/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/* tests/kdbtest.c - test program to exercise KDB modules */
/*
 * Copyright (C) 2012 by the Massachusetts Institute of Technology.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * * Redistributions of source code must retain the above copyright
 *   notice, this list of conditions and the following disclaimer.
 *
 * * Redistributions in binary form must reproduce the above copyright
 *   notice, this list of conditions and the following disclaimer in
 *   the documentation and/or other materials provided with the
 *   distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
 * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 */

/*
 * This test program uses libkdb5 APIs to exercise as much of the LDAP and DB2
 * back ends as possible.  It is a fixture-driven round-trip test: it stores
 * hard-coded policy and principal records, reads them back, and aborts on the
 * first field that does not survive the trip.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include <krb5.h>
#include <kadm5/admin.h>
/* Library context shared by every helper in this file; created once in
 * main() with KRB5_INIT_CONTEXT_KDC and freed at the end. */
static krb5_context ctx;

/* Abort the test (via check()) if a krb5 call returns a nonzero error code,
 * reporting the source line of the failing call. */
#define CHECK(code) check(code, __LINE__)
/* Abort the test (via check_cond()) if a condition is false, reporting the
 * source line of the failing assertion. */
#define CHECK_COND(val) check_cond(val, __LINE__)
/*
 * Abort the test with exit status 1 if code is a krb5 error, printing the
 * offending source line and the library's message for the code.  A zero
 * code is a no-op.  lineno is supplied by the CHECK() macro.
 */
static void
check(krb5_error_code code, int lineno)
{
    const char *msg;

    if (code == 0)
        return;

    msg = krb5_get_error_message(ctx, code);
    fprintf(stderr, "Unexpected error at line %d: %s\n", lineno, msg);
    krb5_free_error_message(ctx, msg);
    exit(1);
}
/*
 * Abort the test with exit status 1 if value is false, naming the source
 * line of the failed assertion.  lineno is supplied by the CHECK_COND()
 * macro.
 */
static void
check_cond(int value, int lineno)
{
    if (value)
        return;

    fprintf(stderr, "Unexpected result at line %d\n", lineno);
    exit(1);
}
/*
 * The two name components of the test principal.  Both deliberately contain
 * characters ('*', '(', ')', backslash, '#', '"', ',', ';', '<', '>', '+',
 * space) that presumably need escaping in the LDAP back end's DNs and search
 * filters.  The explicit lengths (6 and 12) must match the literals exactly.
 */
static krb5_data princ_data[2] = {
    { KV5M_DATA, 6, "xy*(z)" },
    { KV5M_DATA, 12, "+<> *()\\#\",;" }
};
/*
 * The principal exercised by the test: the two princ_data components in
 * realm KRBTEST.COM with an unknown name type.  Built statically so it can
 * be referenced from sample_entry and from main() without krb5_parse_name.
 */
static krb5_principal_data sample_princ = {
    KV5M_PRINCIPAL,
    { KV5M_DATA, 11, "KRBTEST.COM" },
    princ_data, 2, KRB5_NT_UNKNOWN
};
/*
 * Same components as sample_princ but in realm KRBTEST2.COM.  It is never
 * stored; main() only looks it up to confirm that a different realm yields
 * KRB5_KDB_NOENTRY instead of matching sample_princ.
 */
static krb5_principal_data xrealm_princ = {
    KV5M_PRINCIPAL,
    { KV5M_DATA, 12, "KRBTEST2.COM" },
    princ_data, 2, KRB5_NT_UNKNOWN
};
#define U(x) (unsigned char *)x
/*
 * Five tl-data items chained tl1 -> tl2 -> tl3 -> tl4 -> tl5 -> NULL (defined
 * in reverse order so each initializer can take the address of the next).
 * sample_entry's n_tl_data of 5 must match this chain.  tl1 through tl4 are
 * normalized to attributes in the LDAP back end.  tl5 is stored as
 * untranslated tl-data.  tl3 contains an encoded osa_princ_ent with a policy
 * reference to "<test*>".  check_entry() compares each item's bytes verbatim
 * after the round trip; nothing here is decoded by this file.
 */
/* Master key version number, two opaque bytes. */
static krb5_tl_data tl5 = { NULL, KRB5_TL_MKVNO, 2, U("\0\1") };
/* Last admin unlock time; main()'s lockout scenario treats this as time 6
 * (presumably a little-endian 32-bit timestamp -- verify against kdb). */
static krb5_tl_data tl4 = { &tl5, KRB5_TL_LAST_ADMIN_UNLOCK, 4,
                            U("\6\0\0\0") };
/* Encoded osa_princ_ent: bytes 8-15 spell "<test*>" plus a NUL, which must
 * equal polname.  The leading bytes are presumably the encoding header and
 * the policy-name length (8); compare with tl_no_policy, which zeroes them. */
static krb5_tl_data tl3 = { &tl4, KRB5_TL_KADM_DATA, 32,
                            U("\x12\x34\x5C\x01\x00\x00\x00\x08"
                              "\x3C\x74\x65\x73\x74\x2A\x3E\x00"
                              "\x00\x00\x08\x00\x00\x00\x00\x00"
                              "\x00\x00\x00\x00\x00\x00\x00\x00") };
/* Modifying principal: presumably a 4-byte timestamp followed by the
 * NUL-terminated principal name "x@Y". */
static krb5_tl_data tl2 = { &tl3, KRB5_TL_MOD_PRINC, 8, U("\5\6\7\0x@Y\0") };
/* Last password change time, four opaque bytes. */
static krb5_tl_data tl1 = { &tl2, KRB5_TL_LAST_PWD_CHANGE, 4, U("\1\2\3\4") };
/* An encoded osa_princ_ent with no policy reference: same layout as tl3 but
 * with the policy-name length and name bytes zeroed (presumably; the
 * encoding is not decoded in this file).  main() installs it over tl3 with
 * KADM5_POLICY_CLR to exercise clearing a policy reference in the LDAP back
 * end.  It is a standalone item (tl_data_next is NULL). */
static krb5_tl_data tl_no_policy = { NULL, KRB5_TL_KADM_DATA, 24,
                                     U("\x12\x34\x5C\x01\x00\x00\x00\x00"
                                       "\x00\x00\x00\x00\x00\x00\x00\x00"
                                       "\x00\x00\x00\x02\x00\x00\x00\x00") };
/*
 * Key data for sample_entry.  key_data_ver 2 means each entry carries two
 * (type, length, contents) slots: the key itself and its salt.  The key
 * bytes are fixed test fixtures, not real secrets; the back end stores them
 * and check_entry() compares them byte for byte -- nothing in this file
 * decrypts or otherwise uses them as cryptographic keys.
 */
static krb5_key_data keys[] = {
    {
        2, /* key_data_ver */
        2, /* key_data_kvno */
        /* 32-byte aes256-cts-hmac-sha1-96 key with a 7-byte "special" salt
         * ("expsalt"); the lengths below must match the literals. */
        { ENCTYPE_AES256_CTS_HMAC_SHA1_96, KRB5_KDB_SALTTYPE_SPECIAL },
        { 32, 7 },
        { U("\x17\xF2\x75\xF2\x95\x4F\x2E\xD1"
            "\xF9\x0C\x37\x7B\xA7\xF4\xD6\xA3"
            "\x69\xAA\x01\x36\xE0\xBF\x0C\x92"
            "\x7A\xD6\x13\x3C\x69\x37\x59\xA9"),
          U("expsalt") }
    },
    {
        2, /* key_data_ver */
        2, /* key_data_kvno */
        /* 16-byte aes128-cts-hmac-sha1-96 key with salt type 0 and no salt
         * bytes (length 0, NULL contents). */
        { ENCTYPE_AES128_CTS_HMAC_SHA1_96, 0 },
        { 16, 0 },
        { U("\xDC\xEE\xB7\x0B\x3D\xE7\x65\x62"
            "\xE6\x89\x22\x6C\x76\x42\x91\x48"),
          NULL }
    }
};
#undef U
static char polname[] = "<test*>";
/*
 * The principal entry stored by main() and compared by check_entry().
 * Positional initializer in krb5_db_entry field order (see the per-field
 * comments).  n_tl_data (5) must match the tl1..tl5 chain and n_key_data (2)
 * the keys[] array; the mask names every field the back end is asked to
 * persist, including the policy reference carried in tl3.  The time values
 * are arbitrary fixture numbers, not real timestamps.
 */
static krb5_db_entry sample_entry = {
    0,                       /* first field -- presumably magic; verify */
    KRB5_KDB_V1_BASE_LENGTH, /* second field -- presumably len; verify */
    /* mask */
    KADM5_PRINCIPAL | KADM5_PRINC_EXPIRE_TIME | KADM5_PW_EXPIRATION |
    KADM5_ATTRIBUTES | KADM5_MAX_LIFE | KADM5_POLICY | KADM5_MAX_RLIFE |
    KADM5_LAST_SUCCESS | KADM5_LAST_FAILED | KADM5_FAIL_AUTH_COUNT |
    KADM5_KEY_DATA | KADM5_TL_DATA,
    /* attributes (flag bits, round-tripped verbatim) */
    KRB5_KDB_REQUIRES_PRE_AUTH | KRB5_KDB_REQUIRES_HW_AUTH |
    KRB5_KDB_DISALLOW_SVR,
    1234, /* max_life */
    5678, /* max_renewable_life */
    9012, /* expiration */
    3456, /* pw_expiration */
    /* Lockout starting state for main()'s scenario (together with the
     * last-admin-unlock time 6 carried in tl4). */
    1, /* last_success */
    5, /* last_failed */
    2, /* fail_auth_count */
    5, /* n_tl_data */
    2, /* n_key_data */
    0, NULL, /* e_length, e_data */
    &sample_princ, /* princ */
    &tl1, /* tl_data: head of the tl1..tl5 chain */
    keys /* key_data */
};
/*
 * The password policy stored by main() under polname and compared by
 * check_policy().  Positional initializer in osa_policy_ent_rec field order
 * (see the per-field comments).  pw_max_fail 2, pw_failcnt_interval 60 and
 * pw_lockout_duration 120 are the parameters main()'s lockout scenario is
 * written against; changing them changes that scenario's expected counts.
 */
static osa_policy_ent_rec sample_policy = {
    0, /* version */
    polname, /* name */
    1357, /* pw_min_life */
    100, /* pw_max_life */
    6, /* pw_min_length (main() decrements and re-reads this) */
    2, /* pw_min_classes */
    3, /* pw_history_num */
    0, /* policy_refcnt (not compared; presumably maintained by the back end) */
    2, /* pw_max_fail */
    60, /* pw_failcnt_interval */
    120, /* pw_lockout_duration */
    0, /* attributes */
    2468, /* max_life */
    3579, /* max_renewable_life */
    "aes", /* allowed_keysalts */
    0, NULL /* n_tl_data, tl_data */
};
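/*
 * Compare a policy fetched from the back end against sample_policy, aborting
 * on the first mismatch.  Every field set in sample_policy is compared
 * except policy_refcnt (presumably maintained by the back end) and the
 * tl-data.  String fields are checked for NULL first so a back end that
 * drops them produces a line number instead of a crash in strcmp().
 */
static void
check_policy(osa_policy_ent_t pol)
{
    CHECK_COND(pol->name != NULL);
    CHECK_COND(strcmp(pol->name, sample_policy.name) == 0);
    CHECK_COND(pol->pw_min_life == sample_policy.pw_min_life);
    CHECK_COND(pol->pw_max_life == sample_policy.pw_max_life);
    CHECK_COND(pol->pw_min_length == sample_policy.pw_min_length);
    CHECK_COND(pol->pw_min_classes == sample_policy.pw_min_classes);
    CHECK_COND(pol->pw_history_num == sample_policy.pw_history_num);
    /* The lockout parameters must survive the round trip intact: main()'s
     * lockout scenario depends on pw_max_fail.  (This line used to repeat
     * the pw_max_life comparison, leaving pw_max_fail unchecked.) */
    CHECK_COND(pol->pw_max_fail == sample_policy.pw_max_fail);
    CHECK_COND(pol->pw_failcnt_interval == sample_policy.pw_failcnt_interval);
    CHECK_COND(pol->pw_lockout_duration == sample_policy.pw_lockout_duration);
    CHECK_COND(pol->attributes == sample_policy.attributes);
    CHECK_COND(pol->max_life == sample_policy.max_life);
    CHECK_COND(pol->max_renewable_life == sample_policy.max_renewable_life);
    CHECK_COND(pol->allowed_keysalts != NULL);
    CHECK_COND(strcmp(pol->allowed_keysalts,
                      sample_policy.allowed_keysalts) == 0);
}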
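/*
 * Compare an entry fetched from the back end against sample_entry, aborting
 * on the first mismatch.  Scalar fields and the principal are compared
 * directly; every key_data slot (key and salt) is compared byte for byte;
 * and each tl-data item in sample_entry's chain must be retrievable from
 * ent with identical length and contents.  Extra tl-data on ent is not an
 * error, and e_data is not compared.
 */
static void
check_entry(krb5_db_entry *ent)
{
    krb5_int16 i, j;
    krb5_key_data *k1, *k2;
    krb5_tl_data *tl, etl;

    CHECK_COND(ent->attributes == sample_entry.attributes);
    CHECK_COND(ent->max_life == sample_entry.max_life);
    CHECK_COND(ent->max_renewable_life == sample_entry.max_renewable_life);
    CHECK_COND(ent->expiration == sample_entry.expiration);
    CHECK_COND(ent->pw_expiration == sample_entry.pw_expiration);
    CHECK_COND(ent->last_success == sample_entry.last_success);
    CHECK_COND(ent->last_failed == sample_entry.last_failed);
    CHECK_COND(ent->fail_auth_count == sample_entry.fail_auth_count);
    CHECK_COND(krb5_principal_compare(ctx, ent->princ, sample_entry.princ));
    CHECK_COND(ent->n_key_data == sample_entry.n_key_data);
    for (i = 0; i < ent->n_key_data; i++) {
        k1 = &ent->key_data[i];
        k2 = &sample_entry.key_data[i];
        CHECK_COND(k1->key_data_ver == k2->key_data_ver);
        CHECK_COND(k1->key_data_kvno == k2->key_data_kvno);
        for (j = 0; j < k1->key_data_ver; j++) {
            CHECK_COND(k1->key_data_type[j] == k2->key_data_type[j]);
            CHECK_COND(k1->key_data_length[j] == k2->key_data_length[j]);
            /* A zero-length slot (the second key's absent salt) has NULL
             * contents in the fixture.  Skip memcmp rather than pass it a
             * NULL pointer, which is undefined even with length 0. */
            if (k1->key_data_length[j] == 0)
                continue;
            CHECK_COND(k1->key_data_contents[j] != NULL);
            CHECK_COND(memcmp(k1->key_data_contents[j],
                              k2->key_data_contents[j],
                              k1->key_data_length[j]) == 0);
        }
    }
    for (tl = sample_entry.tl_data; tl != NULL; tl = tl->tl_data_next) {
        /* Only tl_data_type is input to the lookup; zero the rest so a lookup
         * that leaves them untouched cannot yield an uninitialized length. */
        memset(&etl, 0, sizeof(etl));
        etl.tl_data_type = tl->tl_data_type;
        CHECK(krb5_dbe_lookup_tl_data(ctx, ent, &etl));
        CHECK_COND(tl->tl_data_length == etl.tl_data_length);
        CHECK_COND(memcmp(tl->tl_data_contents, etl.tl_data_contents,
                          tl->tl_data_length) == 0);
    }
}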
/*
 * Record one preauth attempt for *entp at time authtime through the back
 * end's AS-request audit hook -- a success when ok is true, otherwise a
 * KRB5KDC_ERR_PREAUTH_FAILED -- so the back end updates its lockout
 * bookkeeping.  *entp is then freed and replaced by a fresh fetch of
 * sample_princ (not of (*entp)->princ), so callers must pass the entry for
 * sample_princ.  Aborts the test if the re-fetch fails.
 */
static void
sim_preauth(krb5_timestamp authtime, krb5_boolean ok, krb5_db_entry **entp)
{
    krb5_error_code outcome = 0;

    if (!ok)
        outcome = KRB5KDC_ERR_PREAUTH_FAILED;

    /* Both back ends ignore the request, local_addr, and remote_addr
     * parameters for now, so NULL is passed for all three. */
    krb5_db_audit_as_req(ctx, NULL, NULL, NULL, *entp, *entp, authtime,
                         outcome);
    krb5_db_free_principal(ctx, *entp);
    CHECK(krb5_db_get_principal(ctx, &sample_princ, 0, entp));
}
/*
 * krb5_db_iterate callback.  Every entry visited must be sample_princ
 * (main() filters the iteration to "xy*", so nothing else should appear);
 * data points at an int counter incremented once per visited entry.
 * Always returns 0 so iteration continues.
 */
static krb5_error_code
iter_princ_handler(void *data, krb5_db_entry *ent)
{
    int *visited = data;

    CHECK_COND(krb5_principal_compare(ctx, ent->princ, sample_entry.princ));
    *visited += 1;
    return 0;
}
/*
 * krb5_db_iter_policy callback.  Every policy visited must be named
 * sample_policy.name (the only policy the test creates); data points at an
 * int counter incremented once per visited policy.
 */
static void
iter_pol_handler(void *data, osa_policy_ent_t pol)
{
    int *visited = data;

    CHECK_COND(strcmp(pol->name, sample_policy.name) == 0);
    *visited += 1;
}
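/*
 * Drive the configured KDB back end through its lifecycle and through
 * policy, principal, lockout, and iteration operations, aborting (via
 * CHECK/CHECK_COND) on the first unexpected result.  Which back end runs is
 * decided by the KDC profile loaded by krb5_init_context_profile.  Returns 0
 * only if every check passed.
 */
int
main(void)
{
    krb5_db_entry *ent;
    osa_policy_ent_t pol;
    krb5_pa_data **e_data = NULL;
    const char *status = NULL;
    int count;

    CHECK(krb5_init_context_profile(NULL, KRB5_INIT_CONTEXT_KDC, &ctx));

    /* Database lifecycle: krb5_db_inited() must report "not initialized"
     * (nonzero) before create/open and again after fini, and success (zero)
     * while a database is open. */
    CHECK_COND(krb5_db_inited(ctx) != 0);
    CHECK(krb5_db_create(ctx, NULL));
    CHECK(krb5_db_inited(ctx));
    CHECK(krb5_db_fini(ctx));
    CHECK_COND(krb5_db_inited(ctx) != 0);

    CHECK_COND(krb5_db_inited(ctx) != 0);
    CHECK(krb5_db_open(ctx, NULL, KRB5_KDB_OPEN_RW | KRB5_KDB_SRV_TYPE_ADMIN));
    CHECK(krb5_db_inited(ctx));

    /* Manipulate a policy, leaving it in place at the end.  put/delete on a
     * nonexistent policy must fail, and get must report KRB5_KDB_NOENTRY. */
    CHECK_COND(krb5_db_put_policy(ctx, &sample_policy) != 0);
    CHECK_COND(krb5_db_delete_policy(ctx, polname) != 0);
    CHECK_COND(krb5_db_get_policy(ctx, polname, &pol) == KRB5_KDB_NOENTRY);
    CHECK(krb5_db_create_policy(ctx, &sample_policy));
    /* Creating an existing policy must fail. */
    CHECK_COND(krb5_db_create_policy(ctx, &sample_policy) != 0);
    CHECK(krb5_db_get_policy(ctx, polname, &pol));
    check_policy(pol);
    /* Modify one field through put_policy and confirm it persisted. */
    pol->pw_min_length--;
    CHECK(krb5_db_put_policy(ctx, pol));
    krb5_db_free_policy(ctx, pol);
    CHECK(krb5_db_get_policy(ctx, polname, &pol));
    CHECK_COND(pol->pw_min_length == sample_policy.pw_min_length - 1);
    krb5_db_free_policy(ctx, pol);
    CHECK(krb5_db_delete_policy(ctx, polname));
    CHECK_COND(krb5_db_put_policy(ctx, &sample_policy) != 0);
    CHECK_COND(krb5_db_delete_policy(ctx, polname) != 0);
    CHECK_COND(krb5_db_get_policy(ctx, polname, &pol) == KRB5_KDB_NOENTRY);
    CHECK(krb5_db_create_policy(ctx, &sample_policy));
    count = 0;
    CHECK(krb5_db_iter_policy(ctx, NULL, iter_pol_handler, &count));
    CHECK_COND(count == 1);

    /* Create a principal.  It must not exist yet, and the same name in
     * another realm must not match it. */
    CHECK_COND(krb5_db_delete_principal(ctx, &sample_princ) ==
               KRB5_KDB_NOENTRY);
    CHECK_COND(krb5_db_get_principal(ctx, &xrealm_princ, 0, &ent) ==
               KRB5_KDB_NOENTRY);
    CHECK(krb5_db_put_principal(ctx, &sample_entry));
    /* Putting again will fail with LDAP (due to KADM5_PRINCIPAL in mask)
     * but succeed with DB2, so don't check the result. */
    (void)krb5_db_put_principal(ctx, &sample_entry);
    /* But it should succeed in both back ends with KADM5_LOAD in mask. */
    sample_entry.mask |= KADM5_LOAD;
    CHECK(krb5_db_put_principal(ctx, &sample_entry));
    sample_entry.mask &= ~KADM5_LOAD;
    /* Fetch and compare the added principal. */
    CHECK(krb5_db_get_principal(ctx, &sample_princ, 0, &ent));
    check_entry(ent);

    /* We can't set up a successful allowed-to-delegate check through existing
     * APIs yet, but we can make a failed check. */
    CHECK_COND(krb5_db_check_allowed_to_delegate(ctx, &sample_princ, ent,
                                                 &sample_princ) != 0);

    /* Exercise lockout code. */
    /* Policy params: max_fail 2, failcnt_interval 60, lockout_duration 120 */
    /* Initial state: last_success 1, last_failed 5, fail_auth_count 2,
     * last admin unlock 6 */
    /* The status and e_data outputs of krb5_db_check_policy_as are not
     * inspected by this test; NOTE(review): nothing here frees e_data, which
     * is fine only as long as the back ends never allocate it on these
     * paths -- not verifiable from this file. */
    /* Check succeeds due to last admin unlock. */
    CHECK(krb5_db_check_policy_as(ctx, NULL, ent, ent, 7, &status, &e_data));
    /* Failure count resets to 1 due to last admin unlock. */
    sim_preauth(8, FALSE, &ent);
    CHECK_COND(ent->fail_auth_count == 1 && ent->last_failed == 8);
    /* Failure count resets to 1 due to failcnt_interval */
    sim_preauth(70, FALSE, &ent);
    CHECK_COND(ent->fail_auth_count == 1 && ent->last_failed == 70);
    /* Failure count resets to 0 due to successful preauth. */
    sim_preauth(75, TRUE, &ent);
    CHECK_COND(ent->fail_auth_count == 0 && ent->last_success == 75);
    /* Failure count increments to 2 (max_fail) and then stops incrementing;
     * last_failed also stops advancing once the cap is reached. */
    sim_preauth(80, FALSE, &ent);
    CHECK_COND(ent->fail_auth_count == 1 && ent->last_failed == 80);
    sim_preauth(100, FALSE, &ent);
    CHECK_COND(ent->fail_auth_count == 2 && ent->last_failed == 100);
    sim_preauth(110, FALSE, &ent);
    CHECK_COND(ent->fail_auth_count == 2 && ent->last_failed == 100);
    /* Check fails due to reaching maximum failure count (170 is within
     * lockout_duration of the last failure at 100). */
    CHECK_COND(krb5_db_check_policy_as(ctx, NULL, ent, ent, 170, &status,
                                       &e_data) == KRB5KDC_ERR_CLIENT_REVOKED);
    /* Check succeeds after lockout_duration has passed (230 > 100 + 120). */
    CHECK(krb5_db_check_policy_as(ctx, NULL, ent, ent, 230, &status, &e_data));
    /* Failure count resets to 1 on next failure. */
    sim_preauth(240, FALSE, &ent);
    CHECK_COND(ent->fail_auth_count == 1 && ent->last_failed == 240);

    /* Exercise LDAP code to clear a policy reference and to set the key
     * data on an existing principal. */
    CHECK(krb5_dbe_update_tl_data(ctx, ent, &tl_no_policy));
    ent->mask = KADM5_POLICY_CLR | KADM5_KEY_DATA;
    CHECK(krb5_db_put_principal(ctx, ent));
    CHECK(krb5_db_delete_policy(ctx, polname));

    /* Put the modified entry again (with KDB_TL_USER_INFO tl-data for LDAP) as
     * from a load operation. */
    ent->mask = (sample_entry.mask & ~KADM5_POLICY) | KADM5_LOAD;
    CHECK(krb5_db_put_principal(ctx, ent));

    /* Exercise LDAP code to create a new principal at a DN from
     * KDB_TL_USER_INFO tl-data. */
    CHECK(krb5_db_delete_principal(ctx, &sample_princ));
    CHECK(krb5_db_put_principal(ctx, ent));
    krb5_db_free_principal(ctx, ent);

    /* Exercise principal iteration code.  The "xy*" filter should select
     * only sample_princ; iter_princ_handler asserts that for every entry it
     * is handed, and exactly one entry must be visited. */
    count = 0;
    CHECK(krb5_db_iterate(ctx, "xy*", iter_princ_handler, &count, 0));
    CHECK_COND(count == 1);

    CHECK(krb5_db_fini(ctx));
    CHECK_COND(krb5_db_inited(ctx) != 0);

    /* It might be nice to exercise krb5_db_destroy here, but the LDAP module
     * doesn't support it. */

    krb5_free_context(ctx);
    return 0;
}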