# Kerberos kadmin test.

# This is a DejaGnu test script.

# This script tests Kerberos kadmin5 using kadmin.local as verification.

#++

# kadmin_add	- Test add new v5 principal function of kadmin.

#

# Adds principal $pname with password $password.  Returns 1 on success.

#--

proc kadmin_add { pname password } {

    global REALMNAME

    global KADMIN

    global KADMIN_LOCAL

    global KEY

    global spawn_id

    global tmppwd

    set good 0

    spawn $KADMIN -p krbtest/admin@$REALMNAME -q "ank $pname"

    expect_after {

	"Cannot contact any KDC" {

	    fail "kadmin add $pname lost KDC"

	    catch "expect_after"

	    return 0

	}

	timeout {

	    fail "kadmin add $pname"

	    catch "expect_after"

	    return 0

	}

	eof {

	    fail "kadmin add $pname"

	    catch "expect_after"

	    return 0

	}

    }

    expect -re "assword\[^\r\n\]*:" {

	send "adminpass$KEY\r"

    }

    expect "Enter password for principal \"$pname@$REALMNAME\":" { send "$password\r" }

    expect "Re-enter password for principal \"$pname@$REALMNAME\":" { send "$password\r" }

    expect "Principal \"$pname@$REALMNAME\" created." { set good 1 }

    expect_after

    expect eof

    set k_stat [wait -i $spawn_id]

    verbose "wait -i $spawn_id returned $k_stat (kadmin add)"

    catch "close -i $spawn_id"

    if { $good == 1 } {

	#

	# use kadmin.local to verify that a principal was created and that its

	# salt types are 0 (normal).

	#

	envstack_push

	setup_kerberos_env kdc

	spawn $KADMIN_LOCAL -r $REALMNAME

	envstack_pop

	expect_after {

	    -i $spawn_id

	    timeout {

		fail "kadmin add $pname"

		catch "expect_after"

		return 0

	    }

	    eof {

		fail "kadmin add $pname"

		catch "expect_after"

		return 0

	    }

	}

	set good 0

	expect "kadmin.local: " { send "getprinc $pname\r" }

	expect "Principal: $pname@$REALMNAME" { set good 1 }

	expect "Expiration date:" { verbose "got expiration date" }

	expect "Last password change:" { verbose "got last pwchange" }

	expect "Password expiration date:" { verbose "got pwexpire date" }

	expect "Maximum ticket life:" { verbose "got max life" }

	expect "Maximum renewable life:" { verbose "got max rlife" }

	expect "Last modified:" { verbose "got last modified" }

	expect "Last successful authentication:" { verbose "last succ auth" }

	expect "Last failed authentication:" { verbose "last pw failed" }

	expect "Failed password attempts:" { verbose "num failed attempts" }

	expect "Number of keys:" { verbose "num keys"} 

	expect {

		"Key: " { verbose "Key listed" 

			exp_continue

		}

		"Attributes:" { verbose "attributes" }

	}

	expect "kadmin.local: " { send "q\r" }

	expect_after

	expect eof

	set k_stat [wait -i $spawn_id]

	verbose "wait -i $spawn_id returned $k_stat (kadmin.local show)"

	catch "close -i $spawn_id"

	if { $good == 1 } {

	    pass "kadmin add $pname"

	    return 1

	}

	else {

	    fail "kadmin add $pname"

	    return 0

	}

    }

    else {

	fail "kadmin add $pname"

	return 0

    }

}

#++

# kadmin_add_rnd	- Test add new v5 principal with random key function.

#

# Adds principal $pname with random key.  Returns 1 on success.

#--

proc kadmin_add_rnd { pname { flags "" } } {

    global REALMNAME

    global KADMIN

    global KADMIN_LOCAL

    global KEY

    global spawn_id

    global tmppwd

    set good 0

    spawn $KADMIN -p krbtest/admin@$REALMNAME -q "ank -randkey $flags $pname"

    expect_after {

	"Cannot contact any KDC" {

	    fail "kadmin add rnd $pname lost KDC"

	    catch "expect_after"

	    return 0

	}

	timeout {

	    fail "kadmin add_rnd $pname"

	    catch "expect_after"

	    return 0

	}

	eof {

	    fail "kadmin add_rnd $pname"

	    catch "expect_after"

	    return 0

	}

    }

    expect -re "assword\[^\r\n\]*: *" {

	send "adminpass$KEY\r"

    }

    expect "Principal \"$pname@$REALMNAME\" created." { set good 1 }

    expect_after

    expect eof

    set k_stat [wait -i $spawn_id]

    verbose "wait -i $spawn_id returned $k_stat (kadmin add_rnd)"

    catch "close -i $spawn_id"

    if { $good == 1 } {

	#

	# use kadmin.local to verify that a principal was created and that its

	# salt types are 0 (normal).

	#

	envstack_push

	setup_kerberos_env kdc

	spawn $KADMIN_LOCAL -r $REALMNAME

	envstack_pop

	expect_after {

	     -i $spawn_id

	    timeout {

		fail "kadmin add_rnd $pname"

		catch "expect_after"

		return 0

	    }

	    eof {

		fail "kadmin add_rnd $pname"

		catch "expect_after"

		return 0

	    }

	}

	set good 0

	expect "kadmin.local:" { send "getprinc $pname\r" }

	expect "Principal: $pname@$REALMNAME" { set good 1 }

	expect "kadmin.local:" { send "q\r" }

	expect_after

	expect eof

	set k_stat [wait -i $spawn_id]

	verbose "wait -i $spawn_id returned $k_stat (kadmin.local show)"

	catch "close -i $spawn_id"

	if { $good == 1 } {

	    pass "kadmin add_rnd $pname"

	    return 1

	}

	else {

	    fail "kadmin add_rnd $pname"

	    return 0

	}

    }

    else {

	fail "kadmin add_rnd $pname"

	return 0

    }

}

#++

# kadmin_show	- Test show principal function of kadmin.

# 

# Retrieves entry for $pname.  Returns 1 on success.

#--

proc kadmin_show { pname } {

    global REALMNAME

    global KADMIN

    global KEY

    global spawn_id

    spawn $KADMIN -p krbtest/admin@$REALMNAME -q "get_principal $pname"

    expect_after {

	"Cannot contact any KDC" {

	    fail "kadmin show $pname lost KDC"

	    catch "expect_after"

	    return 0

	}

	timeout {

	    fail "kadmin show $pname"

	    catch "expect_after"

	    return 0

	}

	eof {

	    fail "kadmin show $pname"

	    catch "expect_after"

	    return 0

	}

    }

    expect -re "assword\[^\r\n\]*: *"

    send "adminpass$KEY\r"

    expect -re "\r.*Principal: $pname@$REALMNAME.*Key: .*Attributes:.*Policy: .*\r"

    expect_after

    expect eof

    set k_stat [wait -i $spawn_id]

    verbose "wait -i $spawn_id returned $k_stat (kadmin show)"

    catch "close -i $spawn_id"

    pass "kadmin show $pname"

    return 1

}

#++

# kadmin_cpw	- Test change password function of kadmin

#

# Change password of $pname to $password.  Returns 1 on success.

#--

proc kadmin_cpw { pname password } {

    global REALMNAME

    global KADMIN

    global KEY

    global spawn_id

    spawn $KADMIN -p krbtest/admin@$REALMNAME -q "cpw $pname"

    expect_after {

	"Cannot contact any KDC" {

	    fail "kadmin cpw $pname lost KDC"

	    catch "expect_after"

	    return 0

	}

	timeout {

	    fail "kadmin cpw $pname"

	    catch "expect_after"

	    return 0

	}

	eof {

	    fail "kadmin cpw $pname"

	    catch "expect_after"

	    return 0

	}

    }

    expect -re "assword\[^\r\n\]*: *" {

	send "adminpass$KEY\r"

    }

    expect "Enter password for principal \"$pname@$REALMNAME\":" { send "$password\r" }

    expect "Re-enter password for principal \"$pname@$REALMNAME\":" { send "$password\r" }

    # When in doubt, jam one of these in there.

    expect "\r"

    expect "Password for \"$pname@$REALMNAME\" changed."

    expect_after

    expect eof

    set k_stat [wait -i $spawn_id]

    verbose "wait -i $spawn_id returned $k_stat (kadmin cpw)"

    catch "close -i $spawn_id"

    pass "kadmin cpw $pname"

    return 1

}

#++

# kadmin_cpw_rnd	- Test change random key function of kadmin.

#

# Changes principal $pname's key to a new random key.  Returns 1 on success.

#--

proc kadmin_cpw_rnd { pname } {

    global REALMNAME

    global KADMIN

    global KEY

    global spawn_id

    spawn $KADMIN -p krbtest/admin@$REALMNAME -q "cpw -randkey $pname"

    expect_after {

	"Cannot contact any KDC" {

	    fail "kadmin cpw_rnd $pname lost KDC"

	    catch "expect_after"

	    return 0

	}

	timeout {

	    fail "kadmin cpw_rnd $pname"

	    catch "expect_after"

	    return 0

	}

	eof {

	    fail "kadmin cpw_rnd $pname"

	    catch "expect_after"

	    return 0

	}

    }

    expect -re "assword\[^\r\n\]*: *" {

	send "adminpass$KEY\r"

    }

    # When in doubt, jam one of these in there.

    expect "\r"

    expect "Key for \"$pname@$REALMNAME\" randomized."

    expect_after

    expect eof

    set k_stat [wait -i $spawn_id]

    verbose "wait -i $spawn_id returned $k_stat (kadmin cpw_rnd)"

    catch "close -i $spawn_id"

    pass "kadmin cpw_rnd $pname"

    return 1

}

#++

# kadmin_modify	- Test modify principal function of kadmin.

#

# Modifies principal $pname with flags $flags.  Returns 1 on success.

#--

proc kadmin_modify { pname flags } {

    global REALMNAME

    global KADMIN

    global KEY

    global spawn_id

    spawn $KADMIN -p krbtest/admin@$REALMNAME -q "modprinc $flags $pname"

    expect_after {

	"Cannot contact any KDC" {

	    fail "kadmin modify $pname ($flags) lost KDC"

	    catch "expect_after"

	    return 0

	}

	timeout {

	    fail "kadmin modify $pname"

	    catch "expect_after"

	    return 0

	}

	eof {

	    fail "kadmin modify $pname"

	    catch "expect_after"

	    return 0

	}

    }

    expect -re "assword\[^\r\n\]*: *"

    send "adminpass$KEY\r"

    # When in doubt, jam one of these in there.

    expect "\r"

    expect "Principal \"$pname@$REALMNAME\" modified."

    expect_after

    expect eof

    set k_stat [wait -i $spawn_id]

    verbose "wait -i $spawn_id returned $k_stat (kadmin modify)"

    catch "close -i $spawn_id"

    pass "kadmin modify $pname"

    return 1

}

#++

# kadmin_list	- Test list database function of kadmin.

#

# Lists the database and verifies that output matches regular expression

# "(.*@$REALMNAME)*".  Returns 1 on success.

#--

proc kadmin_list {  } {

    global REALMNAME

    global KADMIN

    global KEY

    global spawn_id

    # "*" would match everything

    # "*n" should match a few like kadmin/admin but see ticket 5667

    spawn $KADMIN -p krbtest/admin@$REALMNAME -q "get_principals *n"

    expect_after {

	"Cannot contact any KDC" {

	    fail "kadmin ldb lost KDC"

	    catch "expect_after"

	    return 0

	}

	"Communication failure" {

	    fail "kadmin ldb got RPC error"

	    catch "expect_after"

	    return 0

	}

	timeout {

	    fail "kadmin ldb"

	    catch "expect_after"

	    return 0

	}

	eof {

	    fail "kadmin ldb"

	    catch "expect_after"

	    return 0

	}

    }

    expect -re "assword\[^\r\n\]*: *" {

	send "adminpass$KEY\r"

    }

    expect -re "\(.*@$REALMNAME\r\n\)+"

    expect_after

    expect eof

    set k_stat [wait -i $spawn_id]

    verbose "wait -i $spawn_id returned $k_stat (kadmin list)"

    catch "close -i $spawn_id"

    pass "kadmin ldb"

    return 1

}

#++

# kadmin_extract	- Test extract service key function of kadmin.

#

# Extracts service key for service name $name instance $instance.  Returns

# 1 on success.

#--

proc kadmin_extract { instance name } {

    global REALMNAME

    global KADMIN

    global KEY

    global spawn_id

    global tmppwd

    catch "exec rm -f $tmppwd/keytab"

    spawn $KADMIN -p krbtest/admin@$REALMNAME -q "xst -k $tmppwd/keytab $name/$instance"

    expect_after {

	"Cannot contact any KDC" {

	    fail "kadmin xst $instance $name lost KDC"

	    catch "expect_after"

	    return 0

	}

	timeout {

	    fail "kadmin xst $instance $name"

	    catch "expect_after"

	    return 0

	}

	eof {

	    fail "kadmin xst $instance $name"

	    catch "expect_after"

	    return 0

	}

    }

    expect -re "assword\[^\r\n\]*: *" {

	send "adminpass$KEY\r"

    }

    expect_after

    expect eof

    set k_stat [wait -i $spawn_id]

    verbose "wait -i $spawn_id returned $k_stat (kadmin xst)"

    catch "close -i $spawn_id"

    catch "exec rm -f $instance-new-keytab"

    pass "kadmin xst $instance $name"

    return 1

}

#++

# kadmin_delete	- Test delete principal function of kadmin.

#

# Deletes principal $pname.  Returns 1 on success.

#--

proc kadmin_delete { pname } {

    global REALMNAME

    global KADMIN

    global KADMIN_LOCAL

    global KEY

    global spawn_id

    global tmppwd

    set good 0

    spawn $KADMIN -p krbtest/admin@$REALMNAME -q "delprinc -force $pname"

    expect_after {

	"Cannot contact any KDC" {

	    fail "kadmin_delete $pname lost KDC"

	    catch "expect_after"

	    return 0

	}

	timeout {

	    fail "kadmin delprinc $pname"

	    catch "expect_after"

	    return 0

	}

	eof {

	    fail "kadmin delprinc $pname"

	    catch "expect_after"

	    return 0

	}

    }

    expect -re "assword\[^\r\n\]*: *" {

	send "adminpass$KEY\r"

    }

    expect "Principal \"$pname@$REALMNAME\" deleted." { set good 1 }

    expect_after

    expect eof

    set k_stat [wait -i $spawn_id]

    verbose "wait -i $spawn_id returned $k_stat (kadmin delprinc)"

    catch "close -i $spawn_id"

    if { $good == 1 } {

	#

	# use kadmin.local to verify that the old principal is not present.

	#

	envstack_push

	setup_kerberos_env kdc

	spawn $KADMIN_LOCAL -r $REALMNAME

	envstack_pop

	expect_after {

	    -i $spawn_id

	    timeout {

		fail "kadmin delprinc $pname"

		catch "expect_after"

		return 0

	    }

	    eof {

		fail "kadmin delprinc $pname"

		catch "expect_after"

		return 0

	    }

	}

	set good 0

	expect "kadmin.local: " { send "getprinc $pname\r" }

	expect "Principal does not exist while retrieving \"$pname@$REALMNAME\"." { set good 1 }

	expect "kadmin.local: " { send "quit\r" }

	expect_after

	expect eof

	set k_stat [wait -i $spawn_id]

	verbose "wait -i $spawn_id returned $k_stat (kadmin.local show)"

	catch "close -i $spawn_id"

	if { $good == 1 } {

	    pass "kadmin delprinc $pname"

	    return 1

	}

	else {

	    fail "kadmin delprinc $pname"

	    return 0

	}

    }

    else {

	fail "kadmin delprinc $pname"

	return 0

    }

}

#++

# kadmin_delete	- Test delete principal function of kadmin.

#

# Deletes principal $pname.  Returns 1 on success.

#--

proc kadmin_delete_locked_down { pname } {

    global REALMNAME

    global KADMIN

    global KADMIN_LOCAL

    global KEY

    global spawn_id

    global tmppwd

    #

    # First test that we fail, then unlock and retry

    #

    set good 0

    spawn $KADMIN -p krbtest/admin@$REALMNAME -q "delprinc -force $pname"

    expect_after {

	"Cannot contact any KDC" {

	    fail "kadmin_delete $pname lost KDC"

	    catch "expect_after"

	    return 0

	}

	timeout {

	    fail "kadmin delprinc $pname"

	    catch "expect_after"

	    return 0

	}

	eof {

	    fail "kadmin delprinc $pname"

	    catch "expect_after"

	    return 0

	}

    }

    expect -re "assword\[^\r\n\]*: *" {

	send "adminpass$KEY\r"

    }

    expect "delete_principal: Operation requires ``delete'' privilege while deleting principal \"$pname@$REALMNAME\"" { set good 1 }

    expect_after

    expect eof

    set k_stat [wait -i $spawn_id]

    verbose "wait -i $spawn_id returned $k_stat (kadmin delprinc)"

    catch "close -i $spawn_id"

    if { $good == 1 } {

	#

	# use kadmin.local to remove lockdown.

	#

	envstack_push

	setup_kerberos_env kdc

	spawn $KADMIN_LOCAL -r $REALMNAME

	envstack_pop

	expect_after {

	    -i $spawn_id

	    timeout {

		fail "kadmin delprinc $pname"

		catch "expect_after"

		return 0

	    }

	    eof {

		fail "kadmin delprinc $pname"

		catch "expect_after"

		return 0

	    }

	}

	set good 0

	expect "kadmin.local: " { send "modprinc -lockdown_keys $pname\r" }

	expect "Principal \"$pname@$REALMNAME\" modified." { set good 1 }

	expect "kadmin.local: " { send "quit\r" }

	expect_after

	expect eof

	set k_stat [wait -i $spawn_id]

	verbose "wait -i $spawn_id returned $k_stat (kadmin.local show)"

	catch "close -i $spawn_id"

	if { $good == 1 } {

            set good 0

            if {[kadmin_delete $pname]} { set good 1 }

        }

	if { $good == 1 } {

	    pass "kadmin delprinc $pname"

	    return 1

	}

	else {

	    fail "kadmin delprinc $pname"

	    return 0

	}

    }

    else {

	fail "kadmin delprinc $pname"

	return 0

    }

}

#++

# kpasswd_cpw	- Test password changing using kpasswd.

#

# Change $princ's password from $opw to $npw.  Returns 1 on success.

#--

proc kpasswd_cpw { princ opw npw } {

    global KPASSWD

    global REALMNAME

    spawn $KPASSWD $princ

    expect_after {

	timeout {

	    fail "kpasswd $princ $npw"

#	    catch "expect_after"

	    return 0

	}

	eof {

	    fail "kpasswd $princ $npw"

#	    catch "expect_after"

	    return 0

	}

    }

#    expect "Changing password for $princ."

#    expect "Old password:" { send "$opw\r" }

#    expect "New password:" { send "$npw\r" }

#    expect "New password (again):" { send "$npw\r" }

    expect "Password for $princ@$REALMNAME:" { send "$opw\r" }

    expect "Enter new password:"  { send "$npw\r" }

    expect "Enter it again:"      { send "$npw\r" }

#    expect "Kerberos password changed."

    expect "Password changed."

    expect_after

    expect eof

    if ![check_exit_status "kpasswd"] {

	fail "kpasswd $princ $npw"

	return 0

    }

    pass "kpasswd $princ $npw"

    return 1

}

#++

# kadmin_addpol	- Test add new policy function of kadmin.

#

# Adds policy $pname.  Returns 1 on success.

#--

proc kadmin_addpol { pname } {

    global REALMNAME

    global KADMIN

    global KADMIN_LOCAL

    global KEY

    global spawn_id

    global tmppwd

    set good 0

    spawn $KADMIN -p krbtest/admin@$REALMNAME -q "addpol $pname"

    expect_after {

	"Cannot contact any KDC" {

	    fail "kadmin addpol $pname lost KDC"

	    catch "expect_after"

	    return 0

	}

	timeout {

	    fail "kadmin addpol $pname"

	    catch "expect_after"

	    return 0

	}

	eof {

	    fail "kadmin addpol $pname"

	    catch "expect_after"

	    return 0

	}

    }

    expect -re "assword\[^\r\n\]*: *" {

	send "adminpass$KEY\r"

    }

    expect_after

    expect eof

    set k_stat [wait -i $spawn_id]

    verbose "wait -i $spawn_id returned $k_stat (kadmin addpol)"

    catch "close -i $spawn_id"

    #

    # use kadmin.local to verify that a policy was created

    #

    envstack_push

    setup_kerberos_env kdc

    spawn $KADMIN_LOCAL -r $REALMNAME

    envstack_pop

    expect_after {

        -i $spawn_id

        timeout {

	    fail "kadmin addpol $pname"

	    catch "expect_after"

	    return 0

        }

        eof {

	    fail "kadmin addpol $pname"

	    catch "expect_after"

	    return 0

        }

    }

    set good 0

    expect "kadmin.local: " { send "getpol $pname\r" }

    expect "Policy: $pname" { set good 1 }

    expect "Maximum password life:" { verbose "got max pw life" }

    expect "Minimum password life:" { verbose "got min pw life" }

    expect "Minimum password length:" { verbose "got min pw length" }

    expect "Minimum number of password character classes:" {

        verbose "got min pw character classes" }

    expect "Number of old keys kept:" { verbose "got num old keys kept" }

    expect "kadmin.local: " { send "q\r" }

    expect_after

    expect eof

    set k_stat [wait -i $spawn_id]

    verbose "wait -i $spawn_id returned $k_stat (kadmin.local showpol)"

    catch "close -i $spawn_id"

    if { $good == 1 } {

        pass "kadmin addpol $pname"

        return 1

    }

    else {

        fail "kadmin addpol $pname"

        return 0

    }

}

#++

# kadmin_delpol	- Test delete policy function of kadmin.

#

# Deletes policy $pname.  Returns 1 on success.

#--

proc kadmin_delpol { pname } {

    global REALMNAME

    global KADMIN

    global KADMIN_LOCAL

    global KEY

    global spawn_id

    global tmppwd

    spawn $KADMIN -p krbtest/admin@$REALMNAME -q "delpol -force $pname"

    expect_after {

	"Cannot contact any KDC" {

	    fail "kadmin_delpol $pname lost KDC"

	    catch "expect_after"

	    return 0

	}

	timeout {

	    fail "kadmin delpol $pname"

	    catch "expect_after"

	    return 0

	}

	eof {

	    fail "kadmin delpol $pname"

	    catch "expect_after"

	    return 0

	}

    }

    expect -re "assword\[^\r\n\]*: *" {

	send "adminpass$KEY\r"

    }

    expect_after

    expect eof

    set k_stat [wait -i $spawn_id]

    verbose "wait -i $spawn_id returned $k_stat (kadmin delpol)"

    catch "close -i $spawn_id"

    #

    # use kadmin.local to verify that the old policy is not present.

    #

    envstack_push

    setup_kerberos_env kdc

    spawn $KADMIN_LOCAL -r $REALMNAME

    envstack_pop

    expect_after {

        -i $spawn_id

        timeout {

	    fail "kadmin delpol $pname"

	    catch "expect_after"

	    return 0

        }

        eof {

	    fail "kadmin delpol $pname"

	    catch "expect_after"

	    return 0

        }

    }

    set good 0

    expect "kadmin.local: " { send "getpol $pname\r" }

    expect "Policy does not exist while retrieving policy \"$pname\"." {

	set good 1

    }

    expect "kadmin.local: " { send "quit\r" }

    expect_after

    expect eof

    set k_stat [wait -i $spawn_id]

    verbose "wait -i $spawn_id returned $k_stat (kadmin.local showpol)"

    catch "close -i $spawn_id"

    if { $good == 1 } {

        pass "kadmin delpol $pname"

        return 1

    }

    else {

        fail "kadmin delpol $pname"

        return 0

    }

}

#++

# kadmin_listpols	- Test list policy database function of kadmin.

#

# Lists the policies.  Returns 1 on success.

#--

proc kadmin_listpols {  } {

    global REALMNAME

    global KADMIN

    global KEY

    global spawn_id

    spawn $KADMIN -p krbtest/admin@$REALMNAME -q "get_policies *"

    expect_after {

	"Cannot contact any KDC" {

	    fail "kadmin lpols lost KDC"

	    catch "expect_after"

	    return 0

	}

	timeout {

	    fail "kadmin lpols"

	    catch "expect_after"