From 0558f270b3fbb0780e2a94602d455022b89f5381 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Sep 01 2017 18:26:38 +0000
Subject: TESTS: Test that ccaches can be stored after max_secrets is reached for regular non-ccache secrets
Test that even when we store the maximum number of secrets, we can still store kerberos credentials, but only until we reach the max_secrets limit as well.
Reviewed-by: Simo Sorce
Reviewed-by: Fabiano FidĂȘncio
---
diff --git a/src/tests/intg/test_kcm.py b/src/tests/intg/test_kcm.py
index 72a3458..b65e1d5 100644
--- a/src/tests/intg/test_kcm.py
+++ b/src/tests/intg/test_kcm.py
@@ -23,12 +23,16 @@ import pytest
 import socket
 import time
 import signal
+from requests import HTTPError
 import kdc
 import krb5utils
 import config
 from util import unindent
 from test_secrets import create_sssd_secrets_fixture
+from secrets import SecretsLocalClient
+
+MAX_SECRETS = 10
 class KcmTestEnv(object):
@@ -109,7 +113,7 @@ def create_sssd_kcm_fixture(sock_path, request):
 return kcm_pid
-def create_sssd_conf(kcm_path, ccache_storage):
+def create_sssd_conf(kcm_path, ccache_storage, max_secrets=MAX_SECRETS):
 return unindent("""\
 [sssd]
 domains = local
@@ -121,6 +125,9 @@ def create_sssd_conf(kcm_path, ccache_storage):
 [kcm]
 socket_path = {kcm_path}
 ccache_storage = {ccache_storage}
+
+ [secrets]
+ max_secrets = {max_secrets}
 """).format(**locals())
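Review bot: The added `from secrets import SecretsLocalClient` in the first hunk imports a module called `secrets`, which is also the name of a standard-library module from Python 3.6 on. Presumably this resolves to the test suite's own client module; if so, the order of `sys.path` decides which one is loaded, and any other code in the same process that expects the standard module would get the local one instead. A comment above the import, for example `# project-local secrets test client, not the stdlib 'secrets' module`, would record the intent, and renaming the local module would remove the ambiguity altogether.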
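Review bot: The new `max_secrets` parameter of `create_sssd_conf` reaches the template only through `.format(**locals())`, so the signature (hunk `@@ -109`) and the `{max_secrets}` placeholder (hunk `@@ -121`) are tied together by name alone and nothing documents that the value becomes the `[secrets]` quota. A one-line docstring such as `"""Return sssd.conf text for the KCM tests; max_secrets sets the [secrets] quota."""` would cover that. Spelling the arguments out, `.format(kcm_path=kcm_path, ccache_storage=ccache_storage, max_secrets=max_secrets)`, would make a later rename fail visibly at the call instead of inside the template. The function body starts in one hunk and ends in the other, with lines in between not shown.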
@@ -464,3 +471,46 @@ def test_kcm_sec_parallel_klist(setup_for_kcm_sec,
 for p in processes:
 rc = p.wait()
 assert rc == 0
+
+
+def get_secrets_socket():
+ return os.path.join(config.RUNSTATEDIR, "secrets.socket")
+
+
+@pytest.fixture
+def secrets_cli(request):
+ sock_path = get_secrets_socket()
+ cli = SecretsLocalClient(sock_path=sock_path)
+ return cli
+
+
+def test_kcm_secrets_quota(setup_for_kcm_sec,
+ setup_secrets,
+ secrets_cli):
+ testenv = setup_for_kcm_sec
+ cli = secrets_cli
+
+ # Make sure the secrets store is depleted first
+ sec_value = "value"
+ for i in range(MAX_SECRETS):
+ cli.set_secret(str(i), sec_value)
+
+ with pytest.raises(HTTPError) as err507:
+ cli.set_secret(str(MAX_SECRETS), sec_value)
+ assert str(err507.value).startswith("507")
+
+ # We should still be able to store KCM ccaches, but no more
+ # than MAX_SECRETS
+ for i in range(MAX_SECRETS):
+ princ = "%s%d" % ("kcmtest", i)
+ testenv.k5kdc.add_principal(princ, princ)
+
+ for i in range(MAX_SECRETS-1):
+ princ = "%s%d" % ("kcmtest", i)
+ out, _, _ = testenv.k5util.kinit(princ, princ)
+ assert out == 0
+
+ # we stored 0 to MAX_SECRETS-1, storing another one must fail
+ princ = "%s%d" % ("kcmtest", MAX_SECRETS)
+ out, _, _ = testenv.k5util.kinit(princ, princ)
+ assert out != 0
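Review bot: The last assertion in `test_kcm_secrets_quota` can pass without the ccache quota ever being reached. Principals are added only for `range(MAX_SECRETS)`, so the principal built from `MAX_SECRETS` (`kcmtest10`) is never created in the KDC, and `kinit` would be expected to fail for that reason alone, which makes `assert out != 0` no evidence that the limit is enforced. The positive loop also runs `range(MAX_SECRETS-1)`, so only `kcmtest0` to `kcmtest8` are stored and the comment "we stored 0 to MAX_SECRETS-1" is off by one; whether KCM keeps an extra bookkeeping entry that accounts for the difference is not visible here. Creating the extra principal with `for i in range(MAX_SECRETS + 1):` in the `add_principal` loop would help, as would checking the error text returned by `kinit` rather than only the exit status, so that the test fails if the quota stops being enforced.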