#! /bin/sh
#
# Test suite for the wallet-rekey command-line client.
#
# Written by Russ Allbery <eagle@eyrie.org>
# Copyright 2018 Russ Allbery <eagle@eyrie.org>
# Copyright 2006-2008, 2010
#     The Board of Trustees of the Leland Stanford Junior University
#
# SPDX-License-Identifier: MIT

# Load the test library.
. "$C_TAP_SOURCE/tap/libtap.sh"
. "$C_TAP_SOURCE/tap/kerberos.sh"
. "$C_TAP_SOURCE/tap/remctl.sh"
cd "$C_TAP_SOURCE"

# We need a modified krb5.conf file to test wallet configuration settings in
# krb5.conf.  Despite the hard-coding of test-k5.stanford.edu, this test isn't
# Stanford-specific; it just matches the files that are distributed with the
# package.
krb5conf=
for p in /etc/krb5.conf /usr/local/etc/krb5.conf data/krb5.conf ; do
    if [ -r "$p" ] ; then
        krb5conf="$p"
        sed -e '/^[ 	]*test-k5.stanford.edu =/,/}/d' \
            -e 's/\(default_realm.*=\) .*/\1 test-k5.stanford.edu/' \
            -e 's/^[ 	]*wallet_.*//' \
            -e '/^[ 	]*wallet[ 	]*=[ 	]*{/,/}/d' \
            "$p" > ./krb5.conf
        KRB5_CONFIG="./krb5.conf"
        export KRB5_CONFIG
        break
    fi
done
if [ -z "$krb5conf" ] ; then
    skip_all 'no krb5.conf found, put one in tests/data/krb5.conf'
fi

# Test setup.
kerberos_setup
if [ $? != 0 ] ; then
    rm krb5.conf
    skip_all 'Kerberos tests not configured'
elif [ -z '@REMCTLD@' ] ; then
    rm krb5.conf
    skip_all 'No remctld found'
else
    plan 8
fi
remctld_start '@REMCTLD@' "$C_TAP_SOURCE/data/basic.conf"
wallet="$C_TAP_BUILD/../client/wallet-rekey"

# Rekeying should result in a merged keytab with both the old and new keys.
cp data/fake-keytab-old keytab
ok_program 'basic wallet-rekey' 0 '' \
    "$wallet" -k "$principal" -p 14373 -s localhost -c fake-wallet keytab
ktutil_list keytab klist-seen
ktutil_list data/fake-keytab-rekey klist-good
ok '...and the rekeyed keytab is correct' cmp klist-seen klist-good
rm -f keytab klist-good klist-seen

# Rekeying a keytab that contains no principals in the local domain should
# produce an error message and do nothing.
cp data/fake-keytab-foreign keytab
ok_program 'foreign wallet-rekey' 1 'wallet: no rekeyable principals found' \
    "$wallet" -k "$principal" -p 14373 -s localhost -c fake-wallet keytab
ok '...and the keytab was untouched' cmp keytab data/fake-keytab-foreign
rm -f keytab

# Rekeying a keytab where we can't retrieve the principal should produce an
# error message.
cp data/fake-keytab-unknown keytab
ok_program 'unknown wallet-rekey' 1 \
'wallet: Unknown keytab service/real-keytab
wallet: error rekeying for principal service/real-keytab
wallet: no rekeyable principals found' \
    "$wallet" -k "$principal" -p 14373 -s localhost -c fake-wallet keytab
ok '...and the keytab was untouched' cmp keytab data/fake-keytab-unknown
rm -f keytab

# Rekeying a keytab where we can't retrieve a later principal should add the
# things we were able to download and produce a warning.
cp data/fake-keytab-partial keytab
ok_program 'partial wallet-rekey' 1 \
'wallet: Unknown keytab service/real-keytab
wallet: error rekeying for principal service/real-keytab'\
    "$wallet" -k "$principal" -p 14373 -s localhost -c fake-wallet keytab
ktutil_list keytab klist-seen
ktutil_list data/fake-keytab-partial-result klist-good
ok '...and the rekeyed keytab is correct' cmp klist-seen klist-good
rm -f keytab klist-seen klist-good

# Clean up.
rm -f autocreated krb5.conf
remctld_stop
kerberos_cleanup