| author | Russ Allbery <rra@stanford.edu> | 2010-02-18 21:31:10 -0800 | 
|---|---|---|
| committer | Russ Allbery <rra@stanford.edu> | 2010-02-18 21:31:10 -0800 | 
| commit | a24d3ac3c7e8cb68fe2268f337a4edb599d5f881 (patch) | |
| tree | d8666db4e54a4ebd1ae69ddfcc37d6ffb9a18e31 /perl/t | |
| parent | 748170660e3a7b1db4320ba9b0144da2e252cd27 (diff) | |
Support unchanging keytabs with Heimdal without remctl
Heimdal supports retrieving a keytab containing the existing keys over
the kadmin protocol.  Move the support for using remctl to retrieve an
existing keytab into Wallet::Kadmin::MIT and provide two separate
methods in the Wallet::Kadmin interface: one which rekeys and one which
doesn't.  Implement the non-rekeying interface for Heimdal.  Expand the
test suite for the unchanging keytabs to include tests for the Heimdal
method.
Diffstat (limited to 'perl/t')
| -rwxr-xr-x | perl/t/kadmin.t | 4 | ||||
| -rwxr-xr-x | perl/t/keytab.t | 127 | 
2 files changed, 88 insertions, 43 deletions
diff --git a/perl/t/kadmin.t b/perl/t/kadmin.t
index 9c49995..a29cae3 100755
--- a/perl/t/kadmin.t
+++ b/perl/t/kadmin.t
@@ -91,7 +91,7 @@ SKIP: {
     is ($kadmin->create ('wallet/one'), 1, 'Creating wallet/one works');
     is ($kadmin->exists ('wallet/one'), 1, ' and it now exists');
     unlink ('./tmp.keytab');
-    is ($kadmin->keytab ('wallet/one', './tmp.keytab'), 1,
+    is ($kadmin->keytab_rekey ('wallet/one', './tmp.keytab'), 1,
         ' and retrieving a keytab works');
     ok (-s './tmp.keytab', ' and the resulting keytab is non-zero');
     is (getcreds ('./tmp.keytab', "wallet/one\@$Wallet::Config::KEYTAB_REALM"),
@@ -101,7 +101,7 @@ SKIP: {
     # Delete the principal and confirm behavior.
     is ($kadmin->destroy ('wallet/one'), 1, 'Deleting principal works');
     is ($kadmin->exists ('wallet/one'), 0, ' and now it does not exist');
-    is ($kadmin->keytab ('wallet/one', './tmp.keytab'), undef,
+    is ($kadmin->keytab_rekey ('wallet/one', './tmp.keytab'), undef,
         ' and retrieving the keytab does not work');
     ok (! -f './tmp.keytab', ' and no file was created');
     like ($kadmin->error, qr%^error creating keytab for wallet/one%,
diff --git a/perl/t/keytab.t b/perl/t/keytab.t
index a14b63e..a702c0f 100755
--- a/perl/t/keytab.t
+++ b/perl/t/keytab.t
@@ -9,7 +9,7 @@
 # See LICENSE for licensing terms.
 use POSIX qw(strftime);
-use Test::More tests => 125;
+use Test::More tests => 135;
 use Wallet::Admin;
 use Wallet::Config;
@@ -378,12 +378,7 @@ EOO
 # Tests for unchanging support.  Skip these if we don't have a keytab or if we
 # can't find remctld.
 SKIP: {
-    skip 'no keytab configuration', 17 unless -f 't/data/test.keytab';
-    my @path = (split (':', $ENV{PATH}), '/usr/local/sbin', '/usr/sbin');
-    my ($remctld) = grep { -x $_ } map { "$_/remctld" } @path;
-    skip 'remctld not found', 17 unless $remctld;
-    eval { require Net::Remctl };
-    skip 'Net::Remctl not available', 17 if $@;
+    skip 'no keytab configuration', 27 unless -f 't/data/test.keytab';
     # Set up our configuration.
     $Wallet::Config::KEYTAB_FILE      = 't/data/test.keytab';
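Review bot: The block comment kept as context at the top of this hunk, `# Tests for unchanging support.  Skip these if we don't have a keytab or if we` / `# can't find remctld.`, is now stale: the remctld and Net::Remctl lookups are removed from the outer SKIP block, so only the presence of the keytab file gates it here, while those checks move into the MIT-only sub-block added later in this commit. Suggest `# Tests for unchanging support.  Skip these if we don't have a keytab; the` / `# MIT-specific tests below additionally need remctld and Net::Remctl.`. The new skip count of 27 cannot be checked from this hunk because the rest of the outer SKIP block lies outside it.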
@@ -406,41 +401,85 @@ SKIP: {
     ok (defined ($two), 'Creating wallet/two succeeds');
     is ($two->flag_set ('unchanging', @trace), 1, ' and setting unchanging');
-    # Now spawn our remctld server and get a ticket cache.
-    remctld_spawn ($remctld, $principal, 't/data/test.keytab',
-                   't/data/keytab.conf');
-    $ENV{KRB5CCNAME} = 'krb5cc_test';
-    getcreds ('t/data/test.keytab', $principal);
-    $ENV{KRB5CCNAME} = 'krb5cc_good';
+    # Finally we can test.  First the MIT Kerberos tests.
+  SKIP: {
+        skip 'skipping MIT unchanging tests for Heimdal', 12
+            if (lc ($Wallet::Config::KEYTAB_KRBTYPE) eq 'heimdal');
+
+        # We need remctld and Net::Remctl.
+        my @path = (split (':', $ENV{PATH}), '/usr/local/sbin', '/usr/sbin');
+        my ($remctld) = grep { -x $_ } map { "$_/remctld" } @path;
+        skip 'remctld not found', 12 unless $remctld;
+        eval { require Net::Remctl };
+        skip 'Net::Remctl not available', 12 if $@;
+
+        # Now spawn our remctld server and get a ticket cache.
+        remctld_spawn ($remctld, $principal, 't/data/test.keytab',
+                       't/data/keytab.conf');
+        $ENV{KRB5CCNAME} = 'krb5cc_test';
+        getcreds ('t/data/test.keytab', $principal);
+        $ENV{KRB5CCNAME} = 'krb5cc_good';
+
+        # Do the unchanging tests for MIT Kerberos.
+        is ($one->get (@trace), undef, 'Get without configuration fails');
+        is ($one->error, 'keytab unchanging support not configured',
+            ' with the right error');
+        $Wallet::Config::KEYTAB_REMCTL_CACHE = 'krb5cc_test';
+        is ($one->get (@trace), undef, ' and still fails without host');
+        is ($one->error, 'keytab unchanging support not configured',
+            ' with the right error');
+        $Wallet::Config::KEYTAB_REMCTL_HOST = 'localhost';
+        $Wallet::Config::KEYTAB_REMCTL_PRINCIPAL = $principal;
+        $Wallet::Config::KEYTAB_REMCTL_PORT = 14373;
+        is ($one->get (@trace), undef, ' and still fails without ACL');
+        is ($one->error,
+            "cannot retrieve keytab for wallet/one\@$realm: Access denied",
+            ' with the right error');
+        open (ACL, '>', 'test-acl') or die "cannot create test-acl: $!\n";
+        print ACL "$principal\n";
+        close ACL;
+        is ($one->get (@trace), 'Keytab for wallet/one', 'Now get works');
+        is ($ENV{KRB5CCNAME}, 'krb5cc_good',
+            ' and we did not nuke the cache name');
+        is ($one->get (@trace), 'Keytab for wallet/one',
+            ' and we get the same thing the second time');
+        is ($one->flag_clear ('unchanging', @trace), 1,
+            'Clearing the unchanging flag works');
+        my $data = $object->get (@trace);
+        ok (defined ($data), ' and getting the keytab works');
+        ok (valid ($data, 'wallet/one'), ' and the keytab is valid');
+        is ($two->get (@trace), undef, 'Get for wallet/two does not work');
+        is ($two->error,
+            "cannot retrieve keytab for wallet/two\@$realm: bite me",
+            ' with the right error');
+        is ($one->destroy (@trace), 1, 'Destroying wallet/one works');
+        is ($two->destroy (@trace), 1, ' as does destroying wallet/two');
+        remctld_stop;
+    }
-    # Finally we can test.
-    is ($one->get (@trace), undef, 'Get without configuration fails');
-    is ($one->error, 'keytab unchanging support not configured',
-        ' with the right error');
-    $Wallet::Config::KEYTAB_REMCTL_CACHE = 'krb5cc_test';
-    is ($one->get (@trace), undef, ' and still fails without host');
-    is ($one->error, 'keytab unchanging support not configured',
-        ' with the right error');
-    $Wallet::Config::KEYTAB_REMCTL_HOST = 'localhost';
-    $Wallet::Config::KEYTAB_REMCTL_PRINCIPAL = $principal;
-    $Wallet::Config::KEYTAB_REMCTL_PORT = 14373;
-    is ($one->get (@trace), undef, ' and still fails without ACL');
-    is ($one->error,
-        "cannot retrieve keytab for wallet/one\@$realm: Access denied",
-        ' with the right error');
-    open (ACL, '>', 'test-acl') or die "cannot create test-acl: $!\n";
-    print ACL "$principal\n";
-    close ACL;
-    is ($one->get (@trace), 'Keytab for wallet/one', 'Now get works');
-    is ($ENV{KRB5CCNAME}, 'krb5cc_good',
-        ' and we did not nuke the cache name');
-    is ($two->get (@trace), undef, ' but get for wallet/two does not');
-    is ($two->error,
-        "cannot retrieve keytab for wallet/two\@$realm: bite me",
-        ' with the right error');
-    is ($one->destroy (@trace), 1, 'Destroying wallet/one works');
-    is ($two->destroy (@trace), 1, ' as does destroying wallet/two');
-    remctld_stop;
+    # Now Heimdal.  Since the keytab contains timestamps, before testing for
+    # equality we have to substitute out the timestamps.
+  SKIP: {
+        skip 'skipping Heimdal unchanging tests for MIT', 10
+            if (lc ($Wallet::Config::KEYTAB_KRBTYPE) eq 'mit');
+        my $data = $one->get (@trace);
+        ok (defined $data, 'Get of unchanging keytab works');
+        ok (valid ($data, 'wallet/one'), ' and the keytab is valid');
+        my $second = $one->get (@trace);
+        ok (defined $second, ' and second retrieval also works');
+        $data =~ s/one.{8}/one\000\000\000\000\000\000\000\000/g;
+        $second =~ s/one.{8}/one\000\000\000\000\000\000\000\000/g;
+        is ($data, $second, ' and the keytab matches');
+        is ($one->flag_clear ('unchanging', @trace), 1,
+            'Clearing the unchanging flag works');
+        $data = $one->get (@trace);
+        ok (defined ($data), ' and getting the keytab works');
+        ok (valid ($data, 'wallet/one'), ' and the keytab is valid');
+        $data =~ s/one.{8}/one\000\000\000\000\000\000\000\000/g;
+        ok ($data ne $second, ' and the new keytab is different');
+        is ($one->destroy (@trace), 1, 'Destroying wallet/one works');
+        is ($two->destroy (@trace), 1, ' as does destroying wallet/two');
+    }
     # Check that history has been updated correctly.
     $history .= <<"EOO";
@@ -450,6 +489,12 @@ $date  set flag unchanging
     by $user from $host
 $date  get
     by $user from $host
+$date  get
+    by $user from $host
+$date  clear flag unchanging
+    by $user from $host
+$date  get
+    by $user from $host
 $date  destroy
     by $user from $host
 EOO
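Review bot: The three timestamp-masking substitutions in the new Heimdal SKIP block, `$data =~ s/one.{8}/one\000\000\000\000\000\000\000\000/g;` and its two siblings, run on binary keytab data without `/s`, so `.` refuses to match a 0x0a byte; any entry whose eight masked bytes happen to contain a newline is left unmasked, and `is ($data, $second, ' and the keytab matches')` then fails intermittently even though the keys are unchanged. Adding `/s` to all three (`s/one.{8}/one\000\000\000\000\000\000\000\000/gs`) removes that flakiness; whether the unanchored `one` can also hit other parts of the keytab cannot be judged from the hunk. In the MIT block, `my $data = $object->get (@trace);` reads `$object` where the parallel Heimdal block and every other call in that block use `$one`; if `$object` is a handle from an earlier test rather than wallet/one, the following `valid ($data, 'wallet/one')` check is exercising the wrong object and `my $data = $one->get (@trace);` looks intended. The relocated `open (ACL, '>', 'test-acl')` / `close ACL;` still uses a bareword handle with an unchecked close; a lexical handle with `close $fh or die` would make an ACL write failure show up as a test error instead of a confusing access-denied result. The enclosing outer SKIP block begins before this hunk.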
