3 # Copyright (c) 2006 - 2008 Kungliga Tekniska Högskolan
4 # (Royal Institute of Technology, Stockholm, Sweden).
7 # Redistribution and use in source and binary forms, with or without
8 # modification, are permitted provided that the following conditions
11 # 1. Redistributions of source code must retain the above copyright
12 # notice, this list of conditions and the following disclaimer.
14 # 2. Redistributions in binary form must reproduce the above copyright
15 # notice, this list of conditions and the following disclaimer in the
16 # documentation and/or other materials provided with the distribution.
18 # 3. Neither the name of the Institute nor the names of its contributors
19 # may be used to endorse or promote products derived from this software
20 # without specific prior written permission.
22 # THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
23 # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 # ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
26 # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
40 # If there is no useful db support compile in, disable test
41 ..
/db
/have-db ||
exit 77
47 keytabfile
=${objdir}/server.keytab
48 keytab
="FILE:${keytabfile}"
49 nokeytab
="FILE:no-such-keytab"
50 cache
="FILE:krb5ccfile"
52 kinit
="${TESTS_ENVIRONMENT} ../../kuser/kinit -c $cache --no-afslog"
53 klist
="${TESTS_ENVIRONMENT} ../../kuser/klist -c $cache"
54 kgetcred
="${TESTS_ENVIRONMENT} ../../kuser/kgetcred -c $cache"
55 kadmin
="${TESTS_ENVIRONMENT} ../../kadmin/kadmin -l -r $R"
56 kdc
="${TESTS_ENVIRONMENT} ../../kdc/kdc --addresses=localhost -P $port"
57 ktutil
="${TESTS_ENVIRONMENT} ../../admin/ktutil"
59 context
="${TESTS_ENVIRONMENT} ../../lib/gssapi/test_context"
61 KRB5_CONFIG
="${objdir}/krb5.conf"
74 echo Creating database
77 --realm-max-ticket-life=1day \
78 --realm-max-renewable-life=1month \
81 # add both lucid and lucid.test.h5l.se to simulate aliases
82 ${kadmin} add
-p p1
--use-defaults host
/lucid.
test.h5l.se@
${R} ||
exit 1
83 ${kadmin} ext -k ${keytab} host/lucid.test.h5l.se@${R} ||
exit 1
84 ${kadmin} add
-p p1
--use-defaults host
/lucid@
${R} ||
exit 1
85 ${kadmin} ext -k ${keytab} host/lucid@${R} ||
exit 1
87 ${kadmin} add
-p p1
--use-defaults host
/ok-delegate.
test.h5l.se@
${R} ||
exit 1
88 ${kadmin} mod
--attributes=+ok-as-delegate host
/ok-delegate.
test.h5l.se@
${R} ||
exit 1
89 ${kadmin} ext -k ${keytab} host/ok-delegate.test.h5l.se@${R} ||
exit 1
92 ${kadmin} add
-p p1
--use-defaults host
/short@
${R} ||
exit 1
93 ${kadmin} mod --alias=host/long.test.h5l.se@${R} host/short@${R} ||
exit 1
94 # XXX ext should ext aliases too
95 ${kadmin} ext -k ${keytab} host/short@${R} ||
exit 1
96 ${ktutil} -k ${keytab} rename --no-delete host/short@${R} host/long.test.h5l.se@${R} ||
exit 1
98 ${kadmin} add -p kaka --use-defaults digest/${R}@${R} ||
exit 1
100 ${kadmin} add
-p u1
--use-defaults user1@
${R} ||
exit 1
102 # Create a server principal with no AES
103 ${kadmin} add
-p p1
--use-defaults host
/no-aes.
test.h5l.se@
${R} ||
exit 1
104 ${kadmin} get host
/no-aes.
test.h5l.se@
${R} > tempfile ||
exit 1
105 ${kadmin} del_enctype host
/no-aes.
test.h5l.se@
${R} \
106 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 ||
exit 1
107 ${kadmin} ext -k ${keytab} host/no-aes.test.h5l.se@${R} ||
exit 1
109 echo "Doing database check"
110 ${kadmin} check
${R} ||
exit 1
112 echo u1
> ${objdir}/foopassword
118 sh
${srcdir}/..
/kdc
/wait-kdc.sh
119 if [ "$?" != 0 ] ; then
124 trap "kill ${kdcpid}; echo signal killing kdc; exit 1;" EXIT
128 echo "Getting client initial tickets"
129 ${kinit} --password-file=${objdir}/foopassword --forwardable user1@${R} || exitcode
=1
131 echo "======test unreadable/non existant keytab and its error message"
132 ${context} --mech-type=krb5
host@lucid.
test.h5l.se || \
133 { exitcode
=1 ; echo "test failed"; }
135 mv ${keytabfile} ${keytabfile}.no
137 echo "checking non existant keytabfile (krb5)"
138 ${context} --mech-type=krb5
host@lucid.
test.h5l.se
> test_context.log
2>&1 && \
139 { exitcode
=1 ; echo "test failed"; }
140 grep ${keytabfile} test_context.log
> /dev
/null || \
141 { exitcode
=1 ; echo "string missing failed"; }
142 echo "checking non existant keytabfile (spengo)"
143 ${context} --mech-type=spnego
host@lucid.
test.h5l.se
> test_context.log
2>&1 && \
144 { exitcode
=1 ; echo "test failed"; }
145 grep ${keytabfile} test_context.log
> /dev
/null || \
146 { exitcode
=1 ; echo "string missing failed"; }
148 mv ${keytabfile}.no
${keytabfile}
150 echo "======test naming combinations"
152 ${context} --name-type=hostbased-service
host@lucid.
test.h5l.se || \
153 { exitcode
=1 ; echo "test failed"; }
155 ${context} --name-type=krb5-principal-name host
/lucid.
test.h5l.se@
${R} || \
156 { exitcode
=1 ; echo "test failed"; }
157 echo "plain (krb5 realmless)"
158 ${context} --name-type=krb5-principal-name host
/lucid.
test.h5l.se || \
159 { exitcode
=1 ; echo "test failed"; }
160 echo "dns canon on (long name) OFF, need dns_wrapper"
161 #${context} --dns-canon host@lucid.test.h5l.se || \
162 # { exitcode=1 ; echo "test failed"; }
163 echo "dns canon off (long name)"
164 ${context} --no-dns-canon host@lucid.
test.h5l.se || \
165 { exitcode
=1 ; echo "test failed"; }
166 echo "dns canon off (short name)"
167 ${context} --no-dns-canon host@lucid || \
168 { exitcode
=1 ; echo "test failed"; }
169 echo "dns canon off (short name, krb5)"
170 ${context} --no-dns-canon --name-type=krb5-principal-name host
/lucid@
${R} || \
171 { exitcode
=1 ; echo "test failed"; }
172 echo "dns canon off (short name, krb5)"
173 ${context} --no-dns-canon --name-type=krb5-principal-name host
/lucid || \
174 { exitcode
=1 ; echo "test failed"; }
176 echo "======test context building"
177 for mech
in krb5 spnego
; do
179 if [ "$mech" == "krb5" ] ; then
183 echo "${mech} no-mutual"
184 ${context} --mech-type=${mech} \
185 --wrapunwrap ${iov} \
186 --name-type=hostbased-service
host@lucid.
test.h5l.se || \
187 { exitcode
=1 ; echo "test failed"; }
189 echo "${mech} mutual"
190 ${context} --mech-type=${mech} \
192 --wrapunwrap ${iov} \
193 --name-type=hostbased-service
host@lucid.
test.h5l.se || \
194 { exitcode
=1 ; echo "test failed"; }
196 echo "${mech} delegate"
197 ${context} --mech-type=${mech} \
199 --wrapunwrap ${iov} \
200 --name-type=hostbased-service
host@lucid.
test.h5l.se || \
201 { exitcode
=1 ; echo "test failed"; }
203 echo "${mech} mutual delegate"
204 ${context} --mech-type=${mech} \
205 --mutual --delegate \
206 --wrapunwrap ${iov} \
207 --name-type=hostbased-service
host@lucid.
test.h5l.se || \
208 { exitcode
=1 ; echo "test failed"; }
212 echo "======dce-style"
213 for mech
in krb5
; do
215 if [ "$mech" == "krb5" ] ; then
219 echo "${mech}: dce-style"
221 --mech-type=${mech} \
224 --wrapunwrap ${iov} \
225 --name-type=hostbased-service
host@lucid.
test.h5l.se || \
226 { exitcode
=1 ; echo "test failed"; }
230 echo "test gsskrb5_register_acceptor_identity (both positive and negative)"
232 cp ${keytabfile} ${keytabfile}.new
233 for mech
in krb5 spnego
; do
234 echo "${mech}: acceptor_identity positive"
235 ${context} --gsskrb5-acceptor-identity=${keytabfile}.new \
236 --mech-type=$mech host@lucid.
test.h5l.se || \
237 { exitcode
=1 ; echo "test failed"; }
239 echo "${mech}: acceptor_identity negative"
240 ${context} --gsskrb5-acceptor-identity=${keytabfile}.foo \
241 --mech-type=$mech host@lucid.
test.h5l.se
2>/dev
/null
&& \
242 { exitcode
=1 ; echo "test failed"; }
248 #echo "sasl-digest-md5"
249 #${context} --mech-type=sasl-digest-md5 \
250 # --name-type=hostbased-service \
251 # host@lucid.test.h5l.se || \
252 # { exitcode=1 ; echo "test failed"; }
255 echo "====== gss-api session key check"
257 # this will break when oneone invents a cooler enctype then aes256-cts-hmac-sha1-96
258 coolenctype
="aes256-cts-hmac-sha1-96"
260 echo "Getting client initial tickets"
261 ${kinit} --password-file=${objdir}/foopassword user1@${R} || \
262 { echo "kinit failed"; exitcode
=1; }
264 echo "Building context on cred w/o aes, but still ${coolenctype} session key"
268 --session-enctype=${coolenctype} \
269 --name-type=hostbased-service
host@no-aes.
test.h5l.se || \
270 { exitcode
=1 ; echo "test failed"; }
272 echo "====== ok-as-delegate"
274 echo "Getting client initial tickets"
275 ${kinit} --forwardable \
276 --password-file=${objdir}/foopassword user1@
${R} || exitcode
=1
278 echo "ok-as-delegate not used"
282 --name-type=hostbased-service
host@lucid.
test.h5l.se || \
283 { exitcode
=1 ; echo "test failed"; }
285 echo "host without ok-as-delegate with policy-delegate"
289 --server-no-delegate \
290 --name-type=hostbased-service
host@lucid.
test.h5l.se || \
291 { exitcode
=1 ; echo "test failed"; }
293 echo "ok-as-delegate used by policy"
297 --name-type=hostbased-service
host@ok-delegate.
test.h5l.se || \
298 { exitcode
=1 ; echo "test failed"; }
300 echo "Getting client initial tickets with --ok-as-delgate"
301 ${kinit} --ok-as-delegate --forwardable \
302 --password-file=${objdir}/foopassword user1@
${R} || exitcode
=1
304 echo "policy delegate to non delegate host"
308 --server-no-delegate \
309 --name-type=hostbased-service
host@lucid.
test.h5l.se || \
310 { exitcode
=1 ; echo "test failed"; }
312 echo "ok-as-delegate"
316 --name-type=hostbased-service
host@lucid.
test.h5l.se || \
317 { exitcode
=1 ; echo "test failed"; }
320 echo "======time diffs between client and server"
322 echo "Getting client initial ticket"
323 ${kinit} --password-file=${objdir}/foopassword user1@${R} || exitcode
=1
325 echo "No time offset"
328 --name-type=hostbased-service
host@lucid.
test.h5l.se || \
329 { exitcode
=1 ; echo "test failed"; }
331 echo "Getting client initial ticket"
332 ${kinit} --password-file=${objdir}/foopassword user1@${R} || exitcode
=1
334 echo "Server time offset"
338 --server-time-offset=3600 \
340 --name-type=hostbased-service
host@lucid.
test.h5l.se || \
341 { exitcode
=1 ; echo "test failed"; }
343 echo "Server time offset (cached ?)"
347 --server-time-offset=3600 \
349 --name-type=hostbased-service
host@lucid.
test.h5l.se || \
350 { exitcode
=1 ; echo "test failed"; }
352 echo "Getting client initial ticket"
353 ${kinit} --password-file=${objdir}/foopassword user1@${R} || exitcode
=1
354 # Pre-poplute the cache since tgs-req will fail since our time is wrong
355 ${kgetcred} host
/lucid.
test.h5l.se@
${R} || exitcode
=1
357 echo "Client time offset"
361 --client-time-offset=3600 \
362 --name-type=hostbased-service
host@lucid.
test.h5l.se || \
363 { exitcode
=1 ; echo "test failed"; }
365 echo "Getting client initial tickets (use-referrals)"
367 --password-file=${objdir}/foopassword \
368 --use-referrals user1@
${R} || exitcode
=1
370 # XXX these tests really need to use somethat that resolve to something
374 { exitcode
=1 ; echo "test failed"; }
378 --name-type=krb5-principal-name host
/short || \
379 { exitcode
=1 ; echo "test failed"; }
383 host@long.
test.h5l.se || \
384 { exitcode
=1 ; echo "test failed"; }
388 --name-type=krb5-principal-name \
389 host
/long.
test.h5l.se || \
390 { exitcode
=1 ; echo "test failed"; }
394 echo "killing kdc (${kdcpid})"
395 kill ${kdcpid} 2> /dev
/null
397 [ "$exitcode" = 0 ] && echo "all ok"