tests/krb5/raw_testcase.py: Add allow_missing_keys parameter for getting creds

This allows us to require encryption keys in the case that a password
would not be required, such as for the krbtgt account.

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 6a77c2b93315503008627ce786388f281bd6bb87)

python/samba/tests/krb5/as_req_tests.py

@@ -58,7 +58,7 @@ class AsReqKerberosTests(RawKerberosTest):
         client_creds = self.get_client_creds()
         client_account = client_creds.get_username()
         client_as_etypes = client_creds.get_as_krb5_etypes()
-        krbtgt_creds = self.get_krbtgt_creds()
+        krbtgt_creds = self.get_krbtgt_creds(require_keys=False)
         krbtgt_account = krbtgt_creds.get_username()
         realm = krbtgt_creds.get_realm()
 

python/samba/tests/krb5/raw_testcase.py

@@ -444,6 +444,7 @@ class RawKerberosTest(TestCaseInTempDir):
     def _get_krb5_creds(self, prefix,
                         default_username=None,
                         allow_missing_password=False,
+                        allow_missing_keys=True,
                         require_strongest_key=False):
         c = KerberosCredentials()
         c.guess()
@@ -486,8 +487,8 @@ class RawKerberosTest(TestCaseInTempDir):
             else:
                 aes256_allow_missing = True
         else:
-            kvno_allow_missing = True
-            aes256_allow_missing = True
+            kvno_allow_missing = allow_missing_keys
+            aes256_allow_missing = allow_missing_keys
         kvno = self.env_get_var('KVNO', prefix,
                                 fallback_default=False,
                                 allow_missing=kvno_allow_missing)
@@ -506,37 +507,63 @@ class RawKerberosTest(TestCaseInTempDir):
                                    fallback_default=False, allow_missing=True)
         if rc4_key is not None:
             c.set_forced_key(kcrypto.Enctype.RC4, rc4_key)
+
+        if not allow_missing_keys:
+            self.assertTrue(c.forced_keys,
+                            'Please supply %s encryption keys '
+                            'in environment' % prefix)
+
         return c
 
-    def get_user_creds(self, allow_missing_password=False):
+    def get_user_creds(self,
+                       allow_missing_password=False,
+                       allow_missing_keys=True):
         c = self._get_krb5_creds(prefix=None,
-                                 allow_missing_password=allow_missing_password)
+                                 allow_missing_password=allow_missing_password,
+                                 allow_missing_keys=allow_missing_keys)
         return c
 
-    def get_service_creds(self, allow_missing_password=False):
+    def get_service_creds(self,
+                          allow_missing_password=False,
+                          allow_missing_keys=True):
         c = self._get_krb5_creds(prefix='SERVICE',
-                                 allow_missing_password=allow_missing_password)
+                                 allow_missing_password=allow_missing_password,
+                                 allow_missing_keys=allow_missing_keys)
         return c
 
-    def get_client_creds(self, allow_missing_password=False):
+    def get_client_creds(self,
+                         allow_missing_password=False,
+                         allow_missing_keys=True):
         c = self._get_krb5_creds(prefix='CLIENT',
-                                 allow_missing_password=allow_missing_password)
+                                 allow_missing_password=allow_missing_password,
+                                 allow_missing_keys=allow_missing_keys)
         return c
 
-    def get_server_creds(self, allow_missing_password=False):
+    def get_server_creds(self,
+                         allow_missing_password=False,
+                         allow_missing_keys=True):
         c = self._get_krb5_creds(prefix='SERVER',
-                                 allow_missing_password=allow_missing_password)
+                                 allow_missing_password=allow_missing_password,
+                                 allow_missing_keys=allow_missing_keys)
         return c
 
-    def get_admin_creds(self, allow_missing_password=False):
+    def get_admin_creds(self,
+                        allow_missing_password=False,
+                        allow_missing_keys=True):
         c = self._get_krb5_creds(prefix='ADMIN',
-                                 allow_missing_password=allow_missing_password)
+                                 allow_missing_password=allow_missing_password,
+                                 allow_missing_keys=allow_missing_keys)
         return c
 
-    def get_krbtgt_creds(self, require_strongest_key=False):
+    def get_krbtgt_creds(self,
+                         require_keys=True,
+                         require_strongest_key=False):
+        if require_strongest_key:
+            self.assertTrue(require_keys)
         c = self._get_krb5_creds(prefix='KRBTGT',
                                  default_username='krbtgt',
                                  allow_missing_password=True,
+                                 allow_missing_keys=not require_keys,
                                  require_strongest_key=require_strongest_key)
         return c
 

python/samba/tests/krb5/simple_tests.py

@@ -44,7 +44,7 @@ class SimpleKerberosTests(RawKerberosTest):
     def test_simple(self):
         user_creds = self.get_user_creds()
         user = user_creds.get_username()
-        krbtgt_creds = self.get_krbtgt_creds()
+        krbtgt_creds = self.get_krbtgt_creds(require_keys=False)
         krbtgt_account = krbtgt_creds.get_username()
         realm = krbtgt_creds.get_realm()