This is an automated email from the git hooks/post-receive script.
rharwood pushed a commit to branch master
in repository gssproxy.
commit 23ff75845ad7e4df03bb1bab7becadcaa28860ef
Author: Simo Sorce <simo(a)redhat.com>
Date: Fri Jan 13 12:35:31 2017 -0500
Add more impersonation tests
Sets up separate service to test multiple configurations.
Signed-off-by: Simo Sorce <simo(a)redhat.com>
Reviewed-by: Robbie Harwood <rharwood(a)redhat.com>
---
proxy/tests/t_impersonate.c | 124 ++++++++++++++++++++++++++++++++-----------
proxy/tests/t_impersonate.py | 111 +++++++++++++++++++++++++++++++++-----
proxy/tests/testlib.py | 55 ++++++++++++++++++-
3 files changed, 244 insertions(+), 46 deletions(-)
diff --git a/proxy/tests/t_impersonate.c b/proxy/tests/t_impersonate.c
index 1e54a2b..3ff463d 100644
--- a/proxy/tests/t_impersonate.c
+++ b/proxy/tests/t_impersonate.c
@@ -2,13 +2,13 @@
#include "t_utils.h"
#include <unistd.h>
+#include <stdbool.h>
int main(int argc, const char *argv[])
{
char buffer[MAX_RPC_SIZE];
uint32_t buflen;
gss_cred_id_t impersonator_cred_handle = GSS_C_NO_CREDENTIAL;
- gss_cred_id_t user_cred_handle = GSS_C_NO_CREDENTIAL;
gss_cred_id_t cred_handle = GSS_C_NO_CREDENTIAL;
gss_ctx_id_t init_ctx = GSS_C_NO_CONTEXT;
gss_ctx_id_t accept_ctx = GSS_C_NO_CONTEXT;
@@ -20,9 +20,13 @@ int main(int argc, const char *argv[])
uint32_t ret_maj;
uint32_t ret_min;
uint32_t time_rec;
+ uint32_t flags = GSS_C_MUTUAL_FLAG | GSS_C_DELEG_FLAG;
int ret = -1;
+ bool selfhalf = false;
+ bool proxyhalf = false;
+ const char *deleg_ccache = NULL;
- if (argc != 3) return -1;
+ if (argc < 3) return -1;
ret = t_string_to_name(argv[1], &user_name, GSS_C_NT_USER_NAME);
if (ret) {
@@ -39,41 +43,100 @@ int main(int argc, const char *argv[])
goto done;
}
- ret_maj = gss_acquire_cred(&ret_min,
- GSS_C_NO_NAME,
- GSS_C_INDEFINITE,
- &oid_set,
- GSS_C_BOTH,
- &impersonator_cred_handle,
- NULL, NULL);
- if (ret_maj != GSS_S_COMPLETE) {
- DEBUG("gss_acquire_cred() failed\n");
- t_log_failure(GSS_C_NO_OID, ret_maj, ret_min);
- ret = -1;
- goto done;
+ if (argc > 3) {
+ if (strcmp(argv[3], "s4u2self") == 0) {
+ selfhalf = true;
+ } else if (strcmp(argv[3], "s4u2proxy") == 0) {
+ proxyhalf = true;
+ } else {
+ DEBUG("Invalid argument 3: %s\n", argv[3]);
+ ret = -1;
+ goto done;
+ }
+ if (argc < 5) {
+ DEBUG("Option %s requires additional arguments\n", argv[3]);
+ ret = -1;
+ goto done;
+ }
+ deleg_ccache = argv[4];
+ DEBUG("S4U2%s half [ccache %s]\n",
selfhalf?"Self":"Proxy", argv[4]);
}
- ret_maj = gss_acquire_cred_impersonate_name(&ret_min,
- impersonator_cred_handle,
- user_name,
- GSS_C_INDEFINITE,
- &oid_set,
- GSS_C_INITIATE,
- &user_cred_handle,
- NULL, NULL);
- if (ret_maj != GSS_S_COMPLETE) {
- DEBUG("gss_acquire_cred_impersonate_name() failed\n");
- t_log_failure(GSS_C_NO_OID, ret_maj, ret_min);
- ret = -1;
+ if (proxyhalf) {
+ gss_key_value_element_desc ccelement = { "ccache", deleg_ccache };
+ gss_key_value_set_desc cred_store = { 1, &ccelement };
+
+ ret_maj = gss_acquire_cred_from(&ret_min,
+ GSS_C_NO_NAME,
+ GSS_C_INDEFINITE,
+ &oid_set,
+ GSS_C_INITIATE,
+ &cred_store,
+ &cred_handle,
+ NULL, NULL);
+ if (ret_maj != GSS_S_COMPLETE) {
+ DEBUG("gss_acquire_cred_from() [s4u2proxy] failed\n");
+ t_log_failure(GSS_C_NO_OID, ret_maj, ret_min);
+ ret = -1;
+ goto done;
+ }
+
+ flags = GSS_C_MUTUAL_FLAG;
+ } else {
+
+ ret_maj = gss_acquire_cred(&ret_min,
+ GSS_C_NO_NAME,
+ GSS_C_INDEFINITE,
+ &oid_set,
+ GSS_C_BOTH,
+ &impersonator_cred_handle,
+ NULL, NULL);
+ if (ret_maj != GSS_S_COMPLETE) {
+ DEBUG("gss_acquire_cred() failed\n");
+ t_log_failure(GSS_C_NO_OID, ret_maj, ret_min);
+ ret = -1;
+ goto done;
+ }
+
+ ret_maj = gss_acquire_cred_impersonate_name(&ret_min,
+ impersonator_cred_handle,
+ user_name,
+ GSS_C_INDEFINITE,
+ &oid_set,
+ GSS_C_INITIATE,
+ &cred_handle,
+ NULL, NULL);
+ if (ret_maj != GSS_S_COMPLETE) {
+ DEBUG("gss_acquire_cred_impersonate_name() failed\n");
+ t_log_failure(GSS_C_NO_OID, ret_maj, ret_min);
+ ret = -1;
+ goto done;
+ }
+ }
+
+ if (selfhalf) {
+ gss_key_value_element_desc ccelement = { "ccache", deleg_ccache };
+ gss_key_value_set_desc cred_store = { 1, &ccelement };
+
+ ret_maj = gss_store_cred_into(&ret_min,
+ cred_handle,
+ GSS_C_INITIATE,
+ discard_const(gss_mech_krb5), 1, 0,
+ &cred_store, NULL, NULL);
+ if (ret_maj != GSS_S_COMPLETE) {
+ DEBUG("gss_store_cred_into() failed\n");
+ t_log_failure(GSS_C_NO_OID, ret_maj, ret_min);
+ ret = -1;
+ }
goto done;
}
ret_maj = gss_init_sec_context(&ret_min,
- user_cred_handle,
+ cred_handle,
&init_ctx,
target_name,
GSS_C_NO_OID,
- GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG,
+ flags,
0,
GSS_C_NO_CHANNEL_BINDINGS,
&in_token,
@@ -123,11 +186,11 @@ int main(int argc, const char *argv[])
gss_release_buffer(&ret_min, &out_token);
ret_maj = gss_init_sec_context(&ret_min,
- user_cred_handle,
+ cred_handle,
&init_ctx,
target_name,
GSS_C_NO_OID,
- GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG,
+ flags,
0,
GSS_C_NO_CHANNEL_BINDINGS,
&in_token,
@@ -147,6 +210,7 @@ int main(int argc, const char *argv[])
done:
gss_release_buffer(&ret_min, &in_token);
gss_release_buffer(&ret_min, &out_token);
+ gss_release_cred(&ret_min, &impersonator_cred_handle);
gss_release_cred(&ret_min, &cred_handle);
return ret;
}
diff --git a/proxy/tests/t_impersonate.py b/proxy/tests/t_impersonate.py
old mode 100644
new mode 100755
index 43bb084..9bfd2cd
--- a/proxy/tests/t_impersonate.py
+++ b/proxy/tests/t_impersonate.py
@@ -3,21 +3,54 @@
from testlib import *
-def run(testdir, env, conf, expected_failure=False):
- print("Testing impersonate creds...", file=sys.stderr)
- logfile = conf['logfile']
+IMPERSONATE_CONF_TEMPLATE = '''
+[gssproxy]
+ debug_level = 2
- testenv = {'KRB5CCNAME': os.path.join(testdir, 't' +
conf['prefix'] +
- '_impersonate.ccache'),
- 'KRB5_KTNAME': conf['keytab'],
- 'KRB5_TRACE': os.path.join(testdir, 't' +
conf['prefix'] +
- '_impersonate.trace'),
- 'GSS_USE_PROXY': 'yes',
- 'GSSPROXY_BEHAVIOR': 'REMOTE_FIRST'}
- testenv.update(env)
+[service/impersonate]
+ socket = ${TESTDIR}/impersonate.socket
+ mechs = krb5
+ cred_store = keytab:${GSSPROXY_KEYTAB}
+ cred_store = ccache:FILE:${GSSPROXY_CLIENT_CCACHE}
+ cred_store = client_keytab:${GSSPROXY_CLIENT_KEYTAB}
+ allow_protocol_transition = yes
+ allow_constrained_delegation = yes
+ euid = ${UIDNUMBER}
- cmd = ["./tests/t_impersonate", USR_NAME, conf['svc_name']]
- print("[COMMAND]\n%s\n[ENVIRONMENT]\n%s\n" % (cmd, env), file=logfile)
+[service/selfonly]
+ socket = ${TESTDIR}/impersonate-selfonly.socket
+ mechs = krb5
+ cred_store = keytab:${GSSPROXY_KEYTAB}
+ cred_store = ccache:FILE:${GSSPROXY_CLIENT_CCACHE}
+ cred_store = client_keytab:${GSSPROXY_CLIENT_KEYTAB}
+ allow_protocol_transition = yes
+ euid = ${UIDNUMBER}
+
+[service/proxyonly]
+ socket = ${TESTDIR}/impersonate-proxyonly.socket
+ mechs = krb5
+ cred_store = keytab:${GSSPROXY_KEYTAB}
+ cred_store = ccache:FILE:${GSSPROXY_CLIENT_CCACHE}
+ cred_store = client_keytab:${GSSPROXY_CLIENT_KEYTAB}
+ allow_constrained_delegation = yes
+ euid = ${UIDNUMBER}
+
+'''
+
+def run_cmd(testdir, env, conf, name, socket, cmd, expected_failure):
+
+ logfile = conf['logfile']
+ testenv = env.copy()
+ testenv.update({'KRB5CCNAME': os.path.join(testdir, 't' +
conf['prefix'] +
+ '_impersonate.ccache'),
+ 'KRB5_KTNAME': os.path.join(testdir, PROXY_KTNAME),
+ 'KRB5_TRACE': os.path.join(testdir, 't' +
conf['prefix'] +
+ '_impersonate.trace'),
+ 'GSS_USE_PROXY': 'yes',
+ 'GSSPROXY_SOCKET': socket,
+ 'GSSPROXY_BEHAVIOR': 'REMOTE_FIRST'})
+
+ print("[COMMAND]\n%s\n[ENVIRONMENT]\n%s\n" % (cmd, testenv), file=logfile)
logfile.flush()
p1 = subprocess.Popen(cmd, stderr=subprocess.STDOUT, stdout=logfile,
@@ -27,4 +60,54 @@ def run(testdir, env, conf, expected_failure=False):
except subprocess.TimeoutExpired:
# p1.returncode is set to None here
pass
- print_return(p1.returncode, "Impersonate", expected_failure)
+ print_return(p1.returncode, name, expected_failure)
+
+
+def run(testdir, env, conf, expected_failure=False):
+ print("Testing impersonate creds...", file=sys.stderr)
+ path_prefix = os.path.join(testdir, 't' + conf['prefix'] +
'_')
+
+ # Change gssproxy conf for our test
+ keysenv = conf["keysenv"].copy()
+ keysenv['KRB5_KTNAME'] = os.path.join(testdir, PROXY_KTNAME)
+ update_gssproxy_conf(testdir, keysenv, IMPERSONATE_CONF_TEMPLATE)
+ os.kill(conf["gpid"], signal.SIGHUP)
+ time.sleep(1) #Let gssproxy reload everything
+
+ # Test all permitted
+ socket = os.path.join(testdir, 'impersonate.socket')
+ cmd = ["./tests/t_impersonate", USR_NAME, conf['svc_name']]
+ run_cmd(testdir, env, conf, "Impersonate", socket, cmd, False)
+
+ #Test fail
+ socket = os.path.join(testdir, 'impersonate-proxyonly.socket')
+ cmd = ["./tests/t_impersonate", USR_NAME, conf['svc_name']]
+ run_cmd(testdir, env, conf, "Impersonate fail self", socket, cmd, True)
+
+ #Test fail
+ socket = os.path.join(testdir, 'impersonate-selfonly.socket')
+ cmd = ["./tests/t_impersonate", USR_NAME, conf['svc_name']]
+ run_cmd(testdir, env, conf, "Impersonate fail proxy", socket, cmd, True)
+
+ #Test s4u2self half succeed
+ socket = os.path.join(testdir, 'impersonate-selfonly.socket')
+ cmd = ["./tests/t_impersonate", USR_NAME, conf['svc_name'],
's4u2self',
+ path_prefix + 'impersonate-proxy.ccache']
+ run_cmd(testdir, env, conf, "s4u2self delegation", socket, cmd, False)
+
+ #Test s4u2proxy half fail
+ socket = os.path.join(testdir, 'impersonate-selfonly.socket')
+ cmd = ["./tests/t_impersonate", USR_NAME, PROXY_GSS, 's4u2proxy',
+ path_prefix + 'impersonate-proxy.ccache']
+ run_cmd(testdir, env, conf, "s4u2proxy fail", socket, cmd, True)
+
+ #Test s4u2proxy half succeed
+ socket = os.path.join(testdir, 'impersonate-proxyonly.socket')
+ cmd = ["./tests/t_impersonate", USR_NAME, PROXY_GSS, 's4u2proxy',
+ path_prefix + 'impersonate-proxy.ccache']
+ run_cmd(testdir, env, conf, "s4u2proxy", socket, cmd, False)
+
+ # Reset back gssproxy conf
+ update_gssproxy_conf(testdir, keysenv, GSSPROXY_CONF_TEMPLATE)
+ os.kill(conf["gpid"], signal.SIGHUP)
+ time.sleep(1) #Let gssproxy reload everything
diff --git a/proxy/tests/testlib.py b/proxy/tests/testlib.py
index 84accb1..43029e8 100755
--- a/proxy/tests/testlib.py
+++ b/proxy/tests/testlib.py
@@ -344,6 +344,43 @@ USR2_PWD = "usrpwd"
MULTI_KTNAME = "multi.gssproxy.keytab"
MULTI_UPN = "multi$"
MULTI_SVC = "multi/%s" % WRAP_HOSTNAME
+HOST_SVC = "host/%s" % WRAP_HOSTNAME
+PROXY_SVC = "proxy/%s" % WRAP_HOSTNAME
+PROXY_GSS = "proxy@%s" % WRAP_HOSTNAME
+PROXY_KTNAME = "proxy.keytab"
+
+PROXY_LDIF_TEMPLATE = """
+dn:
krbPrincipalName=${HOST_SVC}@${TESTREALM},cn=${TESTREALM},cn=${KRB5_CN},${LDAP_REALM}
+changetype: modify
+add: krbAllowedToDelegateTo
+krbAllowedToDelegateTo: ${PROXY_SVC}@${TESTREALM}
+-
+"""
+
+def authorize_to_proxy(testdir, env):
+ testlog = os.path.join(testdir, 'kerbsetup.log')
+
+ t = Template(PROXY_LDIF_TEMPLATE)
+ text = t.substitute({"HOST_SVC": HOST_SVC,
+ "PROXY_SVC": PROXY_SVC,
+ "TESTREALM": TESTREALM,
+ "LDAP_REALM": LDAP_REALM,
+ "KRB5_CN": KRB5_CN})
+ ldif = os.path.join(testdir, "ldap", "k5proxy.ldif")
+ with open(ldif, "w+") as f:
+ f.write(text)
+
+ with open(testlog, "a") as logfile:
+ lmod = subprocess.Popen(["ldapmodify", "-w", LDAP_PW,
"-H",
+ "ldap://%s" % WRAP_HOSTNAME, "-D",
+ "%s,%s" % (KRB5_USER, LDAP_REALM),
+ "-f", ldif],
+ stdout=logfile, stderr=logfile, env=env,
+ preexec_fn=os.setsid)
+
+ lmod.wait()
+ if lmod.returncode != 0:
+ raise ValueError("Proxy princ setup failed")
def setup_keys(testdir, env):
@@ -351,7 +388,8 @@ def setup_keys(testdir, env):
svc_name = "host/%s" % WRAP_HOSTNAME
svc_keytab = os.path.join(testdir, SVC_KTNAME)
- cmd = "addprinc -randkey -e %s %s" % (KEY_TYPE, svc_name)
+ cmd = "addprinc -randkey -e %s +ok_to_auth_as_delegate %s" % (KEY_TYPE,
+ svc_name)
with (open(testlog, 'a')) as logfile:
kadmin_local(cmd, env, logfile)
cmd = "ktadd -k %s -e %s %s" % (svc_keytab, KEY_TYPE, svc_name)
@@ -370,6 +408,18 @@ def setup_keys(testdir, env):
with (open(testlog, 'a')) as logfile:
kadmin_local(cmd, env, logfile)
+ proxy_keytab = os.path.join(testdir, PROXY_KTNAME)
+ cmd = "addprinc -randkey -e %s -requires_preauth %s" % (KEY_TYPE,
+ PROXY_SVC)
+ with (open(testlog, 'a')) as logfile:
+ kadmin_local(cmd, env, logfile)
+ shutil.copy(svc_keytab, proxy_keytab)
+ cmd = "ktadd -k %s -e %s %s" % (proxy_keytab, KEY_TYPE, PROXY_SVC)
+ with (open(testlog, 'a')) as logfile:
+ kadmin_local(cmd, env, logfile)
+
+ authorize_to_proxy(testdir, env)
+
keys_env = {"client_keytab": usr_keytab,
"KRB5_KTNAME": svc_keytab}
keys_env.update(env)
@@ -532,7 +582,8 @@ def update_gssproxy_conf(testdir, env, template):
'GSSPROXY_CLIENT_CCACHE': ccache,
'GSSPROXY_CLIENT_KEYTAB': ckeytab,
'UIDNUMBER': os.getuid(),
- 'SECOND_SOCKET': socket2}
+ 'SECOND_SOCKET': socket2,
+ 'TESTDIR': testdir}
if 'client_name' in env:
subs['GSSPROXY_CLIENT_PRINCIPAL'] = env['client_name']
text = t.substitute(subs)
--
To stop receiving notification emails like this one, please contact
the administrator of this repository.