rkerberos 0.2.1 → 0.2.3

data/spec/kadm5_spec.rb

@@ -1,12 +1,14 @@
 # spec/kadm5_spec.rb
 # RSpec tests for Kerberos::Kadm5
 
-require 'rkerberos'
+require 'spec_helper'
 require 'socket'
 
-RSpec.describe Kerberos::Kadm5 do
+RSpec.describe 'Kerberos::Kadm5', :kadm5 do
+  let(:server){ Kerberos::Kadm5::Config.new.admin_server }
+  subject(:klass){ Kerberos::Kadm5 }
+
   before(:all) do
-    @server = Kerberos::Kadm5::Config.new.admin_server
     @host = Socket.gethostname
     @user = ENV['KRB5_ADMIN_PRINCIPAL']
     @pass = ENV['KRB5_ADMIN_PASSWORD']
@@ -23,40 +25,79 @@ RSpec.describe Kerberos::Kadm5 do
 
   describe 'constructor' do
     it 'responds to .new' do
-      expect(described_class).to respond_to(:new)
+      expect(subject).to respond_to(:new)
     end
     it 'works with valid user and password' do
-      expect { described_class.new(principal: user, password: pass) }.not_to raise_error
+      expect { subject.new(principal: user, password: pass) }.not_to raise_error
     end
     it 'works with valid service' do
       expect {
-        described_class.new(principal: user, password: pass, service: 'kadmin/admin')
+        subject.new(principal: user, password: pass, service: 'kadmin/admin')
       }.not_to raise_error
     end
     it 'only accepts a hash argument' do
-      expect { described_class.new(user) }.to raise_error(TypeError)
-      expect { described_class.new(1) }.to raise_error(TypeError)
+      expect { subject.new(user) }.to raise_error(TypeError)
+      expect { subject.new(1) }.to raise_error(TypeError)
     end
     it 'accepts a block and yields itself' do
-      expect { described_class.new(principal: user, password: pass) {} }.not_to raise_error
-      described_class.new(principal: user, password: pass) { |kadm5| expect(kadm5).to be_a(described_class) }
+      expect { subject.new(principal: user, password: pass) {} }.not_to raise_error
+      subject.new(principal: user, password: pass) { |kadm5| expect(kadm5).to be_a(subject) }
     end
     it 'requires principal to be specified' do
-      expect { described_class.new({}) }.to raise_error(ArgumentError)
+      expect { subject.new({}) }.to raise_error(ArgumentError)
     end
     it 'requires principal to be a string' do
-      expect { described_class.new(principal: 1) }.to raise_error(TypeError)
+      expect { subject.new(principal: 1) }.to raise_error(TypeError)
     end
     it 'requires password to be a string' do
-      expect { described_class.new(principal: user, password: 1) }.to raise_error(TypeError)
+      expect { subject.new(principal: user, password: 1) }.to raise_error(TypeError)
     end
     it 'requires keytab to be a string or boolean' do
-      expect { described_class.new(principal: user, keytab: 1) }.to raise_error(TypeError)
+      expect { subject.new(principal: user, keytab: 1) }.to raise_error(TypeError)
     end
     it 'requires service to be a string' do
-      expect { described_class.new(principal: user, password: pass, service: 1) }.to raise_error(TypeError)
+      expect { subject.new(principal: user, password: pass, service: 1) }.to raise_error(TypeError)
     end
   end
 
-  # ... (Due to length, only a representative subset of tests is shown. The rest should be ported similarly.)
+  describe '#get_privileges' do
+    before(:each) do
+      @kadm5 = subject.new(principal: user, password: pass)
+    end
+
+    after(:each) do
+      @kadm5.close
+    end
+
+    it 'returns an integer bitmask by default' do
+      result = @kadm5.get_privileges
+      expect(result).to be_a(Integer)
+      expect(result).not_to eq(0)
+    end
+
+    it 'returns an array of strings when passed a truthy argument' do
+      result = @kadm5.get_privileges(true)
+      expect(result).to be_a(Array)
+      expect(result).not_to be_empty
+      expect(result).to all(be_a(String))
+    end
+
+    it 'only contains valid privilege names' do
+      result = @kadm5.get_privileges(true)
+      valid = %w[GET ADD MODIFY DELETE]
+      result.each do |priv|
+        expect(valid).to include(priv)
+      end
+    end
+
+    it 'does not contain UNKNOWN entries' do
+      result = @kadm5.get_privileges(true)
+      expect(result).not_to include('UNKNOWN')
+    end
+
+    it 'includes GET for an admin principal' do
+      result = @kadm5.get_privileges(true)
+      expect(result).to include('GET')
+    end
+  end
 end

data/spec/krb5_keytab_spec.rb

@@ -4,12 +4,13 @@
 require 'rkerberos'
 require 'tmpdir'
 require 'fileutils'
-require 'pty'
-require 'expect'
-
 
+unless File::ALT_SEPARATOR
+  require 'pty'
+  require 'expect'
+end
 
-RSpec.describe Kerberos::Krb5::Keytab do
+RSpec.describe Kerberos::Krb5::Keytab, :kadm5 do
   before(:all) do
     @realm = Kerberos::Kadm5::Config.new.realm
     @keytab_file = File.join(Dir.tmpdir, 'test.keytab')
@@ -29,6 +30,10 @@ RSpec.describe Kerberos::Krb5::Keytab do
     end
   end
 
+  after(:all) do
+    FileUtils.rm_f(@keytab_file)
+  end
+
   subject(:keytab) { described_class.new }
 
   describe 'constructor' do
@@ -43,4 +48,195 @@ RSpec.describe Kerberos::Krb5::Keytab do
       }.to raise_error(Kerberos::Krb5::Keytab::Exception)
     end
   end
+
+  describe '#keytab_name and #keytab_type' do
+    it 'returns the underlying name and type strings' do
+      kt = described_class.new(@keytab_name)
+      expect(kt).to respond_to(:keytab_name)
+      expect(kt).to respond_to(:keytab_type)
+
+      expect(kt.keytab_name).to be_a(String)
+      expect(kt.keytab_type).to be_a(String)
+
+      # name should include the residual portion we supplied
+      expect(kt.keytab_name).to include(File.basename(@keytab_file))
+      # type should match the scheme
+      expect(kt.keytab_type.downcase).to eq("file")
+    end
+  end
+
+  describe '#close' do
+    it 'returns true' do
+      kt = described_class.new(@keytab_name)
+      expect(kt.close).to eq(true)
+    end
+
+    it 'can be called multiple times without error' do
+      kt = described_class.new(@keytab_name)
+      kt.close
+      expect { kt.close }.not_to raise_error
+    end
+
+    it 'raises an error when calling keytab_name after close' do
+      kt = described_class.new(@keytab_name)
+      kt.close
+      expect { kt.keytab_name }.to raise_error(Kerberos::Krb5::Exception)
+    end
+
+    it 'raises an error when calling keytab_type after close' do
+      kt = described_class.new(@keytab_name)
+      kt.close
+      expect { kt.keytab_type }.to raise_error(Kerberos::Krb5::Exception)
+    end
+
+    it 'does not segfault when garbage collected after close' do
+      kt = described_class.new(@keytab_name)
+      kt.close
+      kt = nil
+      GC.start
+    end
+  end
+
+  describe '.foreach' do
+    it 'yields keytab entries for a valid keytab' do
+      entries = []
+      described_class.foreach(@keytab_name) { |entry| entries << entry }
+      expect(entries.length).to eq(2)
+      entries.each do |entry|
+        expect(entry).to be_a(Kerberos::Krb5::Keytab::Entry)
+        expect(entry.principal).to be_a(String)
+        expect(entry.principal).to match(/@#{Regexp.quote(@realm)}$/)
+        expect(entry.vno).to be_a(Integer)
+        expect(entry.timestamp).to be_a(Time)
+        expect(entry.key).to be_a(Integer)
+      end
+    end
+
+    it 'uses the default keytab when no name is provided' do
+      # The default keytab may not exist in the test container, so we
+      # just verify it attempts to use it (raises keytab-related error
+      # rather than ArgumentError or similar).
+      begin
+        described_class.foreach { |_| }
+      rescue Kerberos::Krb5::Exception
+        # Expected when default keytab is absent
+      end
+    end
+
+    it 'raises an error for a non-existent keytab file' do
+      expect {
+        described_class.foreach("FILE:/no/such/keytab") { |_| }
+      }.to raise_error(Kerberos::Krb5::Exception)
+    end
+
+    it 'raises an error for an invalid keytab type' do
+      expect {
+        described_class.foreach("BOGUS:/tmp/keytab") { |_| }
+      }.to raise_error(Kerberos::Krb5::Exception)
+    end
+
+    it 'does not leak resources when the block raises' do
+      expect {
+        described_class.foreach(@keytab_name) { |_| raise "boom" }
+      }.to raise_error(RuntimeError, "boom")
+    end
+
+    it 'does not leak resources when the block breaks' do
+      result = catch(:done) do
+        described_class.foreach(@keytab_name) { |_| throw :done, :escaped }
+        :completed
+      end
+      expect(result).to eq(:escaped)
+    end
+  end
+
+  describe '#each' do
+    it 'yields keytab entries for a valid keytab' do
+      kt = described_class.new(@keytab_name)
+      entries = []
+      kt.each { |entry| entries << entry }
+      expect(entries.length).to eq(2)
+      entries.each do |entry|
+        expect(entry).to be_a(Kerberos::Krb5::Keytab::Entry)
+        expect(entry.principal).to be_a(String)
+        expect(entry.vno).to be_a(Integer)
+        expect(entry.timestamp).to be_a(Time)
+        expect(entry.key).to be_a(Integer)
+      end
+    end
+
+    it 'does not leak resources when the block raises' do
+      kt = described_class.new(@keytab_name)
+      expect {
+        kt.each { |_| raise "boom" }
+      }.to raise_error(RuntimeError, "boom")
+    end
+
+    it 'does not leak resources when the block breaks' do
+      kt = described_class.new(@keytab_name)
+      result = catch(:done) do
+        kt.each { |_| throw :done, :escaped }
+        :completed
+      end
+      expect(result).to eq(:escaped)
+    end
+  end
+
+  describe '#get_entry' do
+    it 'finds an entry by principal name' do
+      kt = described_class.new(@keytab_name)
+      entry = kt.get_entry("testuser1@#{@realm}")
+      expect(entry).to be_a(Kerberos::Krb5::Keytab::Entry)
+      expect(entry.principal).to eq("testuser1@#{@realm}")
+      expect(entry.vno).to eq(1)
+      expect(entry.timestamp).to be_a(Time)
+      expect(entry.key).to be_a(Integer)
+    end
+
+    it 'finds an entry filtering by vno' do
+      kt = described_class.new(@keytab_name)
+      entry = kt.get_entry("testuser1@#{@realm}", 1)
+      expect(entry.principal).to eq("testuser1@#{@realm}")
+      expect(entry.vno).to eq(1)
+    end
+
+    it 'finds an entry filtering by vno and enctype' do
+      kt = described_class.new(@keytab_name)
+      # aes128-cts-hmac-sha1-96 is enctype 17
+      entry = kt.get_entry("testuser1@#{@realm}", 1, 17)
+      expect(entry.principal).to eq("testuser1@#{@realm}")
+      expect(entry.vno).to eq(1)
+      expect(entry.key).to eq(17)
+    end
+
+    it 'raises an error for a non-existent principal' do
+      kt = described_class.new(@keytab_name)
+      expect {
+        kt.get_entry("bogus@#{@realm}")
+      }.to raise_error(Kerberos::Krb5::Exception)
+    end
+
+    it 'is aliased as find' do
+      kt = described_class.new(@keytab_name)
+      expect(kt.method(:find)).to eq(kt.method(:get_entry))
+    end
+  end
+
+  describe '#dup' do
+    it 'creates an independent handle referring to same keytab' do
+      kt1 = described_class.new(@keytab_name)
+      kt2 = kt1.dup
+      expect(kt2).to be_a(described_class)
+      expect(kt2.keytab_name).to eq(kt1.keytab_name)
+
+      # closing one should not invalidate the other
+      kt1.close
+      expect { kt2.keytab_name }.not_to raise_error
+    end
+
+    it 'clone is an alias for dup' do
+      kt = described_class.new(@keytab_name)
+      expect(kt.method(:clone)).to eq(kt.method(:dup))
+    end
+  end
 end

data/spec/krb5_spec.rb

@@ -1,18 +1,20 @@
 # spec/krb5_spec.rb
 # RSpec tests for Kerberos::Krb5
 
-require 'rkerberos'
+require 'spec_helper'
 require 'open3'
-require 'pty'
-require 'expect'
+
+unless File::ALT_SEPARATOR
+  require 'pty'
+  require 'expect'
+end
 
 RSpec.describe Kerberos::Krb5 do
   before(:all) do
+    krb5_conf = RSpec.configuration.krb5_conf
     @cache_found = true
     Open3.popen3('klist') { |_, _, stderr| @cache_found = false unless stderr.gets.nil? }
-    @krb5_conf = ENV['KRB5_CONFIG'] || '/etc/krb5.conf'
-    @realm = IO.read(@krb5_conf).split("\n").grep(/default_realm/).first.split('=').last.lstrip.chomp
-
+    @realm = IO.read(krb5_conf).split("\n").grep(/default_realm/).first.split('=').last.lstrip.chomp
   end
 
   subject(:krb5) { described_class.new }
@@ -21,7 +23,7 @@ RSpec.describe Kerberos::Krb5 do
   let(:service) { 'kadmin/admin' }
 
   it 'has the correct version constant' do
-    expect(Kerberos::Krb5::VERSION).to eq('0.2.1')
+    expect(Kerberos::Krb5::VERSION).to eq('0.2.3')
   end
 
   it 'accepts a block and yields itself' do
@@ -48,7 +50,7 @@ RSpec.describe Kerberos::Krb5 do
     end
   end
 
-  describe '#verify_init_creds' do
+  describe '#verify_init_creds', :kadm5 do
     # Some KDC setups may not correctly set the initial password during
     # entrypoint startup; enforce it here via the admin API so the test is
     # deterministic.
@@ -116,7 +118,77 @@ RSpec.describe Kerberos::Krb5 do
     end
   end
 
-  describe '#get_init_creds_keytab' do
+  describe '#change_password', :kadm5 do
+    before do
+      # Ensure testuser1 has a known password before each test.
+      Kerberos::Kadm5.new(
+        principal: ENV.fetch('KRB5_ADMIN_PRINCIPAL', 'admin/admin@EXAMPLE.COM'),
+        password: ENV.fetch('KRB5_ADMIN_PASSWORD', 'adminpassword')
+      ) do |kadmin|
+        kadmin.set_password(user, 'changeme')
+      end
+    end
+
+    after do
+      # Reset to known password so later tests are not affected.
+      Kerberos::Kadm5.new(
+        principal: ENV.fetch('KRB5_ADMIN_PRINCIPAL', 'admin/admin@EXAMPLE.COM'),
+        password: ENV.fetch('KRB5_ADMIN_PASSWORD', 'adminpassword')
+      ) do |kadmin|
+        kadmin.set_password(user, 'changeme')
+      end
+    end
+
+    it 'responds to change_password' do
+      expect(krb5).to respond_to(:change_password)
+    end
+
+    it 'requires exactly two arguments' do
+      expect { krb5.change_password }.to raise_error(ArgumentError)
+      expect { krb5.change_password('old') }.to raise_error(ArgumentError)
+      expect { krb5.change_password('old', 'new', 'extra') }.to raise_error(ArgumentError)
+    end
+
+    it 'raises if no principal has been established' do
+      expect { krb5.change_password('changeme', 'newpass1A!') }.to raise_error(Kerberos::Krb5::Exception, /no principal/)
+    end
+
+    it 'changes the password successfully' do
+      krb5.get_init_creds_password(user, 'changeme')
+      expect(krb5.change_password('changeme', 'Newpass99!')).to be true
+      # Verify we can authenticate with the new password
+      krb5_check = described_class.new
+      expect(krb5_check.get_init_creds_password(user, 'Newpass99!')).to be true
+      krb5_check.close
+    end
+
+    it 'raises with a meaningful message when the old password is wrong' do
+      krb5.get_init_creds_password(user, 'changeme')
+      expect {
+        krb5.change_password('wrongpass', 'Newpass99!')
+      }.to raise_error(Kerberos::Krb5::Exception, /krb5_(get_init_creds_password|change_password)/)
+    end
+
+    it 'requires string arguments' do
+      expect { krb5.change_password(1, 'new') }.to raise_error(TypeError)
+      expect { krb5.change_password('old', 1) }.to raise_error(TypeError)
+    end
+
+    context 'when the KDC rejects the new password due to policy' do
+      let(:policy_user) { "policyuser@#{@realm}" }
+      # Password must satisfy strict_policy (minlength=8, minclasses=3).
+      let(:compliant_pw) { 'Changeme1!' }
+
+      it 'raises an exception with the KDC rejection reason' do
+        krb5.get_init_creds_password(policy_user, compliant_pw)
+        expect {
+          krb5.change_password(compliant_pw, 'a')
+        }.to raise_error(Kerberos::Krb5::Exception, /krb5_change_password/)
+      end
+    end
+  end
+
+  describe '#get_init_creds_keytab', :unix do
     before(:each) do
       @kt_file = File.join(Dir.tmpdir, "test_get_init_creds_#{Process.pid}_#{rand(10000)}.keytab")
 

data/spec/policy_spec.rb

@@ -1,10 +1,11 @@
 # spec/policy_spec.rb
 # RSpec tests for Kerberos::Kadm5::Policy
 
-require 'rkerberos'
+require 'spec_helper'
 
-RSpec.describe Kerberos::Kadm5::Policy do
-  subject(:policy) { described_class.new(name: 'test', max_life: 10000) }
+RSpec.describe 'Kerberos::Kadm5::Policy', :kadm5 do
+  subject(:klass){ Kerberos::Kadm5::Policy }
+  let(:policy) { klass.new(name: 'test', max_life: 10000) }
 
   describe 'name' do
     it 'responds to policy' do
@@ -15,10 +16,10 @@ RSpec.describe Kerberos::Kadm5::Policy do
       expect(policy.method(:name)).to eq(policy.method(:policy))
     end
     it 'must be a string' do
-      expect { described_class.new(name: 1) }.to raise_error(TypeError)
+      expect { klass.new(name: 1) }.to raise_error(TypeError)
     end
     it 'must be present' do
-      expect { described_class.new(max_life: 10000) }.to raise_error(ArgumentError)
+      expect { klass.new(max_life: 10000) }.to raise_error(ArgumentError)
     end
   end
 
@@ -28,7 +29,7 @@ RSpec.describe Kerberos::Kadm5::Policy do
       expect { policy.min_life }.not_to raise_error
     end
     it 'must be a number if not nil' do
-      expect { described_class.new(name: 'test', min_life: 'test') }.to raise_error(TypeError)
+      expect { klass.new(name: 'test', min_life: 'test') }.to raise_error(TypeError)
     end
   end
 
@@ -38,7 +39,7 @@ RSpec.describe Kerberos::Kadm5::Policy do
       expect { policy.max_life }.not_to raise_error
     end
     it 'must be a number if not nil' do
-      expect { described_class.new(name: 'test', max_life: 'test') }.to raise_error(TypeError)
+      expect { klass.new(name: 'test', max_life: 'test') }.to raise_error(TypeError)
     end
   end
 

data/spec/principal_spec.rb

@@ -12,6 +12,24 @@ RSpec.describe Kerberos::Krb5::Principal do
       expect { described_class.new(1) }.to raise_error(TypeError)
       expect { described_class.new(true) }.to raise_error(TypeError)
     end
+
+    it 'accepts an explicit nil argument' do
+      expect{ described_class.new(nil) }.not_to raise_error
+    end
+
+    it 'works as expected with a nil argument to the constructor' do
+      expect(described_class.new(nil).principal).to be_nil
+    end
+  end
+
+  describe '#realm' do
+    it 'returns the expected value' do
+      expect(subject.realm).to eq('EXAMPLE.COM')
+    end
+
+    it 'raises an error if the constructor argument was nil' do
+      expect{ described_class.new(nil).realm }.to raise_error(Kerberos::Krb5::Exception, /no principal/)
+    end
   end
 
   describe '#name' do

data/spec/spec_helper.rb

@@ -0,0 +1,34 @@
+require 'rkerberos'
+require 'rspec'
+require 'etc'
+require 'tmpdir'
+
+RSpec.configure do |config|
+  config.filter_run_excluding :kadm5 => true unless defined?(Kerberos::Kadm5::Config)
+  config.filter_run_excluding :unix => true if File::ALT_SEPARATOR
+
+  krb5_conf = ENV['KRB5_CONFIG']
+  krb5_cc_name = ENV['KRB5CCNAME']
+  login = Etc.getlogin || ENV['USER'] || (Etc.getpwuid(Process.uid).name rescue nil)
+
+  if File::ALT_SEPARATOR
+    krb5_conf ||= 'C:\\ProgramData\\MIT\\Kerberos5\\krb5.ini'
+    krb5_cc_name ||= File.join(ENV['USERPROFILE'], 'krb5cache')
+  else
+    krb5_conf ||= '/etc/krb5.conf'
+    krb5_cc_name ||= File.join(Dir.tmpdir, "krb5cc_#{Etc.getpwnam(login).uid}")
+  end
+
+  config.add_setting :krb5_conf
+  config.krb5_conf = krb5_conf
+
+  config.add_setting :krb5_cc_name
+  config.krb5_cc_name = krb5_cc_name
+
+  config.add_setting :login
+  config.login = login
+
+  unless File.exist?(krb5_conf)
+    config.filter_run_excluding :krb5_config => true
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rkerberos
 version: !ruby/object:Gem::Version
-  version: 0.2.1
+  version: 0.2.3
 platform: ruby
 authors:
 - Daniel Berger
@@ -92,6 +92,7 @@ files:
 - spec/krb5_spec.rb
 - spec/policy_spec.rb
 - spec/principal_spec.rb
+- spec/spec_helper.rb
 homepage: http://github.com/rkerberos/rkerberos
 licenses:
 - Artistic-2.0
@@ -119,7 +120,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 4.0.3
+rubygems_version: 4.0.6
 specification_version: 4
 summary: A Ruby interface for the the Kerberos library
 test_files: