oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity
Files
ae7d6746d1c947ecdbd17dd5fd185bed8d625b9a
heimdal/tests/gss/check-basic.in
Nicolas Williams ae7d6746d1 gsstool: Add GSS-based kinit-like acquire_cred cmd 
This has most of the features needed to act as a kinit that uses GSS
APIs, specifically gss_acquire_cred_from() and gss_store_cred_into2().

It's missing some functionality, such as being able to drive prompts
from AS responses (if we add minor status codes for representing KDC
pre-auth proposals, then we do drive prompts, but we would have to
encode a lot of mechanism-specific knowledge into gsstool).

The point of this commit is to explore:

 - GSS functionality for kinit-like actions

 - credential store key/value pairs supported by the mechanisms

 - document the credential store key/value pairs (in gsstool.1)

that might lead to further enhancements.  But gsstool acquire-cred
is quite functional at this point!
2026-01-18 19:06:16 -06:00

233 lines
6.3 KiB
Bash
Raw Blame History

#!/bin/bash
#
# Copyright (c) 2007 Kungliga Tekniska Högskolan
# (Royal Institute of Technology, Stockholm, Sweden).
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
#
# 3. Neither the name of the Institute nor the names of its contributors
# may be used to endorse or promote products derived from this software
# without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# $Id$
#
top_srcdir="@top_srcdir@"
env_setup="@env_setup@"
srcdir="@srcdir@"
objdir="@objdir@"
. ${env_setup}
. ${top_srcdir}/tests/bin/test-lib.sh
# If there is no useful db support compiled in, disable test
../db/have-db || exit 77
R=TEST.H5L.SE
port=@port@
keytabfile=${objdir}/server.keytab
keytab="FILE:${keytabfile}"
nokeytab="FILE:no-such-keytab"
cache="FILE:krb5ccfile"
cache2="FILE:krb5ccfile2"
nocache="FILE:no-such-cache"
kadmin="${kadmin} -l -A -r $R"
kdc="${kdc} --addresses=localhost -P $port"
acquire_cred="${TESTS_ENVIRONMENT} ../../lib/gssapi/test_acquire_cred"
acquire_cred2="${TESTS_ENVIRONMENT} $gsstool acquire-cred"
test_kcred="${TESTS_ENVIRONMENT} ../../lib/gssapi/test_kcred"
test_add_store_cred="${TESTS_ENVIRONMENT} ../../lib/gssapi/test_add_store_cred"
KRB5_CONFIG="${objdir}/krb5.conf"
export KRB5_CONFIG
KRB5_KTNAME="${keytab}"
export KRB5_KTNAME
KRB5CCNAME="${cache}"
export KRB5CCNAME
rm -f ${keytabfile}
rm -f current-db*
rm -f out-*
rm -f mkey.file*
test_init
test_section "Creating database"
test_run ${kadmin} <<EOF
init --realm-max-ticket-life=1day --realm-max-renewable-life=1month ${R}
add -p upw --use-defaults user@${R}
add -p upw --use-defaults another@${R}
add -p p1 --use-defaults host/host.test.h5l.se@${R}
ext -k ${keytab} host/host.test.h5l.se@${R}
check ${R}
EOF
test_section "Starting kdc"
test_run ${kdc} --detach --testing
kdcpid=`getpid kdc`
cleanup() {
echo signal killing kdc
kill -9 ${kdcpid}
trap '' EXIT INT TERM
cat messages.log
exit 1
}
trap cleanup EXIT INT TERM
echo "upw" > ${objdir}/foopassword
test_section "initial ticket"
test_run ${kinit} -c ${cache} --password-file=${objdir}/foopassword user@${R}
test_section "copy ccache with gss_store_cred"
# Note we test that the ccache used for storing is token-expanded
test_run ${test_add_store_cred} --default --overwrite --env ${cache} "${cache2}%{null}"
test_run ${klist} -c ${cache2}
test_section "keytab"
test_run ${acquire_cred} \
--acquire-type=accept \
--acquire-name=host@host.test.h5l.se
test_section "keytab w/ short-form name and name canon rules"
test_run ${acquire_cred} \
--acquire-type=accept \
--acquire-name=host@host
test_section "keytab w/o name"
test_run ${acquire_cred} \
--acquire-type=accept
test_section "keytab w/ wrong name (expected failure)"
# This should fail - wrong name
test_run not ${acquire_cred} \
--acquire-type=accept --kerberos \
--acquire-name=host@host2.test.h5l.se
test_section "init using keytab"
test_run ${acquire_cred} \
--kerberos \
--acquire-type=initiate \
--acquire-name=host@host.test.h5l.se
test_section "init using keytab (loop 10)"
test_run ${acquire_cred} \
--kerberos \
--acquire-type=initiate \
--loops=10 \
--acquire-name=host@host.test.h5l.se
test_section "init using keytab (loop 10, target)"
test_run ${acquire_cred} \
--kerberos \
--acquire-type=initiate \
--loops=10 \
--target=host@host.test.h5l.se \
--acquire-name=host@host.test.h5l.se
test_section "init using keytab (loop 10, kerberos)"
test_run ${acquire_cred} \
--acquire-type=initiate \
--loops=10 \
--kerberos \
--acquire-name=host@host.test.h5l.se
test_section "init using keytab (loop 10, target, kerberos)"
test_run ${acquire_cred} \
--acquire-type=initiate \
--loops=10 \
--kerberos \
--target=host@host.test.h5l.se \
--acquire-name=host@host.test.h5l.se
test_section "init using existing cc"
test_run ${acquire_cred} \
--kerberos \
--name-type=user-name \
--acquire-type=initiate \
--acquire-name=user
KRB5CCNAME=${nocache}
test_section "fail init using existing cc (expected failure)"
# This should fail - no such cache
test_run not ${acquire_cred} \
--kerberos \
--name-type=user-name \
--acquire-type=initiate \
--acquire-name=user
test_section "use gss_krb5_ccache_name for user"
test_run ${acquire_cred} \
--kerberos \
--name-type=user-name \
--ccache=${cache} \
--acquire-type=initiate \
--acquire-name=user
KRB5CCNAME=${cache}
KRB5_KTNAME=${nokeytab}
test_section "kcred"
test_run ${test_kcred}
${kdestroy} -c ${cache} 2>/dev/null || true
KRB5_KTNAME="${keytab}"
test_section "init using keytab (after kdestroy)"
test_run ${acquire_cred} \
--kerberos \
--acquire-type=initiate \
--acquire-name=host@host.test.h5l.se
test_section "init using keytab (ccache)"
test_run ${acquire_cred} \
--kerberos \
--acquire-type=initiate \
--ccache=${cache} \
--acquire-name=host@host.test.h5l.se
echo "test gsstool acquire-cred"
${acquire_cred2} \
--mech=krb5 \
--name=user \
--from=password=upw \
--into=unique_ccache_type=MEMORY || exit 1
trap "" EXIT
echo "killing kdc (${kdcpid})"
kill ${kdcpid} 2> /dev/null
test_finish
exit $?
Reference in New Issue View Git Blame Copy Permalink