bx509: Complete /get-tgt?cname= support

This commit is contained in:
Nicolas Williams
2021-04-22 17:01:49 -05:00
parent 76d6ee4abc
commit a4adb8354f
2 changed files with 54 additions and 13 deletions


@@ -290,6 +290,7 @@ ${kadmin} init \
--realm-max-renewable-life=1month \
${R} || exit 1
${kadmin} add -r --use-defaults foo@${R} || exit 1
${kadmin} add -r --use-defaults bar@${R} || exit 1
${kadmin} modify --pkinit-acl="CN=foo,DC=test,DC=h5l,DC=se" foo@${R} || exit 1
@@ -433,6 +434,17 @@ trap "kill -9 ${kdcpid} ${bx509pid}; echo signal killing kdc and bx509d; exit 1;
${kinit} -kt $ukeytab foo@${R} || exit 1
$klist || { echo "failed to setup kimpersonate credentials"; exit 2; }
echo "Fetch TGT (not granted for other)"
token=$(KRB5CCNAME=$cache $gsstoken HTTP@$server)
if (set -vx;
curl -o "${cachefile2}" -Lgsf \
--resolve ${server}:${bx509port}:127.0.0.1 \
-H "Authorization: Negotiate $token" \
"http://${server}:${bx509port}/get-tgt?cname=bar@${R}&address=8.8.8.8"); then
echo "Got a TGT with /get-tgt end-point when not granted!"
exit 2
fi
echo "Fetch TGT"
(set -vx; csr_grant pkinit foo@${R} foo@${R})
(set -vx; csr_grant eku 1.3.6.1.5.2.3.4 foo@${R})
@@ -465,6 +477,23 @@ ${kgetcred} -H HTTP/${server}@${R} ||
${klist} | grep Addresses:.IPv4:8.8.8.8 ||
{ echo "Failed to get a TGT with /get-tgt end-point with addresses"; exit 2; }
echo "Fetch TGT (for other)"
(set -vx; csr_grant pkinit bar@${R} foo@${R})
${kdestroy}
token=$(KRB5CCNAME=$cache2 $gsstoken HTTP@$server)
if ! (set -vx;
curl -o "${cachefile}" -Lgsf \
--resolve ${server}:${bx509port}:127.0.0.1 \
-H "Authorization: Negotiate $token" \
"http://${server}:${bx509port}/get-tgt?cname=bar@${R}&address=8.8.8.8"); then
echo "Failed to get a TGT with /get-tgt end-point"
exit 2
fi
${kgetcred} -H HTTP/${server}@${R} ||
{ echo "Trivial offline CA test failed (TGS)"; exit 2; }
${klist} | grep Addresses:.IPv4:8.8.8.8 ||
{ echo "Failed to get a TGT with /get-tgt end-point with addresses"; exit 2; }
echo "Fetch negotiate token (pre-test)"
# Do what /bnegotiate does, roughly, prior to testing /bnegotiate
$hxtool request-create --subject='' --generate-key=rsa --key-bits=1024 \