author | Simo Sorce <simo@redhat.com> | 2015-11-10 23:14:56 -0500 |
committer | Robbie Harwood <rharwood@redhat.com> | 2015-12-01 17:54:08 -0500 |
commit | 664fe8357a20373a6d472525a8f8c68b3f3e0caf (patch) | |
tree | b692dea707e2466527e50206a123a8201c108547 | |
parent | e674f691ae0a9b2e7d2b2d2c3a745691efd469a1 (diff) | |
Add impersonate test
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Robbie Harwoood <rharwood@redhat.com>
-rw-r--r-- | .gitignore | 1 | ||||
-rw-r--r-- | proxy/tests/Makefile.am | 8 | ||||
-rwxr-xr-x | proxy/tests/runtests.py | 37 | ||||
-rw-r--r-- | proxy/tests/t_impersonate.c | 152 |
4 files changed, 198 insertions, 0 deletions
@@ -42,6 +42,7 @@ interposetest gssproxy.service t_accept t_acquire +t_impersonate t_init ar-lib compile
diff --git a/proxy/tests/Makefile.am b/proxy/tests/Makefile.am
index ad993cb..8aa840b 100644
--- a/proxy/tests/Makefile.am
+++ b/proxy/tests/Makefile.am
@@ -13,6 +13,13 @@ t_accept_SOURCES = \ t_accept_LDADD = \ $(GSSAPI_LIBS) +t_impersonate_SOURCES = \ + t_utils.c \ + t_impersonate.c + +t_impersonate_LDADD = \ + $(GSSAPI_LIBS) + t_init_SOURCES = \ t_utils.c \ t_init.c
@@ -22,6 +29,7 @@ t_init_LDADD = \ check_PROGRAMS = \ t_acquire \ + t_impersonate \ t_accept \ t_init
diff --git a/proxy/tests/runtests.py b/proxy/tests/runtests.py
index 9c8c206..c656269 100755
--- a/proxy/tests/runtests.py
+++ b/proxy/tests/runtests.py
@@ -498,6 +498,38 @@ def run_acquire_test(testdir, env, expected_failure=False): "Acquire test returned %s" % str(p1.returncode)) +def run_impersonate_test(testdir, env, expected_failure=False): + + logfile = open(os.path.join(testdir, 'testimpersonate.log'), 'a') + + svc_name = "host@%s" % WRAP_HOSTNAME + svc_keytab = os.path.join(testdir, SVC_KTNAME) + testenv = {'KRB5CCNAME': os.path.join(testdir, 't_impersonate_ccache'), + 'KRB5_KTNAME': svc_keytab, + 'KRB5_TRACE': os.path.join(testdir, 't_impersonate_trace.log'), + 'GSS_USE_PROXY': 'yes', + 'GSSPROXY_BEHAVIOR': 'REMOTE_FIRST'} + testenv.update(env) + + cmd = ["./tests/t_impersonate", USR_NAME, svc_name] + print("[COMMAND]\n%s\n[ENVIRONMENT]\n%s\n" % (cmd, env), file=logfile) + logfile.flush() + + p1 = subprocess.Popen(cmd, stderr=subprocess.STDOUT, stdout=logfile, + env=testenv, preexec_fn=os.setsid) + try: + p1.wait(30) + except subprocess.TimeoutExpired: + # p1.returncode is set to None here + pass + if p1.returncode != 0 and not expected_failure: + print_failure("SUCCESS" if p1.returncode == 0 else "FAILED", + "Impersonate test returned %s" % str(p1.returncode)) + else: + print_success("SUCCESS" if p1.returncode == 0 else "FAILED", + "Impersonate test returned %s" % str(p1.returncode)) + + if __name__ == '__main__': args = parse_args()
@@ -528,8 +560,13 @@ if __name__ == '__main__': time.sleep(5) #Give time to gssproxy to fully start up processes['GSS-Proxy(%d)' % gproc.pid] = gproc gssapienv['GSSPROXY_SOCKET'] = gpsocket + print("Testing basic acquire creds", file=sys.stderr) run_acquire_test(testdir, gssapienv) + + print("Testing impersonate creds", file=sys.stderr) + run_impersonate_test(testdir, gssapienv) + print("Testing basic init/accept context", file=sys.stderr) run_basic_test(testdir, gssapienv)
diff --git a/proxy/tests/t_impersonate.c b/proxy/tests/t_impersonate.c
new file mode 100644
index 0000000..1e54a2b
--- /dev/null
+++ b/proxy/tests/t_impersonate.c
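Review bot: In run_impersonate_test the `except subprocess.TimeoutExpired:` branch only does `pass`, so after the 30 s wait the t_impersonate child (started in its own session via `preexec_fn=os.setsid`) is left running and the test harness moves on while it still holds the log file; `p1.kill()` followed by `p1.wait()` in that branch reaps it, and the `logfile` handle opened with `open(...)` is never closed either, so a `with open(...) as logfile:` block around the body would be cleaner. The `[ENVIRONMENT]` line prints `env` rather than `testenv`, so the KRB5CCNAME, KRB5_KTNAME, KRB5_TRACE and GSSPROXY_BEHAVIOR values the process actually ran with are missing from testimpersonate.log; `print("[COMMAND]\n%s\n[ENVIRONMENT]\n%s\n" % (cmd, testenv), file=logfile)` records what was really used. The structure is presumably copied from run_acquire_test, whose body lies outside this hunk, so the same observations likely apply there.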
@@ -0,0 +1,152 @@ +/* Copyright (C) 2014 the GSS-PROXY contributors, see COPYING for license */ + +#include "t_utils.h" +#include <unistd.h> + +int main(int argc, const char *argv[]) +{ + char buffer[MAX_RPC_SIZE]; + uint32_t buflen; + gss_cred_id_t impersonator_cred_handle = GSS_C_NO_CREDENTIAL; + gss_cred_id_t user_cred_handle = GSS_C_NO_CREDENTIAL; + gss_cred_id_t cred_handle = GSS_C_NO_CREDENTIAL; + gss_ctx_id_t init_ctx = GSS_C_NO_CONTEXT; + gss_ctx_id_t accept_ctx = GSS_C_NO_CONTEXT; + gss_buffer_desc in_token = GSS_C_EMPTY_BUFFER; + gss_buffer_desc out_token = GSS_C_EMPTY_BUFFER; + gss_name_t user_name; + gss_name_t target_name; + gss_OID_set_desc oid_set = { 1, discard_const(gss_mech_krb5) }; + uint32_t ret_maj; + uint32_t ret_min; + uint32_t time_rec; + int ret = -1; + + if (argc != 3) return -1; + + ret = t_string_to_name(argv[1], &user_name, GSS_C_NT_USER_NAME); + if (ret) { + DEBUG("Failed to import user name from argv[1]\n"); + ret = -1; + goto done; + } + + ret = t_string_to_name(argv[2], &target_name, + GSS_C_NT_HOSTBASED_SERVICE); + if (ret) { + DEBUG("Failed to import server name from argv[2]\n"); + ret = -1; + goto done; + } + + ret_maj = gss_acquire_cred(&ret_min, + GSS_C_NO_NAME, + GSS_C_INDEFINITE, + &oid_set, + GSS_C_BOTH, + &impersonator_cred_handle, + NULL, NULL); + if (ret_maj != GSS_S_COMPLETE) { + DEBUG("gss_acquire_cred() failed\n"); + t_log_failure(GSS_C_NO_OID, ret_maj, ret_min); + ret = -1; + goto done; + } + + ret_maj = gss_acquire_cred_impersonate_name(&ret_min, + impersonator_cred_handle, + user_name, + GSS_C_INDEFINITE, + &oid_set, + GSS_C_INITIATE, + &user_cred_handle, + NULL, NULL); + if (ret_maj != GSS_S_COMPLETE) { + DEBUG("gss_acquire_cred_impersonate_name() failed\n"); + t_log_failure(GSS_C_NO_OID, ret_maj, ret_min); + ret = -1; + goto done; + } + + ret_maj = gss_init_sec_context(&ret_min, + user_cred_handle, + &init_ctx, + target_name, + GSS_C_NO_OID, + GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG, + 0, + 
GSS_C_NO_CHANNEL_BINDINGS, + &in_token, + NULL, + &out_token, + NULL, + NULL); + if (ret_maj != GSS_S_CONTINUE_NEEDED) { + DEBUG("gss_init_sec_context() failed\n"); + t_log_failure(GSS_C_NO_OID, ret_maj, ret_min); + ret = -1; + goto done; + } + + /* We get stuff from stdin and spit it out on stderr */ + if (!out_token.length) { + DEBUG("No output token ?"); + ret = -1; + goto done; + } + + /* in/out token inverted here intentionally */ + ret_maj = gss_accept_sec_context(&ret_min, + &accept_ctx, + GSS_C_NO_CREDENTIAL, + &out_token, + GSS_C_NO_CHANNEL_BINDINGS, + NULL, + NULL, + &in_token, + NULL, + NULL, + NULL); + if (ret_maj) { + DEBUG("Error accepting context\n"); + t_log_failure(GSS_C_NO_OID, ret_maj, ret_min); + ret = -1; + goto done; + } + + if (!in_token.length) { + DEBUG("No output token ?"); + ret = -1; + goto done; + } + + gss_release_buffer(&ret_min, &out_token); + + ret_maj = gss_init_sec_context(&ret_min, + user_cred_handle, + &init_ctx, + target_name, + GSS_C_NO_OID, + GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG, + 0, + GSS_C_NO_CHANNEL_BINDINGS, + &in_token, + NULL, + &out_token, + NULL, + NULL); + if (ret_maj) { + DEBUG("Error initializing context\n"); + t_log_failure(GSS_C_NO_OID, ret_maj, ret_min); + ret = -1; + goto done; + } + + ret = 0; + +done: + gss_release_buffer(&ret_min, &in_token); + gss_release_buffer(&ret_min, &out_token); + gss_release_cred(&ret_min, &cred_handle); + return ret; +} |
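Review bot: The `done:` cleanup at the end of main releases `cred_handle`, which is never acquired anywhere in the function (it stays GSS_C_NO_CREDENTIAL), while `impersonator_cred_handle` and `user_cred_handle` — the handles actually returned by gss_acquire_cred() and gss_acquire_cred_impersonate_name() — and the `init_ctx`/`accept_ctx` contexts and the two imported names are never released. For a test binary the leak is harmless, but freeing what was really acquired keeps the exit path honest and lets a leak checker run clean; `user_name` and `target_name` also need a GSS_C_NO_NAME initializer so releasing them is safe on the early `goto done` paths taken before t_string_to_name() succeeds. `buffer`, `buflen` and `time_rec` are declared but never used, and the comment `/* We get stuff from stdin and spit it out on stderr */` appears copied from another test since nothing here touches stdin; suggest dropping the unused locals and replacing it with `/* the first init leg must produce a token for the acceptor */`. The rewritten declarations and cleanup block follow.
```c
    gss_name_t user_name = GSS_C_NO_NAME;
    gss_name_t target_name = GSS_C_NO_NAME;
    /* … unchanged: argument import, credential acquisition, init/accept legs … */
done:
    gss_release_buffer(&ret_min, &in_token);
    gss_release_buffer(&ret_min, &out_token);
    gss_delete_sec_context(&ret_min, &init_ctx, GSS_C_NO_BUFFER);
    gss_delete_sec_context(&ret_min, &accept_ctx, GSS_C_NO_BUFFER);
    gss_release_cred(&ret_min, &user_cred_handle);
    gss_release_cred(&ret_min, &impersonator_cred_handle);
    gss_release_name(&ret_min, &user_name);
    gss_release_name(&ret_min, &target_name);
    return ret;
}
```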