#!/usr/bin/perl -w
#
# Tests for basic k5start functionality.
#
# Written by Russ Allbery <eagle@eyrie.org>
# Copyright 2021 Russ Allbery <eagle@eyrie.org>
# Copyright 2008-2010
# The Board of Trustees of the Leland Stanford Junior University
#
# SPDX-License-Identifier: MIT

use Test::More;

# The full path to the newly-built k5start client.
our $K5START = "$ENV{C_TAP_BUILD}/../commands/k5start";

# The path to our data directory, which contains the keytab to use to test.
our $DATA = "$ENV{C_TAP_BUILD}/data";

# Load our test utility programs.
require "$ENV{C_TAP_SOURCE}/libtest.pl";

# Decide whether we have the configuration to run the tests.
if (-f "$DATA/test.keytab" and -f "$DATA/test.principal") {
    plan tests => 34;
} else {
    plan skip_all => "no keytab configuration";
    exit 0;
}
my $principal = contents ("$DATA/test.principal");

# We have to generate a local krb5.conf that gets forwardable and
# proxiable tickets by default. Try to locate the local krb5.conf that
# we're supposed to use and bail if we can't find one.
my $krb5conf = $ENV{KRB5_CONFIG};
unless ($krb5conf) {
    for my $path ('/etc', '/usr/local/etc', "$ENV{C_TAP_BUILD}/data") {
        if (-r "$path/krb5.conf") {
            $krb5conf = "$path/krb5.conf";
            last;
        }
    }
}
if ($krb5conf) {
    open (CONF, '<', $krb5conf) or BAIL_OUT ("cannot open $krb5conf: $!");
    open (NEWCONF, '>', './krb5.conf')
        or BAIL_OUT ("cannot create krb5.conf: $!");
    print NEWCONF <CONF>;
    close CONF;
    print NEWCONF "\n";
    print NEWCONF "[libdefaults]\n";
    print NEWCONF " forwardable = true\n";
    print NEWCONF " proxiable = true\n";
    close NEWCONF;
    $ENV{KRB5_CONFIG} = './krb5.conf';
} else {
    BAIL_OUT ("no krb5.conf found, set KRB5_CONFIG");
}

# Don't overwrite the user's ticket cache.
$ENV{KRB5CCNAME} = 'krb5cc_test';

# Basic authentication test with forwardable and proxiable tickets.
unlink 'krb5cc_test';
my ($out, $err, $status)
    = command ($K5START, '-f', "$DATA/test.keytab", $principal);
is ($status, 0, 'Basic k5start command succeeds');
is ($err, '', ' with no errors');
like ($out, qr/^Kerberos initialization for \Q$principal\E(\@\S+)?\n\z/,
      ' and the right output');
my ($default, $service, $flags) = klist ();
like ($default, qr/^\Q$principal\E(\@\S+)?\z/, ' for the right principal');
like ($service, qr%^krbtgt/%, ' and the right service');
like ($flags, qr/F/, ' and has forwardable tickets');
like ($flags, qr/P/, ' and has proxiable tickets');

# Authentication without proxiable tickets.
unlink 'krb5cc_test';
($out, $err, $status)
    = command ($K5START, '-Pf', "$DATA/test.keytab", $principal);
is ($status, 0, 'k5start -P command succeeds');
is ($err, '', ' with no errors');
like ($out, qr/^Kerberos initialization for \Q$principal\E(\@\S+)?\n\z/,
      ' and the right output');
($default, $service, $flags) = klist ();
like ($default, qr/^\Q$principal\E(\@\S+)?\z/, ' for the right principal');
like ($service, qr%^krbtgt/%, ' and the right service');
like ($flags, qr/F/, ' and has forwardable tickets');
unlike ($flags, qr/P/, ' but not proxiable tickets');

# Authentication without forwardable tickets.
unlink 'krb5cc_test';
($out, $err, $status)
    = command ($K5START, '-F', '-f', "$DATA/test.keytab", $principal);
is ($status, 0, 'k5start -F command succeeds');
is ($err, '', ' with no errors');
like ($out, qr/^Kerberos initialization for \Q$principal\E(\@\S+)?\n\z/,
      ' and the right output');
($default, $service, $flags) = klist ();
like ($default, qr/^\Q$principal\E(\@\S+)?\z/, ' for the right principal');
like ($service, qr%^krbtgt/%, ' and the right service');
like ($flags, qr/P/, ' and has proxiable tickets');
unlike ($flags, qr/F/, ' but not forwardable tickets');

# Authentication with both flags.
unlink 'krb5cc_test';
($out, $err, $status)
    = command ($K5START, '-FPf', "$DATA/test.keytab", $principal);
is ($status, 0, 'k5start -F -P command succeeds');
is ($err, '', ' with no errors');
like ($out, qr/^Kerberos initialization for \Q$principal\E(\@\S+)?\n\z/,
      ' and the right output');
($default, $service, $flags) = klist ();
like ($default, qr/^\Q$principal\E(\@\S+)?\z/, ' for the right principal');
like ($service, qr%^krbtgt/%, ' and the right service');
unlike ($flags, qr/P/, ' but not proxiable tickets');
unlike ($flags, qr/F/, ' and not forwardable tickets');

# Test -k with a fully-qualified ticket cache name.
unlink 'krb5cc_test', 'krb5cc_test2';
($out, $err, $status)
    = command ($K5START, '-k', 'FILE:krb5cc_test2', '-f',
               "$DATA/test.keytab", $principal);
is ($status, 0, 'k5start -k command with file succeeds');
is ($err, '', ' with no errors');
like ($out, qr/^Kerberos initialization for \Q$principal\E(\@\S+)?\n\z/,
      ' and the right output');
ok (!-f 'krb5cc_test', ' and does not use KRB5CCNAME');
$ENV{KRB5CCNAME} = 'krb5cc_test2';
($default, $service, $flags) = klist ();
like ($default, qr/^\Q$principal\E(\@\S+)?\z/, ' for the right principal');
like ($service, qr%^krbtgt/%, ' and the right service');
$ENV{KRB5CCNAME} = 'krb5cc_test';
unlink 'krb5cc_test2';

# Clean up.
unlink 'krb5cc_test', 'krb5.conf';