From 1ae7c61ef73c613195c73d831fec279257aa5913 Mon Sep 17 00:00:00 2001
From: Isaac Boukris
Date: Fri, 13 Aug 2021 14:22:43 +0300
Subject: [PATCH] tests: add S4U2Proxy test with foreign client

Add S4U2Proxy test with foreign client and evidence ticket acquired via TGS
---
 tests/kdc/check-kdc.in | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/tests/kdc/check-kdc.in b/tests/kdc/check-kdc.in
index abaebeab1..d7471661f 100644
--- a/tests/kdc/check-kdc.in
+++ b/tests/kdc/check-kdc.in
@@ -874,6 +874,22 @@ ${kgetcred} \
 bar@${R} 2>/dev/null && \
 { ec=1 ; eval "${testfailed}"; }

+echo "test constrained delegation with foreign client (evidence from TGS)"; > messages.log
+# We can't test foreign client with evidence from S4U2Self, since Heimdal doesn't support it yet
+rm -f ocache.krb5
+${kinit} --cache=${icache} --forwardable --password-file=${objdir}/foopassword foo@${R2} || \
+ { ec=1 ; eval "${testfailed}"; }
+${kgetcred} --cache=${icache} --out-cache=${ocache} ${ps} || \
+ { ec=1 ; eval "${testfailed}"; }
+${kgetcred} \
+ --out-cache=${o2cache} \
+ --delegation-credential-cache=${ocache} \
+ ${server}@${R} || \
+ { ec=1 ; eval "${testfailed}"; }
+echo " try using the credential"
+${test_ap_req} ${server}@${R} ${keytab} ${o2cache} || \
+ { ec=1 ; eval "${testfailed}"; }
+
 echo "test constrained delegation impersonation (non forward)"; > messages.log
 rm -f ocache.krb5
 ${kimpersonate} -s ${ps} -c bar@${R} -t ${aesenctype} || \
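Review bot: The new case passes as soon as `${test_ap_req}` accepts whatever ends up in `${o2cache}`; nothing in the hunk asserts that the S4U2Proxy ticket names the foreign client `foo@${R2}`, which is the property the test title claims to cover. After the second `${kgetcred}` I would check the client principal stored in `${o2cache}` (list the cache and match `foo@${R2}`), so that a KDC issuing the ticket for the wrong principal fails the test instead of passing it. The case is also positive-only: a second run in which the `${kinit}` for `foo@${R2}` omits `--forwardable` should presumably make the `--delegation-credential-cache=${ocache}` request fail, and asserting that refusal would pin the forwardable-evidence check for cross-realm clients. Finally, `${kinit} --cache=${icache}` replaces the contents of `${icache}` with the foreign client's TGT; if later tests outside this hunk expect the previous contents, a dedicated cache for this case would avoid coupling them.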