3 # Copyright (c) 2006 - 2008 Kungliga Tekniska Högskolan
4 # (Royal Institute of Technology, Stockholm, Sweden).
7 # Redistribution and use in source and binary forms, with or without
8 # modification, are permitted provided that the following conditions
11 # 1. Redistributions of source code must retain the above copyright
12 # notice, this list of conditions and the following disclaimer.
14 # 2. Redistributions in binary form must reproduce the above copyright
15 # notice, this list of conditions and the following disclaimer in the
16 # documentation and/or other materials provided with the distribution.
18 # 3. Neither the name of the Institute nor the names of its contributors
19 # may be used to endorse or promote products derived from this software
20 # without specific prior written permission.
22 # THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
23 # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 # ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
26 # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
37 env_setup="@env_setup@"
43 # If there is no useful db support compiled in, disable test
44 ../db/have-db || exit 77
50 keytabfile=${objdir}/server.keytab
51 keytab="FILE:${keytabfile}"
52 nokeytab="FILE:no-such-keytab"
53 cache="FILE:krb5ccfile"
55 kinit="${TESTS_ENVIRONMENT} ../../kuser/kinit -c $cache ${afs_no_afslog}"
56 kdestroy="${TESTS_ENVIRONMENT} ../../kuser/kdestroy -c $cache"
57 klist="${TESTS_ENVIRONMENT} ../../kuser/heimtools klist -c $cache"
58 kgetcred="${TESTS_ENVIRONMENT} ../../kuser/kgetcred -c $cache"
59 kadmin="${TESTS_ENVIRONMENT} ../../kadmin/kadmin -l -r $R"
60 kdc="${TESTS_ENVIRONMENT} ../../kdc/kdc --addresses=localhost -P $port"
61 ktutil="${TESTS_ENVIRONMENT} ../../admin/ktutil"
63 context="${TESTS_ENVIRONMENT} ../../lib/gssapi/test_context"
65 KRB5_CONFIG="${objdir}/krb5.conf"
78 echo Creating database
81 --realm-max-ticket-life=1day \
82 --realm-max-renewable-life=1month \
85 # add both lucid and lucid.test.h5l.se to simulate aliases
86 ${kadmin} add -p p1 --use-defaults host/lucid.test.h5l.se@${R} || exit 1
87 ${kadmin} ext -k ${keytab} host/lucid.test.h5l.se@${R} || exit 1
89 ${kadmin} add -p p1 --use-defaults host/ok-delegate.test.h5l.se@${R} || exit 1
90 ${kadmin} mod --attributes=+ok-as-delegate host/ok-delegate.test.h5l.se@${R} || exit 1
91 ${kadmin} ext -k ${keytab} host/ok-delegate.test.h5l.se@${R} || exit 1
94 ${kadmin} add -p p1 --use-defaults host/short@${R} || exit 1
95 ${kadmin} mod --alias=host/long.test.h5l.se@${R} host/short@${R} || exit 1
96 # XXX ext should ext aliases too
97 ${kadmin} ext -k ${keytab} host/short@${R} || exit 1
98 ${ktutil} -k ${keytab} rename --no-delete host/short@${R} host/long.test.h5l.se@${R} || exit 1
100 ${kadmin} add -p kaka --use-defaults digest/${R}@${R} || exit 1
102 ${kadmin} add -p u1 --use-defaults user1@${R} || exit 1
104 # Create a server principal with no AES
105 ${kadmin} add -p p1 --use-defaults host/no-aes.test.h5l.se@${R} || exit 1
106 ${kadmin} get host/no-aes.test.h5l.se@${R} > tempfile || exit 1
107 ${kadmin} del_enctype host/no-aes.test.h5l.se@${R} \
108 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 || exit 1
109 ${kadmin} ext -k ${keytab} host/no-aes.test.h5l.se@${R} || exit 1
111 echo "Doing database check"
112 ${kadmin} check ${R} || exit 1
114 echo u1 > ${objdir}/foopassword
117 ${kdc} --detach --testing || { echo "kdc failed to start"; exit 1; }
120 trap "kill ${kdcpid}; echo signal killing kdc; exit 1;" EXIT
122 testfailed="echo test failed; cat messages.log; exit 1"
124 echo "Test gss_acquire_cred_with_password" ; > messages.log
126 ${context} --client-name=user1@${R} --client-password=u1 --mech-type=krb5 \
127 host@lucid.test.h5l.se || { eval "$testfailed"; }
128 ${klist} && { eval "$testfailed"; }
129 # These must fail (because wrong password)
130 ${context} --client-name=user1@${R} --client-password=u2 --mech-type=krb5 \
131 host@lucid.test.h5l.se && { eval "$testfailed"; }
132 ${klist} && { eval "$testfailed"; }
133 ${context} --client-name=user1@${R} --client-password=u2 --mech-type='' \
134 --mech-types=krb5 host@lucid.test.h5l.se && { eval "$testfailed"; }
135 ${klist} && { eval "$testfailed"; }
136 ${context} --client-name=user1@${R} --client-password=u2 --mech-type=krb5 \
137 --mech-types=krb5 host@lucid.test.h5l.se && { eval "$testfailed"; }
138 ${klist} && { eval "$testfailed"; }
139 ${context} --client-name=user1@${R} --client-password=u2 --mech-type=all \
140 --mech-types=krb5 host@lucid.test.h5l.se && { eval "$testfailed"; }
141 ${klist} && { eval "$testfailed"; }
142 ${context} --client-name=user1@${R} --client-password=u2 \
143 --mech-type=krb5,ntlm --mech-types=krb5 host@lucid.test.h5l.se \
144 && { eval "$testfailed"; }
145 # gss_acquire_cred_with_password() must not have side-effects
146 ${klist} && { eval "$testfailed"; }
148 echo "Getting client initial tickets" ; > messages.log
149 ${kinit} --password-file=${objdir}/foopassword --forwardable user1@${R} || \
150 { eval "$testfailed"; }
152 echo "======test unreadable/non existant keytab and its error message" ; > messages.log
153 ${context} --mech-type=krb5 host@lucid.test.h5l.se || \
154 { eval "$testfailed"; }
156 mv ${keytabfile} ${keytabfile}.no
158 echo "checking non existant keytabfile (krb5)" ; > messages.log
159 ${context} --mech-type=krb5 host@lucid.test.h5l.se > test_context.log 2>&1 && \
160 { eval "$testfailed"; }
161 grep ${keytabfile} test_context.log > /dev/null || \
162 { echo "string missing failed"; cat test_context.log ; eval "$testfailed"; }
163 echo "checking non existant keytabfile (spengo)" ; > messages.log
164 ${context} --mech-type=spnego host@lucid.test.h5l.se > test_context.log 2>&1 && \
165 { eval "$testfailed"; }
166 grep ${keytabfile} test_context.log > /dev/null || \
167 { echo "string missing failed"; cat test_context.log ; eval "$testfailed"; }
169 mv ${keytabfile}.no ${keytabfile}
171 echo "======test naming combinations"
172 echo "plain" ; > messages.log
173 ${context} --name-type=hostbased-service host@lucid.test.h5l.se || \
174 { eval "$testfailed"; }
175 echo "plain w/ short-form hostname" ; > messages.log
176 ${context} --name-type=hostbased-service host@lucid || \
177 { eval "$testfailed"; }
178 echo "plain (krb5)" ; > messages.log
179 ${context} --name-type=krb5-principal-name host/lucid.test.h5l.se@${R} || \
180 { eval "$testfailed"; }
181 echo "plain (krb5 realmless)" ; > messages.log
182 ${context} --name-type=krb5-principal-name host/lucid.test.h5l.se || \
183 { eval "$testfailed"; }
184 echo "plain (krb5 realmless short-form)" ; > messages.log
185 ${context} --name-type=krb5-principal-name host/lucid 2>/dev/null || \
186 { eval "$testfailed"; }
187 echo "creating short-form princ"
188 ${kadmin} add -p p1 --use-defaults host/lucid@${R} || exit 1
189 ${kadmin} ext -k ${keytab} host/lucid@${R} || exit 1
190 echo "dns canon on (long name) OFF, need dns_wrapper" ; > messages.log
191 #${context} --dns-canon host@lucid.test.h5l.se || \
192 # { eval "$testfailed"; }
193 echo "dns canon off (long name)" ; > messages.log
194 ${context} --no-dns-canon host@lucid.test.h5l.se || \
195 { eval "$testfailed"; }
196 echo "dns canon off (short name)" ; > messages.log
197 ${context} --no-dns-canon host@lucid || \
198 { eval "$testfailed"; }
199 echo "dns canon off (short name, krb5)" ; > messages.log
200 ${context} --no-dns-canon --name-type=krb5-principal-name host/lucid@${R} || \
201 { eval "$testfailed"; }
202 echo "dns canon off (short name, krb5)" ; > messages.log
203 ${context} --no-dns-canon --name-type=krb5-principal-name host/lucid || \
204 { eval "$testfailed"; }
206 echo "======test context building"
207 for mech in krb5 krb5iov spnego spnegoiov; do
208 if [ "$mech" = "krb5iov" ] ; then
212 if [ "$mech" = "spnegoiov" ] ; then
217 echo "${mech} no-mutual ${iov}" ; > messages.log
218 ${context} --mech-type=${mech} \
219 --wrapunwrap ${iov} \
220 --name-type=hostbased-service host@lucid.test.h5l.se || \
221 { eval "$testfailed"; }
223 echo "${mech} mutual ${iov}" ; > messages.log
224 ${context} --mech-type=${mech} \
226 --wrapunwrap ${iov} \
227 --name-type=hostbased-service host@lucid.test.h5l.se || \
228 { eval "$testfailed"; }
230 echo "${mech} delegate ${iov}" ; > messages.log
231 ${context} --mech-type=${mech} \
233 --wrapunwrap ${iov} \
234 --name-type=hostbased-service host@lucid.test.h5l.se || \
235 { eval "$testfailed"; }
237 echo "${mech} mutual delegate ${iov}" ; > messages.log
238 ${context} --mech-type=${mech} \
239 --mutual --delegate \
240 --wrapunwrap ${iov} \
241 --name-type=hostbased-service host@lucid.test.h5l.se || \
242 { eval "$testfailed"; }
245 echo "======dce-style"
246 for mech in krb5 krb5iov spnego; do
248 if [ "$mech" = "krb5iov" ] ; then
252 if [ "$mech" = "spnegoiov" ] ; then
257 echo "${mech}: dce-style ${iov}" ; > messages.log
259 --mech-type=${mech} \
262 --wrapunwrap ${iov} \
263 --name-type=hostbased-service host@lucid.test.h5l.se || \
264 { eval "$testfailed"; }
268 echo "======export-import-context"
269 for mech in krb5 krb5iov spnego spnegoiov; do
271 if [ "$mech" = "krb5iov" ] ; then
275 if [ "$mech" = "spnegoiov" ] ; then
280 echo "${mech}: export-import-context ${iov}" ; > messages.log
282 --mech-type=${mech} \
284 --export-import-context \
285 --wrapunwrap ${iov} \
286 --name-type=hostbased-service host@lucid.test.h5l.se || \
287 { eval "$testfailed"; }
291 echo "test gsskrb5_register_acceptor_identity (both positive and negative)"
293 cp ${keytabfile} ${keytabfile}.new
294 for mech in krb5 spnego; do
295 echo "${mech}: acceptor_identity positive" ; > messages.log
296 ${context} --gsskrb5-acceptor-identity=${keytabfile}.new \
297 --mech-type=$mech host@lucid.test.h5l.se || \
298 { eval "$testfailed"; }
300 echo "${mech}: acceptor_identity positive (prefix)" ; > messages.log
301 ${context} --gsskrb5-acceptor-identity=FILE:${keytabfile}.new \
302 --mech-type=$mech host@lucid.test.h5l.se || \
303 { eval "$testfailed"; }
305 echo "${mech}: acceptor_identity negative" ; > messages.log
306 ${context} --gsskrb5-acceptor-identity=${keytabfile}.foo \
307 --mech-type=$mech host@lucid.test.h5l.se 2>/dev/null && \
308 { eval "$testfailed"; }
314 #echo "sasl-digest-md5"
315 #${context} --mech-type=sasl-digest-md5 \
316 # --name-type=hostbased-service \
317 # host@lucid.test.h5l.se || \
318 # { eval "$testfailed"; }
321 echo "====== gss-api session key check"
323 # this will break when oneone invents a cooler enctype then aes256-cts-hmac-sha1-96
324 coolenctype="aes256-cts-hmac-sha1-96"
325 limit_enctype="des3-cbc-sha1"
327 echo "Getting client initial tickets" ; > messages.log
328 ${kinit} --password-file=${objdir}/foopassword user1@${R} || \
329 { eval "$testfailed"; }
332 echo "Building context on cred w/o aes, but still ${coolenctype} session key" ; > messages.log
336 --session-enctype=${coolenctype} \
337 --name-type=hostbased-service host@no-aes.test.h5l.se || \
338 { eval "$testfailed"; }
340 echo "Building context on cred, check if its limited still" ; > messages.log
343 --client-name=user1@${R} \
344 --limit-enctype="${limit_enctype}" \
346 --name-type=hostbased-service host@no-aes.test.h5l.se || \
347 { eval "$testfailed"; }
350 echo "====== ok-as-delegate"
352 echo "Getting client initial tickets" ; > messages.log
353 ${kinit} --forwardable \
354 --password-file=${objdir}/foopassword user1@${R} || \
355 { eval "$testfailed"; }
357 echo "ok-as-delegate not used" ; > messages.log
361 --name-type=hostbased-service host@lucid.test.h5l.se || \
362 { eval "$testfailed"; }
364 echo "host without ok-as-delegate with policy-delegate" ; > messages.log
368 --server-no-delegate \
369 --name-type=hostbased-service host@lucid.test.h5l.se || \
370 { eval "$testfailed"; }
372 echo "ok-as-delegate used by policy" ; > messages.log
376 --name-type=hostbased-service host@ok-delegate.test.h5l.se || \
377 { eval "$testfailed"; }
379 echo "Getting client initial tickets with --ok-as-delgate" ; > messages.log
380 ${kinit} --ok-as-delegate --forwardable \
381 --password-file=${objdir}/foopassword user1@${R} || \
382 { eval "$testfailed"; }
384 echo "policy delegate to non delegate host" ; > messages.log
388 --server-no-delegate \
389 --name-type=hostbased-service host@lucid.test.h5l.se || \
390 { eval "$testfailed"; }
392 echo "ok-as-delegate" ; > messages.log
396 --name-type=hostbased-service host@lucid.test.h5l.se || \
397 { eval "$testfailed"; }
399 echo "======export/import cred"
401 echo "export-import cred (krb5)" ; > messages.log
405 --export-import-cred \
406 --name-type=hostbased-service host@ok-delegate.test.h5l.se || \
407 { eval "$testfailed"; }
409 echo "export-import cred (spnego)" ; > messages.log
413 --export-import-cred \
414 --name-type=hostbased-service host@ok-delegate.test.h5l.se || \
415 { eval "$testfailed"; }
418 echo "======time diffs between client and server"
420 echo "Getting client initial ticket" ; > messages.log
421 ${kinit} --password-file=${objdir}/foopassword user1@${R} || \
422 { eval "$testfailed"; }
424 echo "No time offset" ; > messages.log
427 --name-type=hostbased-service host@lucid.test.h5l.se || \
428 { eval "$testfailed"; }
430 echo "Getting client initial ticket" ; > messages.log
431 ${kinit} --password-file=${objdir}/foopassword user1@${R} || \
432 { eval "$testfailed"; }
434 echo "Server time offset" ; > messages.log
438 --server-time-offset=3600 \
440 --name-type=hostbased-service host@lucid.test.h5l.se || \
441 { eval "$testfailed"; }
443 echo "Server time offset (cached ?)" ; > messages.log
447 --server-time-offset=3600 \
449 --name-type=hostbased-service host@lucid.test.h5l.se || \
450 { eval "$testfailed"; }
452 echo "Getting client initial ticket" ; > messages.log
453 ${kinit} --password-file=${objdir}/foopassword user1@${R} || \
454 { eval "$testfailed"; }
455 # Pre-poplute the cache since tgs-req will fail since our time is wrong
456 ${kgetcred} host/lucid.test.h5l.se@${R} || \
457 { eval "$testfailed"; }
459 echo "Client time offset" ; > messages.log
463 --client-time-offset=3600 \
464 --name-type=hostbased-service host@lucid.test.h5l.se || \
465 { eval "$testfailed"; }
467 echo "Getting client initial tickets (use-referrals)" ; > messages.log
469 --password-file=${objdir}/foopassword \
470 --use-referrals user1@${R} || \
471 { eval "$testfailed"; }
473 # XXX these tests really need to use somethat that resolve to something
477 { eval "$testfailed"; }
481 --name-type=krb5-principal-name host/short || \
482 { eval "$testfailed"; }
486 host@long.test.h5l.se || \
487 { eval "$testfailed"; }
491 --name-type=krb5-principal-name \
492 host/long.test.h5l.se || \
493 { eval "$testfailed"; }
497 echo "killing kdc (${kdcpid})"
498 kill ${kdcpid} 2> /dev/null