tests: add S4U2Proxy tests with TGS evidence ticket

This was broken with KRB5SignedPath but now that we switch to PAC we get it fixed without KDC changes, so we can just test it. See also PR #599 from where these tests were taken.
2019-06-09 22:51:55 +00:00
parent b2f9bb67d7
commit 7645f3c086
1 changed files with 22 additions and 1 deletions
--- a/tests/kdc/check-kdc.in
+++ b/tests/kdc/check-kdc.in
@@ -835,7 +835,7 @@ ${kgetcred} \
 	${server}@${R} && \
 	{ ec=1 ; eval "${testfailed}"; }

-echo "test constrained delegation"; > messages.log
+echo "test constrained delegation (evidence from impersonation)"; > messages.log
 ${kgetcred_imp} --forward --impersonate=bar@${R} ${ps} || \
 	{ ec=1 ; eval "${testfailed}"; }
 ${kgetcred} \
@@ -853,6 +853,27 @@ ${kgetcred} \
 	bar@${R} 2>/dev/null && \
 	{ ec=1 ; eval "${testfailed}"; }

+echo "test constrained delegation evidence (evidence from TGS)"; > messages.log
+echo bar > ${objdir}/barpassword
+${kinit} --cache=${icache} --forwardable --password-file=${objdir}/barpassword bar@${R} || \
+        { ec=1 ; eval "${testfailed}"; }
+${kgetcred} --cache=${icache} --out-cache=${ocache} ${ps} || \
+	{ ec=1 ; eval "${testfailed}"; }
+${kgetcred} \
+	--out-cache=${o2cache} \
+	--delegation-credential-cache=${ocache} \
+	${server}@${R} || \
+	{ ec=1 ; eval "${testfailed}"; }
+echo "  try using the credential"
+${test_ap_req} ${server}@${R} ${keytab} ${o2cache} || \
+	{ ec=1 ; eval "${testfailed}"; }
+echo "  negative check"
+${kgetcred} \
+	--out-cache=${o2cache} \
+	--delegation-credential-cache=${ocache} \
+	bar@${R} 2>/dev/null && \
+	{ ec=1 ; eval "${testfailed}"; }
+
 echo "test constrained delegation impersonation (non forward)"; > messages.log
 rm -f ocache.krb5
 ${kimpersonate} -s ${ps} -c bar@${R} -t ${aesenctype} || \