oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

httpkadmind: Test attributes defaulting

Browse Source
This commit is contained in:
Nicolas Williams
2022-04-26 17:53:48 -05:00
parent d93f0d103d
commit c0bc8beb07
2 changed files with 138 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

142
tests/kdc/check-httpkadmind.in
View File

@@ -237,6 +237,9 @@ ${kadmin} add -r --use-defaults HTTP/xyz.${domain}@${R} || exit 1
${kadmin} add_ns --key-rotation-epoch=-1d --key-rotation-period=5m \ ${kadmin} add_ns --key-rotation-epoch=-1d --key-rotation-period=5m \
--max-ticket-life=1d --max-renewable-life=5d \ --max-ticket-life=1d --max-renewable-life=5d \
--attributes= HTTP/ns.${domain}@${R} || exit 1 --attributes= HTTP/ns.${domain}@${R} || exit 1
${kadmin} add_ns --key-rotation-epoch=-1d --key-rotation-period=5m \
--max-ticket-life=1d --max-renewable-life=5d \
--attributes=ok-as-delegate host/.ns2.${domain}@${R} || exit 1
${kadmin} add -r --use-defaults HTTP/${server}@${R} || exit 1 ${kadmin} add -r --use-defaults HTTP/${server}@${R} || exit 1
${kadmin} ext_keytab -r -k $keytab kadmin/admin@${R} || exit 1 ${kadmin} ext_keytab -r -k $keytab kadmin/admin@${R} || exit 1
${kadmin} ext_keytab -r -k $keytab httpkadmind/admin@${R} || exit 1 ${kadmin} ext_keytab -r -k $keytab httpkadmind/admin@${R} || exit 1
@@ -641,22 +644,21 @@ cmp extracted_keytab.rest1 extracted_keytab.rest2 > /dev/null &&
test "$(grep $p extracted_keytab.rest2 | wc -l)" -eq 3 || test "$(grep $p extracted_keytab.rest2 | wc -l)" -eq 3 ||
{ echo "Wrong number of new keys!"; exit 1; } { echo "Wrong number of new keys!"; exit 1; }
echo "Checking that host services as clients can self-serve" echo "Checking that host services as clients can self-create"
hn=synthesized.${domain} hn=synthesized.${domain}
p=host/$hn p=host/$hn
KRB5CCNAME=$admincache ${kadmin} get -s $p && KRB5CCNAME=$admincache ${kadmin} get -s $p >/dev/null &&
{ echo "Internal error -- $p exists too soon"; exit 1; } { echo "Internal error -- $p exists too soon"; exit 1; }
${kinit2} -C "FILE:${objdir}/pkinit-synthetic.crt,${keyfile2}" ${p}@${R} || \ ${kinit2} -C "FILE:${objdir}/pkinit-synthetic.crt,${keyfile2}" ${p}@${R} || \
{ echo "Failed to kinit with PKINIT client cert"; exit 1; } { echo "Failed to kinit with PKINIT client cert"; exit 1; }
${kgetcred2} HTTP/localhost@$R || echo WAT ${kgetcred2} HTTP/localhost@$R || echo WAT
${klist2}
rm -f extracted_keytab* rm -f extracted_keytab*
KRB5CCNAME=$cache2 \ KRB5CCNAME=$cache2 \
get_keytab_POST "spn=$p&create=true" -s -o "${objdir}/extracted_keytab" || get_keytab_POST "spn=$p&create=true" -s -o "${objdir}/extracted_keytab" ||
{ echo "Failed to create and extract host keys for self"; exit 1; } { echo "Failed to create and extract host keys for self"; exit 1; }
${ktutil} -k "${objdir}/extracted_keytab" list || ${ktutil} -k "${objdir}/extracted_keytab" list > /dev/null ||
{ echo "Failed to create and extract host keys for self (bogus keytab)"; exit 1; } { echo "Failed to create and extract host keys for self (bogus keytab)"; exit 1; }
KRB5CCNAME=$admincache ${kadmin} get -s $p || KRB5CCNAME=$admincache ${kadmin} get -s $p >/dev/null ||
{ echo "Failed to create and extract host keys for self"; exit 1; } { echo "Failed to create and extract host keys for self"; exit 1; }
echo "Checking that host services can't get other host service principals" echo "Checking that host services can't get other host service principals"
@@ -665,8 +667,8 @@ p=host/$hn
KRB5CCNAME=$cache2 \ KRB5CCNAME=$cache2 \
get_keytab_POST "spn=$p&create=true" -s -o "${objdir}/extracted_keytab2" && get_keytab_POST "spn=$p&create=true" -s -o "${objdir}/extracted_keytab2" &&
{ echo "Failed to fail to create and extract host keys for other!"; exit 1; } { echo "Failed to fail to create and extract host keys for other!"; exit 1; }
${ktutil} -k "${objdir}/extracted_keytab2" list || true ${ktutil} -k "${objdir}/extracted_keytab2" list > /dev/null || true
KRB5CCNAME=$admincache ${kadmin} get -s $p && KRB5CCNAME=$admincache ${kadmin} get -s $p >/dev/null &&
{ echo "Failed to fail to create and extract host keys for other!"; exit 1; } { echo "Failed to fail to create and extract host keys for other!"; exit 1; }
echo "Checking that host services can't get keys for themselves and others" echo "Checking that host services can't get keys for themselves and others"
@@ -676,15 +678,135 @@ p2=host/nonexistent.${domain}
${kinit2} -C "FILE:${objdir}/pkinit-synthetic.crt,${keyfile2}" ${p}@${R} || \ ${kinit2} -C "FILE:${objdir}/pkinit-synthetic.crt,${keyfile2}" ${p}@${R} || \
{ echo "Failed to kinit with PKINIT client cert"; exit 1; } { echo "Failed to kinit with PKINIT client cert"; exit 1; }
${kgetcred2} HTTP/localhost@$R || echo WAT ${kgetcred2} HTTP/localhost@$R || echo WAT
${klist2}
rm -f extracted_keytab* rm -f extracted_keytab*
KRB5CCNAME=$cache2 \ KRB5CCNAME=$cache2 \
get_keytab_POST "spn=$p&spn=$p2&create=true" -s -o "${objdir}/extracted_keytab" && get_keytab_POST "spn=$p&spn=$p2&create=true" -s -o "${objdir}/extracted_keytab" &&
{ echo "Failed to fail to create and extract host keys for other!"; exit 1; } { echo "Failed to fail to create and extract host keys for other!"; exit 1; }
${ktutil} -k "${objdir}/extracted_keytab2" list || true ${ktutil} -k "${objdir}/extracted_keytab2" list > /dev/null || true
KRB5CCNAME=$admincache ${kadmin} get -s $p2 && KRB5CCNAME=$admincache ${kadmin} get -s $p2 >/dev/null &&
{ echo "Failed to fail to create and extract host keys for other!"; exit 1; } { echo "Failed to fail to create and extract host keys for other!"; exit 1; }
echo "Checking that attributes for new principals can be configured"
hn=a-particular-hostname.test.h5l.se
p=host/$hn
${hxtool} issue-certificate \
--ca-certificate=FILE:$objdir/ca.crt,${keyfile} \
--type="pkinit-client" \
--pk-init-principal="$p@$R" \
--req="PKCS10:req-pkinit.der" \
--lifetime=7d \
--certificate="FILE:pkinit-synthetic.crt" ||
{ echo "Failed to make PKINIT client cert"; exit 1; }
KRB5CCNAME=$admincache ${kadmin} get -s $p >/dev/null &&
{ echo "Internal error -- $p exists too soon"; exit 1; }
${kinit2} -C "FILE:${objdir}/pkinit-synthetic.crt,${keyfile2}" ${p}@${R} || \
{ echo "Failed to kinit with PKINIT client cert"; exit 1; }
${kgetcred2} HTTP/localhost@$R || echo WAT
rm -f extracted_keytab*
KRB5CCNAME=$cache2 \
get_keytab_POST "spn=$p&create=true" -s -o "${objdir}/extracted_keytab" ||
{ echo "Failed to create and extract host keys for self"; exit 1; }
${ktutil} -k "${objdir}/extracted_keytab" list > /dev/null ||
{ echo "Failed to create and extract host keys for self (bogus keytab)"; exit 1; }
KRB5CCNAME=$admincache ${kadmin} get -s $p >/dev/null ||
{ echo "Failed to create and extract host keys for self"; exit 1; }
KRB5CCNAME=$admincache ${kadmin} get $p |
grep 'Attributes:.*ok-as-delegate' > /dev/null ||
{ echo "Failed to create with configured attributes"; exit 1; }
KRB5CCNAME=$admincache ${kadmin} get $p |
grep 'Attributes:.*no-auth-data-reqd' > /dev/null ||
{ echo "Failed to create with configured attributes"; exit 1; }
hn=other-hostname.test.h5l.se
p=host/$hn
${hxtool} issue-certificate \
--ca-certificate=FILE:$objdir/ca.crt,${keyfile} \
--type="pkinit-client" \
--pk-init-principal="$p@$R" \
--req="PKCS10:req-pkinit.der" \
--lifetime=7d \
--certificate="FILE:pkinit-synthetic.crt" ||
{ echo "Failed to make PKINIT client cert"; exit 1; }
KRB5CCNAME=$admincache ${kadmin} get -s $p >/dev/null &&
{ echo "Internal error -- $p exists too soon"; exit 1; }
${kinit2} -C "FILE:${objdir}/pkinit-synthetic.crt,${keyfile2}" ${p}@${R} || \
{ echo "Failed to kinit with PKINIT client cert"; exit 1; }
${kgetcred2} HTTP/localhost@$R || echo WAT
rm -f extracted_keytab*
KRB5CCNAME=$cache2 \
get_keytab_POST "spn=$p&create=true" -s -o "${objdir}/extracted_keytab" ||
{ echo "Failed to create and extract host keys for self"; exit 1; }
${ktutil} -k "${objdir}/extracted_keytab" list > /dev/null ||
{ echo "Failed to create and extract host keys for self (bogus keytab)"; exit 1; }
KRB5CCNAME=$admincache ${kadmin} get -s $p >/dev/null ||
{ echo "Failed to create and extract host keys for self"; exit 1; }
KRB5CCNAME=$admincache ${kadmin} get $p |
grep 'Attributes:.*ok-as-delegate' > /dev/null &&
{ echo "Create with unexpected attributes"; exit 1; }
KRB5CCNAME=$admincache ${kadmin} get $p |
grep 'Attributes:.*no-auth-data-reqd' > /dev/null &&
{ echo "Create with unexpected attributes"; exit 1; }
hn=a-server.prod.test.h5l.se
p=host/$hn
${hxtool} issue-certificate \
--ca-certificate=FILE:$objdir/ca.crt,${keyfile} \
--type="pkinit-client" \
--pk-init-principal="$p@$R" \
--req="PKCS10:req-pkinit.der" \
--lifetime=7d \
--certificate="FILE:pkinit-synthetic.crt" ||
{ echo "Failed to make PKINIT client cert"; exit 1; }
KRB5CCNAME=$admincache ${kadmin} get -s $p >/dev/null &&
{ echo "Internal error -- $p exists too soon"; exit 1; }
${kinit2} -C "FILE:${objdir}/pkinit-synthetic.crt,${keyfile2}" ${p}@${R} || \
{ echo "Failed to kinit with PKINIT client cert"; exit 1; }
${kgetcred2} HTTP/localhost@$R || echo WAT
rm -f extracted_keytab*
KRB5CCNAME=$cache2 \
get_keytab_POST "spn=$p&create=true" -s -o "${objdir}/extracted_keytab" ||
{ echo "Failed to create and extract host keys for self"; exit 1; }
${ktutil} -k "${objdir}/extracted_keytab" list > /dev/null ||
{ echo "Failed to create and extract host keys for self (bogus keytab)"; exit 1; }
KRB5CCNAME=$admincache ${kadmin} get -s $p >/dev/null ||
{ echo "Failed to create and extract host keys for self"; exit 1; }
KRB5CCNAME=$admincache ${kadmin} get $p |
grep 'Attributes:.*ok-as-delegate' > /dev/null ||
{ echo "Failed to create with configured attributes"; exit 1; }
KRB5CCNAME=$admincache ${kadmin} get $p |
grep 'Attributes:.*no-auth-data-reqd' > /dev/null ||
{ echo "Failed to create with configured attributes"; exit 1; }
hn=a-host.ns2.test.h5l.se
p=host/$hn
${hxtool} issue-certificate \
--ca-certificate=FILE:$objdir/ca.crt,${keyfile} \
--type="pkinit-client" \
--pk-init-principal="$p@$R" \
--req="PKCS10:req-pkinit.der" \
--lifetime=7d \
--certificate="FILE:pkinit-synthetic.crt" ||
{ echo "Failed to make PKINIT client cert"; exit 1; }
KRB5CCNAME=$admincache ${kadmin} get -s $p >/dev/null &&
{ echo "Internal error -- $p exists too soon"; exit 1; }
${kinit2} -C "FILE:${objdir}/pkinit-synthetic.crt,${keyfile2}" ${p}@${R} || \
{ echo "Failed to kinit with PKINIT client cert"; exit 1; }
${kgetcred2} HTTP/localhost@$R || echo WAT
rm -f extracted_keytab*
KRB5CCNAME=$cache2 \
get_keytab_POST "spn=$p&create=true" -s -o "${objdir}/extracted_keytab" ||
{ echo "Failed to create and extract host keys for self"; exit 1; }
${ktutil} -k "${objdir}/extracted_keytab" list > /dev/null ||
{ echo "Failed to create and extract host keys for self (bogus keytab)"; exit 1; }
KRB5CCNAME=$admincache ${kadmin} get -s $p >/dev/null ||
{ echo "Failed to create and extract host keys for self"; exit 1; }
KRB5CCNAME=$admincache ${kadmin} get $p |
grep 'Attributes:.*ok-as-delegate' > /dev/null ||
{ echo "Failed to create with namespace attributes"; exit 1; }
KRB5CCNAME=$admincache ${kadmin} get $p |
grep 'Attributes:.*no-auth-data-reqd' > /dev/null &&
{ echo "Create with unexpected attributes"; exit 1; }
grep 'Internal error' messages.log && grep 'Internal error' messages.log &&
{ echo "Internal errors in log"; exit 1; } { echo "Internal errors in log"; exit 1; }

6
tests/kdc/krb5-httpkadmind.conf.in
View File

@@ -85,6 +85,12 @@
[ext_keytab] [ext_keytab]
simple_csr_authorizer_directory = @objdir@/simple_csr_authz simple_csr_authorizer_directory = @objdir@/simple_csr_authz
new_hostbased_service_principal_attributes = {
host = {
a-particular-hostname.test.h5l.se = ok-as-delegate,no-auth-data-reqd
.prod.test.h5l.se = ok-as-delegate no-auth-data-reqd
}
}
[logging] [logging]
kdc = 0-/FILE:@objdir@/messages.log kdc = 0-/FILE:@objdir@/messages.log