anchored_name_krb5_conf, start_kadmind=True,
123 proxy = start_proxy(realm, proxysubjectpem)
124 realm.kinit(realm.user_princ, password=password('user'))
125 realm.run([kvno, realm.host_princ])
126 realm.run([kpasswd, realm.user_princ], input=kpasswd_input)
130 # Succeed: trusted issuer and host name matches subjectAltName.
131 mark('trusted issuer, hostname SAN match')
132 output("running pass 7: issuer trusted, subjectAltName matches\n")
133 realm = K5Realm(krb5_conf=anchored_name_krb5_conf, start_kadmind=True,
135 proxy = start_proxy(realm, proxysanpem)
136 realm.kinit(realm.user_princ, password=password('user'))
137 realm.run([kvno, realm.host_princ])
138 realm.run([kpasswd, realm.user_princ], input=kpasswd_input)
142 # Fail: certificate signature is bad.
143 mark('bad signature')
144 output("running pass 8: issuer trusted and subjectAltName matches, sig bad\n")
145 realm = K5Realm(krb5_conf=anchored_name_krb5_conf,
148 proxy = start_proxy(realm, proxybadpem)
149 realm.kinit(realm.user_princ, password=password('user'), expected_code=1)
153 # Fail: trusted issuer, but no certificate name matches the IP address.
154 mark('trusted issuer, IP mismatch')
155 output("running pass 9: issuer trusted but no name matches IP\n")
156 realm = K5Realm(krb5_conf=anchored_ipv4_krb5_conf, get_creds=False,
158 proxy = start_proxy(realm, proxywrongpem)
159 realm.kinit(realm.user_princ, password=password('user'), expected_code=1)
163 # Fail: trusted issuer, but the certificate subject does not match the IP address.
164 mark('trusted issuer, IP mismatch (hostname in subject)')
165 output("running pass 10: issuer trusted, but subject does not match IP\n")
166 realm = K5Realm(krb5_conf=anchored_ipv4_krb5_conf, get_creds=False,
168 proxy = start_proxy(realm, proxysubjectpem)
169 realm.kinit(realm.user_princ, password=password('user'), expected_code=1)
173 # Succeed: trusted issuer and the IP address matches a subjectAltName.
174 mark('trusted issuer, IP SAN match')
175 output("running pass 11: issuer trusted, subjectAltName matches IP\n")
176 realm = K5Realm(krb5_conf=anchored_ipv4_krb5_conf, start_kadmind=True,
178 proxy = start_proxy(realm, proxysanpem)
179 realm.kinit(realm.user_princ, password=password('user'))
180 realm.run([kvno, realm.host_princ])
181 realm.run([kpasswd, realm.user_princ], input=kpasswd_input)
185 # Fail: certificate signature is bad.
186 mark('bad signature (IP hostname)')
187 output("running pass 12: issuer trusted, names don't match, signature bad\n")
188 realm = K5Realm(krb5_conf=anchored_ipv4_krb5_conf, get_creds=False,
190 proxy = start_proxy(realm, proxybadpem)
191 realm.kinit(realm.user_princ, password=password('user'), expected_code=1)
195 # Succeed: trusted issuer and host name matches subject, using kadmin
196 # configuration to find kpasswdd.
197 mark('trusted issuer, hostname subject match (kadmin)')
198 output("running pass 13: issuer trusted, subject matches\n")
199 realm = K5Realm(krb5_conf=anchored_kadmin_krb5_conf, start_kadmind=True,
200 get_creds=False, create_host=False)
201 proxy = start_proxy(realm, proxysubjectpem)
202 realm.run([kpasswd, realm.user_princ], input=kpasswd_input)
206 # Succeed: trusted issuer and host name matches subjectAltName, using
207 # kadmin configuration to find kpasswdd.
208 mark('trusted issuer, hostname SAN match (kadmin)')
209 output("running pass 14: issuer trusted, subjectAltName matches\n")
210 realm = K5Realm(krb5_conf=anchored_kadmin_krb5_conf, start_kadmind=True,
211 get_creds=False, create_host=False)
212 proxy = start_proxy(realm, proxysanpem)
213 realm.run([kpasswd, realm.user_princ], input=kpasswd_input)
217 # Succeed: trusted issuer and host name matches subjectAltName (give or take
219 mark('trusted issuer, hostname SAN case-insensitive match')
220 output("running pass 15: issuer trusted, subjectAltName case-insensitive\n")
221 realm = K5Realm(krb5_conf=anchored_upcasename_krb5_conf, start_kadmind=True,
222 get_creds=False, create_host=False)
223 proxy = start_proxy(realm, proxysanpem)
224 realm.run([kpasswd, realm.user_princ], input=kpasswd_input)
228 success('MS-KKDCP proxy')