From: Greg Hudson Date: Wed, 20 Jul 2011 05:12:10 +0000 (+0000) Subject: Add automated tests for krb5_gss_import_cred X-Git-Tag: krb5-1.10-alpha1~353 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=c70991d2de28f5f19ab0a9c1262d25c89c359725;p=krb5.git Add automated tests for krb5_gss_import_cred git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25022 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/tests/gssapi/Makefile.in b/src/tests/gssapi/Makefile.in index fe6a78ba0..2bf390106 100644 --- a/src/tests/gssapi/Makefile.in +++ b/src/tests/gssapi/Makefile.in @@ -4,19 +4,23 @@ DEFINES = -DUSE_AUTOCONF_H PROG_LIBPATH=-L$(TOPLIBD) PROG_RPATH=$(KRB5_LIBDIR) -SRCS= $(srcdir)/t_accname.c $(srcdir)/t_imp_name.c $(srcdir)/t_s4u.c \ - $(srcdir)/t_namingexts.c $(srcdir)/t_gssexts.c $(srcdir)/t_saslname.c +SRCS= $(srcdir)/t_accname.c $(srcdir)/t_imp_cred.c $(srcdir)/t_imp_name.c \ + $(srcdir)/t_s4u.c $(srcdir)/t_namingexts.c $(srcdir)/t_gssexts.c \ + $(srcdir)/t_saslname.c -OBJS= t_accname.o t_imp_name.o t_s4u.o t_namingexts.o t_gssexts.o \ - t_spnego.o t_saslname.o +OBJS= t_accname.o t_imp_cred.o t_imp_name.o t_s4u.o t_namingexts.o \ + t_gssexts.o t_spnego.o t_saslname.o -all:: t_accname t_imp_name t_s4u t_namingexts t_gssexts t_spnego t_saslname +all:: t_accname t_imp_cred t_imp_name t_s4u t_namingexts t_gssexts t_spnego \ + t_saslname -check-pytests:: t_accname t_spnego +check-pytests:: t_accname t_imp_cred t_spnego $(RUNPYTEST) $(srcdir)/t_gssapi.py $(PYTESTFLAGS) t_accname: t_accname.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS) $(CC_LINK) -o t_accname t_accname.o $(GSS_LIBS) $(KRB5_BASE_LIBS) +t_imp_cred: t_imp_cred.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS) + $(CC_LINK) -o t_imp_cred t_imp_cred.o $(GSS_LIBS) $(KRB5_BASE_LIBS) t_imp_name: t_imp_name.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS) $(CC_LINK) -o t_imp_name t_imp_name.o $(GSS_LIBS) $(KRB5_BASE_LIBS) t_s4u: t_s4u.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS) @@ -31,6 +35,6 @@ t_saslname: t_saslname.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS) $(CC_LINK) -o t_saslname t_saslname.o $(GSS_LIBS) $(KRB5_BASE_LIBS) clean:: - $(RM) t_accname t_imp_name t_s4u t_namingexts t_gssexts \ + $(RM) t_accname t_imp_cred t_imp_name t_s4u t_namingexts t_gssexts \ t_spnego t_saslname diff --git a/src/tests/gssapi/t_gssapi.py b/src/tests/gssapi/t_gssapi.py index f4dd9e3cb..32485d03b 100644 --- a/src/tests/gssapi/t_gssapi.py +++ b/src/tests/gssapi/t_gssapi.py @@ -69,10 +69,19 @@ output = realm.run_as_client(['./t_accname', 'host/-nomatch-', if 'Wrong principal in request' not in output: fail('Expected error message not seen in t_accname output') +# Test krb5_gss_import_cred. +realm.run_as_client(['./t_imp_cred', 'service1/barack']) +realm.run_as_client(['./t_imp_cred', 'service1/barack', 'service1/barack']) +realm.run_as_client(['./t_imp_cred', 'service1/andrew', 'service1/abraham']) +output = realm.run_as_client(['./t_imp_cred', 'service2/dwight'], + expected_code=1) +if 'Wrong principal in request' not in output: + fail('Expected error message not seen in t_imp_cred output') + realm.stop() -# Re-run that last test with ignore_acceptor_hostname set and the -# principal for the mismatching hostname in the keytab. +# Re-run the last acceptor name test with ignore_acceptor_hostname set +# and the principal for the mismatching hostname in the keytab. ignore_conf = { 'all' : { 'libdefaults' : { 'ignore_acceptor_hostname' : 'true' } } } realm = K5Realm(krb5_conf=ignore_conf, start_kadmind=False) @@ -81,6 +90,6 @@ realm.run_kadminl('xst host/-nomatch-') output = realm.run_as_client(['./t_accname', 'host/-nomatch-', 'host@%s' % socket.gethostname()]) if 'host/-nomatch-' not in output: - fail('Expected error message not seen in t_accname output') + fail('Expected host/-nomatch- in t_accname output') success('GSSAPI tests.') diff --git a/src/tests/gssapi/t_imp_cred.c b/src/tests/gssapi/t_imp_cred.c new file mode 100644 index 000000000..063fd9ff6 --- /dev/null +++ b/src/tests/gssapi/t_imp_cred.c @@ -0,0 +1,172 @@ +/* -*- mode: c; indent-tabs-mode: nil -*- */ +/* tests/gssapi/t_imp_cred.c - krb5_gss_import_cred test harness */ +/* + * Copyright 2011 by the Massachusetts Institute of Technology. + * All Rights Reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + */ + +/* + * Test program for krb5_gss_import_cred, intended to be run from a Python test + * script. Creates an initiator credential for the default ccache and an + * acceptor principal for the default keytab (possibly using a specified keytab + * principal), and performs a one-token context exchange using a specified + * target principal. If the exchange is successful, queries the context for + * the acceptor name and prints it. If any call is unsuccessful, displays an + * error message. Exits with status 0 if all operations are successful, or 1 + * if not. + * + * Usage: ./t_imp_cred target-princ [keytab-princ] + */ + +#include "k5-platform.h" +#include +#include + +static void +display_status(const char *m, OM_uint32 code, int type) +{ + OM_uint32 maj_stat, min_stat; + gss_buffer_desc msg; + OM_uint32 msg_ctx; + + msg_ctx = 0; + while (1) { + maj_stat = gss_display_status(&min_stat, code, + type, GSS_C_NULL_OID, + &msg_ctx, &msg); + fprintf(stderr, "%s: %s\n", m, (char *)msg.value); + (void) gss_release_buffer(&min_stat, &msg); + + if (!msg_ctx) + break; + } +} + +static void +exit_gsserr(const char *msg, OM_uint32 maj_stat, OM_uint32 min_stat) +{ + display_status(msg, maj_stat, GSS_C_GSS_CODE); + display_status(msg, min_stat, GSS_C_MECH_CODE); + exit(1); +} + +static void +exit_kerr(krb5_context context, const char *msg, krb5_error_code code) +{ + const char *errmsg; + + errmsg = krb5_get_error_message(context, code); + printf("%s: %s\n", msg, errmsg); + krb5_free_error_message(context, errmsg); + exit(1); +} + +int +main(int argc, char *argv[]) +{ + OM_uint32 minor, major; + gss_cred_id_t initiator_cred, acceptor_cred; + gss_buffer_desc buf, token, tmp; + gss_ctx_id_t initiator_context = GSS_C_NO_CONTEXT; + gss_ctx_id_t acceptor_context = GSS_C_NO_CONTEXT; + gss_name_t target_name; + krb5_context context; + krb5_ccache cc; + krb5_keytab kt; + krb5_principal princ = NULL; + krb5_error_code ret; + + if (argc < 2 || argc > 3) { + fprintf(stderr, "Usage: %s targetprinc [acceptorprinc]\n", argv[0]); + return 1; + } + + /* Import the target name as a krb5 principal name. */ + buf.value = argv[1]; + buf.length = strlen((char *)buf.value); + major = gss_import_name(&minor, &buf, (gss_OID)GSS_KRB5_NT_PRINCIPAL_NAME, + &target_name); + if (GSS_ERROR(major)) { + display_status("gss_import_name", major, minor); + return 1; + } + + /* Acquire the krb5 objects we need. */ + ret = krb5_init_context(&context); + if (ret) + exit_kerr(NULL, "krb5_init_context", ret); + ret = krb5_cc_default(context, &cc); + if (ret) + exit_kerr(context, "krb5_cc_default", ret); + ret = krb5_kt_default(context, &kt); + if (ret) + exit_kerr(context, "krb5_kt_default", ret); + if (argc >= 3) { + ret = krb5_parse_name(context, argv[2], &princ); + if (ret) + exit_kerr(context, "krb5_parse_name", ret); + } + + /* Get initiator cred. */ + major = gss_krb5_import_cred(&minor, cc, NULL, NULL, &initiator_cred); + if (GSS_ERROR(major)) + exit_gsserr("gss_krb5_import_cred (initiator)", major, minor); + + /* Get acceptor cred. */ + major = gss_krb5_import_cred(&minor, NULL, princ, kt, &acceptor_cred); + if (GSS_ERROR(major)) + exit_gsserr("gss_krb5_import_cred (acceptor)", major, minor); + + /* Create krb5 initiator context and get the first token. */ + token.value = NULL; + token.length = 0; + major = gss_init_sec_context(&minor, initiator_cred, + &initiator_context, target_name, + (gss_OID)gss_mech_krb5, + GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG, + GSS_C_INDEFINITE, GSS_C_NO_CHANNEL_BINDINGS, + GSS_C_NO_BUFFER, NULL, &token, NULL, NULL); + if (GSS_ERROR(major)) + exit_gsserr("gss_init_sec_context", major, minor); + + /* Pass the token to gss_accept_sec_context. */ + tmp.value = NULL; + tmp.length = 0; + major = gss_accept_sec_context(&minor, &acceptor_context, acceptor_cred, + &token, GSS_C_NO_CHANNEL_BINDINGS, + NULL, NULL, &tmp, NULL, NULL, NULL); + if (major != GSS_S_COMPLETE) + exit_gsserr("gss_accept_sec_context", major, minor); + + krb5_cc_close(context, cc); + krb5_kt_close(context, kt); + krb5_free_principal(context, princ); + krb5_free_context(context); + (void)gss_release_name(&minor, &target_name); + (void)gss_release_cred(&minor, &initiator_cred); + (void)gss_release_cred(&minor, &acceptor_cred); + (void)gss_delete_sec_context(&minor, &initiator_context, NULL); + (void)gss_delete_sec_context(&minor, &acceptor_context, NULL); + (void)gss_release_buffer(&minor, &token); + (void)gss_release_buffer(&minor, &tmp); + return 0; +}