1 files changed, 100 insertions, 0 deletions

diff --git a/tests/client/rekey-t.in b/tests/client/rekey-t.in
new file mode 100644
index 0000000..390a362
--- /dev/null
+++ b/tests/client/rekey-t.in
@@ -0,0 +1,100 @@
+#! /bin/sh
+#
+# Test suite for the wallet-rekey command-line client.
+#
+# Written by Russ Allbery <rra@stanford.edu>
+# Copyright 2006, 2007, 2008, 2010
+#     Board of Trustees, Leland Stanford Jr. University
+#
+# See LICENSE for licensing terms.
+
+# Load the test library.
+. "$SOURCE/tap/libtap.sh"
+. "$SOURCE/tap/kerberos.sh"
+. "$SOURCE/tap/remctl.sh"
+cd "$SOURCE"
+
+# We need a modified krb5.conf file to test wallet configuration settings in
+# krb5.conf.  Despite the hard-coding of test-k5.stanford.edu, this test isn't
+# Stanford-specific; it just matches the files that are distributed with the
+# package.
+krb5conf=
+for p in /etc/krb5.conf /usr/local/etc/krb5.conf data/krb5.conf ; do
+    if [ -r "$p" ] ; then
+        krb5conf="$p"
+        sed -e '/^[ 	]*test-k5.stanford.edu =/,/}/d' \
+            -e 's/\(default_realm.*=\) .*/\1 test-k5.stanford.edu/' \
+            -e 's/^[ 	]*wallet_.*//' \
+            -e '/^[ 	]*wallet[ 	]*=[ 	]*{/,/}/d' \
+            "$p" > ./krb5.conf
+        KRB5_CONFIG="./krb5.conf"
+        export KRB5_CONFIG
+        break
+    fi
+done
+if [ -z "$krb5conf" ] ; then
+    skip_all 'no krb5.conf found, put one in tests/data/krb5.conf'
+fi
+
+# Test setup.
+kerberos_setup
+if [ $? != 0 ] ; then
+    rm krb5.conf
+    skip_all 'Kerberos tests not configured'
+elif [ -z '@REMCTLD@' ] ; then
+    rm krb5.conf
+    skip_all 'No remctld found'
+else
+    plan 9
+fi
+remctld_start '@REMCTLD@' "$SOURCE/data/basic.conf"
+wallet="$BUILD/../client/wallet-rekey"
+
+# Rekeying should result in a merged keytab with both the old and new keys.
+cp data/fake-keytab-old keytab
+ok_program 'basic wallet-rekey' 0 '' \
+    "$wallet" -k "$principal" -p 14373 -s localhost -c fake-wallet keytab
+ktutil_list keytab klist-seen
+ktutil_list data/fake-keytab-rekey klist-good
+ok '...and the rekeyed keytab is correct' cmp klist-seen klist-good
+rm -f keytab klist-good klist-seen
+
+# Rekeying a keytab that contains no principals in the local domain should
+# produce an error message and do nothing.
+cp data/fake-keytab-foreign keytab
+ok_program 'foreign wallet-rekey' 1 'wallet: no rekeyable principals found' \
+    "$wallet" -k "$principal" -p 14373 -s localhost -c fake-wallet keytab
+ok '...and the keytab was untouched' cmp keytab data/fake-keytab-foreign
+rm -f keytab
+
+# Rekeying a keytab where we can't retrieve the principal should produce an
+# error message and abort when it's the first principal.
+cp data/fake-keytab-unknown keytab
+ok_program 'unknown wallet-rekey' 1 \
+'wallet: Unknown keytab service/real-keytab
+wallet: error rekeying for principal service/real-keytab
+wallet: aborting, keytab unchanged' \
+    "$wallet" -k "$principal" -p 14373 -s localhost -c fake-wallet keytab
+ok '...and the keytab was untouched' cmp keytab data/fake-keytab-unknown
+rm -f keytab
+
+# Rekeying a keytab where we can't retrieve a later principal should leave the
+# original keytab as keytab.old and store, in the new keytab, only the things
+# that it was able to rekey.
+cp data/fake-keytab-partial keytab
+ok_program 'partial wallet-rekey' 1 \
+'wallet: Unknown keytab service/real-keytab
+wallet: error rekeying for principal service/real-keytab
+wallet: partial failure to rekey keytab keytab, old keytab left in keytab.old'\
+    "$wallet" -k "$principal" -p 14373 -s localhost -c fake-wallet keytab
+ktutil_list keytab klist-seen
+ktutil_list data/fake-keytab-partial-result klist-good
+ok '...and the rekeyed keytab is correct' cmp klist-seen klist-good
+ok '...and the backup keytab is correct' \
+    cmp keytab.old data/fake-keytab-partial
+rm -f keytab keytab.old klist-seen klist-good
+
+# Clean up.
+rm -f autocreated krb5.conf
+remctld_stop
+kerberos_cleanup