From abd065be02eba1b90faac00348ba5687aec06a93 Mon Sep 17 00:00:00 2001 From: Nicolas Williams Date: Tue, 6 Dec 2011 19:19:08 -0600 Subject: [PATCH] Add a test for krb5_kuserok() --- lib/krb5/test_kuserok.c | 5 +- tests/bin/setup-env.in | 1 + tests/kdc/Makefile.am | 32 ++-- tests/kdc/check-an2ln.in | 116 ------------- tests/kdc/check-authz.in | 153 ++++++++++++++++++ tests/kdc/k5login/foo | 1 + ...{krb5-an2ln.conf.in => krb5-authz.conf.in} | 3 + tests/kdc/krb5-authz2.conf.in | 30 ++++ 8 files changed, 212 insertions(+), 129 deletions(-) delete mode 100644 tests/kdc/check-an2ln.in create mode 100644 tests/kdc/check-authz.in create mode 100644 tests/kdc/k5login/foo rename tests/kdc/{krb5-an2ln.conf.in => krb5-authz.conf.in} (82%) create mode 100644 tests/kdc/krb5-authz2.conf.in diff --git a/lib/krb5/test_kuserok.c b/lib/krb5/test_kuserok.c index 5beb1b757..8126ac36c 100644 --- a/lib/krb5/test_kuserok.c +++ b/lib/krb5/test_kuserok.c @@ -100,5 +100,8 @@ main(int argc, char **argv) printf("%s is %sallowed to login as %s\n", p, ret ? "" : "NOT ", argv[1]); - return 0; + if (ret) + return 0; + + return 1; } diff --git a/tests/bin/setup-env.in b/tests/bin/setup-env.in index ef4b01d93..ae174a773 100644 --- a/tests/bin/setup-env.in +++ b/tests/bin/setup-env.in @@ -42,6 +42,7 @@ test_context="${TESTS_ENVIRONMENT} ${top_builddir}/lib/gssapi/test_context" rkpty="${TESTS_ENVIRONMENT} ${top_builddir}/lib/roken/rkpty" test_set_kvno0="${TESTS_ENVIRONMENT} ${top_builddir}/lib/krb5/test_set_kvno0" test_alname="${TESTS_ENVIRONMENT} ${top_builddir}/lib/krb5/test_alname" +test_kuserok="${TESTS_ENVIRONMENT} ${top_builddir}/lib/krb5/test_kuserok" # misc apps have_db="${top_builddir}/tests/db/have-db" diff --git a/tests/kdc/Makefile.am b/tests/kdc/Makefile.am index ee7ba1cd1..852e3049b 100644 --- a/tests/kdc/Makefile.am +++ b/tests/kdc/Makefile.am 
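Review bot: After this change a nonzero exit from test_kuserok means either "not allowed" or any earlier failure in main (its error paths are above the hunk, and main starts outside it), and the new tests/kdc/check-authz.in relies on `&& exit 1` for its expected-denial cases, so a crash, an unreadable config or a principal that presumably fails to parse would make those negative checks pass vacuously. Keeping denial distinct from errors would make the script's assertions meaningful, e.g. `return ret ? 0 : 1;` here with the error exits in main using another status (say 2) that the script can test for explicitly; the same point applies to the `&& exit 1` lines in the check-authz.in hunk. A one-line comment above the return stating the contract, `/* exit 0: allowed, 1: not allowed */`, would also help the script's readers.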
@@ -1,9 +1,11 @@ include $(top_srcdir)/Makefile.am.common noinst_DATA = \ + an2ln-db.txt \ kdc-tester4.json \ krb5.conf \ - krb5-an2ln.conf \ + krb5-authz.conf \ + krb5-authz2.conf \ krb5-canon.conf \ krb5-canon2.conf \ krb5-hdb-mitdb.conf \ @@ -15,7 +17,7 @@ noinst_DATA = \ check_SCRIPTS = $(SCRIPT_TESTS) SCRIPT_TESTS = \ - check-an2ln \ + check-authz \ check-canon \ check-cc \ check-delegation \ @@ -59,10 +61,10 @@ do_subst = sed $(do_dlopen) \ LDADD = ../../lib/krb5/libkrb5.la $(LIB_roken) -check-an2ln: check-an2ln.in Makefile krb5-an2ln.conf - $(do_subst) < $(srcdir)/check-an2ln.in > check-an2ln.tmp - chmod +x check-an2ln.tmp - mv check-an2ln.tmp check-an2ln +check-authz: check-authz.in Makefile krb5-authz.conf krb5-authz2.conf + $(do_subst) < $(srcdir)/check-authz.in > check-authz.tmp + chmod +x check-authz.tmp + mv check-authz.tmp check-authz check-canon: check-canon.in Makefile krb5-canon.conf krb5-canon2.conf $(do_subst) < $(srcdir)/check-canon.in > check-canon.tmp @@ -160,9 +162,13 @@ krb5.conf: krb5.conf.in Makefile -e 's,[@]kdc[@],,g' < $(srcdir)/krb5.conf.in > krb5.conf.tmp mv krb5.conf.tmp krb5.conf -krb5-an2ln.conf: krb5-an2ln.conf.in Makefile - $(do_subst) < $(srcdir)/krb5-an2ln.conf.in > krb5-an2ln.conf.tmp - mv krb5-an2ln.conf.tmp krb5-an2ln.conf +krb5-authz.conf: krb5-authz.conf.in Makefile + $(do_subst) < $(srcdir)/krb5-authz.conf.in > krb5-authz.conf.tmp + mv krb5-authz.conf.tmp krb5-authz.conf + +krb5-authz2.conf: krb5-authz2.conf.in Makefile + $(do_subst) < $(srcdir)/krb5-authz2.conf.in > krb5-authz2.conf.tmp + mv krb5-authz2.conf.tmp krb5-authz2.conf krb5-canon.conf: krb5-canon.conf.in Makefile $(do_subst) \ @@ -222,7 +228,8 @@ CLEANFILES= \ foopassword \ kdc-tester4.json \ krb5.conf \ - krb5-an2ln.conf \ + krb5-authz.conf \ + krb5-authz2.conf \ krb5-canon.conf \ krb5-canon2.conf \ krb5-weak.conf \ 
@@ -259,7 +266,7 @@ CLEANFILES= \ EXTRA_DIST = \ NTMakefile \ - check-an2ln.in \ + check-authz.in \ check-canon.in \ check-cc.in \ check-delegation.in \ @@ -285,7 +292,8 @@ EXTRA_DIST = \ kdc-tester4.json.in \ krb5-pkinit.conf.in \ krb5.conf.in \ - krb5-an2ln.conf.in \ + krb5-authz.conf.in \ + krb5-authz2.conf.in \ krb5-canon.conf.in \ krb5-canon2.conf.in \ krb5-hdb-mitdb.conf.in \ diff --git a/tests/kdc/check-an2ln.in b/tests/kdc/check-an2ln.in deleted file mode 100644 index af487b3fa..000000000 --- a/tests/kdc/check-an2ln.in +++ /dev/null 
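Review bot: The new tests/kdc/k5login/foo, which both krb5-authz.conf.in and krb5-authz2.conf.in reference through `@srcdir@/k5login/%{luser}`, is not added to EXTRA_DIST in this hunk, and the diffstat (32 lines in Makefile.am, all visible in the commit) shows no other change that would distribute it, so a `make dist` tarball would lack the file and `make check` from it would fail the SYSTEM-K5LOGIN cases unless it is shipped by some rule outside this file. Adding `k5login/foo \` next to `check-authz.in \` in EXTRA_DIST fixes that. The same question applies to `an2ln-db.txt`, which the first Makefile.am hunk adds to noinst_DATA although the conf files read it from `@srcdir@`; if it is not already in EXTRA_DIST it should be.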
@@ -1,116 +0,0 @@ -#!/bin/sh -# -# Copyright (c) 2007 Kungliga Tekniska Högskolan -# (Royal Institute of Technology, Stockholm, Sweden). -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# 3. Neither the name of the Institute nor the names of its contributors -# may be used to endorse or promote products derived from this software -# without specific prior written permission. -# -# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -# SUCH DAMAGE. - -top_builddir="@top_builddir@" -env_setup="@env_setup@" -objdir="." - -. ${env_setup} - -srcdir="${top_srcdir}/tests/kdc" -test_alname="${test_alname} --simple" - -rm -f localname - -check_localname() { - if test "$2" -ne 0; then - exec 2> /dev/null - fi - ${test_alname} "$1" > localname - status=$? 
- if test $status -ne "$2"; then - echo "Unexpected exit code from test_alname $1: $status" - exit 1 - fi - if test $status -ne 0; then - return 0 - fi - read lname < localname - if test "X$lname" != "X$3"; then - echo "Unexpected mapping of $1: $lname" - exit 1 - fi - return 0 -} - -R=TEST.H5L.SE -R2=TEST2.H5L.SE -R3=TEST3.H5L.SE -R4=TEST4.H5L.SE - -KRB5_CONFIG="${objdir}/krb5-an2ln.conf" -export KRB5_CONFIG - -echo "Checking 1-component principal names in default realms" -check_localname mapped1@${R} 0 foo -check_localname mapped2@${R} 0 bar -check_localname mapped1@${R2} 0 m1 -check_localname mapped2@${R2} 0 m2 -check_localname mapped1@${R3} 0 mapped1 -check_localname mapped2@${R3} 0 mapped2 -check_localname notmapped1@${R} 1 -check_localname notmapped1@${R2} 1 -check_localname notmapped1@${R3} 0 notmapped1 - -echo "Checking 1-component principal names in non-default realm" -check_localname mapped1@${R4} 1 -check_localname notmapped1@${R4} 1 - -echo "Checking 2-component principal names" -check_localname foo/mapped1@${R} 0 foo -check_localname foo/mapped2@${R} 0 bar -check_localname bar/mapped1@${R2} 0 foobar -check_localname bar/mapped2@${R2} 0 foobaz -check_localname foo/mapped1@${R3} 1 -check_localname bar/mapped1@${R3} 1 -check_localname foo/notmapped1@${R} 1 -check_localname bar/notmapped1@${R2} 1 - -echo "Checking 2-component principal names in non-default realm" -check_localname foo/mapped1@${R4} 1 -check_localname bar/mapped1@${R4} 1 -check_localname foo/notmapped1@${R4} 1 -check_localname bar/notmapped1@${R4} 1 - -echo "Checking for overflow" -test_alname="${test_alname} --simple --lname-size=1" -check_localname mapped1@${R} 3 -check_localname mapped2@${R} 3 -check_localname mapped1@${R2} 3 -check_localname mapped2@${R2} 3 -check_localname mapped1@${R3} 3 -check_localname mapped2@${R3} 3 - -rm -f messages.log - -exit 0 diff --git a/tests/kdc/check-authz.in b/tests/kdc/check-authz.in new file mode 100644 index 000000000..c2e373a3f --- /dev/null 
+++ b/tests/kdc/check-authz.in 
@@ -0,0 +1,153 @@ +#!/bin/sh +# +# Copyright (c) 2007 Kungliga Tekniska Högskolan +# (Royal Institute of Technology, Stockholm, Sweden). +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# 3. Neither the name of the Institute nor the names of its contributors +# may be used to endorse or promote products derived from this software +# without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. + +top_builddir="@top_builddir@" +env_setup="@env_setup@" +objdir="." + +. ${env_setup} + +srcdir="${top_srcdir}/tests/kdc" +test_alname="${test_alname} --simple" + +rm -f localname + +check_localname() { + stderr= + if test "$2" -ne 0; then + stderr="2>/dev/null" + fi + eval ${test_alname} "'$1'" > localname $stderr + status=$? 
+ if test $status -ne "$2"; then + echo "Unexpected exit code from test_alname $1: $status" + exit 1 + fi + if test $status -ne 0; then + return 0 + fi + read lname < localname + if test "X$lname" != "X$3"; then + echo "Unexpected mapping of $1: $lname" + exit 1 + fi + return 0 +} + +R=TEST.H5L.SE +R2=TEST2.H5L.SE +R3=TEST3.H5L.SE +R4=TEST4.H5L.SE + +KRB5_CONFIG="${objdir}/krb5-authz.conf" +export KRB5_CONFIG + +echo "Checking 1-component principal names in default realms" +check_localname mapped1@${R} 0 foo || exit 1 +check_localname mapped2@${R} 0 bar || exit 1 +check_localname mapped1@${R2} 0 m1 || exit 1 +check_localname mapped2@${R2} 0 m2 || exit 1 +check_localname mapped1@${R3} 0 mapped1 || exit 1 +check_localname mapped2@${R3} 0 mapped2 || exit 1 +check_localname notmapped1@${R} 1 || exit 1 +check_localname notmapped1@${R2} 1 || exit 1 +check_localname notmapped1@${R3} 0 notmapped1 || exit 1 + +echo "Checking 1-component principal names in non-default realm" +check_localname mapped1@${R4} 1 || exit 1 +check_localname notmapped1@${R4} 1 || exit 1 + +echo "Checking 2-component principal names" +check_localname foo/mapped1@${R} 0 foo || exit 1 +check_localname foo/mapped2@${R} 0 bar || exit 1 +check_localname bar/mapped1@${R2} 0 foobar || exit 1 +check_localname bar/mapped2@${R2} 0 foobaz || exit 1 +check_localname foo/mapped1@${R3} 1 || exit 1 +check_localname bar/mapped1@${R3} 1 || exit 1 +check_localname foo/notmapped1@${R} 1 || exit 1 +check_localname bar/notmapped1@${R2} 1 || exit 1 + +echo "Checking 2-component principal names in non-default realm" +check_localname foo/mapped1@${R4} 1 || exit 1 +check_localname bar/mapped1@${R4} 1 || exit 1 +check_localname foo/notmapped1@${R4} 1 || exit 1 +check_localname bar/notmapped1@${R4} 1 || exit 1 + +echo "Checking for overflow" +test_alname="${test_alname} --simple --lname-size=1" +check_localname mapped1@${R} 3 || exit 1 +check_localname mapped2@${R} 3 || exit 1 +check_localname mapped1@${R2} 3 || exit 1 
+check_localname mapped2@${R2} 3 || exit 1 +check_localname mapped1@${R3} 3 || exit 1 +check_localname mapped2@${R3} 3 || exit 1 + +echo "Checking krb5_kuserok()" +${test_kuserok} random-princ@RANDOM-REALM foo > /dev/null || exit 1 +${test_kuserok} mapped1@${R} foo > /dev/null || exit 1 +${test_kuserok} mapped1@${R2} m1 > /dev/null || exit 1 +${test_kuserok} notmapped1@${R3} notmapped1 > /dev/null || exit 1 +${test_kuserok} this-better-not-exist@NOR-THIS foo > /dev/null && exit 1 + +# If the user running this test has a ~/.k5login or .k5logind, test +# based on their content +if test -n "${HOME}" -a -n "${USER:-${LOGNAME}}" -a -s "${HOME}/.k5login"; then + echo "Checking ~/.k5login" + while read princ; do + ${test_kuserok} "${princ}" "${USER:-${LOGNAME}}" > /dev/null || exit 1 + done < "${HOME}/.k5login" || exit 1 +fi +if test -n "${HOME}" -a -n "${USER:-${LOGNAME}}" -a -d "${HOME}/.k5login.d"; then + echo "Checking ~/.k5login.d" + ls -f "${HOME}/.k5login.d" | egrep -v '^(\.|\.\.|#.*|.*~|\.*.sw.)$' | while read f; do + f="${HOME}/.k5login.d/$f" + test -d "${f}" && continue + while read princ; do + ${test_kuserok} "${princ}" "${USER:-${LOGNAME}}" > /dev/null || exit 1 + done < "${f}" || exit 1 + done || exit 1 +fi + +KRB5_CONFIG="${objdir}/krb5-authz2.conf" +export KRB5_CONFIG + +echo "Checking krb5_kuserok() (with authoritative k5login files)" +${test_kuserok} random-princ@RANDOM-REALM foo > /dev/null || exit 1 +${test_kuserok} mapped1@${R} foo > /dev/null && exit 1 +${test_kuserok} mapped1@${R2} m1 > /dev/null || exit 1 +${test_kuserok} notmapped1@${R3} notmapped1 > /dev/null || exit 1 +${test_kuserok} this-better-not-exist@NOR-THIS foo > /dev/null && exit 1 + +rm -f messages.log + +exit 0 diff --git a/tests/kdc/k5login/foo b/tests/kdc/k5login/foo new file mode 100644 index 000000000..b51a40b58 --- /dev/null +++ b/tests/kdc/k5login/foo @@ -0,0 +1 @@ +random-princ@RANDOM-REALM 
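Review bot: The `~/.k5login` loop hands every line of the developer's real file to test_kuserok unchanged, so a blank line, or anything that is not a bare principal, becomes an empty or garbled argument and fails the whole suite on that machine rather than exercising the library; the `.k5login.d` loop has the same weakness. A guard such as `case "$princ" in ''|'#'*) continue;; esac` before each `${test_kuserok}` call, together with `read -r princ` so backslashes are not eaten (both POSIX, so fine under `#!/bin/sh`), would make those checks depend only on well-formed entries. The `egrep -v` alternative `\.*.sw.` looks intended to skip editor swap files but can only match names like `.swp` with nothing before the dot; `.*\.sw.` would also match `.foo.swp`.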
diff --git a/tests/kdc/krb5-an2ln.conf.in b/tests/kdc/krb5-authz.conf.in similarity index 82% rename from tests/kdc/krb5-an2ln.conf.in rename to tests/kdc/krb5-authz.conf.in index 47bf71d0b..899f41740 100644 --- a/tests/kdc/krb5-an2ln.conf.in +++ b/tests/kdc/krb5-authz.conf.in @@ -1,6 +1,9 @@ [libdefaults] default_realm = TEST.H5L.SE TEST2.H5L.SE TEST3.H5L.SE no-addresses = TRUE + kuserok = SYSTEM-K5LOGIN:@srcdir@/k5login/%{luser} + kuserok = USER-K5LOGIN + kuserok = SIMPLE [appdefaults] diff --git a/tests/kdc/krb5-authz2.conf.in b/tests/kdc/krb5-authz2.conf.in new file mode 100644 index 000000000..4179cda94 --- /dev/null +++ b/tests/kdc/krb5-authz2.conf.in @@ -0,0 +1,30 @@ +[libdefaults] + default_realm = TEST.H5L.SE TEST2.H5L.SE TEST3.H5L.SE + no-addresses = TRUE + k5login_authoritative = TRUE + k5login_directory = @srcdir@/k5login/%{luser} + kuserok = SYSTEM-K5LOGIN + kuserok = SIMPLE + +[appdefaults] + +[realms] + TEST.H5L.SE = { + auth_to_local_names = { + foo/mapped1 = foo + foo/mapped2 = bar + mapped1 = foo + mapped2 = bar + } + auth_to_local = NONE + } + TEST2.H5L.SE = { + auth_to_local = DB:@srcdir@/an2ln-db.txt + } + TEST3.H5L.SE = { + auth_to_local = DEFAULT + } + +[logging] + default = 0-/FILE:@objdir@/messages.log +
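Review bot: In krb5-authz2.conf.in `k5login_directory` is given a per-user file template (`@srcdir@/k5login/%{luser}`) rather than a directory as its name suggests, and differently from krb5-authz.conf.in, where the same template is the argument to `SYSTEM-K5LOGIN:`. I cannot see how the library expands this option, so it may well be the intended form; a comment above the line such as `# template for the per-user k5login file; %{luser} expands to the local user name` would stop a later reader from "fixing" it to a plain directory. If the library does treat it as a directory, the `mapped1@${R} foo ... && exit 1` check in check-authz.in should presumably catch that, since with no k5login file found the SIMPLE rule would allow the login.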