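#!/bin/sh
#
# Copyright (c) 2006 - 2011 Kungliga Tekniska Högskolan
# (Royal Institute of Technology, Stockholm, Sweden).
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# 3. Neither the name of the Institute nor the names of its contributors
#    may be used to endorse or promote products derived from this software
#    without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.

# Test of Kerberos FAST armor handling.
#
# Builds a fresh database for realm TEST.H5L.SE under ${testdir}, starts a
# KDC bound to localhost, and checks that tickets can be obtained
#   - without armor,
#   - with a host ticket used as the FAST armor cache,
#   - with an anonymous ticket used as the FAST armor cache,
# and that each resulting cache reports "fast_avail".  When MIT client tools
# are installed under /usr/local/mitkerberos/bin the same checks are repeated
# with them.
#
# Arguments: $1 - optional path to krb5.conf (default ${confdir}/krb5.conf)
# Exit:      0 on success, 1 on failure, 77 when ${have_db} is false.
#
# The @...@ tokens are placeholders substituted before the script is run.
# The tool variables used below (kadmin, kdc, kinit, klist, kgetcred,
# kdestroy, rkpty, wait_kdc, leaks_kill, have_db, keytabfile, hx509_data,
# afs_no_afslog, afs_no_unlog) are not set in this file; presumably they come
# from the sourced ${env_setup} -- confirm against that file.  They are
# expanded unquoted on purpose: several of them hold a command plus options.

env_setup="@env_setup@"
confdir="@confdir@"
testdir="@testdir@"

. ${env_setup}

KRB5_CONFIG="${1-${confdir}/krb5.conf}"
export KRB5_CONFIG

logfile=${testdir}/messages.log

# Report a failed step, show the KDC log and stop.  This is a function rather
# than a string passed to eval so that ${logfile} is never re-parsed as shell
# source.
testfailed() {
    echo test failed
    cat "${logfile}"
    exit 1
}

# If there is no useful db support compile in, disable test
${have_db} || exit 77

mkdir -p "${testdir}"
# ${testdir:?} stops the script if the substitution left testdir empty;
# without it this line would expand to "rm -rf /*".
rm -rf "${testdir:?}/"*

R=TEST.H5L.SE

port=@port@

kadmin="${kadmin} -l -r $R"
kdc="${kdc} --addresses=localhost -P $port"

server=host/datan.test.h5l.se
cache="FILE:${testdir}/cache.krb5"
acache="FILE:${testdir}/acache.krb5"

kinit="${kinit} -c $cache ${afs_no_afslog}"
# akinit and aklist are derived from the already rewritten ${kinit} and
# ${klist}, so they carry "-c $cache" followed by "-c $acache".
# NOTE(review): this relies on the tools using the last -c given -- confirm.
akinit="${kinit} -c $acache ${afs_no_afslog}"
klist="${klist} -c $cache"
aklist="${klist} -c $acache"
kgetcred="${kgetcred} -c $cache"
kdestroy="${kdestroy} -c $cache ${afs_no_unlog}"

rm -f "${testdir}/${keytabfile}"
rm -f "${testdir}"/current-db*
rm -f "${testdir}"/out-*
rm -f "${testdir}"/mkey.file*

> "${logfile}"

echo Creating database
${kadmin} \
    init \
    --realm-max-ticket-life=1day \
    --realm-max-renewable-life=1month \
    ${R} || exit 1

${kadmin} add -p foo --use-defaults "foo@${R}" || exit 1
${kadmin} add -p foo --use-defaults "oldname@${R}" || exit 1
${kadmin} rename "oldname@${R}" "newname@${R}" || exit 1
${kadmin} add -p foo --use-defaults "${server}@${R}" || exit 1

echo "Doing database check"
${kadmin} check ${R} || exit 1

# Fixed password of the test principals, written with the default umask.
echo foo > "${testdir}/foopassword"

echo Starting kdc
env MallocStackLogging=1 MallocStackLoggingNoCompact=1 MallocErrorAbort=1 "MallocLogFile=${testdir}/malloc-log" \
${kdc} &
kdcpid=$!

# The EXIT trap is not installed yet, so the KDC is killed by hand here.
if ! sh ${wait_kdc} KDC "${logfile}" ; then
    kill -9 ${kdcpid}
    exit 1
fi

# From here on every exit path kills the KDC until the trap is cleared at the
# end of the script.  ${kdcpid} is expanded now, when the trap is set.
trap "kill -9 ${kdcpid}; echo signal killing kdc; exit 1;" EXIT

# testfailed exits with status 1 itself, so ec is still 0 whenever the final
# "exit $ec" is reached.
ec=0

#
# Check armor ticket
#

echo "Getting client initial tickets"; > "${logfile}"
${kinit} "--password-file=${testdir}/foopassword" "foo@$R" || \
    { ec=1 ; testfailed; }
echo "Checking for FAST avail"
${klist} --hidden | grep fast_avail > /dev/null || { exit 1; }
echo "Getting tickets"; > "${logfile}"
${kgetcred} "${server}@${R}" || { ec=1 ; testfailed; }
echo "Listing tickets"; > "${logfile}"
${klist} > /dev/null || { ec=1 ; testfailed; }
${kdestroy}

echo "Acquire host ticket to be used as an ARMOR ticket"
${akinit} "--password-file=${testdir}/foopassword" "${server}@${R}" >/dev/null || { exit 1; }
echo "Checking for FAST avail (in the FAST armor cache)"
${aklist} --hidden | grep fast_avail > /dev/null || { exit 1; }

#
# Client tests
#

echo "Getting client initial tickets with FAST armor ticket"; > "${logfile}"
${kinit} "--fast-armor-cache=${acache}" \
    "--password-file=${testdir}/foopassword" "foo@$R" || \
    { ec=1 ; testfailed; }
echo "Checking for FAST avail (in the FAST acquired cache)"
${klist} --hidden | grep fast_avail > /dev/null || { exit 1; }

echo "Getting service ticket"; > "${logfile}"
${kgetcred} "${server}@${R}" || { exit 1; }
${kdestroy}

echo "Getting client initial tickets (renamed -> not default salt) with FAST armor ticket"
${kinit} "--fast-armor-cache=${acache}" \
    "--password-file=${testdir}/foopassword" "newname@$R" || \
    { ec=1 ; testfailed; }

echo "Checking for FAST avail (in the FAST acquired cache)"
${klist} --hidden | grep fast_avail > /dev/null || { exit 1; }

echo "Getting service ticket"; > "${logfile}"
${kgetcred} "${server}@${R}" || { exit 1; }
${kdestroy}

#
# PKINIT/anon
#

echo "Getting anonymous initial tickets for armor use"
${akinit} --anonymous $R || \
    { ec=1 ; testfailed; }
echo "Checking for FAST avail (in the FAST armor cache)"
${aklist} --hidden | grep fast_avail > /dev/null || { exit 1; }

echo "Getting client initial tickets with FAST PKINIT/anon armor ticket"
${kinit} "--fast-armor-cache=${acache}" \
    "--password-file=${testdir}/foopassword" "foo@$R" || \
    { ec=1 ; testfailed; }

echo "Checking for FAST avail (in the FAST acquired cache)"
${klist} --hidden | grep fast_avail > /dev/null || { exit 1; }


#
# Use MIT client tools
#

# Fixed install prefix; the binaries found there are run against the test KDC.
mit=/usr/local/mitkerberos/bin

if [ -f "${mit}/kinit" ] ; then
    echo "Running MIT FAST tests"

    KRB5_TRACE=${logfile}
    export KRB5_TRACE

    # rkpty script that answers the password prompt of the MIT kinit.
    kinitpty=${testdir}/foopassword.rkpty
cat > "${kinitpty}" <<EOF
expect Password
password foo\n
EOF

    echo "Acquire host ticket"; > "${logfile}"
    ${rkpty} "${kinitpty}" "${mit}/kinit" -c "${acache}" "${server}@${R}" >/dev/null || { cat "${logfile}"; exit 1; }
    (${aklist} | grep "${server}" > /dev/null ) || { cat "${logfile}"; exit 1; }

    echo "Checking for FAST avail"
    ${aklist} --hidden | grep fast_avail > /dev/null || { exit 1; }

    echo "Using plain to get a initial ticket"; > "${logfile}"
    ${rkpty} "${kinitpty}" "${mit}/kinit" -c "${cache}" "foo@${R}" >/dev/null || { cat "${logfile}"; exit 1; }
    (${klist} | grep foo > /dev/null ) || { cat "${logfile}"; exit 1; }

    echo "Using FAST to get a initial ticket"; > "${logfile}"
    ${rkpty} "${kinitpty}" "${mit}/kinit" -c "${cache}" -T "${acache}" "foo@${R}" >/dev/null || { cat "${logfile}"; exit 1; }
    (${klist} | grep foo > /dev/null ) || { cat "${logfile}"; exit 1; }

    echo "Checking for FAST avail"
    ${klist} --hidden | grep fast_avail > /dev/null || { exit 1; }

    echo "Getting service ticket"; > "${logfile}"
    "${mit}/kvno" -c "${cache}" "${server}@${R}" || { cat "${logfile}" ; exit 1; }

    # Only prints the PKINIT command line; the command is not run here.
    echo "${mit}/kinit -X X509_user_identity=${hx509_data}/pkinit.crt,${hx509_data}/pkinit.key foo@${R}"

    echo "check for pkinit anonymous"; > "${logfile}"
    # The exit status of this kinit is not checked; the klist/grep on the
    # next line is what fails the test when no anonymous ticket was obtained.
    "${mit}/kinit" -c "${acache}" -n "@${R}"
    (${aklist} | grep "WELLKNOWN/ANONYMOUS@${R}" > /dev/null ) || { cat "${logfile}" ; exit 1; }

    echo "Checking for FAST avail"; > "${logfile}"
    ${aklist} --hidden | grep fast_avail > /dev/null || { cat "${logfile}" ; exit 1; }

    echo "Using FAST/PKINIT to get a initial ticket"; > "${logfile}"
    ${rkpty} "${kinitpty}" "${mit}/kinit" -c "${cache}" -T "${acache}" "foo@${R}" >/dev/null || { exit 1; }
    (${klist} | grep foo > /dev/null ) || { exit 1; }

    echo "Checking for FAST avail"; > "${logfile}"
    ${klist} --hidden | grep fast_avail > /dev/null || { exit 1; }


fi

echo "killing kdc (${kdcpid})"
sh ${leaks_kill} kdc $kdcpid || exit 1

# The KDC has been stopped by leaks_kill; clear the kill-on-exit trap.
trap "" EXIT

exit $ec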