From 9c8ceada75c365417c074bf639727d5465fd8b3e Mon Sep 17 00:00:00 2001 From: Nicolas Williams Date: Thu, 20 Oct 2011 18:23:40 -0500 Subject: [PATCH] Fix test bug, add test of DNS resolver searchlist name canon rule --- tests/kdc/Makefile.am | 12 ++++- tests/kdc/check-canon.in | 56 +++++++++++++++++++-- tests/kdc/krb5-canon.conf.in | 3 +- tests/kdc/krb5-canon2.conf.in | 93 +++++++++++++++++++++++++++++++++++ 4 files changed, 157 insertions(+), 7 deletions(-) create mode 100644 tests/kdc/krb5-canon2.conf.in diff --git a/tests/kdc/Makefile.am b/tests/kdc/Makefile.am index 9bd674b8f..2be4b03d4 100644 --- a/tests/kdc/Makefile.am +++ b/tests/kdc/Makefile.am @@ -3,6 +3,7 @@ include $(top_srcdir)/Makefile.am.common noinst_DATA = \ krb5.conf \ krb5-canon.conf \ + krb5-canon2.conf \ krb5-hdb-mitdb.conf.in \ krb5-weak.conf \ krb5-pkinit.conf \ @@ -52,7 +53,7 @@ do_subst = sed $(do_dlopen) \ LDADD = ../../lib/krb5/libkrb5.la $(LIB_roken) -check-canon: check-canon.in Makefile krb5-canon.conf +check-canon: check-canon.in Makefile krb5-canon.conf krb5-canon2.conf $(do_subst) < $(srcdir)/check-canon.in > check-canon.tmp chmod +x check-canon.tmp mv check-canon.tmp check-canon @@ -141,6 +142,13 @@ krb5-canon.conf: krb5-canon.conf.in Makefile -e 's,[@]kdc[@],,g' < $(srcdir)/krb5-canon.conf.in > krb5-canon.conf.tmp mv krb5-canon.conf.tmp krb5-canon.conf +krb5-canon2.conf: krb5-canon2.conf.in Makefile + $(do_subst) \ + -e 's,[@]WEAK[@],false,g' \ + -e 's,[@]dk[@],,g' \ + -e 's,[@]kdc[@],,g' < $(srcdir)/krb5-canon2.conf.in > krb5-canon2.conf.tmp + mv krb5-canon2.conf.tmp krb5-canon2.conf + krb5-hdb-mitdb.conf: krb5-hdb-mitdb.conf.in Makefile $(do_subst) \ -e 's,[@]WEAK[@],false,g' \ @@ -185,6 +193,7 @@ CLEANFILES= \ foopassword \ krb5.conf \ krb5-canon.conf \ + krb5-canon2.conf \ krb5-weak.conf \ krb5.conf.keys \ krb5-cc.conf \ 
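Review bot: The new krb5-canon2.conf rule in the @@ -141 hunk is a verbatim copy of the krb5-canon.conf rule above it with the file name spelled out five times, which is how the two will drift apart the next time the substitution list changes (the krb5-hdb-mitdb.conf rule, cut off at the end of the hunk, starts the same way). At minimum let the target name appear once via `$@`: `-e 's,[@]kdc[@],,g' < $(srcdir)/krb5-canon2.conf.in > $@.tmp` and `mv $@.tmp $@`; `$@` is portable in explicit rules, unlike `$<`, so this stays within what automake accepts. Hoisting the three shared `-e` expressions into a variable next to `do_subst` would remove the remaining duplication, provided the other conf rules in this Makefile.am really use the same three.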
@@ -240,6 +249,7 @@ EXTRA_DIST = \ krb5-pkinit.conf.in \ krb5.conf.in \ krb5-canon.conf.in \ + krb5-canon2.conf.in \ krb5.conf.keys.in \ ntlm-user-file.txt \ leaks-kill.sh \ diff --git a/tests/kdc/check-canon.in b/tests/kdc/check-canon.in index 8665242e6..7aeae24b1 100644 --- a/tests/kdc/check-canon.in +++ b/tests/kdc/check-canon.in @@ -56,7 +56,7 @@ kdestroy="${kdestroy} -c $cache ${afs_no_unlog}" KRB5_CONFIG="${objdir}/krb5-canon.conf" export KRB5_CONFIG -testfailed="echo test failed; ${klist} -v ; exit 1" +testfailed="echo test failed; ${klist}; exit 1" rm -f ${keytabfile} rm -f current-db* @@ -88,7 +88,7 @@ ${kadmin} add -p foo --use-defaults host/t11.test1.h5l.se@${R1} || exit 1 ${kadmin} add -p foo --use-defaults host/t12.test1.h5l.se@${R2} || exit 1 ${kadmin} add -p foo --use-defaults host/t22.test2.h5l.se@${R2} || exit 1 ${kadmin} add -p foo --use-defaults host/t23.test2.h5l.se@${R3} || exit 1 -${kadmin} add -p foo --use-defaults host/t33.test2.h5l.se@${R3} || exit 1 +${kadmin} add -p foo --use-defaults host/t33.test3.h5l.se@${R3} || exit 1 echo "Doing database check" @@ -123,7 +123,7 @@ ${kgetcred} --name-type=SRV_HST host t3 || { ec=1 ; eval "${testfailed}"; } ${kgetcred} --name-type=SRV_HST host t11 || { ec=1 ; eval "${testfailed}"; } ${kgetcred} --name-type=SRV_HST host t12 || { ec=1 ; eval "${testfailed}"; } ${kgetcred} --name-type=SRV_HST host t22 || { ec=1 ; eval "${testfailed}"; } -${kgetcred} --name-type=SRV_HST host t23 && { ec=1 ; eval "${testfailed}"; } +${kgetcred} --name-type=SRV_HST host t23 2> /dev/null && { ec=1 ; eval "${testfailed}"; } ${kgetcred} --name-type=SRV_HST host t33 || { ec=1 ; eval "${testfailed}"; } echo "check result" 
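Review bot: The t23 check on the changed line of the @@ -123 hunk now discards stderr of a command whose failure is the expected outcome, so the check passes equally when kgetcred fails for an unrelated reason (KDC not reachable, expired initial ticket) and no longer shows that the canon rule rejected the name. Capturing stderr instead, `${kgetcred} --name-type=SRV_HST host t23 2> kgetcred.err && { ec=1 ; eval "${testfailed}"; }`, and then grepping kgetcred.err for the expected KDC/lookup error before continuing keeps the output quiet while pinning the reason; the exact message to match should be taken from a deliberate run, I cannot confirm it from here. The same weakness applies to the four `2> /dev/null &&` checks (t12, t22, t23, t33) added in the later @@ -153 hunk.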
@@ -141,7 +141,7 @@ ${klist} | grep "host/t3@${R3}" > /dev/null || { ec=1 ; echo "canonicalized t3 entry not present"; eval "${testfailed}"; } ${klist} | grep 'host/t11@$' > /dev/null || { ec=1 ; echo "t11 referral entry not present"; eval "${testfailed}"; } -${klist} | grep "host/t11.test1.h5l.se@${R2}" > /dev/null || +${klist} | grep "host/t11.test1.h5l.se@${R1}" > /dev/null || { ec=1 ; echo "canonicalized t11 entry not present"; eval "${testfailed}"; } ${klist} | grep 'host/t12@$' > /dev/null || { ec=1 ; echo "t12 referral entry not present"; eval "${testfailed}"; } 
@@ -153,10 +153,56 @@ ${klist} | grep "host/t22.test2.h5l.se@${R2}" > /dev/null || { ec=1 ; echo "canonicalized t22 entry not present"; eval "${testfailed}"; } ${klist} | grep 'host/t33@$' > /dev/null || { ec=1 ; echo "t33 referral entry not present"; eval "${testfailed}"; } -${klist} | grep "host/t33.test2.h5l.se@${R2}" > /dev/null || +${klist} | grep "host/t33.test3.h5l.se@${R3}" > /dev/null || { ec=1 ; echo "canonicalized t33 entry not present"; eval "${testfailed}"; } +${kdestroy} + +# This may not be portable. It'd be nice to be able to set more of the +# resolver configuration via the environment! +LOCALDOMAIN=test1.h5l.se +export LOCALDOMAIN +KRB5_CONFIG="${objdir}/krb5-canon2.conf" +export KRB5_CONFIG + +echo "Getting client initial tickets (round 2)"; +${kinit} --password-file=${objdir}/foopassword foo@${R1} || \ + { ec=1 ; eval "${testfailed}"; } + +echo "get service tickets" +${kgetcred} --name-type=SRV_HST host t1 || { ec=1 ; eval "${testfailed}"; } +${kgetcred} --name-type=SRV_HST host t2 || { ec=1 ; eval "${testfailed}"; } +${kgetcred} --name-type=SRV_HST host t3 || { ec=1 ; eval "${testfailed}"; } +${kgetcred} --name-type=SRV_HST host t11 || { ec=1 ; eval "${testfailed}"; } +${kgetcred} --name-type=SRV_HST host t12 2> /dev/null && + { ec=1 ; eval "${testfailed}"; } +${kgetcred} --name-type=SRV_HST host t22 2> /dev/null && + { ec=1 ; eval "${testfailed}"; } +${kgetcred} --name-type=SRV_HST host t23 2> /dev/null && + { ec=1 ; eval "${testfailed}"; } +${kgetcred} --name-type=SRV_HST host t33 2> /dev/null && + { ec=1 ; eval "${testfailed}"; } + +echo "check result" +${klist} | grep 'host/t1@$' > /dev/null || + { ec=1 ; echo "t1 referral entry not present"; eval "${testfailed}"; } +${klist} | grep "host/t1@${R1}" > /dev/null || + { ec=1 ; echo "canonicalized t1 entry not present"; eval "${testfailed}"; } +${klist} | grep 'host/t2@$' > /dev/null || + { ec=1 ; echo "t2 referral entry not present"; eval "${testfailed}"; } +${klist} | grep "host/t2@${R2}" > 
/dev/null || + { ec=1 ; echo "canonicalized t2 entry not present"; eval "${testfailed}"; } +${klist} | grep 'host/t3@$' > /dev/null || + { ec=1 ; echo "t3 referral entry not present"; eval "${testfailed}"; } +${klist} | grep "host/t3@${R3}" > /dev/null || + { ec=1 ; echo "canonicalized t3 entry not present"; eval "${testfailed}"; } +${klist} | grep 'host/t11@$' > /dev/null || + { ec=1 ; echo "t11 referral entry not present"; eval "${testfailed}"; } +${klist} | grep "host/t11.test1.h5l.se@${R1}" > /dev/null || + { ec=1 ; echo "canonicalized t11 entry not present"; eval "${testfailed}"; } + + ${kdestroy} echo "killing kdc (${kdcpid})" diff --git a/tests/kdc/krb5-canon.conf.in b/tests/kdc/krb5-canon.conf.in index b2989bf05..f8cbc3e20 100644 --- a/tests/kdc/krb5-canon.conf.in +++ b/tests/kdc/krb5-canon.conf.in @@ -1,13 +1,14 @@ [libdefaults] default_realm = TEST.H5L.SE TEST2.H5L.SE no-addresses = TRUE + dns_lookup_realm = no name_canon_rules = as-is:realm=TEST.H5L.SE name_canon_rules = as-is:realm=TEST2.H5L.SE name_canon_rules = as-is:realm=TEST3.H5L.SE name_canon_rules = qualify:domain=test1.h5l.se:realm=TEST.H5L.SE name_canon_rules = qualify:domain=test1.h5l.se:realm=TEST2.H5L.SE name_canon_rules = qualify:domain=test2.h5l.se:realm=TEST2.H5L.SE - name_canon_rules = qualify:domain=test2.h5l.se:realm=TEST2.H5L.SE + name_canon_rules = qualify:domain=test3.h5l.se:realm=TEST3.H5L.SE [appdefaults] pkinit_anchors = FILE:@srcdir@/../../lib/hx509/data/ca.crt diff --git a/tests/kdc/krb5-canon2.conf.in b/tests/kdc/krb5-canon2.conf.in new file mode 100644 index 000000000..63a11f4e4 --- /dev/null +++ b/tests/kdc/krb5-canon2.conf.in 
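Review bot: Round 2 in the @@ -153 hunk hard-fails when the resolver ignores LOCALDOMAIN, which the hunk's own comment already suspects is possible; on such a host the use-resolver-searchlist rule would presumably fall back to the system search list, and the t11-succeeds / t12-fails expectations then depend on the machine's /etc/resolv.conf rather than on the code under test. Consider printing a distinguishable message before the first round-2 failure, e.g. `echo "round 2: resolver may not honor LOCALDOMAIN"` ahead of `eval "${testfailed}"`, so a fixture problem is not reported as a name-canonicalization regression. The `;` after the "round 2" echo is a stray, and the blank-line pair before the final `${kdestroy}` can go. The script continues past the hunk (kdestroy, killing the kdc).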
@@ -0,0 +1,93 @@
+[libdefaults]
+ default_realm = TEST.H5L.SE TEST2.H5L.SE
+ no-addresses = TRUE
+ dns_lookup_realm = no
+ name_canon_rules = as-is:realm=TEST.H5L.SE
+ name_canon_rules = as-is:realm=TEST2.H5L.SE
+ name_canon_rules = as-is:realm=TEST3.H5L.SE
+ name_canon_rules = use-resolver-searchlist
+
+[appdefaults]
+ pkinit_anchors = FILE:@srcdir@/../../lib/hx509/data/ca.crt
+ reconnect-min = 2s
+ reconnect-backoff = 2s
+ reconnect-max = 10s
+
+[realms]
+ TEST.H5L.SE = {
+ kdc = localhost:@port@
+ admin_server = localhost:@admport@
+ kpasswd_server = localhost:@pwport@
+ }
+ TEST2.H5L.SE = {
+ kdc = localhost:@port@
+ kpasswd_server = localhost:@pwport@
+ }
+ TEST3.H5L.SE = {
+ kdc = localhost:@port@
+ }
+
+[domain_realm]
+ .test1.h5l.se = TEST.H5L.SE
+ .test2.h5l.se = TEST2.H5L.SE
+ .test3.h5l.se = TEST3.H5L.SE
+ localhost = TEST.H5L.SE
+
+
+[kdc]
+ enable-digest = true
+ allow-anonymous = true
+ digests_allowed = chap-md5,digest-md5,ntlm-v1,ntlm-v1-session,ntlm-v2,ms-chap-v2
+
+ enable-http = true
+
+ enable-pkinit = true
+ pkinit_identity = FILE:@srcdir@/../../lib/hx509/data/kdc.crt,@srcdir@/../../lib/hx509/data/kdc.key
+ pkinit_anchors = FILE:@srcdir@/../../lib/hx509/data/ca.crt
+ pkinit_pool = FILE:@srcdir@/../../lib/hx509/data/sub-ca.crt
+# pkinit_revoke = CRL:@srcdir@/../../lib/hx509/data/crl1.crl
+ pkinit_mappings_file = @srcdir@/pki-mapping
+ pkinit_allow_proxy_certificate = true
+
+ database = {
+ label = {
+ dbname = @objdir@/current-db@kdc@
+ realm = TEST.H5L.SE
+ mkey_file = @objdir@/mkey.file
+ acl_file = @srcdir@/heimdal.acl
+ log_file = @objdir@/current@kdc@.log
+ }
+ label2 = {
+ dbname = @objdir@/current-db@kdc@
+ realm = TEST2.H5L.SE
+ mkey_file = @objdir@/mkey.file
+ acl_file = @srcdir@/heimdal.acl
+ log_file = @objdir@/current@kdc@.log
+ }
+ }
+
+ signal_socket = @objdir@/signal
+ iprop-stats = @objdir@/iprop-stats
+ iprop-acl = @srcdir@/iprop-acl
+
+[logging]
+ kdc = 0-/FILE:@objdir@/messages.log
+ default = 0-/FILE:@objdir@/messages.log
+
+[kadmin]
+ save-password = true
+ @dk@
+
+[capaths]
+ TEST.H5L.SE = {
+ TEST3.H5L.SE = .
+ TEST2.H5L.SE = .
+ }
+ TEST2.H5L.SE = {
+ TEST.H5L.SE = .
+ TEST3.H5L.SE = .
+ }
+ TEST3.H5L.SE = {
+ TEST.H5L.SE = .
+ TEST2.H5L.SE = .
+ }
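Review bot: krb5-canon2.conf.in carries the complete [kdc], [logging] and [kadmin] sections of krb5-canon.conf.in although, as far as the check-canon hunk shows, the KDC is already running when round 2 starts and this file only replaces the client's KRB5_CONFIG; the duplicated KDC-side settings (database labels, pkinit identity, iprop paths, the commented-out pkinit_revoke line) can then drift from the original unnoticed. Either trim the file to the client-relevant sections ([libdefaults], [appdefaults], [realms], [domain_realm], [capaths]) or state the intent in a header comment, e.g. `# Client-side copy of krb5-canon.conf.in; only name_canon_rules differ (use-resolver-searchlist instead of qualify rules).`. If the [kdc] block stays, a one-line comment that the digest and anonymous settings are deliberate test-fixture choices would help a reader who otherwise sees a production-looking KDC section in a test config.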