authorSimo Sorce <simo@redhat.com>2015-11-10 23:14:56 -0500
committerRobbie Harwood <rharwood@redhat.com>2015-12-01 17:54:08 -0500
commit664fe8357a20373a6d472525a8f8c68b3f3e0caf (patch)
treeb692dea707e2466527e50206a123a8201c108547
parente674f691ae0a9b2e7d2b2d2c3a745691efd469a1 (diff)
Add impersonate test
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Robbie Harwoood <rharwood@redhat.com>
-rw-r--r--.gitignore1
-rw-r--r--proxy/tests/Makefile.am8
-rwxr-xr-xproxy/tests/runtests.py37
-rw-r--r--proxy/tests/t_impersonate.c152
4 files changed, 198 insertions, 0 deletions
diff --git a/.gitignore b/.gitignore
index a28bfab..bd885a1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -42,6 +42,7 @@ interposetest
gssproxy.service
t_accept
t_acquire
+t_impersonate
t_init
ar-lib
compile
diff --git a/proxy/tests/Makefile.am b/proxy/tests/Makefile.am
index ad993cb..8aa840b 100644
--- a/proxy/tests/Makefile.am
+++ b/proxy/tests/Makefile.am
@@ -13,6 +13,13 @@ t_accept_SOURCES = \
t_accept_LDADD = \
$(GSSAPI_LIBS)
+t_impersonate_SOURCES = \
+ t_utils.c \
+ t_impersonate.c
+
+t_impersonate_LDADD = \
+ $(GSSAPI_LIBS)
+
t_init_SOURCES = \
t_utils.c \
t_init.c
@@ -22,6 +29,7 @@ t_init_LDADD = \
check_PROGRAMS = \
t_acquire \
+ t_impersonate \
t_accept \
t_init
diff --git a/proxy/tests/runtests.py b/proxy/tests/runtests.py
index 9c8c206..c656269 100755
--- a/proxy/tests/runtests.py
+++ b/proxy/tests/runtests.py
@@ -498,6 +498,38 @@ def run_acquire_test(testdir, env, expected_failure=False):
"Acquire test returned %s" % str(p1.returncode))
+def run_impersonate_test(testdir, env, expected_failure=False):
+
+ logfile = open(os.path.join(testdir, 'testimpersonate.log'), 'a')
+
+ svc_name = "host@%s" % WRAP_HOSTNAME
+ svc_keytab = os.path.join(testdir, SVC_KTNAME)
+ testenv = {'KRB5CCNAME': os.path.join(testdir, 't_impersonate_ccache'),
+ 'KRB5_KTNAME': svc_keytab,
+ 'KRB5_TRACE': os.path.join(testdir, 't_impersonate_trace.log'),
+ 'GSS_USE_PROXY': 'yes',
+ 'GSSPROXY_BEHAVIOR': 'REMOTE_FIRST'}
+ testenv.update(env)
+
+ cmd = ["./tests/t_impersonate", USR_NAME, svc_name]
+ print("[COMMAND]\n%s\n[ENVIRONMENT]\n%s\n" % (cmd, env), file=logfile)
+ logfile.flush()
+
+ p1 = subprocess.Popen(cmd, stderr=subprocess.STDOUT, stdout=logfile,
+ env=testenv, preexec_fn=os.setsid)
+ try:
+ p1.wait(30)
+ except subprocess.TimeoutExpired:
+ # p1.returncode is set to None here
+ pass
+ if p1.returncode != 0 and not expected_failure:
+ print_failure("SUCCESS" if p1.returncode == 0 else "FAILED",
+ "Impersonate test returned %s" % str(p1.returncode))
+ else:
+ print_success("SUCCESS" if p1.returncode == 0 else "FAILED",
+ "Impersonate test returned %s" % str(p1.returncode))
+
+
if __name__ == '__main__':
args = parse_args()
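Review bot: When `p1.wait(30)` raises TimeoutExpired the child is left running — it was started with `preexec_fn=os.setsid` in its own session — and the handler only passes, after which `p1.returncode` is None and the comparison on the next line reports the test as FAILED with "returned None" while the hung t_impersonate keeps going. The handler should terminate the process before falling through, e.g. `except subprocess.TimeoutExpired:` / `    p1.kill()` / `    p1.wait()`. The log file opened at the top of run_impersonate_test is never closed; wrapping the body in `with open(os.path.join(testdir, 'testimpersonate.log'), 'a') as logfile:` (or closing it after the wait) avoids leaking a descriptor per test run. The [COMMAND] line records `env` rather than the `testenv` actually passed to Popen, so the KRB5CCNAME/KRB5_KTNAME/GSSPROXY_BEHAVIOR values the test ran with are not in the log — presumably it mirrors run_acquire_test, whose body lies outside the hunk, but it makes a failed run harder to reconstruct.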
@@ -528,8 +560,13 @@ if __name__ == '__main__':
time.sleep(5) #Give time to gssproxy to fully start up
processes['GSS-Proxy(%d)' % gproc.pid] = gproc
gssapienv['GSSPROXY_SOCKET'] = gpsocket
+
print("Testing basic acquire creds", file=sys.stderr)
run_acquire_test(testdir, gssapienv)
+
+ print("Testing impersonate creds", file=sys.stderr)
+ run_impersonate_test(testdir, gssapienv)
+
print("Testing basic init/accept context", file=sys.stderr)
run_basic_test(testdir, gssapienv)
diff --git a/proxy/tests/t_impersonate.c b/proxy/tests/t_impersonate.c
new file mode 100644
index 0000000..1e54a2b
--- /dev/null
+++ b/proxy/tests/t_impersonate.c
@@ -0,0 +1,152 @@
+/* Copyright (C) 2014 the GSS-PROXY contributors, see COPYING for license */
+
+#include "t_utils.h"
+#include <unistd.h>
+
+int main(int argc, const char *argv[])
+{
+ char buffer[MAX_RPC_SIZE];
+ uint32_t buflen;
+ gss_cred_id_t impersonator_cred_handle = GSS_C_NO_CREDENTIAL;
+ gss_cred_id_t user_cred_handle = GSS_C_NO_CREDENTIAL;
+ gss_cred_id_t cred_handle = GSS_C_NO_CREDENTIAL;
+ gss_ctx_id_t init_ctx = GSS_C_NO_CONTEXT;
+ gss_ctx_id_t accept_ctx = GSS_C_NO_CONTEXT;
+ gss_buffer_desc in_token = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc out_token = GSS_C_EMPTY_BUFFER;
+ gss_name_t user_name;
+ gss_name_t target_name;
+ gss_OID_set_desc oid_set = { 1, discard_const(gss_mech_krb5) };
+ uint32_t ret_maj;
+ uint32_t ret_min;
+ uint32_t time_rec;
+ int ret = -1;
+
+ if (argc != 3) return -1;
+
+ ret = t_string_to_name(argv[1], &user_name, GSS_C_NT_USER_NAME);
+ if (ret) {
+ DEBUG("Failed to import user name from argv[1]\n");
+ ret = -1;
+ goto done;
+ }
+
+ ret = t_string_to_name(argv[2], &target_name,
+ GSS_C_NT_HOSTBASED_SERVICE);
+ if (ret) {
+ DEBUG("Failed to import server name from argv[2]\n");
+ ret = -1;
+ goto done;
+ }
+
+ ret_maj = gss_acquire_cred(&ret_min,
+ GSS_C_NO_NAME,
+ GSS_C_INDEFINITE,
+ &oid_set,
+ GSS_C_BOTH,
+ &impersonator_cred_handle,
+ NULL, NULL);
+ if (ret_maj != GSS_S_COMPLETE) {
+ DEBUG("gss_acquire_cred() failed\n");
+ t_log_failure(GSS_C_NO_OID, ret_maj, ret_min);
+ ret = -1;
+ goto done;
+ }
+
+ ret_maj = gss_acquire_cred_impersonate_name(&ret_min,
+ impersonator_cred_handle,
+ user_name,
+ GSS_C_INDEFINITE,
+ &oid_set,
+ GSS_C_INITIATE,
+ &user_cred_handle,
+ NULL, NULL);
+ if (ret_maj != GSS_S_COMPLETE) {
+ DEBUG("gss_acquire_cred_impersonate_name() failed\n");
+ t_log_failure(GSS_C_NO_OID, ret_maj, ret_min);
+ ret = -1;
+ goto done;
+ }
+
+ ret_maj = gss_init_sec_context(&ret_min,
+ user_cred_handle,
+ &init_ctx,
+ target_name,
+ GSS_C_NO_OID,
+ GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG,
+ 0,
+ GSS_C_NO_CHANNEL_BINDINGS,
+ &in_token,
+ NULL,
+ &out_token,
+ NULL,
+ NULL);
+ if (ret_maj != GSS_S_CONTINUE_NEEDED) {
+ DEBUG("gss_init_sec_context() failed\n");
+ t_log_failure(GSS_C_NO_OID, ret_maj, ret_min);
+ ret = -1;
+ goto done;
+ }
+
+ /* We get stuff from stdin and spit it out on stderr */
+ if (!out_token.length) {
+ DEBUG("No output token ?");
+ ret = -1;
+ goto done;
+ }
+
+ /* in/out token inverted here intentionally */
+ ret_maj = gss_accept_sec_context(&ret_min,
+ &accept_ctx,
+ GSS_C_NO_CREDENTIAL,
+ &out_token,
+ GSS_C_NO_CHANNEL_BINDINGS,
+ NULL,
+ NULL,
+ &in_token,
+ NULL,
+ NULL,
+ NULL);
+ if (ret_maj) {
+ DEBUG("Error accepting context\n");
+ t_log_failure(GSS_C_NO_OID, ret_maj, ret_min);
+ ret = -1;
+ goto done;
+ }
+
+ if (!in_token.length) {
+ DEBUG("No output token ?");
+ ret = -1;
+ goto done;
+ }
+
+ gss_release_buffer(&ret_min, &out_token);
+
+ ret_maj = gss_init_sec_context(&ret_min,
+ user_cred_handle,
+ &init_ctx,
+ target_name,
+ GSS_C_NO_OID,
+ GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG,
+ 0,
+ GSS_C_NO_CHANNEL_BINDINGS,
+ &in_token,
+ NULL,
+ &out_token,
+ NULL,
+ NULL);
+ if (ret_maj) {
+ DEBUG("Error initializing context\n");
+ t_log_failure(GSS_C_NO_OID, ret_maj, ret_min);
+ ret = -1;
+ goto done;
+ }
+
+ ret = 0;
+
+done:
+ gss_release_buffer(&ret_min, &in_token);
+ gss_release_buffer(&ret_min, &out_token);
+ gss_release_cred(&ret_min, &cred_handle);
+ return ret;
+}
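Review bot: The `done:` cleanup releases `cred_handle`, which is never acquired and stays GSS_C_NO_CREDENTIAL, while the two credentials the test actually obtains — `impersonator_cred_handle` from gss_acquire_cred (GSS_C_BOTH) and `user_cred_handle` from gss_acquire_cred_impersonate_name — are never released; the release line should become `gss_release_cred(&ret_min, &impersonator_cred_handle);` and `gss_release_cred(&ret_min, &user_cred_handle);`. The security contexts `init_ctx` and `accept_ctx` are likewise never freed (gss_delete_sec_context with GSS_C_NO_BUFFER before returning), and `user_name`/`target_name` are never passed to gss_release_name; if those are added, both names need to start as GSS_C_NO_NAME because the early `goto done` after a failed t_string_to_name leaves them uninitialized. `buffer`, `buflen` and, once the releases are corrected, `cred_handle` are unused and can be dropped. The two `DEBUG("No output token ?")` messages lack the trailing newline the other DEBUG calls in this file use.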