From 0558f270b3fbb0780e2a94602d455022b89f5381 Mon Sep 17 00:00:00 2001
|
|
From: Jakub Hrozek <jhrozek@redhat.com>
|
|
Date: Tue, 4 Apr 2017 15:34:17 +0200
|
|
Subject: [PATCH 91/93] TESTS: Test that ccaches can be stored after
|
|
max_secrets is reached for regular non-ccache secrets
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
Test that even when we store the maximum number of secrets, we can still
|
|
store Kerberos credentials, but only until we reach the max_secrets
|
|
limit as well.
|
|
|
|
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
---
|
|
src/tests/intg/test_kcm.py | 52 +++++++++++++++++++++++++++++++++++++++++++++-
|
|
1 file changed, 51 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/src/tests/intg/test_kcm.py b/src/tests/intg/test_kcm.py
|
|
index 72a3458c8c598bae1fe929c062990da0bcbc3063..b65e1d5300bb8014aee2493795dc39ce799e9440 100644
|
|
--- a/src/tests/intg/test_kcm.py
|
|
+++ b/src/tests/intg/test_kcm.py
|
|
@@ -23,12 +23,16 @@ import pytest
|
|
import socket
|
|
import time
|
|
import signal
|
|
+from requests import HTTPError
|
|
|
|
import kdc
|
|
import krb5utils
|
|
import config
|
|
from util import unindent
|
|
from test_secrets import create_sssd_secrets_fixture
|
|
+from secrets import SecretsLocalClient
|
|
+
|
|
+MAX_SECRETS = 10
|
|
|
|
|
|
class KcmTestEnv(object):
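Review bot: `from secrets import SecretsLocalClient` uses a module name that collides with the Python 3.6+ standard-library `secrets` module, so which module is loaded depends on `sys.path` order when the tests run. This presumably refers to a helper module shipped next to the test; if so, the import only works while the test directory precedes the standard library on the path. A comment on the import, e.g. `# local intg-test helper module, not the stdlib "secrets"`, would document that, and renaming the helper would remove the ambiguity. `MAX_SECRETS = 10` would also benefit from a one-line comment saying that it feeds `max_secrets` in the generated config and bounds the loops of the quota test.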
|
|
@@ -109,7 +113,7 @@ def create_sssd_kcm_fixture(sock_path, request):
|
|
return kcm_pid
|
|
|
|
|
|
-def create_sssd_conf(kcm_path, ccache_storage):
|
|
+def create_sssd_conf(kcm_path, ccache_storage, max_secrets=MAX_SECRETS):
|
|
return unindent("""\
|
|
[sssd]
|
|
domains = local
|
|
@@ -121,6 +125,9 @@ def create_sssd_conf(kcm_path, ccache_storage):
|
|
[kcm]
|
|
socket_path = {kcm_path}
|
|
ccache_storage = {ccache_storage}
|
|
+
|
|
+ [secrets]
|
|
+ max_secrets = {max_secrets}
|
|
""").format(**locals())
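Review bot: The `{max_secrets}` placeholder added in this hunk is filled only through `format(**locals())`, so nothing in the code shows that the `max_secrets=MAX_SECRETS` parameter added in the preceding signature hunk is consumed here, and every local of the function silently becomes a template input. Passing the values by name, `.format(kcm_path=kcm_path, ccache_storage=ccache_storage, max_secrets=max_secrets)`, makes the template's inputs explicit and visible to linters. A one-line docstring stating that `max_secrets` sets the `[secrets]` quota the KCM quota test relies on would also help. The body of `create_sssd_conf` starts outside this hunk.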
|
|
|
|
|
|
@@ -464,3 +471,46 @@ def test_kcm_sec_parallel_klist(setup_for_kcm_sec,
|
|
for p in processes:
|
|
rc = p.wait()
|
|
assert rc == 0
|
|
+
|
|
+
|
|
+def get_secrets_socket():
|
|
+ return os.path.join(config.RUNSTATEDIR, "secrets.socket")
|
|
+
|
|
+
|
|
+@pytest.fixture
|
|
+def secrets_cli(request):
|
|
+ sock_path = get_secrets_socket()
|
|
+ cli = SecretsLocalClient(sock_path=sock_path)
|
|
+ return cli
|
|
+
|
|
+
|
|
+def test_kcm_secrets_quota(setup_for_kcm_sec,
|
|
+ setup_secrets,
|
|
+ secrets_cli):
|
|
+ testenv = setup_for_kcm_sec
|
|
+ cli = secrets_cli
|
|
+
|
|
+ # Make sure the secrets store is depleted first
|
|
+ sec_value = "value"
|
|
+ for i in range(MAX_SECRETS):
|
|
+ cli.set_secret(str(i), sec_value)
|
|
+
|
|
+ with pytest.raises(HTTPError) as err507:
|
|
+ cli.set_secret(str(MAX_SECRETS), sec_value)
|
|
+ assert str(err507.value).startswith("507")
|
|
+
|
|
+ # We should still be able to store KCM ccaches, but no more
|
|
+ # than MAX_SECRETS
|
|
+ for i in range(MAX_SECRETS):
|
|
+ princ = "%s%d" % ("kcmtest", i)
|
|
+ testenv.k5kdc.add_principal(princ, princ)
|
|
+
|
|
+ for i in range(MAX_SECRETS-1):
|
|
+ princ = "%s%d" % ("kcmtest", i)
|
|
+ out, _, _ = testenv.k5util.kinit(princ, princ)
|
|
+ assert out == 0
|
|
+
|
|
+ # we stored 0 to MAX_SECRETS-1, storing another one must fail
|
|
+ princ = "%s%d" % ("kcmtest", MAX_SECRETS)
|
|
+ out, _, _ = testenv.k5util.kinit(princ, princ)
|
|
+ assert out != 0
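Review bot: The final negative check in `test_kcm_secrets_quota` runs `kinit` for `kcmtest` with suffix `MAX_SECRETS`, but the loop above adds only the principals with suffixes 0 to `MAX_SECRETS-1` to the KDC. That `kinit` would presumably fail for an unknown principal whether or not the quota is enforced, so `assert out != 0` does not show that the ccache limit was hit. Using a principal that exists but has not been stored yet, `princ = "%s%d" % ("kcmtest", MAX_SECRETS - 1)`, would tie the failure to the quota. The comment above it would then read `# we stored 0 to MAX_SECRETS-2, storing another one must fail`, which matches `range(MAX_SECRETS-1)`. Whether `MAX_SECRETS-1` stored ccaches really exhaust the limit depends on KCM behaviour not visible in this hunk and should be confirmed.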
|
|
--
|
|
2.14.1
|
|
|