From eb2d1029c27d5f8f2b9463cae31f875f699b05f4 Mon Sep 17 00:00:00 2001
From: Nicolas Williams
Date: Wed, 14 Apr 2021 19:27:09 -0500
Subject: [PATCH] kdc: Test warn_ticket_addresses and /get-tgt w/ addresses

---
 tests/kdc/check-bx509.in | 18 ++++++++++++++----
 tests/kdc/krb5-bx509.conf.in | 6 +++++-
 2 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/tests/kdc/check-bx509.in b/tests/kdc/check-bx509.in
index 3870a38a7..60070277e 100644
--- a/tests/kdc/check-bx509.in
+++ b/tests/kdc/check-bx509.in
@@ -440,11 +440,14 @@
 if ! (set -vx; curl -o "${cachefile2}" -Lgsf \
 --resolve ${server}:${bx509port}:127.0.0.1 \
 -H "Authorization: Negotiate $token" \
- "http://${server}:${bx509port}/get-tgt"); then
+ "http://${server}:${bx509port}/get-tgt?address=8.8.8.8"); then
 echo "Failed to get a TGT with /get-tgt end-point"
 exit 2
 fi
 
+${klist2} | grep Addresses:.IPv4:8.8.8.8 ||
+ { echo "Failed to get a TGT with /get-tgt end-point with addresses"; exit 2; }
+
 echo "Fetch TGT (inception)"
 ${kdestroy}
 token=$(KRB5CCNAME=$cache2 $gsstoken HTTP@$server)
@@ -452,10 +455,14 @@
 if ! (set -vx; curl -o "${cachefile}" -Lgsf \
 --resolve ${server}:${bx509port}:127.0.0.1 \
 -H "Authorization: Negotiate $token" \
- "http://${server}:${bx509port}/get-tgt"); then
+ "http://${server}:${bx509port}/get-tgt?address=8.8.8.8"); then
 echo "Failed to get a TGT with /get-tgt end-point"
 exit 2
 fi
+${kgetcred} -H HTTP/${server}@${R} ||
+ { echo "Trivial offline CA test failed (TGS)"; exit 2; }
+${klist} | grep Addresses:.IPv4:8.8.8.8 ||
+ { echo "Failed to get a TGT with /get-tgt end-point with addresses"; exit 2; }
 
 echo "Fetch negotiate token (pre-test)"
 # Do what /bnegotiate does, roughly, prior to testing /bnegotiate
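Review bot: The new check `${klist2} | grep Addresses:.IPv4:8.8.8.8 ||` is an unquoted, unanchored basic regex in which every `.` matches any character, so it also passes on output such as `IPv4:8x8y8z8` or on a longer address list that merely contains those digits; `${klist2} | grep -q 'Addresses:.*IPv4:8\.8\.8\.8' ||` pins the value the test actually means. Note also that, with the companion config turning `check-ticket-addresses` off, the TGT requested with `?address=8.8.8.8` from 127.0.0.1 is only shown to carry the client-chosen address, not to be refused anywhere it should be; the enforcement side of the feature stays untested here and would need a run with checking enabled that expects a later TGS request to fail.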
@@ -468,11 +475,14 @@ $test_kdc_ca -a bx509 -A foo@${R} PKCS10:${objdir}/req \
 cat ${objdir}/k.pem >> ${objdir}/pkinit-test.pem
 ${kinit} -C PEM-FILE:${objdir}/pkinit-test.pem foo@${R} ||
 { echo "Trivial offline CA test failed (PKINIT)"; exit 2; }
-#${kgetcred} -H HTTP/${server}@${R} ||
-# { echo "Trivial offline CA test failed (TGS)"; exit 2; }
+${kgetcred} -H HTTP/${server}@${R} ||
+ { echo "Trivial offline CA test failed (TGS)"; exit 2; }
 KRB5CCNAME=$cache $gsstoken HTTP@$server | KRB5_KTNAME="$keytab" $gsstoken -r ||
 { echo "Trivial offline CA test failed (gss-token)"; exit 2; }
 
+grep 'Request from wrong address .ignoring' ${objdir}/messages.log ||
+ { echo "KDC not warning about requests from wrong address"; exit 2; }
+
 echo "Fetching a Negotiate token"
 token=$(KRB5CCNAME=$cache $gsstoken HTTP@$server)
 if (set -vx;
diff --git a/tests/kdc/krb5-bx509.conf.in b/tests/kdc/krb5-bx509.conf.in
index f55679a42..f089cefcd 100644
--- a/tests/kdc/krb5-bx509.conf.in
+++ b/tests/kdc/krb5-bx509.conf.in
@@ -17,6 +17,8 @@
 }
 
 [kdc]
+ check-ticket-addresses = no
+ warn_ticket_addresses = yes
 num-kdc-processes = 1
 strict-nametypes = true
 enable-pkinit = true
@@ -121,7 +123,9 @@
 }
 }
 
-[getTGT]
+[get-tgt]
+ no_addresses = true
+ allow_addresses = true
 simple_csr_authorizer_directory = @objdir@/simple_csr_authz
 realms = {
 TEST.H5L.SE = {
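Review bot: `grep 'Request from wrong address .ignoring' ${objdir}/messages.log` scans the whole KDC log, which by this point presumably already holds the warning produced by the earlier TGS request made with the 8.8.8.8-restricted TGT, so a match does not establish that the PKINIT-obtained credentials used just above triggered it. Record the log length before the request and search only the new lines: `before=$(wc -l < "${objdir}/messages.log")` ahead of `${kgetcred}`, then `tail -n "+$((before + 1))" "${objdir}/messages.log" | grep -q 'Request from wrong address .ignoring' ||` in place of the added grep. That form also quotes `${objdir}`, which the added line leaves unquoted. The `if (set -vx;` statement at the end of the hunk continues outside it.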
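Review bot: `check-ticket-addresses = no` disables address enforcement for the whole test KDC and nothing in the config says why, so a later reader restoring the default would silently change what check-bx509 proves (the script greps for the warning, not for a refusal). A comment above the two keys would pin that down: `# Do not enforce ticket addresses; only log mismatches so check-bx509 can grep for the warning.` The two keys also mix hyphenated and underscored spelling (`check-ticket-addresses`, `warn_ticket_addresses`); if the config parser matches names literally rather than normalising separators, each must be spelled exactly as the KDC reads it, which is worth confirming against the kdc source.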
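Review bot: The new options `no_addresses = true` and `allow_addresses = true` under `[get-tgt]` are undocumented; `allow_addresses` is presumably what lets the `?address=` query parameter in check-bx509 take effect, meaning an authenticated HTTP client may choose the address list embedded in its own TGT. A one-line comment would make the intent and the security reasoning explicit: `# Let /get-tgt callers request address-restricted TGTs (?address=...); addresses only narrow where a TGT is usable.` The rename from `[getTGT]` to `[get-tgt]` should also be checked against any reference to the old section name outside this diff.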