293 lines
10 KiB
Bash
293 lines
10 KiB
Bash
#!/bin/sh
|
|
#
|
|
# Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
|
|
# (Royal Institute of Technology, Stockholm, Sweden).
|
|
# All rights reserved.
|
|
#
|
|
# Redistribution and use in source and binary forms, with or without
|
|
# modification, are permitted provided that the following conditions
|
|
# are met:
|
|
#
|
|
# 1. Redistributions of source code must retain the above copyright
|
|
# notice, this list of conditions and the following disclaimer.
|
|
#
|
|
# 2. Redistributions in binary form must reproduce the above copyright
|
|
# notice, this list of conditions and the following disclaimer in the
|
|
# documentation and/or other materials provided with the distribution.
|
|
#
|
|
# 3. Neither the name of the Institute nor the names of its contributors
|
|
# may be used to endorse or promote products derived from this software
|
|
# without specific prior written permission.
|
|
#
|
|
# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
|
|
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
|
|
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
# SUCH DAMAGE.
|
|
|
|
top_builddir="@top_builddir@"
|
|
env_setup="@env_setup@"
|
|
objdir="@objdir@"
|
|
|
|
. ${env_setup}
|
|
|
|
testfailed="echo test failed; cat messages.log; exit 1"
|
|
|
|
# If there is no useful db support compiled in, disable test
|
|
${have_db} || exit 77
|
|
|
|
d=test.h5l.se
|
|
d2=xtst.heim.example
|
|
R=TEST.H5L.SE
|
|
R2=XTST.HEIM.EXAMPLE
|
|
|
|
# $service1 will be a hard alias of $service2
|
|
service1=ldap/host.${d}:389
|
|
service2=ldap/host.${d2}:389
|
|
# $service3 and $service4 will have soft aliases referrals from each
|
|
# other's realms
|
|
service3=host/foohost.${d}
|
|
service4=host/barhost.${d2}
|
|
# $service5 and $service6 will be hardaliases
|
|
service5=host/thing1.${d}
|
|
service6=host/thing1.${d2}
|
|
# $service7 and $service8 will be hardaliases in the opposite direction
|
|
service7=host/thing2.${d}
|
|
service8=host/thing2.${d2}
|
|
|
|
port=@port@
|
|
|
|
kadmin="${kadmin} -l -r $R"
|
|
kdc="${kdc} --addresses=localhost -P $port"
|
|
|
|
cache="FILE:${objdir}/cache.krb5"
|
|
|
|
kinit="${kinit} -c $cache ${afs_no_afslog}"
|
|
klist="${klist} -c $cache"
|
|
kgetcred="${kgetcred} -c $cache"
|
|
kdestroy="${kdestroy} -c $cache ${afs_no_unlog}"
|
|
keytabfile=${objdir}/server.keytab
|
|
keytab="FILE:${keytabfile}"
|
|
|
|
KRB5_CONFIG="${objdir}/krb5.conf"
|
|
export KRB5_CONFIG
|
|
|
|
KRB5CCNAME=$cache
|
|
export KRB5CCNAME
|
|
|
|
rm -f ${keytabfile}
|
|
rm -f current-db*
|
|
rm -f out-*
|
|
rm -f mkey.file*
|
|
|
|
> messages.log
|
|
|
|
echo Creating database
|
|
# User 'foo' gets two aliases in the same realm, and one in the other
|
|
# service1 is an alias of service2, in different realms
|
|
# service3 and service4 get soft aliases in each other's realms
|
|
# service6 is a hard alias of service5
|
|
# service8 is a hard alias of service7, but in the opposite direction
|
|
${kadmin} <<EOF || exit 1
|
|
init --realm-max-ticket-life=1day --realm-max-renewable-life=1month ${R}
|
|
init --realm-max-ticket-life=1day --realm-max-renewable-life=1month ${R2}
|
|
add -r --use-defaults WELLKNOWN/REFERRALS/TARGET@${R}
|
|
add -r --use-defaults WELLKNOWN/REFERRALS/TARGET@${R2}
|
|
add -p foo --use-defaults foo@${R}
|
|
add_alias foo@${R} foo@${R2} alias1 alias2
|
|
add -p foo --use-defaults ${service2}@${R2}
|
|
add_alias ${service2}@${R2} ${service1}@${R}
|
|
add -p foo --use-defaults ${service3}@${R}
|
|
add -p foo --use-defaults ${service4}@${R2}
|
|
add_alias WELLKNOWN/REFERRALS/TARGET@${R2} ${service4}@${R}
|
|
add_alias WELLKNOWN/REFERRALS/TARGET@${R} ${service3}@${R2}
|
|
add -p foo --use-defaults ${service5}@${R}
|
|
add_alias ${service5}@${R} ${service6}@${R2}
|
|
add -p foo --use-defaults ${service7}@${R2}
|
|
add_alias ${service5}@${R} ${service8}@${R}
|
|
add -p foo --use-defaults bar@${R}
|
|
add -p cross1 --use-defaults krbtgt/${R2}@${R}
|
|
add -p cross2 --use-defaults krbtgt/${R}@${R2}
|
|
ext -k ${keytab} krbtgt/${R}@${R}
|
|
check ${R}
|
|
check ${R2}
|
|
EOF
|
|
|
|
${kadmin} add -p foo --use-defaults baz\\@realm.foo@${R} || exit 1
|
|
|
|
${kadmin} get foo@${R} | grep alias1@${R} >/dev/null || exit 1
|
|
${kadmin} get foo@${R} | grep alias2@${R} >/dev/null || exit 1
|
|
${kadmin} get foo@${R} | grep foo@${R2} >/dev/null || exit 1
|
|
${kadmin} get ${service2}@${R2} | grep ${service1}@${R} >/dev/null || exit 1
|
|
|
|
echo foo > ${objdir}/foopassword
|
|
|
|
echo Starting kdc ; > messages.log
|
|
${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; }
|
|
kdcpid=`getpid kdc`
|
|
|
|
cleanup() {
|
|
echo signal killing kdc
|
|
kill -9 ${kdcpid}
|
|
trap '' EXIT INT TERM
|
|
cat messages.log
|
|
exit 1
|
|
}
|
|
trap cleanup EXIT INT TERM
|
|
|
|
ec=0
|
|
|
|
|
|
echo "Getting client bar"; > messages.log
|
|
${kinit} --password-file=${objdir}/foopassword bar@${R} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
echo "checking that we got back right principal"
|
|
${klist} | grep "Principal: bar@${R}" > /dev/null || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${kdestroy}
|
|
|
|
echo "Getting client baz"; > messages.log
|
|
${kinit} --password-file=${objdir}/foopassword 'baz\@realm.foo@'${R} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
echo "checking that we got back right principal"
|
|
${klist} | grep 'Principal: baz' > /dev/null || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${kdestroy}
|
|
|
|
|
|
|
|
echo "Test AS-REQ"
|
|
|
|
echo "Getting client (no canon)"; > messages.log
|
|
${kinit} --password-file=${objdir}/foopassword foo@${R} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
echo "checking that we got back right principal"
|
|
${klist} | grep "Principal: foo@${R}" > /dev/null || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${kdestroy}
|
|
|
|
echo "Getting client client tickets (default realm, enterprisename)"; > messages.log
|
|
${kinit} --canonicalize --enterprise \
|
|
--password-file=${objdir}/foopassword foo@${R} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
echo "checking that we got back right principal"
|
|
${klist} | grep "Principal: foo@${R}" > /dev/null || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
echo "checking that we got back right principal inside the PAC"
|
|
${test_ap_req} krbtgt/${R}@${R} ${keytab} ${cache} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${kdestroy}
|
|
|
|
echo "Getting client alias1 tickets"; > messages.log
|
|
${kinit} --canonicalize --enterprise \
|
|
--password-file=${objdir}/foopassword foo@${R} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
echo "checking that we got back right principal"
|
|
${klist} | grep "Principal: foo@${R}" > /dev/null || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
echo "checking that we got back right principal inside the PAC"
|
|
${test_ap_req} krbtgt/${R}@${R} ${keytab} ${cache} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${kdestroy}
|
|
|
|
|
|
echo "Getting client alias2 tickets"; > messages.log
|
|
${kinit} --canonicalize --enterprise \
|
|
--password-file=${objdir}/foopassword alias2@${R}@${R} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
echo "checking that we got back right principal"
|
|
${klist} | grep "Principal: foo@${R}" > /dev/null || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
echo "checking that we got back right principal inside the PAC"
|
|
${test_ap_req} krbtgt/${R}@${R} ${keytab} ${cache} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${kdestroy}
|
|
|
|
echo "Getting client alias1 tickets (non canon case)"; > messages.log
|
|
${kinit} --password-file=${objdir}/foopassword alias1@${R} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
echo "checking that we got back right principal"
|
|
${klist} | grep "Principal: alias1@${R}" > /dev/null || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
echo "checking that we got back right principal inside the PAC"
|
|
${test_ap_req} krbtgt/${R}@${R} ${keytab} ${cache} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${kgetcred} ${service2}@${R2} || { ec=1 ; eval "${testfailed}"; }
|
|
${kgetcred} ${service1}@${R} || { ec=1 ; eval "${testfailed}"; }
|
|
${kdestroy}
|
|
|
|
echo "Getting client foo@${R2} tickets (non canon case)"; > messages.log
|
|
${kinit} --password-file=${objdir}/foopassword foo@${R2} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
echo "checking that we got back right principal"
|
|
${klist} | grep "Principal: foo@${R2}" > /dev/null || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
echo "checking that we got back right principal inside the PAC"
|
|
${test_ap_req} krbtgt/${R}@${R} ${keytab} ${cache} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
echo "Getting various service tickets using foo@${R2} client"
|
|
${kgetcred} ${service2}@${R2} || { ec=1 ; eval "${testfailed}"; }
|
|
${kgetcred} ${service1}@${R} || { ec=1 ; eval "${testfailed}"; }
|
|
${kgetcred} ${service1}@${R2} || { ec=1 ; eval "${testfailed}"; }
|
|
${kgetcred} ${service2}@${R} || { ec=1 ; eval "${testfailed}"; }
|
|
${kgetcred} ${service3}@ || { ec=1 ; eval "${testfailed}"; }
|
|
${kgetcred} ${service4}@ || { ec=1 ; eval "${testfailed}"; }
|
|
${kgetcred} ${service5}@ || { ec=1 ; eval "${testfailed}"; }
|
|
${kgetcred} ${service6}@ || { ec=1 ; eval "${testfailed}"; }
|
|
${kgetcred} ${service7}@ || { ec=1 ; eval "${testfailed}"; }
|
|
${kgetcred} ${service8}@${R} || { ec=1 ; eval "${testfailed}"; }
|
|
${kdestroy}
|
|
|
|
echo "Getting client alias2 tickets (removed)"; > messages.log
|
|
${kadmin} modify --alias=alias1 foo@${R} || { ec=1 ; eval "${testfailed}"; }
|
|
${kinit} --canonicalize --enterprise \
|
|
--password-file=${objdir}/foopassword \
|
|
alias2@${R}@${R} > /dev/null 2>/dev/null && \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
|
|
echo "Remove alias"
|
|
${kadmin} modify --alias= foo@${R} || { ec=1 ; eval "${testfailed}"; }
|
|
|
|
echo "Test server referrals"
|
|
|
|
echo "Getting client for ${service2}@${R} (tgs kdc referral)"
|
|
> messages.log
|
|
${kinit} --password-file=${objdir}/foopassword foo@${R} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${kgetcred} --canonicalize ${service2}@${R} || { ec=1 ; eval "${testfailed}"; }
|
|
${kgetcred} ${service3}@${R} || { ec=1 ; eval "${testfailed}"; }
|
|
${kgetcred} ${service4}@ || { ec=1 ; eval "${testfailed}"; }
|
|
echo "checking that we got back right principal"
|
|
${klist} | grep "${service2}@${R2}" > /dev/null || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${klist} | grep "${service4}@${R}" > /dev/null && \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${klist} | grep "${service4}@${R2}" > /dev/null || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${kdestroy}
|
|
|
|
echo "Getting client for ${service2}@${R2} (tgs client side guessing)"
|
|
> messages.log
|
|
${kinit} --password-file=${objdir}/foopassword foo@${R} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${kgetcred} ${service2}@${R2} ||
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
echo "checking that we got back right principal"
|
|
${klist} | grep "${service2}@${R2}" > /dev/null || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${kdestroy}
|
|
|
|
|
|
echo "killing kdc (${kdcpid})"
|
|
sh ${leaks_kill} kdc $kdcpid || exit 1
|
|
|
|
trap "" EXIT
|
|
|
|
exit $ec
|