bx509d: Add test of IPC CSR authorizer
We have a CSR authorizer plugin for calling to an IPC service. In this commit we add test implementation of such a service. We also remove the simple_csr_authorizer plugin and fold its functionality into the new test_csr_authorizer functionality.
This commit is contained in:
Nicolas Williams
committed by
Nico Williams
Nico Williams
parent
f47f15d5b9
commit
fd6597614e
@@ -311,7 +311,7 @@ krb5-pkinit-win.conf: krb5-pkinit.conf.in Makefile
|
||||
mv krb5-pkinit-win.conf.tmp krb5-pkinit-win.conf
|
||||
|
||||
clean: clean-am
|
||||
rm -rf cc_dir simple_csr_authz
|
||||
rm -rf cc_dir authz_dir
|
||||
|
||||
CLEANFILES= \
|
||||
$(TESTS) \
|
||||
|
||||
@@ -74,11 +74,18 @@ klistjson="${klist} --json -c $cache"
|
||||
klist="${klist} --hidden -v -c $cache"
|
||||
kgetcred="${kgetcred} -c $cache"
|
||||
kdestroy="${kdestroy} -c $cache ${afs_no_unlog}"
|
||||
test_csr_authorizer="$test_csr_authorizer -A $objdir/authz_dir -S $objdir"
|
||||
kx509="${kx509} -c $cache"
|
||||
|
||||
KRB5_CONFIG="${objdir}/krb5-bx509.conf"
|
||||
export KRB5_CONFIG
|
||||
|
||||
HEIM_PIDFILE_DIR="${objdir}/"
|
||||
export HEIM_PIDFILE_DIR
|
||||
|
||||
HEIM_IPC_DIR=$objdir
|
||||
export HEIM_IPC_DIR
|
||||
|
||||
rsa=yes
|
||||
pkinit=no
|
||||
if ${hxtool} info | grep 'rsa: hx509 null RSA' > /dev/null ; then
|
||||
@@ -102,26 +109,26 @@ rm -f current-db*
|
||||
rm -f out-*
|
||||
rm -f mkey.file*
|
||||
rm -f *.pem *.crt *.der
|
||||
rm -rf simple_csr_authz
|
||||
rm -rf authz_dir
|
||||
|
||||
mkdir -p simple_csr_authz
|
||||
mkdir -p authz_dir
|
||||
|
||||
> messages.log
|
||||
|
||||
# We'll avoid using a KDC for now. For testing /bx509 we only need keys for
|
||||
# Negotiate tokens, and we'll use ktutil and kimpersonate to make it possible
|
||||
# to create and accept those without a KDC. When we test /bnegotiate, however,
|
||||
# we'll start a KDC.
|
||||
kdcpid=
|
||||
bx509pid=
|
||||
test_csr_authorizer_pid=
|
||||
trap 'kill -9 ${kdcpid} ${bx509pid} ${test_csr_authorizer_pid}; echo signal killing kdc, bx509d, and test_csr_authorizer; exit 1;' EXIT
|
||||
|
||||
# csr_grant ext-type value grantee_principal
|
||||
csr_grant() {
|
||||
mkdir -p "${objdir}/simple_csr_authz/${3}"
|
||||
touch "${objdir}/simple_csr_authz/${3}/${1}-${2}"
|
||||
mkdir -p "${objdir}/authz_dir/${3}"
|
||||
touch "${objdir}/authz_dir/${3}/${1}=${2}"
|
||||
}
|
||||
|
||||
csr_revoke() {
|
||||
rm -rf "${objdir}/simple_csr_authz"
|
||||
mkdir -p "${objdir}/simple_csr_authz"
|
||||
rm -rf "${objdir}/authz_dir"
|
||||
mkdir -p "${objdir}/authz_dir"
|
||||
}
|
||||
|
||||
# get_cert "" curl-opts
|
||||
@@ -254,7 +261,7 @@ $hxtool ca --issue-ca --type=https-negotiate-server \
|
||||
# XXX Before starting bx509d let us use kdc test programs to check that:
|
||||
#
|
||||
# - the negotiate token validator plugin works
|
||||
# - the simple CSR authorizer plugin works
|
||||
# - the authz_dir CSR authorizer plugin works
|
||||
# - the KDC CA tester program works
|
||||
|
||||
echo "Check gss-token and Negotiate token validator plugin"
|
||||
@@ -265,6 +272,64 @@ token=$(KRB5CCNAME=$cache $gsstoken HTTP@$server)
|
||||
$test_token_validator -a datan.test.h5l.se Negotiate "$token" ||
|
||||
{ echo "Negotiate token validator failed to validate valid token"; exit 2; }
|
||||
|
||||
|
||||
echo "Starting CSR authorizer IPC service"
|
||||
$test_csr_authorizer --server --daemon ||
|
||||
{ echo "Failed to start test_csr_authorizer service"; exit 2; }
|
||||
test_csr_authorizer_pid=`getpid test_csr_authorizer`
|
||||
|
||||
# Make a CSR for foo@$R
|
||||
$hxtool request-create --subject='' --generate-key=rsa --key-bits=1024 \
|
||||
--key=FILE:"${objdir}/k.der" --kerberos=foo@$R \
|
||||
${objdir}/req ||
|
||||
{ echo "Failed to make a CSR"; exit 2; }
|
||||
|
||||
echo "Test CSR authorizer IPC service (deny foo@$R to san_pkinit=foo@$R)"
|
||||
csr_revoke
|
||||
$test_csr_authorizer PKCS10:${objdir}/req foo@$R &&
|
||||
{ echo "CSR authorizer IPC service granted foo@$R"; exit 2; }
|
||||
|
||||
echo "Test CSR authorizer IPC service (grant foo@$R to san_pkinit=foo@$R)"
|
||||
csr_grant san_pkinit foo@$R foo@${R}
|
||||
$test_csr_authorizer PKCS10:${objdir}/req foo@$R ||
|
||||
{ echo "CSR authorizer IPC service rejected foo@$R"; exit 2; }
|
||||
|
||||
# Make a CSR for bar@$R
|
||||
$hxtool request-create --subject='' --key-bits=1024 \
|
||||
--key=FILE:"${objdir}/k.der" --kerberos=bar@$R \
|
||||
${objdir}/req ||
|
||||
{ echo "Failed to make a CSR"; exit 2; }
|
||||
|
||||
echo "Test CSR authorizer IPC service (deny foo@$R to san_pkinit=bar@$R)"
|
||||
$test_csr_authorizer PKCS10:${objdir}/req foo@$R &&
|
||||
{ echo "CSR authorizer IPC service accepted foo@$R"; exit 2; }
|
||||
|
||||
echo "Test CSR authorizer IPC service (grant foo@$R to san_pkinit=bar@$R)"
|
||||
csr_grant san_pkinit foo@$R bar@${R}
|
||||
$test_csr_authorizer PKCS10:${objdir}/req foo@$R &&
|
||||
{ echo "CSR authorizer IPC service accepted foo@$R"; exit 2; }
|
||||
|
||||
# Make a CSR for foo@$R and bar@$R
|
||||
$hxtool request-create --subject='' --key-bits=1024 \
|
||||
--key=FILE:"${objdir}/k.der" \
|
||||
--kerberos=foo@$R --kerberos=bar@$R \
|
||||
${objdir}/req ||
|
||||
{ echo "Failed to make a CSR"; exit 2; }
|
||||
|
||||
# Check that the authorizer does mark foo@$R as approved even though it denies
|
||||
# the overall request because it rejects bar@$R
|
||||
echo "Test CSR authorizer IPC service (partial authz)"
|
||||
csr_revoke
|
||||
csr_grant san_pkinit foo@$R foo@${R}
|
||||
# Check that the authorizer grants foo@$R
|
||||
$test_csr_authorizer PKCS10:${objdir}/req foo@$R san_pkinit=foo@$R ||
|
||||
{ echo "CSR authorizer IPC service partial approval check fail"; exit 2; }
|
||||
# Check that the authorizer rejects bar@$R
|
||||
$test_csr_authorizer PKCS10:${objdir}/req foo@$R san_pkinit=bar@$R &&
|
||||
{ echo "CSR authorizer IPC service partial approval check fail"; exit 2; }
|
||||
$test_csr_authorizer PKCS10:${objdir}/req foo@$R san_pkinit=foo@$R san_pkinit=bar@$R &&
|
||||
{ echo "CSR authorizer IPC service partial approval check fail"; exit 2; }
|
||||
|
||||
echo "Making a plain CSR"
|
||||
$hxtool request-create --subject='' --generate-key=rsa --key-bits=1024 \
|
||||
--key=FILE:"${objdir}/k.der" "${objdir}/req" ||
|
||||
@@ -297,7 +362,7 @@ $hxtool request-create --subject='' --generate-key=rsa --key-bits=1024 \
|
||||
$test_kdc_ca -a bx509 foo@${R} PKCS10:${objdir}/req \
|
||||
PEM-FILE:${objdir}/server.pem &&
|
||||
{ echo "Trivial offline CA test failed: unauthorized issuance (dNSName)"; exit 2; }
|
||||
csr_grant dnsname foo.test.h5l.se foo@${R}
|
||||
csr_grant san_dnsname foo.test.h5l.se foo@${R}
|
||||
csr_grant eku 1.3.6.1.5.5.7.3.1 foo@${R}
|
||||
$test_kdc_ca -a bx509 foo@${R} PKCS10:${objdir}/req \
|
||||
PEM-FILE:${objdir}/server.pem ||
|
||||
@@ -316,7 +381,7 @@ $hxtool request-create --subject='' --generate-key=rsa --key-bits=1024 \
|
||||
$test_kdc_ca -a bx509 foo@${R} PKCS10:${objdir}/req \
|
||||
PEM-FILE:${objdir}/email.pem &&
|
||||
{ echo "Offline CA test failed: unauthorized issuance (dNSName)"; exit 2; }
|
||||
csr_grant email foo@test.h5l.se foo@${R}
|
||||
csr_grant san_email foo@test.h5l.se foo@${R}
|
||||
csr_grant eku 1.3.6.1.5.5.7.3.2 foo@${R}
|
||||
$test_kdc_ca -a bx509 foo@${R} PKCS10:${objdir}/req \
|
||||
PEM-FILE:${objdir}/email.pem ||
|
||||
@@ -338,21 +403,33 @@ if ! test -x ${objdir}/../../kdc/bx509d; then
|
||||
fi
|
||||
|
||||
echo "Creating database"
|
||||
${kadmin} init \
|
||||
--realm-max-ticket-life=1day \
|
||||
--realm-max-renewable-life=1month \
|
||||
${R} || exit 1
|
||||
${kadmin} add -r --use-defaults foo@${R} || exit 1
|
||||
${kadmin} add -r --use-defaults bar@${R} || exit 1
|
||||
${kadmin} add -r --use-defaults baz@${R} || exit 1
|
||||
${kadmin} modify --pkinit-acl="CN=foo,DC=test,DC=h5l,DC=se" foo@${R} || exit 1
|
||||
rm -f $kt $ukt
|
||||
${kadmin} <<EOF || exit 1
|
||||
init --realm-max-ticket-life=1day --realm-max-renewable-life=1month ${R}
|
||||
add -r --use-defaults foo@${R}
|
||||
add -r --use-defaults bar@${R}
|
||||
add -r --use-defaults baz@${R}
|
||||
add -r --use-defaults raz@${R}
|
||||
modify --pkinit-acl="CN=foo,DC=test,DC=h5l,DC=se" foo@${R}
|
||||
add -r --use-defaults HTTP/${server}@${R}
|
||||
ext_keytab -r -k $keytab HTTP/${server}@${R}
|
||||
add -r --use-defaults HTTP/${otherserver}@${R}
|
||||
ext_keytab -r -k $ukeytab foo@${R}
|
||||
EOF
|
||||
|
||||
echo "Starting kdc";
|
||||
${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; }
|
||||
kdcpid=`getpid kdc`
|
||||
|
||||
${kdestroy}
|
||||
${kinit} -kt $ukeytab foo@${R} || exit 1
|
||||
$klist || { echo "failed to kinit"; exit 2; }
|
||||
|
||||
|
||||
echo "Starting bx509d"
|
||||
${bx509d} --daemon || { echo "bx509 failed to start"; exit 2; }
|
||||
bx509pid=`getpid bx509d`
|
||||
|
||||
trap 'kill -9 ${bx509pid}; echo signal killing bx509d; exit 1;' EXIT
|
||||
ec=0
|
||||
|
||||
rm -f trivial.pem server.pem email.pem
|
||||
@@ -458,7 +535,7 @@ else
|
||||
fi
|
||||
|
||||
echo "Fetching a server certificate with one dNSName SAN"
|
||||
csr_grant dnsname $server foo@${R}
|
||||
csr_grant san_dnsname $server foo@${R}
|
||||
if (set -vx; get_cert "&dNSName=$server" -sf -o "${objdir}/server.pem"); then
|
||||
$hxtool print --content "FILE:${objdir}/server.pem"
|
||||
if (set -vx; $hxtool acert --expr="%{certificate.subject} == \"\"" \
|
||||
@@ -478,7 +555,7 @@ else
|
||||
fi
|
||||
|
||||
echo "Fetching a server certificate with two dNSName SANs"
|
||||
csr_grant dnsname "second-$server" foo@${R}
|
||||
csr_grant san_dnsname "second-$server" foo@${R}
|
||||
if (set -vx;
|
||||
get_cert "&dNSName=${server}&dNSName=second-$server" -sf \
|
||||
-o "${objdir}/server2.pem"); then
|
||||
@@ -502,7 +579,7 @@ else
|
||||
fi
|
||||
|
||||
echo "Fetching an email certificate"
|
||||
csr_grant email foo@bar.example foo@${R}
|
||||
csr_grant san_email foo@bar.example foo@${R}
|
||||
if (set -vx; get_cert "&rfc822Name=foo@bar.example" -sf -o "${objdir}/email.pem"); then
|
||||
$hxtool print --content "FILE:${objdir}/email.pem"
|
||||
if $hxtool acert --end-entity -P "foo@${R}" "FILE:${objdir}/email.pem"; then
|
||||
@@ -521,22 +598,6 @@ else
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Need to start a KDC to test this.
|
||||
rm -f $kt $ukt
|
||||
${kdestroy}
|
||||
${kadmin} add -r --use-defaults HTTP/${server}@${R} || exit 1
|
||||
${kadmin} ext_keytab -r -k $keytab HTTP/${server}@${R} || exit 1
|
||||
${kadmin} add -r --use-defaults HTTP/${otherserver}@${R} || exit 1
|
||||
${kadmin} ext_keytab -r -k $ukeytab foo@${R} || exit 1
|
||||
|
||||
echo "Starting kdc";
|
||||
${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; }
|
||||
kdcpid=`getpid kdc`
|
||||
trap 'kill -9 ${kdcpid} ${bx509pid}; echo signal killing kdc and bx509d; exit 1;' EXIT
|
||||
|
||||
${kinit} -kt $ukeytab foo@${R} || exit 1
|
||||
$klist || { echo "failed to kinit"; exit 2; }
|
||||
|
||||
echo "Fetch TGT (not granted for other)"
|
||||
token=$(KRB5CCNAME=$cache $gsstoken HTTP@$server)
|
||||
if (set -vx;
|
||||
@@ -549,8 +610,8 @@ if (set -vx;
|
||||
fi
|
||||
|
||||
echo "Fetch TGT"
|
||||
(set -vx; csr_grant pkinit foo@${R} foo@${R})
|
||||
(set -vx; csr_grant eku 1.3.6.1.5.2.3.4 foo@${R})
|
||||
csr_grant san_pkinit foo@${R} foo@${R}
|
||||
csr_grant eku 1.3.6.1.5.2.3.4 foo@${R}
|
||||
token=$(KRB5CCNAME=$cache $gsstoken HTTP@$server)
|
||||
if ! (set -vx;
|
||||
curl -o "${cachefile2}" -Lgsf \
|
||||
@@ -581,7 +642,7 @@ ${klist} | grep Addresses:.IPv4:8.8.8.8 ||
|
||||
{ echo "Failed to get a TGT with /get-tgt end-point with addresses"; exit 2; }
|
||||
|
||||
echo "Fetch TGT (for other)"
|
||||
(set -vx; csr_grant pkinit bar@${R} foo@${R})
|
||||
csr_grant san_pkinit bar@${R} foo@${R}
|
||||
${kdestroy}
|
||||
token=$(KRB5CCNAME=$cache2 $gsstoken HTTP@$server)
|
||||
if ! (set -vx;
|
||||
@@ -599,7 +660,7 @@ ${klist} | grep Addresses:.IPv4:8.8.8.8 ||
|
||||
|
||||
echo "Fetch TGT (for other, w/ lifetime req under max)"
|
||||
${kadmin} modify --max-ticket-life=10d krbtgt/${R}@${R}
|
||||
(set -vx; csr_grant pkinit bar@${R} foo@${R})
|
||||
csr_grant san_pkinit bar@${R} foo@${R}
|
||||
${kdestroy}
|
||||
token=$(KRB5CCNAME=$cache2 $gsstoken HTTP@$server)
|
||||
if ! (set -vx;
|
||||
@@ -625,7 +686,7 @@ fi
|
||||
|
||||
echo "Fetch TGT (for other, w/ lifetime req over max)"
|
||||
${kadmin} modify --max-ticket-life=10d krbtgt/${R}@${R}
|
||||
(set -vx; csr_grant pkinit bar@${R} foo@${R})
|
||||
csr_grant san_pkinit bar@${R} foo@${R}
|
||||
${kdestroy}
|
||||
token=$(KRB5CCNAME=$cache2 $gsstoken HTTP@$server)
|
||||
if ! (set -vx;
|
||||
@@ -651,7 +712,7 @@ fi
|
||||
|
||||
echo "Fetch TGT (for other, w/ lifetime req under max)"
|
||||
${kadmin} modify --max-ticket-life=10d krbtgt/${R}@${R}
|
||||
(set -vx; csr_grant pkinit bar@${R} foo@${R})
|
||||
csr_grant san_pkinit bar@${R} foo@${R}
|
||||
${kdestroy}
|
||||
token=$(KRB5CCNAME=$cache2 $gsstoken HTTP@$server)
|
||||
if ! (set -vx;
|
||||
@@ -677,22 +738,115 @@ fi
|
||||
|
||||
echo "Fetch TGTs (batch, authz fail)"
|
||||
${kadmin} modify --max-ticket-life=10d krbtgt/${R}@${R}
|
||||
(set -vx; csr_grant pkinit bar@${R} foo@${R})
|
||||
csr_revoke
|
||||
${kdestroy}
|
||||
token=$(KRB5CCNAME=$cache2 $gsstoken HTTP@$server)
|
||||
rm -f "${cachefile}.json"
|
||||
if (set -vx;
|
||||
curl -o "${cachefile}.json" -Lgsf \
|
||||
--resolve ${server}:${bx509port}:127.0.0.1 \
|
||||
-H "Authorization: Negotiate $token" \
|
||||
"http://${server}:${bx509port}/get-tgts?cname=bar@${R}&cname=baz@${R}"); then
|
||||
# 200 Ok is not a problem. We have to check that the result is sane.
|
||||
true
|
||||
else
|
||||
if grep ccache "${cachefile}.json"; then
|
||||
echo "Got TGTs with /get-tgts end-point that should have been denied"
|
||||
exit 2;
|
||||
fi
|
||||
if ! grep error_code "${cachefile}.json" > /dev/null; then
|
||||
cat "${cachefile}.json"
|
||||
echo "Request failed w/o error information"
|
||||
exit 2;
|
||||
fi
|
||||
fi
|
||||
cat "${cachefile}.json"
|
||||
if grep ccache "${cachefile}.json"; then
|
||||
echo "Got TGTs with /get-tgts end-point that should have been denied"
|
||||
exit 2;
|
||||
fi
|
||||
|
||||
echo "Fetch TGTs (batch, partial authz with IPC authorizer)"
|
||||
${kadmin} modify --max-ticket-life=10d krbtgt/${R}@${R}
|
||||
csr_revoke
|
||||
csr_grant san_pkinit bar@${R} foo@${R}
|
||||
csr_grant san_pkinit baz@${R} foo@${R}
|
||||
${kdestroy}
|
||||
token=$(KRB5CCNAME=$cache2 $gsstoken HTTP@$server)
|
||||
if ! (set -vx;
|
||||
curl -vvvo "${cachefile}.json" -Lgsf \
|
||||
--resolve ${server}:${bx509port}:127.0.0.1 \
|
||||
-H "Authorization: Negotiate $token" \
|
||||
"http://${server}:${bx509port}/get-tgts?cname=bar@${R}&cname=raz@${R}&cname=baz@${R}"); then
|
||||
echo "Failed to get TGTs batch including non-existent principal"
|
||||
exit 2
|
||||
fi
|
||||
if which jq >/dev/null; then
|
||||
set -vx
|
||||
jq -e . "${cachefile}.json" > /dev/null ||
|
||||
{ echo "/get-tgts produced non-JSON"; exit 2; }
|
||||
jq -es '.[]|select(.name|startswith("raz@"))|(.error_code//empty)' "${cachefile}.json" > /dev/null ||
|
||||
{ echo "No error was reported for raz@${R}!"; exit 2; }
|
||||
jq -es '.[]|select(.name|startswith("raz@"))|(.ccache//"")|(length==0)' "${cachefile}.json" > /dev/null ||
|
||||
{ echo "Non-empty ccache included for raz@${R}!"; exit 2; }
|
||||
|
||||
# Check bar@$R's tickets:
|
||||
jq -r 'select(.name|startswith("bar@")).ccache' "${cachefile}.json" |
|
||||
$rkbase64 -d -- - > "${cachefile}"
|
||||
${kgetcred} -H HTTP/${server}@${R} ||
|
||||
{ echo "Fetched TGT didn't work"; exit 2; }
|
||||
${klistjson} | jq -e --arg p bar@$R '.principal == $p' > /dev/null ||
|
||||
{ echo "/get-tgts produced wrong TGTs"; exit 2; }
|
||||
|
||||
# Check baz@$R's tickets:
|
||||
jq -r 'select(.name|startswith("baz@")).ccache' "${cachefile}.json" |
|
||||
$rkbase64 -d -- - > "${cachefile}"
|
||||
${kgetcred} -H HTTP/${server}@${R} ||
|
||||
{ echo "Fetched TGT didn't work"; exit 2; }
|
||||
${klistjson} | jq -e --arg p baz@$R '.principal == $p' > /dev/null ||
|
||||
{ echo "/get-tgts produced wrong TGTs"; exit 2; }
|
||||
fi
|
||||
|
||||
echo "Fetch TGTs (batch, partial authz)"
|
||||
${kadmin} modify --max-ticket-life=10d krbtgt/${R}@${R}
|
||||
csr_revoke
|
||||
csr_grant san_pkinit bar@${R} foo@${R}
|
||||
${kdestroy}
|
||||
token=$(KRB5CCNAME=$cache2 $gsstoken HTTP@$server)
|
||||
if ! (set -vx;
|
||||
curl -vvvo "${cachefile}.json" -Lgsf \
|
||||
--resolve ${server}:${bx509port}:127.0.0.1 \
|
||||
-H "Authorization: Negotiate $token" \
|
||||
"http://${server}:${bx509port}/get-tgts?cname=not@${R}&cname=bar@${R}&cname=baz@${R}"); then
|
||||
echo "Failed to get TGTs batch including non-existent principal"
|
||||
exit 2
|
||||
fi
|
||||
if which jq >/dev/null; then
|
||||
set -vx
|
||||
jq -e . "${cachefile}.json" > /dev/null ||
|
||||
{ echo "/get-tgts produced non-JSON"; exit 2; }
|
||||
jq -es '.[]|select(.name|startswith("not@"))|(.error_code//empty)' "${cachefile}.json" > /dev/null ||
|
||||
{ echo "No error was reported for not@${R}!"; exit 2; }
|
||||
jq -es '.[]|select(.name|startswith("not@"))|(.ccache//"")|(length==0)' "${cachefile}.json" > /dev/null ||
|
||||
{ echo "Non-empty ccache included for not@${R}!"; exit 2; }
|
||||
jq -es '.[]|select(.name|startswith("baz@"))|(.error_code//empty)' "${cachefile}.json" > /dev/null ||
|
||||
{ echo "No error was reported for baz@${R}!"; exit 2; }
|
||||
jq -es '.[]|select(.name|startswith("baz@"))|(.ccache//"")|(length==0)' "${cachefile}.json" > /dev/null ||
|
||||
{ echo "Non-empty ccache included for baz@${R}!"; exit 2; }
|
||||
|
||||
# Check bar@$R's tickets:
|
||||
jq -r 'select(.name|startswith("bar@")).ccache' "${cachefile}.json" |
|
||||
$rkbase64 -d -- - > "${cachefile}"
|
||||
${kgetcred} -H HTTP/${server}@${R} ||
|
||||
{ echo "Fetched TGT didn't work"; exit 2; }
|
||||
${klistjson} | jq -e --arg p bar@$R '.principal == $p' > /dev/null ||
|
||||
{ echo "/get-tgts produced wrong TGTs"; exit 2; }
|
||||
fi
|
||||
|
||||
echo "Fetch TGTs (batch, authz pass)"
|
||||
${kadmin} modify --max-ticket-life=10d krbtgt/${R}@${R}
|
||||
(csr_grant pkinit bar@${R} foo@${R})
|
||||
(csr_grant pkinit baz@${R} foo@${R})
|
||||
csr_grant san_pkinit bar@${R} foo@${R}
|
||||
csr_grant san_pkinit baz@${R} foo@${R}
|
||||
${kdestroy}
|
||||
token=$(KRB5CCNAME=$cache2 $gsstoken HTTP@$server)
|
||||
if ! (set -vx;
|
||||
@@ -726,9 +880,9 @@ fi
|
||||
|
||||
echo "Fetch TGTs (batch, authz pass, one non-existent principal)"
|
||||
${kadmin} modify --max-ticket-life=10d krbtgt/${R}@${R}
|
||||
(csr_grant pkinit bar@${R} foo@${R})
|
||||
(csr_grant pkinit baz@${R} foo@${R})
|
||||
(csr_grant pkinit not@${R} foo@${R})
|
||||
csr_grant san_pkinit bar@${R} foo@${R}
|
||||
csr_grant san_pkinit baz@${R} foo@${R}
|
||||
csr_grant san_pkinit not@${R} foo@${R}
|
||||
${kdestroy}
|
||||
token=$(KRB5CCNAME=$cache2 $gsstoken HTTP@$server)
|
||||
if ! (set -vx;
|
||||
@@ -913,9 +1067,10 @@ else
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo "killing kdc (${kdcpid}) and bx509d (${bx509pid})"
|
||||
echo "killing kdc (${kdcpid}) and bx509d (${bx509pid}) and test_csr_authorizer (${test_csr_authorizer_pid})"
|
||||
sh ${leaks_kill} kdc $kdcpid || ec=1
|
||||
sh ${leaks_kill} bx509d $bx509pid || ec=1
|
||||
sh ${leaks_kill} test_csr_authorizer $test_csr_authorizer_pid || ec=1
|
||||
|
||||
trap "" EXIT
|
||||
|
||||
|
||||
@@ -97,15 +97,19 @@ KRB5_CONFIG="${objdir}/krb5-httpkadmind.conf"
|
||||
export KRB5_CONFIG
|
||||
KRB5CCNAME=$cache
|
||||
export KRB5CCNAME
|
||||
HEIM_PIDFILE_DIR=$objdir
|
||||
export HEIM_PIDFILE_DIR
|
||||
HEIM_IPC_DIR=$objdir
|
||||
export HEIM_IPC_DIR
|
||||
|
||||
rm -f current-db*
|
||||
rm -f out-*
|
||||
rm -f mkey.file*
|
||||
rm -f *.pem *.crt *.der
|
||||
rm -rf simple_csr_authz
|
||||
rm -rf authz_dir
|
||||
rm -f extracted_keytab*
|
||||
|
||||
mkdir -p simple_csr_authz
|
||||
mkdir -p authz_dir
|
||||
|
||||
> messages.log
|
||||
|
||||
@@ -115,13 +119,13 @@ mkdir -p simple_csr_authz
|
||||
|
||||
# grant ext-type value grantee_principal
|
||||
grant() {
|
||||
mkdir -p "${objdir}/simple_csr_authz/${3}"
|
||||
touch "${objdir}/simple_csr_authz/${3}/${1}-${2}"
|
||||
mkdir -p "${objdir}/authz_dir/${3}"
|
||||
touch "${objdir}/authz_dir/${3}/${1}=${2}"
|
||||
}
|
||||
|
||||
revoke() {
|
||||
rm -rf "${objdir}/simple_csr_authz"
|
||||
mkdir -p "${objdir}/simple_csr_authz"
|
||||
rm -rf "${objdir}/authz_dir"
|
||||
mkdir -p "${objdir}/authz_dir"
|
||||
}
|
||||
|
||||
if set -o|grep 'verbose.*on' > /dev/null ||
|
||||
@@ -204,15 +208,18 @@ get_keytab_POST_redir() {
|
||||
kdcpid=
|
||||
httpkadmindpid=
|
||||
httpkadmind2pid=
|
||||
test_csr_authorizer_pid=
|
||||
kadmindpid=
|
||||
kadmind2pid=
|
||||
cleanup() {
|
||||
test -n "$kdcpid" &&
|
||||
{ echo signal killing kdc; kill -9 "$kdcpid"; }
|
||||
test -n "$test_csr_authorizer_pid" &&
|
||||
{ echo signal killing test_csr_authorizer; kill -9 "$test_csr_authorizer_pid"; }
|
||||
test -n "$httpkadmindpid" &&
|
||||
{ echo signal killing httpkadmind; kill -9 "$httpkadmindpid"; }
|
||||
test -n "$httpkadmind2pid" &&
|
||||
{ echo signal killing httpkadmind; kill -9 "$httpkadmind2pid"; }
|
||||
{ echo signal killing second httpkadmind; kill -9 "$httpkadmind2pid"; }
|
||||
test -n "$kadmindpid" &&
|
||||
{ echo signal killing kadmind; kill -9 "$kadmindpid"; }
|
||||
test -n "$kadmind2pid" &&
|
||||
@@ -224,29 +231,28 @@ rm -f extracted_keytab
|
||||
|
||||
echo "Creating database"
|
||||
rm -f $kt $ukt
|
||||
${kadmin} init \
|
||||
--realm-max-ticket-life=1day \
|
||||
--realm-max-renewable-life=1month \
|
||||
${R} || exit 1
|
||||
${kadmin} add -r --use-defaults foo@${R} || exit 1
|
||||
${kadmin} add -r --use-defaults httpkadmind/admin@${R} || exit 1
|
||||
${kadmin} add -r --use-defaults WELLKNOWN/CSRFTOKEN@${R} || exit 1
|
||||
${kadmin} add -r --use-defaults HTTP/localhost@${R} || exit 1
|
||||
${kadmin} add -r --use-defaults host/xyz.${domain}@${R} || exit 1
|
||||
${kadmin} add -r --use-defaults HTTP/xyz.${domain}@${R} || exit 1
|
||||
${kadmin} add_ns --key-rotation-epoch=-1d --key-rotation-period=5m \
|
||||
--max-ticket-life=1d --max-renewable-life=5d \
|
||||
--attributes= HTTP/ns.${domain}@${R} || exit 1
|
||||
${kadmin} add_ns --key-rotation-epoch=-1d --key-rotation-period=5m \
|
||||
--max-ticket-life=1d --max-renewable-life=5d \
|
||||
--attributes=ok-as-delegate host/.ns2.${domain}@${R} || exit 1
|
||||
${kadmin} add -r --use-defaults HTTP/${server}@${R} || exit 1
|
||||
${kadmin} ext_keytab -r -k $keytab kadmin/admin@${R} || exit 1
|
||||
${kadmin} ext_keytab -r -k $keytab httpkadmind/admin@${R} || exit 1
|
||||
${kadmin} ext_keytab -r -k $keytab HTTP/${server}@${R} || exit 1
|
||||
${kadmin} ext_keytab -r -k $keytab HTTP/localhost@${R} || exit 1
|
||||
${kadmin} add -r --use-defaults HTTP/${otherserver}@${R} || exit 1
|
||||
${kadmin} ext_keytab -r -k $ukeytab foo@${R} || exit 1
|
||||
${kadmin} <<EOF || exit 1
|
||||
init --realm-max-ticket-life=1day --realm-max-renewable-life=1month ${R}
|
||||
add -r --use-defaults foo@${R}
|
||||
add -r --use-defaults httpkadmind/admin@${R}
|
||||
add -r --use-defaults WELLKNOWN/CSRFTOKEN@${R}
|
||||
add -r --use-defaults HTTP/localhost@${R}
|
||||
add -r --use-defaults host/xyz.${domain}@${R}
|
||||
add -r --use-defaults HTTP/xyz.${domain}@${R}
|
||||
add_ns --key-rotation-epoch=-1d --key-rotation-period=5m \
|
||||
--max-ticket-life=1d --max-renewable-life=5d \
|
||||
--attributes= HTTP/ns.${domain}@${R}
|
||||
add_ns --key-rotation-epoch=-1d --key-rotation-period=5m \
|
||||
--max-ticket-life=1d --max-renewable-life=5d \
|
||||
--attributes=ok-as-delegate host/.ns2.${domain}@${R}
|
||||
add -r --use-defaults HTTP/${server}@${R}
|
||||
ext_keytab -r -k $keytab kadmin/admin@${R}
|
||||
ext_keytab -r -k $keytab httpkadmind/admin@${R}
|
||||
ext_keytab -r -k $keytab HTTP/${server}@${R}
|
||||
ext_keytab -r -k $keytab HTTP/localhost@${R}
|
||||
add -r --use-defaults HTTP/${otherserver}@${R}
|
||||
ext_keytab -r -k $ukeytab foo@${R}
|
||||
EOF
|
||||
${kdestroy}
|
||||
|
||||
# For a while let's not bother with a KDC
|
||||
@@ -259,6 +265,12 @@ $kimpersonate -A --ccache=$cache -k $keytab -R -t aes128-cts-hmac-sha1-96 \
|
||||
$klist -t >/dev/null ||
|
||||
{ echo "failed to setup kimpersonate credentials"; exit 2; }
|
||||
|
||||
echo "Starting test_csr_authorizer"
|
||||
${test_csr_authorizer} -A $objdir/authz_dir -S $objdir --server --daemon ||
|
||||
{ echo "test_csr_authorizer failed to start"; exit 2; }
|
||||
test_csr_authorizer_pid=`getpid test_csr_authorizer`
|
||||
ec=0
|
||||
|
||||
echo "Starting httpkadmind"
|
||||
${httpkadmind} -H $server -H localhost --local -t --daemon ||
|
||||
{ echo "httpkadmind failed to start"; exit 2; }
|
||||
@@ -291,7 +303,7 @@ hn=xyz.${domain}
|
||||
p=HTTP/$hn
|
||||
echo "Fetching keytab for concrete principal $p"
|
||||
rm -f extracted_keytab*
|
||||
grant dnsname $hn foo@${R}
|
||||
grant san_dnsname $hn foo@${R}
|
||||
${kadmin} ext_keytab -k extracted_keytab $p ||
|
||||
{ echo "Failed to get a keytab for $p with kadmin"; exit 1; }
|
||||
${ktutil} -k "${objdir}/extracted_keytab" list --keys > extracted_keytab.kadmin ||
|
||||
@@ -307,7 +319,7 @@ hn=foo.ns.${domain}
|
||||
p=HTTP/$hn
|
||||
echo "Fetching keytab for virtual principal $p"
|
||||
rm -f extracted_keytab*
|
||||
grant dnsname $hn foo@${R}
|
||||
grant san_dnsname $hn foo@${R}
|
||||
${kadmin} ext_keytab -k extracted_keytab $p ||
|
||||
{ echo "Failed to get a keytab for $p with kadmin"; exit 1; }
|
||||
${ktutil} -k "${objdir}/extracted_keytab" list --keys > extracted_keytab.kadmin ||
|
||||
@@ -329,9 +341,9 @@ p2=HTTP/$hn2
|
||||
p3=HTTP/$hn3
|
||||
echo "Fetching keytabs for more than one principal"
|
||||
rm -f extracted_keytab*
|
||||
grant dnsname $hn1 foo@${R}
|
||||
grant dnsname $hn2 foo@${R}
|
||||
grant dnsname $hn3 foo@${R}
|
||||
grant san_dnsname $hn1 foo@${R}
|
||||
grant san_dnsname $hn2 foo@${R}
|
||||
grant san_dnsname $hn3 foo@${R}
|
||||
# Note that httpkadmind will first process dNSName q-params, then the spn
|
||||
# q-params.
|
||||
${kadmin} ext_keytab -k extracted_keytab $p1 ||
|
||||
@@ -372,7 +384,7 @@ hn=xyz.${domain}
|
||||
p=host/$hn
|
||||
echo "Fetching keytab for virtual principal $p"
|
||||
rm -f extracted_keytab*
|
||||
grant dnsname $hn foo@${R}
|
||||
grant san_dnsname $hn foo@${R}
|
||||
get_keytab "service=host&dNSName=xyz.${domain}" -sf -o "${objdir}/extracted_keytab" &&
|
||||
{ echo "Got a keytab for $p even though it is a host service!"; exit 1; }
|
||||
get_keytab "spn=host/xyz.${domain}" -sf -o "${objdir}/extracted_keytab" &&
|
||||
@@ -383,7 +395,7 @@ hn=xyz.${domain}
|
||||
p=HTTP/$hn
|
||||
echo "Checking key rotation for concrete principal $p"
|
||||
rm -f extracted_keytab*
|
||||
grant dnsname $hn foo@${R}
|
||||
grant san_dnsname $hn foo@${R}
|
||||
get_keytab "dNSName=${hn}" -sf -o "${objdir}/extracted_keytab" ||
|
||||
{ echo "Failed to get a keytab for $p with curl"; exit 1; }
|
||||
${ktutil} -k "${objdir}/extracted_keytab" list --keys > extracted_keytab.rest1 ||
|
||||
@@ -405,7 +417,7 @@ hn=xyz.${domain}
|
||||
p=HTTP/$hn
|
||||
echo "Checking key rotation w/ revocation for concrete principal $p"
|
||||
rm -f extracted_keytab*
|
||||
grant dnsname $hn foo@${R}
|
||||
grant san_dnsname $hn foo@${R}
|
||||
get_keytab "dNSName=${hn}" -sf -o "${objdir}/extracted_keytab" ||
|
||||
{ echo "Failed to get a keytab for $p with curl"; exit 1; }
|
||||
${ktutil} -k "${objdir}/extracted_keytab" list --keys > extracted_keytab.rest1 ||
|
||||
@@ -425,7 +437,7 @@ hn=abc.${domain}
|
||||
p=HTTP/$hn
|
||||
echo "Checking concrete principal creation ($p)"
|
||||
rm -f extracted_keytab
|
||||
grant dnsname $hn foo@${R}
|
||||
grant san_dnsname $hn foo@${R}
|
||||
get_keytab "dNSName=${hn}&create=true" -sf -o "${objdir}/extracted_keytab" &&
|
||||
{ echo "GET succeeded for write operation!"; exit 1; }
|
||||
get_keytab_POST "dNSName=${hn}&create=true" -s -o "${objdir}/extracted_keytab" ||
|
||||
@@ -444,7 +456,7 @@ hn=bar.ns.${domain}
|
||||
p=HTTP/$hn
|
||||
echo "Checking materialization of virtual principal ($p)"
|
||||
rm -f extracted_keytab
|
||||
grant dnsname $hn foo@${R}
|
||||
grant san_dnsname $hn foo@${R}
|
||||
get_keytab "dNSName=${hn}&materialize=true" -sf -o "${objdir}/extracted_keytab" &&
|
||||
{ echo "GET succeeded for write operation!"; exit 1; }
|
||||
get_keytab_POST "dNSName=${hn}&materialize=true" -s -o "${objdir}/extracted_keytab" ||
|
||||
@@ -471,7 +483,7 @@ p=HTTP/$hn
|
||||
restport=$restport2
|
||||
echo "Checking principal creation at secondary yields redirect"
|
||||
rm -f extracted_keytab
|
||||
grant dnsname $hn foo@${R}
|
||||
grant san_dnsname $hn foo@${R}
|
||||
get_keytab_POST_redir "dNSName=${hn}&create=true" \
|
||||
-s -o "${objdir}/extracted_keytab"
|
||||
${ktutil} -k "${objdir}/extracted_keytab" list --keys > extracted_keytab.rest ||
|
||||
@@ -559,7 +571,7 @@ hn=xyz.${domain}
|
||||
p=HTTP/$hn
|
||||
echo "Fetching keytab for concrete principal $p using remote HDB"
|
||||
rm -f extracted_keytab*
|
||||
grant dnsname $hn httpkadmind/admin@${R}
|
||||
grant san_dnsname $hn httpkadmind/admin@${R}
|
||||
KRB5CCNAME=$admincache ${kadmin} ext_keytab -k extracted_keytab $p ||
|
||||
{ echo "Failed to get a keytab for $p with kadmin"; exit 1; }
|
||||
${ktutil} -k "${objdir}/extracted_keytab" list --keys > extracted_keytab.kadmin ||
|
||||
@@ -575,7 +587,7 @@ hn=xyz.${domain}
|
||||
p=HTTP/$hn
|
||||
echo "Checking key rotation for concrete principal $p using remote HDB"
|
||||
rm -f extracted_keytab*
|
||||
grant dnsname $hn foo@${R}
|
||||
grant san_dnsname $hn foo@${R}
|
||||
get_keytab "dNSName=${hn}" -sf -o "${objdir}/extracted_keytab" ||
|
||||
{ echo "Failed to get a keytab for $p with curl"; exit 1; }
|
||||
${ktutil} -k "${objdir}/extracted_keytab" list --keys > extracted_keytab.rest1 ||
|
||||
@@ -610,7 +622,7 @@ hn=xyz.${domain}
|
||||
p=HTTP/$hn
|
||||
echo "Fetching keytab for concrete principal $p using local read-only HDB"
|
||||
rm -f extracted_keytab*
|
||||
grant dnsname $hn httpkadmind/admin@${R}
|
||||
grant san_dnsname $hn httpkadmind/admin@${R}
|
||||
KRB5CCNAME=$admincache ${kadmin} ext_keytab -k extracted_keytab $p ||
|
||||
{ echo "Failed to get a keytab for $p with kadmin"; exit 1; }
|
||||
${ktutil} -k "${objdir}/extracted_keytab" list --keys > extracted_keytab.kadmin ||
|
||||
@@ -626,7 +638,7 @@ hn=xyz.${domain}
|
||||
p=HTTP/$hn
|
||||
echo "Checking key rotation for concrete principal $p using local read-only HDB and remote HDB"
|
||||
rm -f extracted_keytab*
|
||||
grant dnsname $hn foo@${R}
|
||||
grant san_dnsname $hn foo@${R}
|
||||
get_keytab "dNSName=${hn}" -sf -o "${objdir}/extracted_keytab" ||
|
||||
{ echo "Failed to get a keytab for $p with curl"; exit 1; }
|
||||
${ktutil} -k "${objdir}/extracted_keytab" list --keys > extracted_keytab.rest1 ||
|
||||
@@ -810,6 +822,7 @@ KRB5CCNAME=$admincache ${kadmin} get $p |
|
||||
grep 'Internal error' messages.log &&
|
||||
{ echo "Internal errors in log"; exit 1; }
|
||||
|
||||
sh ${leaks_kill} test_csr_authorizer $test_csr_authorizer_pid || ec=1
|
||||
sh ${leaks_kill} httpkadmind $httpkadmindpid || ec=1
|
||||
sh ${leaks_kill} kadmind $kadmindpid || ec=1
|
||||
sh ${leaks_kill} kadmind $kadmind2pid || ec=1
|
||||
|
||||
@@ -64,6 +64,11 @@ kx509="${kx509} -c $cache"
|
||||
|
||||
KRB5_CONFIG="${objdir}/krb5-pkinit.conf"
|
||||
export KRB5_CONFIG
|
||||
HEIM_PIDFILE_DIR=$objdir
|
||||
export HEIM_PIDFILE_DIR
|
||||
HEIM_IPC_DIR=$objdir
|
||||
export HEIM_IPC_DIR
|
||||
|
||||
|
||||
rsa=yes
|
||||
pkinit=no
|
||||
|
||||
@@ -29,9 +29,6 @@
|
||||
# Locate kdc plugins for testing
|
||||
plugin_dir = @objdir@/../../kdc/.libs
|
||||
|
||||
# Configure kdc plugins for testing
|
||||
simple_csr_authorizer_directory = @objdir@/simple_csr_authz
|
||||
|
||||
enable-pkinit = true
|
||||
pkinit_identity = PEM-FILE:@objdir@/user-issuer.pem
|
||||
pkinit_anchors = PEM-FILE:@objdir@/pkinit-anchor.pem
|
||||
@@ -86,7 +83,6 @@
|
||||
db-dir = @objdir@
|
||||
|
||||
[bx509]
|
||||
simple_csr_authorizer_directory = @objdir@/simple_csr_authz
|
||||
realms = {
|
||||
TEST.H5L.SE = {
|
||||
# Default (no cert exts requested)
|
||||
@@ -127,7 +123,6 @@
|
||||
[get-tgt]
|
||||
no_addresses = true
|
||||
allow_addresses = true
|
||||
simple_csr_authorizer_directory = @objdir@/simple_csr_authz
|
||||
realms = {
|
||||
TEST.H5L.SE = {
|
||||
# Default (no cert exts requested)
|
||||
|
||||
@@ -28,9 +28,6 @@
|
||||
# Locate kdc plugins for testing
|
||||
plugin_dir = @objdir@/../../kdc/.libs
|
||||
|
||||
# Configure kdc plugins for testing
|
||||
simple_csr_authorizer_directory = @objdir@/simple_csr_authz
|
||||
|
||||
database = {
|
||||
dbname = @objdir@/current-db
|
||||
realm = TEST.H5L.SE
|
||||
@@ -84,7 +81,6 @@
|
||||
virtual_hostbased_princ_svcs = HTTP host
|
||||
|
||||
[ext_keytab]
|
||||
simple_csr_authorizer_directory = @objdir@/simple_csr_authz
|
||||
new_hostbased_service_principal_attributes = {
|
||||
host = {
|
||||
a-particular-hostname.test.h5l.se = ok-as-delegate,no-auth-data-reqd
|
||||
|
||||
@@ -25,7 +25,9 @@
|
||||
|
||||
plugin_dir = @objdir@/../../kdc/.libs
|
||||
|
||||
simple_csr_authorizer_directory = @objdir@/simple_csr_authz
|
||||
ipc_csr_authorizer = {
|
||||
optional = true
|
||||
}
|
||||
|
||||
enable_kx509 = true
|
||||
require_initial_kca_tickets = false
|
||||
|
||||
Reference in New Issue
Block a user