e172367898
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@23814 ec53bebd-3082-4978-b11e-865c3cabbd6b
388 lines
12 KiB
Bash
388 lines
12 KiB
Bash
#!/bin/sh
|
|
#
|
|
# Copyright (c) 2006 - 2008 Kungliga Tekniska Högskolan
|
|
# (Royal Institute of Technology, Stockholm, Sweden).
|
|
# All rights reserved.
|
|
#
|
|
# Redistribution and use in source and binary forms, with or without
|
|
# modification, are permitted provided that the following conditions
|
|
# are met:
|
|
#
|
|
# 1. Redistributions of source code must retain the above copyright
|
|
# notice, this list of conditions and the following disclaimer.
|
|
#
|
|
# 2. Redistributions in binary form must reproduce the above copyright
|
|
# notice, this list of conditions and the following disclaimer in the
|
|
# documentation and/or other materials provided with the distribution.
|
|
#
|
|
# 3. Neither the name of the Institute nor the names of its contributors
|
|
# may be used to endorse or promote products derived from this software
|
|
# without specific prior written permission.
|
|
#
|
|
# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
|
|
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
|
|
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
# SUCH DAMAGE.
|
|
#
|
|
# $Id$
|
|
#
|
|
|
|
srcdir="@srcdir@"
|
|
objdir="@objdir@"
|
|
|
|
# If there is no useful db support compile in, disable test
|
|
../db/have-db || exit 77
|
|
|
|
R=TEST.H5L.SE
|
|
|
|
port=@port@
|
|
|
|
keytabfile=${objdir}/server.keytab
|
|
keytab="FILE:${keytabfile}"
|
|
nokeytab="FILE:no-such-keytab"
|
|
cache="FILE:krb5ccfile"
|
|
|
|
kinit="${TESTS_ENVIRONMENT} ../../kuser/kinit -c $cache --no-afslog"
|
|
klist="${TESTS_ENVIRONMENT} ../../kuser/klist -c $cache"
|
|
kgetcred="${TESTS_ENVIRONMENT} ../../kuser/kgetcred -c $cache"
|
|
kadmin="${TESTS_ENVIRONMENT} ../../kadmin/kadmin -l -r $R"
|
|
kdc="${TESTS_ENVIRONMENT} ../../kdc/kdc --addresses=localhost -P $port"
|
|
ktutil="${TESTS_ENVIRONMENT} ../../admin/ktutil"
|
|
|
|
context="${TESTS_ENVIRONMENT} ../../lib/gssapi/test_context"
|
|
|
|
KRB5_CONFIG="${objdir}/krb5.conf"
|
|
export KRB5_CONFIG
|
|
|
|
KRB5CCNAME=${cache}
|
|
export KRB5CCNAME
|
|
|
|
rm -f ${keytabfile}
|
|
rm -f current-db*
|
|
rm -f out-*
|
|
rm -f mkey.file*
|
|
|
|
> messages.log
|
|
|
|
echo Creating database
|
|
${kadmin} \
|
|
init \
|
|
--realm-max-ticket-life=1day \
|
|
--realm-max-renewable-life=1month \
|
|
${R} || exit 1
|
|
|
|
# add both lucid and lucid.test.h5l.se to simulate aliases
|
|
${kadmin} add -p p1 --use-defaults host/lucid.test.h5l.se@${R} || exit 1
|
|
${kadmin} ext -k ${keytab} host/lucid.test.h5l.se@${R} || exit 1
|
|
${kadmin} add -p p1 --use-defaults host/lucid@${R} || exit 1
|
|
${kadmin} ext -k ${keytab} host/lucid@${R} || exit 1
|
|
|
|
${kadmin} add -p p1 --use-defaults host/ok-delegate.test.h5l.se@${R} || exit 1
|
|
${kadmin} mod --attributes=+ok-as-delegate host/ok-delegate.test.h5l.se@${R} || exit 1
|
|
${kadmin} ext -k ${keytab} host/ok-delegate.test.h5l.se@${R} || exit 1
|
|
|
|
|
|
${kadmin} add -p p1 --use-defaults host/short@${R} || exit 1
|
|
${kadmin} mod --alias=host/long.test.h5l.se@${R} host/short@${R} || exit 1
|
|
# XXX ext should ext aliases too
|
|
${kadmin} ext -k ${keytab} host/short@${R} || exit 1
|
|
${ktutil} -k ${keytab} rename --no-delete host/short@${R} host/long.test.h5l.se@${R} || exit 1
|
|
|
|
${kadmin} add -p kaka --use-defaults digest/${R}@${R} || exit 1
|
|
|
|
${kadmin} add -p u1 --use-defaults user1@${R} || exit 1
|
|
|
|
# Create a server principal with no AES
|
|
${kadmin} add -p p1 --use-defaults host/no-aes.test.h5l.se@${R} || exit 1
|
|
${kadmin} get host/no-aes.test.h5l.se@${R} > tempfile || exit 1
|
|
${kadmin} del_enctype host/no-aes.test.h5l.se@${R} \
|
|
aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 || exit 1
|
|
${kadmin} ext -k ${keytab} host/no-aes.test.h5l.se@${R} || exit 1
|
|
|
|
echo "Doing database check"
|
|
${kadmin} check ${R} || exit 1
|
|
|
|
echo u1 > ${objdir}/foopassword
|
|
|
|
echo Starting kdc
|
|
${kdc} &
|
|
kdcpid=$!
|
|
|
|
sh ${srcdir}/../kdc/wait-kdc.sh
|
|
if [ "$?" != 0 ] ; then
|
|
kill ${kdcpid}
|
|
exit 1
|
|
fi
|
|
|
|
trap "kill ${kdcpid}; echo signal killing kdc; exit 1;" EXIT
|
|
|
|
exitcode=0
|
|
|
|
echo "Getting client initial tickets"
|
|
${kinit} --password-file=${objdir}/foopassword --forwardable user1@${R} || exitcode=1
|
|
|
|
echo "======test unreadable/non existant keytab and its error message"
|
|
${context} --mech-type=krb5 host@lucid.test.h5l.se || \
|
|
{ exitcode=1 ; echo "test failed"; }
|
|
|
|
mv ${keytabfile} ${keytabfile}.no
|
|
|
|
echo "checking non existant keytabfile (krb5)"
|
|
${context} --mech-type=krb5 host@lucid.test.h5l.se > test_context.log 2>&1 && \
|
|
{ exitcode=1 ; echo "test failed"; }
|
|
grep ${keytabfile} test_context.log > /dev/null || \
|
|
{ exitcode=1 ; echo "string missing failed"; }
|
|
echo "checking non existant keytabfile (spengo)"
|
|
${context} --mech-type=spnego host@lucid.test.h5l.se > test_context.log 2>&1 && \
|
|
{ exitcode=1 ; echo "test failed"; }
|
|
grep ${keytabfile} test_context.log > /dev/null || \
|
|
{ exitcode=1 ; echo "string missing failed"; }
|
|
|
|
mv ${keytabfile}.no ${keytabfile}
|
|
|
|
echo "======test naming combinations"
|
|
echo "plain"
|
|
${context} --name-type=hostbased-service host@lucid.test.h5l.se || \
|
|
{ exitcode=1 ; echo "test failed"; }
|
|
echo "plain (krb5)"
|
|
${context} --name-type=krb5-principal-name host/lucid.test.h5l.se@${R} || \
|
|
{ exitcode=1 ; echo "test failed"; }
|
|
echo "plain (krb5 realmless)"
|
|
${context} --name-type=krb5-principal-name host/lucid.test.h5l.se || \
|
|
{ exitcode=1 ; echo "test failed"; }
|
|
echo "dns canon on (long name) OFF, need dns_wrapper"
|
|
#${context} --dns-canon host@lucid.test.h5l.se || \
|
|
# { exitcode=1 ; echo "test failed"; }
|
|
echo "dns canon off (long name)"
|
|
${context} --no-dns-canon host@lucid.test.h5l.se || \
|
|
{ exitcode=1 ; echo "test failed"; }
|
|
echo "dns canon off (short name)"
|
|
${context} --no-dns-canon host@lucid || \
|
|
{ exitcode=1 ; echo "test failed"; }
|
|
echo "dns canon off (short name, krb5)"
|
|
${context} --no-dns-canon --name-type=krb5-principal-name host/lucid@${R} || \
|
|
{ exitcode=1 ; echo "test failed"; }
|
|
echo "dns canon off (short name, krb5)"
|
|
${context} --no-dns-canon --name-type=krb5-principal-name host/lucid || \
|
|
{ exitcode=1 ; echo "test failed"; }
|
|
|
|
echo "======test context building"
|
|
for mech in krb5 spnego ; do
|
|
echo "${mech} no-mutual"
|
|
${context} --mech-type=${mech} \
|
|
--name-type=hostbased-service host@lucid.test.h5l.se || \
|
|
{ exitcode=1 ; echo "test failed"; }
|
|
|
|
echo "${mech} mutual"
|
|
${context} --mech-type=${mech} \
|
|
--mutual \
|
|
--name-type=hostbased-service host@lucid.test.h5l.se || \
|
|
{ exitcode=1 ; echo "test failed"; }
|
|
|
|
echo "${mech} delegate"
|
|
${context} --mech-type=${mech} \
|
|
--delegate \
|
|
--name-type=hostbased-service host@lucid.test.h5l.se || \
|
|
{ exitcode=1 ; echo "test failed"; }
|
|
|
|
echo "${mech} mutual delegate"
|
|
${context} --mech-type=${mech} \
|
|
--mutual --delegate \
|
|
--name-type=hostbased-service host@lucid.test.h5l.se || \
|
|
{ exitcode=1 ; echo "test failed"; }
|
|
done
|
|
|
|
#add spnego !
|
|
echo "======dce-style"
|
|
for mech in krb5 ; do
|
|
|
|
echo "${mech}: dce-style"
|
|
${context} \
|
|
--mech-type=${mech} \
|
|
--mutual \
|
|
--dce-style \
|
|
--name-type=hostbased-service host@lucid.test.h5l.se || \
|
|
{ exitcode=1 ; echo "test failed"; }
|
|
|
|
done
|
|
|
|
echo "test gsskrb5_register_acceptor_identity (both positive and negative)"
|
|
|
|
cp ${keytabfile} ${keytabfile}.new
|
|
for mech in krb5 spnego; do
|
|
echo "${mech}: acceptor_identity positive"
|
|
${context} --gsskrb5-acceptor-identity=${keytabfile}.new \
|
|
--mech-type=$mech host@lucid.test.h5l.se || \
|
|
{ exitcode=1 ; echo "test failed"; }
|
|
|
|
echo "${mech}: acceptor_identity negative"
|
|
${context} --gsskrb5-acceptor-identity=${keytabfile}.foo \
|
|
--mech-type=$mech host@lucid.test.h5l.se 2>/dev/null && \
|
|
{ exitcode=1 ; echo "test failed"; }
|
|
done
|
|
|
|
rm ${keytabfile}.new
|
|
|
|
|
|
#echo "sasl-digest-md5"
|
|
#${context} --mech-type=sasl-digest-md5 \
|
|
# --name-type=hostbased-service \
|
|
# host@lucid.test.h5l.se || \
|
|
# { exitcode=1 ; echo "test failed"; }
|
|
|
|
|
|
echo "====== gss-api session key check"
|
|
|
|
# this will break when oneone invents a cooler enctype then aes256-cts-hmac-sha1-96
|
|
coolenctype="aes256-cts-hmac-sha1-96"
|
|
|
|
echo "Getting client initial tickets"
|
|
${kinit} --password-file=${objdir}/foopassword user1@${R} || \
|
|
{ echo "kinit failed"; exitcode=1; }
|
|
|
|
echo "Building context on cred w/o aes, but still ${coolenctype} session key"
|
|
${context} \
|
|
--mech-type=krb5 \
|
|
--mutual-auth \
|
|
--session-enctype=${coolenctype} \
|
|
--name-type=hostbased-service host@no-aes.test.h5l.se || \
|
|
{ exitcode=1 ; echo "test failed"; }
|
|
|
|
echo "====== ok-as-delegate"
|
|
|
|
echo "Getting client initial tickets"
|
|
${kinit} --forwardable \
|
|
--password-file=${objdir}/foopassword user1@${R} || exitcode=1
|
|
|
|
echo "ok-as-delegate not used"
|
|
${context} \
|
|
--mech-type=krb5 \
|
|
--delegate \
|
|
--name-type=hostbased-service host@lucid.test.h5l.se || \
|
|
{ exitcode=1 ; echo "test failed"; }
|
|
|
|
echo "host without ok-as-delegate with policy-delegate"
|
|
${context} \
|
|
--mech-type=krb5 \
|
|
--policy-delegate \
|
|
--server-no-delegate \
|
|
--name-type=hostbased-service host@lucid.test.h5l.se || \
|
|
{ exitcode=1 ; echo "test failed"; }
|
|
|
|
echo "ok-as-delegate used by policy"
|
|
${context} \
|
|
--mech-type=krb5 \
|
|
--policy-delegate \
|
|
--name-type=hostbased-service host@ok-delegate.test.h5l.se || \
|
|
{ exitcode=1 ; echo "test failed"; }
|
|
|
|
echo "Getting client initial tickets with --ok-as-delgate"
|
|
${kinit} --ok-as-delegate --forwardable \
|
|
--password-file=${objdir}/foopassword user1@${R} || exitcode=1
|
|
|
|
echo "policy delegate to non delegate host"
|
|
${context} \
|
|
--mech-type=krb5 \
|
|
--policy-delegate \
|
|
--server-no-delegate \
|
|
--name-type=hostbased-service host@lucid.test.h5l.se || \
|
|
{ exitcode=1 ; echo "test failed"; }
|
|
|
|
echo "ok-as-delegate"
|
|
${context} \
|
|
--mech-type=krb5 \
|
|
--delegate \
|
|
--name-type=hostbased-service host@lucid.test.h5l.se || \
|
|
{ exitcode=1 ; echo "test failed"; }
|
|
|
|
|
|
echo "======time diffs between client and server"
|
|
|
|
echo "Getting client initial ticket"
|
|
${kinit} --password-file=${objdir}/foopassword user1@${R} || exitcode=1
|
|
|
|
echo "No time offset"
|
|
${context} \
|
|
--mech-type=krb5 \
|
|
--name-type=hostbased-service host@lucid.test.h5l.se || \
|
|
{ exitcode=1 ; echo "test failed"; }
|
|
|
|
echo "Getting client initial ticket"
|
|
${kinit} --password-file=${objdir}/foopassword user1@${R} || exitcode=1
|
|
|
|
echo "Server time offset"
|
|
${context} \
|
|
--mech-type=krb5 \
|
|
--mutual-auth \
|
|
--server-time-offset=3600 \
|
|
--max-loops=3 \
|
|
--name-type=hostbased-service host@lucid.test.h5l.se || \
|
|
{ exitcode=1 ; echo "test failed"; }
|
|
|
|
echo "Server time offset (cached ?)"
|
|
${context} \
|
|
--mech-type=krb5 \
|
|
--mutual-auth \
|
|
--server-time-offset=3600 \
|
|
--max-loops=2 \
|
|
--name-type=hostbased-service host@lucid.test.h5l.se || \
|
|
{ exitcode=1 ; echo "test failed"; }
|
|
|
|
echo "Getting client initial ticket"
|
|
${kinit} --password-file=${objdir}/foopassword user1@${R} || exitcode=1
|
|
# Pre-poplute the cache since tgs-req will fail since our time is wrong
|
|
${kgetcred} host/lucid.test.h5l.se@${R} || exitcode=1
|
|
|
|
echo "Client time offset"
|
|
${context} \
|
|
--mech-type=krb5 \
|
|
--mutual-auth \
|
|
--client-time-offset=3600 \
|
|
--name-type=hostbased-service host@lucid.test.h5l.se || \
|
|
{ exitcode=1 ; echo "test failed"; }
|
|
|
|
echo "Getting client initial tickets (use-referrals)"
|
|
${kinit} \
|
|
--password-file=${objdir}/foopassword \
|
|
--use-referrals user1@${R} || exitcode=1
|
|
|
|
# XXX these tests really need to use somethat that resolve to something
|
|
${context} \
|
|
--mech-type=krb5 \
|
|
host@short || \
|
|
{ exitcode=1 ; echo "test failed"; }
|
|
|
|
${context} \
|
|
--mech-type=krb5 \
|
|
--name-type=krb5-principal-name host/short || \
|
|
{ exitcode=1 ; echo "test failed"; }
|
|
|
|
${context} \
|
|
--mech-type=krb5 \
|
|
host@long.test.h5l.se || \
|
|
{ exitcode=1 ; echo "test failed"; }
|
|
|
|
${context} \
|
|
--mech-type=krb5 \
|
|
--name-type=krb5-principal-name \
|
|
host/long.test.h5l.se || \
|
|
{ exitcode=1 ; echo "test failed"; }
|
|
|
|
trap "" EXIT
|
|
|
|
echo "killing kdc (${kdcpid})"
|
|
kill ${kdcpid} 2> /dev/null
|
|
|
|
[ "$exitcode" = 0 ] && echo "all ok"
|
|
|
|
exit $exitcode
|
|
|
|
|