kdc: More testing of hard aliases

This is an attempt to make sure we test realm migration aliases by doing kinit w/ a hard alias name in a different realm, and that we can get service tickets for services in the same and other realms some of which are hard aliases in one direction, and some in the other.
2022-03-23 12:44:31 -05:00
parent 4b9faa02b0
commit d172a8bd79
2 changed files with 54 additions and 18 deletions
--- a/tests/kdc/check-referral.in
+++ b/tests/kdc/check-referral.in
@@ -42,11 +42,24 @@ testfailed="echo test failed; cat messages.log; exit 1"
 # If there is no useful db support compiled in, disable test
 ${have_db} || exit 77

+d=test.h5l.se
+d2=xtst.heim.example
 R=TEST.H5L.SE
-R2=SUB.TEST.H5L.SE
+R2=XTST.HEIM.EXAMPLE

-service1=ldap/host.test.h5l.se:389
-service2=ldap/host.sub.test.h5l.se:389
+# $service1 will be a hard alias of $service2
+service1=ldap/host.${d}:389
+service2=ldap/host.${d2}:389
+# $service3 and $service4 will have soft aliases referrals from each
+# other's realms
+service3=host/foohost.${d}
+service4=host/barhost.${d2}
+# $service5 and $service6 will be hardaliases
+service5=host/thing1.${d}
+service6=host/thing1.${d2}
+# $service7 and $service8 will be hardaliases in the opposite direction
+service7=host/thing2.${d}
+service8=host/thing2.${d2}

 port=@port@

@@ -91,22 +104,31 @@ ${kadmin} \
 ${kadmin} add -r --use-defaults WELLKNOWN/REFERRALS/TARGET@${R} || exit 1
 ${kadmin} add -r --use-defaults WELLKNOWN/REFERRALS/TARGET@${R2} || exit 1

+# User 'foo' gets two aliases in the same realm, and one in the other
 ${kadmin} add -p foo --use-defaults foo@${R} || exit 1
-${kadmin} modify --alias=alias1 --alias=alias2 foo@${R} || exit 1
-${kadmin} add_alias foo@${R} foo@${R2} || exit 1
+${kadmin} add_alias foo@${R} foo@${R2} alias1 alias2 || exit 1
 ${kadmin} get foo@${R} | grep alias1@${R} >/dev/null || exit 1
+${kadmin} get foo@${R} | grep alias2@${R} >/dev/null || exit 1
+${kadmin} get foo@${R} | grep foo@${R2} >/dev/null || exit 1

-${kadmin} add -p foo --use-defaults  ${service2}@${R2} || exit 1
-${kadmin} add_alias ${service2}@${R2}  ${service1}@${R} || exit 1
+# service1 is an alias of service2, in different realms
+${kadmin} add -p foo --use-defaults    ${service2}@${R2} || exit 1
+${kadmin} add_alias ${service2}@${R2}  ${service1}@${R}  || exit 1
 ${kadmin} get ${service2}@${R2} | grep ${service1}@${R} >/dev/null || exit 1

-# Create two host principals in their respective realms
-${kadmin} add -p foo --use-defaults  host/foohost.test.h5l.se@${R} || exit 1
-${kadmin} add -p foo --use-defaults  host/barhost.sub.test.h5l.se@${R2} || exit 1
+# service3 and service4 get soft aliases in each other's realms
+${kadmin} add -p foo --use-defaults  ${service3}@${R}  || exit 1
+${kadmin} add -p foo --use-defaults  ${service4}@${R2} || exit 1
+${kadmin} add_alias WELLKNOWN/REFERRALS/TARGET@${R2} ${service4}@${R} || exit 1
+${kadmin} add_alias WELLKNOWN/REFERRALS/TARGET@${R}  ${service3}@${R2} || exit 1

-# Create soft aliases (referrals) for them in the other realm
-${kadmin} add_alias WELLKNOWN/REFERRALS/TARGET@${R2} host/barhost.sub.test.h5l.se@${R} || exit 1
-${kadmin} add_alias WELLKNOWN/REFERRALS/TARGET@${R} host/foohost.test.h5l.se@${R2} || exit 1
+# service6 is a hard alias of service5
+${kadmin} add -p foo --use-defaults  ${service5}@${R}  || exit 1
+${kadmin} add_alias ${service5}@${R} ${service6}@${R2} || exit 1
+
+# service8 is a hard alias of service7, but in the opposite direction
+${kadmin} add -p foo --use-defaults  ${service7}@${R2} || exit 1
+${kadmin} add_alias ${service5}@${R} ${service8}@${R}  || exit 1

 ${kadmin} add -p foo --use-defaults bar@${R} || exit 1
 ${kadmin} add -p foo --use-defaults 'baz\@realm.foo@'${R} || exit 1
@@ -207,6 +229,7 @@ ${test_ap_req} krbtgt/${R}@${R} ${keytab} ${cache} || \
 	{ ec=1 ; eval "${testfailed}"; }
 ${kgetcred} ${service2}@${R2} || { ec=1 ; eval "${testfailed}"; }
 ${kgetcred} ${service1}@${R} || { ec=1 ; eval "${testfailed}"; }
+${kdestroy}

 echo "Getting client foo@${R2} tickets (non canon case)"; > messages.log
 ${kinit} --password-file=${objdir}/foopassword foo@${R2} || \
@@ -217,8 +240,18 @@ ${klist} | grep "Principal: foo@${R2}" > /dev/null || \
 echo "checking that we got back right principal inside the PAC"
 ${test_ap_req} krbtgt/${R}@${R} ${keytab} ${cache} || \
 	{ ec=1 ; eval "${testfailed}"; }
+echo "Getting various service tickets using foo@${R2} client"
 ${kgetcred} ${service2}@${R2} || { ec=1 ; eval "${testfailed}"; }
-${kgetcred} ${service1}@${R} || { ec=1 ; eval "${testfailed}"; }
+${kgetcred} ${service1}@${R}  || { ec=1 ; eval "${testfailed}"; }
+${kgetcred} ${service1}@${R2} || { ec=1 ; eval "${testfailed}"; }
+${kgetcred} ${service2}@${R}  || { ec=1 ; eval "${testfailed}"; }
+${kgetcred} ${service3}@      || { ec=1 ; eval "${testfailed}"; }
+${kgetcred} ${service4}@      || { ec=1 ; eval "${testfailed}"; }
+${kgetcred} ${service5}@      || { ec=1 ; eval "${testfailed}"; }
+${kgetcred} ${service6}@      || { ec=1 ; eval "${testfailed}"; }
+${kgetcred} ${service7}@      || { ec=1 ; eval "${testfailed}"; }
+${kgetcred} ${service8}@${R}  || { ec=1 ; eval "${testfailed}"; }
+${kdestroy}

 echo "Getting client alias2 tickets (removed)"; > messages.log
 ${kadmin} modify --alias=alias1 foo@${R} || { ec=1 ; eval "${testfailed}"; }
@@ -237,14 +270,14 @@ echo "Getting client for ${service2}@${R} (tgs kdc referral)"
 ${kinit} --password-file=${objdir}/foopassword foo@${R} || \
 	{ ec=1 ; eval "${testfailed}"; }
 ${kgetcred} --canonicalize ${service2}@${R} || { ec=1 ; eval "${testfailed}"; }
-${kgetcred} host/foohost.test.h5l.se@${R} || { ec=1 ; eval "${testfailed}"; }
-${kgetcred} host/barhost.sub.test.h5l.se@ || { ec=1 ; eval "${testfailed}"; }
+${kgetcred} ${service3}@${R} || { ec=1 ; eval "${testfailed}"; }
+${kgetcred} ${service4}@ || { ec=1 ; eval "${testfailed}"; }
 echo "checking that we got back right principal"
 ${klist} | grep "${service2}@${R2}" > /dev/null || \
 	{ ec=1 ; eval "${testfailed}"; }
-${klist} | grep "host/barhost.sub.test.h5l.se@TEST.H5L.SE" > /dev/null && \
+${klist} | grep "${service4}@${R}" > /dev/null && \
 	{ ec=1 ; eval "${testfailed}"; }
-${klist} | grep "host/barhost.sub.test.h5l.se@SUB.TEST.H5L.SE" > /dev/null || \
+${klist} | grep "${service4}@${R2}" > /dev/null || \
 	{ ec=1 ; eval "${testfailed}"; }
 ${kdestroy}

--- a/tests/kdc/krb5.conf.in
+++ b/tests/kdc/krb5.conf.in
@@ -31,6 +31,9 @@
 	TEST4.H5L.SE = {
 		kdc = localhost:@port@
 	}
+        XTST.HEIM.EXAMPLE = {
+		kdc = localhost:@port@
+        }
 	SOME-REALM5.FR = {
 		kdc = localhost:@port@
 	}