From 1acb961bc1080d077292d5df8a66550eae972720 Mon Sep 17 00:00:00 2001
From: Nicolas Williams
Date: Wed, 16 Mar 2022 15:02:03 -0500
Subject: [PATCH] kdc: Implement hard and soft principal aliases

We introduced a notion of soft vs. hard aliases in the previous commit (hdb: Distinguish soft and hard principal aliases). This commit corrects existing test cases and adds new test cases.

Soft aliases allow for the configuration of referrals using HDB entries.

Hard aliases are like copies of the aliased HDB entries. These are useful for renaming principals (and realms). See the preceding commit.
---
 tests/gss/krb5.conf.in | 1 +
 tests/kdc/check-kdc.in | 6 ++--
 tests/kdc/check-referral.in | 55 +++++++++++++++++++++++++++++++------
 3 files changed, 50 insertions(+), 12 deletions(-)

diff --git a/tests/gss/krb5.conf.in b/tests/gss/krb5.conf.in
index aae031db6..01c4c2e7f 100644
--- a/tests/gss/krb5.conf.in
+++ b/tests/gss/krb5.conf.in
@@ -45,6 +45,7 @@ include @srcdirabs@/include-krb5.conf
  enable_virtual_hostbased_princs = true
  virtual_hostbased_princ_mindots = 1
  virtual_hostbased_princ_maxdots = 3
+ same_realm_aliases_are_soft = true
 
 [logging]
  kdc = 0-/FILE:@objdir@/messages.log
diff --git a/tests/kdc/check-kdc.in b/tests/kdc/check-kdc.in
index e53293b24..7d2f4edc7 100644
--- a/tests/kdc/check-kdc.in
+++ b/tests/kdc/check-kdc.in
@@ -238,11 +238,11 @@ ${kadmin} ext -k ${keytab} ${rps} || exit 1
 ${kadmin} add -p kaka --use-defaults ${server2}@${R2} || exit 1
 ${kadmin} ext -k ${keytab} ${server2}@${R2} || exit 1
-${kadmin} add -p foo --use-defaults referral-placeholder@${R5} || exit 1
-${kadmin} add_alias referral-placeholder@${R5} ${server3}@${R} || exit 1
+${kadmin} add -p foo --use-defaults WELLKNOWN/REFERRALS/TARGET@${R5} || exit 1
+${kadmin} add_alias WELLKNOWN/REFERRALS/TARGET@${R5} ${server3}@${R} || exit 1
 ${kadmin5} add -p kaka --use-defaults ${server3}@${R5} || exit 1
 ${kadmin5} ext -k ${keytab} ${server3}@${R5} || exit 1
-${kadmin} add_alias referral-placeholder@${R5} ${namespace}@${R} || exit 1
+${kadmin} add_alias WELLKNOWN/REFERRALS/TARGET@${R5} ${namespace}@${R} || exit 1
 ${kadmin5} add -p kaka --use-defaults ${server5}@${R5} || exit 1
 ${kadmin5} ext -k ${keytab} ${server5}@${R5} || exit 1
 ${kadmin} add -p kaka --use-defaults ${serverip}@${R} || exit 1
diff --git a/tests/kdc/check-referral.in b/tests/kdc/check-referral.in
index 73c26c368..b62c2dc72 100644
--- a/tests/kdc/check-referral.in
+++ b/tests/kdc/check-referral.in
@@ -45,7 +45,8 @@ ${have_db} || exit 77
 R=TEST.H5L.SE
 R2=SUB.TEST.H5L.SE
-service=ldap/host.sub.test.h5l.se:389
+service1=ldap/host.test.h5l.se:389
+service2=ldap/host.sub.test.h5l.se:389
 port=@port@
@@ -64,6 +65,9 @@ keytab="FILE:${keytabfile}"
 KRB5_CONFIG="${objdir}/krb5.conf"
 export KRB5_CONFIG
 
+KRB5CCNAME=$cache
+export KRB5CCNAME
+
 rm -f ${keytabfile}
 rm -f current-db*
 rm -f out-*
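Review bot: The renamed WELLKNOWN/REFERRALS/TARGET@${R5} placeholder is still created with `add -p foo`, a fixed password, whereas check-referral.in in this same commit creates the equivalent entries with `add -r --use-defaults`. The placeholder appears to exist only to carry the soft aliases added on the following lines, so a random key is the safer and more consistent choice: `${kadmin} add -r --use-defaults WELLKNOWN/REFERRALS/TARGET@${R5} || exit 1`. If a later step in check-kdc.in outside this hunk depends on the fixed password, a one-line comment above the `add` saying so would make that dependency visible.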
@@ -84,11 +88,25 @@ ${kadmin} \
     --realm-max-renewable-life=1month \
     ${R2} || exit 1
 
+${kadmin} add -r --use-defaults WELLKNOWN/REFERRALS/TARGET@${R} || exit 1
+${kadmin} add -r --use-defaults WELLKNOWN/REFERRALS/TARGET@${R2} || exit 1
+
 ${kadmin} add -p foo --use-defaults foo@${R} || exit 1
 ${kadmin} modify --alias=alias1 --alias=alias2 foo@${R} || exit 1
+${kadmin} add_alias foo@${R} foo@${R2} || exit 1
 ${kadmin} get foo@${R} | grep alias1@${R} >/dev/null || exit 1
-${kadmin} add -p foo --use-defaults ${service}@${R2} || exit 1
+${kadmin} add -p foo --use-defaults ${service2}@${R2} || exit 1
+${kadmin} add_alias ${service2}@${R2} ${service1}@${R} || exit 1
+${kadmin} get ${service2}@${R2} | grep ${service1}@${R} >/dev/null || exit 1
+
+# Create two host principals in their respective realms
+${kadmin} add -p foo --use-defaults host/foohost.test.h5l.se@${R} || exit 1
+${kadmin} add -p foo --use-defaults host/barhost.sub.test.h5l.se@${R2} || exit 1
+
+# Create soft aliases (referrals) for them in the other realm
+${kadmin} add_alias WELLKNOWN/REFERRALS/TARGET@${R2} host/barhost.sub.test.h5l.se@${R} || exit 1
+${kadmin} add_alias WELLKNOWN/REFERRALS/TARGET@${R} host/foohost.test.h5l.se@${R2} || exit 1
 ${kadmin} add -p foo --use-defaults bar@${R} || exit 1
 ${kadmin} add -p foo --use-defaults 'baz\@realm.foo@'${R} || exit 1
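Review bot: The new check `${kadmin} get ${service2}@${R2} | grep ${service1}@${R} >/dev/null || exit 1` passes an unquoted, unanchored pattern in which every `.` of `ldap/host.test.h5l.se:389@TEST.H5L.SE` is a regex wildcard; `grep -F -- "${service1}@${R}"` would match the alias name literally and also stop a value beginning with `-` from being read as an option (the pre-existing `grep alias1@${R}` line has the same shape and could be fixed alongside). The two `add -r` lines creating WELLKNOWN/REFERRALS/TARGET@${R} and @${R2} carry no comment, unlike the host-principal blocks below them; suggest `# Placeholder entries: aliases pointing at these act as soft aliases (referrals to the other realm)` above them, which is what the "Create soft aliases" block relies on.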
@@ -187,6 +205,20 @@ ${klist} | grep "Principal: alias1@${R}" > /dev/null || \
 echo "checking that we got back right principal inside the PAC"
 ${test_ap_req} krbtgt/${R}@${R} ${keytab} ${cache} || \
 	{ ec=1 ; eval "${testfailed}"; }
+${kgetcred} ${service2}@${R2} || { ec=1 ; eval "${testfailed}"; }
+${kgetcred} ${service1}@${R} || { ec=1 ; eval "${testfailed}"; }
+
+echo "Getting client foo@${R2} tickets (non canon case)"; > messages.log
+${kinit} --password-file=${objdir}/foopassword foo@${R2} || \
+	{ ec=1 ; eval "${testfailed}"; }
+echo "checking that we got back right principal"
+${klist} | grep "Principal: foo@${R2}" > /dev/null || \
+	{ ec=1 ; eval "${testfailed}"; }
+echo "checking that we got back right principal inside the PAC"
+${test_ap_req} krbtgt/${R}@${R} ${keytab} ${cache} || \
+	{ ec=1 ; eval "${testfailed}"; }
+${kgetcred} ${service2}@${R2} || { ec=1 ; eval "${testfailed}"; }
+${kgetcred} ${service1}@${R} || { ec=1 ; eval "${testfailed}"; }
 
 echo "Getting client alias2 tickets (removed)"; > messages.log
 ${kadmin} modify --alias=alias1 foo@${R} || { ec=1 ; eval "${testfailed}"; }
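Review bot: The four new `${kgetcred}` calls for `${service2}@${R2}` and `${service1}@${R}` only check that kgetcred exits 0; unlike the server-referral section later in this file, nothing inspects the cache afterwards, so a ticket issued under an unexpected name would still pass. Since `${service1}@${R}` is set up as a hard alias of `${service2}@${R2}` and the commit describes hard aliases as copies of the aliased entry, the ticket would presumably be expected under the requested name; adding `${klist} | grep "${service1}@${R}" > /dev/null || { ec=1 ; eval "${testfailed}"; }` after each pair would pin that behaviour. The new foo@${R2} block otherwise repeats the preceding alias1 section line for line; a small helper taking the client principal as its argument would keep the two sequences from drifting apart.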
@@ -200,25 +232,30 @@ ${kadmin} modify --alias= foo@${R} || { ec=1 ; eval "${testfailed}"; }
 
 echo "Test server referrals"
 
-echo "Getting client for ${service}@${R} (tgs kdc referral)"
+echo "Getting client for ${service2}@${R} (tgs kdc referral)"
 > messages.log
 ${kinit} --password-file=${objdir}/foopassword foo@${R} || \
 	{ ec=1 ; eval "${testfailed}"; }
-${kgetcred} --canonicalize ${service}@${R} ||
-	{ ec=1 ; eval "${testfailed}"; }
+${kgetcred} --canonicalize ${service2}@${R} || { ec=1 ; eval "${testfailed}"; }
+${kgetcred} host/foohost.test.h5l.se@${R} || { ec=1 ; eval "${testfailed}"; }
+${kgetcred} host/barhost.sub.test.h5l.se@ || { ec=1 ; eval "${testfailed}"; }
 echo "checking that we got back right principal"
-${klist} | grep "${service}@${R2}" > /dev/null || \
+${klist} | grep "${service2}@${R2}" > /dev/null || \
+	{ ec=1 ; eval "${testfailed}"; }
+${klist} | grep "host/barhost.sub.test.h5l.se@TEST.H5L.SE" > /dev/null && \
+	{ ec=1 ; eval "${testfailed}"; }
+${klist} | grep "host/barhost.sub.test.h5l.se@SUB.TEST.H5L.SE" > /dev/null || \
 	{ ec=1 ; eval "${testfailed}"; }
 ${kdestroy}
 
-echo "Getting client for ${service}@${R2} (tgs client side guessing)"
+echo "Getting client for ${service2}@${R2} (tgs client side guessing)"
 > messages.log
 ${kinit} --password-file=${objdir}/foopassword foo@${R} || \
 	{ ec=1 ; eval "${testfailed}"; }
-${kgetcred} ${service}@${R2} ||
+${kgetcred} ${service2}@${R2} ||
 	{ ec=1 ; eval "${testfailed}"; }
 echo "checking that we got back right principal"
-${klist} | grep "${service}@${R2}" > /dev/null || \
+${klist} | grep "${service2}@${R2}" > /dev/null || \
 	{ ec=1 ; eval "${testfailed}"; }
 ${kdestroy}
 
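Review bot: The two new `${klist} | grep` checks for the barhost referral hard-code the realm literals `TEST.H5L.SE` and `SUB.TEST.H5L.SE`, while every neighbouring line in the hunk uses `${R}` and `${R2}`; if the realm variables at the top of the script are ever changed, these assertions would silently test names that no longer exist. Suggest `${klist} | grep -F "host/barhost.sub.test.h5l.se@${R}" > /dev/null && \` and `${klist} | grep -F "host/barhost.sub.test.h5l.se@${R2}" > /dev/null || \`, where `-F` also makes the dots literal rather than regex wildcards. The `${kgetcred} host/foohost.test.h5l.se@${R}` result is likewise never looked for in klist, though for a same-realm principal that is a minor gap.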