#!/usr/bin/perl -w # # Tests for the keytab-backend dispatch code. # # Written by Russ Allbery # Copyright 2018 Russ Allbery # Copyright 2006-2007, 2010 # The Board of Trustees of the Leland Stanford Junior University # # SPDX-License-Identifier: MIT use strict; use vars qw($CONFIG $KADMIN $SYSLOG $TMP); use Test::More tests => 63; # Load the keytab-backend code and override various settings. my $OUTPUT; $SYSLOG = \$OUTPUT; eval { do "$ENV{C_TAP_SOURCE}/../server/keytab-backend" }; $CONFIG = "$ENV{C_TAP_SOURCE}/data/allow-extract"; $KADMIN = "$ENV{C_TAP_SOURCE}/data/fake-kadmin"; $TMP = '.'; # Run the keytab backend. sub run_backend { my (@args) = @_; my $result = ''; open (OUTPUT, '>', \$result) or die "cannot create output string: $!\n"; select OUTPUT; local $| = 1; eval { download (@args) }; my $error = $@; select STDOUT; return ($result, $error); } # The actual tests. $ENV{REMOTE_USER} = 'admin'; my ($out, $err) = run_backend (); is ($err, "keytab-backend: invalid arguments: \n", 'Fails with no arguments'); is ($OUTPUT, "invalid arguments: \n", ' and syslog matches'); is ($out, '', ' and produces no output'); ($out, $err) = run_backend ('foo', 'bar', 'baz'); is ($err, "keytab-backend: invalid arguments: foo bar baz\n", 'Fails with three arguments'); is ($OUTPUT, "invalid arguments: foo bar baz\n", ' and syslog matches'); is ($out, '', ' and produces no output'); for my $bad (qw{service service\*@example =@example host/foo+bar@example rcmd.foo@EXAMPLE host/foo/bar@EXAMPLE /bar@EXAMPLE.NET bar/@EXAMPLE.NET bar/bar@}) { ($out, $err) = run_backend ('keytab', $bad); is ($err, "keytab-backend: bad principal name $bad\n", "Invalid principal $bad"); is ($OUTPUT, "bad principal name $bad\n", ' and syslog matches'); is ($out, '', ' and produces no output'); } for my $bad (qw{service/foo@EXAMPLE.ORGA bar@EXAMPLE.NET host/example.net@EXAMPLE.ORG aservice/foo@EXAMPLE.ORG}) { ($out, $err) = run_backend ('keytab', $bad); is ($err, "keytab-backend: permission denied: admin may not retrieve $bad\n", "Permission denied for $bad"); is ($OUTPUT, "permission denied: admin may not retrieve $bad\n", ' and syslog matches'); is ($out, '', ' and produces no output'); } for my $good (qw{service/foo@EXAMPLE.ORG foo/bar@EXAMPLE.NET host/example.org@EXAMPLE.ORG}) { ($out, $err) = run_backend ($good); is ($err, '', "Success for good keytab $good"); is ($out, "$good\n", ' and the right output'); is ($OUTPUT, "keytab $good retrieved by admin\n", ' and syslog is right'); ok (! -f "$TMP/keytab$$", ' and the file is gone'); } ($out, $err) = run_backend ('keytab', 'error@EXAMPLE.ORG'); is ($err, "keytab-backend: retrieve of error\@EXAMPLE.ORG failed for" . " admin: kadmin.local exited with status 1\n", 'Good error on kadmin failure'); is ($OUTPUT, "retrieve of error\@EXAMPLE.ORG failed for admin: kadmin.local" . " exited with status 1\n", ' and syslog matches'); is ($out, '', ' and no output'); # Test a configuration failure. $CONFIG = '/path/to/bad/file'; ($out, $err) = run_backend ('get', 'service/foo@EXAMPLE.ORG'); like ($err, qr{^keytab-backend: cannot open /path/to/bad/file: }, 'Fails with bad configuration file'); like ($OUTPUT, qr{^cannot open /path/to/bad/file: }, ' and syslog matches'); is ($out, '', ' and produces no output');