From 129ab34baf0b1554dea3d93506b95439bffcb30f Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Thu, 6 Sep 2018 12:58:42 +0200
Subject: [PATCH] tests/ntlm_auth: Port ntlm_auth_krb5 tests to python

Port ntlm_auth_krb5 bash script tests to python

Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Noel Power <npower@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---
 python/samba/tests/ntlm_auth_krb5.py        | 83 +++++++++++++++++++++
 source3/script/tests/test_ntlm_auth_krb5.sh | 32 --------
 source3/selftest/tests.py                   |  5 --
 source4/selftest/tests.py                   |  3 +
 4 files changed, 86 insertions(+), 37 deletions(-)
 create mode 100644 python/samba/tests/ntlm_auth_krb5.py
 delete mode 100755 source3/script/tests/test_ntlm_auth_krb5.sh

diff --git a/python/samba/tests/ntlm_auth_krb5.py b/python/samba/tests/ntlm_auth_krb5.py
new file mode 100644
index 00000000000..d1957d68a0b
--- /dev/null
+++ b/python/samba/tests/ntlm_auth_krb5.py
@@ -0,0 +1,83 @@
+# Unix SMB/CIFS implementation.
+#
+# Copyright (C) Samuel Cabrero <scabrero@suse.de> 2018
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+import os
+import samba
+from subprocess import Popen, PIPE
+from samba.tests.ntlm_auth_base import NTLMAuthTestCase
+
+class NTLMAuthKerberosTests(NTLMAuthTestCase):
+
+    def setUp(self):
+        super(NTLMAuthKerberosTests, self).setUp()
+        self.old_ccache = os.path.join(os.environ["SELFTEST_PREFIX"],
+                                       "ktest", "krb5_ccache-2")
+        self.ccache = os.path.join(os.environ["SELFTEST_PREFIX"],
+                                   "ktest", "krb5_ccache-3")
+
+    def test_krb5_gss_spnego_client_gss_spnego_server(self):
+        """ ntlm_auth with krb5 gss-spnego-client and gss-spnego server """
+
+        os.environ["KRB5CCNAME"] = self.old_ccache
+        ret = self.run_helper(client_username="foo",
+                              client_password="secret",
+                              client_domain="FOO",
+                              target_hostname=os.environ["SERVER"],
+                              target_service="host",
+                              client_helper="gss-spnego-client",
+                              server_helper="gss-spnego",
+                              server_use_winbind=True)
+        self.assertTrue(ret)
+
+        os.environ["KRB5CCNAME"] = self.ccache
+        ret = self.run_helper(client_username="foo",
+                              client_password="secret",
+                              client_domain="FOO",
+                              target_hostname=os.environ["SERVER"],
+                              target_service="host",
+                              client_helper="gss-spnego-client",
+                              server_helper="gss-spnego",
+                              server_use_winbind=True)
+        self.assertTrue(ret)
+
+    def test_krb5_invalid_keytab(self):
+        """ ntlm_auth with krb5 and an invalid keytab """
+
+        dedicated_keytab = "FILE:%s.%s" % (
+                self.old_ccache, "keytab-does-not-exists")
+        proc = Popen([self.ntlm_auth_path,
+                      "--helper-protocol", "gss-spnego",
+                      "--option", "security=ads",
+                      "--option", "kerberosmethod=dedicatedkeytab",
+                      "--option", "dedicatedkeytabfile=%s" % dedicated_keytab],
+                      stdout=PIPE, stdin=PIPE, stderr=PIPE)
+        buf = "YR\n"
+        (out, err) = proc.communicate(input=buf.encode('utf-8'))
+        self.assertEqual(proc.returncode, 0)
+
+        dedicated_keytab = "FILE:%s.%s" % (
+                self.ccache, "keytab-does-not-exists")
+        proc = Popen([self.ntlm_auth_path,
+                      "--helper-protocol", "gss-spnego",
+                      "--option", "security=ads",
+                      "--option", "kerberosmethod=dedicatedkeytab",
+                      "--option", "dedicatedkeytabfile=%s" % dedicated_keytab],
+                      stdout=PIPE, stdin=PIPE, stderr=PIPE)
+        buf = "YR\n"
+        (out, err) = proc.communicate(input=buf.encode('utf-8'))
+        self.assertEqual(proc.returncode, 0)
diff --git a/source3/script/tests/test_ntlm_auth_krb5.sh b/source3/script/tests/test_ntlm_auth_krb5.sh
deleted file mode 100755
index 773cb575811..00000000000
--- a/source3/script/tests/test_ntlm_auth_krb5.sh
+++ /dev/null
@@ -1,32 +0,0 @@
-#!/bin/sh
-
-if [ $# -lt 2 ]; then
-cat <<EOF
-Usage: test_ntlm_auth_s3.sh PYTHON SRC3DIR NTLM_AUTH CCACHE SERVER
-EOF
-exit 1;
-fi
-
-PYTHON=$1
-SRC3DIR=$2
-NTLM_AUTH=$3
-CCACHE=$4
-SERVER=$5
-shift 5
-ADDARGS="$*"
-
-incdir=`dirname $0`/../../../testprogs/blackbox
-. $incdir/subunit.sh
-
-failed=0
-
-KRB5CCNAME=$CCACHE
-export KRB5CCNAME
-
-# --server-use-winbindd is set so we know it isn't cheating and using the hard-coded passwords
-
-testit "ntlm_auth with krb5 gss-spnego-client and gss-spnego server" $PYTHON $SRC3DIR/torture/test_ntlm_auth.py $NTLM_AUTH $ADDARGS --target-hostname=$SERVER --target-service=host --client-helper=gss-spnego-client --server-helper=gss-spnego --server-use-winbindd || failed=`expr $failed + 1`
-
-echo YR| testit "ntlm_auth with krb5 and an invalid keytab" $NTLM_AUTH --helper-protocol=gss-spnego --option=security=ads --option=kerberosmethod='dedicatedkeytab' --option=dedicatedkeytabfile=FILE:`pwd`/$CCACHE.keytab-does-not-exist || failed=`expr $failed + 1`
-
-testok $0 $failed
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index e7b4ebdbd8d..a3bb1c4feac 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -267,11 +267,6 @@ t = "WBCLIENT-MULTI-PING"
 plantestsuite("samba3.smbtorture_s3.%s" % t, env, [os.path.join(samba3srcdir, "script/tests/test_smbtorture_s3.sh"), t, '//foo/bar', '""', '""', smbtorture3, ""])
 plantestsuite("samba3.substitutions", env, [os.path.join(samba3srcdir, "script/tests/test_substitutions.sh"), "$SERVER", "alice", "Secret007", "$PREFIX"])
 
-plantestsuite("samba3.ntlm_auth.krb5 with old ccache(ktest:local)", "ktest:local", [os.path.join(samba3srcdir, "script/tests/test_ntlm_auth_krb5.sh"), valgrindify(python), samba3srcdir, ntlm_auth3, '$PREFIX/ktest/krb5_ccache-2', '$SERVER', configuration])
-
-plantestsuite("samba3.ntlm_auth.krb5(ktest:local)", "ktest:local", [os.path.join(samba3srcdir, "script/tests/test_ntlm_auth_krb5.sh"), valgrindify(python), samba3srcdir, ntlm_auth3, '$PREFIX/ktest/krb5_ccache-3', '$SERVER', configuration])
-
-
 for env in ["maptoguest", "simpleserver"]:
     plantestsuite("samba3.blackbox.smbclient_auth.plain (%s) local creds" % env, env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_auth.sh"), '$SERVER', '$SERVER_IP', '$USERNAME', '$PASSWORD', smbclient3, configuration + " --option=clientntlmv2auth=no --option=clientlanmanauth=yes"])
 
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index 64dd580b82b..98c2ea89b01 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -592,6 +592,9 @@ for env in ["nt4_dc", "nt4_member", "ad_dc", "ad_member", "s4member", "chgdcpass
 
     planpythontestsuite(env + ":local", "samba.tests.ntlm_auth", py3_compatible=True)
 
+for env in ["ktest"]:
+    planpythontestsuite(env + ":local", "samba.tests.ntlm_auth_krb5", py3_compatible=True)
+
 for env in ["s4member_dflt_domain", "s4member"]:
     for cmd in ["id", "getent"]:
         users = ["$DC_USERNAME", "$DC_USERNAME@$REALM"]