bx509d: Implement /get-tgt end-point
1 #!/bin/sh
3 # Copyright (c) 2019 Kungliga Tekniska Högskolan
4 # (Royal Institute of Technology, Stockholm, Sweden).
5 # All rights reserved.
7 # Redistribution and use in source and binary forms, with or without
8 # modification, are permitted provided that the following conditions
9 # are met:
11 # 1. Redistributions of source code must retain the above copyright
12 # notice, this list of conditions and the following disclaimer.
14 # 2. Redistributions in binary form must reproduce the above copyright
15 # notice, this list of conditions and the following disclaimer in the
16 # documentation and/or other materials provided with the distribution.
18 # 3. Neither the name of the Institute nor the names of its contributors
19 # may be used to endorse or promote products derived from this software
20 # without specific prior written permission.
22 # THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
23 # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 # ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
26 # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 # SUCH DAMAGE.
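top_builddir="@top_builddir@"
env_setup="@env_setup@"
objdir="@objdir@"

# Canned failure action; not referenced in this script.
testfailed="echo test failed; cat messages.log; exit 1"

# env_setup supplies the tool variables used below (hxtool, kadmin, kdc,
# bx509d, kinit, klist, gsstoken, rkbase64, rkvis, test_kdc_ca, ...) as well
# as have_db, hx509_data, afs_no_afslog and afs_no_unlog.
. "${env_setup}"

# If there is no useful db support compiled in, disable test
${have_db} || exit 77

R=TEST.H5L.SE
DCs="DC=test,DC=h5l,DC=se"

port=@port@
bx509port=@bx509port@

# The tool variables deliberately carry their standard options; they are
# expanded unquoted below so that the options split into separate words.
kadmin="${kadmin} -l -r $R"
bx509d="${bx509d} --reverse-proxied -p $bx509port"
kdc="${kdc} --addresses=localhost -P $port"

server=datan.test.h5l.se
otherserver=other.test.h5l.se
cachefile="${objdir}/cache.krb5"
cache="FILE:${cachefile}"
cachefile2="${objdir}/cache2.krb5"
cache2="FILE:${cachefile2}"
keyfile="${hx509_data}/key.der"
keyfile2="${hx509_data}/key2.der"
kt="${objdir}/kt"
keytab="FILE:${kt}"
ukt="${objdir}/ukt"
ukeytab="FILE:${ukt}"

kinit="${kinit} -c $cache ${afs_no_afslog}"
# klist2 must be derived from the bare ${klist} BEFORE klist itself is
# redefined on the following line -- keep this order.
klist2="${klist} --hidden -v -c $cache2"
klist="${klist} --hidden -v -c $cache"
kgetcred="${kgetcred} -c $cache"
kdestroy="${kdestroy} -c $cache ${afs_no_unlog}"
kx509="${kx509} -c $cache"

KRB5_CONFIG="${objdir}/krb5-bx509.conf"
export KRB5_CONFIG

# Probe the built tools: RSA support in hx509 (the CA and CSR keys below are
# RSA) and PKINIT support in kinit.
rsa=yes
pkinit=no
if ${hxtool} info | grep 'rsa: hx509 null RSA' > /dev/null ; then
    rsa=no
fi
if ${hxtool} info | grep 'rand: not available' > /dev/null ; then
    rsa=no
fi
if ${kinit} --help 2>&1 | grep "CA certificates" > /dev/null; then
    pkinit=yes
fi

# If we don't support PKINIT, or lack RSA, give up (77 = test skipped).
# Two test invocations joined with || rather than the ambiguous, obsolescent
# "-o" binary primary.
if test "$pkinit" != yes || test "$rsa" != yes ; then
    exit 77
fi

# Fresh start: remove leftovers from a previous run.  These globs act on the
# current directory, which is presumably ${objdir} (later steps refer to the
# same files both with and without the ${objdir}/ prefix).
rm -f current-db*
rm -f out-*
rm -f mkey.file*
rm -f *.pem *.crt *.der
rm -rf simple_csr_authz

mkdir -p simple_csr_authz

> messages.log

# We'll avoid using a KDC for now. For testing /bx509 we only need keys for
# Negotiate tokens, and we'll use ktutil and kimpersonate to make it possible
# to create and accept those without a KDC. When we test /bnegotiate, however,
# we'll start a KDC.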
# csr_grant ext-type value grantee_principal
#
# Record that grantee_principal may request a CSR feature of the given
# ext-type (e.g. dnsname, email, eku, pkinit) with the given value.  The
# grant is an empty marker file,
#   ${objdir}/simple_csr_authz/<grantee_principal>/<ext-type>-<value>
# which is what the simple CSR authorizer exercised by $test_kdc_ca and
# bx509d below appears to consult.  Undone wholesale by csr_revoke.
csr_grant() {
    mkdir -p -- "${objdir}/simple_csr_authz/$3"
    touch -- "${objdir}/simple_csr_authz/$3/$1-$2"
}
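# csr_revoke
#
# Drop every grant made with csr_grant by recreating an empty
# ${objdir}/simple_csr_authz directory.  The ${objdir:?} guard aborts rather
# than run "rm -rf /simple_csr_authz" should objdir ever be unset or empty.
csr_revoke() {
    rm -rf -- "${objdir:?objdir must be set}/simple_csr_authz"
    mkdir -p -- "${objdir}/simple_csr_authz"
}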
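# get_cert "" curl-opts
# get_cert "&qparams" curl-opts
#
# Ask bx509d's /bx509 end-point for a certificate for the CSR in $csr,
# authenticating with the Negotiate token in $token.  $1 is appended
# verbatim to the query string (empty, or "&name=value..." for extra SAN/EKU
# requests); the remaining arguments are passed through to curl ahead of the
# URL.  Reads the globals csr, token, server and bx509port; sets url as a
# side effect (POSIX sh, so no local).  Status is curl's.
get_cert() {
    url="http://${server}:${bx509port}/bx509?csr=${csr}${1}"
    shift
    # --resolve pins the test hostname to loopback without touching DNS.
    curl -g --resolve "${server}:${bx509port}:127.0.0.1" \
        -H "Authorization: Negotiate $token" \
        "$@" "$url"
}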
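# No KDC yet: add a random (-r) HTTP/ service key to the keytab and let
# kimpersonate forge a ticket for foo@$R with it into $cache, so that
# gss-token can both create and accept Negotiate tokens.  $ktutil,
# $kimpersonate and $klist are expanded unquoted on purpose (they may carry
# options, like the other tool variables).
rm -f -- "$kt" "$ukt"
$ktutil -k "$keytab" add -r -V 1 -e aes128-cts-hmac-sha1-96 \
    -p "HTTP/datan.test.h5l.se@${R}" ||
    { echo "failed to setup kimpersonate credentials"; exit 2; }
$ktutil -k "$keytab" list ||
    { echo "failed to setup kimpersonate credentials"; exit 2; }
$kimpersonate --ccache="$cache" -k "$keytab" -R -t aes128-cts-hmac-sha1-96 \
    -c "foo@${R}" -s "HTTP/datan.test.h5l.se@${R}" ||
    { echo "failed to setup kimpersonate credentials"; exit 2; }
$klist ||
    { echo "failed to setup kimpersonate credentials"; exit 2; }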
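echo "Setting up certificates"
# We need:
#
# - a CA certificate for issuing client certificates
# - a CA certificate for issuing server certificates
# - a CA certificate for issuing mixed certificates
# - a certificate for bx509 itself (well, not in reverse proxy mode, but we'll
#   make one anyways)
#
# All keys are 1024-bit RSA: throw-away test material, not a recommendation.
# Any hxtool failure aborts the test with exit 2.

# Make the realm's user cert issuer CA certificate.
#
# NOTE WELL: We need all three KeyUsage values listed below!
#            We also need this to be of type "pkinit-kdc",
#            which means we'll get an appropriate EKU OID as
#            well.
$hxtool ca --issue-ca --self-signed --type=pkinit-kdc \
    --ku=digitalSignature --ku=keyCertSign --ku=cRLSign \
    --pk-init-principal="krbtgt/${R}@${R}" \
    --generate-key=rsa --key-bits=1024 \
    --subject="OU=Users,CN=KDC,${DCs}" \
    --certificate=PEM-FILE:"${objdir}/user-issuer.pem" ||
    { echo "failed to setup CA certificate"; exit 2; }

# We'll use the user cert issuer as the PKINIT anchor, allowing bx509-issued
# certificates to be used for PKINIT. Though we won't be testing PKINIT here
# -- we test kx509->PKINIT in check-pkinit.
cp "${objdir}/user-issuer.pem" "${objdir}/pkinit-anchor.pem"

# Put the cert alone in the trust anchors file: delete everything ahead of
# the first "-----BEGIN CERTIFICATE-----" line, then write and quit.
ex "${objdir}/pkinit-anchor.pem" <<"EOF"
/-----BEGIN CERTIFICATE-----
1,.-1 d
wq
EOF

$hxtool ca --issue-ca --self-signed \
    --ku=digitalSignature --ku=keyCertSign --ku=cRLSign \
    --generate-key=rsa --key-bits=1024 \
    --subject="OU=Servers,CN=KDC,${DCs}" \
    --certificate=PEM-FILE:"${objdir}/server-issuer.pem" ||
    { echo "failed to setup CA certificate"; exit 2; }

# Note: same subject name as the user issuer, but a different key.
$hxtool ca --issue-ca --self-signed \
    --ku=digitalSignature --ku=keyCertSign --ku=cRLSign \
    --generate-key=rsa --key-bits=1024 \
    --subject="OU=Users,CN=KDC,${DCs}" \
    --certificate=PEM-FILE:"${objdir}/mixed-issuer.pem" ||
    { echo "failed to setup CA certificate"; exit 2; }

# bx509d's own certificate, issued by the server CA.
$hxtool ca --issue-ca --type=https-negotiate-server \
    --ca-certificate=PEM-FILE:"${objdir}/server-issuer.pem" \
    --ku=digitalSignature --pk-init-principal="HTTP/${server}@${R}" \
    --generate-key=rsa --key-bits=1024 --subject="" \
    --certificate=PEM-FILE:"${objdir}/bx509.pem" ||
    { echo "failed to setup CA certificate"; exit 2; }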
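# XXX Before starting bx509d let us use kdc test programs to check that:
#
# - the negotiate token validator plugin works
# - the simple CSR authorizer plugin works
# - the KDC CA tester program works

echo "Check gss-token and Negotiate token validator plugin"
# A token mangled in transit (tr A B) must be rejected...
token=$(KRB5CCNAME="$cache" $gsstoken "HTTP@$server" | tr A B)
$test_token_validator -a datan.test.h5l.se Negotiate "$token" &&
    { echo "Negotiate token validator accepted invalid token"; exit 2; }
# ...and an intact one accepted.
token=$(KRB5CCNAME="$cache" $gsstoken "HTTP@$server")
$test_token_validator -a datan.test.h5l.se Negotiate "$token" ||
    { echo "Negotiate token validator failed to validate valid token"; exit 2; }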
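echo "Making a plain CSR"
$hxtool request-create --subject='' --generate-key=rsa --key-bits=1024 \
    --key=FILE:"${objdir}/k.der" "${objdir}/req" ||
    { echo "Failed to make a CSR"; exit 2; }

rm -f trivial.pem server.pem email.pem

echo "Testing plain user cert issuance KDC CA"
# The offline CA tester must issue foo@$R a certificate whose subject is
# CN=foo,$DCs and which carries the PKINIT SAN for foo@$R (-P), and the
# output must not contain a private key for the issuer's subject.
$test_kdc_ca -a bx509 -A "foo@${R}" "PKCS10:${objdir}/req" \
    "PEM-FILE:${objdir}/trivial.pem" ||
    { echo "Trivial offline CA test failed"; exit 2; }
$hxtool print --content "PEM-FILE:${objdir}/trivial.pem" ||
    { echo "Trivial offline CA test failed"; exit 2; }
$hxtool acert --end-entity \
    --expr="%{certificate.subject} == \"CN=foo,$DCs\"" \
    -P "foo@${R}" "FILE:${objdir}/trivial.pem" ||
    { echo "Trivial offline CA test failed"; exit 2; }
$hxtool acert --expr="%{certificate.subject} == \"OU=Users,CN=KDC,$DCs\"" \
    --lacks-private-key "FILE:${objdir}/trivial.pem" ||
    { echo "Trivial offline CA test failed (issuer private keys included!!)"; exit 2; }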
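echo "Testing other cert issuance KDC CA"
csr_revoke
# With every grant revoked, a CSR asking for a dNSName (resp. rfc822Name)
# SAN must be refused.  Once the exact SAN value and the EKU
# (1.3.6.1.5.5.7.3.1 serverAuth / 1.3.6.1.5.5.7.3.2 clientAuth) are granted
# to foo@$R it must be issued -- by the server (resp. user) issuer, and
# without the issuer's private key in the output.
# https server cert
$hxtool request-create --subject='' --generate-key=rsa --key-bits=1024 \
    --key=FILE:"${objdir}/k.der" \
    --eku=id_pkix_kp_serverAuth \
    --dnsname=foo.test.h5l.se "${objdir}/req" ||
    { echo "Failed to make a CSR with a dNSName SAN request"; exit 2; }
$test_kdc_ca -a bx509 "foo@${R}" "PKCS10:${objdir}/req" \
    "PEM-FILE:${objdir}/server.pem" &&
    { echo "Trivial offline CA test failed: unauthorized issuance (dNSName)"; exit 2; }
csr_grant dnsname foo.test.h5l.se "foo@${R}"
csr_grant eku 1.3.6.1.5.5.7.3.1 "foo@${R}"
$test_kdc_ca -a bx509 "foo@${R}" "PKCS10:${objdir}/req" \
    "PEM-FILE:${objdir}/server.pem" ||
    { echo "Offline CA test failed for explicitly authorized dNSName"; exit 2; }
$hxtool print --content "PEM-FILE:${objdir}/server.pem" ||
    { echo "Offline CA test failed for explicitly authorized dNSName"; exit 2; }
$hxtool acert --expr="%{certificate.subject} == \"OU=Servers,CN=KDC,$DCs\"" \
    --lacks-private-key "FILE:${objdir}/server.pem" ||
    { echo "Trivial offline CA test failed (issuer private keys included!!)"; exit 2; }
# email cert
$hxtool request-create --subject='' --generate-key=rsa --key-bits=1024 \
    --key=FILE:"${objdir}/k.der" \
    --eku=id_pkix_kp_clientAuth \
    --email=foo@test.h5l.se "${objdir}/req" ||
    { echo "Failed to make a CSR with an rfc822Name SAN request"; exit 2; }
# (messages below say rfc822Name: this is the email case, not dNSName)
$test_kdc_ca -a bx509 "foo@${R}" "PKCS10:${objdir}/req" \
    "PEM-FILE:${objdir}/email.pem" &&
    { echo "Offline CA test failed: unauthorized issuance (rfc822Name)"; exit 2; }
csr_grant email foo@test.h5l.se "foo@${R}"
csr_grant eku 1.3.6.1.5.5.7.3.2 "foo@${R}"
$test_kdc_ca -a bx509 "foo@${R}" "PKCS10:${objdir}/req" \
    "PEM-FILE:${objdir}/email.pem" ||
    { echo "Offline CA test failed for explicitly authorized rfc822Name"; exit 2; }
$hxtool print --content "PEM-FILE:${objdir}/email.pem" ||
    { echo "Offline CA test failed for explicitly authorized rfc822Name"; exit 2; }
$hxtool acert --expr="%{certificate.subject} == \"OU=Users,CN=KDC,$DCs\"" \
    --lacks-private-key "FILE:${objdir}/email.pem" ||
    { echo "Offline CA test failed (issuer private keys included!!)"; exit 2; }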
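# The remaining tests drive bx509d over HTTP: they need curl, and bx509d is
# only built when libmicrohttpd was available at configure time.  Either
# missing means skip (77), not fail.
if ! command -v curl > /dev/null; then
    echo "curl is not available -- not testing bx509d"
    exit 77
fi
if ! test -x "${objdir}/../../kdc/bx509d"; then
    echo "Configured w/o libmicrohttpd -- not testing bx509d"
    exit 77
fi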
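echo "Creating database"
${kadmin} init \
    --realm-max-ticket-life=1day \
    --realm-max-renewable-life=1month \
    "${R}" || exit 1
${kadmin} add -r --use-defaults "foo@${R}" || exit 1
# Allow foo@$R to PKINIT with a client certificate whose subject is CN=foo,...
${kadmin} modify --pkinit-acl="CN=foo,DC=test,DC=h5l,DC=se" "foo@${R}" || exit 1

echo "Starting bx509d"
${bx509d} -H "$server" --cert="${objdir}/bx509.pem" -t --daemon ||
    { echo "bx509 failed to start"; exit 2; }
bx509pid=$(getpid bx509d)
# Until the orderly shutdown at the end of the script, any exit -- a failed
# check or a signal -- must take the daemon down too.  The pid is expanded
# when the trap is set, on purpose.
trap "kill -9 ${bx509pid}; echo signal killing bx509d; exit 1;" EXIT
ec=0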
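rm -f trivial.pem server.pem email.pem

echo "Making a plain CSR"
csr_revoke
$hxtool request-create --subject='' --generate-key=rsa --key-bits=1024 \
    --key=FILE:"${objdir}/k.der" "${objdir}/req" ||
    { echo "Failed to make a CSR"; exit 2; }
# The CSR travels in the query string: base64 it, then escape it for a URL
# with rkvis -h.
csr=$($rkbase64 -- "${objdir}/req" | $rkvis -h --stdin)

# XXX Add autoconf check for curl?
#     Create a barebones bx509 HTTP/1.1 client test program?

echo "Fetching a trivial user certificate"
token=$(KRB5CCNAME="$cache" $gsstoken "HTTP@$server")
if (set -vx; get_cert '' -sf -o "${objdir}/trivial.pem"); then
    $hxtool print --content "FILE:${objdir}/trivial.pem"
    # Same contract as the offline test: subject CN=foo,$DCs plus the PKINIT
    # SAN for foo@$R.
    if $hxtool acert --end-entity \
            --expr="%{certificate.subject} == \"CN=foo,$DCs\"" \
            -P "foo@${R}" "FILE:${objdir}/trivial.pem"; then
        echo 'Successfully obtained a trivial client certificate!'
    else
        echo 'FAIL: Obtained a trivial client certificate w/o expected PKINIT SAN'
        exit 1
    fi
    # NOTE(review): this check cannot fail the test (no else branch), and the
    # subject "OU=Users,$DCs" is neither the issuer subject used elsewhere
    # ("OU=Users,CN=KDC,$DCs") nor the end entity's.  The offline test asserts
    # --lacks-private-key on the issuer subject and exits 2 otherwise;
    # presumably the same was intended here -- confirm before tightening.
    if $hxtool acert --expr="%{certificate.subject} == \"OU=Users,$DCs\"" \
            --has-private-key "FILE:${objdir}/trivial.pem"; then
        echo 'Successfully obtained a trivial client certificate!'
    fi
else
    echo 'Failed to get a certificate!'
    exit 1
fi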
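echo "Checking that authorization is enforced"
csr_revoke
# No grants exist now, so a CSR asking for any SAN must be refused.  The
# first, verbose request (-vvv, no -f, so curl succeeds regardless of the
# HTTP status) only logs the exchange; the checked request writes to the
# same bad1.pem, which is what gets printed if it unexpectedly succeeds.
get_cert '&rfc822Name=foo@bar.example' -vvv -o "${objdir}/bad1.pem"
if (set -vx; get_cert '&rfc822Name=foo@bar.example' -sf -o "${objdir}/bad1.pem"); then
    $hxtool print --content "FILE:${objdir}/bad1.pem"
    echo 'Obtained a client certificate for a non-granted name!'
    exit 1
else
    echo 'Correctly failed to get a client certificate for a non-granted name'
fi
if (set -vx; get_cert "&dNSName=$server" -sf -o "${objdir}/bad2.pem"); then
    $hxtool print --content "FILE:${objdir}/bad2.pem"
    echo 'Obtained a server certificate for a non-granted name!'
    exit 1
else
    echo 'Correctly failed to get a server certificate for a non-granted name'
fi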
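# Granted SANs.  In each case the issued certificate must NOT carry the
# requester's PKINIT SAN (-P foo@$R) and MUST carry the requested SAN
# (-D: dNSName, -M: rfc822Name); anything else is a broken certificate.
echo "Fetching a server certificate with one dNSName SAN"
csr_grant dnsname "$server" "foo@${R}"
if (set -vx; get_cert "&dNSName=$server" -sf -o "${objdir}/server.pem"); then
    $hxtool print --content "FILE:${objdir}/server.pem"
    if (set -vx; $hxtool acert --expr="%{certificate.subject} == \"\"" \
            --end-entity -P "foo@${R}" \
            "FILE:${objdir}/server.pem"); then
        echo 'Got a broken server certificate (has PKINIT SAN)'
        exit 1
    elif $hxtool acert --end-entity -D "$server" "FILE:${objdir}/server.pem"; then
        echo 'Successfully obtained a server certificate!'
    else
        echo 'Got a broken server certificate'
        exit 1
    fi
else
    echo 'Failed to get a server certificate!'
    exit 1
fi

echo "Fetching a server certificate with two dNSName SANs"
csr_grant dnsname "second-$server" "foo@${R}"
if (set -vx;
    get_cert "&dNSName=${server}&dNSName=second-$server" -sf \
        -o "${objdir}/server2.pem"); then
    $hxtool print --content "FILE:${objdir}/server2.pem"
    if $hxtool acert --expr="%{certificate.subject} == \"\"" \
            --end-entity -P "foo@${R}" \
            "FILE:${objdir}/server2.pem"; then
        echo 'Got a broken server certificate (has PKINIT SAN)'
        exit 1
    elif $hxtool acert --end-entity -D "$server" \
            -D "second-$server" \
            "FILE:${objdir}/server2.pem"; then
        echo 'Successfully obtained a server certificate with two dNSName SANs!'
    else
        echo 'Got a broken server certificate (wanted two dNSName SANs)'
        exit 1
    fi
else
    echo 'Failed to get a server certificate with two dNSName SANs!'
    exit 1
fi

echo "Fetching an email certificate"
csr_grant email foo@bar.example "foo@${R}"
if (set -vx; get_cert "&rfc822Name=foo@bar.example" -sf -o "${objdir}/email.pem"); then
    $hxtool print --content "FILE:${objdir}/email.pem"
    if $hxtool acert --end-entity -P "foo@${R}" "FILE:${objdir}/email.pem"; then
        echo 'Got a broken email certificate (has PKINIT SAN)'
        exit 1
    elif $hxtool acert --expr="%{certificate.subject} == \"\"" \
            --end-entity -M foo@bar.example \
            "FILE:${objdir}/email.pem"; then
        echo 'Successfully obtained a email certificate!'
    else
        echo 'Got a broken email certificate'
        exit 1
    fi
else
    echo 'Failed to get an email certificate!'
    exit 1
fi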
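# Need to start a KDC to test this.
# Replace the kimpersonate-era material: HTTP/ service keys from the KDC
# database for bx509d's keytab, and a keytab for foo@$R to kinit with.
rm -f -- "$kt" "$ukt"
${kdestroy}
${kadmin} add -r --use-defaults "HTTP/${server}@${R}" || exit 1
${kadmin} ext_keytab -r -k "$keytab" "HTTP/${server}@${R}" || exit 1
${kadmin} add -r --use-defaults "HTTP/${otherserver}@${R}" || exit 1
${kadmin} ext_keytab -r -k "$ukeytab" "foo@${R}" || exit 1

echo "Starting kdc"
${kdc} --detach --testing || { echo "kdc failed to start"; exit 1; }
kdcpid=$(getpid kdc)
# Re-arm the EXIT trap so an abnormal exit now kills both daemons.
trap "kill -9 ${kdcpid} ${bx509pid}; echo signal killing kdc and bx509d; exit 1;" EXIT

${kinit} -kt "$ukeytab" "foo@${R}" || exit 1
$klist || { echo "failed to setup kimpersonate credentials"; exit 2; }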
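echo "Fetch TGT"
# Grant foo@$R the "pkinit" CSR feature for itself, then ask /get-tgt for a
# TGT.  The response body is a credential cache, written straight to
# $cachefile2.  (NOTE(review): curl -o creates that file with the process
# umask; acceptable for a test fixture.)
(set -vx; csr_grant pkinit "foo@${R}" "foo@${R}")
token=$(KRB5CCNAME="$cache" $gsstoken "HTTP@$server")
if ! (set -vx;
      curl -o "${cachefile2}" -Lgsf \
          --resolve "${server}:${bx509port}:127.0.0.1" \
          -H "Authorization: Negotiate $token" \
          "http://${server}:${bx509port}/get-tgt"); then
    echo "Failed to get a TGT with /get-tgt end-point"
    exit 2
fi
# A 2xx status alone proves little: the body must be a cache klist can read.
$klist2 || { echo "/get-tgt returned an unusable credential cache"; exit 2; }

echo "Fetch TGT (inception)"
# Use the TGT just fetched (cache2) to make a Negotiate token, and fetch
# another TGT with it, this time back into the original cache.
${kdestroy}
token=$(KRB5CCNAME="$cache2" $gsstoken "HTTP@$server")
if ! (set -vx;
      curl -o "${cachefile}" -Lgsf \
          --resolve "${server}:${bx509port}:127.0.0.1" \
          -H "Authorization: Negotiate $token" \
          "http://${server}:${bx509port}/get-tgt"); then
    echo "Failed to get a TGT with /get-tgt end-point"
    exit 2
fi
$klist || { echo "/get-tgt (inception) returned an unusable credential cache"; exit 2; }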
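echo "Fetch negotiate token (pre-test)"
# Do what /bnegotiate does, roughly, prior to testing /bnegotiate: have the
# offline CA issue foo@$R a client certificate, kinit with it (PKINIT), and
# check that a Negotiate token made from the resulting credentials is
# accepted against the HTTP/ keytab.
$hxtool request-create --subject='' --generate-key=rsa --key-bits=1024 \
    --key=PEM-FILE:"${objdir}/k.pem" "${objdir}/req" ||
    { echo "Failed to make a CSR"; exit 2; }
$test_kdc_ca -a bx509 -A "foo@${R}" "PKCS10:${objdir}/req" \
    "PEM-FILE:${objdir}/pkinit-test.pem" ||
    { echo "Trivial offline CA test failed (CA)"; exit 2; }
# Append the private key so the one PEM file holds both cert and key for
# kinit -C.
cat "${objdir}/k.pem" >> "${objdir}/pkinit-test.pem"
${kinit} -C "PEM-FILE:${objdir}/pkinit-test.pem" "foo@${R}" ||
    { echo "Trivial offline CA test failed (PKINIT)"; exit 2; }
#${kgetcred} -H HTTP/${server}@${R} ||
#    { echo "Trivial offline CA test failed (TGS)"; exit 2; }
# Only the acceptor's (gss-token -r) status is checked here: POSIX sh has no
# pipefail, so a failing initiator only shows up as an empty/rejected token.
KRB5CCNAME="$cache" $gsstoken "HTTP@$server" | KRB5_KTNAME="$keytab" $gsstoken -r ||
    { echo "Trivial offline CA test failed (gss-token)"; exit 2; }

echo "Fetching a Negotiate token"
token=$(KRB5CCNAME="$cache" $gsstoken "HTTP@$server")
if (set -vx;
    curl -o negotiate-token -Lgsf \
        --resolve "${server}:${bx509port}:127.0.0.1" \
        -H "Authorization: Negotiate $token" \
        "http://${server}:${bx509port}/bnegotiate?target=HTTP%40${server}"); then
    # bx509 sends us a token w/o a newline for now; we add one because
    # gss-token expects it.
    test -s negotiate-token && echo >> negotiate-token
    if test -s negotiate-token && KRB5_KTNAME="$keytab" $gsstoken -Nr < negotiate-token; then
        echo 'Successfully obtained a Negotiate token!'
    else
        echo 'Failed to get a Negotiate token (got an unacceptable token)!'
        exit 1
    fi
else
    echo 'Failed to get a Negotiate token!'
    exit 1
fi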
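# /bnegotiate redirect handling.  The redirect target is URL-escaped with
# rkvis -h (the argument is quoted: "?" would otherwise be a glob).  bx509d
# must refuse a redirect combined with an explicit target, a redirect with
# no Referer, and a redirect for a non-https Referer; the well-formed https
# case must yield a 307.
referer=https://${otherserver}/blah
redirect=$(${rkvis} -h "https://${otherserver}/blah?q=whatever")
if (set -vx;
    curl -o negotiate-token -Lgsf \
        --resolve "${server}:${bx509port}:127.0.0.1" \
        -H "Authorization: Negotiate $token" \
        "http://${server}:${bx509port}/bnegotiate?target=HTTP%40${server}&redirect=${redirect}"); then
    echo "Error: /bnegotiate with target and redirect succeeded"
    exit 1
fi

if (set -vx;
    curl -o negotiate-token -Lgsf \
        --resolve "${server}:${bx509port}:127.0.0.1" \
        -H "Authorization: Negotiate $token" \
        "http://${server}:${bx509port}/bnegotiate?redirect=${redirect}"); then
    echo "Error: /bnegotiate with redirect but no Referer succeeded"
    exit 1
fi

referer=http://${otherserver}/blah
redirect=$(${rkvis} -h "http://${otherserver}/blah?q=whatever")
if (set -vx;
    curl -gsf \
        --resolve "${server}:${bx509port}:127.0.0.1" \
        -H "Authorization: Negotiate $token" \
        -H "Referer: $referer" \
        "http://${server}:${bx509port}/bnegotiate?redirect=${redirect}"); then
    echo "Error: redirect for non-https referer"
    exit 1
fi

referer=https://${otherserver}/blah
redirect=$(${rkvis} -h "https://${otherserver}/blah?q=whatever")
# No -L here: we want the 307 itself, not whatever it points at.  -D dumps
# the response headers; the second word of the first line ("HTTP/1.x 307
# ...") is the status code.  A wrong code is a test failure, not just a
# message.
if (set -vx;
    curl -gfs -D curlheaders \
        --resolve "${server}:${bx509port}:127.0.0.1" \
        -H "Authorization: Negotiate $token" \
        -H "Referer: $referer" \
        "http://${server}:${bx509port}/bnegotiate?redirect=${redirect}"); then
    read -r junk code junk < curlheaders
    if test "$code" = 307; then
        echo "Got a proper redirect"
    else
        echo "Error: unexpected status code $code (wanted 307)"
        exit 1
    fi
else
    echo "Error: no redirect"
    exit 1
fi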
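echo "killing kdc (${kdcpid}) and bx509d (${bx509pid})"
# Orderly shutdown through the leaks_kill helper; a non-zero status from
# either invocation fails the test via $ec.
sh "${leaks_kill}" kdc "$kdcpid" || ec=1
sh "${leaks_kill}" bx509d "$bx509pid" || ec=1

# Disarm the EXIT trap: the daemons are gone, and it would otherwise turn
# this normal exit into a failure.
trap "" EXIT

exit $ec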