diff options
Diffstat (limited to 'third_party/heimdal/tests/kdc/check-kadmin.in')
| -rw-r--r-- | third_party/heimdal/tests/kdc/check-kadmin.in | 456 |
1 files changed, 456 insertions, 0 deletions
diff --git a/third_party/heimdal/tests/kdc/check-kadmin.in b/third_party/heimdal/tests/kdc/check-kadmin.in new file mode 100644 index 0000000..339868b --- /dev/null +++ b/third_party/heimdal/tests/kdc/check-kadmin.in @@ -0,0 +1,456 @@ +#!/bin/sh +# +# Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan +# (Royal Institute of Technology, Stockholm, Sweden). +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# 3. Neither the name of the Institute nor the names of its contributors +# may be used to endorse or promote products derived from this software +# without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. + +top_builddir="@top_builddir@" +env_setup="@env_setup@" +objdir="@objdir@" +srcdir="@srcdir@" + +. ${env_setup} + +# If there is no useful db support compiled in, disable test +${have_db} || exit 77 + +R=TEST.H5L.SE +R2=TEST2.H5L.SE + +port=@port@ +admport=@admport@ + +cache="FILE:${objdir}/cache.krb5" + +kadmin="${kadmin} -r $R" +kdc="${kdc} --addresses=localhost -P $port" +kadmind="${kadmind} -p $admport" + +server=host/datan.test.h5l.se + +kinit="${kinit} -c $cache ${afs_no_afslog}" +kgetcred="${kgetcred} -c $cache" +kdestroy="${kdestroy} -c $cache ${afs_no_unlog}" + +foopassword="fooLongPasswordYo123;" + +KRB5_CONFIG="${objdir}/krb5.conf" +export KRB5_CONFIG + +rm -f ${keytabfile} +rm -f current-db* +rm -f out-* +rm -f mkey.file* +rm -f messages.log + +> messages.log + +echo Creating database +${kadmin} -l \ + init \ + --realm-max-ticket-life=1day \ + --realm-max-renewable-life=1month \ + ${R} || exit 1 + +${kadmin} -l add -p "$foopassword" --use-defaults foo/admin@${R} || exit 1 +${kadmin} -l add -p "$foopassword" --use-defaults bar@${R} || exit 1 +${kadmin} -l add -p "$foopassword" --use-defaults baz@${R} || exit 1 +${kadmin} -l add -p "$foopassword" --use-defaults bez@${R} || exit 1 +${kadmin} -l add -p "$foopassword" --use-defaults fez@${R} || exit 1 +${kadmin} -l add -p "$foopassword" --use-defaults hasalias@${R} || exit 1 +${kadmin} -l add -p "$foopassword" --use-defaults pkinit@${R} || exit 1 +${kadmin} -l modify --pkinit-acl="CN=baz,DC=test,DC=h5l,DC=se" pkinit@${R} || exit 1 +${kadmin} -l add -p "$foopassword" --use-defaults prune@${R} || exit 1 +${kadmin} -l cpw --keepold --random-key prune@${R} || exit 1 +${kadmin} -l cpw --keepold --random-key prune@${R} || exit 1 +${kadmin} -l add -p "$foopassword" --use-defaults pruneall@${R} || exit 1 +${kadmin} -l cpw --pruneall --random-key pruneall@${R} || exit 1 +${kadmin} -l cpw --pruneall --random-key pruneall@${R} || exit 1 + +echo "$foopassword" > ${objdir}/foopassword + +echo Starting kdc ; > messages.log +${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; } +kdcpid=`getpid kdc` + +echo Starting kadmind +${kadmind} --detach --list-chunk-size=1 \ + || { echo "kadmind failed to start"; cat messages.log; exit 1; } +kadmpid=`getpid kadmind` + +trap "kill -9 ${kdcpid} ${kadmpid}" EXIT + +#---------------------------------- +echo "kinit (no admin); test mod --alias authorization" +${kinit} --password-file=${objdir}/foopassword \ + -S kadmin/admin@${R} hasalias@${R} || exit 1 + +# Check that one non-permitted alias -> failure +env KRB5CCNAME=${cache} \ +${kadmin} -p hasalias@${R} modify --alias=goodalias1@${R} --alias=badalias@${R} hasalias@${R} && + { echo "kadmin failed $?"; cat messages.log ; exit 1; } + +# Check that all permitted aliases -> success +env KRB5CCNAME=${cache} \ +${kadmin} -p hasalias@${R} modify --alias=goodalias1@${R} --alias=goodalias2@${R} hasalias@${R} || + { echo "kadmin failed $?"; cat messages.log ; exit 1; } + +# Check that we can drop aliases +env KRB5CCNAME=${cache} \ +${kadmin} -p hasalias@${R} modify --alias=goodalias3@${R} hasalias@${R} || + { echo "kadmin failed $?"; cat messages.log ; exit 1; } +${kadmin} -l get hasalias@${R} | grep Aliases: > kadmin.tmp +read junk aliases < kadmin.tmp +rm kadmin.tmp +[ "$aliases" != "goodalias3@${R}" ] && { echo "kadmind failed $?"; cat messages.log ; exit 1; } + +env KRB5CCNAME=${cache} \ +${kadmin} -p hasalias@${R} modify --alias=goodalias1@${R} --alias=goodalias2@${R} --alias=goodalias3@${R} hasalias@${R} || + { echo "kadmin failed $?"; cat messages.log ; exit 1; } +${kadmin} -l get hasalias@${R} | grep Aliases: > kadmin.tmp +read junk aliases < kadmin.tmp +rm kadmin.tmp +[ "$aliases" != "goodalias1@${R} goodalias2@${R} goodalias3@${R}" ] && { echo "FOO failed $?"; cat messages.log ; exit 1; } + +#---------------------------------- +echo "kinit (no admin)" +${kinit} --password-file=${objdir}/foopassword \ + -S kadmin/admin@${R} bar@${R} || exit 1 +echo "kadmin" +env KRB5CCNAME=${cache} \ +${kadmin} -p bar@${R} add -p "$foopassword" --use-defaults kaka2@${R} || + { echo "kadmin failed $?"; cat messages.log ; exit 1; } + +${kadmin} -l get kaka2@${R} > /dev/null || + { echo "kadmin failed $?"; cat messages.log ; exit 1; } + +#---------------------------------- +echo "kinit (no admin)" +${kinit} --password-file=${objdir}/foopassword \ + -S kadmin/admin@${R} baz@${R} || exit 1 +echo "kadmin globacl" +env KRB5CCNAME=${cache} \ +${kadmin} -p baz@${R} get bar@${R} > /dev/null || + { echo "kadmin failed $?"; cat messages.log ; exit 1; } + +#---------------------------------- +echo "kinit (no admin)" +${kinit} --password-file=${objdir}/foopassword \ + -S kadmin/admin@${R} baz@${R} || exit 1 +echo "kadmin globacl, negative" +env KRB5CCNAME=${cache} \ +${kadmin} -p baz@${R} passwd -p "$foopassword" bar@${R} > /dev/null 2>/dev/null && + { echo "kadmin succesded $?"; cat messages.log ; exit 1; } + +#---------------------------------- +echo "kinit (no admin)" +${kinit} --password-file=${objdir}/foopassword \ + -S kadmin/admin@${R} baz@${R} || exit 1 +echo "kadmin globacl" +env KRB5CCNAME=${cache} \ +${kadmin} -p baz@${R} get bar@${R} > /dev/null || + { echo "kadmin failed $?"; cat messages.log ; exit 1; } + +#---------------------------------- +echo "kinit (no admin)" +${kinit} --password-file=${objdir}/foopassword \ + -S kadmin/admin@${R} bez@${R} || exit 1 +echo "kadmin globacl, negative" +env KRB5CCNAME=${cache} \ +${kadmin} -p bez@${R} passwd -p "$foopassword" bar@${R} > /dev/null 2>/dev/null && + { echo "kadmin succesded $?"; cat messages.log ; exit 1; } + +#---------------------------------- +echo "kinit (no admin)" +${kinit} --password-file=${objdir}/foopassword \ + -S kadmin/admin@${R} fez@${R} || exit 1 +echo "kadmin globacl" +env KRB5CCNAME=${cache} \ +${kadmin} -p fez@${R} get bar@${R} > /dev/null || + { echo "kadmin failed $?"; cat messages.log ; exit 1; } + +#---------------------------------- +echo "kinit (no admin)" +${kinit} --password-file=${objdir}/foopassword \ + -S kadmin/admin@${R} fez@${R} || exit 1 +echo "kadmin globacl, negative" +env KRB5CCNAME=${cache} \ +${kadmin} -p fez@${R} passwd -p "$foopassword" bar@${R} > /dev/null 2>/dev/null && + { echo "kadmin succesded $?"; cat messages.log ; exit 1; } + +#---------------------------------- +echo "kinit (admin)" +${kinit} --password-file=${objdir}/foopassword \ + -S kadmin/admin@${R} foo/admin@${R} || exit 1 + +echo "kadmin" +env KRB5CCNAME=${cache} \ +${kadmin} -p foo/admin@${R} add -p "$foopassword" --use-defaults kaka@${R} || + { echo "kadmin failed $?"; cat messages.log ; exit 1; } + +echo "kadmin" +env KRB5CCNAME=${cache} \ +${kadmin} -p foo/admin@${R} add -p abc --use-defaults kaka@${R} && + { echo "kadmin succeeded $?"; cat messages.log ; exit 1; } + +#---------------------------------- +echo "kadmin get doesnotexists" +env KRB5CCNAME=${cache} \ +${kadmin} -p foo/admin@${R} get -s doesnotexists@${R} \ + > /dev/null 2>kadmin.tmp && \ + { echo "kadmin passed"; cat messages.log ; exit 1; } + +# evil hack to support libtool +sed 's/lt-kadmin:/kadmin:/' < kadmin.tmp > kadmin2.tmp +mv kadmin2.tmp kadmin.tmp + +# If client tried IPv6, but service only listened on IPv4 +grep -v ': connect' kadmin.tmp > kadmin2.tmp +mv kadmin2.tmp kadmin.tmp + +diff kadmin.tmp ${srcdir}/donotexists.txt || \ + { echo "wrong response"; exit 1;} + +#---------------------------------- +echo "kadmin get pkinit-acl" +env KRB5CCNAME=${cache} \ +${kadmin} -p foo/admin@${R} get -o pkinit-acl pkinit@${R} \ + > /dev/null || \ + { echo "kadmin failed $?"; cat messages.log ; exit 1; } + +#---------------------------------- +echo "kadmin get -o principal" +env KRB5CCNAME=${cache} \ +${kadmin} -p foo/admin@${R} get -o principal bar@${R} \ + > kadmin.tmp 2>&1 || \ + { echo "kadmin failed $?"; cat messages.log ; exit 1; } +if test "`cat kadmin.tmp`" != "Principal: bar@TEST.H5L.SE" ; then + cat kadmin.tmp ; cat messages.log ; exit 1 ; +fi + + +#---------------------------------- +echo "kadmin get -o kvno" +env KRB5CCNAME=${cache} \ +${kadmin} -p foo/admin@${R} get -o kvno bar@${R} \ + > kadmin.tmp 2>&1 || \ + { echo "kadmin failed $?"; cat messages.log ; exit 1; } +if test "`cat kadmin.tmp`" != "Kvno: 1" ; then + cat kadmin.tmp ; cat messages.log ; exit 1 ; +fi + + +#---------------------------------- +echo "kadmin get -o princ_expire_time" +env KRB5CCNAME=${cache} \ +${kadmin} -p foo/admin@${R} get -o princ_expire_time bar@${R} \ + > kadmin.tmp 2>&1 || \ + { echo "kadmin failed $?"; cat messages.log ; exit 1; } +if test "`cat kadmin.tmp`" != "Principal expires: never" ; then + cat kadmin.tmp ; cat messages.log ; exit 1 ; +fi + +#---------------------------------- +echo "kadmin get -s -o attributes" +env KRB5CCNAME=${cache} \ +${kadmin} -p foo/admin@${R} get -s -o attributes bar@${R} \ + > kadmin.tmp || \ + { echo "kadmin failed $?"; cat messages.log ; exit 1; } +if test "`cat kadmin.tmp`" != "Attributes" ; then + cat kadmin.tmp ; cat messages.log ; exit 1 ; +fi + +#---------------------------------- +echo "kadmin prune" +env KRB5CCNAME=${cache} \ +${kadmin} prune --kvno=2 prune@${R} \ + > kadmin.tmp 2>&1 || \ + { echo "kadmin failed $?"; cat messages.log ; exit 1; } +env KRB5CCNAME=${cache} \ +${kadmin} get prune@${R} \ + > kadmin.tmp 2>&1 || \ + { echo "kadmin failed $?"; cat messages.log ; exit 1; } +cat kadmin.tmp | ${EGREP} Keytypes: | cut -d: -f2 | tr ' ' ' +' | sed 's/^.*[[]\(.*\)[]].*$/\1/' | grep '[0-9]' | sort -nu | tr -d ' +' | ${EGREP} '^13$' > /dev/null || \ + { echo "kadmin prune failed $?"; cat messages.log ; exit 1; } + +#---------------------------------- +echo "kadmin pruneall" +env KRB5CCNAME=${cache} \ +${kadmin} get pruneall@${R} \ + > kadmin.tmp 2>&1 || \ + { echo "kadmin failed $?"; cat messages.log ; exit 1; } +cat kadmin.tmp | ${EGREP} Keytypes: | cut -d: -f2 | tr ' ' ' +' | sed 's/^.*[[]\(.*\)[]].*$/\1/' | grep '[0-9]' | sort -nu | tr -d ' +' | ${EGREP} '^3$' > /dev/null || \ + { echo "kadmin pruneall failed $?"; cat messages.log ; exit 1; } + +env KRB5CCNAME=${cache} \ + ${kadmin} -p foo/admin@${R} list --upto=3 '*' > kadmin.tmp +[ `wc -l < kadmin.tmp` -eq 3 ] || + { echo "kadmin list --upto 3 produced `wc -l < kadmin.tmp` results!"; exit 1; } + +#---------------------------------- +echo "kadmin get '*' (re-entrance)"; > messages.log +${kadmin} -l get '*' > kadmin.tmp || + { echo "failed to list principals"; cat messages.log ; exit 1; } +> messages.log +env KRB5CCNAME=${cache} \ + ${kadmin} -p foo/admin@${R} get '*' > kadmin.tmp2 || + { echo "failed to list principals"; cat messages.log ; exit 1; } +diff -u kadmin.tmp kadmin.tmp2 || + { echo "local and remote get all differ"; exit 1; } + +#---------------------------------- +# We have 20 principals in the DB. Test two chunks of 1 (since that's how we +# started kadmind above. +> messages.log +echo "kadmin list all (chunk size 1)" +# Check that list produces the same output locally and remote. +env KRB5CCNAME=${cache} \ + ${kadmin} -p foo/admin@${R} list '*' | sort > kadmin.tmp || + { echo "failed to list principals"; cat messages.log ; exit 1; } +${kadmin} -l list '*' | sort > kadmin.tmp2 +diff kadmin.tmp kadmin.tmp2 || + { echo "failed to list all principals"; cat messages.log ; exit 1; } +# kadmin dump does not use kadm5_iter_principals, so this is a good way to +# double check the above results. This time we drop the realm part because +# kadmin doesn't show us the realm for principals in the default realm. +${kadmin} -l list '*' | cut -d'@' -f1 | sort > kadmin.tmp +${kadmin} -l dump | cut -d'@' -f1 | sort > kadmin.tmp2 +diff kadmin.tmp kadmin.tmp2 || + { echo "failed to list all principals (dump)"; cat messages.log ; exit 1; } +${kadmin} -l > kadmin.tmp <<"EOF" +list * +get foo/admin +EOF +grep Attributes kadmin.tmp > /dev/null || + { echo "failed to execute command after list"; cat messages.log ; exit 1; } +env KRB5CCNAME=${cache} \ +${kadmin} -p foo/admin@${R} > kadmin.tmp <<"EOF" +list * +get foo/admin +EOF +grep Attributes kadmin.tmp > /dev/null || + { echo "failed to execute command after list"; cat messages.log ; exit 1; } + +#---------------------------------- +# We have 20 principals in the DB. Test two chunks of 10. +sh ${leaks_kill} kadmind $kadmpid || exit 1 +${kadmind} --list-chunk-size=10 --detach +kadmpid=`getpid kadmind` + +> messages.log +echo "kadmin list all (chunk size 10)" +# Check that list produces the same output locally and remote. +env KRB5CCNAME=${cache} \ + ${kadmin} -p foo/admin@${R} list '*' | sort > kadmin.tmp || + { echo "failed to list principals"; cat messages.log ; exit 1; } +${kadmin} -l list '*' | sort > kadmin.tmp2 +diff kadmin.tmp kadmin.tmp2 || + { echo "failed to list all principals"; cat messages.log ; exit 1; } +# kadmin dump does not use kadm5_iter_principals, so this is a good way to +# double check the above results. This time we drop the realm part because +# kadmin doesn't show us the realm for principals in the default realm. +${kadmin} -l list '*' | cut -d'@' -f1 | sort > kadmin.tmp +${kadmin} -l dump | cut -d'@' -f1 | sort > kadmin.tmp2 +diff kadmin.tmp kadmin.tmp2 || + { echo "failed to list all principals (dump)"; cat messages.log ; exit 1; } +env KRB5CCNAME=${cache} \ +${kadmin} -p foo/admin@${R} > kadmin.tmp <<"EOF" +list * +get foo/admin +EOF +grep Attributes kadmin.tmp > /dev/null || + { echo "failed to execute command after list"; cat messages.log ; exit 1; } + +#---------------------------------- +# We have 20 principals in the DB. Test one chunk of 50. +sh ${leaks_kill} kadmind $kadmpid || exit 1 +${kadmind} --list-chunk-size=50 --detach +kadmpid=`getpid kadmind` + +> messages.log +echo "kadmin list all (chunk size 50)" +# Check that list produces the same output locally and remote. +env KRB5CCNAME=${cache} \ + ${kadmin} -p foo/admin@${R} list '*' | sort > kadmin.tmp || + { echo "failed to list principals"; cat messages.log ; exit 1; } +${kadmin} -l list '*' | sort > kadmin.tmp2 +diff kadmin.tmp kadmin.tmp2 || + { echo "failed to list all principals"; cat messages.log ; exit 1; } +# kadmin dump does not use kadm5_iter_principals, so this is a good way to +# double check the above results. This time we drop the realm part because +# kadmin doesn't show us the realm for principals in the default realm. +${kadmin} -l list '*' | cut -d'@' -f1 | sort > kadmin.tmp +${kadmin} -l dump | cut -d'@' -f1 | sort > kadmin.tmp2 +diff kadmin.tmp kadmin.tmp2 || + { echo "failed to list all principals (dump)"; cat messages.log ; exit 1; } +env KRB5CCNAME=${cache} \ +${kadmin} -p foo/admin@${R} > kadmin.tmp <<"EOF" +list * +get foo/admin +EOF +grep Attributes kadmin.tmp > /dev/null || + { echo "failed to execute command after list"; cat messages.log ; exit 1; } + +#---------------------------------- +# We have 20 principals in the DB. Test 3 chunks of up to 7. +sh ${leaks_kill} kadmind $kadmpid || exit 1 +${kadmind} --list-chunk-size=7 --detach +kadmpid=`getpid kadmind` + +> messages.log +echo "kadmin list all (chunk size 7)" +# Check that list produces the same output locally and remote. +env KRB5CCNAME=${cache} \ + ${kadmin} -p foo/admin@${R} list '*' | sort > kadmin.tmp || + { echo "failed to list principals"; cat messages.log ; exit 1; } +${kadmin} -l list '*' | sort > kadmin.tmp2 +diff kadmin.tmp kadmin.tmp2 || + { echo "failed to list all principals"; cat messages.log ; exit 1; } +# kadmin dump does not use kadm5_iter_principals, so this is a good way to +# double check the above results. This time we drop the realm part because +# kadmin doesn't show us the realm for principals in the default realm. +${kadmin} -l list '*' | cut -d'@' -f1 | sort > kadmin.tmp +${kadmin} -l dump | cut -d'@' -f1 | sort > kadmin.tmp2 +diff kadmin.tmp kadmin.tmp2 || + { echo "failed to list all principals (dump)"; cat messages.log ; exit 1; } + +#---------------------------------- + +echo "killing kdc (${kdcpid} ${kadmpid})" +sh ${leaks_kill} kdc $kdcpid || exit 1 +sh ${leaks_kill} kadmind $kadmpid || exit 1 + +trap "" EXIT + +exit $ec |