tests: Use here-doc kadmin in Java test

[heimdal.git] / tests / kdc / check-kadmin.in

#!/bin/sh
#
# Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
# (Royal Institute of Technology, Stockholm, Sweden). 
# All rights reserved. 
#
# Redistribution and use in source and binary forms, with or without 
# modification, are permitted provided that the following conditions 
# are met: 
#
# 1. Redistributions of source code must retain the above copyright 
#    notice, this list of conditions and the following disclaimer. 
#
# 2. Redistributions in binary form must reproduce the above copyright 
#    notice, this list of conditions and the following disclaimer in the 
#    documentation and/or other materials provided with the distribution. 
#
# 3. Neither the name of the Institute nor the names of its contributors 
#    may be used to endorse or promote products derived from this software 
#    without specific prior written permission. 
#
# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
# SUCH DAMAGE. 

top_builddir="@top_builddir@"
env_setup="@env_setup@"
objdir="@objdir@"
srcdir="@srcdir@"

. ${env_setup}

# If there is no useful db support compiled in, disable test
${have_db} || exit 77

R=TEST.H5L.SE
R2=TEST2.H5L.SE

port=@port@
admport=@admport@

cache="FILE:${objdir}/cache.krb5"

kadmin="${kadmin} -r $R"
kdc="${kdc} --addresses=localhost -P $port"
kadmind="${kadmind} -p $admport"

server=host/datan.test.h5l.se

kinit="${kinit} -c $cache ${afs_no_afslog}"
kgetcred="${kgetcred} -c $cache"
kdestroy="${kdestroy} -c $cache ${afs_no_unlog}"

foopassword="fooLongPasswordYo123;"

KRB5_CONFIG="${objdir}/krb5.conf"
export KRB5_CONFIG

rm -f ${keytabfile}
rm -f current-db*
rm -f out-*
rm -f mkey.file*
rm -f messages.log

> messages.log

echo Creating database
${kadmin} -l <<EOF || exit 1
init --realm-max-ticket-life=1day --realm-max-renewable-life=1month ${R}
add -p "$foopassword" --use-defaults foo/admin@${R}
add -p "$foopassword" --use-defaults bar@${R}
add -p "$foopassword" --use-defaults baz@${R}
add -p "$foopassword" --use-defaults bez@${R}
add -p "$foopassword" --use-defaults fez@${R}
add -p "$foopassword" --use-defaults hasalias@${R}
add -p "$foopassword" --use-defaults pkinit@${R}
modify --pkinit-acl="CN=baz,DC=test,DC=h5l,DC=se" pkinit@${R}
add -p "$foopassword" --use-defaults prune@${R}
cpw --keepold --random-key prune@${R}
cpw --keepold --random-key prune@${R}
add -p "$foopassword" --use-defaults pruneall@${R}
cpw --pruneall --random-key pruneall@${R}
cpw --pruneall --random-key pruneall@${R}
EOF

echo "$foopassword" > ${objdir}/foopassword

echo Starting kdc ; > messages.log
${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; }
kdcpid=`getpid kdc`

echo Starting kadmind
${kadmind} --detach --list-chunk-size=1 \
    || { echo "kadmind failed to start"; cat messages.log; exit 1; }
kadmpid=`getpid kadmind`

cleanup() {
    echo signal killing kdc
    kill -9 ${kdcpid} ${kadmpid} 2>/dev/null
    trap '' EXIT INT TERM
    cat messages.log
    exit 1
}
trap cleanup EXIT INT TERM

#----------------------------------
echo "kinit (no admin); test mod --alias authorization"
${kinit} --password-file=${objdir}/foopassword \
    -S kadmin/admin@${R} hasalias@${R} || exit 1

# Check that one non-permitted alias -> failure
env KRB5CCNAME=${cache} \
${kadmin} -p hasalias@${R} modify --alias=goodalias1@${R} --alias=badalias@${R} hasalias@${R} &&
        { echo "kadmin failed $?"; cat messages.log ; exit 1; }

# Check that all permitted aliases -> success
env KRB5CCNAME=${cache} \
${kadmin} -p hasalias@${R} modify --alias=goodalias1@${R} --alias=goodalias2@${R} hasalias@${R} ||
        { echo "kadmin failed $?"; cat messages.log ; exit 1; }

# Check that we can drop aliases
env KRB5CCNAME=${cache} \
${kadmin} -p hasalias@${R} modify --alias=goodalias3@${R} hasalias@${R} ||
        { echo "kadmin failed $?"; cat messages.log ; exit 1; }
${kadmin} -l get hasalias@${R} | grep Aliases: > kadmin.tmp
read junk aliases < kadmin.tmp
rm kadmin.tmp
[ "$aliases" != "goodalias3@${R}" ] && { echo "kadmind failed $?"; cat messages.log ; exit 1; }

env KRB5CCNAME=${cache} \
${kadmin} -p hasalias@${R} modify --alias=goodalias1@${R} --alias=goodalias2@${R} --alias=goodalias3@${R} hasalias@${R} ||
        { echo "kadmin failed $?"; cat messages.log ; exit 1; }
${kadmin} -l get hasalias@${R} | grep Aliases: > kadmin.tmp
read junk aliases < kadmin.tmp
rm kadmin.tmp
[ "$aliases" != "goodalias1@${R} goodalias2@${R} goodalias3@${R}" ] && { echo "FOO failed $?"; cat messages.log ; exit 1; }

#----------------------------------
echo "kinit (no admin)"
${kinit} --password-file=${objdir}/foopassword \
    -S kadmin/admin@${R} bar@${R} || exit 1
echo "kadmin"
env KRB5CCNAME=${cache} \
${kadmin} -p bar@${R} add -p "$foopassword" --use-defaults kaka2@${R} || 
        { echo "kadmin failed $?"; cat messages.log ; exit 1; }

${kadmin} -l get kaka2@${R} > /dev/null ||
        { echo "kadmin failed $?"; cat messages.log ; exit 1; }

#----------------------------------
echo "kinit (no admin)"
${kinit} --password-file=${objdir}/foopassword \
    -S kadmin/admin@${R} baz@${R} || exit 1
echo "kadmin globacl"
env KRB5CCNAME=${cache} \
${kadmin} -p baz@${R} get bar@${R} > /dev/null || 
        { echo "kadmin failed $?"; cat messages.log ; exit 1; }

#----------------------------------
echo "kinit (no admin)"
${kinit} --password-file=${objdir}/foopassword \
    -S kadmin/admin@${R} baz@${R} || exit 1
echo "kadmin globacl, negative"
env KRB5CCNAME=${cache} \
${kadmin} -p baz@${R} passwd -p "$foopassword" bar@${R} > /dev/null 2>/dev/null && 
        { echo "kadmin succesded $?"; cat messages.log ; exit 1; }

#----------------------------------
echo "kinit (no admin)"
${kinit} --password-file=${objdir}/foopassword \
    -S kadmin/admin@${R} baz@${R} || exit 1
echo "kadmin globacl"
env KRB5CCNAME=${cache} \
${kadmin} -p baz@${R} get bar@${R} > /dev/null || 
        { echo "kadmin failed $?"; cat messages.log ; exit 1; }

#----------------------------------
echo "kinit (no admin)"
${kinit} --password-file=${objdir}/foopassword \
    -S kadmin/admin@${R} bez@${R} || exit 1
echo "kadmin globacl, negative"
env KRB5CCNAME=${cache} \
${kadmin} -p bez@${R} passwd -p "$foopassword" bar@${R} > /dev/null 2>/dev/null && 
        { echo "kadmin succesded $?"; cat messages.log ; exit 1; }

#----------------------------------
echo "kinit (no admin)"
${kinit} --password-file=${objdir}/foopassword \
    -S kadmin/admin@${R} fez@${R} || exit 1
echo "kadmin globacl"
env KRB5CCNAME=${cache} \
${kadmin} -p fez@${R} get bar@${R} > /dev/null || 
        { echo "kadmin failed $?"; cat messages.log ; exit 1; }

#----------------------------------
echo "kinit (no admin)"
${kinit} --password-file=${objdir}/foopassword \
    -S kadmin/admin@${R} fez@${R} || exit 1
echo "kadmin globacl, negative"
env KRB5CCNAME=${cache} \
${kadmin} -p fez@${R} passwd -p "$foopassword" bar@${R} > /dev/null 2>/dev/null && 
        { echo "kadmin succesded $?"; cat messages.log ; exit 1; }

#----------------------------------
echo "kinit (admin)"
${kinit} --password-file=${objdir}/foopassword \
    -S kadmin/admin@${R} foo/admin@${R} || exit 1

echo "kadmin"
env KRB5CCNAME=${cache} \
${kadmin} -p foo/admin@${R} add -p "$foopassword" --use-defaults kaka@${R} || 
        { echo "kadmin failed $?"; cat messages.log ; exit 1; }

echo "kadmin"
env KRB5CCNAME=${cache} \
${kadmin} -p foo/admin@${R} add -p abc --use-defaults kaka@${R} &&
        { echo "kadmin succeeded $?"; cat messages.log ; exit 1; }

#----------------------------------
echo "kadmin get doesnotexists"
env KRB5CCNAME=${cache} \
${kadmin} -p foo/admin@${R} get -s doesnotexists@${R} \
        > /dev/null 2>kadmin.tmp && \
        { echo "kadmin passed"; cat messages.log ; exit 1; }

# evil hack to support libtool
sed 's/lt-kadmin:/kadmin:/' < kadmin.tmp > kadmin2.tmp
mv kadmin2.tmp kadmin.tmp

# If client tried IPv6, but service only listened on IPv4
grep -v ': connect' kadmin.tmp > kadmin2.tmp
mv kadmin2.tmp kadmin.tmp

diff kadmin.tmp ${srcdir}/donotexists.txt || \
    { echo "wrong response"; exit 1;}

#----------------------------------
echo "kadmin get pkinit-acl"
env KRB5CCNAME=${cache} \
${kadmin} -p foo/admin@${R} get -o pkinit-acl pkinit@${R} \
        > /dev/null || \
        { echo "kadmin failed $?"; cat messages.log ; exit 1; }

#----------------------------------
echo "kadmin get -o principal"
env KRB5CCNAME=${cache} \
${kadmin} -p foo/admin@${R} get -o principal bar@${R} \
        > kadmin.tmp 2>&1 || \
        { echo "kadmin failed $?"; cat messages.log ; exit 1; }
if test "`cat kadmin.tmp`" != "Principal: bar@TEST.H5L.SE" ; then
   cat kadmin.tmp ; cat messages.log ; exit 1 ;
fi


#----------------------------------
echo "kadmin get -o kvno"
env KRB5CCNAME=${cache} \
${kadmin} -p foo/admin@${R} get -o kvno bar@${R} \
        > kadmin.tmp 2>&1 || \
        { echo "kadmin failed $?"; cat messages.log ; exit 1; }
if test "`cat kadmin.tmp`" != "Kvno: 1" ; then
   cat kadmin.tmp ; cat messages.log ; exit 1 ;
fi


#----------------------------------
echo "kadmin get -o princ_expire_time"
env KRB5CCNAME=${cache} \
${kadmin} -p foo/admin@${R} get -o princ_expire_time bar@${R} \
        > kadmin.tmp 2>&1 || \
        { echo "kadmin failed $?"; cat messages.log ; exit 1; }
if test "`cat kadmin.tmp`" != "Principal expires: never" ; then
   cat kadmin.tmp ; cat messages.log ; exit 1 ;
fi

#----------------------------------
echo "kadmin get -s -o attributes"
env KRB5CCNAME=${cache} \
${kadmin} -p foo/admin@${R} get -s -o attributes bar@${R} \
        > kadmin.tmp || \
        { echo "kadmin failed $?"; cat messages.log ; exit 1; }
if test "`cat kadmin.tmp`" != "Attributes" ; then
   cat kadmin.tmp ; cat messages.log ; exit 1 ;
fi

#----------------------------------
echo "kadmin prune"
env KRB5CCNAME=${cache} \
${kadmin} prune --kvno=2 prune@${R} \
        > kadmin.tmp 2>&1 || \
        { echo "kadmin failed $?"; cat messages.log ; exit 1; }
env KRB5CCNAME=${cache} \
${kadmin} get prune@${R} \
        > kadmin.tmp 2>&1 || \
        { echo "kadmin failed $?"; cat messages.log ; exit 1; }
cat kadmin.tmp | ${EGREP} Keytypes: | cut -d: -f2 | tr ' ' '
' | sed 's/^.*[[]\(.*\)[]].*$/\1/' | grep '[0-9]' | sort -nu | tr -d '
' | ${EGREP} '^13$' > /dev/null || \
        { echo "kadmin prune failed $?"; cat messages.log ; exit 1; }

#----------------------------------
echo "kadmin pruneall"
env KRB5CCNAME=${cache} \
${kadmin} get pruneall@${R} \
        > kadmin.tmp 2>&1 || \
        { echo "kadmin failed $?"; cat messages.log ; exit 1; }
cat kadmin.tmp | ${EGREP} Keytypes: | cut -d: -f2 | tr ' ' '
' | sed 's/^.*[[]\(.*\)[]].*$/\1/' | grep '[0-9]' | sort -nu | tr -d '
' | ${EGREP} '^3$' > /dev/null || \
        { echo "kadmin pruneall failed $?"; cat messages.log ; exit 1; }

env KRB5CCNAME=${cache} \
    ${kadmin} -p foo/admin@${R} list --upto=3 '*' > kadmin.tmp
[ `wc -l < kadmin.tmp` -eq 3 ] ||
        { echo "kadmin list --upto 3 produced `wc -l < kadmin.tmp` results!"; exit 1; }

#----------------------------------
echo "kadmin get '*' (re-entrance)"; > messages.log
${kadmin} -l get '*' > kadmin.tmp ||
    { echo "failed to list principals"; cat messages.log ; exit 1; }
> messages.log
env KRB5CCNAME=${cache} \
    ${kadmin} -p foo/admin@${R} get '*' > kadmin.tmp2 ||
        { echo "failed to list principals"; cat messages.log ; exit 1; }
diff -u kadmin.tmp kadmin.tmp2 ||
    { echo "local and remote get all differ"; exit 1; }

#----------------------------------
# We have 20 principals in the DB.  Test two chunks of 1 (since that's how we
# started kadmind above.
> messages.log
echo "kadmin list all (chunk size 1)"
# Check that list produces the same output locally and remote.
env KRB5CCNAME=${cache} \
    ${kadmin} -p foo/admin@${R} list '*' | sort > kadmin.tmp ||
        { echo "failed to list principals"; cat messages.log ; exit 1; }
${kadmin} -l list '*' | sort > kadmin.tmp2
diff kadmin.tmp kadmin.tmp2 ||
        { echo "failed to list all principals"; cat messages.log ; exit 1; }
# kadmin dump does not use kadm5_iter_principals, so this is a good way to
# double check the above results.  This time we drop the realm part because
# kadmin doesn't show us the realm for principals in the default realm.
${kadmin} -l list '*' | cut -d'@' -f1 | sort > kadmin.tmp
${kadmin} -l dump | cut -d'@' -f1 | sort > kadmin.tmp2
diff kadmin.tmp kadmin.tmp2 ||
        { echo "failed to list all principals (dump)"; cat messages.log ; exit 1; }
${kadmin} -l > kadmin.tmp <<"EOF"
list *
get foo/admin
EOF
grep Attributes kadmin.tmp > /dev/null ||
        { echo "failed to execute command after list"; cat messages.log ; exit 1; }
env KRB5CCNAME=${cache} \
${kadmin} -p foo/admin@${R} > kadmin.tmp <<"EOF"
list *
get foo/admin
EOF
grep Attributes kadmin.tmp > /dev/null ||
        { echo "failed to execute command after list"; cat messages.log ; exit 1; }

#----------------------------------
# We have 20 principals in the DB.  Test two chunks of 10.
sh ${leaks_kill} kadmind $kadmpid || exit 1
${kadmind} --list-chunk-size=10 --detach
kadmpid=`getpid kadmind`

> messages.log
echo "kadmin list all (chunk size 10)"
# Check that list produces the same output locally and remote.
env KRB5CCNAME=${cache} \
    ${kadmin} -p foo/admin@${R} list '*' | sort > kadmin.tmp ||
        { echo "failed to list principals"; cat messages.log ; exit 1; }
${kadmin} -l list '*' | sort > kadmin.tmp2
diff kadmin.tmp kadmin.tmp2 ||
        { echo "failed to list all principals"; cat messages.log ; exit 1; }
# kadmin dump does not use kadm5_iter_principals, so this is a good way to
# double check the above results.  This time we drop the realm part because
# kadmin doesn't show us the realm for principals in the default realm.
${kadmin} -l list '*' | cut -d'@' -f1 | sort > kadmin.tmp
${kadmin} -l dump | cut -d'@' -f1 | sort > kadmin.tmp2
diff kadmin.tmp kadmin.tmp2 ||
        { echo "failed to list all principals (dump)"; cat messages.log ; exit 1; }
env KRB5CCNAME=${cache} \
${kadmin} -p foo/admin@${R} > kadmin.tmp <<"EOF"
list *
get foo/admin
EOF
grep Attributes kadmin.tmp > /dev/null ||
        { echo "failed to execute command after list"; cat messages.log ; exit 1; }

#----------------------------------
# We have 20 principals in the DB.  Test one chunk of 50.
sh ${leaks_kill} kadmind $kadmpid || exit 1
${kadmind} --list-chunk-size=50 --detach
kadmpid=`getpid kadmind`

> messages.log
echo "kadmin list all (chunk size 50)"
# Check that list produces the same output locally and remote.
env KRB5CCNAME=${cache} \
    ${kadmin} -p foo/admin@${R} list '*' | sort > kadmin.tmp ||
        { echo "failed to list principals"; cat messages.log ; exit 1; }
${kadmin} -l list '*' | sort > kadmin.tmp2
diff kadmin.tmp kadmin.tmp2 ||
        { echo "failed to list all principals"; cat messages.log ; exit 1; }
# kadmin dump does not use kadm5_iter_principals, so this is a good way to
# double check the above results.  This time we drop the realm part because
# kadmin doesn't show us the realm for principals in the default realm.
${kadmin} -l list '*' | cut -d'@' -f1 | sort > kadmin.tmp
${kadmin} -l dump | cut -d'@' -f1 | sort > kadmin.tmp2
diff kadmin.tmp kadmin.tmp2 ||
        { echo "failed to list all principals (dump)"; cat messages.log ; exit 1; }
env KRB5CCNAME=${cache} \
${kadmin} -p foo/admin@${R} > kadmin.tmp <<"EOF"
list *
get foo/admin
EOF
grep Attributes kadmin.tmp > /dev/null ||
        { echo "failed to execute command after list"; cat messages.log ; exit 1; }

#----------------------------------
# We have 20 principals in the DB.  Test 3 chunks of up to 7.
sh ${leaks_kill} kadmind $kadmpid || exit 1
${kadmind} --list-chunk-size=7 --detach
kadmpid=`getpid kadmind`

> messages.log
echo "kadmin list all (chunk size 7)"
# Check that list produces the same output locally and remote.
env KRB5CCNAME=${cache} \
    ${kadmin} -p foo/admin@${R} list '*' | sort > kadmin.tmp ||
        { echo "failed to list principals"; cat messages.log ; exit 1; }
${kadmin} -l list '*' | sort > kadmin.tmp2
diff kadmin.tmp kadmin.tmp2 ||
        { echo "failed to list all principals"; cat messages.log ; exit 1; }
# kadmin dump does not use kadm5_iter_principals, so this is a good way to
# double check the above results.  This time we drop the realm part because
# kadmin doesn't show us the realm for principals in the default realm.
${kadmin} -l list '*' | cut -d'@' -f1 | sort > kadmin.tmp
${kadmin} -l dump | cut -d'@' -f1 | sort > kadmin.tmp2
diff kadmin.tmp kadmin.tmp2 ||
        { echo "failed to list all principals (dump)"; cat messages.log ; exit 1; }

#----------------------------------

echo "killing kdc (${kdcpid} ${kadmpid})"
sh ${leaks_kill} kdc $kdcpid || exit 1
sh ${leaks_kill} kadmind $kadmpid || exit 1

trap "" EXIT

exit $ec