oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

kdc: Test warn_ticket_addresses and /get-tgt w/ addresses

Browse Source
This commit is contained in:
Nicolas Williams
2021-04-14 19:27:09 -05:00
parent 6ff3dbf297
commit eb2d1029c2
2 changed files with 19 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
tests/kdc/check-bx509.in
View File

@@ -440,11 +440,14 @@ if ! (set -vx;
curl -o "${cachefile2}" -Lgsf \ curl -o "${cachefile2}" -Lgsf \
--resolve ${server}:${bx509port}:127.0.0.1 \ --resolve ${server}:${bx509port}:127.0.0.1 \
-H "Authorization: Negotiate $token" \ -H "Authorization: Negotiate $token" \
"http://${server}:${bx509port}/get-tgt"); then "http://${server}:${bx509port}/get-tgt?address=8.8.8.8"); then
echo "Failed to get a TGT with /get-tgt end-point" echo "Failed to get a TGT with /get-tgt end-point"
exit 2 exit 2
fi fi
${klist2} | grep Addresses:.IPv4:8.8.8.8 ||
{ echo "Failed to get a TGT with /get-tgt end-point with addresses"; exit 2; }
echo "Fetch TGT (inception)" echo "Fetch TGT (inception)"
${kdestroy} ${kdestroy}
token=$(KRB5CCNAME=$cache2 $gsstoken HTTP@$server) token=$(KRB5CCNAME=$cache2 $gsstoken HTTP@$server)
@@ -452,10 +455,14 @@ if ! (set -vx;
curl -o "${cachefile}" -Lgsf \ curl -o "${cachefile}" -Lgsf \
--resolve ${server}:${bx509port}:127.0.0.1 \ --resolve ${server}:${bx509port}:127.0.0.1 \
-H "Authorization: Negotiate $token" \ -H "Authorization: Negotiate $token" \
"http://${server}:${bx509port}/get-tgt"); then "http://${server}:${bx509port}/get-tgt?address=8.8.8.8"); then
echo "Failed to get a TGT with /get-tgt end-point" echo "Failed to get a TGT with /get-tgt end-point"
exit 2 exit 2
fi fi
${kgetcred} -H HTTP/${server}@${R} ||
{ echo "Trivial offline CA test failed (TGS)"; exit 2; }
${klist} | grep Addresses:.IPv4:8.8.8.8 ||
{ echo "Failed to get a TGT with /get-tgt end-point with addresses"; exit 2; }
echo "Fetch negotiate token (pre-test)" echo "Fetch negotiate token (pre-test)"
# Do what /bnegotiate does, roughly, prior to testing /bnegotiate # Do what /bnegotiate does, roughly, prior to testing /bnegotiate
@@ -468,11 +475,14 @@ $test_kdc_ca -a bx509 -A foo@${R} PKCS10:${objdir}/req \
cat ${objdir}/k.pem >> ${objdir}/pkinit-test.pem cat ${objdir}/k.pem >> ${objdir}/pkinit-test.pem
${kinit} -C PEM-FILE:${objdir}/pkinit-test.pem foo@${R} || ${kinit} -C PEM-FILE:${objdir}/pkinit-test.pem foo@${R} ||
{ echo "Trivial offline CA test failed (PKINIT)"; exit 2; } { echo "Trivial offline CA test failed (PKINIT)"; exit 2; }
#${kgetcred} -H HTTP/${server}@${R} || ${kgetcred} -H HTTP/${server}@${R} ||
# { echo "Trivial offline CA test failed (TGS)"; exit 2; } { echo "Trivial offline CA test failed (TGS)"; exit 2; }
KRB5CCNAME=$cache $gsstoken HTTP@$server | KRB5_KTNAME="$keytab" $gsstoken -r || KRB5CCNAME=$cache $gsstoken HTTP@$server | KRB5_KTNAME="$keytab" $gsstoken -r ||
{ echo "Trivial offline CA test failed (gss-token)"; exit 2; } { echo "Trivial offline CA test failed (gss-token)"; exit 2; }
grep 'Request from wrong address .ignoring' ${objdir}/messages.log ||
{ echo "KDC not warning about requests from wrong address"; exit 2; }
echo "Fetching a Negotiate token" echo "Fetching a Negotiate token"
token=$(KRB5CCNAME=$cache $gsstoken HTTP@$server) token=$(KRB5CCNAME=$cache $gsstoken HTTP@$server)
if (set -vx; if (set -vx;

6
tests/kdc/krb5-bx509.conf.in
View File

@@ -17,6 +17,8 @@
} }
[kdc] [kdc]
check-ticket-addresses = no
warn_ticket_addresses = yes
num-kdc-processes = 1 num-kdc-processes = 1
strict-nametypes = true strict-nametypes = true
enable-pkinit = true enable-pkinit = true
@@ -121,7 +123,9 @@
} }
} }
[getTGT] [get-tgt]
no_addresses = true
allow_addresses = true
simple_csr_authorizer_directory = @objdir@/simple_csr_authz simple_csr_authorizer_directory = @objdir@/simple_csr_authz
realms = { realms = {
TEST.H5L.SE = { TEST.H5L.SE = {