#!/bin/sh
#
# Copyright (c) 2020 Kungliga Tekniska Högskolan
# (Royal Institute of Technology, Stockholm, Sweden). 
# All rights reserved. 
#
# Redistribution and use in source and binary forms, with or without 
# modification, are permitted provided that the following conditions 
# are met: 
#
# 1. Redistributions of source code must retain the above copyright 
#    notice, this list of conditions and the following disclaimer. 
#
# 2. Redistributions in binary form must reproduce the above copyright 
#    notice, this list of conditions and the following disclaimer in the 
#    documentation and/or other materials provided with the distribution. 
#
# 3. Neither the name of the Institute nor the names of its contributors 
#    may be used to endorse or promote products derived from this software 
#    without specific prior written permission. 
#
# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
# SUCH DAMAGE. 

top_builddir="@top_builddir@"
env_setup="@env_setup@"
objdir="@objdir@"

testfailed="echo test failed; cat messages.log; exit 1"

. ${env_setup}

# If there is no useful db support compiled in, disable test
${have_db} || exit 77

if ! which curl > /dev/null; then
    echo "curl is not available -- not testing httpkadmind"
    exit 77
fi
if ! test -x ${objdir}/../../kdc/httpkadmind; then
    echo "Configured w/o libmicrohttpd -- not testing httpkadmind"
    exit 77
fi

R=TEST.H5L.SE
domain=test.h5l.se

port=@port@
admport=@admport@
admport1=@admport@
admport2=@admport2@
restport=@restport@
restport1=@restport@
restport2=@restport2@

server=datan.test.h5l.se
otherserver=other.test.h5l.se
cache="FILE:${objdir}/cache.krb5"
cache2="FILE:${objdir}/cache2.krb5"
admincache="FILE:${objdir}/cache3.krb5"
keyfile="${hx509_data}/key.der"
keyfile2="${hx509_data}/key2.der"
kt=${objdir}/kt
keytab=FILE:${kt}
ukt=${objdir}/ukt
ukeytab=FILE:${ukt}

kdc="${kdc} --addresses=localhost -P $port"
kadminr="${kadmin} -r $R -a $(uname -n)"
kadmin="${kadmin} -l -r $R"
kadmind2="${kadmind} --keytab=${keytab} --detach -p $admport2 --read-only"
kadmind="${kadmind} --keytab=${keytab} --detach -p $admport"
httpkadmind2="${httpkadmind} --reverse-proxied -T Negotiate -p $restport2"
httpkadmind="${httpkadmind} --reverse-proxied -T Negotiate -p $restport1"

kinit2="${kinit} -c $cache2 ${afs_no_afslog}"
kinit="${kinit} -c $cache ${afs_no_afslog}"
adminklist="${klist} --hidden -v -c $admincache"
klist2="${klist} --hidden -v -c $cache2"
klist="${klist} --hidden -v -c $cache"
kgetcred2="${kgetcred} -c $cache2"
kgetcred="${kgetcred} -c $cache"
kdestroy2="${kdestroy} -c $cache2 ${afs_no_unlog}"
kdestroy="${kdestroy} -c $cache ${afs_no_unlog}"
kx509="${kx509} -c $cache"

KRB5_CONFIG="${objdir}/krb5-httpkadmind.conf"
export KRB5_CONFIG
KRB5CCNAME=$cache
export KRB5CCNAME
HEIM_PIDFILE_DIR=$objdir
export HEIM_PIDFILE_DIR
HEIM_IPC_DIR=$objdir
export HEIM_IPC_DIR

rm -f current-db*
rm -f out-*
rm -f mkey.file*
rm -f *.pem *.crt *.der
rm -rf authz_dir
rm -f extracted_keytab*

mkdir -p authz_dir

> messages.log

# We'll avoid using a KDC for now.  For testing /httpkadmind we only need keys
# for Negotiate tokens, and we'll use ktutil and kimpersonate to make it
# possible to create and accept those without a KDC.

# grant ext-type value grantee_principal
grant() {
    mkdir -p "${objdir}/authz_dir/${3}"
    touch "${objdir}/authz_dir/${3}/${1}=${2}"
}

revoke() {
    rm -rf "${objdir}/authz_dir"
    mkdir -p "${objdir}/authz_dir"
}

if set -o|grep 'verbose.*on' > /dev/null ||
   set -o|grep 'xtrace.*on' > /dev/null; then
    verbose=-vvv
else
    verbose=
fi

# HTTP curl-opts
HTTP() {
    curl -g --resolve ${server}:${restport2}:127.0.0.1  \
            --resolve ${server}:${restport}:127.0.0.1   \
         -u: --negotiate $verbose                       \
         -D response-headers                            \
         "$@"
}

# get_config QPARAMS curl-opts
get_config() {
    url="http://${server}:${restport}/get-config?$1"
    shift
    HTTP $verbose "$@" "$url"
}

check_age() {
    set -- $(grep -i ^Cache-Control: response-headers)
    if [ $# -eq 0 ]; then
        return 1
    fi
    shift
    for param in "$@"; do
        case "$param" in
        no-store) true;;
        max-age=0) return 1;;
        max-age=*) true;;
        *) return 1;;
        esac
    done
    return 0;
}

# get_keytab QPARAMS curl-opts
get_keytab() {
    url="http://${server}:${restport}/get-keys?$1"
    shift
    HTTP $verbose "$@" "$url"
}

# get_keytab_POST QPARAMS curl-opts
get_keytab_POST() {
    # Curl is awful, so if you don't use -f, you don't get non-zero exit codes on
    # error responses, but if you do use -f then -D doesn't work.  Ugh.
    #
    # So first we check that POST w/o CSRF token fails:
    q=$1
    shift

    get_keytab "$q" -X POST --data-binary @/dev/null -f "$@" && 
        { echo "POST succeeded w/o CSRF token!"; return 1; }
    get_keytab "$q" -X POST --data-binary @/dev/null "$@"
    grep ^X-CSRF-Token: response-headers >/dev/null || return 1
    get_keytab "$q" -X POST --data-binary @/dev/null \
        -H "$(sed -e 's/\r//' response-headers | grep ^X-CSRF-Token:)" "$@"
    grep '^HTTP/1.1 200' response-headers >/dev/null || return $?
    return 0
}

get_keytab_POST_redir() {
    url="http://${server}:${restport}/get-keys?$1"
    shift
    HTTP -X POST --data-binary @/dev/null "$@" "$url"
    grep ^X-CSRF-Token: response-headers >/dev/null ||
        { echo "POST w/o CSRF token had response w/o CSRF token!"; return 1; }
    HTTP -X POST --data-binary @/dev/null  -f                           \
        -H "$(sed -e 's/\r//' response-headers | grep ^X-CSRF-Token:)"  \
        --location --location-trusted "$@" "$url"
}

kdcpid=
httpkadmindpid=
httpkadmind2pid=
test_csr_authorizer_pid=
kadmindpid=
kadmind2pid=
cleanup() {
    test -n "$kdcpid" &&
        { echo signal killing kdc; kill -9 "$kdcpid"; }
    test -n "$test_csr_authorizer_pid" &&
        { echo signal killing test_csr_authorizer; kill -9 "$test_csr_authorizer_pid"; }
    test -n "$httpkadmindpid" &&
        { echo signal killing httpkadmind; kill -9 "$httpkadmindpid"; }
    test -n "$httpkadmind2pid" &&
        { echo signal killing second httpkadmind; kill -9 "$httpkadmind2pid"; }
    test -n "$kadmindpid" &&
        { echo signal killing kadmind; kill -9 "$kadmindpid"; }
    test -n "$kadmind2pid" &&
        { echo signal killing kadmind; kill -9 "$kadmind2pid"; }
}
trap cleanup EXIT

rm -f extracted_keytab

echo "Creating database"
rm -f $kt $ukt
${kadmin} <<EOF || exit 1
init --realm-max-ticket-life=1day --realm-max-renewable-life=1month ${R}
add -r --use-defaults foo@${R}
add -r --use-defaults httpkadmind/admin@${R}
add -r --use-defaults WELLKNOWN/CSRFTOKEN@${R}
add -r --use-defaults HTTP/localhost@${R}
add -r --use-defaults host/xyz.${domain}@${R}
add -r --use-defaults HTTP/xyz.${domain}@${R}
add_ns --key-rotation-epoch=-1d --key-rotation-period=5m  \
       --max-ticket-life=1d --max-renewable-life=5d       \
       --attributes= HTTP/ns.${domain}@${R}
add_ns --key-rotation-epoch=-1d --key-rotation-period=5m  \
       --max-ticket-life=1d --max-renewable-life=5d       \
       --attributes=ok-as-delegate host/.ns2.${domain}@${R}
add -r --use-defaults HTTP/${server}@${R}
ext_keytab -r -k $keytab  kadmin/admin@${R}
ext_keytab -r -k $keytab  httpkadmind/admin@${R}
ext_keytab -r -k $keytab  HTTP/${server}@${R}
ext_keytab -r -k $keytab  HTTP/localhost@${R}
add -r --use-defaults HTTP/${otherserver}@${R}
ext_keytab -r -k $ukeytab foo@${R}
EOF
${kdestroy}

# For a while let's not bother with a KDC
$kimpersonate --ccache=$cache -k $keytab -R -t aes128-cts-hmac-sha1-96  \
   -c foo@${R} -s HTTP/datan.test.h5l.se@${R} ||
    { echo "failed to setup kimpersonate credentials"; exit 2; }
$kimpersonate -A --ccache=$cache -k $keytab -R -t aes128-cts-hmac-sha1-96  \
   -c foo@${R} -s HTTP/localhost@${R} ||
    { echo "failed to setup kimpersonate credentials"; exit 2; }
$klist -t >/dev/null ||
    { echo "failed to setup kimpersonate credentials"; exit 2; }

echo "Starting test_csr_authorizer"
${test_csr_authorizer} -A $objdir/authz_dir -S $objdir --server --daemon ||
    { echo "test_csr_authorizer failed to start"; exit 2; }
test_csr_authorizer_pid=`getpid test_csr_authorizer`
ec=0

echo "Starting httpkadmind"
${httpkadmind} -H $server -H localhost --local -t --daemon ||
    { echo "httpkadmind failed to start"; exit 2; }
httpkadmindpid=`getpid httpkadmind`
ec=0

echo "Checking that concrete principal exists"
${kadmin} get HTTP/xyz.${domain} > /dev/null ||
    { echo "Failed to create HTTP/xyz.${domain}"; exit 1; }
echo "Checking that virtual principal exists"
${kadmin} get HTTP/foo.ns.${domain} > /dev/null ||
    { echo "Virtual principals not working"; exit 1; }

hn=xyz.${domain}
p=HTTP/$hn
echo "Fetching krb5.conf for $p"
get_config "princ=$p" -sf -o "${objdir}/extracted_config" ||
    { echo "Failed to get config for $p"; exit 1; }
read config < "${objdir}/extracted_config"
test "$config" = "include /etc/krb5.conf" ||
    { echo "Got unexpected default config for $p"; exit 1; }
${kadmin} mod --krb5-config-file="$KRB5_CONFIG" $p ||
    { echo "Failed to set config for $p"; exit 1; }
get_config "princ=$p" -sf -o "${objdir}/extracted_config" ||
    { echo "Failed to get config for $p"; exit 1; }
cmp "${objdir}/extracted_config" "$KRB5_CONFIG" ||
    { echo "Got unexpected config for $p"; exit 1; }

hn=xyz.${domain}
p=HTTP/$hn
echo "Fetching keytab for concrete principal $p"
rm -f extracted_keytab*
grant san_dnsname $hn foo@${R}
${kadmin} ext_keytab -k extracted_keytab $p ||
    { echo "Failed to get a keytab for $p with kadmin"; exit 1; }
${ktutil} -k "${objdir}/extracted_keytab" list --keys > extracted_keytab.kadmin ||
    { echo "Failed to list keytab for $p"; exit 1; }
get_keytab "dNSName=${hn}" -sf -o "${objdir}/extracted_keytab" ||
    { echo "Failed to get a keytab for $p with curl"; exit 1; }
${ktutil} -k "${objdir}/extracted_keytab" list --keys > extracted_keytab.rest ||
    { echo "Failed to list keytab for $p"; exit 1; }
cmp extracted_keytab.kadmin extracted_keytab.rest ||
    { echo "Keytabs for $p don't match!"; exit 1; }

hn=foo.ns.${domain}
p=HTTP/$hn
echo "Fetching keytab for virtual principal $p"
rm -f extracted_keytab*
grant san_dnsname $hn foo@${R}
${kadmin} ext_keytab -k extracted_keytab $p ||
    { echo "Failed to get a keytab for $p with kadmin"; exit 1; }
${ktutil} -k "${objdir}/extracted_keytab" list --keys > extracted_keytab.kadmin ||
    { echo "Failed to list keytab for $p"; exit 1; }
get_keytab "dNSName=${hn}" -sf -o "${objdir}/extracted_keytab" ||
    { echo "Failed to get a keytab for $p with curl"; exit 1; }
check_age
grep -i ^Cache-Control response-headers
${ktutil} -k "${objdir}/extracted_keytab" list --keys > extracted_keytab.rest ||
    { echo "Failed to list keytab for $p"; exit 1; }
cmp extracted_keytab.kadmin extracted_keytab.rest ||
    { echo "Keytabs for $p don't match!"; exit 1; }

hn1=foo.ns.${domain}
hn2=foobar.ns.${domain}
hn3=xyz.${domain}
p1=HTTP/$hn1
p2=HTTP/$hn2
p3=HTTP/$hn3
echo "Fetching keytabs for more than one principal"
rm -f extracted_keytab*
grant san_dnsname $hn1 foo@${R}
grant san_dnsname $hn2 foo@${R}
grant san_dnsname $hn3 foo@${R}
# Note that httpkadmind will first process dNSName q-params, then the spn
# q-params.
${kadmin} ext_keytab -k extracted_keytab $p1 ||
    { echo "Failed to get a keytab for $p1 with kadmin"; exit 1; }
${kadmin} ext_keytab -k extracted_keytab $p3 ||
    { echo "Failed to get a keytab for $p3 with kadmin"; exit 1; }
${kadmin} ext_keytab -k extracted_keytab $p2 ||
    { echo "Failed to get a keytab for $p2 with kadmin"; exit 1; }
${ktutil} -k "${objdir}/extracted_keytab" list --keys > extracted_keytab.kadmin ||
    { echo "Failed to list keytab for multiple principals"; exit 1; }
get_keytab "dNSName=${hn1}&spn=${p2}&dNSName=${hn3}" -sf -o "${objdir}/extracted_keytab" ||
    { echo "Failed to get a keytab for multiple principals with curl"; exit 1; }
${ktutil} -k "${objdir}/extracted_keytab" list --keys > extracted_keytab.rest ||
    { echo "Failed to list keytab for $p"; exit 1; }
cmp extracted_keytab.kadmin extracted_keytab.rest ||
    { echo "Keytabs for $p don't match!"; exit 1; }
grep $hn1 extracted_keytab.rest > /dev/null ||
    { echo "Keytab does not include keys for $p1"; exit 1; }
grep $hn2 extracted_keytab.rest > /dev/null ||
    { echo "Keytab does not include keys for $p2"; exit 1; }
grep $hn3 extracted_keytab.rest > /dev/null ||
    { echo "Keytab does not include keys for $p3"; exit 1; }

p=host/foo.ns.${domain}
echo "Checking that $p doesn't exist (no namespace for host service)"
get_keytab "svc=host&dNSName=foo.ns.${domain}" -sf -o "${objdir}/extracted_keytab.rest" &&
    { echo "Got a keytab for host/foo.ns.${domain} when not namespaced!"; }

echo "Checking that authorization is enforced"
revoke
get_keytab "dNSName=xyz.${domain}" -sf -o "${objdir}/extracted_keytab" &&
    { echo "Got a keytab for HTTP/xyz.${domain} when not authorized!"; exit 1; }
get_keytab "dNSName=foo.ns.${domain}" -sf -o "${objdir}/extracted_keytab" &&
    { echo "Got a keytab for HTTP/foo.ns.${domain} when not authorized!"; exit 1; } 

echo "Checking that host service keys are not served"
hn=xyz.${domain}
p=host/$hn
echo "Fetching keytab for virtual principal $p"
rm -f extracted_keytab*
grant san_dnsname $hn foo@${R}
get_keytab "service=host&dNSName=xyz.${domain}" -sf -o "${objdir}/extracted_keytab" &&
    { echo "Got a keytab for $p even though it is a host service!"; exit 1; }
get_keytab "spn=host/xyz.${domain}" -sf -o "${objdir}/extracted_keytab" &&
    { echo "Got a keytab for $p even though it is a host service!"; exit 1; }
revoke

hn=xyz.${domain}
p=HTTP/$hn
echo "Checking key rotation for concrete principal $p"
rm -f extracted_keytab*
grant san_dnsname $hn foo@${R}
get_keytab "dNSName=${hn}" -sf -o "${objdir}/extracted_keytab" ||
    { echo "Failed to get a keytab for $p with curl"; exit 1; }
${ktutil} -k "${objdir}/extracted_keytab" list --keys > extracted_keytab.rest1 ||
    { echo "Failed to list keytab for $p"; exit 1; }
test "$(grep $p extracted_keytab.rest1 | wc -l)" -eq 1 ||
    { echo "Wrong number of new keys!"; exit 1; }
get_keytab "dNSName=${hn}&rotate=true" -sf -o "${objdir}/extracted_keytab" &&
    { echo "GET succeeded for write operation!"; exit 1; }
get_keytab_POST "dNSName=${hn}&rotate=true" -s -o "${objdir}/extracted_keytab" ||
    { echo "Failed to rotate keys for $p"; exit 1; }
${ktutil} -k "${objdir}/extracted_keytab" list --keys > extracted_keytab.rest2 ||
    { echo "Failed to list keytab for $p"; exit 1; }
cmp extracted_keytab.rest1 extracted_keytab.rest2 > /dev/null &&
    { echo "Keys for $p did not change!"; exit 1; }
test "$(grep $p extracted_keytab.rest2 | wc -l)" -eq 2 ||
    { echo "Wrong number of new keys!"; exit 1; }

hn=xyz.${domain}
p=HTTP/$hn
echo "Checking key rotation w/ revocation for concrete principal $p"
rm -f extracted_keytab*
grant san_dnsname $hn foo@${R}
get_keytab "dNSName=${hn}" -sf -o "${objdir}/extracted_keytab" ||
    { echo "Failed to get a keytab for $p with curl"; exit 1; }
${ktutil} -k "${objdir}/extracted_keytab" list --keys > extracted_keytab.rest1 ||
    { echo "Failed to list keytab for $p"; exit 1; }
get_keytab "dNSName=${hn}&revoke=true" -sf -o "${objdir}/extracted_keytab" &&
    { echo "GET succeeded for write operation!"; exit 1; }
get_keytab_POST "dNSName=${hn}&revoke=true" -s -o "${objdir}/extracted_keytab" ||
    { echo "Failed to get a keytab for $p with curl"; exit 1; }
${ktutil} -k "${objdir}/extracted_keytab" list --keys > extracted_keytab.rest2 ||
    { echo "Failed to list keytab for $p"; exit 1; }
cmp extracted_keytab.rest1 extracted_keytab.rest2 > /dev/null &&
    { echo "Keys for $p did not change!"; exit 1; }
test "$(grep $p extracted_keytab.rest2 | wc -l)" -eq 1 ||
    { echo "Wrong number of new keys!"; exit 1; }

hn=abc.${domain}
p=HTTP/$hn
echo "Checking concrete principal creation ($p)"
rm -f extracted_keytab
grant san_dnsname $hn foo@${R}
get_keytab "dNSName=${hn}&create=true" -sf -o "${objdir}/extracted_keytab" &&
    { echo "GET succeeded for write operation!"; exit 1; }
get_keytab_POST "dNSName=${hn}&create=true" -s -o "${objdir}/extracted_keytab" ||
    { echo "Failed to get a keytab for $p with curl"; exit 1; }
${ktutil} -k "${objdir}/extracted_keytab" list --keys > extracted_keytab.rest ||
    { echo "Failed to list keytab for $p"; exit 1; }
rm -f extracted_keytab
${kadmin} ext_keytab -k extracted_keytab $p ||
    { echo "Failed to get a keytab for $p with kadmin"; exit 1; }
${ktutil} -k "${objdir}/extracted_keytab" list --keys > extracted_keytab.kadmin ||
    { echo "Failed to list keytab for $p"; exit 1; }
cmp extracted_keytab.kadmin extracted_keytab.rest ||
    { echo "Keytabs for $p don't match!"; exit 1; }

hn=bar.ns.${domain}
p=HTTP/$hn
echo "Checking materialization of virtual principal ($p)"
rm -f extracted_keytab
grant san_dnsname $hn foo@${R}
get_keytab "dNSName=${hn}&materialize=true" -sf -o "${objdir}/extracted_keytab" &&
    { echo "GET succeeded for write operation!"; exit 1; }
get_keytab_POST "dNSName=${hn}&materialize=true" -s -o "${objdir}/extracted_keytab" ||
    { echo "Failed to materialize and get a keytab for $p with curl"; exit 1; }
${ktutil} -k "${objdir}/extracted_keytab" list --keys > extracted_keytab.rest ||
    { echo "Failed to list keytab for $p"; exit 1; }
rm -f extracted_keytab
${kadmin} ext_keytab -k extracted_keytab $p ||
    { echo "Failed to get a keytab for $p with kadmin"; exit 1; }
${ktutil} -k "${objdir}/extracted_keytab" list --keys > extracted_keytab.kadmin ||
    { echo "Failed to list keytab for $p"; exit 1; }
cmp extracted_keytab.kadmin extracted_keytab.rest ||
    { echo "Keytabs for $p don't match!"; exit 1; }

echo "Starting secondary httpkadmind to test HTTP redirection"
${httpkadmind2} --primary-server-uri=http://localhost:$restport         \
    -H $server --local --local-read-only -t --daemon ||
    { echo "httpkadmind failed to start"; exit 2; }
httpkadmind2pid=`getpid httpkadmind`
ec=0

hn=def.${domain}
p=HTTP/$hn
restport=$restport2
echo "Checking principal creation at secondary yields redirect"
rm -f extracted_keytab
grant san_dnsname $hn foo@${R}
get_keytab_POST_redir "dNSName=${hn}&create=true"                           \
    -s -o "${objdir}/extracted_keytab"
${ktutil} -k "${objdir}/extracted_keytab" list --keys > extracted_keytab.rest ||
    { echo "Failed to list keytab for $p"; exit 1; }
rm -f extracted_keytab
${kadmin} ext_keytab -k extracted_keytab $p ||
    { echo "Failed to get a keytab for $p with kadmin"; exit 1; }
${ktutil} -k "${objdir}/extracted_keytab" list --keys > extracted_keytab.kadmin ||
    { echo "Failed to list keytab for $p"; exit 1; }
cmp extracted_keytab.kadmin extracted_keytab.rest ||
    { echo "Keytabs for $p don't match!"; exit 1; }

echo "killing httpkadmind (${httpkadmindpid} ${httpkadmind2pid})"
sh ${leaks_kill} httpkadmind $httpkadmindpid || ec=1
sh ${leaks_kill} httpkadmind $httpkadmind2pid || ec=1
httpkadmindpid=
httpkadmind2pid=
test $ec = 1 &&
    { echo "Error killing httpkadmind instances or memory errors found"; exit 1; }

echo "Starting primary kadmind for testing httpkadmind with remote HDB"
${kadmind} ||
    { echo "Read-write kadmind failed to start"; exit 2; }
kadmindpid=`getpid kadmind`
echo "Starting secondray (read-only) kadmind for testing httpkadmind with remote HDB"
${kadmind2} ||
    { echo "Read-only kadmind failed to start"; exit 2; }
kadmind2pid=`getpid kadmind`

# Make a ccache for use with kadmin(1)
$kimpersonate --ticket-flags=initial --ccache=$admincache -k $keytab -t aes128-cts-hmac-sha1-96  \
   -c httpkadmind/admin@${R} -s kadmin/admin@${R} ||
    { echo "failed to setup kimpersonate credentials"; exit 2; }
$adminklist -t >/dev/null ||
    { echo "failed to setup kimpersonate credentials"; exit 2; }


echo "Making PKINIT certs for KDC"
${hxtool} issue-certificate \
          --self-signed \
          --issue-ca \
          --ca-private-key=FILE:${keyfile} \
          --subject="CN=CA,DC=test,DC=h5l,DC=se" \
          --certificate="FILE:ca.crt" || exit 1
${hxtool} request-create \
         --subject="CN=kdc,DC=test,DC=h5l,DC=se" \
         --key=FILE:${keyfile2} \
         req-kdc.der || exit 1
${hxtool} issue-certificate \
          --ca-certificate=FILE:$objdir/ca.crt,${keyfile} \
          --type="pkinit-kdc" \
          --pk-init-principal="krbtgt/TEST.H5L.SE@TEST.H5L.SE" \
          --req="PKCS10:req-kdc.der" \
          --certificate="FILE:kdc.crt" || exit 1
${hxtool} request-create \
         --subject="CN=bar,DC=test,DC=h5l,DC=se" \
         --key=FILE:${keyfile2} \
         req-pkinit.der ||
         { echo "Failed to make CSR for PKINIT client cert"; exit 1; }
${hxtool} issue-certificate \
          --ca-certificate=FILE:$objdir/ca.crt,${keyfile} \
          --type="pkinit-client" \
          --pk-init-principal="host/synthesized.${domain}@$R" \
          --req="PKCS10:req-pkinit.der" \
          --lifetime=7d \
          --certificate="FILE:pkinit-synthetic.crt" ||
         { echo "Failed to make PKINIT client cert"; exit 1; }

echo "Starting kdc needed for httpkadmind authentication to kadmind"
${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; }
kdcpid=`getpid kdc`

echo "Starting httpkadmind with remote HDBs only"
restport=$restport1
${httpkadmind} -H $server -H localhost -t --daemon              \
    --writable-admin-server=$(uname -n):$admport                \
    --read-only-admin-server=$(uname -n):$admport2              \
    --kadmin-client-name=httpkadmind/admin@${R}                 \
    --kadmin-client-keytab=$keytab ||
    { echo "httpkadmind failed to start"; exit 2; }
httpkadmindpid=`getpid httpkadmind`
ec=0

hn=xyz.${domain}
p=HTTP/$hn
echo "Fetching keytab for concrete principal $p using remote HDB"
rm -f extracted_keytab*
grant san_dnsname $hn httpkadmind/admin@${R}
KRB5CCNAME=$admincache ${kadmin} ext_keytab -k extracted_keytab $p ||
    { echo "Failed to get a keytab for $p with kadmin"; exit 1; }
${ktutil} -k "${objdir}/extracted_keytab" list --keys > extracted_keytab.kadmin ||
    { echo "Failed to list keytab for $p"; exit 1; }
get_keytab "spn=${p}" -sf -o "${objdir}/extracted_keytab" ||
    { echo "Failed to get a keytab for $p with curl"; exit 1; }
${ktutil} -k "${objdir}/extracted_keytab" list --keys > extracted_keytab.rest ||
    { echo "Failed to list keytab for $p"; exit 1; }
cmp extracted_keytab.kadmin extracted_keytab.rest ||
    { echo "Keytabs for $p don't match!"; exit 1; }

hn=xyz.${domain}
p=HTTP/$hn
echo "Checking key rotation for concrete principal $p using remote HDB"
rm -f extracted_keytab*
grant san_dnsname $hn foo@${R}
get_keytab "dNSName=${hn}" -sf -o "${objdir}/extracted_keytab" ||
    { echo "Failed to get a keytab for $p with curl"; exit 1; }
${ktutil} -k "${objdir}/extracted_keytab" list --keys > extracted_keytab.rest1 ||
    { echo "Failed to list keytab for $p"; exit 1; }
test "$(grep $p extracted_keytab.rest1 | wc -l)" -eq 1 ||
    { echo "Wrong number of new keys!"; exit 1; }
get_keytab "dNSName=${hn}&rotate=true" -sf -o "${objdir}/extracted_keytab" &&
    { echo "GET succeeded for write operation!"; exit 1; }
get_keytab_POST "dNSName=${hn}&rotate=true" -s -o "${objdir}/extracted_keytab" ||
    { echo "Failed to rotate keys for $p"; exit 1; }
${ktutil} -k "${objdir}/extracted_keytab" list --keys > extracted_keytab.rest2 ||
    { echo "Failed to list keytab for $p"; exit 1; }
cmp extracted_keytab.rest1 extracted_keytab.rest2 > /dev/null &&
    { echo "Keys for $p did not change!"; exit 1; }
test "$(grep $p extracted_keytab.rest2 | wc -l)" -eq 2 ||
    { echo "Wrong number of new keys!"; exit 1; }

sh ${leaks_kill} httpkadmind $httpkadmindpid || ec=1
httpkadmindpid=

echo "Starting httpkadmind with local read-only HDB and remote read-write HDB"
${httpkadmind} -H $server -H localhost -t --daemon              \
    --local-read-only                                           \
    --writable-admin-server=$(uname -n):$admport                \
    --kadmin-client-name=httpkadmind/admin@${R}                 \
    --kadmin-client-keytab=$keytab ||
    { echo "httpkadmind failed to start"; exit 2; }
httpkadmindpid=`getpid httpkadmind`
ec=0

hn=xyz.${domain}
p=HTTP/$hn
echo "Fetching keytab for concrete principal $p using local read-only HDB"
rm -f extracted_keytab*
grant san_dnsname $hn httpkadmind/admin@${R}
KRB5CCNAME=$admincache ${kadmin} ext_keytab -k extracted_keytab $p ||
    { echo "Failed to get a keytab for $p with kadmin"; exit 1; }
${ktutil} -k "${objdir}/extracted_keytab" list --keys > extracted_keytab.kadmin ||
    { echo "Failed to list keytab for $p"; exit 1; }
get_keytab "spn=${p}" -sf -o "${objdir}/extracted_keytab" ||
    { echo "Failed to get a keytab for $p with curl"; exit 1; }
${ktutil} -k "${objdir}/extracted_keytab" list --keys > extracted_keytab.rest ||
    { echo "Failed to list keytab for $p"; exit 1; }
cmp extracted_keytab.kadmin extracted_keytab.rest ||
    { echo "Keytabs for $p don't match!"; exit 1; }

hn=xyz.${domain}
p=HTTP/$hn
echo "Checking key rotation for concrete principal $p using local read-only HDB and remote HDB"
rm -f extracted_keytab*
grant san_dnsname $hn foo@${R}
get_keytab "dNSName=${hn}" -sf -o "${objdir}/extracted_keytab" ||
    { echo "Failed to get a keytab for $p with curl"; exit 1; }
${ktutil} -k "${objdir}/extracted_keytab" list --keys > extracted_keytab.rest1 ||
    { echo "Failed to list keytab for $p"; exit 1; }
test "$(grep $p extracted_keytab.rest1 | wc -l)" -eq 2 ||
    { echo "Wrong number of new keys!"; exit 1; }
get_keytab "dNSName=${hn}&rotate=true" -sf -o "${objdir}/extracted_keytab" &&
    { echo "GET succeeded for write operation!"; exit 1; }
get_keytab_POST "dNSName=${hn}&rotate=true" -s -o "${objdir}/extracted_keytab" ||
    { echo "Failed to rotate keys for $p"; exit 1; }
${ktutil} -k "${objdir}/extracted_keytab" list --keys > extracted_keytab.rest2 ||
    { echo "Failed to list keytab for $p"; exit 1; }
cmp extracted_keytab.rest1 extracted_keytab.rest2 > /dev/null &&
    { echo "Keys for $p did not change!"; exit 1; }
test "$(grep $p extracted_keytab.rest2 | wc -l)" -eq 3 ||
    { echo "Wrong number of new keys!"; exit 1; }

echo "Checking that host services as clients can self-create"
hn=synthesized.${domain}
p=host/$hn
KRB5CCNAME=$admincache ${kadmin} get -s $p >/dev/null &&
    { echo "Internal error -- $p exists too soon"; exit 1; }
${kinit2} -C "FILE:${objdir}/pkinit-synthetic.crt,${keyfile2}" ${p}@${R} || \
    { echo "Failed to kinit with PKINIT client cert"; exit 1; }
${kgetcred2} HTTP/localhost@$R || echo WAT
rm -f extracted_keytab*
KRB5CCNAME=$cache2 \
get_keytab_POST "spn=$p&create=true" -s -o "${objdir}/extracted_keytab" ||
    { echo "Failed to create and extract host keys for self"; exit 1; }
${ktutil} -k "${objdir}/extracted_keytab" list > /dev/null ||
    { echo "Failed to create and extract host keys for self (bogus keytab)"; exit 1; }
KRB5CCNAME=$admincache ${kadmin} get -s $p >/dev/null ||
    { echo "Failed to create and extract host keys for self"; exit 1; }

echo "Checking that host services can't get other host service principals"
hn=nonexistent.${domain}
p=host/$hn
KRB5CCNAME=$cache2 \
get_keytab_POST "spn=$p&create=true" -s -o "${objdir}/extracted_keytab2" &&
    { echo "Failed to fail to create and extract host keys for other!"; exit 1; }
${ktutil} -k "${objdir}/extracted_keytab2" list > /dev/null || true
KRB5CCNAME=$admincache ${kadmin} get -s $p >/dev/null &&
    { echo "Failed to fail to create and extract host keys for other!"; exit 1; }

echo "Checking that host services can't get keys for themselves and others"
hn=synthesized.${domain}
p=host/$hn
p2=host/nonexistent.${domain}
${kinit2} -C "FILE:${objdir}/pkinit-synthetic.crt,${keyfile2}" ${p}@${R} || \
    { echo "Failed to kinit with PKINIT client cert"; exit 1; }
${kgetcred2} HTTP/localhost@$R || echo WAT
rm -f extracted_keytab*
KRB5CCNAME=$cache2 \
get_keytab_POST "spn=$p&spn=$p2&create=true" -s -o "${objdir}/extracted_keytab" &&
    { echo "Failed to fail to create and extract host keys for other!"; exit 1; }
${ktutil} -k "${objdir}/extracted_keytab2" list > /dev/null || true
KRB5CCNAME=$admincache ${kadmin} get -s $p2 >/dev/null &&
    { echo "Failed to fail to create and extract host keys for other!"; exit 1; }

echo "Checking that attributes for new principals can be configured"
hn=a-particular-hostname.test.h5l.se
p=host/$hn
${hxtool} issue-certificate \
          --ca-certificate=FILE:$objdir/ca.crt,${keyfile} \
          --type="pkinit-client" \
          --pk-init-principal="$p@$R" \
          --req="PKCS10:req-pkinit.der" \
          --lifetime=7d \
          --certificate="FILE:pkinit-synthetic.crt" ||
         { echo "Failed to make PKINIT client cert"; exit 1; }
KRB5CCNAME=$admincache ${kadmin} get -s $p >/dev/null 2>&1 &&
    { echo "Internal error -- $p exists too soon"; exit 1; }
${kinit2} -C "FILE:${objdir}/pkinit-synthetic.crt,${keyfile2}" ${p}@${R} || \
    { echo "Failed to kinit with PKINIT client cert"; exit 1; }
${kgetcred2} HTTP/localhost@$R || echo WAT
rm -f extracted_keytab*
KRB5CCNAME=$cache2 \
get_keytab_POST "spn=$p&create=true" -s -o "${objdir}/extracted_keytab" ||
    { echo "Failed to create and extract host keys for self"; exit 1; }
${ktutil} -k "${objdir}/extracted_keytab" list > /dev/null ||
    { echo "Failed to create and extract host keys for self (bogus keytab)"; exit 1; }
KRB5CCNAME=$admincache ${kadmin} get -s $p >/dev/null ||
    { echo "Failed to create and extract host keys for self"; exit 1; }
KRB5CCNAME=$admincache ${kadmin} get $p |
    grep 'Attributes:.*ok-as-delegate' > /dev/null ||
    { echo "Failed to create with configured attributes"; exit 1; }
KRB5CCNAME=$admincache ${kadmin} get $p |
    grep 'Attributes:.*no-auth-data-reqd' > /dev/null ||
    { echo "Failed to create with configured attributes"; exit 1; }

hn=other-hostname.test.h5l.se
p=host/$hn
${hxtool} issue-certificate \
          --ca-certificate=FILE:$objdir/ca.crt,${keyfile} \
          --type="pkinit-client" \
          --pk-init-principal="$p@$R" \
          --req="PKCS10:req-pkinit.der" \
          --lifetime=7d \
          --certificate="FILE:pkinit-synthetic.crt" ||
         { echo "Failed to make PKINIT client cert"; exit 1; }
KRB5CCNAME=$admincache ${kadmin} get -s $p >/dev/null 2>&1 &&
    { echo "Internal error -- $p exists too soon"; exit 1; }
${kinit2} -C "FILE:${objdir}/pkinit-synthetic.crt,${keyfile2}" ${p}@${R} || \
    { echo "Failed to kinit with PKINIT client cert"; exit 1; }
${kgetcred2} HTTP/localhost@$R || echo WAT
rm -f extracted_keytab*
KRB5CCNAME=$cache2 \
get_keytab_POST "spn=$p&create=true" -s -o "${objdir}/extracted_keytab" ||
    { echo "Failed to create and extract host keys for self"; exit 1; }
${ktutil} -k "${objdir}/extracted_keytab" list > /dev/null ||
    { echo "Failed to create and extract host keys for self (bogus keytab)"; exit 1; }
KRB5CCNAME=$admincache ${kadmin} get -s $p >/dev/null ||
    { echo "Failed to create and extract host keys for self"; exit 1; }
KRB5CCNAME=$admincache ${kadmin} get $p |
    grep 'Attributes:.*ok-as-delegate' > /dev/null &&
    { echo "Create with unexpected attributes"; exit 1; }
KRB5CCNAME=$admincache ${kadmin} get $p |
    grep 'Attributes:.*no-auth-data-reqd' > /dev/null &&
    { echo "Create with unexpected attributes"; exit 1; }

hn=a-server.prod.test.h5l.se
p=host/$hn
${hxtool} issue-certificate \
          --ca-certificate=FILE:$objdir/ca.crt,${keyfile} \
          --type="pkinit-client" \
          --pk-init-principal="$p@$R" \
          --req="PKCS10:req-pkinit.der" \
          --lifetime=7d \
          --certificate="FILE:pkinit-synthetic.crt" ||
         { echo "Failed to make PKINIT client cert"; exit 1; }
KRB5CCNAME=$admincache ${kadmin} get -s $p >/dev/null 2>&1 &&
    { echo "Internal error -- $p exists too soon"; exit 1; }
${kinit2} -C "FILE:${objdir}/pkinit-synthetic.crt,${keyfile2}" ${p}@${R} || \
    { echo "Failed to kinit with PKINIT client cert"; exit 1; }
${kgetcred2} HTTP/localhost@$R || echo WAT
rm -f extracted_keytab*
KRB5CCNAME=$cache2 \
get_keytab_POST "spn=$p&create=true" -s -o "${objdir}/extracted_keytab" ||
    { echo "Failed to create and extract host keys for self"; exit 1; }
${ktutil} -k "${objdir}/extracted_keytab" list > /dev/null ||
    { echo "Failed to create and extract host keys for self (bogus keytab)"; exit 1; }
KRB5CCNAME=$admincache ${kadmin} get -s $p >/dev/null ||
    { echo "Failed to create and extract host keys for self"; exit 1; }
KRB5CCNAME=$admincache ${kadmin} get $p |
    grep 'Attributes:.*ok-as-delegate' > /dev/null ||
    { echo "Failed to create with configured attributes"; exit 1; }
KRB5CCNAME=$admincache ${kadmin} get $p |
    grep 'Attributes:.*no-auth-data-reqd' > /dev/null ||
    { echo "Failed to create with configured attributes"; exit 1; }

hn=a-host.ns2.test.h5l.se
p=host/$hn
${hxtool} issue-certificate \
          --ca-certificate=FILE:$objdir/ca.crt,${keyfile} \
          --type="pkinit-client" \
          --pk-init-principal="$p@$R" \
          --req="PKCS10:req-pkinit.der" \
          --lifetime=7d \
          --certificate="FILE:pkinit-synthetic.crt" ||
         { echo "Failed to make PKINIT client cert"; exit 1; }
KRB5CCNAME=$admincache ${kadmin} get -s $p >/dev/null 2>&1 &&
    { echo "Internal error -- $p exists too soon"; exit 1; }
${kinit2} -C "FILE:${objdir}/pkinit-synthetic.crt,${keyfile2}" ${p}@${R} || \
    { echo "Failed to kinit with PKINIT client cert"; exit 1; }
${kgetcred2} HTTP/localhost@$R || echo WAT
rm -f extracted_keytab*
KRB5CCNAME=$cache2 \
get_keytab_POST "spn=$p&create=true" -s -o "${objdir}/extracted_keytab" ||
    { echo "Failed to create and extract host keys for self"; exit 1; }
${ktutil} -k "${objdir}/extracted_keytab" list > /dev/null ||
    { echo "Failed to create and extract host keys for self (bogus keytab)"; exit 1; }
KRB5CCNAME=$admincache ${kadmin} get -s $p >/dev/null ||
    { echo "Failed to create and extract host keys for self"; exit 1; }
KRB5CCNAME=$admincache ${kadmin} get $p |
    grep 'Attributes:.*ok-as-delegate' > /dev/null ||
    { echo "Failed to create with namespace attributes"; exit 1; }
KRB5CCNAME=$admincache ${kadmin} get $p |
    grep 'Attributes:.*no-auth-data-reqd' > /dev/null &&
    { echo "Create with unexpected attributes"; exit 1; }

grep 'Internal error' messages.log &&
    { echo "Internal errors in log"; exit 1; }

sh ${leaks_kill} test_csr_authorizer $test_csr_authorizer_pid || ec=1
sh ${leaks_kill} httpkadmind $httpkadmindpid || ec=1
sh ${leaks_kill} kadmind $kadmindpid || ec=1
sh ${leaks_kill} kadmind $kadmind2pid || ec=1
sh ${leaks_kill} kdc $kdcpid || ec=1

if [ $ec = 0 ]; then
    trap "" EXIT
    echo "Success"
fi

# TODO
#
#  - implement and test that we can materialize a principal yet leave it with
#    virtual keys
#  - test new key delay?  this one is tricky

exit $ec