1 files changed, 43 insertions, 0 deletions

diff --git a/crypto/krb5/src/kdc/t_sockact.py b/crypto/krb5/src/kdc/t_sockact.py
new file mode 100644
index 000000000000..2a4aeb9edf8c
--- /dev/null
+++ b/crypto/krb5/src/kdc/t_sockact.py
@@ -0,0 +1,43 @@
+from k5test import *
+
+if not which('systemd-socket-activate'):
+    skip_rest('socket activation tests', 'systemd-socket-activate not found')
+
+# Configure listeners for two UNIX domain sockets and two ports.
+kdc_conf = {'realms': {'$realm': {
+    'kdc_listen': '$testdir/sock1 $testdir/sock2',
+    'kdc_tcp_listen': '$port7 $port8'}}}
+realm = K5Realm(kdc_conf=kdc_conf, start_kdc=False)
+
+# Create socket activation fds for just one of the UNIX domain sockets
+# and one of the ports.
+realm.start_server(['./t_sockact', os.path.join(realm.testdir, 'sock1'),
+                    str(realm.portbase + 8), '--', krb5kdc, '-n'],
+                   'starting...')
+
+mark('UNIX socket 1')
+cconf1 = {'realms': {'$realm': {'kdc': '$testdir/sock1'}}}
+env1 = realm.special_env('sock1', False, krb5_conf=cconf1)
+realm.kinit(realm.user_princ, password('user'), env=env1)
+
+mark('port8')
+cconf2 = {'realms': {'$realm': {'kdc': '$hostname:$port8'}}}
+env2 = realm.special_env('sock1', False, krb5_conf=cconf2)
+realm.kinit(realm.user_princ, password('user'), env=env2)
+
+# Test that configured listener addresses are ignored if they don't
+# match caller-provided sockets.
+
+mark('UNIX socket 2')
+cconf3 = {'realms': {'$realm': {'kdc': '$testdir/sock2'}}}
+env3 = realm.special_env('sock2', False, krb5_conf=cconf3)
+realm.kinit(realm.user_princ, password('user'), env=env3, expected_code=1,
+            expected_msg='Cannot contact any KDC')
+
+mark('port7')
+cconf4 = {'realms': {'$realm': {'kdc': '$hostname:$port7'}}}
+env4 = realm.special_env('sock1', False, krb5_conf=cconf4)
+realm.kinit(realm.user_princ, password('user'), env=env3, expected_code=1,
+            expected_msg='Cannot contact any KDC')
+
+success('systemd socket activation tests')