Actually use acceptor creds when passed in

DirectXMan12 · DirectXMan12 · commit 1540fa2a2646 · 2015-03-16T15:44:20.000-04:00
Previously, the condition on acceptor credentials was inverted,
such that when `acceptor_creds` was `None`, it would attempt to use
the value of the underlying raw `gss_cred_id_t`, and when it was
not `None`, the actual credentials passed in would be
`GSS_C_NO_CREDENTIAL`.  This has been corrected.

Additionally, two new tests have been added.  One checks that passing
None for acceptor credentials is ok, and the second properly tests that
`accept_sec_context` received S4U2Proxy delegated credentials in the
appropriate circumstances.
diff --git a/gssapi/raw/sec_contexts.pyx b/gssapi/raw/sec_contexts.pyx
@@ -297,7 +297,7 @@ def accept_sec_context(input_token not None, Creds acceptor_creds=None,
         output_context = SecurityContext()
 
     cdef gss_cred_id_t act_acceptor_cred
-    if acceptor_creds is None:
+    if acceptor_creds is not None:
         act_acceptor_cred = acceptor_creds.raw_creds
     else:
         act_acceptor_cred = GSS_C_NO_CREDENTIAL
diff --git a/gssapi/tests/test_raw.py b/gssapi/tests/test_raw.py
@@ -8,7 +8,7 @@
 
 import gssapi.raw as gb
 import gssapi.raw.misc as gbmisc
-from gssapi.tests._utils import _extension_test
+from gssapi.tests._utils import _extension_test, _minversion_test
 from gssapi.tests import k5test as kt
 
 
@@ -307,6 +307,27 @@ def test_acquire_creds_impersonate_name(self):
         # no need to explicitly release any more -- we can just rely on
         # __dealloc__ (b/c cython)
 
+    @_extension_test('s4u', 'S4U')
+    @_minversion_test('1.11', 'returning delegated S4U2Proxy credentials')
+    def test_always_get_delegated_creds(self):
+        svc_princ = SERVICE_PRINCIPAL.decode("UTF-8")
+        self.realm.kinit(svc_princ, flags=['-k', '-f'])
+
+        target_name = gb.import_name(TARGET_SERVICE_NAME,
+                                     gb.NameType.hostbased_service)
+
+        client_token = gb.init_sec_context(target_name).token
+
+        # if our acceptor creds have a usage of both, we get
+        # s4u2proxy delegated credentials
+        server_creds = gb.acquire_cred(None, usage='both').creds
+        server_ctx_resp = gb.accept_sec_context(client_token,
+                                                acceptor_creds=server_creds)
+
+        server_ctx_resp.shouldnt_be_none()
+        server_ctx_resp.delegated_creds.shouldnt_be_none()
+        server_ctx_resp.delegated_creds.should_be_a(gb.Creds)
+
     @_extension_test('rfc5588', 'RFC 5588')
     def test_store_cred_acquire_cred(self):
         # we need to acquire a forwardable ticket
@@ -699,6 +720,33 @@ def tearDown(self):
         if self.server_ctx is not None:
             gb.delete_sec_context(self.server_ctx)
 
+    def test_basic_accept_context_no_acceptor_creds(self):
+        server_resp = gb.accept_sec_context(self.client_token)
+        server_resp.shouldnt_be_none()
+
+        (self.server_ctx, name, mech_type, out_token,
+         out_req_flags, out_ttl, delegated_cred, cont_needed) = server_resp
+
+        self.server_ctx.shouldnt_be_none()
+        self.server_ctx.should_be_a(gb.SecurityContext)
+
+        name.shouldnt_be_none()
+        name.should_be_a(gb.Name)
+
+        mech_type.should_be(gb.MechType.kerberos)
+
+        out_token.shouldnt_be_empty()
+
+        out_req_flags.should_be_a(collections.Set)
+        out_req_flags.should_be_at_least_length(2)
+
+        out_ttl.should_be_greater_than(0)
+
+        if delegated_cred is not None:
+            delegated_cred.should_be_a(gb.Creds)
+
+        cont_needed.should_be_a(bool)
+
     def test_basic_accept_context(self):
         server_resp = gb.accept_sec_context(self.client_token,
                                             acceptor_creds=self.server_creds)
