From d172a8bd79f73f3713fe09232d22e4d1c7398615 Mon Sep 17 00:00:00 2001
From: Nicolas Williams
Date: Wed, 23 Mar 2022 12:44:31 -0500
Subject: [PATCH] kdc: More testing of hard aliases
This is an attempt to make sure we test realm migration aliases by doing kinit w/ a hard alias name in a different realm, and that we can get service tickets for services in the same and other realms some of which are hard aliases in one direction, and some in the other.
---
 tests/kdc/check-referral.in | 71 +++++++++++++++++++++++++++++++++------------
 tests/kdc/krb5.conf.in | 3 ++
 2 files changed, 55 insertions(+), 19 deletions(-)
diff --git a/tests/kdc/check-referral.in b/tests/kdc/check-referral.in
index b62c2dc72..49f6a52e4 100644
--- a/tests/kdc/check-referral.in
+++ b/tests/kdc/check-referral.in
@@ -42,11 +42,24 @@ testfailed="echo test failed; cat messages.log; exit 1"
 # If there is no useful db support compiled in, disable test
 ${have_db} || exit 77
+d=test.h5l.se
+d2=xtst.heim.example
 R=TEST.H5L.SE
-R2=SUB.TEST.H5L.SE
-
-service1=ldap/host.test.h5l.se:389
-service2=ldap/host.sub.test.h5l.se:389
+R2=XTST.HEIM.EXAMPLE
+
+# $service1 will be a hard alias of $service2
+service1=ldap/host.${d}:389
+service2=ldap/host.${d2}:389
+# $service3 and $service4 will have soft aliases referrals from each
+# other's realms
+service3=host/foohost.${d}
+service4=host/barhost.${d2}
+# $service5 and $service6 will be hardaliases
+service5=host/thing1.${d}
+service6=host/thing1.${d2}
+# $service7 and $service8 will be hardaliases in the opposite direction
+service7=host/thing2.${d}
+service8=host/thing2.${d2}
 port=@port@
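Review bot: The comments on the `$service5`–`$service8` pairs do not say which name is the real principal or which realm it is created in, so "in the opposite direction" can only be decoded by reading the `kadmin` calls in the next hunk. Going by those calls and their comments, the definitions could be documented as `# $service5 is created in $R; $service6@$R2 will be a hard alias of it` and `# $service7 is created in $R2; $service8@$R will be a hard alias of it`. The same applies to `$service1`/`$service2`, where the principal is `$service2@$R2` and the alias is `$service1@$R`.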
@@ -91,22 +104,31 @@ ${kadmin} \
 ${kadmin} add -r --use-defaults WELLKNOWN/REFERRALS/TARGET@${R} || exit 1
 ${kadmin} add -r --use-defaults WELLKNOWN/REFERRALS/TARGET@${R2} || exit 1
+# User 'foo' gets two aliases in the same realm, and one in the other
 ${kadmin} add -p foo --use-defaults foo@${R} || exit 1
-${kadmin} modify --alias=alias1 --alias=alias2 foo@${R} || exit 1
-${kadmin} add_alias foo@${R} foo@${R2} || exit 1
+${kadmin} add_alias foo@${R} foo@${R2} alias1 alias2 || exit 1
 ${kadmin} get foo@${R} | grep alias1@${R} >/dev/null || exit 1
+${kadmin} get foo@${R} | grep alias2@${R} >/dev/null || exit 1
+${kadmin} get foo@${R} | grep foo@${R2} >/dev/null || exit 1
-${kadmin} add -p foo --use-defaults ${service2}@${R2} || exit 1
-${kadmin} add_alias ${service2}@${R2} ${service1}@${R} || exit 1
+# service1 is an alias of service2, in different realms
+${kadmin} add -p foo --use-defaults ${service2}@${R2} || exit 1
+${kadmin} add_alias ${service2}@${R2} ${service1}@${R} || exit 1
 ${kadmin} get ${service2}@${R2} | grep ${service1}@${R} >/dev/null || exit 1
-# Create two host principals in their respective realms
-${kadmin} add -p foo --use-defaults host/foohost.test.h5l.se@${R} || exit 1
-${kadmin} add -p foo --use-defaults host/barhost.sub.test.h5l.se@${R2} || exit 1
+# service3 and service4 get soft aliases in each other's realms
+${kadmin} add -p foo --use-defaults ${service3}@${R} || exit 1
+${kadmin} add -p foo --use-defaults ${service4}@${R2} || exit 1
+${kadmin} add_alias WELLKNOWN/REFERRALS/TARGET@${R2} ${service4}@${R} || exit 1
+${kadmin} add_alias WELLKNOWN/REFERRALS/TARGET@${R} ${service3}@${R2} || exit 1
+
+# service6 is a hard alias of service5
+${kadmin} add -p foo --use-defaults ${service5}@${R} || exit 1
+${kadmin} add_alias ${service5}@${R} ${service6}@${R2} || exit 1
-# Create soft aliases (referrals) for them in the other realm
-${kadmin} add_alias WELLKNOWN/REFERRALS/TARGET@${R2} host/barhost.sub.test.h5l.se@${R} || exit 1
-${kadmin} add_alias WELLKNOWN/REFERRALS/TARGET@${R} host/foohost.test.h5l.se@${R2} || exit 1
+# service8 is a hard alias of service7, but in the opposite direction
+${kadmin} add -p foo --use-defaults ${service7}@${R2} || exit 1
+${kadmin} add_alias ${service5}@${R} ${service8}@${R} || exit 1
 ${kadmin} add -p foo --use-defaults bar@${R} || exit 1
 ${kadmin} add -p foo --use-defaults 'baz\@realm.foo@'${R} || exit 1
@@ -207,6 +229,7 @@ ${test_ap_req} krbtgt/${R}@${R} ${keytab} ${cache} || \
 { ec=1 ; eval "${testfailed}"; }
 ${kgetcred} ${service2}@${R2} || { ec=1 ; eval "${testfailed}"; }
 ${kgetcred} ${service1}@${R} || { ec=1 ; eval "${testfailed}"; }
+${kdestroy}
 echo "Getting client foo@${R2} tickets (non canon case)"; > messages.log
 ${kinit} --password-file=${objdir}/foopassword foo@${R2} || \
@@ -217,8 +240,18 @@ ${klist} | grep "Principal: foo@${R2}" > /dev/null || \
 echo "checking that we got back right principal inside the PAC"
 ${test_ap_req} krbtgt/${R}@${R} ${keytab} ${cache} || \
 { ec=1 ; eval "${testfailed}"; }
+echo "Getting various service tickets using foo@${R2} client"
 ${kgetcred} ${service2}@${R2} || { ec=1 ; eval "${testfailed}"; }
-${kgetcred} ${service1}@${R} || { ec=1 ; eval "${testfailed}"; }
+${kgetcred} ${service1}@${R} || { ec=1 ; eval "${testfailed}"; }
+${kgetcred} ${service1}@${R2} || { ec=1 ; eval "${testfailed}"; }
+${kgetcred} ${service2}@${R} || { ec=1 ; eval "${testfailed}"; }
+${kgetcred} ${service3}@ || { ec=1 ; eval "${testfailed}"; }
+${kgetcred} ${service4}@ || { ec=1 ; eval "${testfailed}"; }
+${kgetcred} ${service5}@ || { ec=1 ; eval "${testfailed}"; }
+${kgetcred} ${service6}@ || { ec=1 ; eval "${testfailed}"; }
+${kgetcred} ${service7}@ || { ec=1 ; eval "${testfailed}"; }
+${kgetcred} ${service8}@${R} || { ec=1 ; eval "${testfailed}"; }
+${kdestroy}
 echo "Getting client alias2 tickets (removed)"; > messages.log
 ${kadmin} modify --alias=alias1 foo@${R} || { ec=1 ; eval "${testfailed}"; }
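Review bot: In the `-91,22 +104,31` hunk, the last added `add_alias` line attaches `${service8}@${R}` to `${service5}@${R}`, although the comment above it and the `add` just before it set up `${service7}@${R2}` as the principal to be aliased. As written, service8 becomes a second alias of service5 and service7 gets no alias at all. The later `${kgetcred} ${service8}@${R}` can then succeed without the opposite-direction hard alias ever being exercised. If the comment states the intent, the line should read `${kadmin} add_alias ${service7}@${R2} ${service8}@${R} || exit 1`. A `${kadmin} get ${service7}@${R2} | grep ${service8}@${R} >/dev/null || exit 1` check after it, like the one used for service1/service2, would catch this kind of slip.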
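Review bot: In the `-217,8 +240,18` hunk, the added `${kgetcred}` calls for `${service3}` through `${service8}` only assert that some ticket is issued; nothing inspects the service principal and realm in that ticket before `${kdestroy}` clears the cache. For alias and referral handling the returned name is the security-relevant result, and the "tgs kdc referral" block in the last hunk of this file already greps `${klist}` output for that reason. Consider adding one check per pair before `${kdestroy}`, of the form `${klist} | grep "${service5}@${R}" > /dev/null || { ec=1 ; eval "${testfailed}"; }`. The expected name for each hard alias needs confirming against the KDC's canonicalization behaviour. The surrounding test section starts and ends outside this hunk.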
@@ -237,14 +270,14 @@ echo "Getting client for ${service2}@${R} (tgs kdc referral)"
 ${kinit} --password-file=${objdir}/foopassword foo@${R} || \
 { ec=1 ; eval "${testfailed}"; }
 ${kgetcred} --canonicalize ${service2}@${R} || { ec=1 ; eval "${testfailed}"; }
-${kgetcred} host/foohost.test.h5l.se@${R} || { ec=1 ; eval "${testfailed}"; }
-${kgetcred} host/barhost.sub.test.h5l.se@ || { ec=1 ; eval "${testfailed}"; }
+${kgetcred} ${service3}@${R} || { ec=1 ; eval "${testfailed}"; }
+${kgetcred} ${service4}@ || { ec=1 ; eval "${testfailed}"; }
 echo "checking that we got back right principal"
 ${klist} | grep "${service2}@${R2}" > /dev/null || \
 { ec=1 ; eval "${testfailed}"; }
-${klist} | grep "host/barhost.sub.test.h5l.se@TEST.H5L.SE" > /dev/null && \
+${klist} | grep "${service4}@${R}" > /dev/null && \
 { ec=1 ; eval "${testfailed}"; }
-${klist} | grep "host/barhost.sub.test.h5l.se@SUB.TEST.H5L.SE" > /dev/null || \
+${klist} | grep "${service4}@${R2}" > /dev/null || \
 { ec=1 ; eval "${testfailed}"; }
 ${kdestroy}
diff --git a/tests/kdc/krb5.conf.in b/tests/kdc/krb5.conf.in
index a85836d76..5b9d644cd 100644
--- a/tests/kdc/krb5.conf.in
+++ b/tests/kdc/krb5.conf.in
@@ -31,6 +31,9 @@
 TEST4.H5L.SE = {
 kdc = localhost:@port@
 }
+ XTST.HEIM.EXAMPLE = {
+ kdc = localhost:@port@
+ }
 SOME-REALM5.FR = {
 kdc = localhost:@port@
 }
-- 
2.11.4.GIT