httpkadmind: Support ok-as-delegate and such

Add support for configuring the attributes of new principals created via httpkadmind. This can be done via virtual host-based service namespaces, which will provide default attributes even if disabled (but the created principals will not be disabled, naturally), or via krb5.conf.
2022-04-25 17:39:29 -05:00
parent cd2e423d10
commit a5273d18cd
3 changed files with 261 additions and 13 deletions
--- a/tests/kdc/check-httpkadmind.in
+++ b/tests/kdc/check-httpkadmind.in
@@ -133,9 +133,11 @@ fi

 # HTTP curl-opts
 HTTP() {
-    curl -g --resolve ${server}:${restport2}:127.0.0.1                  \
-            --resolve ${server}:${restport}:127.0.0.1                   \
-         -u: --negotiate $verbose "$@"
+    curl -g --resolve ${server}:${restport2}:127.0.0.1  \
+            --resolve ${server}:${restport}:127.0.0.1   \
+         -u: --negotiate $verbose                       \
+         -D response-headers                            \
+         "$@"
 }

 # get_config QPARAMS curl-opts
@@ -145,6 +147,23 @@ get_config() {
    HTTP $verbose "$@" "$url"
 }

+check_age() {
+    set -- $(grep -i ^Cache-Control: response-headers)
+    if [ $# -eq 0 ]; then
+        return 1
+    fi
+    shift
+    for param in "$@"; do
+        case "$param" in
+        no-store) true;;
+        max-age=0) return 1;;
+        max-age=*) true;;
+        *) return 1;;
+        esac
+    done
+    return 0;
+}
+
 # get_keytab QPARAMS curl-opts
 get_keytab() {
    url="http://${server}:${restport}/get-keys?$1"
@@ -163,9 +182,9 @@ get_keytab_POST() {

    get_keytab "$q" -X POST --data-binary @/dev/null -f "$@" && 
        { echo "POST succeeded w/o CSRF token!"; return 1; }
-    get_keytab "$q" -X POST --data-binary @/dev/null -D response-headers "$@"
+    get_keytab "$q" -X POST --data-binary @/dev/null "$@"
    grep ^X-CSRF-Token: response-headers >/dev/null || return 1
-    get_keytab "$q" -X POST --data-binary @/dev/null -D response-headers \
+    get_keytab "$q" -X POST --data-binary @/dev/null \
        -H "$(sed -e 's/\r//' response-headers | grep ^X-CSRF-Token:)" "$@"
    grep '^HTTP/1.1 200' response-headers >/dev/null || return $?
    return 0
@@ -174,7 +193,7 @@ get_keytab_POST() {
 get_keytab_POST_redir() {
    url="http://${server}:${restport}/get-keys?$1"
    shift
-    HTTP -X POST --data-binary @/dev/null -D response-headers "$@" "$url"
+    HTTP -X POST --data-binary @/dev/null "$@" "$url"
    grep ^X-CSRF-Token: response-headers >/dev/null ||
        { echo "POST w/o CSRF token had response w/o CSRF token!"; return 1; }
    HTTP -X POST --data-binary @/dev/null  -f                           \
@@ -292,6 +311,8 @@ ${ktutil} -k "${objdir}/extracted_keytab" list --keys > extracted_keytab.kadmin
    { echo "Failed to list keytab for $p"; exit 1; }
 get_keytab "dNSName=${hn}" -sf -o "${objdir}/extracted_keytab" ||
    { echo "Failed to get a keytab for $p with curl"; exit 1; }
+check_age
+grep -i ^Cache-Control response-headers
 ${ktutil} -k "${objdir}/extracted_keytab" list --keys > extracted_keytab.rest ||
    { echo "Failed to list keytab for $p"; exit 1; }
 cmp extracted_keytab.kadmin extracted_keytab.rest ||