#!/bin/bash
. ../../../prepare.inc.sh
. ../../../toolbox.inc.sh
# ---- do the actual testing ----
result=PASS
echo "++++ BEGINNING TEST" >$OUTPUTFILE
# create a keyring and attach it to the session keyring
marker "ADD KEYRING"
create_keyring --new=keyringid wibble @s
# create a key and attach it to the new keyring
marker "ADD KEY"
create_key --new=keyid user lizard gizzard $keyringid
# check that we can list the keyring
marker "LIST KEYRING"
list_keyring $keyringid
expect_keyring_rlist ringlist $keyid
# check we can read the key description
marker "CHECK VALIDATE KEY"
describe_key $keyid
expect_key_rdesc kdesc 'user@.*@lizard'
# check we can read the key's payload
marker "CHECK READ PAYLOAD"
print_key $keyid
expect_payload kpayload "gizzard"
# set a silly timeout on the key
marker "SET BIG TIMEOUT"
timeout_key $keyid 10000000
# check we can still read the key's payload
marker "CHECK READ PAYLOAD 2"
print_key $keyid
expect_payload kpayload "gizzard"
# set a small timeout on the key
marker "SET SMALL TIMEOUT"
timeout_key $keyid 2
marker "WAIT FOR TIMEOUT"
sleep_at_least 2
# check the key has expired
marker "CHECK NO READ PAYLOAD"
print_key --fail $keyid
if kernel_at_or_later_than 3.8 && kernel_older_than 3.13 &&
    ! rhel7_kernel_at_or_later_than 3.10.0-42.el7
then
    expect_error ENOKEY
else
    expect_error EKEYEXPIRED
fi
# check revocation doesn't work
marker "CHECK NO REVOKE KEY"
revoke_key --fail $keyid
expect_error EKEYEXPIRED
# check timeout setting doesn't work
marker "CHECK NO TIMEOUT KEY"
timeout_key --fail $keyid 20
expect_error EKEYEXPIRED
# remove the key we added
marker "UNLINK KEY"
unlink_key $keyid $keyringid
###############################################################################
# create a key and attach it to the new keyring
marker "ADD KEY"
create_key --new=keyid user lizard gizzard $keyringid
# set a silly timeout on the key
marker "SET BIG TIMEOUT"
timeout_key $keyid 10000000
# revoke the key
marker "REVOKE KEY"
revoke_key $keyid
# check we can no longer set the key's timeout
marker "CHECK NO SET KEY TIMEOUT"
timeout_key --fail $keyid 20
expect_error EKEYREVOKED
# remove the key we added
marker "UNLINK KEY"
unlink_key $keyid $keyringid
# set a short timeout on the keyring
marker "TIMEOUT KEYRING"
timeout_key $keyringid 1
marker "WAIT FOR KEYRING TIMEOUT"
sleep_at_least 1
# listing the expired keyring should fail
marker "CHECK NO LIST SESSION KEYRING"
list_keyring --fail $keyringid
if kernel_at_or_later_than 3.8 && kernel_older_than 3.13 &&
    ! rhel7_kernel_at_or_later_than 3.10.0-42.el7
then
    expect_error ENOKEY
else
    expect_error EKEYEXPIRED
fi
# validating the new keyring's name and type should also fail
marker "CHECK NO VALIDATE KEYRING"
describe_key --fail $keyringid
expect_error EKEYEXPIRED
# setting a new timeout on the expired keyring should also fail
marker "CHECK NO SET KEYRING TIMEOUT"
timeout_key --fail $keyringid 20
expect_error EKEYEXPIRED
# invalidating the expired keyring should also fail
marker "CHECK NO INVALIDATE KEYRING"
invalidate_key --fail $keyringid
expect_error EKEYEXPIRED
# revoking the expired keyring should also fail
marker "CHECK NO REVOKE KEYRING"
revoke_key --fail $keyringid
expect_error EKEYEXPIRED
# remove the keyring we added
marker "UNLINK KEYRING"
unlink_key $keyringid @s
echo "++++ FINISHED TEST: $result" >>$OUTPUTFILE
# --- then report the results in the database ---
toolbox_report_result $TEST $result