blob: c93b8ebe0d9c16a4dddf4b3025955d022f285704 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
|
#! /bin/sh
#
# Test suite for the wallet-rekey command-line client.
#
# Written by Russ Allbery <eagle@eyrie.org>
# Copyright 2006, 2007, 2008, 2010
# The Board of Trustees of the Leland Stanford Junior University
#
# See LICENSE for licensing terms.
# Load the test library.
. "$SOURCE/tap/libtap.sh"
. "$SOURCE/tap/kerberos.sh"
. "$SOURCE/tap/remctl.sh"
cd "$SOURCE"
# We need a modified krb5.conf file to test wallet configuration settings in
# krb5.conf. Despite the hard-coding of test-k5.stanford.edu, this test isn't
# Stanford-specific; it just matches the files that are distributed with the
# package.
krb5conf=
for p in /etc/krb5.conf /usr/local/etc/krb5.conf data/krb5.conf ; do
if [ -r "$p" ] ; then
krb5conf="$p"
sed -e '/^[ ]*test-k5.stanford.edu =/,/}/d' \
-e 's/\(default_realm.*=\) .*/\1 test-k5.stanford.edu/' \
-e 's/^[ ]*wallet_.*//' \
-e '/^[ ]*wallet[ ]*=[ ]*{/,/}/d' \
"$p" > ./krb5.conf
KRB5_CONFIG="./krb5.conf"
export KRB5_CONFIG
break
fi
done
if [ -z "$krb5conf" ] ; then
skip_all 'no krb5.conf found, put one in tests/data/krb5.conf'
fi
# Test setup.
kerberos_setup
if [ $? != 0 ] ; then
rm krb5.conf
skip_all 'Kerberos tests not configured'
elif [ -z '@REMCTLD@' ] ; then
rm krb5.conf
skip_all 'No remctld found'
else
plan 8
fi
remctld_start '@REMCTLD@' "$SOURCE/data/basic.conf"
wallet="$BUILD/../client/wallet-rekey"
# Rekeying should result in a merged keytab with both the old and new keys.
cp data/fake-keytab-old keytab
ok_program 'basic wallet-rekey' 0 '' \
"$wallet" -k "$principal" -p 14373 -s localhost -c fake-wallet keytab
ktutil_list keytab klist-seen
ktutil_list data/fake-keytab-rekey klist-good
ok '...and the rekeyed keytab is correct' cmp klist-seen klist-good
rm -f keytab klist-good klist-seen
# Rekeying a keytab that contains no principals in the local domain should
# produce an error message and do nothing.
cp data/fake-keytab-foreign keytab
ok_program 'foreign wallet-rekey' 1 'wallet: no rekeyable principals found' \
"$wallet" -k "$principal" -p 14373 -s localhost -c fake-wallet keytab
ok '...and the keytab was untouched' cmp keytab data/fake-keytab-foreign
rm -f keytab
# Rekeying a keytab where we can't retrieve the principal should produce an
# error message.
cp data/fake-keytab-unknown keytab
ok_program 'unknown wallet-rekey' 1 \
'wallet: Unknown keytab service/real-keytab
wallet: error rekeying for principal service/real-keytab
wallet: no rekeyable principals found' \
"$wallet" -k "$principal" -p 14373 -s localhost -c fake-wallet keytab
ok '...and the keytab was untouched' cmp keytab data/fake-keytab-unknown
rm -f keytab
# Rekeying a keytab where we can't retrieve a later principal should add the
# things we were able to download and produce a warning.
cp data/fake-keytab-partial keytab
ok_program 'partial wallet-rekey' 1 \
'wallet: Unknown keytab service/real-keytab
wallet: error rekeying for principal service/real-keytab'\
"$wallet" -k "$principal" -p 14373 -s localhost -c fake-wallet keytab
ktutil_list keytab klist-seen
ktutil_list data/fake-keytab-partial-result klist-good
ok '...and the rekeyed keytab is correct' cmp klist-seen klist-good
rm -f keytab klist-seen klist-good
# Clean up.
rm -f autocreated krb5.conf
remctld_stop
kerberos_cleanup
|
