author | Russ Allbery <eagle@eyrie.org> | 2020-05-17 18:34:33 -0700 |
committer | Russ Allbery <eagle@eyrie.org> | 2020-05-17 18:34:33 -0700 |
commit | 47203873c0fc284b69a6c5c8d709e90d69554637 (patch) | |
tree | eba4ed5b7626c475cff90ac760f868f4e81b65c9 | |
parent | 27662bbd5b1381e0e2b00e060bdb1c873cb22141 (diff) |
Configure Kerberos tests for CI
Install a full MIT Kerberos KDC when running CI tests with the MIT
library and generate the files required to run the full test suite.
-rw-r--r-- | .github/workflows/build.yaml | 3 | ||||
-rw-r--r-- | ci/files/mit/kadm5.acl | 1 | ||||
-rw-r--r-- | ci/files/mit/kdc.conf | 19 | ||||
-rw-r--r-- | ci/files/mit/krb5.conf | 19 | ||||
-rwxr-xr-x | ci/kdc-setup-mit | 70 |
5 files changed, 112 insertions, 0 deletions
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 1d889ea..737860c 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -33,6 +33,9 @@ jobs:
 - uses: actions/checkout@v2
 - name: install
 run: sudo ci/install
+ - name: kdc-setup-mit
+ run: sudo ci/kdc-setup-mit
+ if: matrix.kerberos == 'mit'
 - name: test
 run: ci/test
 env:
diff --git a/ci/files/mit/kadm5.acl b/ci/files/mit/kadm5.acl
new file mode 100644
index 0000000..fa14eae
--- /dev/null
+++ b/ci/files/mit/kadm5.acl
@@ -0,0 +1 @@
+test/wallet@EYRIE.ORG admci wallet/*@EYRIE.ORG
diff --git a/ci/files/mit/kdc.conf b/ci/files/mit/kdc.conf
new file mode 100644
index 0000000..7bf4e6a
--- /dev/null
+++ b/ci/files/mit/kdc.conf
@@ -0,0 +1,19 @@
+[kdcdefaults]
+ kdc_ports = 88
+ kdc_tcp_ports = 88
+ restrict_anonymous_to_tgt = true
+
+[realms]
+ MIT.TEST = {
+ database_name = /var/lib/krb5kdc/principal
+ admin_keytab = /var/lib/krb5kdc/kadm5.keytab
+ acl_file = /etc/krb5kdc/kadm5.acl
+ key_stash_file = /var/lib/krb5kdc/stash
+ max_life = 1d 1h 0m 0s
+ max_renewable_life = 7d 0h 0m 0s
+ master_key_type = aes256-cts
+ supported_enctypes = aes256-cts:normal
+ default_principal_flags = +preauth
+ pkinit_identity = FILE:/var/lib/krb5kdc/kdc.pem,/var/lib/krb5kdc/kdckey.pem
+ pkinit_anchors = FILE:/etc/krb5kdc/cacert.pem
+ }
diff --git a/ci/files/mit/krb5.conf b/ci/files/mit/krb5.conf
new file mode 100644
index 0000000..9b0d5ab
--- /dev/null
+++ b/ci/files/mit/krb5.conf
@@ -0,0 +1,19 @@
+[libdefaults]
+ default_realm = MIT.TEST
+ dns_lookup_kdc = false
+ dns_lookup_realm = false
+ rdns = false
+ renew_lifetime = 7d
+ ticket_lifetime = 25h
+
+[realms]
+ MIT.TEST = {
+ kdc = 127.0.0.1
+ master_kdc = 127.0.0.1
+ admin_server = 127.0.0.1
+ pkinit_anchors = FILE:/etc/krb5kdc/cacert.pem
+ }
+
+[logging]
+ kdc = SYSLOG:NOTICE
+ default = SYSLOG:NOTICE
diff --git a/ci/kdc-setup-mit b/ci/kdc-setup-mit
new file mode 100755
index 0000000..d4bd820
--- /dev/null
+++ b/ci/kdc-setup-mit
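Review bot: The single ACL entry grants `test/wallet@EYRIE.ORG` admin rights over `wallet/*@EYRIE.ORG`, but kdc.conf and ci/kdc-setup-mit in this same commit create the realm MIT.TEST and the keytab principal `test/wallet@MIT.TEST`, so this entry can never match the principal the tests actually authenticate as. Any test that goes through kadmin with that keytab will presumably be refused by the KDC's ACL check rather than exercising the wallet code. The line should read `test/wallet@MIT.TEST admci wallet/*@MIT.TEST`, unless the realm name is intentionally different and the tests are expected to skip their kadmin cases.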
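Review bot: `pkinit_identity` and `pkinit_anchors` in the MIT.TEST realm block of kdc.conf point at /var/lib/krb5kdc/kdc.pem, /var/lib/krb5kdc/kdckey.pem and /etc/krb5kdc/cacert.pem, and the krb5.conf hunk repeats the `pkinit_anchors` path, yet nothing in ci/kdc-setup-mit generates a CA or KDC certificate or installs those files. As far as I recall the MIT KDC logs an error and comes up without the PKINIT preauth module when the identity files are missing rather than refusing to start, so the realm will still work, but these lines are dead configuration and the KDC log will carry a spurious error on every CI run. Either add certificate generation to the setup script or drop the three lines with a comment such as `# PKINIT is not exercised by this test suite.` so the next reader does not assume PKINIT is covered.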
@@ -0,0 +1,70 @@
+#!/bin/sh
+#
+# Build a Kerberos test realm for MIT Kerberos
+#
+# This script automates the process of setting up a Kerberos test realm from
+# scratch suitable for testing pam-krb5. It is primarily intended to be run
+# from inside CI in a VM or container from the top of the wallet source tree,
+# and must be run as root. It expects to be operating on the Debian MIT
+# Kerberos package.
+#
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+#
+# SPDX-License-Identifier: MIT
+
+set -eux
+
+# Install the KDC.
+apt-get install krb5-admin-server krb5-kdc
+
+# Install its configuration files.
+cp ci/files/mit/kadm5.acl /etc/krb5kdc/kadm5.acl
+cp ci/files/mit/kdc.conf /etc/krb5kdc/kdc.conf
+cp ci/files/mit/krb5.conf /etc/krb5.conf
+
+# Add domain-realm mappings for the local host, since otherwise Heimdal and
+# MIT Kerberos may attempt to discover the realm of the local domain, and the
+# DNS server for GitHub Actions has a habit of just not responding and causing
+# the test to hang.
+cat <<EOF >>/etc/krb5.conf
+[domain_realm]
+ $(hostname -f) = MIT.TEST
+EOF
+
+# Create the basic KDC.
+kdb5_util create -s -P 'this is a test master database password'
+
+# Create and store the keytab.
+kadmin.local -q 'add_principal +requires_preauth -randkey test/wallet@MIT.TEST'
+kadmin.local -q 'ktadd -k tests/config/keytab test/wallet@MIT.TEST'
+echo 'test/wallet@MIT.TEST' >tests/config/principal
+
+# Create a user principal with a known password.
+password="iceedKaicVevjunwiwyd"
+kadmin.local -q \
+ "add_principal +requires_preauth -pw $password testuser@MIT.TEST"
+echo 'testuser@MIT.TEST' >tests/config/password
+echo "$password" >>tests/config/password
+
+# Copy some of those files to the Perl test suite.
+cp tests/config/keytab perl/t/data/test.keytab
+cp tests/config/principal perl/t/data/test.principal
+echo 'MIT.TEST' >perl/t/data/test.realm
+echo 'MIT' >perl/t/data/test.krbtype
+
+# Fix permissions on all the newly-created files.
+chmod 644 tests/config/* perl/t/data/test.*
+
+# Restart the MIT Kerberos KDC and services.
+systemctl stop krb5-kdc krb5-admin-server
+systemctl start krb5-kdc krb5-admin-server
+
+# Ensure that the KDC is running.
+for n in $(seq 1 5); do
+ if echo "$password" | kinit testuser@MIT.TEST; then
+ break
+ fi
+ sleep 1
+done
+klist
+kdestroy
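Review bot: `apt-get install krb5-admin-server krb5-kdc` near the top of the script has no `-y`, so whenever apt has to pull in dependencies it asks for confirmation, and in my experience that prompt aborts rather than defaulting to yes on a runner with no tty, unless `ci/install` has already preconfigured apt for non-interactive use; `apt-get install -y krb5-admin-server krb5-kdc` is the safe form. The header comment says the realm is "suitable for testing pam-krb5" while the next sentence says the script runs from the top of the wallet source tree, so the first sentence looks carried over and should read `# scratch suitable for testing wallet.`. `chmod 644 tests/config/* perl/t/data/test.*` makes the generated keytab and the file holding the test password world-readable; that is fine on a throwaway CI runner, but since the script already runs as root, a `chown` to the unprivileged user that runs `ci/test` would let the tests read them without relaxing the mode, and a comment stating that the permissions are deliberately loose for CI would stop someone copying this into a real deployment. The retry loop's `n` is unused and the loop falls through silently after five failures, leaving `klist` under `set -e` to fail with an unrelated "no credentials cache" message; a one-line `kinit testuser@MIT.TEST` reported as the failure would make a KDC that never came up easier to diagnose.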