krb5: Test KCM
Finally, we have a test for KCM. It shall not break again.
@@ -28,6 +28,7 @@ kadmin="${TESTS_ENVIRONMENT} ${top_builddir}/kadmin/kadmin"
|
||||
kadmind="${TESTS_ENVIRONMENT} ${top_builddir}/kadmin/kadmind"
|
||||
kdc="${TESTS_ENVIRONMENT} ${top_builddir}/kdc/kdc"
|
||||
kdc_tester="${TESTS_ENVIRONMENT} ${top_builddir}/kdc/kdc-tester"
|
||||
kcm="${TESTS_ENVIRONMENT} ${top_builddir}/kcm/kcm"
|
||||
test_csr_authorizer="${TESTS_ENVIRONMENT} ${top_builddir}/kdc/test_csr_authorizer"
|
||||
test_kdc_ca="${TESTS_ENVIRONMENT} ${top_builddir}/kdc/test_kdc_ca"
|
||||
test_token_validator="${TESTS_ENVIRONMENT} ${top_builddir}/kdc/test_token_validator"
|
||||
|
@@ -4,6 +4,7 @@ noinst_DATA = \
|
||||
an2ln-db.txt \
|
||||
kdc-tester4.json \
|
||||
krb5.conf \
|
||||
krb5-kcm.conf \
|
||||
krb5-cccol.conf \
|
||||
krb5-authz.conf \
|
||||
krb5-authz2.conf \
|
||||
@@ -204,6 +205,13 @@ krb5.conf: krb5.conf.in Makefile
|
||||
-e 's,[@]kdc[@],,g' < $(srcdir)/krb5.conf.in > krb5.conf.tmp && \
|
||||
mv krb5.conf.tmp krb5.conf
|
||||
|
||||
krb5-kcm.conf: krb5-kcm.conf.in Makefile
|
||||
$(do_subst) \
|
||||
-e 's,[@]WEAK[@],false,g' \
|
||||
-e 's,[@]dk[@],,g' \
|
||||
-e 's,[@]kdc[@],,g' < $(srcdir)/krb5-kcm.conf.in > krb5-kcm.conf.tmp && \
|
||||
mv krb5-kcm.conf.tmp krb5-kcm.conf
|
||||
|
||||
krb5-cccol.conf: krb5-cccol.conf.in Makefile
|
||||
$(do_subst) \
|
||||
-e 's,[@]WEAK[@],false,g' \
|
||||
|
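Review bot: The new `krb5-kcm.conf` rule repeats the three `-e` substitutions of the `krb5.conf` rule above it verbatim (and the `krb5-cccol.conf` rule that starts at the end of this hunk and continues outside it looks like a third copy), so a future change to the substitution set has to be made in three places. Hoisting them into one variable, e.g. `conf_subst = -e 's,[@]WEAK[@],false,g' -e 's,[@]dk[@],,g' -e 's,[@]kdc[@],,g'`, and writing each rule as `$(do_subst) $(conf_subst) < $(srcdir)/krb5-kcm.conf.in > krb5-kcm.conf.tmp && \` keeps the rules in step. If `CLEANFILES` in this Makefile lists `krb5.conf` (not visible in the hunk), the generated `krb5-kcm.conf` presumably belongs there too.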
@@ -89,6 +89,13 @@ echo Starting kdc ; > messages.log
|
||||
${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; }
|
||||
kdcpid=`getpid kdc`
|
||||
|
||||
echo Starting kcm ; > messages.log
|
||||
${kcm} -s ${objdir} --detach || { echo "kcm failed to start"; cat messages.log; exit 1; }
|
||||
kcmpid=`getpid kcm`
|
||||
|
||||
HEIM_IPC_DIR=${objdir}
|
||||
export HEIM_IPC_DIR
|
||||
|
||||
trap "kill -9 ${kdcpid}; echo signal killing kdc; exit 1;" EXIT
|
||||
|
||||
ec=0
|
||||
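Review bot: The EXIT trap at `trap "kill -9 ${kdcpid}; echo signal killing kdc; exit 1;" EXIT` is installed after kcm is started but only kills the kdc, so any early `exit 1` or failed assertion later in the script leaves the detached kcm daemon running with its socket in `${objdir}`; the `leaks_kill kcm $kcmpid` in the teardown hunk (`@@ -150,6 +192,9 @@`) only covers the normal path. Suggest `trap "kill -9 ${kdcpid} ${kcmpid}; echo signal killing kdc and kcm; exit 1;" EXIT`. Since `HEIM_IPC_DIR` is exported only after `${kcm} -s ${objdir} --detach`, it is presumably consumed by the client tools rather than by kcm itself; a one-line comment above the export saying so would save the next reader from checking.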
@@ -133,6 +140,41 @@ ${klist} -l | grep foo@ >/dev/null && { ec=1 ; eval "${testfailed}"; }
|
||||
echo "check that bar is gone"
|
||||
${klist} -l | grep bar@ >/dev/null && { ec=1 ; eval "${testfailed}"; }
|
||||
|
||||
echo "getting tickets (KCM)"; > messages.log
|
||||
KRB5_CONFIG="${objdir}/krb5-kcm.conf"
|
||||
export KRB5_CONFIG
|
||||
unset KRB5CCNAME
|
||||
${kinit} --default-for-principal foo@${R}
|
||||
${kinit} --default-for-principal bar@${R}
|
||||
${kinit} bar@${R}
|
||||
${klist} > /dev/null || { ec=1 ; eval "${testfailed}"; }
|
||||
${klist} | grep bar@${R} > /dev/null || { ec=1 ; eval "${testfailed}"; }
|
||||
${klist} | grep foo@${R} > /dev/null && { ec=1 ; eval "${testfailed}"; }
|
||||
${klist} -l | grep bar@${R} > /dev/null || { ec=1 ; eval "${testfailed}"; }
|
||||
${klist} -l | grep foo@${R} > /dev/null || { ec=1 ; eval "${testfailed}"; }
|
||||
${klist} -c KCM: | grep bar@${R} > /dev/null || { ec=1 ; eval "${testfailed}"; }
|
||||
KRB5CCNAME=KCM: ${klist} | grep bar@${R} > /dev/null || { ec=1 ; eval "${testfailed}"; }
|
||||
if [ -n "$BASH_VERSION" ]; then
|
||||
${klist} -c KCM:${UID} | grep bar@${R} > /dev/null || { ec=1 ; eval "${testfailed}"; }
|
||||
${klist} -c KCM:${UID}: | grep bar@${R} > /dev/null || { ec=1 ; eval "${testfailed}"; }
|
||||
KRB5CCNAME=KCM:${UID} ${klist} | grep bar@${R} > /dev/null || { ec=1 ; eval "${testfailed}"; }
|
||||
KRB5CCNAME=KCM:${UID}: ${klist} | grep bar@${R} > /dev/null || { ec=1 ; eval "${testfailed}"; }
|
||||
fi
|
||||
${kdestroy} -A
|
||||
${klist} 2>/dev/null && { ec=1 ; eval "${testfailed}"; }
|
||||
${klist} -l | grep bar@${R} > /dev/null && { ec=1 ; eval "${testfailed}"; }
|
||||
${klist} -l | grep foo@${R} > /dev/null && { ec=1 ; eval "${testfailed}"; }
|
||||
${kinit} bar@${R}
|
||||
${kinit} --default-for-principal foo@${R}
|
||||
${klist} > /dev/null || { ec=1 ; eval "${testfailed}"; }
|
||||
${klist} | grep bar@${R} > /dev/null || { ec=1 ; eval "${testfailed}"; }
|
||||
${klist} | grep foo@${R} > /dev/null && { ec=1 ; eval "${testfailed}"; }
|
||||
${klist} -l | grep bar@${R} > /dev/null || { ec=1 ; eval "${testfailed}"; }
|
||||
${klist} -l | grep foo@${R} > /dev/null || { ec=1 ; eval "${testfailed}"; }
|
||||
${klist} -c KCM: | grep bar@${R} > /dev/null || { ec=1 ; eval "${testfailed}"; }
|
||||
KRB5CCNAME=KCM: ${klist} | grep bar@${R} > /dev/null || { ec=1 ; eval "${testfailed}"; }
|
||||
${kdestroy} -A
|
||||
|
||||
echo "getting tickets (DIR)"; > messages.log
|
||||
KRB5_CONFIG="${objdir}/krb5-cccol.conf"
|
||||
export KRB5_CONFIG
|
||||
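Review bot: None of the five `${kinit}` invocations in the KCM block (`${kinit} --default-for-principal foo@${R}`, `${kinit} bar@${R}`, and the three that follow the first `${kdestroy} -A`) checks its exit status, so a kinit failure is only reported indirectly, through whichever `klist | grep` happens to miss, which hides the real cause in the failure output; give each the same treatment as the klist checks, e.g. `${kinit} --default-for-principal foo@${R} || { ec=1 ; eval "${testfailed}"; }`. The `if [ -n "$BASH_VERSION" ]` guard appears to exist only because `${UID}` is a bash variable, which means the `KCM:${UID}` and `KCM:${UID}:` cache-name forms are silently untested when the script runs under a plain POSIX sh; `uid=\`id -u\`` before the block and `KCM:${uid}` in the four klist lines would let the guard go, if that was the only reason for it.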
@@ -150,6 +192,9 @@ ${klist} -l |
|
||||
grep "bar@TEST.H5L.SE.*FILE:${objdir}/cc_dir/tkt.bar@TEST.H5L.SE" > /dev/null ||
|
||||
{ ec=1 ; eval "${testfailed}"; }
|
||||
|
||||
echo "killing kcm (${kcmpid})"
|
||||
sh ${leaks_kill} kcm $kcmpid || exit 1
|
||||
|
||||
echo "killing kdc (${kdcpid})"
|
||||
sh ${leaks_kill} kdc $kdcpid || exit 1
|
||||
|
||||
|
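--- /dev/null
+++ b/tests/kdc/krb5-kcm.conf.in
@@ -0,0 +1,165 @@
+[libdefaults]
+default_realm = TEST.H5L.SE TEST2.H5L.SE
+default_ccache_name = KCM:%{uid}
+no-addresses = TRUE
+allow_weak_crypto = @WEAK@
+dns_lookup_kdc = no
+dns_lookup_realm = no
+
+
+[appdefaults]
+pkinit_anchors = FILE:@srcdir@/../../lib/hx509/data/ca.crt
+reconnect-min = 2s
+reconnect-backoff = 2s
+reconnect-max = 10s
+
+[realms]
+TEST.H5L.SE = {
+kdc = localhost:@port@
+admin_server = localhost:@admport@
+kpasswd_server = localhost:@pwport@
+}
+SUB.TEST.H5L.SE = {
+kdc = localhost:@port@
+}
+TEST2.H5L.SE = {
+kdc = localhost:@port@
+kpasswd_server = localhost:@pwport@
+}
+TEST3.H5L.SE = {
+kdc = localhost:@port@
+}
+TEST4.H5L.SE = {
+kdc = localhost:@port@
+}
+SOME-REALM5.FR = {
+kdc = localhost:@port@
+}
+SOME-REALM6.US = {
+kdc = localhost:@port@
+}
+SOME-REALM7.UK = {
+kdc = localhost:@port@
+}
+SOME-REALM8.UK = {
+kdc = localhost:@port@
+}
+TEST-HTTP.H5L.SE = {
+kdc = http/localhost:@port@
+}
+H1.TEST.H5L.SE = {
+kdc = localhost:@port@
+}
+H2.TEST.H5L.SE = {
+kdc = localhost:@port@
+}
+H3.H2.TEST.H5L.SE = {
+kdc = localhost:@port@
+}
+H4.H2.TEST.H5L.SE = {
+kdc = localhost:@port@
+}
+
+[domain_realm]
+.test.h5l.se = TEST.H5L.SE
+.sub.test.h5l.se = SUB.TEST.H5L.SE
+.h1.test.h5l.se = H1.TEST.H5L.SE
+.h2.test.h5l.se = H2.TEST.H5L.SE
+.h3.h2.test.h5l.se = H3.H2.TEST.H5L.SE
+.h4.h2.test.h5l.se = H4.H2.TEST.H5L.SE
+.example.com = TEST2.H5L.SE
+localhost = TEST.H5L.SE
+.localdomain = TEST.H5L.SE
+localdomain = TEST.H5L.SE
+.localdomain6 = TEST.H5L.SE
+localdomain6 = TEST.H5L.SE
+
+
+[kdc]
+enable-digest = true
+allow-anonymous = true
+digests_allowed = chap-md5,digest-md5,ntlm-v1,ntlm-v1-session,ntlm-v2,ms-chap-v2
+strict-nametypes = true
+
+enable-http = true
+
+enable-pkinit = true
+pkinit_identity = FILE:@srcdir@/../../lib/hx509/data/kdc.crt,@srcdir@/../../lib/hx509/data/kdc.key
+pkinit_anchors = FILE:@srcdir@/../../lib/hx509/data/ca.crt
+pkinit_pool = FILE:@srcdir@/../../lib/hx509/data/sub-ca.crt
+# pkinit_revoke = CRL:@srcdir@/../../lib/hx509/data/crl1.crl
+pkinit_mappings_file = @srcdir@/pki-mapping
+pkinit_allow_proxy_certificate = true
+
+database = {
+label = {
+dbname = @db_type@:@objdir@/current-db@kdc@
+realm = TEST.H5L.SE
+mkey_file = @objdir@/mkey.file
+acl_file = @srcdir@/heimdal.acl
+log_file = @objdir@/current@kdc@.log
+}
+label2 = {
+dbname = @db_type@:@objdir@/current-db@kdc@
+realm = TEST2.H5L.SE
+mkey_file = @objdir@/mkey.file
+acl_file = @srcdir@/heimdal.acl
+log_file = @objdir@/current@kdc@.log
+}
+label3 = {
+dbname = sqlite:@objdir@/current-db@kdc@.sqlite3
+realm = SOME-REALM5.FR
+mkey_file = @objdir@/mkey.file
+acl_file = @srcdir@/heimdal.acl
+log_file = @objdir@/current@kdc@.log
+}
+}
+
+signal_socket = @objdir@/signal
+iprop-stats = @objdir@/iprop-stats
+iprop-acl = @srcdir@/iprop-acl
+log-max-size = 40000
+
+[hdb]
+db-dir = @objdir@
+
+[logging]
+kdc = 0-/FILE:@objdir@/messages.log
+krb5 = 0-/FILE:@objdir@/messages.log
+default = 0-/FILE:@objdir@/messages.log
+
+# If you are doing preformance measurements on OSX you want to change
+# the kdc LOG line from = to - below to keep the FILE open and avoid
+# open/write/close which is blocking (rdar:// ) on OSX.
+# kdc = 0-/FILE=@objdir@/messages.log
+
+[kadmin]
+save-password = true
+default_key_rules = {
+*/des3-only@* = des3-cbc-sha1:pw-salt
+*/aes-only@* = aes256-cts-hmac-sha1-96:pw-salt
+}
+@dk@
+
+[capaths]
+TEST.H5L.SE = {
+TEST2.H5L.SE = .
+SOME-REALM5.FR = 1
+TEST3.H5L.SE = TEST2.H5L.SE
+TEST4.H5L.SE = TEST2.H5L.SE
+TEST4.H5L.SE = TEST3.H5L.SE
+SOME-REALM6.US = SOME-REALM5.FR
+SOME-REALM7.UK = SOME-REALM6.US
+SOME-REALM7.UK = SOME-REALM5.FR
+SOME-REALM8.UK = SOME-REALM6.US
+}
+H4.H2.TEST.H5L.SE = {
+H1.TEST.H5L.SE = H3.H2.TEST.H5L.SE
+H1.TEST.H5L.SE = H2.TEST.H5L.SE
+H1.TEST.H5L.SE = TEST.H5L.SE
+
+TEST.H5L.SE = H3.H2.TEST.H5L.SE
+TEST.H5L.SE = H2.TEST.H5L.SE
+
+H2.TEST.H5L.SE = H3.H2.TEST.H5L.SE
+}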
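Review bot: The new template has no header comment saying what it is for, and it appears to be a full copy of the existing krb5.conf.in whose only KCM-specific line is `default_ccache_name = KCM:%{uid}`, so every other setting (realms, capaths, KDC database labels) now has to be kept in sync by hand. A three-line `#` header at the top stating that this is the test-harness krb5.conf variant selecting the KCM credential cache, that it mirrors krb5.conf.in apart from `default_ccache_name`, and that the permissive `[kdc]` settings (`allow-anonymous = true`, `allow_weak_crypto = @WEAK@`, the `ntlm-v1`/`chap-md5` entries in `digests_allowed`) exist only to exercise code paths in the test suite would make that explicit; generating the file from krb5.conf.in with a substituted `@ccache@` marker would remove the duplication altogether. The repeated keys in `[capaths]` (`TEST4.H5L.SE`, `SOME-REALM7.UK`, `H1.TEST.H5L.SE`, `TEST.H5L.SE`) presumably rely on Heimdal's multi-valued config keys and are worth a one-line comment, since most INI readers would keep only one. The copied comment `# If you are doing preformance measurements on OSX` carries the typo "preformance" into the new file.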