diff options
Diffstat (limited to '')
-rw-r--r-- | third_party/heimdal/tests/kdc/check-referral.in | 301 |
1 files changed, 301 insertions, 0 deletions
diff --git a/third_party/heimdal/tests/kdc/check-referral.in b/third_party/heimdal/tests/kdc/check-referral.in new file mode 100644 index 0000000..49f6a52 --- /dev/null +++ b/third_party/heimdal/tests/kdc/check-referral.in @@ -0,0 +1,301 @@ +#!/bin/sh +# +# Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan +# (Royal Institute of Technology, Stockholm, Sweden). +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# 3. Neither the name of the Institute nor the names of its contributors +# may be used to endorse or promote products derived from this software +# without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. + +top_builddir="@top_builddir@" +env_setup="@env_setup@" +objdir="@objdir@" + +. ${env_setup} + +testfailed="echo test failed; cat messages.log; exit 1" + +# If there is no useful db support compiled in, disable test +${have_db} || exit 77 + +d=test.h5l.se +d2=xtst.heim.example +R=TEST.H5L.SE +R2=XTST.HEIM.EXAMPLE + +# $service1 will be a hard alias of $service2 +service1=ldap/host.${d}:389 +service2=ldap/host.${d2}:389 +# $service3 and $service4 will have soft aliases referrals from each +# other's realms +service3=host/foohost.${d} +service4=host/barhost.${d2} +# $service5 and $service6 will be hardaliases +service5=host/thing1.${d} +service6=host/thing1.${d2} +# $service7 and $service8 will be hardaliases in the opposite direction +service7=host/thing2.${d} +service8=host/thing2.${d2} + +port=@port@ + +kadmin="${kadmin} -l -r $R" +kdc="${kdc} --addresses=localhost -P $port" + +cache="FILE:${objdir}/cache.krb5" + +kinit="${kinit} -c $cache ${afs_no_afslog}" +klist="${klist} -c $cache" +kgetcred="${kgetcred} -c $cache" +kdestroy="${kdestroy} -c $cache ${afs_no_unlog}" +keytabfile=${objdir}/server.keytab +keytab="FILE:${keytabfile}" + +KRB5_CONFIG="${objdir}/krb5.conf" +export KRB5_CONFIG + +KRB5CCNAME=$cache +export KRB5CCNAME + +rm -f ${keytabfile} +rm -f current-db* +rm -f out-* +rm -f mkey.file* + +> messages.log + +echo Creating database +${kadmin} \ + init \ + --realm-max-ticket-life=1day \ + --realm-max-renewable-life=1month \ + ${R} || exit 1 + +${kadmin} \ + init \ + --realm-max-ticket-life=1day \ + --realm-max-renewable-life=1month \ + ${R2} || exit 1 + +${kadmin} add -r --use-defaults WELLKNOWN/REFERRALS/TARGET@${R} || exit 1 +${kadmin} add -r --use-defaults WELLKNOWN/REFERRALS/TARGET@${R2} || exit 1 + +# User 'foo' gets two aliases in the same realm, and one in the other +${kadmin} add -p foo --use-defaults foo@${R} || exit 1 +${kadmin} add_alias foo@${R} foo@${R2} alias1 alias2 || exit 1 +${kadmin} get foo@${R} | grep alias1@${R} >/dev/null || exit 1 +${kadmin} get foo@${R} | grep alias2@${R} >/dev/null || exit 1 +${kadmin} get foo@${R} | grep foo@${R2} >/dev/null || exit 1 + +# service1 is an alias of service2, in different realms +${kadmin} add -p foo --use-defaults ${service2}@${R2} || exit 1 +${kadmin} add_alias ${service2}@${R2} ${service1}@${R} || exit 1 +${kadmin} get ${service2}@${R2} | grep ${service1}@${R} >/dev/null || exit 1 + +# service3 and service4 get soft aliases in each other's realms +${kadmin} add -p foo --use-defaults ${service3}@${R} || exit 1 +${kadmin} add -p foo --use-defaults ${service4}@${R2} || exit 1 +${kadmin} add_alias WELLKNOWN/REFERRALS/TARGET@${R2} ${service4}@${R} || exit 1 +${kadmin} add_alias WELLKNOWN/REFERRALS/TARGET@${R} ${service3}@${R2} || exit 1 + +# service6 is a hard alias of service5 +${kadmin} add -p foo --use-defaults ${service5}@${R} || exit 1 +${kadmin} add_alias ${service5}@${R} ${service6}@${R2} || exit 1 + +# service8 is a hard alias of service7, but in the opposite direction +${kadmin} add -p foo --use-defaults ${service7}@${R2} || exit 1 +${kadmin} add_alias ${service5}@${R} ${service8}@${R} || exit 1 + +${kadmin} add -p foo --use-defaults bar@${R} || exit 1 +${kadmin} add -p foo --use-defaults 'baz\@realm.foo@'${R} || exit 1 + +${kadmin} add -p cross1 --use-defaults krbtgt/${R2}@${R} || exit 1 +${kadmin} add -p cross2 --use-defaults krbtgt/${R}@${R2} || exit 1 + +${kadmin} ext -k ${keytab} krbtgt/${R}@${R} || exit 1 + +echo "Doing database check" +${kadmin} check ${R} || exit 1 +${kadmin} check ${R2} || exit 1 + +echo foo > ${objdir}/foopassword + +echo Starting kdc ; > messages.log +${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; } +kdcpid=`getpid kdc` + +trap "kill -9 ${kdcpid}; echo signal killing kdc; exit 1;" EXIT + +ec=0 + + +echo "Getting client bar"; > messages.log +${kinit} --password-file=${objdir}/foopassword bar@${R} || \ + { ec=1 ; eval "${testfailed}"; } +echo "checking that we got back right principal" +${klist} | grep "Principal: bar@${R}" > /dev/null || \ + { ec=1 ; eval "${testfailed}"; } +${kdestroy} + +echo "Getting client baz"; > messages.log +${kinit} --password-file=${objdir}/foopassword 'baz\@realm.foo@'${R} || \ + { ec=1 ; eval "${testfailed}"; } +echo "checking that we got back right principal" +${klist} | grep 'Principal: baz' > /dev/null || \ + { ec=1 ; eval "${testfailed}"; } +${kdestroy} + + + +echo "Test AS-REQ" + +echo "Getting client (no canon)"; > messages.log +${kinit} --password-file=${objdir}/foopassword foo@${R} || \ + { ec=1 ; eval "${testfailed}"; } +echo "checking that we got back right principal" +${klist} | grep "Principal: foo@${R}" > /dev/null || \ + { ec=1 ; eval "${testfailed}"; } +${kdestroy} + +echo "Getting client client tickets (default realm, enterprisename)"; > messages.log +${kinit} --canonicalize --enterprise \ + --password-file=${objdir}/foopassword foo@${R} || \ + { ec=1 ; eval "${testfailed}"; } +echo "checking that we got back right principal" +${klist} | grep "Principal: foo@${R}" > /dev/null || \ + { ec=1 ; eval "${testfailed}"; } +echo "checking that we got back right principal inside the PAC" +${test_ap_req} krbtgt/${R}@${R} ${keytab} ${cache} || \ + { ec=1 ; eval "${testfailed}"; } +${kdestroy} + +echo "Getting client alias1 tickets"; > messages.log +${kinit} --canonicalize --enterprise \ + --password-file=${objdir}/foopassword foo@${R} || \ + { ec=1 ; eval "${testfailed}"; } +echo "checking that we got back right principal" +${klist} | grep "Principal: foo@${R}" > /dev/null || \ + { ec=1 ; eval "${testfailed}"; } +echo "checking that we got back right principal inside the PAC" +${test_ap_req} krbtgt/${R}@${R} ${keytab} ${cache} || \ + { ec=1 ; eval "${testfailed}"; } +${kdestroy} + + +echo "Getting client alias2 tickets"; > messages.log +${kinit} --canonicalize --enterprise \ + --password-file=${objdir}/foopassword alias2@${R}@${R} || \ + { ec=1 ; eval "${testfailed}"; } +echo "checking that we got back right principal" +${klist} | grep "Principal: foo@${R}" > /dev/null || \ + { ec=1 ; eval "${testfailed}"; } +echo "checking that we got back right principal inside the PAC" +${test_ap_req} krbtgt/${R}@${R} ${keytab} ${cache} || \ + { ec=1 ; eval "${testfailed}"; } +${kdestroy} + +echo "Getting client alias1 tickets (non canon case)"; > messages.log +${kinit} --password-file=${objdir}/foopassword alias1@${R} || \ + { ec=1 ; eval "${testfailed}"; } +echo "checking that we got back right principal" +${klist} | grep "Principal: alias1@${R}" > /dev/null || \ + { ec=1 ; eval "${testfailed}"; } +echo "checking that we got back right principal inside the PAC" +${test_ap_req} krbtgt/${R}@${R} ${keytab} ${cache} || \ + { ec=1 ; eval "${testfailed}"; } +${kgetcred} ${service2}@${R2} || { ec=1 ; eval "${testfailed}"; } +${kgetcred} ${service1}@${R} || { ec=1 ; eval "${testfailed}"; } +${kdestroy} + +echo "Getting client foo@${R2} tickets (non canon case)"; > messages.log +${kinit} --password-file=${objdir}/foopassword foo@${R2} || \ + { ec=1 ; eval "${testfailed}"; } +echo "checking that we got back right principal" +${klist} | grep "Principal: foo@${R2}" > /dev/null || \ + { ec=1 ; eval "${testfailed}"; } +echo "checking that we got back right principal inside the PAC" +${test_ap_req} krbtgt/${R}@${R} ${keytab} ${cache} || \ + { ec=1 ; eval "${testfailed}"; } +echo "Getting various service tickets using foo@${R2} client" +${kgetcred} ${service2}@${R2} || { ec=1 ; eval "${testfailed}"; } +${kgetcred} ${service1}@${R} || { ec=1 ; eval "${testfailed}"; } +${kgetcred} ${service1}@${R2} || { ec=1 ; eval "${testfailed}"; } +${kgetcred} ${service2}@${R} || { ec=1 ; eval "${testfailed}"; } +${kgetcred} ${service3}@ || { ec=1 ; eval "${testfailed}"; } +${kgetcred} ${service4}@ || { ec=1 ; eval "${testfailed}"; } +${kgetcred} ${service5}@ || { ec=1 ; eval "${testfailed}"; } +${kgetcred} ${service6}@ || { ec=1 ; eval "${testfailed}"; } +${kgetcred} ${service7}@ || { ec=1 ; eval "${testfailed}"; } +${kgetcred} ${service8}@${R} || { ec=1 ; eval "${testfailed}"; } +${kdestroy} + +echo "Getting client alias2 tickets (removed)"; > messages.log +${kadmin} modify --alias=alias1 foo@${R} || { ec=1 ; eval "${testfailed}"; } +${kinit} --canonicalize --enterprise \ + --password-file=${objdir}/foopassword \ + alias2@${R}@${R} > /dev/null 2>/dev/null && \ + { ec=1 ; eval "${testfailed}"; } + +echo "Remove alias" +${kadmin} modify --alias= foo@${R} || { ec=1 ; eval "${testfailed}"; } + +echo "Test server referrals" + +echo "Getting client for ${service2}@${R} (tgs kdc referral)" +> messages.log +${kinit} --password-file=${objdir}/foopassword foo@${R} || \ + { ec=1 ; eval "${testfailed}"; } +${kgetcred} --canonicalize ${service2}@${R} || { ec=1 ; eval "${testfailed}"; } +${kgetcred} ${service3}@${R} || { ec=1 ; eval "${testfailed}"; } +${kgetcred} ${service4}@ || { ec=1 ; eval "${testfailed}"; } +echo "checking that we got back right principal" +${klist} | grep "${service2}@${R2}" > /dev/null || \ + { ec=1 ; eval "${testfailed}"; } +${klist} | grep "${service4}@${R}" > /dev/null && \ + { ec=1 ; eval "${testfailed}"; } +${klist} | grep "${service4}@${R2}" > /dev/null || \ + { ec=1 ; eval "${testfailed}"; } +${kdestroy} + +echo "Getting client for ${service2}@${R2} (tgs client side guessing)" +> messages.log +${kinit} --password-file=${objdir}/foopassword foo@${R} || \ + { ec=1 ; eval "${testfailed}"; } +${kgetcred} ${service2}@${R2} || + { ec=1 ; eval "${testfailed}"; } +echo "checking that we got back right principal" +${klist} | grep "${service2}@${R2}" > /dev/null || \ + { ec=1 ; eval "${testfailed}"; } +${kdestroy} + + +echo "killing kdc (${kdcpid})" +sh ${leaks_kill} kdc $kdcpid || exit 1 + +trap "" EXIT + +exit $ec |