diff options
| -rw-r--r-- | perl/t/data/README | 28 | ||||
| -rwxr-xr-x | perl/t/keytab.t | 191 | 
2 files changed, 219 insertions, 0 deletions
| diff --git a/perl/t/data/README b/perl/t/data/README new file mode 100644 index 0000000..bd15903 --- /dev/null +++ b/perl/t/data/README @@ -0,0 +1,28 @@ +This directory contains additional data files needed to run some tests. + +In order to run the keytab tests, you will need to grant the test +processes access to create, download, and remove principals in a test KDC. +This should not be pointed at a production KDC!  Then, create the +following files: + +    test.keytab         Keytab for an authorized user +    test.principal      Principal of the authorized user +    test.realm          Kerberos realm in which to do testing + +This realm will also need to be configured in your local krb5.conf, +including the admin_server for the realm. + +The test process will create the principals wallet/one and wallet/two and +on success will clean up after itself.  If the test fails, they may be +left behind in the KDC. + +For MIT Kerberos, to grant appropriate permissions, add the line: + +    <principal>         admci   wallet/*@<realm> + +to the kadm5.acl file for your master KDC for the test realm and restart +kadmind.  <principal> is the principal that you are using to test with, +and <realm> is the Kerberos realm. + +Again, I do not recommend using a production realm; the test doesn't need +a production realm and it's more secure to stick to a test realm. diff --git a/perl/t/keytab.t b/perl/t/keytab.t new file mode 100755 index 0000000..5e303bb --- /dev/null +++ b/perl/t/keytab.t @@ -0,0 +1,191 @@ +#!/usr/bin/perl -w +# $Id$ +# +# t/keytab.t -- Tests for the keytab object implementation. + +use Test::More tests => 23; + +use DBD::SQLite; +use Wallet::Config; +use Wallet::Object::Keytab; +use Wallet::Server; + +# Use a local SQLite database for testing. +$Wallet::Config::DB_DRIVER = 'SQLite'; +$Wallet::Config::DB_INFO = 'wallet-db'; +unlink 'wallet-db'; + +# Some global defaults to use. +my $user = 'admin@EXAMPLE.COM'; +my $host = 'localhost'; +my @trace = ($user, $host); + +# Returns the one-line contents of a file as a string, removing the newline. +sub contents { +    my ($file) = @_; +    open (FILE, '<', $file) or die "cannot open $file: $!\n"; +    my $data = <FILE>; +    close FILE; +    chomp $data; +    return $data; +} + +# Run a command and throw away the output, returning the exit status. +sub system_quiet { +    my ($command, @args) = @_; +    my $pid = fork; +    if (not defined $pid) { +        die "cannot fork: $!\n"; +    } elsif ($pid == 0) { +        open (STDIN, '<', '/dev/null') or die "cannot reopen stdin: $!\n"; +        open (STDOUT, '>', '/dev/null') or die "cannot reopen stdout: $!\n"; +        open (STDERR, '>', '/dev/null') or die "cannot reopen stderr: $!\n"; +        exec ($command, @args) or die "cannot exec $command: $!\n"; +    } else { +        waitpid ($pid, 0); +        return $?; +    } +} + +# Create a principal out of Kerberos.  Only usable once the configuration has +# been set up. +sub create { +    my ($principal) = @_; +    my @args = ('-p', $Wallet::Config::KEYTAB_PRINCIPAL, '-k', +                '-t', $Wallet::Config::KEYTAB_FILE, +                '-r', $Wallet::Config::KEYTAB_REALM, +                '-q', "addprinc -clearpolicy -randkey $principal"); +    system_quiet ($Wallet::Config::KEYTAB_KADMIN, @args); +} + +# Destroy a principal out of Kerberos.  Only usable once the configuration has +# been set up. +sub destroy { +    my ($principal) = @_; +    my @args = ('-p', $Wallet::Config::KEYTAB_PRINCIPAL, '-k', +                '-t', $Wallet::Config::KEYTAB_FILE, +                '-r', $Wallet::Config::KEYTAB_REALM, +                '-q', "delprinc -force $principal"); +    system_quiet ($Wallet::Config::KEYTAB_KADMIN, @args); +} + +# Given a keytab file, try authenticating with kinit. +sub getcreds { +    my ($file, $principal) = @_; +    my @commands = ( +        "kinit -k -t $file $principal >/dev/null </dev/null", +        "kinit -t $file $principal >/dev/null </dev/null", +        "kinit -k -K $file $principal >/dev/null </dev/null", +    ); +    for my $command (@commands) { +        if (system ($command) == 0) { +            unlink ('keytab'); +            return 1; +        } +    } +    return 0; +} + +# Check whether a principal exists. +sub created { +    my ($principal) = @_; +    $principal .= '@' . $Wallet::Config::KEYTAB_REALM; +    local $ENV{KRB5CCNAME} = 'krb5cc_temp'; +    getcreds ('t/data/test.keytab', $Wallet::Config::KEYTAB_PRINCIPAL); +    return (system_quiet ('kvno', $principal) == 0); +} + +# Given keytab data and the principal, write it to a file and try +# authenticating using kinit. +sub valid { +    my ($keytab, $principal) = @_; +    open (KEYTAB, '>', 'keytab') or die "cannot create keytab: $!\n"; +    print KEYTAB $keytab; +    close KEYTAB; +    $principal .= '@' . $Wallet::Config::KEYTAB_REALM; +    return getcreds ('keytab', $principal); +} + +SKIP: { +    skip 'no keytab configuration', 23 unless -f 't/data/test.keytab'; + +    # Set up our configuration. +    $Wallet::Config::KEYTAB_FILE      = 't/data/test.keytab'; +    $Wallet::Config::KEYTAB_PRINCIPAL = contents ('t/data/test.principal'); +    $Wallet::Config::KEYTAB_REALM     = contents ('t/data/test.realm'); +    $Wallet::Config::KEYTAB_TMP       = '.'; +    my $realm = $Wallet::Config::KEYTAB_REALM; + +    # Clean up the principals we're going to use. +    destroy ('wallet/one'); +    destroy ('wallet/two'); + +    # Don't destroy the user's Kerberos ticket cache. +    $ENV{KRB5CCNAME} = 'krb5cc_test'; + +    # Use Wallet::Server to set up the database. +    my $server = eval { Wallet::Server->initialize ($user) }; +    is ($@, '', 'Database initialization did not die'); +    ok ($server->isa ('Wallet::Server'), ' and returned the right class'); +    my $dbh = $server->dbh; + +    # Okay, now we can test.  First, create. +    $object = eval { +        Wallet::Object::Keytab->create ('keytab', "wallet\nf", $dbh, @trace) +      }; +    is ($object, undef, 'Creating malformed principal fails'); +    is ($@, "invalid principal name wallet\nf\n", ' with the right error'); +    $object = eval { +        Wallet::Object::Keytab->create ('keytab', '', $dbh, @trace) +      }; +    is ($object, undef, 'Creating empty principal fails'); +    is ($@, "invalid principal name \n", ' with the right error'); +    $object = eval { +        Wallet::Object::Keytab->create ('keytab', 'wallet/one', $dbh, @trace) +      }; +    ok (defined ($object), 'Creating good principal succeeds'); +    ok ($object->isa ('Wallet::Object::Keytab'), ' and is the right class'); +    ok (created ('wallet/one'), ' and the principal was created'); +    create ('wallet/two'); +    $object = eval { +        Wallet::Object::Keytab->create ('keytab', 'wallet/two', $dbh, @trace) +      }; +    is ($object, undef, 'Creating an existing principal fails'); +    like ($@, qr{^error adding principal wallet/two\@\Q$realm\E: }, +          ' with the right error message'); +    destroy ('wallet/two'); + +    # Now, try retrieving the keytab. +    $object = Wallet::Object::Keytab->new ('keytab', 'wallet/one', $dbh); +    ok (defined ($object), 'Retrieving the object works'); +    ok ($object->isa ('Wallet::Object::Keytab'), ' and is the right type'); +    my $data = $object->get (@trace); +    if (defined ($data)) { +        ok (defined ($data), ' and getting the keytab works'); +    } else { +        is ($object->error, '', ' and getting the keytab works'); +    } +    ok (! -f "./keytab.$$", ' and the temporary file was cleaned up'); +    ok (valid ($data, 'wallet/one'), ' and the keytab is valid'); + +    # Test error handling on keytab retrieval. +    destroy ('wallet/one'); +    $data = $object->get (@trace); +    is ($data, undef, 'Getting a keytab for a nonexistent principal fails'); +    like ($object->error, +          qr{^error creating keytab for wallet/one\@\Q$realm\E: }, +          ' with the right error'); +    is ($object->destroy (@trace), 1, ' but we can still destroy it'); + +    # Finally, test principal deletion on object destruction. +    $object = eval { +        Wallet::Object::Keytab->create ('keytab', 'wallet/one', $dbh, @trace) +      }; +    ok (defined ($object), 'Creating good principal succeeds'); +    ok (created ('wallet/one'), ' and the principal was created'); +    is ($object->destroy (@trace), 1, ' and destroying it succeeds'); +    ok (! created ('wallet/one'), ' and now it does not exist'); + +    # Clean up. +    unlink ('wallet-db', 'krb5cc_temp', 'krb5cc_test'); +} | 
