1#!/bin/sh 2# 3# Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan 4# (Royal Institute of Technology, Stockholm, Sweden). 5# All rights reserved. 6# 7# Portions Copyright (c) 2009 Apple Inc. All rights reserved. 8# 9# Redistribution and use in source and binary forms, with or without 10# modification, are permitted provided that the following conditions 11# are met: 12# 13# 1. Redistributions of source code must retain the above copyright 14# notice, this list of conditions and the following disclaimer. 15# 16# 2. Redistributions in binary form must reproduce the above copyright 17# notice, this list of conditions and the following disclaimer in the 18# documentation and/or other materials provided with the distribution. 19# 20# 3. Neither the name of the Institute nor the names of its contributors 21# may be used to endorse or promote products derived from this software 22# without specific prior written permission. 23# 24# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 25# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 26# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 27# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 28# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 29# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 30# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 31# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 32# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 33# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 34# SUCH DAMAGE. 35 36env_setup="@env_setup@" 37confdir="@confdir@" 38testdir="@testdir@" 39 40. ${env_setup} 41 42KRB5_CONFIG="${1-${confdir}/krb5.conf}" 43export KRB5_CONFIG 44 45logfile=${testdir}/messages.log 46 47testfailed="echo test failed; cat ${logfile}; exit 1" 48 49# If there is no useful db support compile in, disable test 50${have_db} || exit 77 51 52mkdir -p "${testdir}" 53rm -rf "${testdir}/"* 54 55R=TEST.H5L.SE 56R2=TEST2.H5L.SE 57R3=TEST-HTTP.H5L.SE 58 59port=@port@ 60 61kadmin="${kadmin} -l -r $R" 62kdc="${kdc} --addresses=localhost -P $port" 63 64server=host/datan.test.h5l.se 65server2=host/computer.example.com 66serverip=host/10.11.12.13 67serveripname=host/ip.test.h5l.org 68serveripname2=host/10.11.12.14 69alias1=host/datan.example.com 70alias2=host/datan 71aliaskeytab=host/datan 72cache="FILE:${testdir}/cache.krb5" 73ocache="FILE:${testdir}/ocache.krb5" 74o2cache="FILE:${testdir}/o2cache.krb5" 75icache="FILE:${testdir}/icache.krb5" 76keytabfile=${testdir}/server.keytab 77keytab="FILE:${keytabfile}" 78ps="proxy-service@${R}" 79aesenctype="aes256-cts-hmac-sha1-96" 80 81kinit="${kinit} -c $cache ${afs_no_afslog}" 82klistA="${klist} -A" 83klist="${klist} -c $cache" 84kgetcred="${kgetcred} -c $cache" 85kgetcred_imp="${kgetcred} --out-cache=${ocache}" 86kdestroy="${kdestroy} -c $cache ${afs_no_unlog}" 87kimpersonate="${kimpersonate} -k ${keytab} --ccache=${ocache}" 88 89rm -f ${testdir}/${keytabfile} 90rm -f ${testdir}/current-db* 91rm -f ${testdir}/out-* 92rm -f ${testdir}/mkey.file* 93 94> ${logfile} 95 96echo Creating database 97${kadmin} \ 98 init \ 99 --realm-max-ticket-life=1day \ 100 --realm-max-renewable-life=1month \ 101 ${R} || exit 1 102 103${kadmin} \ 104 init \ 105 --realm-max-ticket-life=1day \ 106 --realm-max-renewable-life=1month \ 107 ${R2} || exit 1 108 109${kadmin} \ 110 init \ 111 --realm-max-ticket-life=1day \ 112 --realm-max-renewable-life=1month \ 113 ${R3} || exit 1 114 115${kadmin} cpw -r krbtgt/${R}@${R} || exit 1 116${kadmin} cpw -r krbtgt/${R}@${R} || exit 1 117${kadmin} cpw -r krbtgt/${R}@${R} || exit 1 118${kadmin} cpw -r krbtgt/${R}@${R} || exit 1 119 120${kadmin} add -p foo --use-defaults foo@${R} || exit 1 121${kadmin} add -p bar --use-defaults bar@${R} || exit 1 122${kadmin} add -p foo --use-defaults remove@${R} || exit 1 123${kadmin} add -p kaka --use-defaults ${server}@${R} || exit 1 124${kadmin} add -p kaka --use-defaults ${server}-des3@${R} || exit 1 125${kadmin} add -p kaka --use-defaults kt-des3@${R} || exit 1 126${kadmin} add -p foo --use-defaults ${ps} || exit 1 127${kadmin} modify --attributes=+trusted-for-delegation ${ps} || exit 1 128${kadmin} modify --constrained-delegation=${server} ${ps} || exit 1 129${kadmin} ext -k ${keytab} ${server}@${R} || exit 1 130${kadmin} ext -k ${keytab} ${ps} || exit 1 131 132${kadmin} add -p kaka --use-defaults ${server2}@${R2} || exit 1 133${kadmin} ext -k ${keytab} ${server2}@${R2} || exit 1 134${kadmin} add -p kaka --use-defaults ${serverip}@${R} || exit 1 135${kadmin} ext -k ${keytab} ${serverip}@${R} || exit 1 136${kadmin} add -p kaka --use-defaults ${serveripname}@${R} || exit 1 137${kadmin} ext -k ${keytab} ${serveripname}@${R} || exit 1 138${kadmin} modify --alias=${serveripname2}@${R} ${serveripname}@${R} 139${kadmin} add -p foo --use-defaults remove2@${R2} || exit 1 140 141${kadmin} add -p kaka --use-defaults ${alias1}@${R} || exit 1 142${kadmin} ext -k ${keytab} ${alias1}@${R} || exit 1 143${kadmin} modify --alias=${alias2}@${R} ${alias1}@${R} 144 145${kadmin} add -p cross1 --use-defaults krbtgt/${R2}@${R} || exit 1 146${kadmin} add -p cross2 --use-defaults krbtgt/${R}@${R2} || exit 1 147 148${kadmin} add -p foo --use-defaults pw-expire@${R} || exit 1 149${kadmin} modify --pw-expiration-time=+1day pw-expire@${R} || exit 1 150 151${kadmin} add -p foo --use-defaults foo@${R3} || exit 1 152 153echo "Check parser" 154${kadmin} add -p foo --use-defaults -- -p || exit 1 155${kadmin} delete -- -p || exit 1 156 157echo "Doing database check" 158${kadmin} check ${R} || exit 1 159${kadmin} check ${R2} || exit 1 160 161echo "Extracting enctypes" 162${ktutil} -k ${keytab} list > ${testdir}/tempfile || exit 1 163${EGREP} -v '^FILE:' ${testdir}/tempfile | ${EGREP} -v '^Vno' | ${EGREP} -v '^$' | \ 164 awk '$1 !~ /1/ { exit 1 }' || exit 1 165 166${kadmin} get foo@${R} > tempfile || exit 1 167enctypes=`grep Keytypes: tempfile | sed 's/(pw-salt)//g' | sed 's/,//g' | sed 's/Keytypes://' | sed 's/\[[0-9]*\]//g'` 168 169enctype_sans_aes=`echo $enctypes | sed 's/aes256[^ ]*//g'` 170enctype_sans_des3=`echo $enctypes | sed 's/des3-cbc-sha1//g'` 171 172echo "deleting all but des3 enctypes on kt-des3 in keytab" 173${kadmin} ext -k ${keytab} kt-des3@${R} || exit 1 174for a in ${enctype_sans_des3} ; do 175 ${ktutil} -k ${keytab} remove -p kt-des3@${R} -e $a 176done 177 178echo foo > ${testdir}/foopassword 179 180echo Starting kdc 181env MallocStackLogging=1 MallocStackLoggingNoCompact=1 MallocErrorAbort=1 MallocLogFile=${testdir}/malloc-log \ 182${kdc} & 183kdcpid=$! 184 185sh ${wait_kdc} KDC ${logfile} 186if [ "$?" != 0 ] ; then 187 kill -9 ${kdcpid} 188 exit 1 189fi 190 191trap "kill -9 ${kdcpid}; echo signal killing kdc; exit 1;" EXIT 192 193ec=0 194 195echo "Getting client initial tickets"; > ${logfile} 196${kinit} --password-file=${testdir}/foopassword foo@$R || \ 197 { ec=1 ; eval "${testfailed}"; } 198echo "Doing krbtgt key rollover"; > messages.log 199${kadmin} cpw -r --keepold krbtgt/${R}@${R} || exit 1 200echo "Getting tickets"; > messages.log 201${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } 202echo "Listing tickets"; > ${logfile} 203${klist} > /dev/null || { ec=1 ; eval "${testfailed}"; } 204${klist} -s > /dev/null || { ec=1 ; eval "${testfailed}"; } 205${test_ap_req} ${server}@${R} ${keytab} ${cache} || \ 206 { ec=1 ; eval "${testfailed}"; } 207${kdestroy} 208 209echo "Getting client initial tickets (http transport)"; > ${logfile} 210${kinit} --password-file=${testdir}/foopassword foo@${R3} || \ 211 { ec=1 ; eval "${testfailed}"; } 212${kdestroy} 213 214echo "Specific enctype"; > ${logfile} 215${kinit} --password-file=${testdir}/foopassword \ 216 -e ${aesenctype} -e ${aesenctype} \ 217 foo@$R || \ 218 { ec=1 ; eval "${testfailed}"; } 219 220for a in $enctypes; do 221 echo "Getting client initial tickets ($a)"; > ${logfile} 222 ${kinit} --enctype=$a --password-file=${testdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; } 223 echo "Getting tickets"; > ${logfile} 224 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } 225 ${test_ap_req} ${server}@${R} ${keytab} ${cache} || { ec=1 ; eval "${testfailed}"; } 226 ${kdestroy} 227done 228 229 230echo "Interactive kinit" 231 kinitpty=${testdir}/foopassword.rkpty 232cat > ${kinitpty} <<EOF 233expect Password 234password foo\n 235EOF 236 ${rkpty} ${kinitpty} ${kinit} foo@${R} >/dev/null|| { ec=1 ; eval "${testfailed}"; } 237${kdestroy} 238 239echo "Getting client initial tickets"; > ${logfile} 240${kinit} --password-file=${testdir}/foopassword foo@$R || \ 241 { ec=1 ; eval "${testfailed}"; } 242for a in $enctypes; do 243 echo "Getting tickets ($a)"; > ${logfile} 244 ${kgetcred} -e $a ${server}@${R} || { ec=1 ; eval "${testfailed}"; } 245 ${test_ap_req} ${server}@${R} ${keytab} ${cache} || \ 246 { ec=1 ; eval "${testfailed}"; } 247 ${kdestroy} --credential=${server}@${R} 248done 249${kdestroy} 250 251echo "Getting client initial tickets for cross realm case"; > ${logfile} 252${kinit} --password-file=${testdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; } 253for a in $enctypes; do 254 echo "Getting cross realm tickets ($a)"; > ${logfile} 255 ${kgetcred} -e $a ${server2}@${R2} || { ec=1 ; eval "${testfailed}"; } 256 echo " checking we we got back right ticket" 257 ${klist} | grep ${server2}@ > /dev/null || { ec=1 ; eval "${testfailed}"; } 258 echo " checking if ticket is useful" 259 ${test_ap_req} ${server2}@${R2} ${keytab} ${cache} || \ 260 { ec=1 ; eval "${testfailed}"; } 261 ${kdestroy} --credential=${server2}@${R2} 262done 263${kdestroy} 264 265echo "try all permutations"; > ${logfile} 266for a in $enctypes; do 267 echo "Getting client initial tickets ($a)"; > ${logfile} 268 ${kinit} --enctype=$a --password-file=${testdir}/foopassword foo@$R || \ 269 { ec=1 ; eval "${testfailed}"; } 270 for b in $enctypes; do 271 echo "Getting tickets ($a -> $b)"; > ${logfile} 272 ${kgetcred} -e $b ${server}@${R} || \ 273 { ec=1 ; eval "${testfailed}"; } 274 ${test_ap_req} ${server}@${R} ${keytab} ${cache} || \ 275 { ec=1 ; eval "${testfailed}"; } 276 ${kdestroy} --credential=${server}@${R} 277 done 278 ${kdestroy} 279done 280 281echo "Getting client initial tickets ip based name"; > ${logfile} 282${kinit} --password-file=${testdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; } 283echo "Getting ip based name tickets"; > ${logfile} 284${kgetcred} ${serverip}@${R} || { ec=1 ; eval "${testfailed}"; } 285echo " checking we we got back right ticket" 286${klist} | grep ${serverip}@ > /dev/null || { ec=1 ; eval "${testfailed}"; } 287echo " checking if ticket is useful" 288${test_ap_req} ${serverip}@${R} ${keytab} ${cache} || \ 289 { ec=1 ; eval "${testfailed}"; } 290${kdestroy} 291 292echo "Getting client initial tickets ip based name (alias)"; > ${logfile} 293${kinit} --password-file=${testdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; } 294for a in ${serveripname} ${serveripname2} ; do 295 echo "Getting ip based name tickets (alias) $a"; > ${logfile} 296 ${kgetcred} ${a}@${R} || { ec=1 ; eval "${testfailed}"; } 297 echo " checking we we got back right ticket" 298 ${klist} | grep ${a}@ > /dev/null || { ec=1 ; eval "${testfailed}"; } 299 echo " checking if ticket is useful" 300 ${test_ap_req} --server-any ${a}@${R} ${keytab} ${cache} || \ 301 { ec=1 ; eval "${testfailed}"; } 302done 303${kdestroy} 304 305echo "Getting server initial tickets"; > ${logfile} 306${kinit} --keytab=${keytab} ${server}@$R || { ec=1 ; eval "${testfailed}"; } 307echo "Listing tickets"; > ${logfile} 308${klist} | grep "Principal: ${server}" > /dev/null || \ 309 { ec=1 ; eval "${testfailed}"; } 310${kdestroy} 311 312echo "Getting key for key that are a subset in keytab compared to kdb" 313${kinit} --keytab=${keytab} kt-des3@${R} || { ec=1; eval "${testfailed}"; } 314${klist} | grep "Principal: kt-des3" > /dev/null || \ 315 { ec=1 ; eval "${testfailed}"; } 316${kdestroy} 317 318echo "initial tickets for deleted user test case"; > ${logfile} 319${kinit} --password-file=${testdir}/foopassword remove@$R || \ 320 { ec=1 ; eval "${testfailed}"; } 321${kadmin} delete remove@${R} || { ec=1 ; eval "${testfailed}"; } 322echo "try getting ticket with deleted user"; > ${logfile} 323${kgetcred} ${server}@${R} 2> /dev/null && { ec=1 ; eval "${testfailed}"; } 324${kdestroy} 325 326echo "cross realm case (deleted user)"; > ${logfile} 327${kinit} --password-file=${testdir}/foopassword remove2@$R2 || \ 328 { ec=1 ; eval "${testfailed}"; } 329${kgetcred} krbtgt/${R}@${R2} 2> /dev/null || \ 330 { ec=1 ; eval "${testfailed}"; } 331${kadmin} delete remove2@${R2} || exit 1 332${kgetcred} ${server}@${R} 2> /dev/null || \ 333 { ec=1 ; eval "${testfailed}"; } 334${kdestroy} 335 336echo "rename user"; > ${logfile} 337${kadmin} add -p foo --use-defaults rename@${R} || exit 1 338${kinit} --password-file=${testdir}/foopassword rename@${R} || \ 339 { ec=1 ; eval "${testfailed}"; } 340${kadmin} rename rename@${R} rename2@${R} || exit 1 341${kinit} --password-file=${testdir}/foopassword rename2@${R} || \ 342 { ec=1 ; eval "${testfailed}"; } 343${kdestroy} 344${kadmin} delete rename2@${R} || exit 1 345 346echo "rename user to another realm"; > ${logfile} 347${kadmin} add -p foo --use-defaults rename@${R} || exit 1 348${kinit} --password-file=${testdir}/foopassword rename@${R} || \ 349 { ec=1 ; eval "${testfailed}"; } 350${kadmin} rename rename@${R} rename@${R2} || exit 1 351${kinit} --password-file=${testdir}/foopassword rename@${R2} || \ 352 { ec=1 ; eval "${testfailed}"; } 353${kdestroy} 354${kadmin} delete rename@${R2} || exit 1 355 356echo deleting all but aes enctypes on krbtgt 357${kadmin} del_enctype krbtgt/${R}@${R} ${enctype_sans_aes} || exit 1 358 359echo deleting all but des enctypes on server-des3 360${kadmin} del_enctype ${server}-des3@${R} ${enctype_sans_des3} || exit 1 361${kadmin} ext -k ${keytab} ${server}-des3@${R} || exit 1 362 363echo "try all permutations (only aes)"; > ${logfile} 364for a in $enctypes; do 365 echo "Getting client initial tickets ($a)"; > ${logfile} 366 ${kinit} --enctype=$a --password-file=${testdir}/foopassword foo@${R} ||\ 367 { ec=1 ; eval "${testfailed}"; } 368 for b in $enctypes; do 369 echo "Getting tickets ($a -> $b)"; > ${logfile} 370 ${kgetcred} -e $b ${server}@${R} || \ 371 { ec=1 ; eval "${testfailed}"; } 372 ${test_ap_req} ${server}@${R} ${keytab} ${cache} || \ 373 { ec=1 ; eval "${testfailed}"; } 374 375 echo "Getting tickets ($a -> $b) (server des3 only)"; > ${logfile} 376 ${kgetcred} ${server}-des3@${R} || \ 377 { ec=1 ; eval "${testfailed}"; } 378 ${test_ap_req} ${server}-des3@${R} ${keytab} ${cache} || \ 379 { ec=1 ; eval "${testfailed}"; } 380 381 ${kdestroy} --credential=${server}@${R} 382 ${kdestroy} --credential=${server}-des3@${R} 383 done 384 ${kdestroy} 385done 386 387echo deleting all enctypes on krbtgt 388${kadmin} del_enctype krbtgt/${R}@${R} aes256-cts-hmac-sha1-96 || \ 389 { ec=1 ; eval "${testfailed}"; } 390echo "try initial ticket w/o and keys on krbtgt" 391${kinit} --password-file=${testdir}/foopassword foo@${R} 2>/dev/null && \ 392 { ec=1 ; eval "${testfailed}"; } 393echo "adding random aes key" 394${kadmin} add_enctype -r krbtgt/${R}@${R} aes256-cts-hmac-sha1-96 || \ 395 { ec=1 ; eval "${testfailed}"; } 396echo "try initial ticket with random aes key on krbtgt" 397${kinit} --password-file=${testdir}/foopassword foo@${R} || \ 398 { ec=1 ; eval "${testfailed}"; } 399${kdestroy} 400 401rsa=yes 402ecdsa=yes 403pkinit=no 404if ${hxtool} info | grep 'rsa: hx509 null RSA' > /dev/null ; then 405 rsa=no 406fi 407if ${hxtool} info | grep 'rand: not available' > /dev/null ; then 408 rsa=no 409fi 410if ${kinit} --help 2>&1 | grep "CA certificates" > /dev/null; then 411 pkinit=yes 412fi 413 414if ${hxtool} info | grep 'ecdsa: hcrypto null' > /dev/null ; then 415 ecdsa=no 416fi 417 418 419# If we support pkinit and have RSA, lets try that 420if test "$pkinit" = yes -a "$rsa" = yes ; then 421 422 echo "try anonymous pkinit"; > ${logfile} 423 ${kinit} --anonymous ${R} || \ 424 { ec=1 ; eval "${testfailed}"; } 425 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } 426 ${kdestroy} 427 428 for type in "" "--pk-use-enckey"; do 429 echo "Trying pk-init (principal in certificate) $type"; > ${logfile} 430 ${kinit} $type -C FILE:${hx509_data}/pkinit.crt,${hx509_data}/pkinit.key bar@${R} || \ 431 { ec=1 ; eval "${testfailed}"; } 432 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } 433 ${kdestroy} 434 435 echo "Trying pk-init (principal in pki-mapping) $type"; > ${logfile} 436 ${kinit} $type -C FILE:${hx509_data}/pkinit.crt,${hx509_data}/pkinit.key foo@${R} || \ 437 { ec=1 ; eval "${testfailed}"; } 438 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } 439 ${kdestroy} 440 441 echo "Trying pk-init (password protected key) $type"; > ${logfile} 442 ${kinit} $type -C FILE:${hx509_data}/pkinit.crt,${hx509_data}/pkinit-pw.key --password-file=${testdir}/foopassword foo@${R} || \ 443 { ec=1 ; eval "${testfailed}"; } 444 ${kgetcred} ${server}@${R} || \ 445 { ec=1 ; eval "${testfailed}"; } 446 ${kdestroy} 447 448 echo "Trying pk-init (proxy cert) $type"; > ${logfile} 449 ${kinit} $type -C FILE:${hx509_data}/pkinit-proxy-chain.crt,${hx509_data}/pkinit-proxy.key foo@${R} || \ 450 { ec=1 ; eval "${testfailed}"; } 451 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } 452 ${kdestroy} 453 454 done 455 456 if test "$ecdsa" = yes > /dev/null ; then 457 echo "Trying pk-init (ec certificate)" 458 > ${logfile} 459 ${kinit} -C FILE:${hx509_data}/pkinit-ec.crt,${hx509_data}/pkinit-ec.key bar@${R} || \ 460 { ec=1 ; eval "${testfailed}"; } 461 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } 462 ${kdestroy} 463 grep 'PK-INIT using ecdh' ${logfile} > /dev/null || \ 464 { ec=1 ; eval "${testfailed}"; } 465 fi 466 467else 468 echo "no pkinit (pkinit: $pkinit, rsa: $rsa)"; > ${logfile} 469fi 470 471#echo "tickets for impersonate test case"; > ${logfile} 472#${kinit} --forwardable --password-file=${testdir}/foopassword ${ps} || \ 473# { ec=1 ; eval "${testfailed}"; } 474#${kgetcred_imp} --impersonate=bar@${R} ${ps} || \ 475# { ec=1 ; eval "${testfailed}"; } 476#${test_ap_req} ${ps} ${keytab} ${ocache} || \ 477# { ec=1 ; eval "${testfailed}"; } 478#echo " negative check" 479#${kgetcred_imp} --impersonate=bar@${R} foo@${R} 2>/dev/null && \ 480# { ec=1 ; eval "${testfailed}"; } 481# 482#echo "test constrained delegation"; > ${logfile} 483#${kgetcred_imp} --forward --impersonate=bar@${R} ${ps} || \ 484# { ec=1 ; eval "${testfailed}"; } 485#${kgetcred} \ 486# --out-cache=${o2cache} \ 487# --delegation-credential-cache=${ocache} \ 488# ${server}@${R} || \ 489# { ec=1 ; eval "${testfailed}"; } 490#echo " try using the credential" 491#${test_ap_req} ${server}@${R} ${keytab} ${o2cache} || \ 492# { ec=1 ; eval "${testfailed}"; } 493#echo " negative check" 494#${kgetcred} \ 495# --out-cache=${o2cache} \ 496# --delegation-credential-cache=${ocache} \ 497# bar@${R} 2>/dev/null && \ 498# { ec=1 ; eval "${testfailed}"; } 499# 500#echo "test constrained delegation impersonation (non forward)"; > ${logfile} 501#rm -f ocache.krb5 502#${kimpersonate} -s ${ps} -c bar@${R} -t ${aesenctype} || \ 503# { ec=1 ; eval "${testfailed}"; } 504#${kgetcred} --out-cache=${o2cache} --delegation-credential-cache=${ocache} ${server}@${R} > /dev/null 2>/dev/null && \ 505# { ec=1 ; eval "${testfailed}"; } 506# 507#echo "test constrained delegation impersonation (missing KRB5SignedPath)"; > ${logfile} 508#rm -f ocache.krb5 509#${kimpersonate} -s ${ps} -c bar@${R} -t ${aesenctype} -f forwardable || \ 510# { ec=1 ; eval "${testfailed}"; } 511#${kgetcred} --out-cache=${o2cache} --delegation-credential-cache=${ocache} ${server}@${R} > /dev/null 2>/dev/null && \ 512# { ec=1 ; eval "${testfailed}"; } 513# 514#${kdestroy} 515 516echo "check renewing" > ${logfile} 517${kinit} --renewable --password-file=${testdir}/foopassword foo@$R || \ 518 { ec=1 ; eval "${testfailed}"; } 519echo "kinit -R" 520${kinit} -R || \ 521 { ec=1 ; eval "${testfailed}"; } 522echo "check renewing MIT interface" > ${logfile} 523${kinit} --renewable --password-file=${testdir}/foopassword foo@$R || \ 524 { ec=1 ; eval "${testfailed}"; } 525echo "test_renew" 526env KRB5CCNAME=${cache} ${test_renew} || \ 527 { ec=1 ; eval "${testfailed}"; } 528${kdestroy} 529 530echo "checking server aliases"; > ${logfile} 531${kinit} --password-file=${testdir}/foopassword foo@$R || \ 532 { ec=1 ; eval "${testfailed}"; } 533echo "Getting tickets"; > ${logfile} 534${kgetcred} ${alias1}@${R} || { ec=1 ; eval "${testfailed}"; } 535${kgetcred} ${alias2}@${R} || { ec=1 ; eval "${testfailed}"; } 536echo " verify entry in keytab" 537${test_ap_req} ${alias1}@${R} ${keytab} ${cache} || \ 538 { ec=1 ; eval "${testfailed}"; } 539echo " verify entry in keytab with any" 540${test_ap_req} --server-any ${alias1}@${R} ${keytab} ${cache} || \ 541 { ec=1 ; eval "${testfailed}"; } 542echo " verify failure with alias entry" 543${test_ap_req} ${alias2}@${R} ${keytab} ${cache} 2>/dev/null && \ 544 { ec=1 ; eval "${testfailed}"; } 545echo " verify alias entry in keytab with any" 546${test_ap_req} --server-any ${alias2}@${R} ${keytab} ${cache} || \ 547 { ec=1 ; eval "${testfailed}"; } 548${kdestroy} 549 550echo "testing removal of keytab" 551${ktutil} -k ${keytab} destroy || { ec=1 ; eval "${testfailed}"; } 552test -f ${keytabfile} && { ec=1 ; eval "${testfailed}"; } 553 554echo "Getting client pw expire"; > ${logfile} 555${kinit} --password-file=${testdir}/foopassword \ 556 pw-expire@${R} 2>${testdir}/kinit-log.tmp|| \ 557 { ec=1 ; eval "${testfailed}"; } 558grep 'Your password will expire' ${testdir}/kinit-log.tmp > /dev/null || \ 559 { ec=1 ; eval "${testfailed}"; } 560echo " kinit passes" 561${test_gic} --client=pw-expire@${R} --password=foo \ 562 --last-request > ${testdir}/kinit-log.tmp 2>/dev/null 563${EGREP} "^e type: 6" ${testdir}/kinit-log.tmp > /dev/null || \ 564 { ec=1 ; eval "${testfailed}"; } 565echo " test_gic passes" 566${kdestroy} 567 568echo "testing klist -A with KRB5CCNAME set" 569${kinit} --password-file=${testdir}/foopassword foo@$R || \ 570 { ec=1 ; eval "${testfailed}"; } 571export KRB5CCNAME=${cache} 572${klistA} > ${testdir}/klist-log.tmp 573grep 'Issued' ${testdir}/klist-log.tmp &> /dev/null || \ 574 { ec=1 ; eval "${testfailed}"; } 575 576echo "checking klist --json" 577KCC="${kcc_binary}" 578export KCC 579 580echo "checking klist --json" 581python -c 'import subprocess, json, os; json.loads(subprocess.check_output([os.environ["KCC"], "list", "--json"]))' || \ 582 { ec=1 ; eval "${testfailed}"; } 583 584echo "checking klist --json --list" 585python -c 'import subprocess, json, os; json.loads(subprocess.check_output([os.environ["KCC"], "list", "--list", "--json"]))' || \ 586 { ec=1 ; eval "${testfailed}"; } 587 588echo "checking klist --json -a" 589python -c 'import subprocess, json, os; json.loads(subprocess.check_output([os.environ["KCC"], "list", "-a", "--json"]))' || \ 590 { ec=1 ; eval "${testfailed}"; } 591 592echo "checking klist --json --verbose -a" 593python -c 'import subprocess, json, os; json.loads(subprocess.check_output([os.environ["KCC"], "list", "-a", "--verbose", "--json"]))' || \ 594 { ec=1 ; eval "${testfailed}"; } 595 596echo "checking klist --json -A" 597python -c 'import subprocess, json, os; json.loads(subprocess.check_output([os.environ["KCC"], "list", "-a", "--verbose", "--json"]))' || \ 598 { ec=1 ; eval "${testfailed}"; } 599 600 601${kdestroy} 602 603echo "checking klist --json" 604python -c 'import subprocess, json, os; json.loads(subprocess.check_output([os.environ["KCC"], "list", "--json"]))' || \ 605 { ec=1 ; eval "${testfailed}"; } 606 607echo "checking klist --json -l" 608python -c 'import subprocess, json, os; json.loads(subprocess.check_output([os.environ["KCC"], "list", "--list", "--json"]))' || \ 609 { ec=1 ; eval "${testfailed}"; } 610 611echo "checking klist --json --verbose" 612python -c 'import subprocess, json, os; json.loads(subprocess.check_output([os.environ["KCC"], "list", "--verbose", "--json"]))' || \ 613 { ec=1 ; eval "${testfailed}"; } 614 615 616echo "testing sendto" 617${test_sendto} --realm=${R} || \ 618 { ec=1 ; eval "${testfailed}"; } 619 620echo "testing sendto (use-large)" 621${test_sendto} --use-large --realm=${R} || \ 622 { ec=1 ; eval "${testfailed}"; } 623 624 625rm ${testdir}/kinit-log.tmp ${testdir}/klist-log.tmp 626 627echo "killing kdc (${kdcpid})" 628sh ${leaks_kill} kdc $kdcpid || exit 1 629 630trap "" EXIT 631 632exit $ec 633