diff --git a/tests/gss/Makefile.am b/tests/gss/Makefile.am
index 6dc7f78da..35a75e0c2 100644
--- a/tests/gss/Makefile.am
+++ b/tests/gss/Makefile.am
@@ -17,6 +17,7 @@ port = 49188
 do_subst = srcdirabs=`cd "$(srcdir)"; pwd`; objdirabs=`pwd`; sed \
 -e 's,[@]srcdir[@],$(srcdir),g' \
 -e "s,[@]srcdirabs[@],$${srcdirabs},g" \
+ -e 's,[@]top_srcdir[@],$(top_srcdir),g' \
 -e 's,[@]env_setup[@],$(top_builddir)/tests/bin/setup-env,g' \
 -e 's,[@]port[@],$(port),g' \
 -e 's,[@]objdir[@],$(top_builddir)/tests/gss,g' \
@@ -86,13 +87,15 @@ CLEANFILES= \
 mech \
 current-db* \
 *.log \
+ *.pid \
 tempfile \
 check-basic.tmp \
 check-nodns.tmp \
 check-gss.tmp \
 check-gssmask.tmp \
 check-spnego.tmp \
- check-context.tmp
+ check-context.tmp \
+ check-negoex.tmp

 EXTRA_DIST = \
 NTMakefile \
@@ -104,6 +107,7 @@ EXTRA_DIST = \
 check-context.in \
 check-negoex.in \
 krb5.conf.in \
+ krb5-nodns.conf.in \
 include-krb5.conf \
 new_clients_k5.conf.in \
 mech.in
diff --git a/tests/gss/check-basic.in b/tests/gss/check-basic.in
index 0821208e2..b130196cd 100644
--- a/tests/gss/check-basic.in
+++ b/tests/gss/check-basic.in
@@ -1,44 +1,46 @@ -#!/bin/sh +#!/bin/bash # # Copyright (c) 2007 Kungliga Tekniska Högskolan -# (Royal Institute of Technology, Stockholm, Sweden). -# All rights reserved. +# (Royal Institute of Technology, Stockholm, Sweden). +# All rights reserved. # -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: # -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. # -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. # -# 3. Neither the name of the Institute nor the names of its contributors -# may be used to endorse or promote products derived from this software -# without specific prior written permission. +# 3. Neither the name of the Institute nor the names of its contributors +# may be used to endorse or promote products derived from this software +# without specific prior written permission. # -# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -# ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -# SUCH DAMAGE. +# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. # # $Id$ # +top_srcdir="@top_srcdir@" env_setup="@env_setup@" srcdir="@srcdir@" objdir="@objdir@" . ${env_setup} +. ${top_srcdir}/tests/bin/test-lib.sh # If there is no useful db support compiled in, disable test ../db/have-db || exit 77 
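Review bot: The interpreter change to `#!/bin/bash` on the first line hard-codes the bash location, so the generated check-basic script will fail to exec on platforms where bash is installed elsewhere (the BSDs put it under /usr/local/bin), whereas the old `#!/bin/sh` always resolved. If bash features are now required by the sourced `tests/bin/test-lib.sh` (not part of this diff), `#!/usr/bin/env bash` keeps that requirement without the path assumption. The re-indentation of the license header is whitespace-only churn that makes up most of this hunk; splitting it into its own commit would leave the functional change — the `top_srcdir="@top_srcdir@"` variable and the new `. ${top_srcdir}/tests/bin/test-lib.sh` line — easy to review on its own.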
@@ -74,12 +76,10 @@ rm -f current-db* rm -f out-* rm -f mkey.file* -> messages.log +test_init -echo upw > ${objdir}/foopassword - -echo Creating database -${kadmin} < ${objdir}/foopassword -echo "initial ticket" -${kinit} -c ${cache} --password-file=${objdir}/foopassword user@${R} || exitcode=1 +test_section "initial ticket" +test_run ${kinit} -c ${cache} --password-file=${objdir}/foopassword user@${R} -echo "copy ccache with gss_store_cred" +test_section "copy ccache with gss_store_cred" # Note we test that the ccache used for storing is token-expanded -${test_add_store_cred} --default --overwrite --env ${cache} "${cache2}%{null}" || exit 1 -${klist} -c ${cache2} || exit 1 +test_run ${test_add_store_cred} --default --overwrite --env ${cache} "${cache2}%{null}" +test_run ${klist} -c ${cache2} -echo "keytab" -${acquire_cred} \ +test_section "keytab" +test_run ${acquire_cred} \ --acquire-type=accept \ - --acquire-name=host@host.test.h5l.se || exit 1 + --acquire-name=host@host.test.h5l.se -echo "keytab w/ short-form name and name canon rules" -${acquire_cred} \ +test_section "keytab w/ short-form name and name canon rules" +test_run ${acquire_cred} \ --acquire-type=accept \ - --acquire-name=host@host || exit 1 + --acquire-name=host@host -echo "keytab w/o name" -${acquire_cred} \ - --acquire-type=accept || exit 1 +test_section "keytab w/o name" +test_run ${acquire_cred} \ + --acquire-type=accept -echo "keytab w/ wrong name" -${acquire_cred} \ +test_section "keytab w/ wrong name (expected failure)" +# This should fail - wrong name +test_run not ${acquire_cred} \ --acquire-type=accept --kerberos \ - --acquire-name=host@host2.test.h5l.se 2>/dev/null && exit 1 + --acquire-name=host@host2.test.h5l.se -echo "init using keytab" -${acquire_cred} \ +test_section "init using keytab" +test_run ${acquire_cred} \ --kerberos \ --acquire-type=initiate \ - --acquire-name=host@host.test.h5l.se > /dev/null || exit 1 + --acquire-name=host@host.test.h5l.se -echo "init using keytab (loop 
10)" -${acquire_cred} \ +test_section "init using keytab (loop 10)" +test_run ${acquire_cred} \ --kerberos \ --acquire-type=initiate \ --loops=10 \ - --acquire-name=host@host.test.h5l.se > /dev/null || exit 1 + --acquire-name=host@host.test.h5l.se -echo "init using keytab (loop 10, target)" -${acquire_cred} \ +test_section "init using keytab (loop 10, target)" +test_run ${acquire_cred} \ --kerberos \ --acquire-type=initiate \ --loops=10 \ --target=host@host.test.h5l.se \ - --acquire-name=host@host.test.h5l.se > /dev/null || exit 1 + --acquire-name=host@host.test.h5l.se -echo "init using keytab (loop 10, kerberos)" -${acquire_cred} \ +test_section "init using keytab (loop 10, kerberos)" +test_run ${acquire_cred} \ --acquire-type=initiate \ --loops=10 \ --kerberos \ - --acquire-name=host@host.test.h5l.se > /dev/null || exit 1 + --acquire-name=host@host.test.h5l.se -echo "init using keytab (loop 10, target, kerberos)" -${acquire_cred} \ +test_section "init using keytab (loop 10, target, kerberos)" +test_run ${acquire_cred} \ --acquire-type=initiate \ --loops=10 \ --kerberos \ --target=host@host.test.h5l.se \ - --acquire-name=host@host.test.h5l.se > /dev/null || exit 1 + --acquire-name=host@host.test.h5l.se -echo "init using existing cc" -${acquire_cred} \ +test_section "init using existing cc" +test_run ${acquire_cred} \ --kerberos \ --name-type=user-name \ --acquire-type=initiate \ - --acquire-name=user || exit 1 + --acquire-name=user KRB5CCNAME=${nocache} -echo "fail init using existing cc" -${acquire_cred} \ +test_section "fail init using existing cc (expected failure)" +# This should fail - no such cache +test_run not ${acquire_cred} \ --kerberos \ --name-type=user-name \ --acquire-type=initiate \ - --acquire-name=user 2>/dev/null && exit 1 + --acquire-name=user -echo "use gss_krb5_ccache_name for user" -${acquire_cred} \ +test_section "use gss_krb5_ccache_name for user" +test_run ${acquire_cred} \ --kerberos \ --name-type=user-name \ --ccache=${cache} \ 
--acquire-type=initiate \ - --acquire-name=user >/dev/null || exit 1 + --acquire-name=user KRB5CCNAME=${cache} KRB5_KTNAME=${nokeytab} -echo "kcred" -${test_kcred} || exit 1 +test_section "kcred" +test_run ${test_kcred} -${kdestroy} -c ${cache} +${kdestroy} -c ${cache} 2>/dev/null || true KRB5_KTNAME="${keytab}" -echo "init using keytab" -${acquire_cred} \ +test_section "init using keytab (after kdestroy)" +test_run ${acquire_cred} \ --kerberos \ --acquire-type=initiate \ - --acquire-name=host@host.test.h5l.se 2>/dev/null || exit 1 + --acquire-name=host@host.test.h5l.se -echo "init using keytab (ccache)" -${acquire_cred} \ +test_section "init using keytab (ccache)" +test_run ${acquire_cred} \ --kerberos \ --acquire-type=initiate \ --ccache=${cache} \ - --acquire-name=host@host.test.h5l.se 2>/dev/null || exit 1 + --acquire-name=host@host.test.h5l.se trap "" EXIT echo "killing kdc (${kdcpid})" kill ${kdcpid} 2> /dev/null -exit $exitcode +test_finish +exit $? diff --git a/tests/gss/check-context.in b/tests/gss/check-context.in index 8888a0e7d..f6d2dac18 100644 --- a/tests/gss/check-context.in +++ b/tests/gss/check-context.in 
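Review bot: `test_init` now stands in for the removed `echo upw > ${objdir}/foopassword` and `${kadmin} < ${objdir}/foopassword` lines, yet the very next step, `test_run ${kinit} -c ${cache} --password-file=${objdir}/foopassword user@${R}`, still reads that file and expects the database to exist. Whether that holds depends on `test_init` in tests/bin/test-lib.sh, which is not in this diff; if it does not write the `upw` password file and populate the database, the initial-ticket step fails before any GSS code is exercised. I would keep the explicit `echo upw > ${objdir}/foopassword` in this script, or at least record the dependency next to the call: `# test_init (tests/bin/test-lib.sh) must create the KDC database and write ${objdir}/foopassword`. The negative checks written as `test_run not ${acquire_cred} ...` also treat any non-zero exit — a crash or a missing binary — as the expected failure, the same weakness the old `&& exit 1` form had, so a variant that pins the exit status or greps the error text would make the "(expected failure)" sections meaningful.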
@@ -1,44 +1,46 @@ -#!/bin/sh +#!/bin/bash # # Copyright (c) 2006 - 2008 Kungliga Tekniska Högskolan -# (Royal Institute of Technology, Stockholm, Sweden). -# All rights reserved. +# (Royal Institute of Technology, Stockholm, Sweden). +# All rights reserved. # -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: # -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. # -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. # -# 3. Neither the name of the Institute nor the names of its contributors -# may be used to endorse or promote products derived from this software -# without specific prior written permission. +# 3. Neither the name of the Institute nor the names of its contributors +# may be used to endorse or promote products derived from this software +# without specific prior written permission. # -# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -# ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -# SUCH DAMAGE. +# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. # # $Id$ # +top_srcdir="@top_srcdir@" env_setup="@env_setup@" srcdir="@srcdir@" objdir="@objdir@" . ${env_setup} +. ${top_srcdir}/tests/bin/test-lib.sh # If there is no useful db support compiled in, disable test ../db/have-db || exit 77 
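Review bot: The new `. ${top_srcdir}/tests/bin/test-lib.sh` line is unquoted, and `top_srcdir` is whatever Automake's `$(top_srcdir)` expands to after the Makefile.am sed substitution — typically a relative path such as `../..` — so the script only works when run from the tests/gss build directory and breaks on a source path containing spaces; `. "${top_srcdir}/tests/bin/test-lib.sh"` covers the latter, and the same caveat already applies to `. ${env_setup}` one line above. As in check-basic.in, `#!/bin/bash` hard-codes the interpreter path where `#!/usr/bin/env bash` would not. The license re-indentation is whitespace churn unrelated to the change and would be better split out.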
@@ -73,12 +75,12 @@ rm -f current-db* rm -f out-* rm -f mkey.file* -> messages.log +test_init -echo Creating database +test_section "Creating database" # add both lucid and lucid.test.h5l.se to simulate aliases # XXX ext should ext aliases too -${kadmin} < tempfile || exit 1 +test_run ${kadmin} get host/no-aes.test.h5l.se@${R} echo u1 > ${objdir}/foopassword -echo Starting kdc -${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; } +test_section "Starting kdc" +test_run ${kdc} --detach --testing kdcpid=`getpid kdc` cleanup() { 
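Review bot: `test_run ${kadmin} get host/no-aes.test.h5l.se@${R}` replaces `${kadmin} < tempfile || exit 1`, so the kadmin commands collected in `tempfile` above this hunk — the surviving comment says they add both `lucid` and `lucid.test.h5l.se` to simulate aliases — are no longer executed by this script, while the section is still titled "Creating database". Unless `test_init` (tests/bin/test-lib.sh, not in this diff) feeds that file itself, the aliased principals the later naming tests depend on are never created, and the `get` merely confirms one principal that `test_init` happens to know about. I would keep the feed explicit, e.g. `test_run ${kadmin} < tempfile` if `test_run` passes its stdin through to the command, and otherwise the original `${kadmin} < tempfile || exit 1`. The `test_run ${kdc} --detach --testing` line also drops the `cat messages.log` that used to accompany "kdc failed to start", so if `test_run` does not dump the log on failure, a KDC start-up problem now surfaces only as an obscure failure of `kdcpid=$(getpid kdc)` or of the first test that needs the KDC.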
@@ -120,88 +122,82 @@ cleanup() { } trap cleanup EXIT INT TERM -testfailed="echo test failed; cat messages.log; exit 1" - -echo "Test gss_acquire_cred_with_password" ; > messages.log -${kdestroy} -${context} --client-name=user1@${R} --client-password=u1 --mech-type=krb5 \ - host@lucid.test.h5l.se || { eval "$testfailed"; } -${klist} && { eval "$testfailed"; } +test_section "gss_acquire_cred_with_password" +${kdestroy} 2>/dev/null || true +test_run ${context} --client-name=user1@${R} --client-password=u1 --mech-type=krb5 \ + host@lucid.test.h5l.se +# klist should fail (no tickets saved) +test_run not ${klist} # These must fail (because wrong password) -${context} --client-name=user1@${R} --client-password=u2 --mech-type=krb5 \ - host@lucid.test.h5l.se && { eval "$testfailed"; } -${klist} && { eval "$testfailed"; } -${context} --client-name=user1@${R} --client-password=u2 --mech-types='' \ - --mech-type=krb5 host@lucid.test.h5l.se && { eval "$testfailed"; } -${klist} && { eval "$testfailed"; } -${context} --client-name=user1@${R} --client-password=u2 --mech-types=krb5 \ - --mech-type=krb5 host@lucid.test.h5l.se && { eval "$testfailed"; } -${klist} && { eval "$testfailed"; } -${context} --client-name=user1@${R} --client-password=u2 --mech-types=all \ - --mech-type=krb5 host@lucid.test.h5l.se && { eval "$testfailed"; } -${klist} && { eval "$testfailed"; } -${context} --client-name=user1@${R} --client-password=u2 \ - --mech-types=krb5 --mech-type=krb5 host@lucid.test.h5l.se \ - && { eval "$testfailed"; } +test_run not ${context} --client-name=user1@${R} --client-password=u2 --mech-type=krb5 \ + host@lucid.test.h5l.se +test_run not ${klist} +test_run not ${context} --client-name=user1@${R} --client-password=u2 --mech-types='' \ + --mech-type=krb5 host@lucid.test.h5l.se +test_run not ${klist} +test_run not ${context} --client-name=user1@${R} --client-password=u2 --mech-types=krb5 \ + --mech-type=krb5 host@lucid.test.h5l.se +test_run not ${klist} +test_run not ${context} 
--client-name=user1@${R} --client-password=u2 --mech-types=all \ + --mech-type=krb5 host@lucid.test.h5l.se +test_run not ${klist} +test_run not ${context} --client-name=user1@${R} --client-password=u2 \ + --mech-types=krb5 --mech-type=krb5 host@lucid.test.h5l.se # gss_acquire_cred_with_password() must not have side-effects -${klist} && { eval "$testfailed"; } +test_run not ${klist} -echo "Getting client initial tickets" ; > messages.log -${kinit} --password-file=${objdir}/foopassword --forwardable user1@${R} || \ - { eval "$testfailed"; } +test_section "Getting client initial tickets" +test_run ${kinit} --password-file=${objdir}/foopassword --forwardable user1@${R} -echo "======test unreadable/non existant keytab and its error message" ; > messages.log -${context} --mech-type=krb5 host@lucid.test.h5l.se || \ - { eval "$testfailed"; } +test_section "test unreadable/non existant keytab and its error message" +test_run ${context} --mech-type=krb5 host@lucid.test.h5l.se mv ${keytabfile} ${keytabfile}.no -echo "checking non existant keytabfile (krb5)" ; > messages.log -${context} --mech-type=krb5 host@lucid.test.h5l.se > test_context.log 2>&1 && \ - { eval "$testfailed"; } -echo "checking non existant keytabfile (spengo)" ; > messages.log -${context} --mech-type=spnego --mech-types=spnego,krb5 \ - host@lucid.test.h5l.se > test_context.log 2>&1 && \ - { eval "$testfailed"; } +test_section "checking non existant keytabfile (krb5)" +test_run not ${context} --mech-type=krb5 host@lucid.test.h5l.se + +test_section "checking non existant keytabfile (spnego)" +test_run not ${context} --mech-type=spnego --mech-types=spnego,krb5 \ + host@lucid.test.h5l.se mv ${keytabfile}.no ${keytabfile} -echo "======test naming combinations" -echo "plain" ; > messages.log -${context} --name-type=hostbased-service host@lucid.test.h5l.se || \ - { eval "$testfailed"; } -echo "plain w/ short-form hostname" ; > messages.log -${context} --name-type=hostbased-service host@lucid || \ - { eval 
"$testfailed"; } -echo "plain (krb5)" ; > messages.log -${context} --name-type=krb5-principal-name host/lucid.test.h5l.se@${R} || \ - { eval "$testfailed"; } -echo "plain (krb5 realmless)" ; > messages.log -${context} --name-type=krb5-principal-name host/lucid.test.h5l.se || \ - { eval "$testfailed"; } -echo "plain (krb5 realmless short-form)" ; > messages.log -${context} --name-type=krb5-principal-name host/lucid 2>/dev/null || \ - { eval "$testfailed"; } -echo "creating short-form princ" -${kadmin} add -p p1 --use-defaults host/lucid@${R} || exit 1 -${kadmin} ext -k ${keytab} host/lucid@${R} || exit 1 -echo "dns canon on (long name) OFF, need dns_wrapper" ; > messages.log -#${context} --dns-canon host@lucid.test.h5l.se || \ -# { eval "$testfailed"; } -echo "dns canon off (long name)" ; > messages.log -${context} --no-dns-canon host@lucid.test.h5l.se || \ - { eval "$testfailed"; } -echo "dns canon off (short name)" ; > messages.log -${context} --no-dns-canon host@lucid || \ - { eval "$testfailed"; } -echo "dns canon off (short name, krb5)" ; > messages.log -${context} --no-dns-canon --name-type=krb5-principal-name host/lucid@${R} || \ - { eval "$testfailed"; } -echo "dns canon off (short name, krb5)" ; > messages.log -${context} --no-dns-canon --name-type=krb5-principal-name host/lucid || \ - { eval "$testfailed"; } +test_section "test naming combinations - plain" +test_run ${context} --name-type=hostbased-service host@lucid.test.h5l.se -echo "======test context building" +test_section "test naming combinations - plain w/ short-form hostname" +test_run ${context} --name-type=hostbased-service host@lucid + +test_section "test naming combinations - plain (krb5)" +test_run ${context} --name-type=krb5-principal-name host/lucid.test.h5l.se@${R} + +test_section "test naming combinations - plain (krb5 realmless)" +test_run ${context} --name-type=krb5-principal-name host/lucid.test.h5l.se + +test_section "test naming combinations - plain (krb5 realmless short-form)" 
+test_run ${context} --name-type=krb5-principal-name host/lucid + +test_section "creating short-form princ" +test_run ${kadmin} add -p p1 --use-defaults host/lucid@${R} +test_run ${kadmin} ext -k ${keytab} host/lucid@${R} + +#test_section "dns canon on (long name) OFF, need dns_wrapper" +#test_run ${context} --dns-canon host@lucid.test.h5l.se + +test_section "dns canon off (long name)" +test_run ${context} --no-dns-canon host@lucid.test.h5l.se + +test_section "dns canon off (short name)" +test_run ${context} --no-dns-canon host@lucid + +test_section "dns canon off (short name, krb5)" +test_run ${context} --no-dns-canon --name-type=krb5-principal-name host/lucid@${R} + +test_section "dns canon off (short name, krb5, no realm)" +test_run ${context} --no-dns-canon --name-type=krb5-principal-name host/lucid + +test_section "test context building" for mech in krb5 krb5iov spnego spnegoiov; do if [ "$mech" = "krb5iov" ] ; then mech="krb5" 
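Review bot: Every expected-failure check in this hunk is expressed as `test_run not ${context} ...`, which, like the `&& { eval "$testfailed"; }` form it replaces, accepts any non-zero exit — a crash, an unknown option, a KDC that is not running — as the wrong-password or wrong-keytab failure it is meant to prove. For the wrong-password block in particular (`test_run not ${context} --client-name=user1@${R} --client-password=u2 --mech-type=krb5 host@lucid.test.h5l.se`), a helper that asserts the specific exit status or greps the error text would make the negative result trustworthy. The section still titled "test unreadable/non existant keytab and its error message" in fact no longer captures stderr at all, since the `> test_context.log 2>&1` redirections were dropped, so the error message is never examined by anything. Also note that `mv ${keytabfile} ${keytabfile}.no` is now followed only by `test_run` calls; if `test_run` aborts the script on an unexpected success, the keytab is left renamed unless the `cleanup` trap defined outside this hunk restores it.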
@@ -212,44 +208,39 @@ for mech in krb5 krb5iov spnego spnegoiov; do iov="--iov" fi - echo "${mech} no-mutual ${iov}" ; > messages.log - ${context} --mech-type=${mech} \ + test_section "${mech} no-mutual ${iov}" + test_run ${context} --mech-type=${mech} \ --wrapunwrap ${iov} \ --localname=mapped_user1 \ - --name-type=hostbased-service host@lucid.test.h5l.se || \ - { eval "$testfailed"; } + --name-type=hostbased-service host@lucid.test.h5l.se - echo "${mech} mutual ${iov}" ; > messages.log - ${context} --mech-type=${mech} \ + test_section "${mech} mutual ${iov}" + test_run ${context} --mech-type=${mech} \ --mutual \ --wrapunwrap ${iov} \ - --name-type=hostbased-service host@lucid.test.h5l.se || \ - { eval "$testfailed"; } + --name-type=hostbased-service host@lucid.test.h5l.se - echo "${mech} delegate ${iov}" ; > messages.log - ${context} --mech-type=${mech} \ + test_section "${mech} delegate ${iov}" + test_run ${context} --mech-type=${mech} \ --delegate \ --wrapunwrap ${iov} \ - --name-type=hostbased-service host@lucid.test.h5l.se || \ - { eval "$testfailed"; } + --name-type=hostbased-service host@lucid.test.h5l.se - echo "${mech} mutual delegate ${iov}" ; > messages.log - ${context} --mech-type=${mech} \ + test_section "${mech} mutual delegate ${iov}" + test_run ${context} --mech-type=${mech} \ --mutual --delegate \ --wrapunwrap ${iov} \ - --name-type=hostbased-service host@lucid.test.h5l.se || \ - { eval "$testfailed"; } + --name-type=hostbased-service host@lucid.test.h5l.se done -echo "======test authz-data (krb5)" -${context} --mech-type=krb5 \ +test_section "test authz-data (krb5)" +test_run ${context} --mech-type=krb5 \ --mutual \ --wrapunwrap \ --on-behalf-of=foo@BAR.TEST.H5L.SE \ - --name-type=hostbased-service host@lucid.test.h5l.se || - { eval "$testfailed"; } + --name-type=hostbased-service host@lucid.test.h5l.se -echo "======dce-style" +test_section "dce-style" for mech in krb5 krb5iov spnego; do iov="" if [ "$mech" = "krb5iov" ] ; then 
@@ -261,18 +252,16 @@ for mech in krb5 krb5iov spnego; do iov="--iov" fi - echo "${mech}: dce-style ${iov}" ; > messages.log - ${context} \ + test_section "${mech}: dce-style ${iov}" + test_run ${context} \ --mech-type=${mech} \ --mutual \ --dce-style \ --wrapunwrap ${iov} \ - --name-type=hostbased-service host@lucid.test.h5l.se || \ - { eval "$testfailed"; } - + --name-type=hostbased-service host@lucid.test.h5l.se done -echo "======export-import-context" +test_section "export-import-context" for mech in krb5 krb5iov spnego spnegoiov; do iov="" if [ "$mech" = "krb5iov" ] ; then 
@@ -284,329 +273,295 @@ for mech in krb5 krb5iov spnego spnegoiov; do iov="--iov" fi - echo "${mech}: export-import-context ${iov}" ; > messages.log - ${context} \ + test_section "${mech}: export-import-context ${iov}" + test_run ${context} \ --mech-type=${mech} \ --mutual \ --export-import-context \ --wrapunwrap ${iov} \ - --name-type=hostbased-service host@lucid.test.h5l.se || \ - { eval "$testfailed"; } - + --name-type=hostbased-service host@lucid.test.h5l.se done -echo "test gsskrb5_register_acceptor_identity (both positive and negative)" +test_section "test gsskrb5_register_acceptor_identity" cp ${keytabfile} ${keytabfile}.new for mech in krb5 spnego; do - echo "${mech}: acceptor_identity positive" ; > messages.log - ${context} --gsskrb5-acceptor-identity=${keytabfile}.new \ - --mech-type=$mech host@lucid.test.h5l.se || \ - { eval "$testfailed"; } + test_section "${mech}: acceptor_identity positive" + test_run ${context} --gsskrb5-acceptor-identity=${keytabfile}.new \ + --mech-type=$mech host@lucid.test.h5l.se - echo "${mech}: acceptor_identity positive (prefix)" ; > messages.log - ${context} --gsskrb5-acceptor-identity=FILE:${keytabfile}.new \ - --mech-type=$mech host@lucid.test.h5l.se || \ - { eval "$testfailed"; } + test_section "${mech}: acceptor_identity positive (prefix)" + test_run ${context} --gsskrb5-acceptor-identity=FILE:${keytabfile}.new \ + --mech-type=$mech host@lucid.test.h5l.se - echo "${mech}: acceptor_identity negative" ; > messages.log - ${context} --gsskrb5-acceptor-identity=${keytabfile}.foo \ - --mech-type=$mech host@lucid.test.h5l.se 2>/dev/null && \ - { eval "$testfailed"; } + test_section "${mech}: acceptor_identity negative (expected failure)" + test_run not ${context} --gsskrb5-acceptor-identity=${keytabfile}.foo \ + --mech-type=$mech host@lucid.test.h5l.se done rm ${keytabfile}.new -echo "====== test PAC-based name canonicalization" +test_section "test PAC-based name canonicalization" -${kdestroy} -${kinit} 
--password-file=${objdir}/foopassword user1.alias@${R} || \ - { eval "$testfailed"; } +${kdestroy} 2>/dev/null || true +test_run ${kinit} --password-file=${objdir}/foopassword user1.alias@${R} for mech in krb5 spnego; do + test_section "${mech}: PAC name canonicalization" KRB5_CONFIG="${objdir}/new_clients_k5.conf" ${context} -v \ - --mech-type=$mech host@lucid.test.h5l.se > name-canon.log || \ - { eval "$testfailed"; } + --mech-type=$mech host@lucid.test.h5l.se > name-canon.log 2>&1 || \ + { echo "context failed"; exit 1; } grep "client name:" name-canon.log | grep "user1.alias@TEST.H5L.SE" > /dev/null && \ - { echo "client name not canonicalized"; eval "$testfailed"; } + { echo "client name not canonicalized"; exit 1; } grep "client name:" name-canon.log | grep "user1@TEST.H5L.SE" > /dev/null || \ - { echo "wrong client name"; eval "$testfailed"; } + { echo "wrong client name"; exit 1; } done -echo "====== test channel-bindings." +test_section "test channel-bindings" for mech in krb5 spnego; do - echo "${mech}: initiator only bindings" ; > messages.log + test_section "${mech}: initiator only bindings" ${context} -v --i-channel-bindings=abc \ - --mech-type=$mech host@lucid.test.h5l.se > cbinding.log || \ - { eval "$testfailed"; } + --mech-type=$mech host@lucid.test.h5l.se > cbinding.log 2>&1 || \ + { echo "context failed"; exit 1; } grep "sflags:" cbinding.log | grep "channel-bound" > /dev/null && \ - { echo "channel-bound flag unexpected"; eval "$testfailed"; } + { echo "channel-bound flag unexpected"; exit 1; } - echo "${mech}: acceptor only bindings" ; > messages.log + test_section "${mech}: acceptor only bindings" ${context} -v --a-channel-bindings=abc \ - --mech-type=$mech host@lucid.test.h5l.se > cbinding.log || \ - { eval "$testfailed"; } + --mech-type=$mech host@lucid.test.h5l.se > cbinding.log 2>&1 || \ + { echo "context failed"; exit 1; } grep "sflags:" cbinding.log | grep "channel-bound" > /dev/null && \ - { echo "channel-bound flag unexpected"; eval 
"$testfailed"; } + { echo "channel-bound flag unexpected"; exit 1; } - echo "${mech}: matching bindings" ; > messages.log + test_section "${mech}: matching bindings" ${context} -v --i-channel-bindings=abc --a-channel-bindings=abc \ - --mech-type=$mech host@lucid.test.h5l.se > cbinding.log || \ - { eval "$testfailed"; } + --mech-type=$mech host@lucid.test.h5l.se > cbinding.log 2>&1 || \ + { echo "context failed"; exit 1; } grep "sflags:" cbinding.log | grep "channel-bound" > /dev/null || \ - { echo "no channel-bound flag"; eval "$testfailed"; } + { echo "no channel-bound flag"; exit 1; } - echo "${mech}: non matching bindings" ; > messages.log - ${context} --i-channel-bindings=abc --a-channel-bindings=xyz \ - --mech-type=$mech host@lucid.test.h5l.se 2>/dev/null && \ - { eval "$testfailed"; } + test_section "${mech}: non matching bindings (expected failure)" + test_run not ${context} --i-channel-bindings=abc --a-channel-bindings=xyz \ + --mech-type=$mech host@lucid.test.h5l.se - echo "${mech}: initiator only bindings (client-aware)" ; > messages.log + test_section "${mech}: initiator only bindings (client-aware)" KRB5_CONFIG="${objdir}/new_clients_k5.conf" ${context} -v \ --i-channel-bindings=abc \ - --mech-type=$mech host@lucid.test.h5l.se > cbinding.log || \ - { eval "$testfailed"; } + --mech-type=$mech host@lucid.test.h5l.se > cbinding.log 2>&1 || \ + { echo "context failed"; exit 1; } grep "sflags:" cbinding.log | grep "channel-bound" > /dev/null && \ - { echo "channel-bound flag unexpected"; eval "$testfailed"; } + { echo "channel-bound flag unexpected"; exit 1; } - echo "${mech}: acceptor only bindings (client-aware)" ; > messages.log - KRB5_CONFIG="${objdir}/new_clients_k5.conf" ${context} \ + test_section "${mech}: acceptor only bindings (client-aware, expected failure)" + test_run not env KRB5_CONFIG="${objdir}/new_clients_k5.conf" ${context} \ --a-channel-bindings=abc \ - --mech-type=$mech host@lucid.test.h5l.se 2>/dev/null && \ - { eval "$testfailed"; } + 
--mech-type=$mech host@lucid.test.h5l.se - echo "${mech}: matching bindings (client-aware)" ; > messages.log + test_section "${mech}: matching bindings (client-aware)" KRB5_CONFIG="${objdir}/new_clients_k5.conf" ${context} -v \ --i-channel-bindings=abc --a-channel-bindings=abc \ - --mech-type=$mech host@lucid.test.h5l.se > cbinding.log || \ - { eval "$testfailed"; } + --mech-type=$mech host@lucid.test.h5l.se > cbinding.log 2>&1 || \ + { echo "context failed"; exit 1; } grep "sflags:" cbinding.log | grep "channel-bound" > /dev/null || \ - { echo "no channel-bound flag"; eval "$testfailed"; } + { echo "no channel-bound flag"; exit 1; } - echo "${mech}: non matching bindings (client-aware)" ; > messages.log - KRB5_CONFIG="${objdir}/new_clients_k5.conf" ${context} \ + test_section "${mech}: non matching bindings (client-aware, expected failure)" + test_run not env KRB5_CONFIG="${objdir}/new_clients_k5.conf" ${context} \ --i-channel-bindings=abc --a-channel-bindings=xyz \ - --mech-type=$mech host@lucid.test.h5l.se 2>/dev/null && \ - { eval "$testfailed"; } + --mech-type=$mech host@lucid.test.h5l.se - echo "${mech}: initiator null bindings bound (client-aware-flag)" ; > messages.log + test_section "${mech}: initiator null bindings bound (client-aware-flag)" ${context} -v --i-channel-bound \ - --mech-type=$mech host@lucid.test.h5l.se > cbinding.log || \ - { eval "$testfailed"; } + --mech-type=$mech host@lucid.test.h5l.se > cbinding.log 2>&1 || \ + { echo "context failed"; exit 1; } grep "sflags:" cbinding.log | grep "channel-bound" > /dev/null && \ - { echo "channel-bound flag unexpected"; eval "$testfailed"; } + { echo "channel-bound flag unexpected"; exit 1; } - echo "${mech}: initiator only bindings (client-aware-flag)" ; > messages.log + test_section "${mech}: initiator only bindings (client-aware-flag)" ${context} -v --i-channel-bound \ --i-channel-bindings=abc \ - --mech-type=$mech host@lucid.test.h5l.se > cbinding.log || \ - { eval "$testfailed"; } + 
--mech-type=$mech host@lucid.test.h5l.se > cbinding.log 2>&1 || \ + { echo "context failed"; exit 1; } grep "sflags:" cbinding.log | grep "channel-bound" > /dev/null && \ - { echo "channel-bound flag unexpected"; eval "$testfailed"; } + { echo "channel-bound flag unexpected"; exit 1; } - echo "${mech}: acceptor only bindings (client-aware-flag)" ; > messages.log - ${context} -v --i-channel-bound \ + test_section "${mech}: acceptor only bindings (client-aware-flag, expected failure)" + test_run not ${context} --i-channel-bound \ --a-channel-bindings=abc \ - --mech-type=$mech host@lucid.test.h5l.se 2>/dev/null && \ - { eval "$testfailed"; } + --mech-type=$mech host@lucid.test.h5l.se - echo "${mech}: matching bindings (client-aware-flag)" ; > messages.log + test_section "${mech}: matching bindings (client-aware-flag)" ${context} -v --i-channel-bound \ --i-channel-bindings=abc --a-channel-bindings=abc \ - --mech-type=$mech host@lucid.test.h5l.se > cbinding.log || \ - { eval "$testfailed"; } + --mech-type=$mech host@lucid.test.h5l.se > cbinding.log 2>&1 || \ + { echo "context failed"; exit 1; } grep "sflags:" cbinding.log | grep "channel-bound" > /dev/null || \ - { echo "no channel-bound flag"; eval "$testfailed"; } + { echo "no channel-bound flag"; exit 1; } - echo "${mech}: non matching bindings (client-aware-flag)" ; > messages.log - ${context} -v --i-channel-bound \ + test_section "${mech}: non matching bindings (client-aware-flag, expected failure)" + test_run not ${context} --i-channel-bound \ --i-channel-bindings=abc --a-channel-bindings=xyz \ - --mech-type=$mech host@lucid.test.h5l.se 2>/dev/null && \ - { eval "$testfailed"; } - + --mech-type=$mech host@lucid.test.h5l.se done #echo "sasl-digest-md5" #${context} --mech-type=sasl-digest-md5 \ # --name-type=hostbased-service \ -# host@lucid.test.h5l.se || \ -# { eval "$testfailed"; } +# host@lucid.test.h5l.se || exit 1 -echo "====== gss-api session key check" +test_section "gss-api session key check" # this will 
break when oneone invents a cooler enctype then aes256-cts-hmac-sha1-96 coolenctype="aes256-cts-hmac-sha384-192" limit_enctype="aes256-cts-hmac-sha1-96" -echo "Getting client initial tickets" ; > messages.log -${kinit} --password-file=${objdir}/foopassword user1@${R} || \ - { eval "$testfailed"; } +test_section "Getting client initial tickets for session key tests" +test_run ${kinit} --password-file=${objdir}/foopassword user1@${R} - -echo "Building context on cred w/o aes, but still ${coolenctype} session key" ; > messages.log -${context} \ +test_section "Building context on cred w/o aes, but still ${coolenctype} session key" +test_run ${context} \ --mech-type=krb5 \ --mutual-auth \ --session-enctype=${coolenctype} \ - --name-type=hostbased-service host@no-aes.test.h5l.se || \ - { eval "$testfailed"; } + --name-type=hostbased-service host@no-aes.test.h5l.se -echo "Building context on cred, check if its limited still" ; > messages.log -${context} \ +test_section "Building context on cred, check if its limited still" +test_run ${context} \ --mech-type=krb5 \ --client-name=user1@${R} \ --limit-enctype="${limit_enctype}" \ --mutual-auth \ - --name-type=hostbased-service host@no-aes.test.h5l.se || \ - { eval "$testfailed"; } + --name-type=hostbased-service host@no-aes.test.h5l.se -echo "====== ok-as-delegate" +test_section "ok-as-delegate" -echo "Getting client initial tickets" ; > messages.log -${kinit} --forwardable \ - --password-file=${objdir}/foopassword user1@${R} || \ - { eval "$testfailed"; } +test_section "Getting client initial tickets (forwardable)" +test_run ${kinit} --forwardable \ + --password-file=${objdir}/foopassword user1@${R} -echo "ok-as-delegate not used" ; > messages.log -${context} \ +test_section "ok-as-delegate not used" +test_run ${context} \ --mech-type=krb5 \ --delegate \ - --name-type=hostbased-service host@lucid.test.h5l.se || \ - { eval "$testfailed"; } + --name-type=hostbased-service host@lucid.test.h5l.se -echo "host without 
ok-as-delegate with policy-delegate" ; > messages.log -${context} \ +test_section "host without ok-as-delegate with policy-delegate" +test_run ${context} \ --mech-type=krb5 \ --policy-delegate \ --server-no-delegate \ - --name-type=hostbased-service host@lucid.test.h5l.se || \ - { eval "$testfailed"; } + --name-type=hostbased-service host@lucid.test.h5l.se -echo "ok-as-delegate used by policy" ; > messages.log -${context} \ +test_section "ok-as-delegate used by policy" +test_run ${context} \ --mech-type=krb5 \ --policy-delegate \ - --name-type=hostbased-service host@ok-delegate.test.h5l.se || \ - { eval "$testfailed"; } + --name-type=hostbased-service host@ok-delegate.test.h5l.se -echo "Getting client initial tickets with --ok-as-delgate" ; > messages.log -${kinit} --ok-as-delegate --forwardable \ - --password-file=${objdir}/foopassword user1@${R} || \ - { eval "$testfailed"; } +test_section "Getting client initial tickets with --ok-as-delegate" +test_run ${kinit} --ok-as-delegate --forwardable \ + --password-file=${objdir}/foopassword user1@${R} -echo "policy delegate to non delegate host" ; > messages.log -${context} \ +test_section "policy delegate to non delegate host" +test_run ${context} \ --mech-type=krb5 \ --policy-delegate \ --server-no-delegate \ - --name-type=hostbased-service host@lucid.test.h5l.se || \ - { eval "$testfailed"; } + --name-type=hostbased-service host@lucid.test.h5l.se -echo "ok-as-delegate" ; > messages.log -${context} \ +test_section "ok-as-delegate" +test_run ${context} \ --mech-type=krb5 \ --delegate \ - --name-type=hostbased-service host@lucid.test.h5l.se || \ - { eval "$testfailed"; } + --name-type=hostbased-service host@lucid.test.h5l.se -echo "======export/import cred" +test_section "export/import cred" -echo "export-import cred (krb5)" ; > messages.log -${context} \ +test_section "export-import cred (krb5)" +test_run ${context} \ --mech-type=krb5 \ --delegate \ --export-import-cred \ - --name-type=hostbased-service 
host@ok-delegate.test.h5l.se || \ - { eval "$testfailed"; } + --name-type=hostbased-service host@ok-delegate.test.h5l.se -echo "export-import cred (spnego)" ; > messages.log -${context} \ +test_section "export-import cred (spnego)" +test_run ${context} \ --mech-type=spnego \ --delegate \ --export-import-cred \ - --name-type=hostbased-service host@ok-delegate.test.h5l.se || \ - { eval "$testfailed"; } + --name-type=hostbased-service host@ok-delegate.test.h5l.se -echo "======time diffs between client and server" +test_section "time diffs between client and server" -echo "Getting client initial ticket" ; > messages.log -${kinit} --password-file=${objdir}/foopassword user1@${R} || \ - { eval "$testfailed"; } +test_section "Getting client initial ticket for time offset tests" +test_run ${kinit} --password-file=${objdir}/foopassword user1@${R} -echo "No time offset" ; > messages.log -${context} \ +test_section "No time offset" +test_run ${context} \ --mech-type=krb5 \ - --name-type=hostbased-service host@lucid.test.h5l.se || \ - { eval "$testfailed"; } + --name-type=hostbased-service host@lucid.test.h5l.se -echo "Getting client initial ticket" ; > messages.log -${kinit} --password-file=${objdir}/foopassword user1@${R} || \ - { eval "$testfailed"; } +test_section "Getting client initial ticket" +test_run ${kinit} --password-file=${objdir}/foopassword user1@${R} -echo "Server time offset" ; > messages.log -${context} \ +test_section "Server time offset" +test_run ${context} \ --mech-type=krb5 \ --mutual-auth \ --server-time-offset=3600 \ --max-loops=3 \ - --name-type=hostbased-service host@lucid.test.h5l.se || \ - { eval "$testfailed"; } + --name-type=hostbased-service host@lucid.test.h5l.se -echo "Server time offset (cached ?)" ; > messages.log -${context} \ +test_section "Server time offset (cached ?)" +test_run ${context} \ --mech-type=krb5 \ --mutual-auth \ --server-time-offset=3600 \ --max-loops=2 \ - --name-type=hostbased-service host@lucid.test.h5l.se || \ - { eval 
"$testfailed"; } + --name-type=hostbased-service host@lucid.test.h5l.se -echo "Getting client initial ticket" ; > messages.log -${kinit} --password-file=${objdir}/foopassword user1@${R} || \ - { eval "$testfailed"; } +test_section "Getting client initial ticket for client time offset" +test_run ${kinit} --password-file=${objdir}/foopassword user1@${R} # Pre-poplute the cache since tgs-req will fail since our time is wrong -${kgetcred} host/lucid.test.h5l.se@${R} || \ - { eval "$testfailed"; } +test_run ${kgetcred} host/lucid.test.h5l.se@${R} -echo "Client time offset" ; > messages.log -${context} \ +test_section "Client time offset" +test_run ${context} \ --mech-type=krb5 \ --mutual-auth \ --client-time-offset=3600 \ - --name-type=hostbased-service host@lucid.test.h5l.se || \ - { eval "$testfailed"; } + --name-type=hostbased-service host@lucid.test.h5l.se -echo "Getting client initial tickets (use-referrals)" ; > messages.log -${kinit} \ +test_section "Getting client initial tickets (use-referrals)" +test_run ${kinit} \ --password-file=${objdir}/foopassword \ - --use-referrals user1@${R} || \ - { eval "$testfailed"; } + --use-referrals user1@${R} # XXX these tests really need to use somethat that resolve to something -${context} \ +test_section "host@short" +test_run ${context} \ --mech-type=krb5 \ - host@short || \ - { eval "$testfailed"; } + host@short -${context} \ +test_section "host/short (krb5-principal-name)" +test_run ${context} \ --mech-type=krb5 \ - --name-type=krb5-principal-name host/short || \ - { eval "$testfailed"; } + --name-type=krb5-principal-name host/short -${context} \ +test_section "host@long.test.h5l.se" +test_run ${context} \ --mech-type=krb5 \ - host@long.test.h5l.se || \ - { eval "$testfailed"; } + host@long.test.h5l.se -${context} \ +test_section "host/long.test.h5l.se (krb5-principal-name)" +test_run ${context} \ --mech-type=krb5 \ --name-type=krb5-principal-name \ - host/long.test.h5l.se || \ - { eval "$testfailed"; } + 
host/long.test.h5l.se test_section "threaded context establishment" test_section "Getting client initial tickets for threaded test" @@ -633,5 +588,5 @@ trap "" EXIT echo "killing kdc (${kdcpid})" kill ${kdcpid} 2> /dev/null -exit 0 - +test_finish +exit $? diff --git a/tests/gss/check-gss.in b/tests/gss/check-gss.in index f5254a1fc..6cade1b58 100644 --- a/tests/gss/check-gss.in +++ b/tests/gss/check-gss.in 
@@ -1,50 +1,60 @@ -#!/bin/sh +#!/bin/bash # # Copyright (c) 2006 Kungliga Tekniska Högskolan -# (Royal Institute of Technology, Stockholm, Sweden). -# All rights reserved. +# (Royal Institute of Technology, Stockholm, Sweden). +# All rights reserved. # -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: # -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. # -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. # -# 3. Neither the name of the Institute nor the names of its contributors -# may be used to endorse or promote products derived from this software -# without specific prior written permission. +# 3. Neither the name of the Institute nor the names of its contributors +# may be used to endorse or promote products derived from this software +# without specific prior written permission. # -# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -# ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -# SUCH DAMAGE. +# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. # # $Id$ # +top_srcdir="@top_srcdir@" env_setup="@env_setup@" confdir="@confdir@" testdir="@testdir@" . ${env_setup} +. 
${top_srcdir}/tests/bin/test-lib.sh -${TESTS_ENVIRONMENT} ${gsstool} help > /dev/null || exit 1 -${TESTS_ENVIRONMENT} ${gsstool} supported-mechanisms > /dev/null || exit 1 -${TESTS_ENVIRONMENT} ${gsstool} attrs-for-mech --all > /dev/null || exit 1 -${TESTS_ENVIRONMENT} ${gsstool} attrs-for-mech --mech=Kerberos > /dev/null || exit 1 +test_init -exit 0 +test_section "gsstool help" +test_run ${TESTS_ENVIRONMENT} ${gsstool} help +test_section "gsstool supported-mechanisms" +test_run ${TESTS_ENVIRONMENT} ${gsstool} supported-mechanisms +test_section "gsstool attrs-for-mech --all" +test_run ${TESTS_ENVIRONMENT} ${gsstool} attrs-for-mech --all + +test_section "gsstool attrs-for-mech --mech=Kerberos" +test_run ${TESTS_ENVIRONMENT} ${gsstool} attrs-for-mech --mech=Kerberos + +test_finish +exit $? diff --git a/tests/gss/check-gssmask.in b/tests/gss/check-gssmask.in index b0a3e2464..7deb69f3d 100644 --- a/tests/gss/check-gssmask.in +++ b/tests/gss/check-gssmask.in 
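Review bot: The new `. ${top_srcdir}/tests/bin/test-lib.sh` line leaves the path unquoted, so a source tree whose path contains whitespace makes the `.` builtin see several words and source the wrong file (or nothing). Writing it as `. "${top_srcdir}/tests/bin/test-lib.sh"` matches how `do_subst` in Makefile.am already quotes `$(srcdir)`; the pre-existing `. ${env_setup}` has the same weakness but is not part of this change. The same prologue hunk appears in check-gssmask.in, check-negoex.in and check-nodns.in, where the same quoting applies. The shebang also moves from `/bin/sh` to `/bin/bash`; if that is because test-lib.sh relies on bash features, a one-line comment such as `# bash: test-lib.sh uses non-POSIX shell features` next to the shebang would stop a later "portability" revert from breaking the tests.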
@@ -1,44 +1,46 @@ -#!/bin/sh +#!/bin/bash # # Copyright (c) 2006 Kungliga Tekniska Högskolan -# (Royal Institute of Technology, Stockholm, Sweden). -# All rights reserved. +# (Royal Institute of Technology, Stockholm, Sweden). +# All rights reserved. # -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: # -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. # -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. # -# 3. Neither the name of the Institute nor the names of its contributors -# may be used to endorse or promote products derived from this software -# without specific prior written permission. +# 3. Neither the name of the Institute nor the names of its contributors +# may be used to endorse or promote products derived from this software +# without specific prior written permission. # -# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -# ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -# SUCH DAMAGE. +# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. # # $Id$ # +top_srcdir="@top_srcdir@" env_setup="@env_setup@" srcdir="@srcdir@" objdir="@objdir@" . ${env_setup} +. ${top_srcdir}/tests/bin/test-lib.sh # If there is no useful db support compiled in, disable test ../db/have-db || exit 77 
@@ -53,9 +55,9 @@ keytabfile=${objdir}/server.keytab keytab="FILE:${keytabfile}" gssmask="${TESTS_ENVIRONMENT} ../../appl/gssmask/gssmask" -gssmaskn1="${gssmask} -p 8889 --spn=host/n1.test.h5l.se@${R} --logfile=n1.log" -gssmaskn2="${gssmask} -p 8890 --spn=host/n2.test.h5l.se@${R} --logfile=n2.log" -gssmaskn3="${gssmask} -p 8891 --spn=host/n3.test.h5l.se@${R} --logfile=n3.log" +gssmaskn1="${gssmask} -p 8889 --spn=host/n1.test.h5l.se@${R} --logfile=n1.log --detach --pidfile=n1.pid" +gssmaskn2="${gssmask} -p 8890 --spn=host/n2.test.h5l.se@${R} --logfile=n2.log --detach --pidfile=n2.pid" +gssmaskn3="${gssmask} -p 8891 --spn=host/n3.test.h5l.se@${R} --logfile=n3.log --detach --pidfile=n3.pid" gssmaestro="../../appl/gssmask/gssmaestro" KRB5_CONFIG="${objdir}/krb5.conf" 
@@ -66,12 +68,13 @@ rm -f ${keytabfile} rm -f current-db* rm -f out-* rm -f mkey.file* +rm -f n1.pid n2.pid n3.pid -> messages.log +test_init -echo Creating database +test_section "Creating database" # Test virtual principals, why not -${kadmin} </dev/null` -echo "Starting client 1" -${gssmaskn1} --moniker=n1 & -n1pid=$! -#echo $n1pid -#xterm -display :0 -e g ${gssmaskn1} & -#read x +test_section "Starting client 2" +test_run ${gssmaskn2} --moniker=n2 +n2pid=`cat n2.pid 2>/dev/null` -echo "Starting client 2" -${gssmaskn2} --moniker=n2 & -n2pid=$! - -#echo "Starting client 3" -#${gssmaskn3} --moniker=n3 & -#n3pid=$! - -sleep 10 +#test_section "Starting client 3" +#${gssmaskn3} --moniker=n3 || { echo "gssmask n3 failed to start"; exit 1; } +#n3pid=`cat n3.pid 2>/dev/null` # XXX Make --wrap-ext work (seems to fail) # # Add --slaves=localhost:8891 if re-enabling client 3 -${gssmaestro} \ +test_section "Running gssmaestro" +test_run ${gssmaestro} \ --slaves=localhost:8889 \ --slaves=localhost:8890 \ - --principals=user1@${R}:u1 || exitcode=1 + --principals=user1@${R}:u1 trap "" EXIT echo "killing kdc and clients (${kdcpid}, ${n1pid}, ${n2pid}, ${n3pid})" kill ${kdcpid} ${n1pid} ${n2pid} ${n3pid} 2> /dev/null -exit $exitcode - - +test_finish +exit $? diff --git a/tests/gss/check-negoex.in b/tests/gss/check-negoex.in index 4d9146e79..797c1ced9 100644 --- a/tests/gss/check-negoex.in +++ b/tests/gss/check-negoex.in 
@@ -1,44 +1,46 @@ -#!/bin/sh +#!/bin/bash # # Copyright (c) 2006 Kungliga Tekniska Högskolan -# (Royal Institute of Technology, Stockholm, Sweden). -# All rights reserved. +# (Royal Institute of Technology, Stockholm, Sweden). +# All rights reserved. # -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: # -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. # -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. # -# 3. Neither the name of the Institute nor the names of its contributors -# may be used to endorse or promote products derived from this software -# without specific prior written permission. +# 3. Neither the name of the Institute nor the names of its contributors +# may be used to endorse or promote products derived from this software +# without specific prior written permission. # -# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -# ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -# SUCH DAMAGE. +# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. # # $Id$ # +top_srcdir="@top_srcdir@" env_setup="@env_setup@" srcdir="@srcdir@" objdir="@objdir@" . ${env_setup} +. ${top_srcdir}/tests/bin/test-lib.sh R=TEST.H5L.SE 
@@ -59,126 +61,111 @@ export KRB5_KTNAME KRB5CCNAME="${cache}-no" export KRB5CCNAME +KRB5_TRACE="0-/FILE:${objdir}/messages.log" + GSSAPI_SPNEGO_NAME=host@host.test.h5l.se export GSSAPI_SPNEGO_NAME GSS_MECH_CONFIG="${objdir}/mech" export GSS_MECH_CONFIG -> messages.log +test_init -exitcode=0 - -echo "======context building for negoex" +test_section "context building for negoex" for HOPS in 1 2 3 4 5 do - echo "test_negoex_1 $HOPS hops" - ${context} \ + test_section "test_negoex_1 $HOPS hops" + test_run env HOPS=$HOPS ${context} \ --mech-type=spnego --ret-mech-type=test_negoex_1 \ --name-type=hostbased-service \ - host@host.test.h5l.se || \ - { exitcode=1 ; echo test failed; } + host@host.test.h5l.se done for HOPS in 1 2 3 4 5 do - echo "test_negoex_1 $HOPS hops early keys" - KEY=always ${context} \ + test_section "test_negoex_1 $HOPS hops early keys" + test_run env HOPS=$HOPS KEY=always ${context} \ --mech-type=spnego --ret-mech-type=test_negoex_1 \ --name-type=hostbased-service \ - host@host.test.h5l.se || \ - { exitcode=1 ; echo test failed; } + host@host.test.h5l.se done -HOPS=1 -echo "test_negoex_1 no keys" - KEY=never ${context} \ - --mech-type=spnego --ret-mech-type=test_negoex_1 \ - --name-type=hostbased-service \ - host@host.test.h5l.se 2>/dev/null && \ - { exitcode=1 ; echo test failed; } +test_section "test_negoex_1 no keys (expected failure)" +test_run not env HOPS=1 KEY=never ${context} \ + --mech-type=spnego --ret-mech-type=test_negoex_1 \ + --name-type=hostbased-service \ + host@host.test.h5l.se -echo "test_negoex_1 no optimistic token" - NEGOEX_NO_OPTIMISTIC_TOKEN=1 ${context} \ - --mech-type=spnego --ret-mech-type=test_negoex_1 \ - --name-type=hostbased-service \ - host@host.test.h5l.se || \ - { exitcode=1 ; echo test failed; } +test_section "test_negoex_1 no optimistic token" +test_run env HOPS=1 NEGOEX_NO_OPTIMISTIC_TOKEN=1 ${context} \ + --mech-type=spnego --ret-mech-type=test_negoex_1 \ + --name-type=hostbased-service \ + host@host.test.h5l.se 
-echo "test_negoex_1 initiator query fail, test_negoex_2 pass" - INIT_QUERY_FAIL=102 ${context} \ - --mech-type=spnego --ret-mech-type=test_negoex_2 \ - --name-type=hostbased-service \ - host@host.test.h5l.se 2>/dev/null || \ - { exitcode=1 ; echo test failed; } +test_section "test_negoex_1 initiator query fail, test_negoex_2 pass" +test_run env INIT_QUERY_FAIL=102 ${context} \ + --mech-type=spnego --ret-mech-type=test_negoex_2 \ + --name-type=hostbased-service \ + host@host.test.h5l.se -echo "test_negoex_1 acceptor query fail, test_negoex_2 pass" - ACCEPT_QUERY_FAIL=102 ${context} \ - --mech-type=spnego --ret-mech-type=test_negoex_2 \ - --name-type=hostbased-service \ - host@host.test.h5l.se 2>/dev/null || \ - { exitcode=1 ; echo test failed; } +test_section "test_negoex_1 acceptor query fail, test_negoex_2 pass" +test_run env ACCEPT_QUERY_FAIL=102 ${context} \ + --mech-type=spnego --ret-mech-type=test_negoex_2 \ + --name-type=hostbased-service \ + host@host.test.h5l.se -echo "test_negoex_1 acceptor exchange fail, test_negoex_2 pass" - ACCEPT_EXCHANGE_FAIL=102 ${context} \ - --mech-type=spnego --ret-mech-type=test_negoex_2 \ - --name-type=hostbased-service \ - host@host.test.h5l.se 2>/dev/null || \ - { exitcode=1 ; echo test failed; } +test_section "test_negoex_1 acceptor exchange fail, test_negoex_2 pass" +test_run env ACCEPT_EXCHANGE_FAIL=102 ${context} \ + --mech-type=spnego --ret-mech-type=test_negoex_2 \ + --name-type=hostbased-service \ + host@host.test.h5l.se -echo "test_negoex_1 first mech initiator exchange fail" - INIT_EXCHANGE_FAIL=102 ${context} \ - --mech-type=spnego --ret-mech-type=test_negoex_1 \ - --name-type=hostbased-service \ - host@host.test.h5l.se 2>/dev/null && \ - { exitcode=1 ; echo test failed; } +test_section "test_negoex_1 first mech initiator exchange fail (expected failure)" +test_run not env INIT_EXCHANGE_FAIL=102 ${context} \ + --mech-type=spnego --ret-mech-type=test_negoex_1 \ + --name-type=hostbased-service \ + 
host@host.test.h5l.se -echo "test_negoex_1 first mech initiator exchange fail, two hops" - HOPS=2 INIT_EXCHANGE_FAIL=102 ${context} \ - --mech-type=spnego --ret-mech-type=test_negoex_1 \ - --name-type=hostbased-service \ - host@host.test.h5l.se 2>/dev/null && \ - { exitcode=1 ; echo test failed; } +test_section "test_negoex_1 first mech initiator exchange fail, two hops (expected failure)" +test_run not env HOPS=2 INIT_EXCHANGE_FAIL=102 ${context} \ + --mech-type=spnego --ret-mech-type=test_negoex_1 \ + --name-type=hostbased-service \ + host@host.test.h5l.se -echo "test_negoex_1 first mech initiator exchange fail, two hops, early keys" - HOPS=2 KEY=always INIT_EXCHANGE_FAIL=102 ${context} \ - --mech-type=spnego --ret-mech-type=test_negoex_1 \ - --name-type=hostbased-service \ - host@host.test.h5l.se 2>/dev/null && \ - { exitcode=1 ; echo test failed; } +test_section "test_negoex_1 first mech initiator exchange fail, two hops, early keys (expected failure)" +test_run not env HOPS=2 KEY=always INIT_EXCHANGE_FAIL=102 ${context} \ + --mech-type=spnego --ret-mech-type=test_negoex_1 \ + --name-type=hostbased-service \ + host@host.test.h5l.se -echo "test_negoex_1 first mech init_sec_context fail" - INIT_FAIL=102 ${context} \ - --mech-type=spnego --ret-mech-type=test_negoex_1 \ - --name-type=hostbased-service \ - host@host.test.h5l.se 2>/dev/null && \ - { exitcode=1 ; echo test failed; } +test_section "test_negoex_1 first mech init_sec_context fail (expected failure)" +test_run not env INIT_FAIL=102 ${context} \ + --mech-type=spnego --ret-mech-type=test_negoex_1 \ + --name-type=hostbased-service \ + host@host.test.h5l.se -echo "test_negoex_1 first mech accept_sec_context fail" - HOPS=2 ACCEPT_FAIL=102 ${context} \ - --mech-type=spnego --ret-mech-type=test_negoex_1 \ - --name-type=hostbased-service \ - host@host.test.h5l.se 2>/dev/null && \ - { exitcode=1 ; echo test failed; } +test_section "test_negoex_1 first mech accept_sec_context fail (expected failure)" +test_run not 
env HOPS=2 ACCEPT_FAIL=102 ${context} \ + --mech-type=spnego --ret-mech-type=test_negoex_1 \ + --name-type=hostbased-service \ + host@host.test.h5l.se -echo "test_negoex_1 alert from acceptor to initiator" - HOPS=3 KEY=init-always ${context} \ - --mech-type=spnego --ret-mech-type=test_negoex_1 \ - --name-type=hostbased-service \ - host@host.test.h5l.se || \ - { exitcode=1 ; echo test failed; } +test_section "test_negoex_1 alert from acceptor to initiator" +test_run env HOPS=3 KEY=init-always ${context} \ + --mech-type=spnego --ret-mech-type=test_negoex_1 \ + --name-type=hostbased-service \ + host@host.test.h5l.se -echo "test_negoex_1 alert from initiator to acceptor" - HOPS=4 KEY=accept-always ${context} \ - --mech-type=spnego --ret-mech-type=test_negoex_1 \ - --name-type=hostbased-service \ - host@host.test.h5l.se || \ - { exitcode=1 ; echo test failed; } +test_section "test_negoex_1 alert from initiator to acceptor" +test_run env HOPS=4 KEY=accept-always ${context} \ + --mech-type=spnego --ret-mech-type=test_negoex_1 \ + --name-type=hostbased-service \ + host@host.test.h5l.se unset GSS_MECH_CONFIG -echo "======test context building for sanon-x25519" +test_section "test context building for sanon-x25519" for mech in sanon-x25519 sanon-x25519iov spnego spnegoiov; do iov="" if [ "$mech" = "sanon-x25519iov" ] ; then 
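Review bot: The added `KRB5_TRACE="0-/FILE:${objdir}/messages.log"` is a plain assignment while the neighbouring `GSSAPI_SPNEGO_NAME` and `GSS_MECH_CONFIG` are followed by `export`; unless `env_setup` or test-lib.sh already exports KRB5_TRACE (not visible here), the value never reaches `${context}` and the trace log stays empty. Adding `export KRB5_TRACE` directly after it makes the intent explicit either way. Separately, the removed `HOPS=1` line used to precede every test from `INIT_QUERY_FAIL=102` onward, but the new code passes `env HOPS=...` only to the "no keys" and "no optimistic token" cases; if HOPS is exported anywhere earlier, the query/exchange-fail tests now inherit the last loop value (5) instead of 1. Passing `env HOPS=1` to those tests as well, or adding `unset HOPS` after the two loops, removes the dependence on the loop variable.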
@@ -190,37 +177,36 @@ for mech in sanon-x25519 sanon-x25519iov spnego spnegoiov; do iov="--iov" fi - echo "${mech} anon-flag ${iov}" ; > messages.log - ${context} --mech-type=${mech} \ + test_section "${mech} anon-flag ${iov}" + test_run ${context} --mech-type=${mech} \ --anonymous \ --ret-mech-type=sanon-x25519 \ --i-channel-bindings=negoex_sanon_test_h5l_se \ --a-channel-bindings=negoex_sanon_test_h5l_se \ --wrapunwrap ${iov} \ - host@lucid.test.h5l.se || \ - { eval "$testfailed"; } + host@lucid.test.h5l.se - echo "${mech} anon-initiator ${iov}" ; > messages.log - ${context} --mech-type=${mech} \ + test_section "${mech} anon-initiator ${iov}" + test_run env KRB5_TRACE=0-/FILE:/dev/stderr ${context} --mech-type=${mech} \ + --anonymous \ --client-name=WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS \ --ret-mech-type=sanon-x25519 \ --i-channel-bindings=negoex_sanon_test_h5l_se \ --a-channel-bindings=negoex_sanon_test_h5l_se \ --wrapunwrap ${iov} \ - host@lucid.test.h5l.se || \ - { eval "$testfailed"; } + host@lucid.test.h5l.se - echo "${mech} anon-acceptor ${iov}" ; > messages.log - ${context} --mech-type=${mech} \ + test_section "${mech} anon-acceptor ${iov}" + test_run env KRB5_TRACE=0-/FILE:/dev/stderr ${context} --mech-type=${mech} \ + --anonymous \ --ret-mech-type=sanon-x25519 \ --i-channel-bindings=negoex_sanon_test_h5l_se \ --a-channel-bindings=negoex_sanon_test_h5l_se \ --wrapunwrap ${iov} \ - WELLKNOWN@ANONYMOUS || \ - { eval "$testfailed"; } + WELLKNOWN@ANONYMOUS done -echo "======export-import-context for sanon-x25519" +test_section "export-import-context for sanon-x25519" for mech in sanon-x25519 sanon-x25519iov spnego spnegoiov; do iov="" if [ "$mech" = "sanon-x25519iov" ] ; then 
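Review bot: The `env KRB5_TRACE=0-/FILE:/dev/stderr` prefix on the anon-initiator and anon-acceptor `test_run` lines overrides the file-based KRB5_TRACE set at the top of the script and sends trace output to stderr for only these two cases; it reads like debugging residue, and if it is intentional a comment such as `# trace to stderr: these cases are the ones that have been hard to diagnose` should say so, otherwise drop the prefix. Adding `--anonymous` to both of those invocations also changes what they exercise: the initiator case previously requested anonymity only through `--client-name=WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS`, and with the flag added it no longer covers that path on its own, as far as the hunk shows. If the flag was needed to make the test pass, a short comment on why would help the next reader distinguish this from the preceding "anon-flag" case.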
@@ -232,28 +218,26 @@ for mech in sanon-x25519 sanon-x25519iov spnego spnegoiov; do iov="--iov" fi - echo "${mech}: export-import-context ${iov}" ; > messages.log - ${context} \ + test_section "${mech}: export-import-context ${iov}" + test_run ${context} \ --mech-type=${mech} \ --anonymous \ --export-import-context \ --wrapunwrap ${iov} \ - --name-type=hostbased-service host@lucid.test.h5l.se || \ - { eval "$testfailed"; } + --name-type=hostbased-service host@lucid.test.h5l.se - echo "${mech}: export-import-context ${iov} (split tokens)" ; > messages.log - ${context} \ + test_section "${mech}: export-import-context ${iov} (split tokens)" + test_run ${context} \ --mech-type=${mech} \ --anonymous \ --export-import-context \ --wrapunwrap ${iov} \ --token-split=128 \ - --name-type=hostbased-service host@lucid.test.h5l.se || \ - { eval "$testfailed"; } + --name-type=hostbased-service host@lucid.test.h5l.se done -echo "======dce-style for sanon-x25519" +test_section "dce-style for sanon-x25519" for mech in spnego spnegoiov; do iov="" if [ "$mech" = "spnegoiov" ] ; then @@ -261,14 +245,14 @@ for mech in spnego spnegoiov; do iov="--iov" fi - echo "${mech}: dce-style ${iov}" ; > messages.log - ${context} \ + test_section "${mech}: dce-style ${iov}" + test_run ${context} \ --mech-type=${mech} \ --anonymous --dce-style \ --wrapunwrap ${iov} \ - --name-type=hostbased-service host@lucid.test.h5l.se || \ - { eval "$testfailed"; } + --name-type=hostbased-service host@lucid.test.h5l.se done -exit $exitcode +test_finish +exit $? diff --git a/tests/gss/check-nodns.in b/tests/gss/check-nodns.in index e9ac14225..9d629e5c3 100644 --- a/tests/gss/check-nodns.in +++ b/tests/gss/check-nodns.in 
@@ -1,44 +1,46 @@ -#!/bin/sh +#!/bin/bash # # Copyright (c) 2007 Kungliga Tekniska Högskolan -# (Royal Institute of Technology, Stockholm, Sweden). -# All rights reserved. +# (Royal Institute of Technology, Stockholm, Sweden). +# All rights reserved. # -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: # -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. # -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. # -# 3. Neither the name of the Institute nor the names of its contributors -# may be used to endorse or promote products derived from this software -# without specific prior written permission. +# 3. Neither the name of the Institute nor the names of its contributors +# may be used to endorse or promote products derived from this software +# without specific prior written permission. # -# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -# ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -# SUCH DAMAGE. +# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. # # $Id$ # +top_srcdir="@top_srcdir@" env_setup="@env_setup@" srcdir="@srcdir@" objdir="@objdir@" . ${env_setup} +. ${top_srcdir}/tests/bin/test-lib.sh # If there is no useful db support compiled in, disable test ../db/have-db || exit 77 
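Review bot: `. ${top_srcdir}/tests/bin/test-lib.sh` is unquoted and unguarded: outside POSIX mode bash does not exit when a sourced file is missing, so a wrong `@top_srcdir@` substitution would leave test_init/test_run undefined and the script would fail later with "command not found" instead of at the point of the mistake; `. "${top_srcdir}/tests/bin/test-lib.sh" || exit 1` fails early and survives a path with spaces. The shebang change from `#!/bin/sh` to `#!/bin/bash` makes bash a hard requirement of the test suite; if that is intended, a one-line comment naming the bashism the new library relies on would stop someone reverting it. The same two points apply to the header hunk of check-spnego.in further down.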
@@ -74,11 +76,12 @@ rm -f current-db* rm -f out-* rm -f mkey.file* -> messages.log +test_init -echo Creating database -echo upw > ${objdir}/foopassword -${kadmin} < ${objdir}/foopassword + +test_section "Creating database" +test_run ${kadmin} </dev/null && exit 1 + --acquire-name=host@host2.test.h5l.se -echo "init using keytab" -${acquire_cred} \ +test_section "init using keytab" +test_run ${acquire_cred} \ --kerberos \ --acquire-type=initiate \ - --acquire-name=host@host.test.h5l.se > /dev/null || exit 1 + --acquire-name=host@host.test.h5l.se -echo "init using keytab (loop 10)" -${acquire_cred} \ +test_section "init using keytab (loop 10)" +test_run ${acquire_cred} \ --kerberos \ --acquire-type=initiate \ --loops=10 \ - --acquire-name=host@host.test.h5l.se > /dev/null || exit 1 + --acquire-name=host@host.test.h5l.se -echo "init using keytab (loop 10, target)" -${acquire_cred} \ +test_section "init using keytab (loop 10, target)" +test_run ${acquire_cred} \ --kerberos \ --acquire-type=initiate \ --loops=10 \ --target=host@host.test.h5l.se \ - --acquire-name=host@host.test.h5l.se > /dev/null || exit 1 + --acquire-name=host@host.test.h5l.se -echo "init using keytab (loop 10, kerberos)" -${acquire_cred} \ +test_section "init using keytab (loop 10, kerberos)" +test_run ${acquire_cred} \ --acquire-type=initiate \ --loops=10 \ --kerberos \ - --acquire-name=host@host.test.h5l.se > /dev/null || exit 1 + --acquire-name=host@host.test.h5l.se -echo "init using keytab (loop 10, target, kerberos)" -${acquire_cred} \ +test_section "init using keytab (loop 10, target, kerberos)" +test_run ${acquire_cred} \ --acquire-type=initiate \ --loops=10 \ --kerberos \ --target=host@host.test.h5l.se \ - --acquire-name=host@host.test.h5l.se > /dev/null || exit 1 + --acquire-name=host@host.test.h5l.se -echo "init using existing cc" -${acquire_cred} \ +test_section "init using existing cc" +test_run ${acquire_cred} \ --kerberos \ --name-type=user-name \ --acquire-type=initiate \ - 
--acquire-name=user || exit 1 + --acquire-name=user KRB5CCNAME=${nocache} -echo "fail init using existing cc" -${acquire_cred} \ +test_section "fail init using existing cc (expected failure)" +# This should fail - no such cache +test_run not ${acquire_cred} \ --kerberos \ --name-type=user-name \ --acquire-type=initiate \ - --acquire-name=user 2>/dev/null && exit 1 + --acquire-name=user -echo "use gss_krb5_ccache_name for user" -${acquire_cred} \ +test_section "use gss_krb5_ccache_name for user" +test_run ${acquire_cred} \ --kerberos \ --name-type=user-name \ --ccache=${cache} \ --acquire-type=initiate \ - --acquire-name=user >/dev/null || exit 1 + --acquire-name=user KRB5CCNAME=${cache} KRB5_KTNAME=${nokeytab} -echo "kcred" -${test_kcred} || exit 1 +test_section "kcred" +test_run ${test_kcred} -${kdestroy} -c ${cache} +${kdestroy} -c ${cache} 2>/dev/null || true KRB5_KTNAME="${keytab}" -echo "init using keytab" -${acquire_cred} \ +test_section "init using keytab (after kdestroy)" +test_run ${acquire_cred} \ --kerberos \ --acquire-type=initiate \ - --acquire-name=host@host.test.h5l.se 2>/dev/null || exit 1 + --acquire-name=host@host.test.h5l.se -echo "init using keytab (ccache)" -${acquire_cred} \ +test_section "init using keytab (ccache)" +test_run ${acquire_cred} \ --kerberos \ --acquire-type=initiate \ --ccache=${cache} \ - --acquire-name=host@host.test.h5l.se 2>/dev/null || exit 1 + --acquire-name=host@host.test.h5l.se trap "" EXIT echo "killing kdc (${kdcpid})" kill ${kdcpid} 2> /dev/null -exit $exitcode +test_finish +exit $? diff --git a/tests/gss/check-spnego.in b/tests/gss/check-spnego.in index 8e4884432..422640a8f 100644 --- a/tests/gss/check-spnego.in +++ b/tests/gss/check-spnego.in 
@@ -1,44 +1,46 @@ -#!/bin/sh +#!/bin/bash # # Copyright (c) 2006 Kungliga Tekniska Högskolan -# (Royal Institute of Technology, Stockholm, Sweden). -# All rights reserved. +# (Royal Institute of Technology, Stockholm, Sweden). +# All rights reserved. # -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: # -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. # -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. # -# 3. Neither the name of the Institute nor the names of its contributors -# may be used to endorse or promote products derived from this software -# without specific prior written permission. +# 3. Neither the name of the Institute nor the names of its contributors +# may be used to endorse or promote products derived from this software +# without specific prior written permission. # -# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -# ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -# SUCH DAMAGE. +# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. # # $Id$ # +top_srcdir="@top_srcdir@" env_setup="@env_setup@" srcdir="@srcdir@" objdir="@objdir@" . ${env_setup} +. ${top_srcdir}/tests/bin/test-lib.sh # If there is no useful db support compiled in, disable test ../db/have-db || exit 77 
@@ -69,17 +71,15 @@ export KRB5CCNAME GSSAPI_SPNEGO_NAME=host@host.test.h5l.se export GSSAPI_SPNEGO_NAME -testfailed="exitcode=1; echo test failed; cat messages.log; exit 1" - rm -f ${keytabfile} rm -f current-db* rm -f out-* rm -f mkey.file* -> messages.log +test_init -echo Creating database -${kadmin} < ${objdir}/foopassword echo ds > ${objdir}/barpassword -echo Starting kdc -${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; } +test_section "Starting kdc" +test_run ${kdc} --detach --testing kdcpid=`getpid kdc` cleanup() { 
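Review bot: `test_run ${kdc} --detach --testing` turns a failed KDC start into a recorded test result instead of a fatal error: the removed line aborted with `exit 1` after dumping messages.log, whereas now — unless test_run itself exits on failure, which the hunk does not show — the script continues into the `kdcpid=` assignment and every later case runs without a KDC, burying the real cause under unrelated failures. Setup steps should stay fatal, e.g. `test_run ${kdc} --detach --testing || exit 1` or whatever abort path test-lib.sh provides; the `test_run ${kinit} ...` line in this file's next hunk is the same kind of prerequisite. Separately, the hunk removes `${kadmin} < ${objdir}/foopassword` with no replacement visible here while its header counts two more new lines than are shown, so the database-creation step may have been lost in rendering rather than in the change; worth confirming it survived.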
@@ -106,56 +106,48 @@ cleanup() {
 }
 trap cleanup EXIT INT TERM
-exitcode=0
+test_section "Getting client initial tickets"
+test_run ${kinit} --password-file=${objdir}/foopassword user1@${R}
-echo "Getting client initial tickets"
-${kinit} --password-file=${objdir}/foopassword user1@${R} || exitcode=1
-echo "Getting digestserver initial tickets"
+test_section "context building for each mech"
-echo "======context building for each mech"
-
-for mech in krb5 ; do
- echo "${mech}"
- ${context} --mech-type=${mech} --ret-mech-type=${mech} \
+for mech in krb5 ; do
+ test_section "${mech}"
+ test_run ${context} --mech-type=${mech} --ret-mech-type=${mech} \
 --client-ccache="${cache}" \
 --gsskrb5-acceptor-identity="${keytab}" \
- --name-type=hostbased-service host@host.test.h5l.se || \
- { eval "$testfailed"; }
+ --name-type=hostbased-service host@host.test.h5l.se
 done
-echo "spnego"
-${context} \
+test_section "spnego"
+test_run ${context} \
 --client-ccache="${cache}" \
 --mech-type=spnego \
 --ret-mech-type=krb5 \
 --name-type=hostbased-service \
 --export-import-context \
- host@host.test.h5l.se || \
- { eval "$testfailed"; }
+ host@host.test.h5l.se
-echo "spnego (split tokens)"
-${context} \
+test_section "spnego (split tokens)"
+test_run ${context} \
 --token-split=128 \
 --client-ccache="${cache}" \
 --mech-type=spnego \
 --ret-mech-type=krb5 \
 --name-type=hostbased-service \
 --export-import-context \
- host@host.test.h5l.se || \
- { eval "$testfailed"; }
+ host@host.test.h5l.se
-echo "test failure cases"
-${context} --mech-type=sanon-x25519 --ret-mech-type=krb5 \
+test_section "test failure cases"
+test_run not ${context} --mech-type=sanon-x25519 --ret-mech-type=krb5 \
 --client-ccache="${cache}" \
- --name-type=hostbased-service host@host.test.h5l.se 2> /dev/null && \
- { eval "$testfailed"; }
+ --name-type=hostbased-service host@host.test.h5l.se
-${context} --mech-type=krb5 --ret-mech-type=sanon-x25519 \
+test_run not ${context} --mech-type=krb5 --ret-mech-type=sanon-x25519 \
 --client-ccache="${cache}" \
- --name-type=hostbased-service host@host.test.h5l.se 2> /dev/null && \
- { eval "$testfailed"; }
+ --name-type=hostbased-service host@host.test.h5l.se
-echo "======spnego variants context building"
+test_section "spnego variants context building"
 for arg in \
 "" \
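Review bot: The expected-failure cases `test_run not ${context} --mech-type=sanon-x25519 --ret-mech-type=krb5 ...` and the krb5/sanon-x25519 pair right after it pass on any non-zero exit, so a crash, a missing binary or a rejected option would be reported as the negotiation correctly refusing the mech; the old `2> /dev/null && { eval "$testfailed"; }` form had the same weakness, but now that stderr is no longer discarded the `not` helper is the natural place to fix it. If test-lib.sh keeps the captured output (messages.log in the old code), follow each `not` case with a `grep -q '<expected error text>'` on that output, reported through the library's failure path, so only the intended refusal counts as a pass. The same applies to the four `(expected failure)` cases in the next hunk of this file and to the `test_run not ${acquire_cred}` case in check-nodns.in.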
@@ -166,55 +158,46 @@ for arg in \
 "--mutual --getverifymic --wrapunwrap" \
 ; do
- echo "with krb5 creds ${arg}"
- ${context} --mech-type=spnego \
+ test_section "with krb5 creds ${arg}"
+ test_run ${context} --mech-type=spnego \
 $arg \
 --name-type=hostbased-service \
 --ret-mech-type=krb5 \
- host@host.test.h5l.se || \
- { eval "$testfailed"; }
+ host@host.test.h5l.se
- echo "no krb5 acceptor cred ${arg}"
+ test_section "no krb5 acceptor cred ${arg} (expected failure)"
 KRB5_KTNAME="${keytab}-no"
- ${context} --mech-type=spnego \
+ test_run not ${context} --mech-type=spnego \
 $arg \
 --server-no-delegate \
 --name-type=hostbased-service \
- --ret-mech-type=sanon-x25519 \
- host@host.test.h5l.se && \
- { eval "$testfailed"; }
+ host@host.test.h5l.se
 KRB5_KTNAME="${keytab}"
- echo "no explicit krb5 acceptor cred ${arg}"
- ${context} --mech-type=spnego \
+ test_section "no explicit krb5 acceptor cred ${arg} (expected failure)"
+ test_run not ${context} --mech-type=spnego \
 $arg \
 --gsskrb5-acceptor-identity="${keytab}-no" \
 --server-no-delegate \
 --name-type=hostbased-service \
- --ret-mech-type=krb5 \
- host@host.test.h5l.se 2>/dev/null && \
- { eval "$testfailed"; }
+ host@host.test.h5l.se
- echo "no krb5 initiator cred ${arg}"
+ test_section "no krb5 initiator cred ${arg} (expected failure)"
 KRB5CCNAME="${cache}-no"
- ${context} --mech-type=spnego \
+ test_run not ${context} --mech-type=spnego \
 $arg \
 --server-no-delegate \
 --name-type=hostbased-service \
- --ret-mech-type=sanon-x25519 \
- host@host.test.h5l.se && \
- { eval "$testfailed"; }
+ host@host.test.h5l.se
 KRB5CCNAME="${cache}"
- echo "no explicit krb5 initiator cred ${arg}"
- ${context} --mech-type=spnego \
+ test_section "no explicit krb5 initiator cred ${arg} (expected failure)"
+ test_run not ${context} --mech-type=spnego \
 $arg \
 --client-ccache="${cache}-no" \
 --server-no-delegate \
 --name-type=hostbased-service \
- --ret-mech-type=krb5 \
- host@host.test.h5l.se 2>/dev/null && \
- { eval "$testfailed"; }
+ host@host.test.h5l.se
 done
@@ -223,6 +206,5 @@ trap "" EXIT
 echo "killing kdc (${kdcpid})"
 kill ${kdcpid} 2> /dev/null
-exit $exitcode
-
-
+test_finish
+exit $?