3 # Copyright (c) 2006 - 2008 Kungliga Tekniska Högskolan
4 # (Royal Institute of Technology, Stockholm, Sweden).
7 # Redistribution and use in source and binary forms, with or without
8 # modification, are permitted provided that the following conditions
11 # 1. Redistributions of source code must retain the above copyright
12 # notice, this list of conditions and the following disclaimer.
14 # 2. Redistributions in binary form must reproduce the above copyright
15 # notice, this list of conditions and the following disclaimer in the
16 # documentation and/or other materials provided with the distribution.
18 # 3. Neither the name of the Institute nor the names of its contributors
19 # may be used to endorse or promote products derived from this software
20 # without specific prior written permission.
22 # THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
23 # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 # ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
26 # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
40 # If there is no useful db support compile in, disable test
41 ../db/have-db || exit 77
47 keytabfile=${objdir}/server.keytab
48 keytab="FILE:${keytabfile}"
49 nokeytab="FILE:no-such-keytab"
50 cache="FILE:krb5ccfile"
52 kinit="${TESTS_ENVIRONMENT} ../../kuser/kinit -c $cache --no-afslog"
53 klist="${TESTS_ENVIRONMENT} ../../kuser/klist -c $cache"
54 kgetcred="${TESTS_ENVIRONMENT} ../../kuser/kgetcred -c $cache"
55 kadmin="${TESTS_ENVIRONMENT} ../../kadmin/kadmin -l -r $R"
56 kdc="${TESTS_ENVIRONMENT} ../../kdc/kdc --addresses=localhost -P $port"
57 ktutil="${TESTS_ENVIRONMENT} ../../admin/ktutil"
59 context="${TESTS_ENVIRONMENT} ../../lib/gssapi/test_context"
61 KRB5_CONFIG="${objdir}/krb5.conf"
74 echo Creating database
77 --realm-max-ticket-life=1day \
78 --realm-max-renewable-life=1month \
81 # add both lucid and lucid.test.h5l.se to simulate aliases
82 ${kadmin} add -p p1 --use-defaults host/lucid.test.h5l.se@${R} || exit 1
83 ${kadmin} ext -k ${keytab} host/lucid.test.h5l.se@${R} || exit 1
84 ${kadmin} add -p p1 --use-defaults host/lucid@${R} || exit 1
85 ${kadmin} ext -k ${keytab} host/lucid@${R} || exit 1
87 ${kadmin} add -p p1 --use-defaults host/ok-delegate.test.h5l.se@${R} || exit 1
88 ${kadmin} mod --attributes=+ok-as-delegate host/ok-delegate.test.h5l.se@${R} || exit 1
89 ${kadmin} ext -k ${keytab} host/ok-delegate.test.h5l.se@${R} || exit 1
92 ${kadmin} add -p p1 --use-defaults host/short@${R} || exit 1
93 ${kadmin} mod --alias=host/long.test.h5l.se@${R} host/short@${R} || exit 1
94 # XXX ext should ext aliases too
95 ${kadmin} ext -k ${keytab} host/short@${R} || exit 1
96 ${ktutil} -k ${keytab} rename --no-delete host/short@${R} host/long.test.h5l.se@${R} || exit 1
98 ${kadmin} add -p kaka --use-defaults digest/${R}@${R} || exit 1
100 ${kadmin} add -p u1 --use-defaults user1@${R} || exit 1
102 # Create a server principal with no AES
103 ${kadmin} add -p p1 --use-defaults host/no-aes.test.h5l.se@${R} || exit 1
104 ${kadmin} get host/no-aes.test.h5l.se@${R} > tempfile || exit 1
105 ${kadmin} del_enctype host/no-aes.test.h5l.se@${R} \
106 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 || exit 1
107 ${kadmin} ext -k ${keytab} host/no-aes.test.h5l.se@${R} || exit 1
109 echo "Doing database check"
110 ${kadmin} check ${R} || exit 1
112 echo u1 > ${objdir}/foopassword
118 sh ${srcdir}/../kdc/wait-kdc.sh
119 if [ "$?" != 0 ] ; then
124 trap "kill ${kdcpid}; echo signal killing kdc; exit 1;" EXIT
128 echo "Getting client initial tickets"
129 ${kinit} --password-file=${objdir}/foopassword --forwardable user1@${R} || exitcode=1
131 echo "======test unreadable/non existant keytab and its error message"
132 ${context} --mech-type=krb5 host@lucid.test.h5l.se || \
133 { exitcode=1 ; echo "test failed"; }
135 mv ${keytabfile} ${keytabfile}.no
137 echo "checking non existant keytabfile (krb5)"
138 ${context} --mech-type=krb5 host@lucid.test.h5l.se > test_context.log 2>&1 && \
139 { exitcode=1 ; echo "test failed"; }
140 grep ${keytabfile} test_context.log > /dev/null || \
141 { exitcode=1 ; echo "string missing failed"; }
142 echo "checking non existant keytabfile (spengo)"
143 ${context} --mech-type=spnego host@lucid.test.h5l.se > test_context.log 2>&1 && \
144 { exitcode=1 ; echo "test failed"; }
145 grep ${keytabfile} test_context.log > /dev/null || \
146 { exitcode=1 ; echo "string missing failed"; }
148 mv ${keytabfile}.no ${keytabfile}
150 echo "======test naming combinations"
152 ${context} --name-type=hostbased-service host@lucid.test.h5l.se || \
153 { exitcode=1 ; echo "test failed"; }
155 ${context} --name-type=krb5-principal-name host/lucid.test.h5l.se@${R} || \
156 { exitcode=1 ; echo "test failed"; }
157 echo "plain (krb5 realmless)"
158 ${context} --name-type=krb5-principal-name host/lucid.test.h5l.se || \
159 { exitcode=1 ; echo "test failed"; }
160 echo "dns canon on (long name) OFF, need dns_wrapper"
161 #${context} --dns-canon host@lucid.test.h5l.se || \
162 # { exitcode=1 ; echo "test failed"; }
163 echo "dns canon off (long name)"
164 ${context} --no-dns-canon host@lucid.test.h5l.se || \
165 { exitcode=1 ; echo "test failed"; }
166 echo "dns canon off (short name)"
167 ${context} --no-dns-canon host@lucid || \
168 { exitcode=1 ; echo "test failed"; }
169 echo "dns canon off (short name, krb5)"
170 ${context} --no-dns-canon --name-type=krb5-principal-name host/lucid@${R} || \
171 { exitcode=1 ; echo "test failed"; }
172 echo "dns canon off (short name, krb5)"
173 ${context} --no-dns-canon --name-type=krb5-principal-name host/lucid || \
174 { exitcode=1 ; echo "test failed"; }
176 echo "======test context building"
177 for mech in krb5 spnego ; do
178 echo "${mech} no-mutual"
179 ${context} --mech-type=${mech} \
180 --name-type=hostbased-service host@lucid.test.h5l.se || \
181 { exitcode=1 ; echo "test failed"; }
183 echo "${mech} mutual"
184 ${context} --mech-type=${mech} \
186 --name-type=hostbased-service host@lucid.test.h5l.se || \
187 { exitcode=1 ; echo "test failed"; }
189 echo "${mech} delegate"
190 ${context} --mech-type=${mech} \
192 --name-type=hostbased-service host@lucid.test.h5l.se || \
193 { exitcode=1 ; echo "test failed"; }
195 echo "${mech} mutual delegate"
196 ${context} --mech-type=${mech} \
197 --mutual --delegate \
198 --name-type=hostbased-service host@lucid.test.h5l.se || \
199 { exitcode=1 ; echo "test failed"; }
203 echo "======dce-style"
204 for mech in krb5 ; do
206 echo "${mech}: dce-style"
208 --mech-type=${mech} \
211 --name-type=hostbased-service host@lucid.test.h5l.se || \
212 { exitcode=1 ; echo "test failed"; }
216 echo "test gsskrb5_register_acceptor_identity (both positive and negative)"
218 cp ${keytabfile} ${keytabfile}.new
219 for mech in krb5 spnego; do
220 echo "${mech}: acceptor_identity positive"
221 ${context} --gsskrb5-acceptor-identity=${keytabfile}.new \
222 --mech-type=$mech host@lucid.test.h5l.se || \
223 { exitcode=1 ; echo "test failed"; }
225 echo "${mech}: acceptor_identity negative"
226 ${context} --gsskrb5-acceptor-identity=${keytabfile}.foo \
227 --mech-type=$mech host@lucid.test.h5l.se 2>/dev/null && \
228 { exitcode=1 ; echo "test failed"; }
234 #echo "sasl-digest-md5"
235 #${context} --mech-type=sasl-digest-md5 \
236 # --name-type=hostbased-service \
237 # host@lucid.test.h5l.se || \
238 # { exitcode=1 ; echo "test failed"; }
241 echo "====== gss-api session key check"
243 # this will break when oneone invents a cooler enctype then aes256-cts-hmac-sha1-96
244 coolenctype="aes256-cts-hmac-sha1-96"
246 echo "Getting client initial tickets"
247 ${kinit} --password-file=${objdir}/foopassword user1@${R} || \
248 { echo "kinit failed"; exitcode=1; }
250 echo "Building context on cred w/o aes, but still ${coolenctype} session key"
254 --session-enctype=${coolenctype} \
255 --name-type=hostbased-service host@no-aes.test.h5l.se || \
256 { exitcode=1 ; echo "test failed"; }
258 echo "====== ok-as-delegate"
260 echo "Getting client initial tickets"
261 ${kinit} --forwardable \
262 --password-file=${objdir}/foopassword user1@${R} || exitcode=1
264 echo "ok-as-delegate not used"
268 --name-type=hostbased-service host@lucid.test.h5l.se || \
269 { exitcode=1 ; echo "test failed"; }
271 echo "host without ok-as-delegate with policy-delegate"
275 --server-no-delegate \
276 --name-type=hostbased-service host@lucid.test.h5l.se || \
277 { exitcode=1 ; echo "test failed"; }
279 echo "ok-as-delegate used by policy"
283 --name-type=hostbased-service host@ok-delegate.test.h5l.se || \
284 { exitcode=1 ; echo "test failed"; }
286 echo "Getting client initial tickets with --ok-as-delgate"
287 ${kinit} --ok-as-delegate --forwardable \
288 --password-file=${objdir}/foopassword user1@${R} || exitcode=1
290 echo "policy delegate to non delegate host"
294 --server-no-delegate \
295 --name-type=hostbased-service host@lucid.test.h5l.se || \
296 { exitcode=1 ; echo "test failed"; }
298 echo "ok-as-delegate"
302 --name-type=hostbased-service host@lucid.test.h5l.se || \
303 { exitcode=1 ; echo "test failed"; }
306 echo "======time diffs between client and server"
308 echo "Getting client initial ticket"
309 ${kinit} --password-file=${objdir}/foopassword user1@${R} || exitcode=1
311 echo "No time offset"
314 --name-type=hostbased-service host@lucid.test.h5l.se || \
315 { exitcode=1 ; echo "test failed"; }
317 echo "Getting client initial ticket"
318 ${kinit} --password-file=${objdir}/foopassword user1@${R} || exitcode=1
320 echo "Server time offset"
324 --server-time-offset=3600 \
326 --name-type=hostbased-service host@lucid.test.h5l.se || \
327 { exitcode=1 ; echo "test failed"; }
329 echo "Server time offset (cached ?)"
333 --server-time-offset=3600 \
335 --name-type=hostbased-service host@lucid.test.h5l.se || \
336 { exitcode=1 ; echo "test failed"; }
338 echo "Getting client initial ticket"
339 ${kinit} --password-file=${objdir}/foopassword user1@${R} || exitcode=1
340 # Pre-poplute the cache since tgs-req will fail since our time is wrong
341 ${kgetcred} host/lucid.test.h5l.se@${R} || exitcode=1
343 echo "Client time offset"
347 --client-time-offset=3600 \
348 --name-type=hostbased-service host@lucid.test.h5l.se || \
349 { exitcode=1 ; echo "test failed"; }
351 echo "Getting client initial tickets (use-referrals)"
353 --password-file=${objdir}/foopassword \
354 --use-referrals user1@${R} || exitcode=1
356 # XXX these tests really need to use somethat that resolve to something
360 { exitcode=1 ; echo "test failed"; }
364 --name-type=krb5-principal-name host/short || \
365 { exitcode=1 ; echo "test failed"; }
369 host@long.test.h5l.se || \
370 { exitcode=1 ; echo "test failed"; }
374 --name-type=krb5-principal-name \
375 host/long.test.h5l.se || \
376 { exitcode=1 ; echo "test failed"; }
380 echo "killing kdc (${kdcpid})"
381 kill ${kdcpid} 2> /dev/null
383 [ "$exitcode" = 0 ] && echo "all ok"