freeipa/ipatests/test_ipalib_install/test_kinit.py
Rob Crittenden 33af154b7f validate_principal: Don't try to verify that the realm is known
The actual value is less important than whether it matches the
regular expression. A number of realms that are legal, but difficult to
know in this context, could be passed in here (trust for example).

This fixes CVE-2024-1481

Fixes: https://pagure.io/freeipa/issue/9541

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-02-22 14:35:59 -05:00


#
# Copyright (C) 2024 FreeIPA Contributors see COPYING for license
#
"""Tests for ipalib.install.kinit module
"""
import pytest
from ipalib.install.kinit import validate_principal
# None means no exception is expected
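@pytest.mark.parametrize('principal, exception', [
    # Inputs expected to validate: bare user, user with realm, and
    # service/host forms with and without a realm.
    ('testuser', None),
    ('testuser@EXAMPLE.TEST', None),
    ('test/ipa.example.test', None),
    ('test/ipa.example.test@EXAMPLE.TEST', None),
    ('test/ipa.1example.test@EXAMPLE.TEST', None),
    # Inputs expected to be rejected with RuntimeError.
    ('test/ipa@EXAMPLE.TEST', RuntimeError),
    ('test/-ipa.example.test@EXAMPLE.TEST', RuntimeError),
    ('test /ipa.example,test', RuntimeError),
    # Regression cases for CVE-2024-1481: a realm other than the one used
    # above must still validate, because validate_principal no longer
    # checks that the realm is a known one, only that the value is
    # well formed.
    ('testuser@OTHER.TEST', None),
    ('test/ipa.example.test@OTHER.TEST', None),
])
def test_validate_principal(principal, exception):
    """Check that validate_principal accepts or rejects *principal*.

    :param principal: principal string passed to validate_principal
    :param exception: exact exception class expected, or None when the
        principal must be accepted without raising
    """
    if exception is None:
        # Any exception propagates and fails the test with its own
        # traceback, which shows why a valid principal was rejected.
        validate_principal(principal)
        return

    with pytest.raises(exception) as excinfo:
        validate_principal(principal)
    # pytest.raises also accepts subclasses; keep the exact-class check so
    # a different error type from the validator is noticed.
    assert excinfo.type is exception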