oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity
Files
e99cae2284da547a74ffbbd64b40efbfb03db665
heimdal/tests/kdc/check-kdc.in
Love Hörnquist Åstrand 2a2b91e51b Check for cross realm case where remove user doesn't exists in the 
database, this is ok assuming the cross realm isn't local. In the
general case this isn't true.


git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@17807 ec53bebd-3082-4978-b11e-865c3cabbd6b
2006-07-06 15:50:31 +00:00

265 lines
8.8 KiB
Bash
Raw Blame History

#!/bin/sh
#
# Copyright (c) 2006 Kungliga Tekniska Högskolan
# (Royal Institute of Technology, Stockholm, Sweden).
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
#
# 3. Neither the name of the Institute nor the names of its contributors
# may be used to endorse or promote products derived from this software
# without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# $Id$
#
srcdir="@srcdir@"
objdir="@objdir@"
R=EXAMPLE.ORG
R2=EXAMPLE.COM
port=8888
kadmin="../../kadmin/kadmin -l -r $R"
kdc="../../kdc/kdc --addresses=localhost -P $port"
server=host/datan.example.org
server2=host/computer.example.com
cache="FILE:${objdir}/cache.krb5"
ocache="FILE:${objdir}/ocache.krb5"
o2cache="FILE:${objdir}/o2cache.krb5"
keytabfile=${objdir}/server.keytab
keytab="FILE:${keytabfile}"
ps="proxy-service@${R}"
kinit="../../kuser/kinit -c $cache --no-afslog"
klist="../../kuser/klist -c $cache"
kgetcred="../../kuser/kgetcred -c $cache"
kgetcred_imp="../../kuser/kgetcred -c $cache --out-cache=${ocache}"
kdestroy="../../kuser/kdestroy -c $cache"
ktutil="../../admin/ktutil"
hxtool="../../lib/hx509/hxtool"
KRB5_CONFIG="${objdir}/krb5.conf"
export KRB5_CONFIG
rm -f ${keytabfile}
rm -f current-db*
rm -f out-*
rm -f mkey.file*
echo Creating database
${kadmin} \
init \
--realm-max-ticket-life=1day \
--realm-max-renewable-life=1month \
${R} || exit 1
${kadmin} \
init \
--realm-max-ticket-life=1day \
--realm-max-renewable-life=1month \
${R2} || exit 1
${kadmin} add -p foo --use-defaults foo@${R} || exit 1
${kadmin} add -p bar --use-defaults bar@${R} || exit 1
${kadmin} add -p foo --use-defaults remove@${R} || exit 1
${kadmin} add -p kaka --use-defaults ${server}@${R} || exit 1
${kadmin} add -p foo --use-defaults ${ps} || exit 1
${kadmin} modify --attributes=+trusted-for-delegation ${ps} || exit 1
${kadmin} modify --constrained-delegation=${server} ${ps} || exit 1
${kadmin} ext -k ${keytab} ${server}@${R} || exit 1
${kadmin} ext -k ${keytab} ${ps} || exit 1
${kadmin} add -p kaka --use-defaults ${server2}@${R2} || exit 1
${kadmin} ext -k ${keytab} ${server2}@${R2} || exit 1
${kadmin} add -p foo --use-defaults remove2@${R2} || exit 1
${kadmin} add -p cross1 --use-defaults krbtgt/${R2}@${R} || exit 1
${kadmin} add -p cross2 --use-defaults krbtgt/${R}@${R2} || exit 1
echo "Doing database check"
${kadmin} check ${R} || exit 1
${kadmin} check ${R2} || exit 1
echo "Extracting enctypes"
${ktutil} -k ${keytab} list > tempfile || exit 1
grep -ve '^FILE:' tempfile | grep -ve '^Vno' | \
awk '/1/ !~ $1 { exit 1 }' || exit 1
${kadmin} get foo@${R} > tempfile || exit 1
enctypes=`grep Keytypes: tempfile | sed 's/(pw-salt)//g' | sed 's/,//g' | sed 's/Keytypes://'`
enctype_sans_aes=`echo $enctypes | sed 's/aes[^ ]*//g'`
echo foo > ${objdir}/foopassword
echo Starting kdc
${kdc} &
kdcpid=$!
sleep 2
if tail -1 messages.log | grep "No sockets" ; then
echo "The KDC failed to bind to any sockets, another KDC running ?"
exit 1
fi
exitcode=0
echo "Getting client initial tickets"
${kinit} --password-file=${objdir}/foopassword foo@$R || exitcode=1
echo "Getting tickets"
${kgetcred} ${server}@${R} || exitcode=1
echo "Listing tickets"
${klist} > /dev/null || exitcode=1
./ap-req ${server}@${R} ${keytab} ${cache} || exitcode=1
${kdestroy}
for a in $enctypes; do
echo "Getting client initial tickets ($a)"
${kinit} --enctype=$a --password-file=${objdir}/foopassword foo@$R || exitcode=1
echo "Getting tickets"
${kgetcred} ${server}@${R} || exitcode=1
./ap-req ${server}@${R} ${keytab} ${cache} || exitcode=1
${kdestroy}
done
echo "Getting client initial tickets"
${kinit} --password-file=${objdir}/foopassword foo@$R || exitcode=1
for a in $enctypes; do
echo "Getting tickets ($a)"
${kgetcred} -e $a ${server}@${R} || exitcode=1
./ap-req ${server}@${R} ${keytab} ${cache} || exitcode=1
${kdestroy} --credential=${server}@${R}
done
${kdestroy}
echo "Getting client initial tickets for cross realm case"
${kinit} --password-file=${objdir}/foopassword foo@$R || exitcode=1
for a in $enctypes; do
echo "Getting cross realm tickets ($a)"
${kgetcred} -e $a ${server2}@${R2} || exitcode=1
./ap-req ${server2}@${R2} ${keytab} ${cache} || exitcode=1
${kdestroy} --credential=${server2}@${R2}
done
${kdestroy}
echo "try all permutations"
for a in $enctypes; do
echo "Getting client initial tickets ($a)"
${kinit} --enctype=$a --password-file=${objdir}/foopassword foo@$R || exitcode=1
for b in $enctypes; do
echo "Getting tickets ($a -> $b)"
${kgetcred} -e $b ${server}@${R} || exitcode=1
./ap-req ${server}@${R} ${keytab} ${cache} || exitcode=1
${kdestroy} --credential=${server}@${R}
done
${kdestroy}
done
echo "Getting server initial tickets"
${kinit} --keytab=${keytab} ${server}@$R || exitcode=1
echo "Listing tickets"
${klist} | grep "Principal: ${server}" > /dev/null || exitcode=1
${kdestroy}
echo "initial tickets for deleted user test case"
${kinit} --password-file=${objdir}/foopassword remove@$R || exitcode=1
${kadmin} delete remove@${R} || exit 1
echo "try getting ticket with deleted user"
${kgetcred} ${server}@${R} 2> /dev/null && exitcode=1
${kdestroy}
echo "cross realm case (removed user)"
${kinit} --password-file=${objdir}/foopassword remove2@$R2 || exitcode=1
${kgetcred} krbtgt/${R}@${R2} 2> /dev/null || exitcode=1
${kadmin} delete remove2@${R2} || exit 1
${kgetcred} ${server}@${R} 2> /dev/null || exitcode=1
${kdestroy}
#echo deleting all but aes enctypes on krbtgt
#${kadmin} del_enctype krbtgt/${R}@${R} ${enctype_sans_aes} || exit 1
#
#echo "try all permutations (only aes)"
#for a in $enctypes; do
# echo "Getting client initial tickets ($a)"
# ${kinit} --enctype=$a --password-file=${objdir}/foopassword foo@${R} || exitcode=1
# for b in $enctypes; do
# echo "Getting tickets ($a -> $b)"
# ${kgetcred} -e $b ${server}@${R} || exitcode=1
# ./ap-req ${server}@${R} ${keytab} ${cache} || exitcode=1
# ${kdestroy} --credential=${server}@${R}
# done
# ${kdestroy}
#done
rsa=yes
pkinit=no
if ${hxtool} info | grep 'rsa: hx509 null RSA' > /dev/null ; then
rsa=no
fi
if ${kinit} --help 2>&1 | grep "CA certificates" > /dev/null; then
pkinit=yes
fi
# If we support pkinit and have RSA, lets try that
if test "$pkinit" = yes -a "$rsa" = yes ; then
echo "Trying pk-init (principal in certificate)"
base="${srcdir}/../../lib/hx509/data"
${kinit} -C FILE:${base}/pkinit.crt,${base}/pkinit.key bar@${R} || exitcode=1
${kgetcred} ${server}@${R} || exitcode=1
${kdestroy}
echo "Trying pk-init (principal in pki-mapping)"
${kinit} -C FILE:${base}/pkinit.crt,${base}/pkinit.key foo@${R} || exitcode=1
${kgetcred} ${server}@${R} || exitcode=1
${kdestroy}
echo "Trying pk-init (password protected key)"
${kinit} -C FILE:${base}/pkinit.crt,${base}/pkinit-pw.key --password-file=${objdir}/foopassword foo@${R} || exitcode=1
${kgetcred} ${server}@${R} || exitcode=1
${kdestroy}
else
echo "no pkinit (pkinit: $pkinit, rsa: $rsa)"
fi
echo "tickets for impersonate test case"
${kinit} --forwardable --password-file=${objdir}/foopassword ${ps} || exitcode=1
${kgetcred_imp} --impersonate=bar@${R} ${ps} || exitcode=1
./ap-req ${ps} ${keytab} ${ocache} || exitcode=1
${kgetcred_imp} --impersonate=bar@${R} foo@${R} 2>/dev/null && exitcode=1
echo test constrained delegation
${kgetcred_imp} --forward --impersonate=bar@${R} ${ps} || exitcode=1
${kgetcred} --out-cache=${o2cache} --delegation-credential-cache=${ocache} ${server}@${R} || exitcode=1
./ap-req ${server}@${R} ${keytab} ${o2cache} || exitcode=1
${kgetcred} --out-cache=${o2cache} --delegation-credential-cache=${ocache} bar@${R} 2>/dev/null && exitcode=1
${kdestroy}
echo "killing kdc (${kdcpid})"
kill $kdcpid || exit 1
exit $exitcode
Reference in New Issue View Git Blame Copy Permalink