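#!/bin/sh
#
# Copyright (c) 2006 - 2008 Kungliga Tekniska Högskolan
# (Royal Institute of Technology, Stockholm, Sweden).
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# 3. Neither the name of the Institute nor the names of its contributors
#    may be used to endorse or promote products derived from this software
#    without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# $Id: check-context.in,v 1.1 2011/04/13 18:16:01 elric Exp $
#
# Exercise GSS-API context establishment with ../../lib/gssapi/test_context
# against a freshly created TEST.H5L.SE realm served by a local KDC:
# missing-keytab error reporting, name forms, krb5/spnego with and
# without IOV, DCE style, gsskrb5_register_acceptor_identity, session-key
# enctype limits, ok-as-delegate policy, export/import of credentials,
# client and server clock offsets, and referrals.
#
# Exit status: 77 (skip) when no database backend is compiled in, 1 on
# the first failing check (messages.log is printed), 0 when every check
# passed.  Optional environment: TESTS_ENVIRONMENT (prefix for every
# tool invocation) and afs_no_afslog (extra kinit argument).
#

srcdir="@srcdir@"
objdir="@objdir@"

# If there is no useful db support compiled in, disable test
../db/have-db || exit 77

R=TEST.H5L.SE

port=@port@

keytabfile="${objdir}/server.keytab"
keytab="FILE:${keytabfile}"
nokeytab="FILE:no-such-keytab"
cache="FILE:krb5ccfile"

# Tool command lines.  They are deliberately expanded unquoted below so
# that ${TESTS_ENVIRONMENT} and the embedded flags word-split into
# separate arguments.
kinit="${TESTS_ENVIRONMENT} ../../kuser/kinit -c $cache ${afs_no_afslog}"
klist="${TESTS_ENVIRONMENT} ../../kuser/klist -c $cache"
kgetcred="${TESTS_ENVIRONMENT} ../../kuser/kgetcred -c $cache"
kadmin="${TESTS_ENVIRONMENT} ../../kadmin/kadmin -l -r $R"
kdc="${TESTS_ENVIRONMENT} ../../kdc/kdc --addresses=localhost -P $port"
ktutil="${TESTS_ENVIRONMENT} ../../admin/ktutil"

context="${TESTS_ENVIRONMENT} ../../lib/gssapi/test_context"

KRB5_CONFIG="${objdir}/krb5.conf"
export KRB5_CONFIG

KRB5CCNAME=${cache}
export KRB5CCNAME

# Print the banner for the next check and start it with an empty
# messages.log, so a failure only shows the log of the check that failed.
testcase() {
    echo "$@"
    > messages.log
}

# Abort on a failed check: print the server log and exit 1.  Once the KDC
# is running the EXIT trap below takes it down on this exit path.
testfailed() {
    echo test failed
    cat messages.log
    exit 1
}

# Map a loop token to the mechanism and IOV flag it stands for:
# "krb5iov" -> mech=krb5 iov=--iov, "spnego" -> mech=spnego iov="".
# iov is reset on every call so that one variant's --iov can never leak
# into the next iteration.
select_mech() {
    iov=""
    case "$1" in
    krb5iov)
        mech="krb5"
        iov="--iov"
        ;;
    spnegoiov)
        mech="spnego"
        iov="--iov"
        ;;
    *)
        mech="$1"
        ;;
    esac
}

rm -f -- "${keytabfile}"
rm -f current-db*
rm -f out-*
rm -f mkey.file*

> messages.log

echo Creating database
${kadmin} \
    init \
    --realm-max-ticket-life=1day \
    --realm-max-renewable-life=1month \
    "${R}" || exit 1

# add both lucid and lucid.test.h5l.se to simulate aliases
${kadmin} add -p p1 --use-defaults "host/lucid.test.h5l.se@${R}" || exit 1
${kadmin} ext -k "${keytab}" "host/lucid.test.h5l.se@${R}" || exit 1
${kadmin} add -p p1 --use-defaults "host/lucid@${R}" || exit 1
${kadmin} ext -k "${keytab}" "host/lucid@${R}" || exit 1

${kadmin} add -p p1 --use-defaults "host/ok-delegate.test.h5l.se@${R}" || exit 1
${kadmin} mod --attributes=+ok-as-delegate "host/ok-delegate.test.h5l.se@${R}" || exit 1
${kadmin} ext -k "${keytab}" "host/ok-delegate.test.h5l.se@${R}" || exit 1


${kadmin} add -p p1 --use-defaults "host/short@${R}" || exit 1
${kadmin} mod --alias="host/long.test.h5l.se@${R}" "host/short@${R}" || exit 1
# XXX ext should ext aliases too
${kadmin} ext -k "${keytab}" "host/short@${R}" || exit 1
${ktutil} -k "${keytab}" rename --no-delete "host/short@${R}" "host/long.test.h5l.se@${R}" || exit 1

${kadmin} add -p kaka --use-defaults "digest/${R}@${R}" || exit 1

${kadmin} add -p u1 --use-defaults "user1@${R}" || exit 1

# Create a server principal with no AES
${kadmin} add -p p1 --use-defaults "host/no-aes.test.h5l.se@${R}" || exit 1
${kadmin} get "host/no-aes.test.h5l.se@${R}" > tempfile || exit 1
${kadmin} del_enctype "host/no-aes.test.h5l.se@${R}" \
    aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 || exit 1
${kadmin} ext -k "${keytab}" "host/no-aes.test.h5l.se@${R}" || exit 1

echo "Doing database check"
${kadmin} check "${R}" || exit 1

echo u1 > "${objdir}/foopassword"

echo Starting kdc
${kdc} &
kdcpid=$!

# No trap is installed yet, so clean up the KDC by hand if it never
# comes up.
if ! sh "${srcdir}/../kdc/wait-kdc.sh"; then
    kill "${kdcpid}"
    exit 1
fi

# kdcpid is expanded now, when the trap is installed.
trap "kill ${kdcpid}; echo signal killing kdc; exit 1;" EXIT

testcase "Getting client initial tickets"
${kinit} --password-file="${objdir}/foopassword" --forwardable "user1@${R}" || \
    testfailed

testcase "======test unreadable/non existant keytab and its error message"
${context} --mech-type=krb5 host@lucid.test.h5l.se || \
    testfailed

mv -- "${keytabfile}" "${keytabfile}.no"

# The error message must name the keytab that could not be opened; the
# path is matched as a fixed string, not as a regular expression.
testcase "checking non existant keytabfile (krb5)"
${context} --mech-type=krb5 host@lucid.test.h5l.se > test_context.log 2>&1 && \
    testfailed
grep -F -- "${keytabfile}" test_context.log > /dev/null || \
    { echo "string missing failed"; cat test_context.log ; testfailed; }
testcase "checking non existant keytabfile (spengo)"
${context} --mech-type=spnego host@lucid.test.h5l.se > test_context.log 2>&1 && \
    testfailed
grep -F -- "${keytabfile}" test_context.log > /dev/null || \
    { echo "string missing failed"; cat test_context.log ; testfailed; }

mv -- "${keytabfile}.no" "${keytabfile}"

echo "======test naming combinations"
testcase "plain"
${context} --name-type=hostbased-service host@lucid.test.h5l.se || \
    testfailed
testcase "plain (krb5)"
${context} --name-type=krb5-principal-name "host/lucid.test.h5l.se@${R}" || \
    testfailed
testcase "plain (krb5 realmless)"
${context} --name-type=krb5-principal-name host/lucid.test.h5l.se || \
    testfailed
testcase "dns canon on (long name) OFF, need dns_wrapper"
#${context} --dns-canon host@lucid.test.h5l.se || \
#    testfailed
testcase "dns canon off (long name)"
${context} --no-dns-canon host@lucid.test.h5l.se || \
    testfailed
testcase "dns canon off (short name)"
${context} --no-dns-canon host@lucid || \
    testfailed
testcase "dns canon off (short name, krb5)"
${context} --no-dns-canon --name-type=krb5-principal-name "host/lucid@${R}" || \
    testfailed
testcase "dns canon off (short name, krb5)"
${context} --no-dns-canon --name-type=krb5-principal-name host/lucid || \
    testfailed

# ${iov} is left unquoted on purpose in the loops below: when it is
# empty it must contribute no argument at all.
echo "======test context building"
for variant in krb5 krb5iov spnego spnegoiov; do
    select_mech "${variant}"

    testcase "${mech} no-mutual ${iov}"
    ${context} --mech-type="${mech}" \
        --wrapunwrap ${iov} \
        --name-type=hostbased-service host@lucid.test.h5l.se || \
        testfailed

    testcase "${mech} mutual ${iov}"
    ${context} --mech-type="${mech}" \
        --mutual \
        --wrapunwrap ${iov} \
        --name-type=hostbased-service host@lucid.test.h5l.se || \
        testfailed

    testcase "${mech} delegate ${iov}"
    ${context} --mech-type="${mech}" \
        --delegate \
        --wrapunwrap ${iov} \
        --name-type=hostbased-service host@lucid.test.h5l.se || \
        testfailed

    testcase "${mech} mutual delegate ${iov}"
    ${context} --mech-type="${mech}" \
        --mutual --delegate \
        --wrapunwrap ${iov} \
        --name-type=hostbased-service host@lucid.test.h5l.se || \
        testfailed
done

echo "======dce-style"
for variant in krb5 krb5iov spnego; do
    select_mech "${variant}"

    testcase "${mech}: dce-style ${iov}"
    ${context} \
        --mech-type="${mech}" \
        --mutual \
        --dce-style \
        --wrapunwrap ${iov} \
        --name-type=hostbased-service host@lucid.test.h5l.se || \
        testfailed

done

echo "test gsskrb5_register_acceptor_identity (both positive and negative)"

cp -- "${keytabfile}" "${keytabfile}.new"
for mech in krb5 spnego; do
    testcase "${mech}: acceptor_identity positive"
    ${context} --gsskrb5-acceptor-identity="${keytabfile}.new" \
        --mech-type="${mech}" host@lucid.test.h5l.se || \
        testfailed

    testcase "${mech}: acceptor_identity positive (prefix)"
    ${context} --gsskrb5-acceptor-identity="FILE:${keytabfile}.new" \
        --mech-type="${mech}" host@lucid.test.h5l.se || \
        testfailed

    # A keytab that does not exist must make context establishment fail.
    testcase "${mech}: acceptor_identity negative"
    ${context} --gsskrb5-acceptor-identity="${keytabfile}.foo" \
        --mech-type="${mech}" host@lucid.test.h5l.se 2>/dev/null && \
        testfailed
done

rm -- "${keytabfile}.new"


#echo "sasl-digest-md5"
#${context}  --mech-type=sasl-digest-md5 \
#    --name-type=hostbased-service \
#    host@lucid.test.h5l.se || \
#    testfailed


echo "====== gss-api session key check"

# this will break when someone invents a cooler enctype than aes256-cts-hmac-sha1-96
coolenctype="aes256-cts-hmac-sha1-96"
limit_enctype="des3-cbc-sha1"

testcase "Getting client initial tickets"
${kinit} --password-file="${objdir}/foopassword" "user1@${R}" || \
    testfailed


testcase "Building context on cred w/o aes, but still ${coolenctype} session key"
${context} \
    --mech-type=krb5 \
    --mutual-auth \
    --session-enctype="${coolenctype}" \
    --name-type=hostbased-service host@no-aes.test.h5l.se || \
    testfailed

testcase "Building context on cred, check if its limited still"
${context} \
    --mech-type=krb5 \
    --client-name="user1@${R}" \
    --limit-enctype="${limit_enctype}" \
    --mutual-auth \
    --name-type=hostbased-service host@no-aes.test.h5l.se || \
    testfailed


echo "====== ok-as-delegate"

testcase "Getting client initial tickets"
${kinit} --forwardable \
    --password-file="${objdir}/foopassword" "user1@${R}" || \
    testfailed

testcase "ok-as-delegate not used"
${context} \
    --mech-type=krb5 \
    --delegate \
    --name-type=hostbased-service host@lucid.test.h5l.se || \
    testfailed

testcase "host without ok-as-delegate with policy-delegate"
${context} \
    --mech-type=krb5 \
    --policy-delegate \
    --server-no-delegate \
    --name-type=hostbased-service host@lucid.test.h5l.se || \
    testfailed

testcase "ok-as-delegate used by policy"
${context} \
    --mech-type=krb5 \
    --policy-delegate \
    --name-type=hostbased-service host@ok-delegate.test.h5l.se || \
    testfailed

testcase "Getting client initial tickets with --ok-as-delgate"
${kinit} --ok-as-delegate  --forwardable \
    --password-file="${objdir}/foopassword" "user1@${R}" || \
    testfailed

testcase "policy delegate to non delegate host"
${context} \
    --mech-type=krb5 \
    --policy-delegate \
    --server-no-delegate \
    --name-type=hostbased-service host@lucid.test.h5l.se || \
    testfailed

testcase "ok-as-delegate"
${context} \
    --mech-type=krb5 \
    --delegate \
    --name-type=hostbased-service host@lucid.test.h5l.se || \
    testfailed

echo "======export/import cred"

testcase "export-import cred (krb5)"
${context} \
    --mech-type=krb5 \
    --delegate \
    --export-import-cred \
    --name-type=hostbased-service host@ok-delegate.test.h5l.se || \
    testfailed

testcase "export-import cred (spnego)"
${context} \
    --mech-type=spnego \
    --delegate \
    --export-import-cred \
    --name-type=hostbased-service host@ok-delegate.test.h5l.se || \
    testfailed


echo "======time diffs between client and server"

testcase "Getting client initial ticket"
${kinit} --password-file="${objdir}/foopassword" "user1@${R}" || \
    testfailed

testcase "No time offset"
${context} \
    --mech-type=krb5 \
    --name-type=hostbased-service host@lucid.test.h5l.se || \
    testfailed

testcase "Getting client initial ticket"
${kinit} --password-file="${objdir}/foopassword" "user1@${R}" || \
    testfailed

testcase "Server time offset"
${context} \
    --mech-type=krb5 \
    --mutual-auth \
    --server-time-offset=3600 \
    --max-loops=3 \
    --name-type=hostbased-service host@lucid.test.h5l.se || \
    testfailed

testcase "Server time offset (cached ?)"
${context} \
    --mech-type=krb5 \
    --mutual-auth \
    --server-time-offset=3600 \
    --max-loops=2 \
    --name-type=hostbased-service host@lucid.test.h5l.se || \
    testfailed

testcase "Getting client initial ticket"
${kinit} --password-file="${objdir}/foopassword" "user1@${R}" || \
    testfailed
# Pre-populate the cache since tgs-req will fail since our time is wrong
${kgetcred} "host/lucid.test.h5l.se@${R}" || \
    testfailed

testcase "Client time offset"
${context} \
    --mech-type=krb5 \
    --mutual-auth \
    --client-time-offset=3600 \
    --name-type=hostbased-service host@lucid.test.h5l.se || \
    testfailed

testcase "Getting client initial tickets (use-referrals)"
${kinit} \
    --password-file="${objdir}/foopassword" \
    --use-referrals "user1@${R}" || \
    testfailed

# XXX these tests really need to use something that resolves to something
${context} \
    --mech-type=krb5 \
    host@short || \
    testfailed

${context} \
    --mech-type=krb5 \
    --name-type=krb5-principal-name host/short || \
    testfailed

${context} \
    --mech-type=krb5 \
    host@long.test.h5l.se || \
    testfailed

${context} \
    --mech-type=krb5 \
    --name-type=krb5-principal-name \
    host/long.test.h5l.se || \
    testfailed

# Normal completion: disarm the failure trap before stopping the KDC.
trap "" EXIT

echo "killing kdc (${kdcpid})"
kill "${kdcpid}" 2> /dev/null

exit 0
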