#42 Fix impersonation tests to work properly
Closed 7 years ago by rharwood. Opened 7 years ago by simo.
simo/gssproxy fixtests  into  master

file modified
+21 -15
@@ -6,8 +6,6 @@ 

  

  int main(int argc, const char *argv[])

  {

-     char buffer[MAX_RPC_SIZE];

-     uint32_t buflen;

      gss_cred_id_t impersonator_cred_handle = GSS_C_NO_CREDENTIAL;

      gss_cred_id_t cred_handle = GSS_C_NO_CREDENTIAL;

      gss_ctx_id_t init_ctx = GSS_C_NO_CONTEXT;
@@ -15,18 +13,18 @@ 

      gss_buffer_desc in_token = GSS_C_EMPTY_BUFFER;

      gss_buffer_desc out_token = GSS_C_EMPTY_BUFFER;

      gss_name_t user_name;

+     gss_name_t proxy_name;

      gss_name_t target_name;

      gss_OID_set_desc oid_set = { 1, discard_const(gss_mech_krb5) };

      uint32_t ret_maj;

      uint32_t ret_min;

-     uint32_t time_rec;

      uint32_t flags = GSS_C_MUTUAL_FLAG | GSS_C_DELEG_FLAG;

      int ret = -1;

      bool selfhalf = false;

      bool proxyhalf = false;

      const char *deleg_ccache = NULL;

  

-     if (argc < 3) return -1;

+     if (argc < 4) return -1;

  

      ret = t_string_to_name(argv[1], &user_name, GSS_C_NT_USER_NAME);

      if (ret) {
@@ -35,7 +33,7 @@ 

          goto done;

      }

  

-     ret = t_string_to_name(argv[2], &target_name,

+     ret = t_string_to_name(argv[2], &proxy_name,

                             GSS_C_NT_HOSTBASED_SERVICE);

      if (ret) {

          DEBUG("Failed to import server name from argv[2]\n");
@@ -43,23 +41,31 @@ 

          goto done;

      }

  

-     if (argc > 3) {

-         if (strcmp(argv[3], "s4u2self") == 0) {

+     ret = t_string_to_name(argv[3], &target_name,

+                            GSS_C_NT_HOSTBASED_SERVICE);

+     if (ret) {

+         DEBUG("Failed to import server name from argv[2]\n");

+         ret = -1;

+         goto done;

+     }

+ 

+     if (argc > 4) {

+         if (strcmp(argv[4], "s4u2self") == 0) {

              selfhalf = true;

-         } else if (strcmp(argv[3], "s4u2proxy") == 0) {

+         } else if (strcmp(argv[4], "s4u2proxy") == 0) {

              proxyhalf = true;

          } else {

-             DEBUG("Invalid argument 3: %s\n", argv[3]);

+             DEBUG("Invalid argument 4: %s\n", argv[4]);

              ret = -1;

              goto done;

          }

-         if (argc < 5) {

-             DEBUG("Option %s requires additional arguments\n", argv[3]);

+         if (argc < 6) {

+             DEBUG("Option %s requires additional arguments\n", argv[4]);

              ret = -1;

              goto done;

          }

-         deleg_ccache = argv[4];

-         DEBUG("S4U2%s half [ccache %s]\n", selfhalf?"Self":"Proxy", argv[4]);

+         deleg_ccache = argv[5];

+         DEBUG("S4U2%s half [ccache %s]\n", selfhalf?"Self":"Proxy", argv[5]);

      }

  

      if (proxyhalf) {
@@ -67,7 +73,7 @@ 

          gss_key_value_set_desc cred_store = { 1, &ccelement };

  

          ret_maj = gss_acquire_cred_from(&ret_min,

-                                         GSS_C_NO_NAME,

+                                         user_name,

                                          GSS_C_INDEFINITE,

                                          &oid_set,

                                          GSS_C_INITIATE,
@@ -85,7 +91,7 @@ 

      } else {

  

          ret_maj = gss_acquire_cred(&ret_min,

-                                    GSS_C_NO_NAME,

+                                    proxy_name,

                                     GSS_C_INDEFINITE,

                                     &oid_set,

                                     GSS_C_BOTH,
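Review bot: The error path added for argv[3] reuses the message from the block above it, so a target name that fails to import is reported as `Failed to import server name from argv[2]`; it should read `DEBUG("Failed to import target name from argv[3]\n");`. The guard `if (argc < 4) return -1;` also exits without any message. The Python callers appear to treat a non-zero exit as the expected result in their negative cases, so a stale argument list would look the same as a refused impersonation; a one-line `DEBUG("Usage: ...\n");` before the return would make the difference visible in the test log. main() starts and ends outside these hunks, so whether `proxy_name` is released at `done` (and whether it is safe to release when an earlier import failed) cannot be checked from here.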

file modified
+6 -9
@@ -11,7 +11,6 @@ 

    socket = ${TESTDIR}/impersonate.socket

    mechs = krb5

    cred_store = keytab:${GSSPROXY_KEYTAB}

-   cred_store = ccache:FILE:${GSSPROXY_CLIENT_CCACHE}

    cred_store = client_keytab:${GSSPROXY_CLIENT_KEYTAB}

    allow_protocol_transition = yes

    allow_constrained_delegation = yes
@@ -21,7 +20,6 @@ 

    socket = ${TESTDIR}/impersonate-selfonly.socket

    mechs = krb5

    cred_store = keytab:${GSSPROXY_KEYTAB}

-   cred_store = ccache:FILE:${GSSPROXY_CLIENT_CCACHE}

    cred_store = client_keytab:${GSSPROXY_CLIENT_KEYTAB}

    allow_protocol_transition = yes

    euid = ${UIDNUMBER}
@@ -30,7 +28,6 @@ 

    socket = ${TESTDIR}/impersonate-proxyonly.socket

    mechs = krb5

    cred_store = keytab:${GSSPROXY_KEYTAB}

-   cred_store = ccache:FILE:${GSSPROXY_CLIENT_CCACHE}

    cred_store = client_keytab:${GSSPROXY_CLIENT_KEYTAB}

    allow_constrained_delegation = yes

    euid = ${UIDNUMBER}
@@ -78,39 +75,39 @@ 

  

      # Test all permitted

      socket = os.path.join(testdir, 'impersonate.socket')

-     cmd = ["./tests/t_impersonate", USR_NAME, conf['svc_name']]

+     cmd = ["./tests/t_impersonate", USR_NAME, HOST_GSS, PROXY_GSS]

      r = run_cmd(testdir, env, conf, "Impersonate", socket, cmd, False)

      rets.append(r)

  

      #Test fail

      socket = os.path.join(testdir, 'impersonate-proxyonly.socket')

-     cmd = ["./tests/t_impersonate", USR_NAME, conf['svc_name']]

+     cmd = ["./tests/t_impersonate", USR_NAME, HOST_GSS, PROXY_GSS]

      r = run_cmd(testdir, env, conf, "Impersonate fail self", socket, cmd, True)

      rets.append(r)

  

      #Test fail

      socket = os.path.join(testdir, 'impersonate-selfonly.socket')

-     cmd = ["./tests/t_impersonate", USR_NAME, conf['svc_name']]

+     cmd = ["./tests/t_impersonate", USR_NAME, HOST_GSS, PROXY_GSS]

      r = run_cmd(testdir, env, conf, "Impersonate fail proxy", socket, cmd, True)

      rets.append(r)

  

      #Test s4u2self half succeed

      socket = os.path.join(testdir, 'impersonate-selfonly.socket')

-     cmd = ["./tests/t_impersonate", USR_NAME, conf['svc_name'], 's4u2self',

+     cmd = ["./tests/t_impersonate", USR_NAME, HOST_GSS, PROXY_GSS, 's4u2self',

             path_prefix + 'impersonate-proxy.ccache']

      r = run_cmd(testdir, env, conf, "s4u2self delegation", socket, cmd, False)

      rets.append(r)

  

      #Test s4u2proxy half fail

      socket = os.path.join(testdir, 'impersonate-selfonly.socket')

-     cmd = ["./tests/t_impersonate", USR_NAME, PROXY_GSS, 's4u2proxy',

+     cmd = ["./tests/t_impersonate", USR_NAME, HOST_GSS, PROXY_GSS, 's4u2proxy',

             path_prefix + 'impersonate-proxy.ccache']

      r = run_cmd(testdir, env, conf, "s4u2proxy fail", socket, cmd, True)

      rets.append(r)

  

      #Test s4u2proxy half succeed

      socket = os.path.join(testdir, 'impersonate-proxyonly.socket')

-     cmd = ["./tests/t_impersonate", USR_NAME, PROXY_GSS, 's4u2proxy',

+     cmd = ["./tests/t_impersonate", USR_NAME, HOST_GSS, PROXY_GSS, 's4u2proxy',

             path_prefix + 'impersonate-proxy.ccache']

      r = run_cmd(testdir, env, conf, "s4u2proxy", socket, cmd, False)

      rets.append(r)
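Review bot: The positional arguments in each `cmd` list are undocumented and the names read crosswise: `HOST_GSS` is passed as argv[2], which t_impersonate imports into `proxy_name`, while `PROXY_GSS` is argv[3] and becomes `target_name`. A comment above the first call such as `# args: user to impersonate, impersonating service, target service [, s4u2self|s4u2proxy, ccache]` would keep a later edit from swapping them. The two bare `#Test fail` comments could also name the permission that is missing, e.g. `#Test fail: proxyonly socket lacks allow_protocol_transition` and `#Test fail: selfonly socket lacks allow_constrained_delegation`, which is what the config hunks of this file show as far as their context reaches. The enclosing function starts and ends outside the hunk.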

file modified
+1
@@ -345,6 +345,7 @@ 

  MULTI_UPN = "multi$"

  MULTI_SVC = "multi/%s" % WRAP_HOSTNAME

  HOST_SVC = "host/%s" % WRAP_HOSTNAME

+ HOST_GSS = "host@%s" % WRAP_HOSTNAME

  PROXY_SVC = "proxy/%s" % WRAP_HOSTNAME

  PROXY_GSS = "proxy@%s" % WRAP_HOSTNAME

  PROXY_KTNAME = "proxy.keytab"

Current tests worked correctly only with a primed ccache, i.e., by side
effect.
Fix them to work regardless of status and use the isolate memory ccache
feature of PR#38 to ensure no side effects.

rebased

7 years ago

rebased

7 years ago

rebased

7 years ago

Pull-Request has been closed by rharwood

7 years ago