# Basic expect script for Kerberos tests.
# This is a DejaGnu test script.
# Written by Ian Lance Taylor, Cygnus Support, <ian@cygnus.com>.
# This script is automatically run by DejaGnu before running any of
# the Kerberos test scripts.

# This file provides several functions which deal with a local
# Kerberos database.  We have to do this such that we don't interfere
# with any existing Kerberos database.  We will create all the files
# in the directory $tmppwd, which will have been created by the
# testsuite default script.  We will use $REALMNAME as our Kerberos
# realm name, defaulting to KRBTEST.COM.

# Expect defaults shared by every test: the match timeout, the
# erase/kill characters applied to each new pty, and the terminal type
# exported to spawned programs.
set timeout 100
set stty_init {erase \^h kill \^u}
set env(TERM) dumb

# When $VALGRIND is non-empty, replace expect's spawn with a wrapper
# that inserts the $VALGRIND command words in front of the program being
# started.  The real spawn stays reachable as valgrind_aux_spawn.
if { [string length $VALGRIND] } {
    rename spawn valgrind_aux_spawn
    proc spawn { args } {
	global VALGRIND
	# spawn sets spawn_id in its caller; alias it so the caller of
	# this wrapper sees the value set by the real spawn.
	upvar 1 spawn_id spawn_id

	set rewritten {}
	# 1 until the first non-option word (the program) has been seen.
	set program_pending 1
	# 1 while the value of -ignore/-open/-leaveopen is still owed.
	set takes_value 0
	foreach word $args {
	    if { [lsearch -exact {-ignore -open -leaveopen} $word] >= 0 } {
		# These spawn options consume the following word.
		lappend rewritten $word
		set takes_value 1
	    } elseif { [string match "-*" $word] } {
		# Any other option is passed through unchanged.
		lappend rewritten $word
	    } elseif { $takes_value } {
		set takes_value 0
		lappend rewritten $word
	    } else {
		if { $program_pending } {
		    set program_pending 0
		    # Only run valgrind for local programs, not
		    # system ones.
		    # A "/bin/sh" exclusion is deliberately left out:
		    # sh is used to start kadmind!
		    if { [string match "/" [string index $word 0]]
			 && ![string match "/bin/ls" $word]
			 && ![regexp {/kshd$} $word] } {
			set rewritten [concat $rewritten $VALGRIND]
		    }
		}
		lappend rewritten $word
	    }
	}
	return [eval valgrind_aux_spawn $rewritten]
    }
}

# Hack around Solaris 9 kernel race condition that causes last output
# from a pty to get dropped.
#
# When $PRIOCNTL_HACK is true, this process is moved to the FX
# scheduling class (failures of priocntl are ignored) and spawn is
# wrapped so that every spawned program is started through
# "priocntl -e -c FX -p 0".  The previous spawn stays reachable as
# oldspawn.
if { $PRIOCNTL_HACK } {
    catch {exec priocntl -s -c FX -m 30 -p 30 -i pid [getpid]}
    rename spawn oldspawn
    proc spawn { args } {
	# spawn sets spawn_id in its caller; alias it so the caller of
	# this wrapper sees the value set by the wrapped spawn.
	upvar 1 spawn_id spawn_id

	set rewritten {}
	# 1 until the first non-option word (the program) has been seen.
	set program_pending 1
	# 1 while the value of -ignore/-open/-leaveopen is still owed.
	set takes_value 0
	foreach word $args {
	    if { [lsearch -exact {-ignore -open -leaveopen} $word] >= 0 } {
		# These spawn options consume the following word.
		lappend rewritten $word
		set takes_value 1
	    } elseif { [string match "-*" $word] } {
		lappend rewritten $word
	    } elseif { $takes_value } {
		set takes_value 0
		lappend rewritten $word
	    } else {
		if { $program_pending } {
		    set program_pending 0
		    set rewritten [concat $rewritten {priocntl -e -c FX -p 0}]
		}
		lappend rewritten $word
	    }
	}
	return [eval oldspawn $rewritten]
    }
}

# The names of the individual passes must be unique; lots of things
# depend on it.  The PASSES variable may not contain comments; only
# small pieces get evaluated, so comments will do strange things.

# Most of the purpose of using multiple passes is to exercise the
# dependency of various bugs on configuration file settings,
# particularly with regards to encryption types.
#
# Each pass is a list: the pass name, then name=value settings.  Every
# pass below sets allow_weak_crypto to false for the kdc, replica,
# client and server profiles.
# NOTE(review): aes-only has no permitted_enctypes(replica) entry while
# the aes-sha2-only and camellia-only passes do -- confirm whether that
# omission is intended.

set passes {
    {
	aes-only
	mode=udp
	{supported_enctypes=aes256-cts-hmac-sha1-96:normal}
	{permitted_enctypes(kdc)=aes256-cts-hmac-sha1-96}
	{permitted_enctypes(client)=aes256-cts-hmac-sha1-96}
	{permitted_enctypes(server)=aes256-cts-hmac-sha1-96}
	{allow_weak_crypto(kdc)=false}
	{allow_weak_crypto(replica)=false}
	{allow_weak_crypto(client)=false}
	{allow_weak_crypto(server)=false}
	{master_key_type=aes256-cts-hmac-sha1-96}
	{dummy=[verbose -log "AES enctypes"]}
    }
    {
	aes-sha2-only
	mode=udp
	{supported_enctypes=aes256-sha2:normal}
	{permitted_enctypes(kdc)=aes256-sha2}
	{permitted_enctypes(replica)=aes256-sha2}
	{permitted_enctypes(client)=aes256-sha2}
	{permitted_enctypes(server)=aes256-sha2}
	{allow_weak_crypto(kdc)=false}
	{allow_weak_crypto(replica)=false}
	{allow_weak_crypto(client)=false}
	{allow_weak_crypto(server)=false}
	{master_key_type=aes256-sha2}
	{dummy=[verbose -log "aes256-sha2 enctype"]}
    }
    {
	camellia-only
	mode=udp
	{supported_enctypes=camellia256-cts:normal}
	{permitted_enctypes(kdc)=camellia256-cts}
	{permitted_enctypes(replica)=camellia256-cts}
	{permitted_enctypes(client)=camellia256-cts}
	{permitted_enctypes(server)=camellia256-cts}
	{allow_weak_crypto(kdc)=false}
	{allow_weak_crypto(replica)=false}
	{allow_weak_crypto(client)=false}
	{allow_weak_crypto(server)=false}
	{master_key_type=camellia256-cts}
	{dummy=[verbose -log "Camellia-256 enctype"]}
    }
    {
	all-enctypes
	mode=udp
	{allow_weak_crypto(kdc)=false}
	{allow_weak_crypto(replica)=false}
	{allow_weak_crypto(client)=false}
	{allow_weak_crypto(server)=false}
	{dummy=[verbose -log "all default enctypes"]}
    }
}

# This shouldn't be necessary on dejagnu-1.4 and later, but 1.3 seems
# to need it because its runtest.exp doesn't deal with PASS at all.
#
# With PASS set, only the passes whose name (first element) appears in
# $PASS are appended to MULTIPASS; otherwise every pass is run.
if { [info exists PASS] } {
    foreach pass $passes {
	if { [lsearch -exact $PASS [lindex $pass 0]] < 0 } {
	    continue
	}
	lappend MULTIPASS $pass
    }
} else {
    set MULTIPASS $passes
}

# Name of the pass for which the configuration files and the database
# were last generated; empty until something has been generated.
set last_passname_conf ""
set last_passname_db ""

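# We do everything in a temporary directory: $TMPDIR when the caller
# set it, otherwise ./tmpdir under the current directory (created on
# demand).
if { ![info exists TMPDIR] } {
    set tmppwd "[pwd]/tmpdir"
    if { ![file isdirectory $tmppwd] } {
	# Use the builtin and a braced script.  The previous
	# "exec mkdir $tmppwd" string was re-parsed by catch, so
	# whitespace or Tcl metacharacters in the working directory
	# path would be split into words or evaluated.
	catch {file mkdir $tmppwd} status
    }
} else {
    set tmppwd $TMPDIR
}
verbose "tmppwd=$tmppwd"
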
# On Ultrix, use /bin/sh5 in preference to /bin/sh.  A BINSH value
# supplied by the caller is left alone.
if { ![info exists BINSH] } {
    set BINSH [expr { [file exists /bin/sh5] ? "/bin/sh5" : "/bin/sh" }]
}

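# For security, we must not use generally known passwords.  This is
# because some of the tests may be run as root.  If the passwords were
# generally known, then somebody could work out the appropriate
# Kerberos ticket to use, and come in when, say, the telnetd daemon
# was being tested by root.  The window for doing this is very very
# small, so the password does not have to be perfect, it just can't be
# constant.
#
# KEY is the process id printed by a freshly started shell, so it
# varies between runs but comes from a small range; it is not a
# strong secret.  It is also echoed by verbose and stored in
# $tmppwd/KEY, so keep that file private to the user running the tests.
if { ![info exists KEY] } {
    catch {exec $BINSH -c "echo $$"} KEY
    verbose "KEY is $KEY"
    # Create the file owner-only instead of relying on the umask.
    set keyfile [open $tmppwd/KEY w 0600]
    # The mode given to open only applies to a newly created file;
    # tighten a file left over from an earlier run as well.
    catch {file attributes $tmppwd/KEY -permissions 0600}
    puts $keyfile "$KEY"
    close $keyfile
}
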
# Clear away any files left over from a previous run.
# We can't use them now because we don't know the right KEY.
# krb5.conf might change if running tests on another host
file delete \
    $tmppwd/krb5.conf \
    $tmppwd/kdc.conf \
    $tmppwd/replica.conf \
    $tmppwd/krb5.client.conf \
    $tmppwd/krb5.server.conf \
    $tmppwd/krb5.kdc.conf \
    $tmppwd/krb5.replica.conf

# delete_db
# Remove the master and replica database files, and the keytab and
# credential cache that depend on them, from $tmppwd.
proc delete_db {} {
    global tmppwd

    # Master db files
    file delete \
	$tmppwd/kdc-db $tmppwd/kdc-db.ok \
	$tmppwd/kdc-db.kadm5 $tmppwd/kdc-db.kadm5.lock \
	$tmppwd/kdc-db.mdb $tmppwd/kdc-db.mdb-lock \
	$tmppwd/kdc-db.lockout.mdb $tmppwd/kdc-db.lockout.mdb-lock \
	$tmppwd/kdc-db.ulog
    # Replica db files, including the "~" copies
    file delete \
	$tmppwd/replica-db $tmppwd/replica-db.ok \
	$tmppwd/replica-db.kadm5 $tmppwd/replica-db.kadm5.lock \
	$tmppwd/replica-db~ $tmppwd/replica-db~.ok \
	$tmppwd/replica-db~.kadm5 $tmppwd/replica-db~.kadm5.lock
    # Creating a new database invalidates the keytab and ccache.
    file delete $tmppwd/keytab $tmppwd/tkt
}

# Start every run without a database left over from an earlier one.
delete_db

# Put the installed kerberos directories on PATH.
# This needs to be fixed for V5.
# set env(PATH) $env(PATH):/usr/kerberos/bin:/usr/kerberos/etc
# verbose "PATH=$env(PATH)"

# Some of the tests expect $env(USER) to be set.  Fall back, in order,
# to $LOGNAME from the environment, a Tcl variable named logname, and
# the output of whoami.
if { ![info exists env(USER)] } {
    if { [info exists env(LOGNAME)] } {
	set env(USER) $env(LOGNAME)
    } elseif { [info exists logname] } {
	set env(USER) $logname
    } else {
	catch "exec whoami" env(USER)
    }
}

# Set the realm.  The user can override this on the runtest line.
if { ![info exists REALMNAME] } {
    set REALMNAME "KRBTEST.COM"
}
verbose "Test realm is $REALMNAME"

# Find some programs we need.  We use the binaries from the build tree
# if they exist.  If they do not, then they must be in PATH.  We
# expect $objdir to be ...tests/dejagnu.
#
# Each entry is {VARIABLE path-template}.  A variable that is already
# set is kept as-is; otherwise the template is expanded ($objdir) and
# handed to findfile, and the result is stored in the variable.

foreach i {
    {KDB5_UTIL $objdir/../../kadmin/dbutil/kdb5_util}
    {KRB5KDC $objdir/../../kdc/krb5kdc}
    {KADMIND $objdir/../../kadmin/server/kadmind}
    {KADMIN $objdir/../../kadmin/cli/kadmin}
    {KADMIN_LOCAL $objdir/../../kadmin/cli/kadmin.local}
    {KINIT $objdir/../../clients/kinit/kinit}
    {KTUTIL $objdir/../../kadmin/ktutil/ktutil}
    {KLIST $objdir/../../clients/klist/klist}
    {KDESTROY $objdir/../../clients/kdestroy/kdestroy}
    {RESOLVE $objdir/../resolve/resolve}
    {T_INETD $objdir/t_inetd}
    {KPROPLOG $objdir/../../kprop/kproplog}
    {KPASSWD $objdir/../../clients/kpasswd/kpasswd}
    {KPROPD $objdir/../../kprop/kpropd}
    {KPROP $objdir/../../kprop/kprop}
} {
    set varname [lindex $i 0]
    if { [info exists $varname] } {
	# Caller-supplied value: report it and leave it untouched.
	set varval [set $varname]
	verbose "$varname already set to $varval"
    } else {
	# Expand the template, then let findfile pick the program.
	set varval [subst [lindex $i 1]]
	set varval [findfile $varval]
	set $varname $varval
	verbose "$varname=$varval"
    }
}

# Install an exit handler that stops the Kerberos daemons, followed by
# whatever handler was registered before this file was loaded.
verbose "setting up onexit handler (old handler=[exit -onexit])"
exit -onexit [concat {
    verbose "calling stop_kerberos_daemons (onexit handler)"
    stop_kerberos_daemons;
} [exit -onexit]]

# run_once

# Many tests are independent of the actual enctypes used, which is
# what our passes are (currently) all about.  Use this to prevent
# multiple invocations.  If a test depends on, say, the master key
# type but nothing else, you could also use the master key type in the
# tag name, and avoid redundant tests in additional passes using the
# same master key type.
#
# tag:  name identifying the work; remembered in the global array
#       run_once_tags.
# body: script evaluated in the caller's scope the first time the tag
#       is seen, and skipped on every later call with the same tag.

proc run_once { tag body } {
    global run_once_tags

    if { [info exists run_once_tags($tag)] } {
	return
    }
    # Record the tag before running the body.
    set run_once_tags($tag) 1
    uplevel 1 $body
}

# check_exit_status
# Check the exit status of a spawned program (using the caller's value
# of spawn_id).  Returns 1 if the program succeeded, 0 if it failed.
#
# testname: name used in log messages and in the fail report.
# A failure is reported with fail when element 2 or element 3 of the
# list returned by wait is non-zero.

proc check_exit_status { testname } {
    upvar 1 spawn_id spawn_id

    verbose "about to wait ($testname)"
    set status_list [wait -i $spawn_id]
    verbose "wait -i $spawn_id returned $status_list ($testname)"
    # Closing is best effort; an error from close is ignored.
    catch "close -i $spawn_id"

    if { [lindex $status_list 2] == 0 && [lindex $status_list 3] == 0 } {
	return 1
    }
    verbose -log "exit status: $status_list"
    fail "$testname"
    return 0
}

#
# ENVSTACK
#

# These procedures implement an environment variable stack.  They use
# the global variable $envvars_tosave for the purpose of identifying
# which environment variables to save.  They also track which ones are
# unset at any particular point.  The stack pointer is $envstackp,
# which is an integer.  The arrays $envstack$envstackp and
# $unenvstack$envstackp store respectively the set of old environment
# variables/values pushed onto the stack and the set of old unset
# environment variables for a given value of $envstackp.

# Changing the value of $envvars_tosave after performing the first
# push operation may result in strangeness.

#
# envstack_push
#
# Push set of current environment variables: each name listed in
# $envvars_tosave is recorded either with its current value or as
# unset, and the stack pointer is then advanced.
#
proc envstack_push { } {
    global env envvars_tosave envstackp
    # Alias the two global arrays belonging to the current level.
    upvar #0 envstack$envstackp saved unenvstack$envstackp absent

    verbose "envstack_push: starting, sp=$envstackp"
    foreach name $envvars_tosave {
	if { ![info exists env($name)] } {
	    verbose "envstack_push: marking $name as unset"
	    set absent($name) unset
	    continue
	}
	verbose "envstack_push: saving $name=$env($name)"
	set saved($name) $env($name)
    }
    incr envstackp
    verbose "envstack_push: exiting, sp=$envstackp"
}

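#
# envstack_pop
#
# Pop set of current environment variables: restore the values saved
# by the matching push, unset the variables that were unset at that
# time, and discard that level's arrays.
#
# On an empty stack this reports an error with perror and leaves the
# stack pointer unchanged.
#
proc envstack_pop { } {
    global env
    global envstackp

    verbose "envstack_pop: starting, sp=$envstackp"
    # Check before decrementing so an unbalanced pop cannot leave the
    # stack pointer negative for later pushes.
    if { $envstackp <= 0 } {
	perror "envstack_pop: stack underflow!"
	return
    }
    incr envstackp -1
    # Alias this level's global arrays.  (A trailing "# ..." on a
    # global command is not a comment in Tcl; its words would be
    # declared as global variables.)
    upvar #0 envstack$envstackp saved unenvstack$envstackp absent

    if { [info exists saved] } {
	foreach name [array names saved] {
	    if { [info exists env($name)] } {
		verbose "envstack_pop: $name was $env($name)"
	    }
	    set env($name) $saved($name)
	    verbose "envstack_pop: restored $name to $env($name)"
	}
	unset saved
    }
    if { [info exists absent] } {
	foreach name [array names absent] {
	    if { [info exists env($name)] } {
		verbose "envstack_pop: $name was $env($name)"
		unset env($name)
		verbose "envstack_pop: $name unset"
	    } else {
		verbose "envstack_pop: ignoring already unset $name"
	    }
	}
	unset absent
    }
    verbose "envstack_pop: exiting, sp=$envstackp"
}
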
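#
# Initialize the envstack
#
set envvars_tosave {
    KRB5_CONFIG KRB5CCNAME KRB5_CLIENT_KTNAME KRB5RCACHEDIR KRB5_KDC_PROFILE
    GSS_MECH_CONFIG
}
set krb5_init_vars [list ]
# XXX -- fix me later!
# Every NAME=value entry of $runvarlist is applied by
# setup_runtime_env, and its NAME is added to the variables that the
# envstack saves and restores.
foreach i $runvarlist {
    verbose "processing $i"
    if {[regexp "^(\[^=\]*)=(.*)" $i foo evar evalue]} {
	verbose "adding $evar to savelist"
	lappend envvars_tosave $evar
	verbose "savelist $envvars_tosave"
	lappend krb5_init_vars $i
    }
}
# Make sure we don't get confused by translated messages
# or localized times.  This is done once, after the loop: inside the
# loop it was repeated for every runvarlist entry and skipped entirely
# when runvarlist was empty.
lappend envvars_tosave "LC_ALL"
lappend krb5_init_vars "LC_ALL=C"
set envstackp 0
envstack_push
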
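# setup_runtime_env
# Sets the proper flags for shared libraries.
# Configuration is through a site.exp and the runvarlist variable:
# every NAME=value entry of the global list krb5_init_vars is exported
# into the environment.  Always returns 0.
proc setup_runtime_env { } {
    global env
    global krb5_init_vars

    # Set the variables
    foreach i $krb5_init_vars {
	# Skip an entry without "=" instead of reusing (or failing on)
	# the name and value left over from a previous iteration.
	if { ![regexp "^(\[^=\]*)=(.*)" $i foo evar evalue] } {
	    verbose "setup_runtime_env: ignoring malformed entry $i"
	    continue
	}
	set env($evar) "$evalue"
	verbose "$evar=$evalue"
    }
    return 0
}
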
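# get_hostname
# This procedure sets the global variable hostname to the local
# hostname as seen by krb5_sname_to_principal.  Returns 1 on success,
# 0 on failure.
#
# The name is obtained by running "$RESOLVE -q" with its output
# redirected to $tmppwd/hostname, and is lower-cased before being
# stored.  A value that is already set is reused without running
# anything.

proc get_hostname { } {
    global RESOLVE
    global hostname
    global tmppwd

    if { [info exists hostname] } {
	return 1
    }

    envstack_push
    setup_runtime_env
    # NOTE(review): the command is built as a string, so $RESOLVE and
    # $tmppwd are split on whitespace when catch re-parses it.
    catch "exec $RESOLVE -q >$tmppwd/hostname" exec_output
    envstack_pop
    if ![string match "" $exec_output] {
	verbose -log $exec_output
	perror "can't get hostname"
	return 0
    }

    # Read into a local first: gets stores an empty string even when
    # it returns -1, and a global hostname set that way would make the
    # next call report success with an empty name.
    set file [open $tmppwd/hostname r]
    set nread [gets $file resolved]
    # Close and remove the scratch file on the failure path as well.
    close $file
    file delete $tmppwd/hostname
    if { $nread == -1 } {
	perror "no output from hostname"
	return 0
    }

    set hostname [string tolower $resolved]

    return 1
}
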
# modify_principal name options...
#
# Run "modprinc <options> <name>" in a kadmin.local session for
# $REALMNAME, using the kdc environment.  Returns 0 when the session
# hits eof or a timeout before the expected output, otherwise 1.
# NOTE(review): an abnormal exit of kadmin.local is reported with
# perror but the procedure still returns 1 -- confirm callers expect
# that.

proc modify_principal { name args } {
    global KADMIN_LOCAL REALMNAME

    # Only the spawn itself needs the kdc environment.
    envstack_push
    setup_kerberos_env kdc
    spawn $KADMIN_LOCAL -r $REALMNAME
    envstack_pop

    # Any unexpected eof or timeout below fails the step.
    expect_after {
	eof {
	    fail "modprinc (kadmin.local)"
	    return 0
	}
	timeout {
	    fail "modprinc (kadmin.local)"
	    return 0
	}
    }

    expect "kadmin.local: "
    send "modprinc $args $name\r"
    # First the echoed command, then the confirmation message.
    expect -re "modprinc \[^\n\r\]* $name"
    expect -re "Principal .* modified."
    send "quit\r"
    expect eof
    catch expect_after

    if { ![check_exit_status "kadmin.local modprinc"] } {
	perror "kadmin.local modprinc exited abnormally"
    }
    return 1
}

# Port assignments, as offsets from $portbase:
# kdc listens on +0..+3, depending whether we're testing reachable or not
# client tries +1 and +6
# kadmind +4
# kpasswd +5
# (nothing) +6
# application servers (krlogind, telnetd, krshd, ftpd, etc) +8
# iprop +9 (if enabled)
# kpropd +10
#
# PORTBASE, when set by the caller, replaces the default of 3085.
set portbase 3085
if { [info exists PORTBASE] } {
    set portbase $PORTBASE
}

# Non-zero makes setup_kerberos_files emit the iprop settings.
set ulog 0

|
Packit |
fd8b60 |
# setup_kerberos_files
|
|
Packit |
fd8b60 |
# This procedure will create some Kerberos files which must be created
|
|
Packit |
fd8b60 |
# manually before trying to run any Kerberos programs. Returns 1 on
|
|
Packit |
fd8b60 |
# success, 0 on failure.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
proc setup_kerberos_files { } {
|
|
Packit |
fd8b60 |
global REALMNAME
|
|
Packit |
fd8b60 |
global hostname
|
|
Packit |
fd8b60 |
global tmppwd
|
|
Packit |
fd8b60 |
global supported_enctypes
|
|
Packit |
fd8b60 |
global last_passname_conf
|
|
Packit |
fd8b60 |
global multipass_name
|
|
Packit |
fd8b60 |
global master_key_type
|
|
Packit |
fd8b60 |
global mode
|
|
Packit |
fd8b60 |
global portbase
|
|
Packit |
fd8b60 |
global ulog
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
if ![get_hostname] {
|
|
Packit |
fd8b60 |
return 0
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
setup_krb5_conf client
|
|
Packit |
fd8b60 |
setup_krb5_conf server
|
|
Packit |
fd8b60 |
setup_krb5_conf kdc
|
|
Packit |
fd8b60 |
setup_krb5_conf replica
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Create a kdc.conf file.
|
|
Packit |
fd8b60 |
if { ![file exists $tmppwd/kdc.conf] \
|
|
Packit |
fd8b60 |
|| $last_passname_conf != $multipass_name } {
|
|
Packit |
fd8b60 |
set conffile [open $tmppwd/kdc.conf w]
|
|
Packit |
fd8b60 |
puts $conffile "\[kdcdefaults\]"
|
|
Packit |
fd8b60 |
puts $conffile " kdc_listen = $portbase,[expr 1 + $portbase],[expr 2 + $portbase]"
|
|
Packit |
fd8b60 |
puts $conffile " kdc_tcp_listen = $portbase,[expr 1 + $portbase],[expr 2 + $portbase]"
|
|
Packit |
fd8b60 |
puts $conffile ""
|
|
Packit |
fd8b60 |
puts $conffile "\[realms\]"
|
|
Packit |
fd8b60 |
puts $conffile " $REALMNAME = \{"
|
|
Packit |
fd8b60 |
# Testing with a colon in the name exercises default handling
|
|
Packit |
fd8b60 |
# for pathnames.
|
|
Packit |
fd8b60 |
puts $conffile " key_stash_file = $tmppwd/stash:foo"
|
|
Packit |
fd8b60 |
puts $conffile " acl_file = $tmppwd/acl"
|
|
Packit |
fd8b60 |
puts $conffile " kadmind_port = [expr 4 + $portbase]"
|
|
Packit |
fd8b60 |
puts $conffile " kpasswd_port = [expr 5 + $portbase]"
|
|
Packit |
fd8b60 |
puts $conffile " max_life = 1:00:00"
|
|
Packit |
fd8b60 |
puts $conffile " max_renewable_life = 3:00:00"
|
|
Packit |
fd8b60 |
if [info exists master_key_type] {
|
|
Packit |
fd8b60 |
puts $conffile " master_key_type = $master_key_type"
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
puts $conffile " master_key_name = master/key"
|
|
Packit |
fd8b60 |
if [info exists supported_enctypes] {
|
|
Packit |
fd8b60 |
puts $conffile " supported_enctypes = $supported_enctypes"
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
if { $mode == "tcp" } {
|
|
Packit |
fd8b60 |
puts $conffile " kdc_listen = [expr 3 + $portbase]"
|
|
Packit |
fd8b60 |
puts $conffile " kdc_tcp_listen = [expr 1 + $portbase],[expr 3 + $portbase]"
|
|
Packit |
fd8b60 |
} else {
|
|
Packit |
fd8b60 |
puts $conffile " kdc_listen = [expr 1 + $portbase]"
|
|
Packit |
fd8b60 |
puts $conffile " kdc_tcp_listen = [expr 3 + $portbase]"
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
puts $conffile " default_principal_expiration = 2037.12.31.23.59.59"
|
|
Packit |
fd8b60 |
puts $conffile " default_principal_flags = -postdateable forwardable"
|
|
Packit |
fd8b60 |
puts $conffile " dict_file = $tmppwd/dictfile"
|
|
Packit |
fd8b60 |
if { $ulog != 0 } {
|
|
Packit |
fd8b60 |
puts $conffile " iprop_enable = true"
|
|
Packit |
fd8b60 |
puts $conffile " iprop_port = [expr 9 + $portbase]"
|
|
Packit |
fd8b60 |
puts $conffile " iprop_logfile = $tmppwd/db.ulog"
|
|
Packit |
fd8b60 |
} else {
|
|
Packit |
fd8b60 |
puts $conffile "# no ulog"
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
puts $conffile " \}"
|
|
Packit |
fd8b60 |
puts $conffile ""
|
|
Packit |
fd8b60 |
close $conffile
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Create a config file for the replica KDC (kpropd only, no normal
|
|
Packit |
fd8b60 |
# KDC processes).
|
|
Packit |
fd8b60 |
if { ![file exists $tmppwd/replica.conf] \
|
|
Packit |
fd8b60 |
|| $last_passname_conf != $multipass_name } {
|
|
Packit |
fd8b60 |
set conffile [open $tmppwd/replica.conf w]
|
|
Packit |
fd8b60 |
puts $conffile "\[kdcdefaults\]"
|
|
Packit |
fd8b60 |
puts $conffile " kdc_listen = $portbase,[expr 1 + $portbase],[expr 2 + $portbase]"
|
|
Packit |
fd8b60 |
puts $conffile " kdc_tcp_listen = $portbase,[expr 1 + $portbase],[expr 2 + $portbase]"
|
|
Packit |
fd8b60 |
puts $conffile ""
|
|
Packit |
fd8b60 |
puts $conffile "\[realms\]"
|
|
Packit |
fd8b60 |
puts $conffile " $REALMNAME = \{"
|
|
Packit |
fd8b60 |
# Testing with a colon in the name exercises default handling
|
|
Packit |
fd8b60 |
# for pathnames.
|
|
Packit |
fd8b60 |
puts $conffile " key_stash_file = $tmppwd/replica-stash"
|
|
Packit |
fd8b60 |
puts $conffile " acl_file = $tmppwd/replica-acl"
|
|
Packit |
fd8b60 |
puts $conffile " kadmind_port = [expr 4 + $portbase]"
|
|
Packit |
fd8b60 |
puts $conffile " kpasswd_port = [expr 5 + $portbase]"
|
|
Packit |
fd8b60 |
puts $conffile " max_life = 1:00:00"
|
|
Packit |
fd8b60 |
puts $conffile " max_renewable_life = 3:00:00"
|
|
Packit |
fd8b60 |
if [info exists master_key_type] {
|
|
Packit |
fd8b60 |
puts $conffile " master_key_type = $master_key_type"
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
puts $conffile " master_key_name = master/key"
|
|
Packit |
fd8b60 |
if [info exists supported_enctypes] {
|
|
Packit |
fd8b60 |
puts $conffile " supported_enctypes = $supported_enctypes"
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
if { $mode == "tcp" } {
|
|
Packit |
fd8b60 |
puts $conffile " kdc_listen = [expr 3 + $portbase]"
|
|
Packit |
fd8b60 |
puts $conffile " kdc_tcp_listen = [expr 1 + $portbase],[expr 3 + $portbase]"
|
|
Packit |
fd8b60 |
} else {
|
|
Packit |
fd8b60 |
puts $conffile " kdc_listen = [expr 1 + $portbase]"
|
|
Packit |
fd8b60 |
puts $conffile " kdc_tcp_listen = [expr 3 + $portbase]"
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
puts $conffile " default_principal_expiration = 2037.12.31.23.59.59"
|
|
Packit |
fd8b60 |
puts $conffile " default_principal_flags = -postdateable forwardable"
|
|
Packit |
fd8b60 |
puts $conffile " dict_file = $tmppwd/dictfile"
|
|
Packit |
fd8b60 |
if { $ulog != 0 } {
|
|
Packit |
fd8b60 |
puts $conffile " iprop_enable = true"
|
|
Packit |
fd8b60 |
puts $conffile " iprop_port = [expr 9 + $portbase]"
|
|
Packit |
fd8b60 |
puts $conffile " iprop_logfile = $tmppwd/replica-db.ulog"
|
|
Packit |
fd8b60 |
} else {
|
|
Packit |
fd8b60 |
puts $conffile "# no ulog"
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
puts $conffile " \}"
|
|
Packit |
fd8b60 |
puts $conffile ""
|
|
Packit |
fd8b60 |
close $conffile
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Create ACL file.
|
|
Packit |
fd8b60 |
set aclfile [open $tmppwd/acl w]
|
|
Packit |
fd8b60 |
puts $aclfile "krbtest/admin@$REALMNAME *"
|
|
Packit |
fd8b60 |
puts $aclfile "kiprop/$hostname@$REALMNAME p"
|
|
Packit |
fd8b60 |
close $aclfile
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Create dictfile file.
|
|
Packit |
fd8b60 |
if ![file exists $tmppwd/dictfile] {
|
|
Packit |
fd8b60 |
set dictfile [open $tmppwd/dictfile w]
|
|
Packit |
fd8b60 |
puts $dictfile "weak_password"
|
|
Packit |
fd8b60 |
close $dictfile
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
set last_passname_conf $multipass_name
|
|
Packit |
fd8b60 |
return 1
|
|
Packit |
fd8b60 |
}
# reset_kerberos_files
# Delete the generated kdc.conf, replica.conf, krb5.client.conf,
# krb5.server.conf and krb5.kdc.conf under $tmppwd, then call
# setup_kerberos_files.  The result of that call is the result of this
# procedure.
proc reset_kerberos_files { } {
    global tmppwd

    foreach stale_conf {
        kdc.conf replica.conf
        krb5.client.conf krb5.server.conf krb5.kdc.conf
    } {
        file delete $tmppwd/$stale_conf
    }
    setup_kerberos_files
}
# setup_krb5_conf
# Write $tmppwd/krb5.$type.conf (type defaults to "client").  Nothing is
# written when the file already exists and last_passname_conf equals
# multipass_name.
#
# NOTE(review): the generated profile sets allow_weak_crypto = true unless
# allow_weak_crypto($type) supplies another value, and pkinit_identity
# names a private key kept in the pkinit-certs directory of the source
# tree.  Both are fixtures of this test harness; neither setting should be
# carried over into a deployed krb5.conf.
proc setup_krb5_conf { {type client} } {
    global tmppwd hostname REALMNAME
    global last_passname_conf multipass_name
    global default_tgs_enctypes default_tkt_enctypes permitted_enctypes
    global allow_weak_crypto
    global mode portbase srcdir env

    set pkinit_certs [findfile "[pwd]/$srcdir/pkinit-certs" "[pwd]/$srcdir/pkinit-certs" "$srcdir/pkinit-certs"]

    # Skip regeneration when an up-to-date file is already in place.
    set target $tmppwd/krb5.$type.conf
    if { [file exists $target] && $last_passname_conf == $multipass_name } {
        return
    }

    set out [open $target w]

    puts $out "\[libdefaults\]"
    puts $out " default_realm = $REALMNAME"
    puts $out " dns_lookup_kdc = false"
    if { [info exists allow_weak_crypto($type)] } {
        set weak_setting $allow_weak_crypto($type)
    } else {
        set weak_setting true
    }
    puts $out " allow_weak_crypto = $weak_setting"
    puts $out " pkinit_anchors = FILE:$pkinit_certs/ca.pem"
    # Each enctype list is emitted only when the per-type array element
    # has been set by the test.
    foreach knob {default_tgs_enctypes default_tkt_enctypes permitted_enctypes} {
        if { [info exists ${knob}($type)] } {
            puts $out " $knob = [set ${knob}($type)]"
        }
    }
    if { $mode == "tcp" } {
        puts $out " udp_preference_limit = 1"
    }
    puts $out " plugin_base_dir = $tmppwd/../../../plugins"
    puts $out ""

    puts $out "\[realms\]"
    puts $out " $REALMNAME = \{"
    # An extra KDC address with (probably) nothing listening would test
    # the handling of a non-responsive KDC.  It stays disabled because on
    # some systems, like Tru64, the client's socket often ends up bound to
    # that address, so the request shows up in the incoming queue as if it
    # were a response and the tests fail.  With client and KDC on
    # different hosts this would be okay.
    #puts $conffile " kdc = $hostname:[expr 6 + $portbase]"
    puts $out " pkinit_identity = FILE:$pkinit_certs/kdc.pem,$pkinit_certs/privkey.pem"
    puts $out " pkinit_anchors = FILE:$pkinit_certs/ca.pem"
    foreach {service offset} {kdc 1 admin_server 4 kpasswd_server 5} {
        puts $out " $service = $hostname:[expr {$offset + $portbase}]"
    }
    puts $out " database_module = db"
    puts $out " \}"
    puts $out ""

    puts $out "\[domain_realm\]"
    puts $out " $hostname = $REALMNAME"
    puts $out ""

    puts $out "\[logging\]"
    foreach {facility logname} {
        admin_server kadmind5.log
        kdc          kdc.log
        default      others.log
    } {
        puts $out " $facility = FILE:$tmppwd/$logname"
    }
    puts $out ""

    puts $out "\[dbmodules\]"
    puts $out " db_module_dir = $tmppwd/../../../plugins/kdb"
    puts $out " db = {"
    # K5TEST_LMDB in the environment selects the klmdb back end.
    if { [info exists env(K5TEST_LMDB)] } {
        puts $out " db_library = klmdb"
        puts $out " nosync = true"
    } else {
        puts $out " db_library = db2"
    }
    puts $out " database_name = $tmppwd/$type-db"
    puts $out " }"

    close $out
}
# Save the original values of the environment variables we are going
# to muck with.
# XXX deal with envstack later.
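# Record the caller's value of each environment variable that
# setup_kerberos_env overwrites.  When a variable is not set, any saved
# copy is cleared instead so that no stale value is left behind.
if {[info exists env(KRB5_CONFIG)]} {
    set orig_krb5_conf $env(KRB5_CONFIG)
} else {
    # The value is saved as orig_krb5_conf, but this branch used to clear
    # only orig_krb5_config, so a stale orig_krb5_conf could survive.
    # Both spellings are cleared here.
    # NOTE(review): confirm which of the two names the restoring code
    # reads, then drop the other.
    catch {unset orig_krb5_conf}
    catch {unset orig_krb5_config}
}

if {[info exists env(KRB5CCNAME)]} {
    set orig_krb5ccname $env(KRB5CCNAME)
} else {
    catch {unset orig_krb5ccname}
}

if {[info exists env(KRB5_CLIENT_KTNAME)]} {
    set orig_krb5clientktname $env(KRB5_CLIENT_KTNAME)
} else {
    catch {unset orig_krb5clientktname}
}

if {[info exists env(KRB5RCACHEDIR)]} {
    set orig_krb5rcachedir $env(KRB5RCACHEDIR)
} else {
    catch {unset orig_krb5rcachedir}
}

if {[info exists env(GSS_MECH_CONFIG)]} {
    set orig_gss_mech_config $env(GSS_MECH_CONFIG)
} else {
    catch {unset orig_gss_mech_config}
}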
# setup_kerberos_env
# Set the environment variables needed to run Kerberos programs.
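proc setup_kerberos_env { {type client} } {
    # Point the process environment at the files under $tmppwd for the
    # given role.  type is one of client, server, kdc or replica; any
    # other value raises "unknown config file type".  Returns 1.
    #
    # Side effects: sets KRB5_CONFIG, KRB5CCNAME, KRB5_CLIENT_KTNAME,
    # KRB5RCACHEDIR and GSS_MECH_CONFIG, sets or unsets KRB5_KDC_PROFILE,
    # calls setup_runtime_env, and writes $type-env.sh and $type-env.csh
    # when they do not exist yet.
    #
    # NOTE(review): the two convenience scripts are only written once, so
    # they can be stale on a later pass, and the values are written
    # unquoted, so a $tmppwd containing whitespace or shell metacharacters
    # would not survive being sourced.
    global REALMNAME
    global env
    global tmppwd
    global hostname
    global krb5_init_vars
    global portbase

    # Point KRB5_CONFIG at the krb5.conf generated for this role.
    set env(KRB5_CONFIG) $tmppwd/krb5.$type.conf
    verbose "KRB5_CONFIG=$env(KRB5_CONFIG)"

    # Direct the Kerberos programs at a local ticket file.
    set env(KRB5CCNAME) $tmppwd/tkt
    verbose "KRB5CCNAME=$env(KRB5CCNAME)"

    # Direct the Kerberos programs at a local client keytab.
    set env(KRB5_CLIENT_KTNAME) $tmppwd/client_keytab
    verbose "KRB5_CLIENT_KTNAME=$env(KRB5_CLIENT_KTNAME)"

    # Direct the Kerberos server at a cache file stored in the
    # temporary directory.
    set env(KRB5RCACHEDIR) $tmppwd
    verbose "KRB5RCACHEDIR=$env(KRB5RCACHEDIR)"

    # Direct the GSS library at a nonexistent file in the temporary
    # directory, to avoid interference from system configuration.
    set env(GSS_MECH_CONFIG) $tmppwd/mech.conf
    verbose "GSS_MECH_CONFIG=$env(GSS_MECH_CONFIG)"

    # Get the run time environment variables... (including LD_LIBRARY_PATH)
    setup_runtime_env

    # Set our kdc config file, if needed.
    switch $type {
        client -
        server { catch {unset env(KRB5_KDC_PROFILE)} }
        kdc { set env(KRB5_KDC_PROFILE) $tmppwd/kdc.conf }
        replica { set env(KRB5_KDC_PROFILE) $tmppwd/replica.conf }
        default { error "unknown config file type $type" }
    }
    if {[info exists env(KRB5_KDC_PROFILE)]} {
        verbose "KRB5_KDC_PROFILE=$env(KRB5_KDC_PROFILE)"
    }

    # Create an environment setup script for sh.  (For convenience)
    if {![file exists $tmppwd/$type-env.sh]} {
        set envfile [open $tmppwd/$type-env.sh w]
        puts $envfile "KRB5_CONFIG=$env(KRB5_CONFIG)"
        puts $envfile "KRB5CCNAME=$env(KRB5CCNAME)"
        puts $envfile "KRB5_CLIENT_KTNAME=$env(KRB5_CLIENT_KTNAME)"
        puts $envfile "KRB5RCACHEDIR=$env(KRB5RCACHEDIR)"
        puts $envfile "GSS_MECH_CONFIG=$env(GSS_MECH_CONFIG)"
        if {[info exists env(KRB5_KDC_PROFILE)]} {
            puts $envfile "KRB5_KDC_PROFILE=$env(KRB5_KDC_PROFILE)"
        } else {
            puts $envfile "unset KRB5_KDC_PROFILE"
        }
        puts $envfile "export KRB5_CONFIG KRB5CCNAME KRB5RCACHEDIR"
        puts $envfile "export KRB5_KDC_PROFILE KRB5_CLIENT_KTNAME"
        puts $envfile "export GSS_MECH_CONFIG"
        foreach entry $krb5_init_vars {
            # Skip an entry that is not NAME=value; without this check the
            # name left over from the previous entry would be written
            # again (or the read of evar would fail on the first entry).
            if {![regexp "^(\[^=\]*)=(.*)" $entry whole evar evalue]} {
                continue
            }
            puts $envfile "$evar=$env($evar)"
            puts $envfile "export $evar"
        }
        close $envfile
    }

    # The same settings in csh syntax.
    if {![file exists $tmppwd/$type-env.csh]} {
        set envfile [open $tmppwd/$type-env.csh w]
        puts $envfile "setenv KRB5_CONFIG $env(KRB5_CONFIG)"
        puts $envfile "setenv KRB5CCNAME $env(KRB5CCNAME)"
        puts $envfile "setenv KRB5_CLIENT_KTNAME $env(KRB5_CLIENT_KTNAME)"
        puts $envfile "setenv KRB5RCACHEDIR $env(KRB5RCACHEDIR)"
        puts $envfile "setenv GSS_MECH_CONFIG $env(GSS_MECH_CONFIG)"
        if {[info exists env(KRB5_KDC_PROFILE)]} {
            puts $envfile "setenv KRB5_KDC_PROFILE $env(KRB5_KDC_PROFILE)"
        } else {
            puts $envfile "unsetenv KRB5_KDC_PROFILE"
        }
        foreach entry $krb5_init_vars {
            # Same NAME=value check as for the sh script.
            if {![regexp "^(\[^=\]*)=(.*)" $entry whole evar evalue]} {
                continue
            }
            puts $envfile "setenv $evar $env($evar)"
        }
        close $envfile
    }
    return 1
}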
# setup_kerberos_db
# Initialize the Kerberos database. If the argument is non-zero, call
# pass at relevant points. Returns 1 on success, 0 on failure.
proc setup_kerberos_db { standalone } {
    # Build the test KDC database in four steps: kdb5_util create,
    # kdb5_util stash, then kadmin.local "ank" for krbtest/admin and for
    # krbtest/fast.  When standalone is non-zero each step reports pass or
    # fail; otherwise a failed step after "create" calls delete_db.
    #
    # Each step is a script held in $body and run with "catch $body".  A
    # "break" inside the script (or inside an expect action) makes catch
    # return non-zero, which is how a step signals failure; failall then
    # makes every later step break immediately.
    #
    # NOTE(review): the master key and the principal passwords are the
    # fixed strings "masterkey" and "adminpass" followed by $KEY, typed
    # into the spawned programs.  They are test credentials only.
    # NOTE(review): the procedure ends with "return 1" whether or not
    # failall was set, although the header comment promises 0 on failure;
    # confirm what callers rely on before changing it.
    global REALMNAME KDB5_UTIL KADMIN_LOCAL KEY
    global tmppwd hostname
    global spawn_id
    global multipass_name last_passname_db

    set failall 0

    # Reuse an existing database when not run as a test of its own.
    # NOTE(review): kdc-db.ok is tested here but not created anywhere in
    # this procedure.
    if {!$standalone && [file exists $tmppwd/kdc-db.ok] \
            && $last_passname_db == $multipass_name} {
        return 1
    }

    delete_db

    envstack_push
    if { ![setup_kerberos_files] || ![setup_kerberos_env kdc] } {
        set failall 1
    }

    # Set up a common expect_after for use in multiple places.
    # On timeout or eof it tags the test name and breaks out of the step.
    set def_exp_after {
        timeout {
            set test "$test (timeout)"
            break
        }
        eof {
            set test "$test (eof)"
            break
        }
    }

    # Create the database, entering the master key twice.
    # NOTE(review): -W is understood to be the test-only weak random
    # seeding option; confirm against the kdb5_util under test.
    set test "kdb5_util create"
    set body {
        if $failall {
            break
        }
        #exec xterm
        verbose "starting $test"
        spawn $KDB5_UTIL -r $REALMNAME create -W
        expect_after $def_exp_after

        expect "Enter KDC database master key:"

        set test "kdb5_util create (verify)"
        send "masterkey$KEY\r"
        expect "Re-enter KDC database master key to verify:"

        set test "kdb5_util create"
        send "masterkey$KEY\r"
        expect {
            -re "\[Cc\]ouldn't" {
                expect eof
                break
            }
            "Cannot find/read stored" exp_continue
            "Warning: proceeding without master key" exp_continue
            eof { }
        }
        catch expect_after
        if ![check_exit_status kdb5_util] {
            break
        }
    }
    set ret [catch $body]
    # Clear the expect_after patterns in case the step broke out early.
    catch expect_after
    if $ret {
        set failall 1
        if $standalone {
            fail $test
        }
    } else {
        if $standalone {
            pass $test
        }
    }

    # Stash the master key in a file.
    set test "kdb5_util stash"
    set body {
        if $failall {
            break
        }
        spawn $KDB5_UTIL -r $REALMNAME stash
        verbose "starting $test"
        expect_after $def_exp_after
        expect "Enter KDC database master key:"
        send "masterkey$KEY\r"
        expect eof
        catch expect_after
        if ![check_exit_status kdb5_util] {
            break
        }
    }
    set ret [catch $body]
    catch "expect eof"
    catch expect_after
    if $ret {
        set failall 1
        if $standalone {
            fail $test
        } else {
            delete_db
        }
    } else {
        if $standalone {
            pass $test
        }
    }

    # Add an admin user.
    # "Principal or policy already exists" is accepted as well as
    # "created".
    set test "kadmin.local ank krbtest/admin"
    set body {
        if $failall {
            break
        }
        spawn $KADMIN_LOCAL -r $REALMNAME
        verbose "starting $test"
        expect_after $def_exp_after

        expect "kadmin.local: "
        send "ank krbtest/admin@$REALMNAME\r"
        # It echos...
        expect "ank krbtest/admin@$REALMNAME\r"
        expect "Enter password for principal \"krbtest/admin@$REALMNAME\":"
        send "adminpass$KEY\r"
        expect "Re-enter password for principal \"krbtest/admin@$REALMNAME\":"
        send "adminpass$KEY\r"
        expect {
            "Principal \"krbtest/admin@$REALMNAME\" created" { }
            "Principal or policy already exists while creating*" { }
        }
        expect "kadmin.local: "
        send "quit\r"
        expect eof
        catch expect_after
        if ![check_exit_status kadmin_local] {
            break
        }
    }
    set ret [catch $body]
    catch "expect eof"
    catch expect_after
    if $ret {
        set failall 1
        if $standalone {
            fail $test
        } else {
            delete_db
        }
    } else {
        if $standalone {
            pass $test
        }
    }

    # Add the krbtest/fast principal, created with +requires_preauth and
    # the same password as krbtest/admin.  (This comment used to read
    # "Add an incremental-propagation service", which does not match the
    # principal created below.)
    set test "kadmin.local ank krbtest/fast"
    set body {
        if $failall {
            break
        }
        spawn $KADMIN_LOCAL -r $REALMNAME
        verbose "starting $test"
        expect_after $def_exp_after

        expect "kadmin.local: "
        send "ank +requires_preauth krbtest/fast@$REALMNAME\r"
        expect "Enter password for principal \"krbtest/fast@$REALMNAME\":"
        send "adminpass$KEY\r"
        expect "Re-enter password for principal \"krbtest/fast@$REALMNAME\":"
        send "adminpass$KEY\r"
        expect {
            "Principal \"krbtest/fast@$REALMNAME\" created" { }
            "Principal or policy already exists while creating*" { }
        }
        expect "kadmin.local: "
        send "quit\r"
        expect eof
        catch expect_after
        if ![check_exit_status kadmin_local] {
            break
        }
    }
    set ret [catch $body]
    catch "expect eof"
    catch expect_after
    if $ret {
        set failall 1
        if $standalone {
            fail $test
        } else {
            delete_db
        }
    } else {
        if $standalone {
            pass $test
        }
    }

    envstack_pop

    # create the admin database lock file
    # (a failure of touch is ignored)
    catch "exec touch $tmppwd/adb.lock"

    set last_passname_db $multipass_name
    return 1
}
# setup_replica_db
# Initialize the replica Kerberos database. Returns 1 on success, 0 on
# failure.
proc setup_replica_db { } {
    # Create and stash the replica database with kdb5_util, using the
    # replica environment from setup_kerberos_env.  Returns 1 when both
    # steps succeeded and 0 otherwise (the negation of failall).
    #
    # Each step is a script held in $body and run with "catch $body"; a
    # "break" inside it makes catch return non-zero and marks the step as
    # failed.  No pass/fail is reported from here.
    #
    # NOTE(review): the master key typed below is the fixed string
    # "masterkey" followed by $KEY; it is a test credential only.
    # NOTE(review): envstack_push below has no matching envstack_pop in
    # this procedure; confirm that leaving the replica environment pushed
    # is intended.
    global REALMNAME
    global KDB5_UTIL
    global KADMIN_LOCAL
    global KEY
    global tmppwd
    global spawn_id

    set failall 0

    envstack_push
    if { ![setup_kerberos_files] || ![setup_kerberos_env replica] } {
        set failall 1
    }

    # Set up a common expect_after for use in multiple places.
    # On timeout or eof it tags the test name and breaks out of the step.
    set def_exp_after {
        timeout {
            set test "$test (timeout)"
            break
        }
        eof {
            set test "$test (eof)"
            break
        }
    }

    # Create the replica database, entering the master key twice.
    # NOTE(review): -W is understood to be the test-only weak random
    # seeding option; confirm against the kdb5_util under test.
    set test "replica kdb5_util create "
    set body {
        if $failall {
            break
        }
        #exec xterm
        verbose "starting $test"
        spawn $KDB5_UTIL -r $REALMNAME create -W
        expect_after $def_exp_after

        expect "Enter KDC database master key:"

        set test "replica kdb5_util create (verify)"
        send "masterkey$KEY\r"
        expect "Re-enter KDC database master key to verify:"

        set test "replica kdb5_util create"
        send "masterkey$KEY\r"
        expect {
            -re "\[Cc\]ouldn't" {
                expect eof
                break
            }
            "Cannot find/read stored" exp_continue
            "Warning: proceeding without master key" exp_continue
            eof { }
        }
        catch expect_after
        if ![check_exit_status kdb5_util] {
            break
        }
    }
    set ret [catch $body]
    # Clear the expect_after patterns in case the step broke out early.
    catch expect_after
    if $ret {
        set failall 1
    }

    # Stash the master key in a file.
    set test "replica kdb5_util stash"
    set body {
        if $failall {
            break
        }
        spawn $KDB5_UTIL -r $REALMNAME stash
        verbose "starting $test"
        expect_after $def_exp_after
        expect "Enter KDC database master key:"
        send "masterkey$KEY\r"
        expect eof
        catch expect_after
        if ![check_exit_status kdb5_util] {
            break
        }
    }
    set ret [catch $body]
    catch "expect eof"
    catch expect_after
    if $ret {
        set failall 1
        delete_db
    }

    if !$failall {
        # create the admin database lock file
        # (a failure of touch is ignored)
        catch "exec touch $tmppwd/replica-adb.lock"
    }

    return [expr !$failall]
}
# start_kpropd
# Spawn kpropd under the replica environment, listening on portbase + 10,
# and record the process in the globals kpropd_pid and kpropd_spawn_id.
# The environment pushed for the spawn is popped again before returning.
proc start_kpropd {} {
    global kpropd_pid kpropd_spawn_id KPROPD T_INETD KDB5_UTIL portbase tmppwd
    global spawn_id

    envstack_push
    setup_kerberos_env replica

    set listen_port [expr {10 + $portbase}]
    spawn $KPROPD -S -d -t \
        -P $listen_port \
        -s $tmppwd/keytab \
        -f $tmppwd/incoming-replica-datatrans \
        -p $KDB5_UTIL \
        -a $tmppwd/kpropd-acl

    set kpropd_pid [exp_pid]
    set kpropd_spawn_id $spawn_id

    envstack_pop
}
# start_kerberos_daemons
# A procedure to build a Kerberos database and start up the kerberos
# and kadmind daemons. This sets the global variables kdc_pid,
# kdc_spawn_id, kadmind_pid, and kadmind_spawn_id. The procedure
# stop_kerberos_daemons should be used to stop the daemons. If the
# argument is non-zero, call pass at relevant points. Returns 1 on
# success, 0 on failure.
proc start_kerberos_daemons { standalone } {
    # Spawn krb5kdc and then kadmind in the foreground under expect.  For
    # each daemon: wait for "starting" on its output, require that its pid
    # file exists and that the pid in it equals exp_pid of the spawned
    # process.  On any failure stop_kerberos_daemons is called and 0 is
    # returned; otherwise the result is 1.
    #
    # NOTE(review): setup_kerberos_db ends in an unconditional "return 1",
    # so the guard on its result below cannot fire as the code stands.
    # NOTE(review): neither expect block has a timeout branch; if
    # "starting" never appears the wait appears to end silently after
    # $timeout and the pid-file checks are the only remaining safeguard.
    global REALMNAME
    global KRB5KDC
    global KADMIND
    global KEY
    global kdc_pid
    global kdc_spawn_id
    global kadmind_pid
    global kadmind_spawn_id
    global tmppwd
    global env
    global timeout

    if ![setup_kerberos_db 0] {
        return 0
    }

    # NOTE(review): krb.log and kadmind.log do not match the log names
    # used below (kdc.log, kadmind5.log); confirm which files this is
    # meant to clear.
    if {$standalone} {
        file delete $tmppwd/krb.log $tmppwd/kadmind.log $tmppwd/krb5kdc_rcache
    }

    # Start up the kerberos daemon
    # Why are we doing all this with the log file you may ask.
    # We need a handle on when the server starts. If we log the output
    # of the server to say stderr, then if we stop looking for output,
    # buffers will fill and the server will stop working....
    # So, we look to see when a line is added to the log file and then
    # check it..
    # The same thing is done a little later for the kadmind
    # NOTE(review): the code below waits on the spawned process's output
    # instead, and kdc_lfile / kadmind_lfile are never read in this
    # procedure, so the explanation above looks out of date.
    set kdc_lfile $tmppwd/kdc.log
    set kadmind_lfile $tmppwd/kadmind5.log
    set kdc_pidfile $tmppwd/kdc.pid
    set kadmind_pidfile $tmppwd/kadmind.pid

    envstack_push
    setup_kerberos_env kdc
    # Nuke pid file - to test if setup
    # (a pid file found afterwards must have been written by this run)
    file delete $kdc_pidfile
    spawn $KRB5KDC -r $REALMNAME -n -P $kdc_pidfile
    envstack_pop
    set kdc_pid [exp_pid]
    set kdc_spawn_id $spawn_id

    expect {
        "starting" { }
        eof {
            if {$standalone} {
                verbose -log "krb5kdc failed to start"
                fail "krb5kdc"
            } else {
                perror "krb5kdc failed to start"
            }
            stop_kerberos_daemons
            return 0
        }
    }

    # The pid file must exist and name the process spawned above.
    if (![file exists $kdc_pidfile]) {
        fail "krb5kdc pidfile"
        stop_kerberos_daemons
        return 0
    }
    set f [open $kdc_pidfile "r"]
    if {[gets $f foundpid] < 0 || ![string equal $kdc_pid $foundpid]} {
        fail "krb5kdc pid file contents"
        close $f
        stop_kerberos_daemons
        return 0
    }
    close $f

    if {$standalone} {
        pass "krb5kdc"
    }

    # Give the kerberos daemon a few seconds to get set up.
    # sleep 2

    #
    # Save setting of KRB5_KTNAME. We do not want to override kdc.conf
    # file during kadmind startup. (this is in case user has KRB5_KTNAME
    # set before starting make check)
    #
    if [info exists env(KRB5_KTNAME)] {
        set start_save_ktname $env(KRB5_KTNAME)
    }
    catch "unset env(KRB5_KTNAME)"

    # Start up the kadmind daemon
    # NOTE(review): -W is understood to be the test-only weak random
    # option; confirm against the kadmind under test.
    envstack_push
    setup_kerberos_env kdc
    file delete $kadmind_pidfile
    spawn $KADMIND -r $REALMNAME -W -nofork -P $kadmind_pidfile
    envstack_pop
    set kadmind_pid [exp_pid]
    set kadmind_spawn_id $spawn_id

    # Restore KRB5_KTNAME
    if [info exists start_save_ktname] {
        set env(KRB5_KTNAME) $start_save_ktname
        unset start_save_ktname
    }

    expect {
        "Seeding random number" exp_continue
        "No principal in keytab matches desired name" {
            dump_db
            exp_continue
        }
        "starting" { }
        eof {
            verbose -log "kadmind failed to start"
            if {$standalone} {
                fail "kadmind"
            } else {
                perror "kadmind failed to start"
            }
            stop_kerberos_daemons
            return 0
        }
    }

    # Same pid-file check as for krb5kdc.
    if (![file exists $kadmind_pidfile]) {
        fail "kadmind pidfile"
        stop_kerberos_daemons
        return 0
    }
    set f [open $kadmind_pidfile "r"]
    if {[gets $f foundpid] < 0 || ![string equal $kadmind_pid $foundpid]} {
        fail "kadmind pid file contents"
        close $f
        stop_kerberos_daemons
        return 0
    }
    close $f

    if {$standalone} {
        pass "kadmind"
    }

    # Give the kadmind daemon a few seconds to get set up.
    # sleep 2

    return 1
}
# stop_kerberos_daemons
# Stop the kerberos daemons. Returns 1 on success, 0 on failure.
proc stop_kerberos_daemons { } {
    # Shut down the krb5kdc and kadmind processes recorded in the global
    # *_pid / *_spawn_id variables.  A daemon is touched only when its pid
    # variable exists, and that variable is unset afterwards, so a repeated
    # call skips it.  Errors from kill or from the eof wait are only logged
    # through verbose; every path visible here ends in "return 1".
    global kdc_pid kdc_spawn_id kadmind_pid kadmind_spawn_id

    verbose "entered stop_kerberos_daemons"

    if {[info exists kdc_pid]} {
        # kill with the default signal, then drain output until the pty closes.
        if {[catch "exec kill $kdc_pid" msg]} {
            verbose "kill kdc: $msg"
        }
        if {[catch "expect -i $kdc_spawn_id eof" msg]} {
            verbose "expect kdc eof: $msg"
        }
        # Reap the child.  This wait is not wrapped in catch, so an error
        # raised here propagates to the caller.
        set kdc_list [wait -i $kdc_spawn_id]
        verbose "wait -i $kdc_spawn_id returned $kdc_list (kdc)"
        unset kdc_pid
        unset kdc_list
    }

    if {[info exists kadmind_pid]} {
        # Same sequence for kadmind: kill, drain, reap, forget.
        if {[catch "exec kill $kadmind_pid" msg]} {
            verbose "kill kadmind: $msg"
        }
        if {[catch "expect -i $kadmind_spawn_id eof" msg]} {
            verbose "expect kadmind eof: $msg"
        }
        set kadmind_list [wait -i $kadmind_spawn_id]
        verbose "wait -i $kadmind_spawn_id returned $kadmind_list (kadmind5)"
        unset kadmind_pid
        unset kadmind_list
    }

    verbose "exiting stop_kerberos_daemons"

    return 1
}
# add_kerberos_key
# Add a key to the Kerberos database. start_kerberos_daemons must be
# called before this procedure. If the standalone argument is
# non-zero, call pass at relevant points. Returns 1 on success, 0 on
# failure.
proc add_kerberos_key { kkey standalone } {
    # Create principal $kkey@$REALMNAME through a remote kadmin session
    # authenticated as krbtest/admin.  Returns 1 on success and 0 on
    # failure; pass/fail is recorded only when standalone is true.
    #
    # The passwords used here are test fixtures: the admin password is
    # "adminpass" followed by $KEY, and the new principal's password is its
    # own name followed by $KEY.  They are predictable by construction.
    global REALMNAME KADMIN KEY spawn_id

    set test "kadmin ank $kkey"

    # The dialogue is kept in a script so it can be run under catch: a
    # "break" raised by any handler below makes catch return non-zero,
    # which is how a failure is signalled out of the dialogue.
    set dialogue {
	envstack_push
	setup_kerberos_env client
	spawn $KADMIN -p krbtest/admin@$REALMNAME -q "ank $kkey@$REALMNAME"
	envstack_pop
	verbose "starting $test"
	# Fallback handlers for every expect below; each one tags the test
	# name with the reason before aborting the dialogue.
	expect_after {
	    "Cannot contact any KDC" {
		set test "$test (lost KDC)"
		break
	    }
	    timeout {
		set test "$test (timeout)"
		break
	    }
	    eof {
		set test "$test (eof)"
		break
	    }
	}
	# Admin password prompt ("Password"/"password", any suffix up to ':').
	expect -re "assword\[^\r\n\]*: *"
	send "adminpass$KEY\r"
	# New principal's password, entered twice.
	expect "Enter password for principal \"$kkey@$REALMNAME\":"
	send "$kkey"
	send "$KEY\r"
	expect "Re-enter password for principal \"$kkey@$REALMNAME\":"
	send "$kkey"
	send "$KEY\r"
	# An already-existing principal is accepted as well as a new one.
	expect {
	    "Principal \"$kkey@$REALMNAME\" created" { }
	    "Principal or policy already exists while creating*" { }
	}
	expect eof
	if {![check_exit_status kadmin]} {
	    break
	}
    }
    set failed [catch $dialogue]

    # Drain whatever is left and clear the fallback handlers on both paths.
    catch "expect eof"
    catch expect_after

    if {$failed} {
	if {$standalone} {
	    fail $test
	}
	return 0
    }
    if {$standalone} {
	pass $test
    }
    return 1
}
# dump_db
proc dump_db { } {
    # Debugging aid: run "getprincs" in kadmin.local so the principal list
    # of $REALMNAME shows up in the expect output.  Returns nothing useful.
    #
    # spawn_id is not declared global here, so the spawn below sets a
    # variable local to this proc.
    # NOTE(review): unlike setup_keytab and xst, this proc does not call
    # setup_kerberos_env kdc before spawning kadmin.local, and nothing
    # visible here waits for the child -- confirm both are intended.
    global KADMIN_LOCAL REALMNAME

    spawn $KADMIN_LOCAL -r $REALMNAME

    # A premature eof or a timeout is reported through perror, but the
    # handlers do not return, so the remaining steps are still attempted.
    expect_after {
	eof {
	    perror "failed to get debugging dump of database (eof)"
	}
	timeout {
	    perror "failed to get debugging dump of database (timeout)"
	}
    }

    expect "kadmin.local: "
    send "getprincs\r"
    expect "kadmin.local: "
    send "quit\r"
    expect eof

    # Remove the handlers installed above.
    catch expect_after
}
# add_random_key
# Add a key with a random password to the Kerberos database.
# start_kerberos_daemons must be called before this procedure. If the
# standalone argument is non-zero, call pass at relevant points.
# Returns 1 on success, 0 on failure.
proc add_random_key { kkey standalone } {
    # Create principal $kkey@$REALMNAME with "ank -randkey" through a remote
    # kadmin session authenticated as krbtest/admin.  Returns 1 on success
    # and 0 on failure; pass/fail is recorded only when standalone is true.
    global REALMNAME KADMIN KEY spawn_id

    set test "kadmin ark $kkey"

    # Run the dialogue under catch: "break" from a handler makes catch
    # return non-zero, which marks the attempt as failed.
    set dialogue {
	envstack_push
	setup_kerberos_env client
	spawn $KADMIN -p krbtest/admin@$REALMNAME -q "ank -randkey $kkey@$REALMNAME"
	envstack_pop
	# Fallback handlers; each tags the test name with the reason.
	expect_after {
	    timeout {
		set test "$test (timeout)"
		break
	    }
	    eof {
		set test "$test (eof)"
		break
	    }
	}
	# Only the admin password is prompted for; the key is random.
	expect -re "assword\[^\r\n\]*: *"
	send "adminpass$KEY\r"
	# An already-existing principal is accepted as well as a new one.
	expect {
	    "Principal \"$kkey@$REALMNAME\" created" { }
	    "Principal or policy already exists while creating*" { }
	}
	expect eof
	if {![check_exit_status kadmin]} {
	    break
	}
    }
    set failed [catch $dialogue]

    # Clear the fallback handlers regardless of the outcome.
    catch expect_after

    if {$failed} {
	if {$standalone} {
	    fail $test
	}
	return 0
    }
    if {$standalone} {
	pass $test
    }
    return 1
}
# setup_keytab
# Set up a keytab file. start_kerberos_daemons and add_random_key
# $id/$hostname must be called before this procedure. If the
# standalone argument is non-zero, call pass at relevant points. Returns 1 on
# success, 0 on failure. If the id argument is not provided, host is used.
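proc setup_keytab { standalone {id host} } {
    # Extract keys for $id/$hostname and kiprop/$hostname with kadmin.local
    # into a scratch file and move it to $tmppwd/keytab.
    #
    # standalone  when true, record pass/fail and always rebuild the keytab
    # id          service component of the principal (default "host")
    #
    # Returns 1 on success and 0 on failure.  When standalone is false and a
    # keytab for the same id already exists, returns 1 without doing work.
    global REALMNAME
    global KADMIN_LOCAL
    global KEY
    global tmppwd
    global hostname
    global spawn_id
    global last_service

    # Reuse the keytab from a previous call for the same service.
    if {!$standalone && [file exists $tmppwd/keytab] && $last_service == $id} {
	return 1
    }

    file delete $tmppwd/keytab $tmppwd/keytab.old

    if {![get_hostname]} {
	return 0
    }

    # xst appends to an existing file, so start from a clean scratch keytab.
    file delete $hostname-new-keytab

    envstack_push
    setup_kerberos_env kdc
    spawn $KADMIN_LOCAL -r $REALMNAME
    envstack_pop

    # Fallback handlers for every expect below.  An unexpected prompt, a
    # timeout or eof fails the test, drops a stale keytab when not
    # standalone, clears the handlers and returns 0 from this proc.
    expect_after {
	-re "(.*)\r\nkadmin.local: " {
	    fail "kadmin.local keytab (unmatched output: $expect_out(1,string))"
	    if {!$standalone} {
		file delete $tmppwd/keytab
	    }
	    catch "expect_after"
	    return 0
	}
	timeout {
	    fail "kadmin.local keytab"
	    if {!$standalone} {
		file delete $tmppwd/keytab
	    }
	    catch "expect_after"
	    return 0
	}
	eof {
	    fail "kadmin.local keytab"
	    if {!$standalone} {
		file delete $tmppwd/keytab
	    }
	    catch "expect_after"
	    return 0
	}
    }
    expect "kadmin.local: "
    send "xst -k $hostname-new-keytab $id/$hostname kiprop/$hostname\r"
    # Consume the echoed command before looking at the result.
    expect "xst -k $hostname-new-keytab $id/$hostname kiprop/$hostname\r\n"
    # $id and $hostname are interpolated into the regexp unescaped, so any
    # regexp metacharacters in them are interpreted as such.
    expect {
	-re ".*Entry for principal $id/$hostname.* added to keytab WRFILE:$hostname-new-keytab." { }
	-re "\r\nkadmin.local: " {
	    # Prompt came back without the confirmation line.
	    if {$standalone} {
		fail "kadmin.local keytab"
	    } else {
		file delete $tmppwd/keytab
	    }
	    catch expect_after
	    return 0
	}
    }
    expect "kadmin.local: "
    send "quit\r"
    expect eof
    catch expect_after
    if {![check_exit_status "kadmin.local keytab"]} {
	if {!$standalone} {
	    file delete $tmppwd/keytab
	}
	return 0
    }

    # Braced script: the paths are substituted once and passed to mv as
    # single arguments.  The quoted form re-parsed the expanded string as
    # Tcl, so whitespace or [ ] ; $ in $tmppwd or $hostname would have
    # split the argument or been evaluated.
    catch {exec mv -f $hostname-new-keytab $tmppwd/keytab} exec_output
    if {![string match "" $exec_output]} {
	verbose -log "$exec_output"
	perror "can't mv new keytab"
	return 0
    }

    if {$standalone} {
	pass "kadmin.local keytab"
    }

    # Make the keytab file globally readable in case we are using a
    # root shell and the keytab is NFS mounted.  The file holds long-term
    # service keys; world-readable is tolerable only because these belong
    # to the throwaway test realm kept under $tmppwd.
    catch {exec chmod a+r $tmppwd/keytab}

    # Remember what we just extracted
    set last_service $id

    return 1
}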
# kinit
# Use kinit to get a ticket. If the standalone argument is non-zero, call pass
# at relevant points. Returns 1 on success, 0 on failure.
proc kinit { name pass standalone } {
    # Obtain a forwardable ticket for $name@$REALMNAME by answering kinit's
    # password prompt with $pass.  Returns 1 on success, 0 on failure.
    # A timeout or eof before the prompt is always recorded as a failure;
    # a pass is recorded only when standalone is true.
    #
    # The parameter "pass" is a variable and does not hide the DejaGnu
    # "pass" command used below (Tcl keeps variables and commands apart).
    global REALMNAME KINIT spawn_id

    # Tickets are always requested forwardable (-f) for now.  If tests ever
    # need to distinguish forwardable from non-forwardable tickets, this
    # proc should grow another option.  --proven
    spawn $KINIT -5 -f $name@$REALMNAME
    expect {
	"Password for $name@$REALMNAME:" {
	    verbose "kinit started"
	}
	timeout {
	    fail "kinit"
	    return 0
	}
	eof {
	    fail "kinit"
	    return 0
	}
    }

    send "$pass\r"
    expect eof

    if {![check_exit_status kinit]} {
	return 0
    }
    if {$standalone} {
	pass "kinit"
    }
    return 1
}
proc kinit_renew { name pass standalone } {
    # Obtain a forwardable ticket for $name@$REALMNAME with a password and
    # then renew it with "kinit -R".  Returns 1 when both steps exit
    # cleanly, 0 otherwise.
    #
    # standalone is accepted but never read here, and no pass is recorded.
    # Prompt failures in the first step are reported under the name "kinit".
    global REALMNAME KINIT spawn_id

    # Step 1: initial ticket.
    spawn $KINIT -5 -f $name@$REALMNAME
    expect {
	"Password for $name@$REALMNAME:" {
	    verbose "kinit started"
	}
	timeout {
	    fail "kinit"
	    return 0
	}
	eof {
	    fail "kinit"
	    return 0
	}
    }
    send "$pass\r"
    expect eof
    if {![check_exit_status kinit]} {
	return 0
    }

    # Step 2: renewal; no prompt is expected, only the exit status matters.
    spawn $KINIT -R
    expect eof
    if {![check_exit_status "kinit_renew"]} {
	return 0
    }

    return 1
}
# Retrieve a ticket using FAST armor
proc kinit_fast { name pass standalone } {
    # Obtain a forwardable ticket for $name@$REALMNAME, passing the cache
    # named by env(KRB5CCNAME) to kinit's -T option (FAST armor cache).
    # Returns 1 on success, 0 on failure; a pass is recorded only when
    # standalone is true.
    #
    # env(KRB5CCNAME) is read unconditionally, so Tcl raises an error if it
    # is not set when this proc is called.
    global REALMNAME KINIT spawn_id env

    spawn $KINIT -5 -f -T $env(KRB5CCNAME) $name@$REALMNAME
    expect {
	"Password for $name@$REALMNAME:" {
	    verbose "kinit started"
	}
	timeout {
	    fail "kinit_fast"
	    return 0
	}
	eof {
	    fail "kinit_fast"
	    return 0
	}
    }

    send "$pass\r"
    expect eof

    if {![check_exit_status kinit]} {
	return 0
    }
    if {$standalone} {
	pass "kinit_fast"
    }
    return 1
}
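proc kinit_anonymous { name } {
    # Request an anonymous ticket (kinit -n) for $name@$REALMNAME.
    # Anonymous authentication must not ask for a password, so a password
    # prompt is a failure, as is a timeout.  Returns 1 on success and 0 on
    # failure; pass/fail is always recorded.
    global REALMNAME
    global KINIT
    global spawn_id

    spawn $KINIT -5 -f -n $name@$REALMNAME
    expect {
	"Password for $name@$REALMNAME:" {
	    fail "kinit_anonymous (password requested)"
	    return 0
	}
	timeout {
	    fail "kinit_anonymous (timeout)"
	    return 0
	}
	eof { }
    }
    if {![check_exit_status kinit]} {
	fail "kinit anonymous"
	# Stop here: without this return the proc went on to record a pass
	# and return 1 for a kinit that had exited abnormally, hiding the
	# failure from callers.
	return 0
    }

    pass "kinit anonymous"
    return 1
}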
proc kinit_kt { name keytab standalone testname } {
    # Obtain a forwardable ticket for $name@$REALMNAME using the key stored
    # in $keytab (kinit -k -t) instead of a password.  Results are reported
    # under "kinit $testname".  Returns 1 on success, 0 on failure; a pass
    # is recorded only when standalone is true.
    global REALMNAME KINIT spawn_id

    # Tickets are always requested forwardable (-f) for now.  If tests ever
    # need to distinguish forwardable from non-forwardable tickets, this
    # proc should grow another option.  --proven
    spawn $KINIT -5 -f -k -t $keytab $name@$REALMNAME

    # No prompt is expected; just wait for the process to finish.
    expect {
	timeout {
	    fail "kinit $testname"
	    return 0
	}
	eof { }
    }

    if {![check_exit_status "kinit $testname"]} {
	return 0
    }
    if {$standalone} {
	pass "kinit $testname"
    }
    return 1
}
# List tickets. Requires client and server names, and test name.
# Checks that klist exit status is zero.
# Records pass or fail, and returns 1 or 0.
proc do_klist { myname servname testname } {
    # Run "klist -5 -e" and require that the ticket cache lives under
    # $tmppwd/tkt, that the default principal starts with $myname, and that
    # a line ending in $servname follows.  Records pass/fail under
    # $testname and returns 1 or 0.
    #
    # $tmppwd, $myname and $servname are interpolated into the regexp
    # unescaped, so regexp metacharacters in them are interpreted as such.
    #
    # NOTE(review): spawn_id is not declared global here, so spawn sets a
    # variable local to this proc -- confirm check_exit_status waits on the
    # process spawned below.
    global KLIST tmppwd

    spawn $KLIST -5 -e
    expect {
	-re "Ticket cache:\[ \]*(.+:)?$tmppwd/tkt.*Default principal:\[ \]*$myname.*$servname\r\n" {
	    verbose "klist started"
	}
	timeout {
	    fail $testname
	    return 0
	}
	eof {
	    fail $testname
	    return 0
	}
    }

    # Drain the rest of the listing before collecting the exit status.
    expect eof

    if {![check_exit_status $testname]} {
	return 0
    }
    pass $testname
    return 1
}
proc do_klist_kt { keytab testname } {
    # Run "klist -5 -e -k $keytab", require the keytab listing header, and
    # log every entry line that follows.  Records pass/fail under $testname
    # and returns 1 or 0.
    #
    # NOTE(review): spawn_id is not declared global here, so spawn sets a
    # variable local to this proc -- confirm check_exit_status waits on the
    # process spawned below.
    global KLIST tmppwd

    spawn $KLIST -5 -e -k $keytab
    expect {
	-re "Keytab name:\[ \]*(.+:)?.*KVNO Principal\r\n---- -*\r\n" {
	    verbose "klist started"
	}
	timeout {
	    fail $testname
	    return 0
	}
	eof {
	    fail $testname
	    return 0
	}
    }

    # Consume entry lines of the form "<kvno> <principal> (<enctype>)" until
    # the process closes its output.  There is no timeout arm, so a timeout
    # simply starts another round of waiting.
    while {1} {
	expect {
	    -re { *[0-9][0-9]* *[a-zA-Z/@.-]* \([/a-zA-Z 0-9-]*\) *\r\n} {
		verbose -log "key: $expect_out(buffer)"
	    }
	    eof { break }
	}
    }

    if {![check_exit_status $testname]} {
	return 0
    }
    pass $testname
    return 1
}
proc do_klist_err { testname } {
    # Run "klist -5" when no credentials are expected: the "No credentials
    # cache found" message must appear and the process must exit with
    # status 1.  Records pass/fail under $testname and returns 1 or 0.
    global KLIST spawn_id

    spawn $KLIST -5
    # The message may read "credentials cache" or "credentials cache file",
    # hence the trailing wildcard.
    expect {
	-re "klist: No credentials cache found.*\r\n" {
	    verbose "klist started"
	}
	timeout {
	    fail $testname
	    return 0
	}
	eof {
	    fail $testname
	    return 0
	}
    }

    # check_exit_status cannot be used because an exit status of 1 is the
    # expected outcome, so the wait result is inspected directly.
    catch "expect eof"
    set status_list [wait -i $spawn_id]
    verbose "wait -i $spawn_id returned $status_list ($testname)"

    # Element 2 must be 0 and element 3 (the exit status) must be 1.
    if {[lindex $status_list 2] != 0 || [lindex $status_list 3] != 1} {
	fail "$testname (bad exit status) $status_list"
	return 0
    }
    pass $testname
    return 1
}
proc do_kdestroy { testname } {
    # Run "kdestroy -5" and judge it by exit status alone.  Records
    # pass/fail under $testname and returns 1 or 0.
    global KDESTROY spawn_id

    spawn $KDESTROY -5
    if {[check_exit_status $testname]} {
	pass $testname
	return 1
    }
    fail $testname
    return 0
}
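proc xst { keytab name } {
    # Extract the key of principal $name into $keytab with kadmin.local's
    # "xst -k".  Returns 1 on success and 0 on failure.
    #
    # NOTE(review): spawn_id is not declared global here, so spawn sets a
    # variable local to this proc -- confirm check_exit_status waits on the
    # process spawned below.
    global KADMIN_LOCAL
    global REALMNAME

    envstack_push
    setup_kerberos_env kdc
    spawn $KADMIN_LOCAL -r $REALMNAME
    envstack_pop

    # Drop any handlers left behind by an earlier dialogue, then install
    # ours.  Each handler fails the test, clears itself and returns 0.
    catch expect_after
    expect_after {
	-re "(.*)\r\nkadmin.local: " {
	    # Closing parenthesis added: the message was left unbalanced,
	    # unlike the matching message in setup_keytab.
	    fail "kadmin.local xst $keytab (unmatched output: $expect_out(1,string))"
	    catch "expect_after"
	    return 0
	}
	timeout {
	    fail "kadmin.local xst $keytab (timeout)"
	    catch "expect_after"
	    return 0
	}
	eof {
	    fail "kadmin.local xst $keytab (eof)"
	    catch "expect_after"
	    return 0
	}
    }
    expect "kadmin.local: "
    send "xst -k $keytab $name\r"
    # Echoed command, then the confirmation line, then the next prompt.
    expect -re "xst -k \[^\r\n\]*\r\n.*Entry for principal .* added to keytab WRFILE:.*\r\nkadmin.local: "
    send "quit\r"
    expect eof
    catch expect_after
    if {![check_exit_status "kadmin.local $keytab"]} {
	perror "kadmin.local xst $keytab exited abnormally"
	return 0
    }
    return 1
}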
# helpful sometimes for debugging the test suite
proc export_debug_envvars { } {
    # Copy each listed harness setting that currently exists as a global
    # Tcl variable into the process environment under the same name, so
    # that programs started afterwards inherit it.  Names that are not set
    # are skipped.
    set exported {KDB5_UTIL KRB5KDC KADMIND KADMIN KADMIN_LOCAL KINIT KTUTIL KLIST KPASSWD REALMNAME GSSCLIENT KPROPLOG}
    foreach varname $exported {
	if {[info exists ::$varname]} {
	    set ::env($varname) [set ::$varname]
	}
    }
}
proc spawn_xterm { } {
    # Debugging helper: export the harness settings to the environment and
    # run xterm.  exec returns only after xterm has exited.
    export_debug_envvars
    exec xterm
}
proc spawn_shell { } {
    # Debugging helper: export the harness settings to the environment,
    # start sh under expect and hand the terminal over to it.
    export_debug_envvars
    spawn sh
    exp_interact
}