summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* Add more impersonation testsallow_s4u2sSimo Sorce2017-01-133-46/+244
| | | | | | Sets up separate service to test multiple configurations. Signed-off-by: Simo Sorce <simo@redhat.com>
* Control access to constrained delegationSimo Sorce2017-01-136-0/+136
| | | | | | | | A client must be tusted or must be explicitly allowed to perform impersonation or constrained delegation to be able to use evidence tickets for s4u2proxy operations. Signed-off-by: Simo Sorce <simo@redhat.com>
* Add control to permit/deny protocol transitionSimo Sorce2017-01-134-7/+27
| | | | | | Denies by default. Signed-off-by: Simo Sorce <simo@redhat.com>
* Make local call staticSimo Sorce2017-01-131-4/+4
| | | | Signed-off-by: Simo Sorce <simo@redhat.com>
* Parse cred_store struct earlierSimo Sorce2017-01-133-47/+73
| | | | | | | | This will provide immediate feedback if an option is incorrectly formatted as well as avoid multiple parsing when the cred store spec needs to be used in multiple places. Signed-off-by: Simo Sorce <simo@redhat.com>
* Use a local keytab for creds encryptionSimo Sorce2017-01-133-36/+142
| | | | | | | | | | | | | If available use a keytab for creds encryption. Since now we can store encrypted credentials, on the cient side, for later reuse, it is better to be able to decrypt them even after a gssproxy daemon restart (maintenance, crashes, etc..) If a keytab is rotated this can cause a restarted gssproxy to fail to decrypt stored credentials, but in that case those credentials are also probably useless and need to be refreshed, so this is not a huge deal, and definitely better than the status quo. Signed-off-by: Simo Sorce <simo@redhat.com>
* Fix print_return logicSimo Sorce2017-01-131-3/+4
| | | | Signed-off-by: Simo Sorce <simo@redhat.com>
* Trace the gssproxy process too.Simo Sorce2017-01-121-1/+4
| | | | Signed-off-by: Simo Sorce <simo@redhat.com>
* Include new tests in `make dist` tarballRobbie Harwood2017-01-121-1/+1
| | | | | | Signed-off-by: Robbie Harwood <rharwood@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> Merges #36
* Add test for cred store extensionsRobbie Harwood2017-01-123-0/+134
| | | | | | | Currently, these are ccache-only. Signed-off-by: Robbie Harwood <rharwood@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Lower 30-second timeouts to 10Robbie Harwood2017-01-123-4/+4
| | | | | | | | Since we actually hit some of these timeouts on purpose, this speeds up the test suite rather noticeably. Signed-off-by: Robbie Harwood <rharwood@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Indent subtestsRobbie Harwood2017-01-122-0/+6
| | | | | Signed-off-by: Robbie Harwood <rharwood@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Separate out test return checking logicRobbie Harwood2017-01-125-39/+17
| | | | | Signed-off-by: Robbie Harwood <rharwood@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Split out each test into its own fileRobbie Harwood2017-01-127-271/+290
| | | | | | | | Some naming and scoping issues are also fixed here in order for the result to run. Signed-off-by: Robbie Harwood <rharwood@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Split out test library functionsRobbie Harwood2017-01-122-549/+554
| | | | | | | | This is mostly code motion, the only exceptions being two corrections on using the "testdir" variable and import updates. Signed-off-by: Robbie Harwood <rharwood@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Cause `make check` to behave as expectedRobbie Harwood2017-01-121-1/+3
| | | | | | | `make tests` retains the current behavior as well. Signed-off-by: Robbie Harwood <rharwood@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Remove sysvinit supportRobbie Harwood2017-01-113-28/+4
| | | | | | | | Also set the default to systemd and add an option for no init. Signed-off-by: Robbie Harwood <rharwood@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> Merges #37
* Always initialize ccache when storing.Simo Sorce2017-01-091-8/+4
| | | | | | | | | | | If we do not initialize the ccache additional entries will pile up and the code that retrieves the encrypted credentials will end up sourcing old, expired creds instead of the latest ones. Plues storage size may grow indefinitely. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Robbie Harwood <rharwood@redhat.com> Merges #35
* In acquire_cred_from, probe for remote credsSimo Sorce2017-01-093-5/+46
| | | | | | | | | | | | | | | | If the calling application is passing in a cred_store, it's either one of two cases: - The application previously stored credentials in a ccache and now wants to use them. - The application has access to specific keys and wants to acquire a local credential. In the first case we can only work with a remote call as a local mechanism wouldn't know what to do with remote creds. In the latter calling the remote code would make no sense as we have local credentials. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Robbie Harwood <rharwood@redhat.com>
* Make sure to pass on request for delegated credsSimo Sorce2017-01-091-0/+5
| | | | | Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Robbie Harwood <rharwood@redhat.com>
* Add cred_store support for local calls.Simo Sorce2017-01-093-29/+122
| | | | | Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Robbie Harwood <rharwood@redhat.com>
* Fix leak of ach in gp_accept_sec_context()Robbie Harwood2016-10-131-0/+1
| | | | | | Signed-off-by: Robbie Harwood <rharwood@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> Merges #34
* Fix leak of localname in gp_export_creds_linux()Robbie Harwood2016-09-281-1/+3
| | | | | | Signed-off-by: Robbie Harwood <rharwood@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> Merges #33
* Fix two leaks in gp_get_cred_environment()Robbie Harwood2016-09-281-9/+9
| | | | | Signed-off-by: Robbie Harwood <rharwood@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Appease clang with memset instead of initializerRobbie Harwood2016-09-271-1/+3
| | | | | | Signed-off-by: Robbie Harwood <rharwood@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> Closes 31
* Fix type of argument to gppint_get_def_creds()Robbie Harwood2016-09-271-1/+1
| | | | | | | Some compilers don't like GSS_C_NO_NAME as a generic NULL value. Signed-off-by: Robbie Harwood <rharwood@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Fix NULL deref in gssi_release_cred()Robbie Harwood2016-09-261-1/+3
| | | | | | Signed-off-by: Robbie Harwood <rharwood@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> Merges 32
* Fix NULL deref in gssi_release_name()Robbie Harwood2016-09-261-1/+1
| | | | | Signed-off-by: Robbie Harwood <rharwood@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Add configure option for build hardeningRobbie Harwood2016-09-083-2/+24
| | | | | | | | Ticket: https://fedorahosted.org/gss-proxy/ticket/147 Signed-off-by: Robbie Harwood <rharwood@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> Merges #30
* Package runtests.py in dist tarballRobbie Harwood2016-09-081-0/+2
| | | | | | Signed-off-by: Robbie Harwood <rharwood@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> Merges #29
* Deploy KDC on LDAP instead of db2Robbie Harwood2016-07-181-6/+145
| | | | | | | Signed-off-by: Robbie Harwood <rharwood@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> Closes #28
* Release version 0.5.1Robbie Harwood2016-06-131-1/+1
| | | | Signed-off-by: Robbie Harwood <rharwood@redhat.com>
* Use new socket if uid, pid, or gid changesRobbie Harwood2016-06-071-0/+22
| | | | | | | | | | | The gssproxy daemon uses SO_PEERCRED to determine credentials of the connecting process. However, these credentials are set only at the time connect has called. Therefore they must be reset every time uid or pid changes. For completeness, we check gid as well. Signed-off-by: Robbie Harwood <rharwood@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> Closes #27
* Fix typo in gp_get_export_creds_type()Andrew Elble2016-06-011-1/+1
| | | | | | | | Should be EXP_CREDS_TYPE_OPTION, not EXP_CTX_TYPE_OPTION. Fixes: e155f81d84f7 ("Add helper to find options in rpc messages") Signed-off-by: Andrew Elble <aweits@rit.edu> Reviewed-by: Robbie Harwood <rharwood@redhat.com>
* Fix return check on gp_conv_gssx_to_nameRobbie Harwood2016-05-181-1/+3
| | | | | | | | | This bug was found by Coverity. Merges #25 Signed-off-by: Robbie Harwood <rharwood@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Release version 0.5.0Simo Sorce2016-05-041-1/+1
| | | | Signed-off-by: Simo Sorce <simo@redhat.com>
* BUILD: Include gp_rpc_debug.h into tarballLukas Slebodnik2016-05-041-0/+1
| | | | | | | | | | | | | | | | | | New header file was introduced in the commit fdcad4fa9696c5f501b16d1b3f622ccc28b6147f but it was not properly added to makefile and therefore it was not included into tarball. And build will fail from tarball due to missing header. gssproxy-0.4.1/tests/cli_srv_comm.c:17:0: <--[gcc] gssproxy-0.4.1/src/gp_rpc_process.h:18:26: fatal error: gp_rpc_debug.h: No such file or directory <--[gcc] #include "gp_rpc_debug.h" ^ compilation terminated. Makefile:1267: recipe for target 'tests/cli_srv_comm.o' failed Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Allow to specify a client name for init testsSimo Sorce2016-05-043-3/+37
| | | | | Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Robbie Harwood <rharwood@redhat.com>
* Add test to verify krb5_principal worksSimo Sorce2016-05-041-40/+162
| | | | | | | | | | This test creates a keytab with multiple keys and attempts to use both by specifying which key to use only in the gssproxy configuration Ticket: https://fedorahosted.org/gss-proxy/ticket/155 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Robbie Harwood <rharwood@redhat.com>
* Implement the krb5_principal optionSimo Sorce2016-04-221-0/+17
| | | | | | | | | | The krb5_principal option was defined and documented but not actually used. Implement it's use when a service keytab is provided. Ticket: https://fedorahosted.org/gss-proxy/ticket/155 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Robbie Harwood <rharwood@redhat.com>
* Fix use after free bugSimo Sorce2016-04-221-1/+2
| | | | | Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Robbie Harwood <rharwood@redhat.com>
* Fix crash bug when reconfiguring serviceSimo Sorce2016-04-221-2/+6
| | | | | | | | If the socket is null the strcmp will segfault. Check for equality of pointers or nullity before entering the strcmp() Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Robbie Harwood <rharwood@redhat.com>
* Fix for gss_inquire_attrs_for_mech accepting NULLsRobbie Harwood2015-12-161-16/+22
| | | | | | | | | | | | | | As per rfc5587, gss_inquire_attrs_for_mech must accept NULL mech_attrs and known_mech_attrs arguments. Up until 1.14, MIT krb5 was not ever passing NULLs in these fields. This fixes an interposer loop (and subsequent segmentation fault) due to our previous assumption that these arguments not be NULL. See also: https://tools.ietf.org/html/rfc5587#section-3.4.3 Signed-off-by: Robbie Harwood <rharwood@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Since krb5 1.14 inquire_context may return no nameSimo Sorce2015-12-161-6/+10
| | | | | | | | | | In 1.14 a patch to more officially support partially established contexts has been intrdouced. With this patch names are not returned. Cope with that by checking if a name is provided before trying to convert. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Robbie Harwood <rharwood@redhat.com>
* Always use valgrind for gssproxy testsSimo Sorce2015-12-011-1/+2
| | | | | Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Robbie Harwoood <rharwood@redhat.com>
* Better naming for tests log filesSimo Sorce2015-12-012-19/+18
| | | | | Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Robbie Harwoood <rharwood@redhat.com>
* Add impersonate testSimo Sorce2015-12-014-0/+198
| | | | | Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Robbie Harwoood <rharwood@redhat.com>
* Appropriately resolve const warnings in tests.Simo Sorce2015-12-012-6/+8
| | | | | Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Robbie Harwoood <rharwood@redhat.com>
* Use t_utils.h in all tests.Simo Sorce2015-12-017-191/+63
| | | | | | | Avoid duplicating the same helper functions everywhere. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Robbie Harwoood <rharwood@redhat.com>
* Add acquire test and generally improve testsSimo Sorce2015-12-017-31/+263
| | | | | Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Robbie Harwoood <rharwood@redhat.com>
generated by cgit (git 2.34.1) at 2024-05-06 01:48:00 +0000