From c0bc8beb07d9733d4c8c17d120916552fe172f50 Mon Sep 17 00:00:00 2001
From: Nicolas Williams
Date: Tue, 26 Apr 2022 17:53:48 -0500
Subject: [PATCH] httpkadmind: Test attributes defaulting

---
 tests/kdc/check-httpkadmind.in | 142 +++++++++++++++++++++++++++--
 tests/kdc/krb5-httpkadmind.conf.in | 6 ++
 2 files changed, 138 insertions(+), 10 deletions(-)

diff --git a/tests/kdc/check-httpkadmind.in b/tests/kdc/check-httpkadmind.in
index b35e2837c..5b295906c 100644
--- a/tests/kdc/check-httpkadmind.in
+++ b/tests/kdc/check-httpkadmind.in
@@ -237,6 +237,9 @@ ${kadmin} add -r --use-defaults HTTP/xyz.${domain}@${R} || exit 1
 ${kadmin} add_ns --key-rotation-epoch=-1d --key-rotation-period=5m \
 --max-ticket-life=1d --max-renewable-life=5d \
 --attributes= HTTP/ns.${domain}@${R} || exit 1
+${kadmin} add_ns --key-rotation-epoch=-1d --key-rotation-period=5m \
+ --max-ticket-life=1d --max-renewable-life=5d \
+ --attributes=ok-as-delegate host/.ns2.${domain}@${R} || exit 1
 ${kadmin} add -r --use-defaults HTTP/${server}@${R} || exit 1
 ${kadmin} ext_keytab -r -k $keytab kadmin/admin@${R} || exit 1
 ${kadmin} ext_keytab -r -k $keytab httpkadmind/admin@${R} || exit 1
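Review bot: The `host/.ns2.${domain}` namespace added here is only exercised by the attribute-defaulting checks at the end of the patch (the `a-host.ns2.test.h5l.se` case), so a comment tying the two together would save the next reader a search, e.g. `# Namespace with an explicit attribute; the attribute-defaulting test below expects host/*.ns2 principals to inherit ok-as-delegate and nothing else`. Note also that this namespace is spelled with `${domain}` while the hostnames used by that later test are the literal `test.h5l.se`; the two only line up if `${domain}` is `test.h5l.se`, which this hunk does not show.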
@@ -641,22 +644,21 @@ cmp extracted_keytab.rest1 extracted_keytab.rest2 > /dev/null &&
 test "$(grep $p extracted_keytab.rest2 | wc -l)" -eq 3 ||
 { echo "Wrong number of new keys!"; exit 1; }
 
-echo "Checking that host services as clients can self-serve"
+echo "Checking that host services as clients can self-create"
 hn=synthesized.${domain}
 p=host/$hn
-KRB5CCNAME=$admincache ${kadmin} get -s $p &&
+KRB5CCNAME=$admincache ${kadmin} get -s $p >/dev/null &&
 { echo "Internal error -- $p exists too soon"; exit 1; }
 ${kinit2} -C "FILE:${objdir}/pkinit-synthetic.crt,${keyfile2}" ${p}@${R} || \
 { echo "Failed to kinit with PKINIT client cert"; exit 1; }
 ${kgetcred2} HTTP/localhost@$R || echo WAT
-${klist2}
 rm -f extracted_keytab*
 KRB5CCNAME=$cache2 \
 get_keytab_POST "spn=$p&create=true" -s -o "${objdir}/extracted_keytab" ||
 { echo "Failed to create and extract host keys for self"; exit 1; }
-${ktutil} -k "${objdir}/extracted_keytab" list ||
+${ktutil} -k "${objdir}/extracted_keytab" list > /dev/null ||
 { echo "Failed to create and extract host keys for self (bogus keytab)"; exit 1; }
-KRB5CCNAME=$admincache ${kadmin} get -s $p ||
+KRB5CCNAME=$admincache ${kadmin} get -s $p >/dev/null ||
 { echo "Failed to create and extract host keys for self"; exit 1; }
 
 echo "Checking that host services can't get other host service principals"
@@ -665,8 +667,8 @@ p=host/$hn
 KRB5CCNAME=$cache2 \
 get_keytab_POST "spn=$p&create=true" -s -o "${objdir}/extracted_keytab2" &&
 { echo "Failed to fail to create and extract host keys for other!"; exit 1; }
-${ktutil} -k "${objdir}/extracted_keytab2" list || true
-KRB5CCNAME=$admincache ${kadmin} get -s $p &&
+${ktutil} -k "${objdir}/extracted_keytab2" list > /dev/null || true
+KRB5CCNAME=$admincache ${kadmin} get -s $p >/dev/null &&
 { echo "Failed to fail to create and extract host keys for other!"; exit 1; }
 
 echo "Checking that host services can't get keys for themselves and others"
@@ -676,15 +678,135 @@ p2=host/nonexistent.${domain}
 ${kinit2} -C "FILE:${objdir}/pkinit-synthetic.crt,${keyfile2}" ${p}@${R} || \
 { echo "Failed to kinit with PKINIT client cert"; exit 1; }
 ${kgetcred2} HTTP/localhost@$R || echo WAT
-${klist2}
 rm -f extracted_keytab*
 KRB5CCNAME=$cache2 \
 get_keytab_POST "spn=$p&spn=$p2&create=true" -s -o "${objdir}/extracted_keytab" &&
 { echo "Failed to fail to create and extract host keys for other!"; exit 1; }
-${ktutil} -k "${objdir}/extracted_keytab2" list || true
-KRB5CCNAME=$admincache ${kadmin} get -s $p2 &&
+${ktutil} -k "${objdir}/extracted_keytab2" list > /dev/null || true
+KRB5CCNAME=$admincache ${kadmin} get -s $p2 >/dev/null &&
 { echo "Failed to fail to create and extract host keys for other!"; exit 1; }
 
+echo "Checking that attributes for new principals can be configured"
+hn=a-particular-hostname.test.h5l.se
+p=host/$hn
+${hxtool} issue-certificate \
+ --ca-certificate=FILE:$objdir/ca.crt,${keyfile} \
+ --type="pkinit-client" \
+ --pk-init-principal="$p@$R" \
+ --req="PKCS10:req-pkinit.der" \
+ --lifetime=7d \
+ --certificate="FILE:pkinit-synthetic.crt" ||
+ { echo "Failed to make PKINIT client cert"; exit 1; }
+KRB5CCNAME=$admincache ${kadmin} get -s $p >/dev/null &&
+ { echo "Internal error -- $p exists too soon"; exit 1; }
+${kinit2} -C "FILE:${objdir}/pkinit-synthetic.crt,${keyfile2}" ${p}@${R} || \
+ { echo "Failed to kinit with PKINIT client cert"; exit 1; }
+${kgetcred2} HTTP/localhost@$R || echo WAT
+rm -f extracted_keytab*
+KRB5CCNAME=$cache2 \
+get_keytab_POST "spn=$p&create=true" -s -o "${objdir}/extracted_keytab" ||
+ { echo "Failed to create and extract host keys for self"; exit 1; }
+${ktutil} -k "${objdir}/extracted_keytab" list > /dev/null ||
+ { echo "Failed to create and extract host keys for self (bogus keytab)"; exit 1; }
+KRB5CCNAME=$admincache ${kadmin} get -s $p >/dev/null ||
+ { echo "Failed to create and extract host keys for self"; exit 1; }
+KRB5CCNAME=$admincache ${kadmin} get $p |
+ grep 'Attributes:.*ok-as-delegate' > /dev/null ||
+ { echo "Failed to create with configured attributes"; exit 1; }
+KRB5CCNAME=$admincache ${kadmin} get $p |
+ grep 'Attributes:.*no-auth-data-reqd' > /dev/null ||
+ { echo "Failed to create with configured attributes"; exit 1; }
+
+hn=other-hostname.test.h5l.se
+p=host/$hn
+${hxtool} issue-certificate \
+ --ca-certificate=FILE:$objdir/ca.crt,${keyfile} \
+ --type="pkinit-client" \
+ --pk-init-principal="$p@$R" \
+ --req="PKCS10:req-pkinit.der" \
+ --lifetime=7d \
+ --certificate="FILE:pkinit-synthetic.crt" ||
+ { echo "Failed to make PKINIT client cert"; exit 1; }
+KRB5CCNAME=$admincache ${kadmin} get -s $p >/dev/null &&
+ { echo "Internal error -- $p exists too soon"; exit 1; }
+${kinit2} -C "FILE:${objdir}/pkinit-synthetic.crt,${keyfile2}" ${p}@${R} || \
+ { echo "Failed to kinit with PKINIT client cert"; exit 1; }
+${kgetcred2} HTTP/localhost@$R || echo WAT
+rm -f extracted_keytab*
+KRB5CCNAME=$cache2 \
+get_keytab_POST "spn=$p&create=true" -s -o "${objdir}/extracted_keytab" ||
+ { echo "Failed to create and extract host keys for self"; exit 1; }
+${ktutil} -k "${objdir}/extracted_keytab" list > /dev/null ||
+ { echo "Failed to create and extract host keys for self (bogus keytab)"; exit 1; }
+KRB5CCNAME=$admincache ${kadmin} get -s $p >/dev/null ||
+ { echo "Failed to create and extract host keys for self"; exit 1; }
+KRB5CCNAME=$admincache ${kadmin} get $p |
+ grep 'Attributes:.*ok-as-delegate' > /dev/null &&
+ { echo "Create with unexpected attributes"; exit 1; }
+KRB5CCNAME=$admincache ${kadmin} get $p |
+ grep 'Attributes:.*no-auth-data-reqd' > /dev/null &&
+ { echo "Create with unexpected attributes"; exit 1; }
+
+hn=a-server.prod.test.h5l.se
+p=host/$hn
+${hxtool} issue-certificate \
+ --ca-certificate=FILE:$objdir/ca.crt,${keyfile} \
+ --type="pkinit-client" \
+ --pk-init-principal="$p@$R" \
+ --req="PKCS10:req-pkinit.der" \
+ --lifetime=7d \
+ --certificate="FILE:pkinit-synthetic.crt" ||
+ { echo "Failed to make PKINIT client cert"; exit 1; }
+KRB5CCNAME=$admincache ${kadmin} get -s $p >/dev/null &&
+ { echo "Internal error -- $p exists too soon"; exit 1; }
+${kinit2} -C "FILE:${objdir}/pkinit-synthetic.crt,${keyfile2}" ${p}@${R} || \
+ { echo "Failed to kinit with PKINIT client cert"; exit 1; }
+${kgetcred2} HTTP/localhost@$R || echo WAT
+rm -f extracted_keytab*
+KRB5CCNAME=$cache2 \
+get_keytab_POST "spn=$p&create=true" -s -o "${objdir}/extracted_keytab" ||
+ { echo "Failed to create and extract host keys for self"; exit 1; }
+${ktutil} -k "${objdir}/extracted_keytab" list > /dev/null ||
+ { echo "Failed to create and extract host keys for self (bogus keytab)"; exit 1; }
+KRB5CCNAME=$admincache ${kadmin} get -s $p >/dev/null ||
+ { echo "Failed to create and extract host keys for self"; exit 1; }
+KRB5CCNAME=$admincache ${kadmin} get $p |
+ grep 'Attributes:.*ok-as-delegate' > /dev/null ||
+ { echo "Failed to create with configured attributes"; exit 1; }
+KRB5CCNAME=$admincache ${kadmin} get $p |
+ grep 'Attributes:.*no-auth-data-reqd' > /dev/null ||
+ { echo "Failed to create with configured attributes"; exit 1; }
+
+hn=a-host.ns2.test.h5l.se
+p=host/$hn
+${hxtool} issue-certificate \
+ --ca-certificate=FILE:$objdir/ca.crt,${keyfile} \
+ --type="pkinit-client" \
+ --pk-init-principal="$p@$R" \
+ --req="PKCS10:req-pkinit.der" \
+ --lifetime=7d \
+ --certificate="FILE:pkinit-synthetic.crt" ||
+ { echo "Failed to make PKINIT client cert"; exit 1; }
+KRB5CCNAME=$admincache ${kadmin} get -s $p >/dev/null &&
+ { echo "Internal error -- $p exists too soon"; exit 1; }
+${kinit2} -C "FILE:${objdir}/pkinit-synthetic.crt,${keyfile2}" ${p}@${R} || \
+ { echo "Failed to kinit with PKINIT client cert"; exit 1; }
+${kgetcred2} HTTP/localhost@$R || echo WAT
+rm -f extracted_keytab*
+KRB5CCNAME=$cache2 \
+get_keytab_POST "spn=$p&create=true" -s -o "${objdir}/extracted_keytab" ||
+ { echo "Failed to create and extract host keys for self"; exit 1; }
+${ktutil} -k "${objdir}/extracted_keytab" list > /dev/null ||
+ { echo "Failed to create and extract host keys for self (bogus keytab)"; exit 1; }
+KRB5CCNAME=$admincache ${kadmin} get -s $p >/dev/null ||
+ { echo "Failed to create and extract host keys for self"; exit 1; }
+KRB5CCNAME=$admincache ${kadmin} get $p |
+ grep 'Attributes:.*ok-as-delegate' > /dev/null ||
+ { echo "Failed to create with namespace attributes"; exit 1; }
+KRB5CCNAME=$admincache ${kadmin} get $p |
+ grep 'Attributes:.*no-auth-data-reqd' > /dev/null &&
+ { echo "Create with unexpected attributes"; exit 1; }
+
 grep 'Internal error' messages.log &&
 { echo "Internal errors in log"; exit 1; }
 
diff --git a/tests/kdc/krb5-httpkadmind.conf.in b/tests/kdc/krb5-httpkadmind.conf.in
index 4882d52f5..f887e82c4 100644
--- a/tests/kdc/krb5-httpkadmind.conf.in
+++ b/tests/kdc/krb5-httpkadmind.conf.in
@@ -85,6 +85,12 @@
 
 [ext_keytab]
 simple_csr_authorizer_directory = @objdir@/simple_csr_authz
+ new_hostbased_service_principal_attributes = {
+ host = {
+ a-particular-hostname.test.h5l.se = ok-as-delegate,no-auth-data-reqd
+ .prod.test.h5l.se = ok-as-delegate no-auth-data-reqd
+ }
+ }
 
 [logging]
 kdc = 0-/FILE:@objdir@/messages.log