search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Windows: Skip policy assembly for now
[heimdal.git] / tests / gss / check-context.in
blob9ada5949c6f8de584d6e1deb0ae6d3ff4bf95ab4
1 #!/bin/sh
2 #
3 # Copyright (c) 2006 - 2008 Kungliga Tekniska Högskolan
4 # (Royal Institute of Technology, Stockholm, Sweden).
5 # All rights reserved.
6 #
7 # Redistribution and use in source and binary forms, with or without
8 # modification, are permitted provided that the following conditions
9 # are met:
10 #
11 # 1. Redistributions of source code must retain the above copyright
12 # notice, this list of conditions and the following disclaimer.
13 #
14 # 2. Redistributions in binary form must reproduce the above copyright
15 # notice, this list of conditions and the following disclaimer in the
16 # documentation and/or other materials provided with the distribution.
17 #
18 # 3. Neither the name of the Institute nor the names of its contributors
19 # may be used to endorse or promote products derived from this software
20 # without specific prior written permission.
21 #
22 # THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
23 # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 # ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
26 # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 # SUCH DAMAGE.
33 #
34 # $Id$
35 #
36
37 srcdir="@srcdir@"
38 objdir="@objdir@"
39
40 # If there is no useful db support compile in, disable test
41 ../db/have-db || exit 77
42
43 R=TEST.H5L.SE
44
45 port=@port@
46
47 keytabfile=${objdir}/server.keytab
48 keytab="FILE:${keytabfile}"
49 nokeytab="FILE:no-such-keytab"
50 cache="FILE:krb5ccfile"
51
52 kinit="${TESTS_ENVIRONMENT} ../../kuser/kinit -c $cache ${afs_no_afslog}"
53 klist="${TESTS_ENVIRONMENT} ../../kuser/klist -c $cache"
54 kgetcred="${TESTS_ENVIRONMENT} ../../kuser/kgetcred -c $cache"
55 kadmin="${TESTS_ENVIRONMENT} ../../kadmin/kadmin -l -r $R"
56 kdc="${TESTS_ENVIRONMENT} ../../kdc/kdc --addresses=localhost -P $port"
57 ktutil="${TESTS_ENVIRONMENT} ../../admin/ktutil"
58
59 context="${TESTS_ENVIRONMENT} ../../lib/gssapi/test_context"
60
61 KRB5_CONFIG="${objdir}/krb5.conf"
62 export KRB5_CONFIG
63
64 KRB5CCNAME=${cache}
65 export KRB5CCNAME
66
67 rm -f ${keytabfile}
68 rm -f current-db*
69 rm -f out-*
70 rm -f mkey.file*
71
72 > messages.log
73
74 echo Creating database
75 ${kadmin} \
76 init \
77 --realm-max-ticket-life=1day \
78 --realm-max-renewable-life=1month \
79 ${R} || exit 1
80
81 # add both lucid and lucid.test.h5l.se to simulate aliases
82 ${kadmin} add -p p1 --use-defaults host/lucid.test.h5l.se@${R} || exit 1
83 ${kadmin} ext -k ${keytab} host/lucid.test.h5l.se@${R} || exit 1
84
85 ${kadmin} add -p p1 --use-defaults host/ok-delegate.test.h5l.se@${R} || exit 1
86 ${kadmin} mod --attributes=+ok-as-delegate host/ok-delegate.test.h5l.se@${R} || exit 1
87 ${kadmin} ext -k ${keytab} host/ok-delegate.test.h5l.se@${R} || exit 1
88
89
90 ${kadmin} add -p p1 --use-defaults host/short@${R} || exit 1
91 ${kadmin} mod --alias=host/long.test.h5l.se@${R} host/short@${R} || exit 1
92 # XXX ext should ext aliases too
93 ${kadmin} ext -k ${keytab} host/short@${R} || exit 1
94 ${ktutil} -k ${keytab} rename --no-delete host/short@${R} host/long.test.h5l.se@${R} || exit 1
95
96 ${kadmin} add -p kaka --use-defaults digest/${R}@${R} || exit 1
97
98 ${kadmin} add -p u1 --use-defaults user1@${R} || exit 1
99
100 # Create a server principal with no AES
101 ${kadmin} add -p p1 --use-defaults host/no-aes.test.h5l.se@${R} || exit 1
102 ${kadmin} get host/no-aes.test.h5l.se@${R} > tempfile || exit 1
103 ${kadmin} del_enctype host/no-aes.test.h5l.se@${R} \
104 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 || exit 1
105 ${kadmin} ext -k ${keytab} host/no-aes.test.h5l.se@${R} || exit 1
106
107 echo "Doing database check"
108 ${kadmin} check ${R} || exit 1
109
110 echo u1 > ${objdir}/foopassword
111
112 echo Starting kdc
113 ${kdc} &
114 kdcpid=$!
115
116 sh ${srcdir}/../kdc/wait-kdc.sh
117 if [ "$?" != 0 ] ; then
118 kill ${kdcpid}
119 exit 1
120 fi
121
122 trap "kill ${kdcpid}; echo signal killing kdc; exit 1;" EXIT
123
124 testfailed="echo test failed; cat messages.log; exit 1"
125
126 echo "Getting client initial tickets" ; > messages.log
127 ${kinit} --password-file=${objdir}/foopassword --forwardable user1@${R} || \
128 { eval "$testfailed"; }
129
130 echo "======test unreadable/non existant keytab and its error message" ; > messages.log
131 ${context} --mech-type=krb5 host@lucid.test.h5l.se || \
132 { eval "$testfailed"; }
133
134 mv ${keytabfile} ${keytabfile}.no
135
136 echo "checking non existant keytabfile (krb5)" ; > messages.log
137 ${context} --mech-type=krb5 host@lucid.test.h5l.se > test_context.log 2>&1 && \
138 { eval "$testfailed"; }
139 grep ${keytabfile} test_context.log > /dev/null || \
140 { echo "string missing failed"; cat test_context.log ; eval "$testfailed"; }
141 echo "checking non existant keytabfile (spengo)" ; > messages.log
142 ${context} --mech-type=spnego host@lucid.test.h5l.se > test_context.log 2>&1 && \
143 { eval "$testfailed"; }
144 grep ${keytabfile} test_context.log > /dev/null || \
145 { echo "string missing failed"; cat test_context.log ; eval "$testfailed"; }
146
147 mv ${keytabfile}.no ${keytabfile}
148
149 echo "======test naming combinations"
150 echo "plain" ; > messages.log
151 ${context} --name-type=hostbased-service host@lucid.test.h5l.se || \
152 { eval "$testfailed"; }
153 echo "plain w/ short-form hostname" ; > messages.log
154 ${context} --name-type=hostbased-service host@lucid || \
155 { eval "$testfailed"; }
156 echo "plain (krb5)" ; > messages.log
157 ${context} --name-type=krb5-principal-name host/lucid.test.h5l.se@${R} || \
158 { eval "$testfailed"; }
159 echo "plain (krb5 realmless)" ; > messages.log
160 ${context} --name-type=krb5-principal-name host/lucid.test.h5l.se || \
161 { eval "$testfailed"; }
162 echo "plain (krb5 realmless short-form should fail)" ; > messages.log
163 ${context} --name-type=krb5-principal-name host/lucid 2>/dev/null && \
164 { eval "$testfailed"; }
165 echo "creating short-form princ"
166 ${kadmin} add -p p1 --use-defaults host/lucid@${R} || exit 1
167 ${kadmin} ext -k ${keytab} host/lucid@${R} || exit 1
168 echo "dns canon on (long name) OFF, need dns_wrapper" ; > messages.log
169 #${context} --dns-canon host@lucid.test.h5l.se || \
170 # { eval "$testfailed"; }
171 echo "dns canon off (long name)" ; > messages.log
172 ${context} --no-dns-canon host@lucid.test.h5l.se || \
173 { eval "$testfailed"; }
174 echo "dns canon off (short name)" ; > messages.log
175 ${context} --no-dns-canon host@lucid || \
176 { eval "$testfailed"; }
177 echo "dns canon off (short name, krb5)" ; > messages.log
178 ${context} --no-dns-canon --name-type=krb5-principal-name host/lucid@${R} || \
179 { eval "$testfailed"; }
180 echo "dns canon off (short name, krb5)" ; > messages.log
181 ${context} --no-dns-canon --name-type=krb5-principal-name host/lucid || \
182 { eval "$testfailed"; }
183
184 echo "======test context building"
185 for mech in krb5 krb5iov spnego spnegoiov; do
186 if [ "$mech" = "krb5iov" ] ; then
187 mech="krb5"
188 iov="--iov"
189 fi
190 if [ "$mech" = "spnegoiov" ] ; then
191 mech="spnego"
192 iov="--iov"
193 fi
194
195 echo "${mech} no-mutual ${iov}" ; > messages.log
196 ${context} --mech-type=${mech} \
197 --wrapunwrap ${iov} \
198 --name-type=hostbased-service host@lucid.test.h5l.se || \
199 { eval "$testfailed"; }
200
201 echo "${mech} mutual ${iov}" ; > messages.log
202 ${context} --mech-type=${mech} \
203 --mutual \
204 --wrapunwrap ${iov} \
205 --name-type=hostbased-service host@lucid.test.h5l.se || \
206 { eval "$testfailed"; }
207
208 echo "${mech} delegate ${iov}" ; > messages.log
209 ${context} --mech-type=${mech} \
210 --delegate \
211 --wrapunwrap ${iov} \
212 --name-type=hostbased-service host@lucid.test.h5l.se || \
213 { eval "$testfailed"; }
214
215 echo "${mech} mutual delegate ${iov}" ; > messages.log
216 ${context} --mech-type=${mech} \
217 --mutual --delegate \
218 --wrapunwrap ${iov} \
219 --name-type=hostbased-service host@lucid.test.h5l.se || \
220 { eval "$testfailed"; }
221 done
222
223 echo "======dce-style"
224 for mech in krb5 krb5iov spnego; do
225 iov=""
226 if [ "$mech" = "krb5iov" ] ; then
227 mech="krb5"
228 iov="--iov"
229 fi
230 if [ "$mech" = "spnegoiov" ] ; then
231 mech="spnego"
232 iov="--iov"
233 fi
234
235 echo "${mech}: dce-style ${iov}" ; > messages.log
236 ${context} \
237 --mech-type=${mech} \
238 --mutual \
239 --dce-style \
240 --wrapunwrap ${iov} \
241 --name-type=hostbased-service host@lucid.test.h5l.se || \
242 { eval "$testfailed"; }
243
244 done
245
246 echo "test gsskrb5_register_acceptor_identity (both positive and negative)"
247
248 cp ${keytabfile} ${keytabfile}.new
249 for mech in krb5 spnego; do
250 echo "${mech}: acceptor_identity positive" ; > messages.log
251 ${context} --gsskrb5-acceptor-identity=${keytabfile}.new \
252 --mech-type=$mech host@lucid.test.h5l.se || \
253 { eval "$testfailed"; }
254
255 echo "${mech}: acceptor_identity positive (prefix)" ; > messages.log
256 ${context} --gsskrb5-acceptor-identity=FILE:${keytabfile}.new \
257 --mech-type=$mech host@lucid.test.h5l.se || \
258 { eval "$testfailed"; }
259
260 echo "${mech}: acceptor_identity negative" ; > messages.log
261 ${context} --gsskrb5-acceptor-identity=${keytabfile}.foo \
262 --mech-type=$mech host@lucid.test.h5l.se 2>/dev/null && \
263 { eval "$testfailed"; }
264 done
265
266 rm ${keytabfile}.new
267
268
269 #echo "sasl-digest-md5"
270 #${context} --mech-type=sasl-digest-md5 \
271 # --name-type=hostbased-service \
272 # host@lucid.test.h5l.se || \
273 # { eval "$testfailed"; }
274
275
276 echo "====== gss-api session key check"
277
278 # this will break when oneone invents a cooler enctype then aes256-cts-hmac-sha1-96
279 coolenctype="aes256-cts-hmac-sha1-96"
280 limit_enctype="des3-cbc-sha1"
281
282 echo "Getting client initial tickets" ; > messages.log
283 ${kinit} --password-file=${objdir}/foopassword user1@${R} || \
284 { eval "$testfailed"; }
285
286
287 echo "Building context on cred w/o aes, but still ${coolenctype} session key" ; > messages.log
288 ${context} \
289 --mech-type=krb5 \
290 --mutual-auth \
291 --session-enctype=${coolenctype} \
292 --name-type=hostbased-service host@no-aes.test.h5l.se || \
293 { eval "$testfailed"; }
294
295 echo "Building context on cred, check if its limited still" ; > messages.log
296 ${context} \
297 --mech-type=krb5 \
298 --client-name=user1@${R} \
299 --limit-enctype="${limit_enctype}" \
300 --mutual-auth \
301 --name-type=hostbased-service host@no-aes.test.h5l.se || \
302 { eval "$testfailed"; }
303
304
305 echo "====== ok-as-delegate"
306
307 echo "Getting client initial tickets" ; > messages.log
308 ${kinit} --forwardable \
309 --password-file=${objdir}/foopassword user1@${R} || \
310 { eval "$testfailed"; }
311
312 echo "ok-as-delegate not used" ; > messages.log
313 ${context} \
314 --mech-type=krb5 \
315 --delegate \
316 --name-type=hostbased-service host@lucid.test.h5l.se || \
317 { eval "$testfailed"; }
318
319 echo "host without ok-as-delegate with policy-delegate" ; > messages.log
320 ${context} \
321 --mech-type=krb5 \
322 --policy-delegate \
323 --server-no-delegate \
324 --name-type=hostbased-service host@lucid.test.h5l.se || \
325 { eval "$testfailed"; }
326
327 echo "ok-as-delegate used by policy" ; > messages.log
328 ${context} \
329 --mech-type=krb5 \
330 --policy-delegate \
331 --name-type=hostbased-service host@ok-delegate.test.h5l.se || \
332 { eval "$testfailed"; }
333
334 echo "Getting client initial tickets with --ok-as-delgate" ; > messages.log
335 ${kinit} --ok-as-delegate --forwardable \
336 --password-file=${objdir}/foopassword user1@${R} || \
337 { eval "$testfailed"; }
338
339 echo "policy delegate to non delegate host" ; > messages.log
340 ${context} \
341 --mech-type=krb5 \
342 --policy-delegate \
343 --server-no-delegate \
344 --name-type=hostbased-service host@lucid.test.h5l.se || \
345 { eval "$testfailed"; }
346
347 echo "ok-as-delegate" ; > messages.log
348 ${context} \
349 --mech-type=krb5 \
350 --delegate \
351 --name-type=hostbased-service host@lucid.test.h5l.se || \
352 { eval "$testfailed"; }
353
354 echo "======export/import cred"
355
356 echo "export-import cred (krb5)" ; > messages.log
357 ${context} \
358 --mech-type=krb5 \
359 --delegate \
360 --export-import-cred \
361 --name-type=hostbased-service host@ok-delegate.test.h5l.se || \
362 { eval "$testfailed"; }
363
364 echo "export-import cred (spnego)" ; > messages.log
365 ${context} \
366 --mech-type=spnego \
367 --delegate \
368 --export-import-cred \
369 --name-type=hostbased-service host@ok-delegate.test.h5l.se || \
370 { eval "$testfailed"; }
371
372
373 echo "======time diffs between client and server"
374
375 echo "Getting client initial ticket" ; > messages.log
376 ${kinit} --password-file=${objdir}/foopassword user1@${R} || \
377 { eval "$testfailed"; }
378
379 echo "No time offset" ; > messages.log
380 ${context} \
381 --mech-type=krb5 \
382 --name-type=hostbased-service host@lucid.test.h5l.se || \
383 { eval "$testfailed"; }
384
385 echo "Getting client initial ticket" ; > messages.log
386 ${kinit} --password-file=${objdir}/foopassword user1@${R} || \
387 { eval "$testfailed"; }
388
389 echo "Server time offset" ; > messages.log
390 ${context} \
391 --mech-type=krb5 \
392 --mutual-auth \
393 --server-time-offset=3600 \
394 --max-loops=3 \
395 --name-type=hostbased-service host@lucid.test.h5l.se || \
396 { eval "$testfailed"; }
397
398 echo "Server time offset (cached ?)" ; > messages.log
399 ${context} \
400 --mech-type=krb5 \
401 --mutual-auth \
402 --server-time-offset=3600 \
403 --max-loops=2 \
404 --name-type=hostbased-service host@lucid.test.h5l.se || \
405 { eval "$testfailed"; }
406
407 echo "Getting client initial ticket" ; > messages.log
408 ${kinit} --password-file=${objdir}/foopassword user1@${R} || \
409 { eval "$testfailed"; }
410 # Pre-poplute the cache since tgs-req will fail since our time is wrong
411 ${kgetcred} host/lucid.test.h5l.se@${R} || \
412 { eval "$testfailed"; }
413
414 echo "Client time offset" ; > messages.log
415 ${context} \
416 --mech-type=krb5 \
417 --mutual-auth \
418 --client-time-offset=3600 \
419 --name-type=hostbased-service host@lucid.test.h5l.se || \
420 { eval "$testfailed"; }
421
422 echo "Getting client initial tickets (use-referrals)" ; > messages.log
423 ${kinit} \
424 --password-file=${objdir}/foopassword \
425 --use-referrals user1@${R} || \
426 { eval "$testfailed"; }
427
428 # XXX these tests really need to use somethat that resolve to something
429 ${context} \
430 --mech-type=krb5 \
431 host@short || \
432 { eval "$testfailed"; }
433
434 ${context} \
435 --mech-type=krb5 \
436 --name-type=krb5-principal-name host/short || \
437 { eval "$testfailed"; }
438
439 ${context} \
440 --mech-type=krb5 \
441 host@long.test.h5l.se || \
442 { eval "$testfailed"; }
443
444 ${context} \
445 --mech-type=krb5 \
446 --name-type=krb5-principal-name \
447 host/long.test.h5l.se || \
448 { eval "$testfailed"; }
449
450 trap "" EXIT
451
452 echo "killing kdc (${kdcpid})"
453 kill ${kdcpid} 2> /dev/null
454
455 exit 0
456
Heimdal