@@ -34,19 +34,20 @@
|
| |
|
| |
'''
|
| |
|
| |
- def run_cmd(testdir, env, conf, name, socket, cmd, expected_failure):
|
| |
+ def run_cmd(testdir, env, conf, name, socket, cmd, keytab, expected_failure):
|
| |
|
| |
logfile = conf['logfile']
|
| |
testenv = env.copy()
|
| |
testenv.update({'KRB5CCNAME': os.path.join(testdir, 't' + conf['prefix'] +
|
| |
'_impersonate.ccache'),
|
| |
- 'KRB5_KTNAME': os.path.join(testdir, PROXY_KTNAME),
|
| |
+ 'KRB5_KTNAME': os.path.join(testdir, keytab),
|
| |
'KRB5_TRACE': os.path.join(testdir, 't' + conf['prefix'] +
|
| |
'_impersonate.trace'),
|
| |
'GSS_USE_PROXY': 'yes',
|
| |
'GSSPROXY_SOCKET': socket,
|
| |
'GSSPROXY_BEHAVIOR': 'REMOTE_FIRST'})
|
| |
|
| |
+ print("\nTesting: [%s]" % (name,), file=logfile)
|
| |
print("[COMMAND]\n%s\n[ENVIRONMENT]\n%s\n" % (cmd, testenv), file=logfile)
|
| |
logfile.flush()
|
| |
|
| |
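Review bot: The new `keytab` parameter on the `+ def run_cmd(...)` line is undocumented, and its meaning is only visible from the `'KRB5_KTNAME': os.path.join(testdir, keytab)` line further down: it is a file name relative to `testdir` that becomes the keytab the impersonating service authenticates with, which is the whole point of the later `SVC_KTNAME` case. A docstring would make that explicit, e.g. `"""Run *cmd* in a gss-proxy test environment; *keytab* is a file name relative to *testdir* exported as KRB5_KTNAME, so it selects which service identity the impersonator uses."""`. Note that `keytab` is inserted positionally before `expected_failure`, so any caller this commit does not update fails with a TypeError for the missing last argument rather than silently binding its boolean as the keytab; that is the safer outcome, but worth checking no out-of-tree callers remain. The body of run_cmd continues past the end of this hunk.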
@@ -74,45 +75,59 @@
|
| |
rets = []
|
| |
|
| |
# Test all permitted
|
| |
+ msg = "Impersonate"
|
| |
socket = os.path.join(testdir, 'impersonate.socket')
|
| |
cmd = ["./tests/t_impersonate", USR_NAME, HOST_GSS, PROXY_GSS,
|
| |
path_prefix + 'impersonate.cache']
|
| |
- r = run_cmd(testdir, env, conf, "Impersonate", socket, cmd, False)
|
| |
+ r = run_cmd(testdir, env, conf, msg, socket, cmd, PROXY_KTNAME, False)
|
| |
rets.append(r)
|
| |
|
| |
- #Test fail
|
| |
+ #Test self fail
|
| |
+ msg = "Impersonate fail self"
|
| |
socket = os.path.join(testdir, 'impersonate-proxyonly.socket')
|
| |
cmd = ["./tests/t_impersonate", USR_NAME, HOST_GSS, PROXY_GSS,
|
| |
path_prefix + 'impersonate.cache']
|
| |
- r = run_cmd(testdir, env, conf, "Impersonate fail self", socket, cmd, True)
|
| |
+ r = run_cmd(testdir, env, conf, msg, socket, cmd, PROXY_KTNAME, True)
|
| |
rets.append(r)
|
| |
|
| |
- #Test fail
|
| |
+ #Test proxy fail
|
| |
+ msg = "Impersonate fail proxy"
|
| |
socket = os.path.join(testdir, 'impersonate-selfonly.socket')
|
| |
cmd = ["./tests/t_impersonate", USR_NAME, HOST_GSS, PROXY_GSS,
|
| |
path_prefix + 'impersonate.cache']
|
| |
- r = run_cmd(testdir, env, conf, "Impersonate fail proxy", socket, cmd, True)
|
| |
+ r = run_cmd(testdir, env, conf, msg, socket, cmd, PROXY_KTNAME, True)
|
| |
rets.append(r)
|
| |
|
| |
#Test s4u2self half succeed
|
| |
+ msg = "s4u2self delegation"
|
| |
socket = os.path.join(testdir, 'impersonate-selfonly.socket')
|
| |
cmd = ["./tests/t_impersonate", USR_NAME, HOST_GSS, PROXY_GSS,
|
| |
path_prefix + 'impersonate.cache', 's4u2self']
|
| |
- r = run_cmd(testdir, env, conf, "s4u2self delegation", socket, cmd, False)
|
| |
+ r = run_cmd(testdir, env, conf, msg, socket, cmd, PROXY_KTNAME, False)
|
| |
+ rets.append(r)
|
| |
+
|
| |
+ #Test proxy to self succeed
|
| |
+ msg = "Impersonate to self"
|
| |
+ socket = os.path.join(testdir, 'impersonate-selfonly.socket')
|
| |
+ cmd = ["./tests/t_impersonate", USR_NAME, HOST_GSS, HOST_GSS,
|
| |
+ path_prefix + 'impersonate.cache', 's4u2proxy']
|
| |
+ r = run_cmd(testdir, env, conf, msg, socket, cmd, SVC_KTNAME, False)
|
| |
rets.append(r)
|
| |
|
| |
#Test s4u2proxy half fail
|
| |
+ msg = "s4u2proxy fail"
|
| |
socket = os.path.join(testdir, 'impersonate-selfonly.socket')
|
| |
cmd = ["./tests/t_impersonate", USR_NAME, HOST_GSS, PROXY_GSS,
|
| |
path_prefix + 'impersonate.cache', 's4u2proxy']
|
| |
- r = run_cmd(testdir, env, conf, "s4u2proxy fail", socket, cmd, True)
|
| |
+ r = run_cmd(testdir, env, conf, msg, socket, cmd, PROXY_KTNAME, True)
|
| |
rets.append(r)
|
| |
|
| |
#Test s4u2proxy half succeed
|
| |
+ msg = "s4u2proxy"
|
| |
socket = os.path.join(testdir, 'impersonate-proxyonly.socket')
|
| |
cmd = ["./tests/t_impersonate", USR_NAME, HOST_GSS, PROXY_GSS,
|
| |
path_prefix + 'impersonate.cache', 's4u2proxy']
|
| |
- r = run_cmd(testdir, env, conf, "s4u2proxy", socket, cmd, False)
|
| |
+ r = run_cmd(testdir, env, conf, msg, socket, cmd, PROXY_KTNAME, False)
|
| |
rets.append(r)
|
| |
|
| |
# Reset back gssproxy conf
|
| |
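Review bot: The new "Impersonate to self" case (the `+ cmd = ["./tests/t_impersonate", USR_NAME, HOST_GSS, HOST_GSS, ...` lines) reuses `path_prefix + 'impersonate.cache'`, the same cache every preceding case passes, while switching both the keytab to `SVC_KTNAME` and the principal pair; if t_impersonate reads credentials back from that cache, the case could be satisfied by material left behind by the earlier `PROXY_KTNAME` runs instead of exercising the self-connection path this commit enables. A dedicated cache for this case, e.g. `path_prefix + 'impersonate-self.cache'`, would isolate it; if the cache is cleared between cases elsewhere, that is not visible from this hunk. The comment `#Test proxy to self succeed` could also say what is different from the neighbouring cases, e.g. `#Test a service impersonating to itself, authenticating with its own keytab (SVC_KTNAME)`.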
Impersonators may need to establish context to themselves, usually to allow gssapi to get access to the ticket and export named attributes on the "client" name.
Given that it is harmless to allow connections to self, always allow it in the impersonator credential case.