3 # Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
4 # (Royal Institute of Technology, Stockholm, Sweden).
7 # Redistribution and use in source and binary forms, with or without
8 # modification, are permitted provided that the following conditions
11 # 1. Redistributions of source code must retain the above copyright
12 # notice, this list of conditions and the following disclaimer.
14 # 2. Redistributions in binary form must reproduce the above copyright
15 # notice, this list of conditions and the following disclaimer in the
16 # documentation and/or other materials provided with the distribution.
18 # 3. Neither the name of the Institute nor the names of its contributors
19 # may be used to endorse or promote products derived from this software
20 # without specific prior written permission.
22 # THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
23 # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 # ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
26 # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# Configure-time substitutions (this file is a .in template): the build
# tree root and the environment set-up script. R, port, admport, objdir,
# srcdir and the tool paths used below are expected to come from that
# set-up — it is not visible in this excerpt, so confirm against the file.
top_builddir="@top_builddir@"
env_setup="@env_setup@"
41 # If there is no useful db support compiled in, disable test
# Credential cache every client-side command in this test works against.
cache="FILE:${objdir}/cache.krb5"

# Wrap the tool commands with the realm/port options used throughout.
# These variables hold a command plus options and are expanded unquoted
# on purpose everywhere below so that they word-split.
kadmin="${kadmin} -r $R"
kdc="${kdc} --addresses=localhost -P $port"
kadmind="${kadmind} -p $admport"

server=host/datan.test.h5l.se

# All client tools are pinned to the test credential cache above.
kinit="${kinit} -c $cache ${afs_no_afslog}"
kgetcred="${kgetcred} -c $cache"
kdestroy="${kdestroy} -c $cache ${afs_no_unlog}"

# Fixed fixture password shared by every principal created in this test
# (test-only value; it is also written to a password file further down).
foopassword="fooLongPasswordYo123;"

KRB5_CONFIG="${objdir}/krb5.conf"
# Create the test KDC database and the principals the rest of the test
# relies on. -l (local) mode writes to the database directly, so neither
# kadmind nor credentials are needed at this point. Every principal shares
# the fixture password; pkinit@ additionally gets a PKINIT ACL so the
# "get -o pkinit-acl" check later has something to read. prune@ is given
# two extra keys with --keepold and pruneall@ two extra keys with
# --pruneall, which is what the prune checks further down depend on.
echo "Creating database"
${kadmin} -l <<EOF || exit 1
init --realm-max-ticket-life=1day --realm-max-renewable-life=1month ${R}
add -p "$foopassword" --use-defaults foo/admin@${R}
add -p "$foopassword" --use-defaults bar@${R}
add -p "$foopassword" --use-defaults baz@${R}
add -p "$foopassword" --use-defaults bez@${R}
add -p "$foopassword" --use-defaults fez@${R}
add -p "$foopassword" --use-defaults hasalias@${R}
add -p "$foopassword" --use-defaults pkinit@${R}
modify --pkinit-acl="CN=baz,DC=test,DC=h5l,DC=se" pkinit@${R}
add -p "$foopassword" --use-defaults prune@${R}
cpw --keepold --random-key prune@${R}
cpw --keepold --random-key prune@${R}
add -p "$foopassword" --use-defaults pruneall@${R}
cpw --pruneall --random-key pruneall@${R}
cpw --pruneall --random-key pruneall@${R}
EOF

# Password file consumed by "kinit --password-file" below. It is created
# with the caller's umask, which is acceptable only because this is a
# throw-away test password in a private build tree.
printf '%s\n' "$foopassword" > "${objdir}/foopassword"
# Start the KDC in the background. messages.log is truncated first so that
# anything dumped on a start-up failure belongs to this run only.
echo "Starting kdc"
: > messages.log
if ! ${kdc} --detach --testing; then
  echo "kdc failed to start"
  cat messages.log
  exit 1
fi
# Start kadmind with a one-entry list chunk size; later sections restart it
# with larger chunk sizes to exercise the chunked principal listing.
echo "Starting kadmind"
if ! ${kadmind} --detach --list-chunk-size=1; then
  echo "kadmind failed to start"
  cat messages.log
  exit 1
fi
# getpid is a helper provided outside this script (presumably by the
# sourced environment set-up); it yields the pid of the detached daemon.
kadmpid=$(getpid kadmind)
106 echo signal killing kdc
107 kill -9 ${kdcpid} ${kadmpid} 2>/dev
/null
108 trap '' EXIT INT TERM
112 trap cleanup EXIT INT TERM
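#----------------------------------
# Alias authorization. hasalias@ is not an admin principal, so
# "modify --alias" must be accepted only for the alias names it is
# permitted to claim and refused as a whole when any requested alias is
# not permitted. Which aliases are permitted is configured outside this
# script (presumably the test krb5.conf) — confirm there if this fails.
echo "kinit (no admin); test mod --alias authorization"
${kinit} --password-file="${objdir}/foopassword" \
    -S kadmin/admin@${R} hasalias@${R} || exit 1

# One non-permitted alias in the request -> the whole modify must fail.
# Success is the failure case here, so $? (always 0 in this branch) is
# deliberately not printed.
env KRB5CCNAME="${cache}" \
    ${kadmin} -p hasalias@${R} modify --alias=goodalias1@${R} --alias=badalias@${R} hasalias@${R} && {
  echo "kadmin unexpectedly accepted a non-permitted alias"
  cat messages.log
  exit 1
}

# All requested aliases permitted -> success.
env KRB5CCNAME="${cache}" \
    ${kadmin} -p hasalias@${R} modify --alias=goodalias1@${R} --alias=goodalias2@${R} hasalias@${R} || {
  echo "kadmin failed $?"
  cat messages.log
  exit 1
}

# Aliases can be dropped: modify replaces the alias list rather than
# adding to it, so only goodalias3 may remain afterwards.
env KRB5CCNAME="${cache}" \
    ${kadmin} -p hasalias@${R} modify --alias=goodalias3@${R} hasalias@${R} || {
  echo "kadmin failed $?"
  cat messages.log
  exit 1
}
# The local get prints one "Aliases: a@R b@R ..." line; drop the label and
# keep the rest as a single string.
${kadmin} -l get hasalias@${R} | grep 'Aliases:' > kadmin.tmp
read -r junk aliases < kadmin.tmp
[ "$aliases" = "goodalias3@${R}" ] || {
  echo "alias check failed: expected goodalias3@${R}, got '$aliases'"
  cat messages.log
  exit 1
}

env KRB5CCNAME="${cache}" \
    ${kadmin} -p hasalias@${R} modify --alias=goodalias1@${R} --alias=goodalias2@${R} --alias=goodalias3@${R} hasalias@${R} || {
  echo "kadmin failed $?"
  cat messages.log
  exit 1
}
${kadmin} -l get hasalias@${R} | grep 'Aliases:' > kadmin.tmp
read -r junk aliases < kadmin.tmp
[ "$aliases" = "goodalias1@${R} goodalias2@${R} goodalias3@${R}" ] || {
  echo "alias check failed: got '$aliases'"
  cat messages.log
  exit 1
}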
#----------------------------------
# A non-admin principal (bar) that is allowed to add principals: the add
# must succeed and the new principal must then be visible locally.
echo "kinit (no admin)"
${kinit} --password-file="${objdir}/foopassword" \
    -S kadmin/admin@${R} bar@${R} || exit 1

env KRB5CCNAME="${cache}" \
    ${kadmin} -p bar@${R} add -p "$foopassword" --use-defaults kaka2@${R} || {
  echo "kadmin failed $?"
  cat messages.log
  exit 1
}

${kadmin} -l get kaka2@${R} > /dev/null || {
  echo "kadmin failed $?"
  cat messages.log
  exit 1
}
#----------------------------------
# Global ACL, positive: baz is a non-admin principal whose ACL entry is
# expected to allow reading (get) another principal's entry.
echo "kinit (no admin)"
${kinit} --password-file="${objdir}/foopassword" \
    -S kadmin/admin@${R} baz@${R} || exit 1
echo "kadmin globacl"
env KRB5CCNAME="${cache}" \
    ${kadmin} -p baz@${R} get bar@${R} > /dev/null || {
  echo "kadmin failed $?"
  cat messages.log
  exit 1
}
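#----------------------------------
# Global ACL, negative: baz may read other principals but must not be able
# to change another principal's password. The ACL itself is configured
# outside this script.
echo "kinit (no admin)"
${kinit} --password-file="${objdir}/foopassword" \
    -S kadmin/admin@${R} baz@${R} || exit 1
echo "kadmin globacl, negative"
# Success is the failure case here, so $? (always 0 in this branch) is
# not printed; kadmin's own diagnostics are discarded, messages.log is
# shown instead.
env KRB5CCNAME="${cache}" \
    ${kadmin} -p baz@${R} passwd -p "$foopassword" bar@${R} > /dev/null 2>/dev/null && {
  echo "kadmin unexpectedly succeeded: baz@${R} must not be able to change bar's password"
  cat messages.log
  exit 1
}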
#----------------------------------
# Global ACL, positive (repeated after the negative check above): baz must
# still be able to read bar's entry.
echo "kinit (no admin)"
${kinit} --password-file="${objdir}/foopassword" \
    -S kadmin/admin@${R} baz@${R} || exit 1
echo "kadmin globacl"
env KRB5CCNAME="${cache}" \
    ${kadmin} -p baz@${R} get bar@${R} > /dev/null || {
  echo "kadmin failed $?"
  cat messages.log
  exit 1
}
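#----------------------------------
# Global ACL, negative: bez must not be able to change another principal's
# password. The ACL itself is configured outside this script.
echo "kinit (no admin)"
${kinit} --password-file="${objdir}/foopassword" \
    -S kadmin/admin@${R} bez@${R} || exit 1
echo "kadmin globacl, negative"
# Success is the failure case here, so $? (always 0 in this branch) is
# not printed.
env KRB5CCNAME="${cache}" \
    ${kadmin} -p bez@${R} passwd -p "$foopassword" bar@${R} > /dev/null 2>/dev/null && {
  echo "kadmin unexpectedly succeeded: bez@${R} must not be able to change bar's password"
  cat messages.log
  exit 1
}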
#----------------------------------
# Global ACL, positive: fez is expected to be allowed to read bar's entry.
echo "kinit (no admin)"
${kinit} --password-file="${objdir}/foopassword" \
    -S kadmin/admin@${R} fez@${R} || exit 1
echo "kadmin globacl"
env KRB5CCNAME="${cache}" \
    ${kadmin} -p fez@${R} get bar@${R} > /dev/null || {
  echo "kadmin failed $?"
  cat messages.log
  exit 1
}
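#----------------------------------
# Global ACL, negative: fez may read other principals but must not be able
# to change another principal's password. The ACL itself is configured
# outside this script.
echo "kinit (no admin)"
${kinit} --password-file="${objdir}/foopassword" \
    -S kadmin/admin@${R} fez@${R} || exit 1
echo "kadmin globacl, negative"
# Success is the failure case here, so $? (always 0 in this branch) is
# not printed.
env KRB5CCNAME="${cache}" \
    ${kadmin} -p fez@${R} passwd -p "$foopassword" bar@${R} > /dev/null 2>/dev/null && {
  echo "kadmin unexpectedly succeeded: fez@${R} must not be able to change bar's password"
  cat messages.log
  exit 1
}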
#----------------------------------
# The admin principal adds a new principal; a second add of the same name
# with a different (and trivially weak) password must be refused.
${kinit} --password-file="${objdir}/foopassword" \
    -S kadmin/admin@${R} foo/admin@${R} || exit 1

env KRB5CCNAME="${cache}" \
    ${kadmin} -p foo/admin@${R} add -p "$foopassword" --use-defaults kaka@${R} || {
  echo "kadmin failed $?"
  cat messages.log
  exit 1
}

# Negative: this check does not distinguish whether the add is rejected
# because kaka@ already exists or because "abc" fails the password quality
# check — either way it must not succeed.
env KRB5CCNAME="${cache}" \
    ${kadmin} -p foo/admin@${R} add -p abc --use-defaults kaka@${R} && {
  echo "kadmin succeeded $?"
  cat messages.log
  exit 1
}
#----------------------------------
echo "kadmin get doesnotexists"
# Asking for a principal that does not exist must fail, and the error text
# on stderr must match the reference file exactly.
env KRB5CCNAME="${cache}" \
    ${kadmin} -p foo/admin@${R} get -s doesnotexists@${R} \
    > /dev/null 2>kadmin.tmp && {
  echo "kadmin passed"
  cat messages.log
  exit 1
}

# Normalise the captured stderr before comparing.
# libtool wrappers report the program name as lt-kadmin:
sed 's/lt-kadmin:/kadmin:/' < kadmin.tmp > kadmin2.tmp
mv kadmin2.tmp kadmin.tmp
# A client that tried IPv6 first against an IPv4-only kadmind logs a
# connect error that is irrelevant to this check:
grep -v ': connect' kadmin.tmp > kadmin2.tmp
mv kadmin2.tmp kadmin.tmp

if ! diff kadmin.tmp "${srcdir}/donotexists.txt"; then
  echo "wrong response"
  exit 1
fi
245 #----------------------------------
246 echo "kadmin get pkinit-acl
"
247 env KRB5CCNAME=${cache} \
248 ${kadmin} -p foo/admin@${R} get -o pkinit-acl pkinit@${R} \
250 { echo "kadmin failed $?
"; cat messages.log ; exit 1; }
#----------------------------------
echo "kadmin get -o principal"
# -o restricts the output to the named field. The expected realm is
# hard-coded, so this check only holds when R is TEST.H5L.SE.
env KRB5CCNAME="${cache}" \
    ${kadmin} -p foo/admin@${R} get -o principal bar@${R} \
    > kadmin.tmp 2>&1 || {
  echo "kadmin failed $?"
  cat messages.log
  exit 1
}
if [ "$(cat kadmin.tmp)" != "Principal: bar@TEST.H5L.SE" ]; then
  cat kadmin.tmp
  cat messages.log
  exit 1
fi
#----------------------------------
echo "kadmin get -o kvno"
# bar@ was created once and never re-keyed, so its kvno must still be 1.
env KRB5CCNAME="${cache}" \
    ${kadmin} -p foo/admin@${R} get -o kvno bar@${R} \
    > kadmin.tmp 2>&1 || {
  echo "kadmin failed $?"
  cat messages.log
  exit 1
}
if [ "$(cat kadmin.tmp)" != "Kvno: 1" ]; then
  cat kadmin.tmp
  cat messages.log
  exit 1
fi
#----------------------------------
echo "kadmin get -o princ_expire_time"
# --use-defaults at creation time is expected to leave no expiry set.
env KRB5CCNAME="${cache}" \
    ${kadmin} -p foo/admin@${R} get -o princ_expire_time bar@${R} \
    > kadmin.tmp 2>&1 || {
  echo "kadmin failed $?"
  cat messages.log
  exit 1
}
if [ "$(cat kadmin.tmp)" != "Principal expires: never" ]; then
  cat kadmin.tmp
  cat messages.log
  exit 1
fi
284 #----------------------------------
285 echo "kadmin get
-s -o attributes
"
286 env KRB5CCNAME=${cache} \
287 ${kadmin} -p foo/admin@${R} get -s -o attributes bar@${R} \
289 { echo "kadmin failed $?
"; cat messages.log ; exit 1; }
290 if test "`cat kadmin.tmp`" != "Attributes
" ; then
291 cat kadmin.tmp ; cat messages.log ; exit 1 ;
#----------------------------------
# prune --kvno=2 removes only the key(s) with that kvno. prune@ was
# re-keyed twice with --keepold above, so presumably holds kvnos 1, 2 and 3
# and kvnos 1 and 3 must survive. No -p is given, so the principal comes
# from the credential cache (foo/admin, from the last kinit).
env KRB5CCNAME="${cache}" \
    ${kadmin} prune --kvno=2 prune@${R} \
    > kadmin.tmp 2>&1 || {
  echo "kadmin failed $?"
  cat messages.log
  exit 1
}
env KRB5CCNAME="${cache}" \
    ${kadmin} get prune@${R} \
    > kadmin.tmp 2>&1 || {
  echo "kadmin failed $?"
  cat messages.log
  exit 1
}
# Reduce the "Keytypes:" line to the sorted, de-duplicated set of kvnos
# (the bracketed number after each key type), joined onto one line, and
# require exactly "13". Only the last pipeline stage's status is checked.
${EGREP} Keytypes: kadmin.tmp |
  cut -d: -f2 |
  tr ' ' '\n' |
  sed 's/^.*[[]\(.*\)[]].*$/\1/' |
  grep '[0-9]' |
  sort -nu |
  tr -d '\n' |
  ${EGREP} '^13$' > /dev/null || {
  echo "kadmin prune failed $?"
  cat messages.log
  exit 1
}
#----------------------------------
echo "kadmin pruneall"
# pruneall@ was re-keyed twice with --pruneall above, so only the newest
# key (kvno 3) is expected to remain; nothing to prune here, just verify.
env KRB5CCNAME="${cache}" \
    ${kadmin} get pruneall@${R} \
    > kadmin.tmp 2>&1 || {
  echo "kadmin failed $?"
  cat messages.log
  exit 1
}
# Same kvno extraction as the prune check above; the joined set must be "3".
${EGREP} Keytypes: kadmin.tmp |
  cut -d: -f2 |
  tr ' ' '\n' |
  sed 's/^.*[[]\(.*\)[]].*$/\1/' |
  grep '[0-9]' |
  sort -nu |
  tr -d '\n' |
  ${EGREP} '^3$' > /dev/null || {
  echo "kadmin pruneall failed $?"
  cat messages.log
  exit 1
}
# list --upto=3 must return exactly three entries although more exist.
env KRB5CCNAME="${cache}" \
    ${kadmin} -p foo/admin@${R} list --upto=3 '*' > kadmin.tmp
count=$(wc -l < kadmin.tmp)
# $count is left unquoted in the test: some wc implementations pad the
# number with leading blanks.
[ $count -eq 3 ] || {
  echo "kadmin list --upto 3 produced $count results!"
  exit 1
}
#----------------------------------
# Re-entrance: "get '*'" through kadmind must produce exactly the same
# output as the local (-l) path.
echo "kadmin get '*' (re-entrance)"
: > messages.log
if ! ${kadmin} -l get '*' > kadmin.tmp; then
  echo "failed to list principals"
  cat messages.log
  exit 1
fi

if ! env KRB5CCNAME="${cache}" ${kadmin} -p foo/admin@${R} get '*' > kadmin.tmp2; then
  echo "failed to list principals"
  cat messages.log
  exit 1
fi
if ! diff -u kadmin.tmp kadmin.tmp2; then
  echo "local and remote get all differ"
  exit 1
fi
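#----------------------------------
# We have 20 principals in the DB. Test two chunks of 1 (since that's how we
# started kadmind above).

echo "kadmin list all (chunk size 1)"
# Check that list produces the same output locally and remote. The remote
# listing is captured before sorting so that kadmin's own exit status is
# checked (a "list | sort" pipeline would only report sort's status).
env KRB5CCNAME="${cache}" \
    ${kadmin} -p foo/admin@${R} list '*' > kadmin.tmp.unsorted || {
  echo "failed to list principals"
  cat messages.log
  exit 1
}
sort kadmin.tmp.unsorted > kadmin.tmp
${kadmin} -l list '*' | sort > kadmin.tmp2
if ! diff kadmin.tmp kadmin.tmp2; then
  echo "failed to list all principals"
  cat messages.log
  exit 1
fi
# kadmin dump does not use kadm5_iter_principals, so this is a good way to
# double check the above results. This time we drop the realm part because
# kadmin doesn't show us the realm for principals in the default realm.
${kadmin} -l list '*' | cut -d'@' -f1 | sort > kadmin.tmp
${kadmin} -l dump | cut -d'@' -f1 | sort > kadmin.tmp2
if ! diff kadmin.tmp kadmin.tmp2; then
  echo "failed to list all principals (dump)"
  cat messages.log
  exit 1
fi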
355 ${kadmin} -l > kadmin.tmp <<"EOF"
# The here-document fed to local kadmin just above (its body is not shown
# in this listing) is expected to end with a command whose output contains
# "Attributes"; its presence proves kadmin still executes commands after a
# list.
if ! grep Attributes kadmin.tmp > /dev/null; then
  echo "failed to execute command after list"
  cat messages.log
  exit 1
fi
361 env KRB5CCNAME=${cache} \
362 ${kadmin} -p foo/admin@${R} > kadmin.tmp <<"EOF"
# Same check for the remote (kadmind) path: the here-document above must
# have produced an "Attributes" line after the list command.
if ! grep Attributes kadmin.tmp > /dev/null; then
  echo "failed to execute command after list"
  cat messages.log
  exit 1
fi
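#----------------------------------
# We have 20 principals in the DB. Test two chunks of 10.
# leaks_kill (a helper defined outside this script) stops the running
# kadmind; then restart it with the new chunk size.
sh ${leaks_kill} kadmind $kadmpid || exit 1
# Check the restart the same way as the initial start-up: an unnoticed
# failure here would leave kadmpid empty or stale and make the following
# section fail with a misleading error.
${kadmind} --list-chunk-size=10 --detach || {
  echo "kadmind failed to start"
  cat messages.log
  exit 1
}
kadmpid=$(getpid kadmind)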
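echo "kadmin list all (chunk size 10)"
# Check that list produces the same output locally and remote. The remote
# listing is captured before sorting so that kadmin's own exit status is
# checked (a "list | sort" pipeline would only report sort's status).
env KRB5CCNAME="${cache}" \
    ${kadmin} -p foo/admin@${R} list '*' > kadmin.tmp.unsorted || {
  echo "failed to list principals"
  cat messages.log
  exit 1
}
sort kadmin.tmp.unsorted > kadmin.tmp
${kadmin} -l list '*' | sort > kadmin.tmp2
if ! diff kadmin.tmp kadmin.tmp2; then
  echo "failed to list all principals"
  cat messages.log
  exit 1
fi
# kadmin dump does not use kadm5_iter_principals, so this is a good way to
# double check the above results. This time we drop the realm part because
# kadmin doesn't show us the realm for principals in the default realm.
${kadmin} -l list '*' | cut -d'@' -f1 | sort > kadmin.tmp
${kadmin} -l dump | cut -d'@' -f1 | sort > kadmin.tmp2
if ! diff kadmin.tmp kadmin.tmp2; then
  echo "failed to list all principals (dump)"
  cat messages.log
  exit 1
fi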
391 env KRB5CCNAME=${cache} \
392 ${kadmin} -p foo/admin@${R} > kadmin.tmp <<"EOF"
# The here-document above must have produced an "Attributes" line after
# the list command, i.e. kadmin keeps executing commands after a chunked
# list.
if ! grep Attributes kadmin.tmp > /dev/null; then
  echo "failed to execute command after list"
  cat messages.log
  exit 1
fi
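#----------------------------------
# We have 20 principals in the DB. Test one chunk of 50.
sh ${leaks_kill} kadmind $kadmpid || exit 1
# Check the restart the same way as the initial start-up so a failure does
# not surface later as an empty or stale kadmpid.
${kadmind} --list-chunk-size=50 --detach || {
  echo "kadmind failed to start"
  cat messages.log
  exit 1
}
kadmpid=$(getpid kadmind)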
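echo "kadmin list all (chunk size 50)"
# Check that list produces the same output locally and remote. The remote
# listing is captured before sorting so that kadmin's own exit status is
# checked (a "list | sort" pipeline would only report sort's status).
env KRB5CCNAME="${cache}" \
    ${kadmin} -p foo/admin@${R} list '*' > kadmin.tmp.unsorted || {
  echo "failed to list principals"
  cat messages.log
  exit 1
}
sort kadmin.tmp.unsorted > kadmin.tmp
${kadmin} -l list '*' | sort > kadmin.tmp2
if ! diff kadmin.tmp kadmin.tmp2; then
  echo "failed to list all principals"
  cat messages.log
  exit 1
fi
# kadmin dump does not use kadm5_iter_principals, so this is a good way to
# double check the above results. This time we drop the realm part because
# kadmin doesn't show us the realm for principals in the default realm.
${kadmin} -l list '*' | cut -d'@' -f1 | sort > kadmin.tmp
${kadmin} -l dump | cut -d'@' -f1 | sort > kadmin.tmp2
if ! diff kadmin.tmp kadmin.tmp2; then
  echo "failed to list all principals (dump)"
  cat messages.log
  exit 1
fi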
421 env KRB5CCNAME=${cache} \
422 ${kadmin} -p foo/admin@${R} > kadmin.tmp <<"EOF"
# The here-document above must have produced an "Attributes" line after
# the list command.
if ! grep Attributes kadmin.tmp > /dev/null; then
  echo "failed to execute command after list"
  cat messages.log
  exit 1
fi
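#----------------------------------
# We have 20 principals in the DB. Test 3 chunks of up to 7.
sh ${leaks_kill} kadmind $kadmpid || exit 1
# Check the restart the same way as the initial start-up so a failure does
# not surface later as an empty or stale kadmpid.
${kadmind} --list-chunk-size=7 --detach || {
  echo "kadmind failed to start"
  cat messages.log
  exit 1
}
kadmpid=$(getpid kadmind)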
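echo "kadmin list all (chunk size 7)"
# Check that list produces the same output locally and remote. The remote
# listing is captured before sorting so that kadmin's own exit status is
# checked (a "list | sort" pipeline would only report sort's status).
env KRB5CCNAME="${cache}" \
    ${kadmin} -p foo/admin@${R} list '*' > kadmin.tmp.unsorted || {
  echo "failed to list principals"
  cat messages.log
  exit 1
}
sort kadmin.tmp.unsorted > kadmin.tmp
${kadmin} -l list '*' | sort > kadmin.tmp2
if ! diff kadmin.tmp kadmin.tmp2; then
  echo "failed to list all principals"
  cat messages.log
  exit 1
fi
# kadmin dump does not use kadm5_iter_principals, so this is a good way to
# double check the above results. This time we drop the realm part because
# kadmin doesn't show us the realm for principals in the default realm.
${kadmin} -l list '*' | cut -d'@' -f1 | sort > kadmin.tmp
${kadmin} -l dump | cut -d'@' -f1 | sort > kadmin.tmp2
if ! diff kadmin.tmp kadmin.tmp2; then
  echo "failed to list all principals (dump)"
  cat messages.log
  exit 1
fi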
#----------------------------------
# Tear-down: stop both daemons through the leaks_kill helper (defined
# outside this script) so that a daemon that has already died, or whatever
# else the helper reports, fails the test instead of being masked by the
# unconditional kill in the EXIT trap.
echo "killing kdc (${kdcpid} ${kadmpid})"
sh ${leaks_kill} kdc $kdcpid || exit 1
sh ${leaks_kill} kadmind $kadmpid || exit 1