Diffstat (limited to 'src/kadmin/v4server/unit-test')
-rw-r--r-- | src/kadmin/v4server/unit-test/ChangeLog | 13 | ||||
-rw-r--r-- | src/kadmin/v4server/unit-test/Makefile.ov | 19 | ||||
-rw-r--r-- | src/kadmin/v4server/unit-test/config/ChangeLog | 7 | ||||
-rw-r--r-- | src/kadmin/v4server/unit-test/config/unix.exp | 42 | ||||
-rw-r--r-- | src/kadmin/v4server/unit-test/getpid.sh | 5 | ||||
-rw-r--r-- | src/kadmin/v4server/unit-test/helpers.exp | 232 | ||||
-rw-r--r-- | src/kadmin/v4server/unit-test/remove_changepw_perms.sh | 9 | ||||
-rw-r--r-- | src/kadmin/v4server/unit-test/v4server.0/setup-srvtab.exp | 11 | ||||
-rw-r--r-- | src/kadmin/v4server/unit-test/v4server.1/access.exp | 88 | ||||
-rw-r--r-- | src/kadmin/v4server/unit-test/v4server.1/change-password.exp | 59 | ||||
-rw-r--r-- | src/kadmin/v4server/unit-test/v4server.1/usage.exp | 26 |
11 files changed, 511 insertions, 0 deletions
diff --git a/src/kadmin/v4server/unit-test/ChangeLog b/src/kadmin/v4server/unit-test/ChangeLog
new file mode 100644
index 000000000..93120b8a4
--- /dev/null
+++ b/src/kadmin/v4server/unit-test/ChangeLog
@@ -0,0 +1,13 @@
+Mon Jul 15 17:15:51 1996 Marc Horowitz <marc@mit.edu>
+
+ * helpers.exp (exp_prog): the check for non-newline-terminated
+ stdout was causing failures where there weren't any. Barry
+ doesn't remember why this was here to begin with.
+ * Makefile.ov (unit-test-body), helpers.exp: some versions of
+ runtest do not like digits in command-line variable names.
+ * Makefile.ov (unit-test-body), helpers.exp: ovsec_v4adm_server
+ renamed to kadmind4
+ * getpid.sh: grep out any programs with expect or kadmind4 in
+ their names.
+
+
diff --git a/src/kadmin/v4server/unit-test/Makefile.ov b/src/kadmin/v4server/unit-test/Makefile.ov
new file mode 100644
index 000000000..3af65607e
--- /dev/null
+++ b/src/kadmin/v4server/unit-test/Makefile.ov
@@ -0,0 +1,19 @@
+#
+# $Id$
+#
+
+TOP = ../..
+include $(TOP)/config.mk/template
+
+unit-test:: unit-test-setup unit-test-body unit-test-cleanup
+
+unit-test-setup::
+ $(START_SERVERS_LOCAL) -v4files -kdcport 750 -keysalt des-cbc-crc:v4
+ $(LOCAL_MAKE_KEYTAB) -princ changepw/kerberos /krb5/ovsec_adm.srvtab
+
+unit-test-body::
+ $(RUNTEST) VFOURSERVER=../kadmind4 --tool v4server \
+ KDBFIVE_EDIT=../../../admin/edit/kdb5_edit
+
+unit-test-cleanup::
+ $(STOP_SERVERS_LOCAL) -v4files
diff --git a/src/kadmin/v4server/unit-test/config/ChangeLog b/src/kadmin/v4server/unit-test/config/ChangeLog
new file mode 100644
index 000000000..aa01abc17
--- /dev/null
+++ b/src/kadmin/v4server/unit-test/config/ChangeLog
@@ -0,0 +1,7 @@
+Mon Jul 15 17:18:56 1996 Marc Horowitz <marc@mit.edu>
+
+ * unix.exp: some versions of runtest do not like digits in
+ command-line variable names. ovsec_edit_keytab renamed to
+ kadm5_keytab
+
+
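Review bot: In Makefile.ov, `unit-test-cleanup` runs only as a later prerequisite of `unit-test`, so if `$(RUNTEST)` in `unit-test-body` exits non-zero make stops before `$(STOP_SERVERS_LOCAL) -v4files` and the servers started by `unit-test-setup` (with `-kdcport 750`) stay up. Presumably runtest returns a failing status when any test fails, which would make this the usual outcome of a failed run rather than a rare one. Consider capturing the status in the body recipe and stopping the servers before re-raising it, e.g. `$(RUNTEST) ... ; st=$$?; $(STOP_SERVERS_LOCAL) -v4files; exit $$st`, or add a comment saying that a failed run needs a manual `make unit-test-cleanup`.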
diff --git a/src/kadmin/v4server/unit-test/config/unix.exp b/src/kadmin/v4server/unit-test/config/unix.exp
new file mode 100644
index 000000000..874092311
--- /dev/null
+++ b/src/kadmin/v4server/unit-test/config/unix.exp
@@ -0,0 +1,42 @@
+global env
+
+set kill /bin/kill
+
+if {[file exists /bin/sleep]} {
+ set sleep /bin/sleep
+} else {
+ set sleep /usr/bin/sleep
+}
+
+set kpasswd_v4 /usr/athena/bin/kpasswd
+set ovpasswd $env(TOP)/kpasswd/kpasswd
+set kadmin_local $env(TOP)/cli/kadmin.local
+set kdb5_edit $KDBFIVE_EDIT
+set remove_changepw_perms ./remove_changepw_perms.sh
+set getpid ./getpid.sh
+set ovsec_adm_server $env(TOP)/server/kadmind
+set ovsec_edit_keytab $env(TOP)/keytab/kadm5_keytab
+set hostname [exec hostname]
+
+# change-password.exp sends ^C to kpasswd to kill it; on HP-UX the
+# default intr character is DEL, and setting it on all platforms
+# won't hurt
+set stty_init "intr \\^c"
+
+if {[info commands exp_version] != {}} {
+ set exp_version_4 [regexp {^4} [exp_version]]
+} else {
+ set exp_version_4 [regexp {^4} [expect_version]]
+}
+
+# Backward compatibility until we're using expect 5 everywhere
+if {$exp_version_4} {
+ global wait_error_index wait_errno_index wait_status_index
+ set wait_error_index 0
+ set wait_errno_index 1
+ set wait_status_index 1
+} else {
+ set wait_error_index 2
+ set wait_errno_index 3
+ set wait_status_index 3
+}
diff --git a/src/kadmin/v4server/unit-test/getpid.sh b/src/kadmin/v4server/unit-test/getpid.sh
new file mode 100644
index 000000000..5c1b1a690
--- /dev/null
+++ b/src/kadmin/v4server/unit-test/getpid.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+# tcl sucks big fat hairy rocks
+
+$PS_ALL | awk "/$1/"' && !/awk/ && !/getpid/ && !/expect/ && !/kadmind4/ { print $2 }'
diff --git a/src/kadmin/v4server/unit-test/helpers.exp b/src/kadmin/v4server/unit-test/helpers.exp
new file mode 100644
index 000000000..7f23b65c8
--- /dev/null
+++ b/src/kadmin/v4server/unit-test/helpers.exp
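Review bot: In getpid.sh the caller's argument is spliced into the awk program text (`awk "/$1/"'...`), so a name containing `/` or regex metacharacters changes the program rather than the pattern. Passing it as data keeps the filter intact: `$PS_ALL | awk -v pat="$1" '$0 ~ pat && !/awk/ && !/getpid/ && !/expect/ && !/kadmind4/ { print $2 }'`. The PIDs printed here are handed to kill by kill_admin_server in access.exp, so a header comment stating that this is a substring match over every process `$PS_ALL` lists, not only those the test started, would also help.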
@@ -0,0 +1,232 @@
+proc server_pids { } {
+ global env
+
+ return [eval [concat exec $env(PS_ALL) | \
+ awk {{/kadmind4/ && !/awk/ && !/expect/ {printf("%d ", $2)}}}]]
+}
+
+proc server_exit { name status } {
+ global wait_error_index wait_errno_index wait_status_index
+ global server_id
+ global kill
+
+ verbose "$name: stopping V4 kpasswd server." 1
+
+ # We can't know whether the process exists or not, so we have
+ # to ignore errors. XXX will close ever time out?
+ catch {close $server_id}
+ set pids [server_pids]
+ if {$pids != {}} {
+ verbose "server_exit killing process(es) $pids"
+ catch {exec $kill $pids}
+ } else {
+ verbose "server_exit: couldn't find running server(s) to kill"
+ }
+
+ # wait hangs on AIX if the process was killed; since status == -1
+ # in that case, solve the problem by not waiting; the zombies will
+ # be cleaned up when the test finishes
+ if {$status == -1} {
+ return 1
+ }
+
+ set ret [wait -i $server_id]
+ verbose "% Exit $ret" 2
+
+ if {[lindex $ret $wait_error_index] == -1} {
+ fail "$name: wait returned error [lindex $ret $wait_errno_index]"
+ return 0
+ } else {
+ if { [lindex $ret $wait_status_index] == $status ||
+ (($status<0) && ([lindex $ret $wait_status_index] == ($status+256))) } {
+ pass "$name"
+ } else {
+ fail "$name: unexpected return status [lindex $ret $wait_status_index], should be $status"
+ return 0
+ }
+ }
+
+ return 1
+}
+
+proc myfail { msg } {
+ global mytest_status
+ fail "$msg"
+ set mytest_status 1
+}
+
+proc server_start { name cmdline should_listen args } {
+ global spawn_id server_id
+ global VFOURSERVER
+ global mytest_status
+ global sleep hostname
+
+ set max_tries 60
+
+ verbose "$name: starting V4 kpasswd server." 1
+
+ for {set num_tries 0} {$num_tries <= $max_tries} {incr num_tries} {
+ if {$num_tries} {
+ exec $sleep 5
+ verbose "Couldn't connect to V4 kpasswd server; retrying ($num_tries so far)."
+ }
+
+ spawn $VFOURSERVER $cmdline
+ set server_id $spawn_id
+
+ foreach test $args {
+ set mytest_status 0
+ uplevel 1 "expect {
+ -i $server_id
+ $test
+ timeout { myfail \"$name: timeout\" }
+ eof { myfail \"$name: eof while expecting string\" }
+ }"
+
+ if {$mytest_status == 1} {
+ return 0
+ }
+ }
+
+ set pids [server_pids]
+
+ if {$should_listen} {
+ exec $sleep 1
+ set save_spawn_id $spawn_id
+ spawn telnet $hostname kerberos_master
+ expect {
+ {Connection refused} {
+ close -i $save_spawn_id
+ wait -i $save_spawn_id
+ close
+ wait
+ continue
+ }
+ {Connected} {
+ send "close\n"
+ close
+ wait
+ set spawn_id $save_spawn_id
+ break
+ }
+ default {
+ close -i $save_spawn_id
+ wait -i $save_spawn_id
+ catch {close}
+ wait
+ continue
+ }
+ }
+ } else {
+ break
+ }
+ }
+
+ if {$pids == {}} {
+ # Try twice to find the server processes. Not sure why,
+ # but there seems to be some sort of race condition in the OS.
+
+ verbose "server_start: couldn't find server process(es) -- trying again"
+ exec $sleep 1
+ set pids [server_pids]
+ }
+
+ if {$num_tries > $max_tries} {
+ myfail "$name: couldn't connect to V4 kpasswd server"
+ return 0
+ } else {
+ if {$pids != {}} {
+ verbose "server_start: server process ID(s) is/are $pids"
+ }
+ pass "$name"
+ return 1
+ }
+}
+
+proc exp_prog { name prog cmdline status args } {
+ global spawn_id spawn_pid
+ global mytest_status
+ global wait_error_index wait_errno_index wait_status_index
+
+ verbose "$name: spawning $prog $cmdline" 1
+
+ set spawn_pid [eval "spawn $prog $cmdline"]
+
+ # at the end, eof is success
+
+# lappend args { eof { if {[regexp "\[\r\n\]$" $expect_out(buffer)] == 0} { myfail "final status message not newline-terminated" } } }
+ lappend args { eof {} }
+
+ foreach test $args {
+ set mytest_status 0
+ uplevel 1 "expect {
+ $test
+ timeout { close; myfail \"$name: timeout\" }
+ eof { myfail \"$name: eof while expecting string\" }
+ }"
+
+ if {$mytest_status == 1} { return 0 }
+ }
+
+ # at this point, the id is closed and we can wait on it.
+
+ set ret [wait]
+ verbose "% Exit $ret" 2
+
+ if {$status == -1} { return 1 }
+
+ if {[lindex $ret $wait_error_index] == -1} {
+ fail "$name: wait returned error [lindex $ret $wait_errno_index]"
+ } else {
+ if { [lindex $ret $wait_status_index] == $status ||
+ (($status<0) && ([lindex $ret $wait_status_index] == ($status+256))) } {
+ pass "$name"
+ } else {
+ fail "$name: unexpected return status [lindex $ret $wait_status_index], should be $status"
+ }
+ }
+
+ return 1
+}
+
+proc fix_salt { name fullname oldpw newpw } {
+ global kdb5_edit
+
+ exp_prog "$name: kdb5_edit" $kdb5_edit "" 0 {
+ "kdb5_edit:" { send "cpw $fullname\n" }
+ } {
+ "Enter password:" { send "$newpw\n" }
+ } {
+ "Re-enter password for verification:" { send "$newpw\n" }
+ } {
+ "kdb5_edit:" { send "quit\n" }
+ }
+}
+
+proc unexpire { name fullname } {
+ global kadmin_local
+
+ # While we're at it, make sure they aren't expired.
+ exp_prog "$name: kadmin.local" $kadmin_local "" 0 {
+ "kadmin.local:" {
+ send "modprinc -expire \"May 6, 1999\" $fullname\n"
+ }
+ } {
+ -re "Principal .* modified." { send "quit\n" }
+ }
+}
+
+proc kpasswd_v4 { name fullname status oldpw newpw args } {
+ global kpasswd_v4 s
+
+ eval [concat {
+ exp_prog $name $kpasswd_v4 "-u $fullname" $status {
+ -re "Old password for $fullname:" { send "$oldpw\n" }
+ } {
+ -re "New Password for $fullname:" { send "$newpw\n" }
+ } {
+ -re "Verifying, please re-enter New Password for $fullname:"
+ { send "$newpw\n" }
+ }
+ } $args]
+}
diff --git a/src/kadmin/v4server/unit-test/remove_changepw_perms.sh b/src/kadmin/v4server/unit-test/remove_changepw_perms.sh
new file mode 100644
index 000000000..27d026ff3
--- /dev/null
+++ b/src/kadmin/v4server/unit-test/remove_changepw_perms.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+# tcl sucks big fat hairy rocks
+
+ed /krb5/ovsec_adm.acl <<EOF >/dev/null 2>&1
+g/changepw\/kerberos/s/^/#/
+w
+q
+EOF
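Review bot: In helpers.exp, server_exit runs `catch {exec $kill $pids}` on the space-separated string that server_pids builds with `printf("%d ", $2)`, and Tcl hands `$pids` to kill as one argument, so with more than one PID (and possibly with one, given the trailing space) kill is likely to reject it while the catch hides the error. A kadmind4 that survives this way may still hold the port when the next server_start probes it with telnet, so the later test would be talking to a stale server. Splitting the list fixes it: `catch {eval exec $kill $pids}`. kill_admin_server in access.exp has the same unsplit `exec $kill $pid`, there without a catch, so two matching processes would abort that script.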
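Review bot: In remove_changepw_perms.sh the ed command `g/changepw\/kerberos/s/^/#/` is unanchored, so it also matches lines it commented out on earlier calls and any other ACL entry that merely contains that string; every set_changepw_perms call in access.exp therefore prepends another `#` to the old lines while appending a new entry. Anchoring to live entries keeps the file stable, e.g. `g/^changepw\/kerberos/s/^/#/`. Because the script edits the fixed path /krb5/ovsec_adm.acl in place and discards ed's output, a header comment saying it must only be run against a disposable test realm would be worth adding.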
diff --git a/src/kadmin/v4server/unit-test/v4server.0/setup-srvtab.exp b/src/kadmin/v4server/unit-test/v4server.0/setup-srvtab.exp
new file mode 100644
index 000000000..3c8e181b2
--- /dev/null
+++ b/src/kadmin/v4server/unit-test/v4server.0/setup-srvtab.exp
@@ -0,0 +1,11 @@
+load_lib "helpers.exp"
+
+set timeout 10
+
+exp_prog "setup" $ovsec_edit_keytab \
+ "-k /krb5/ovsec_adm.srvtab -a -c -p admin changepw/kerberos" \
+ 0 {
+ "Enter password:" { send "admin\n" }
+} {
+ -re "Entry for principal changepw/kerberos .* added to keytab" {}
+}
diff --git a/src/kadmin/v4server/unit-test/v4server.1/access.exp b/src/kadmin/v4server/unit-test/v4server.1/access.exp
new file mode 100644
index 000000000..4d30fc9c7
--- /dev/null
+++ b/src/kadmin/v4server/unit-test/v4server.1/access.exp
@@ -0,0 +1,88 @@
+load_lib "helpers.exp"
+
+set timeout 30
+
+# Setup: make sure the principals we will use have V4 salt
+fix_salt "A.setup" testuser notathena notathena
+unexpire "A.setup" testuser
+unexpire "A.setup" changepw/kerberos
+
+proc kill_admin_server {} {
+ global env kill getpid
+
+ set pid [exec $getpid kadmind]
+ if {$pid != ""} {
+ exec $kill $pid
+ }
+}
+
+proc start_admin_server {} {
+ global ovsec_adm_server sleep
+
+ set max_tries 60
+
+ for {set num_tries 0} {$num_tries <= $max_tries} {incr num_tries} {
+ if {$num_tries} {
+ exec $sleep 5
+ verbose "$ovsec_adm_server couldn't bind; retrying ($num_tries so far)"
+ }
+ if {[catch "exec $ovsec_adm_server" msg]} {
+ if {[regexp {Address already in use} $msg]} {
+ continue
+ }
+ fail "starting $ovsec_adm_server: $msg"
+ }
+ return
+ }
+ fail "starting $ovsec_adm_server: $msg"
+}
+
+proc remove_changepw_perms {} {
+ global remove_changepw_perms
+
+ exec $remove_changepw_perms
+}
+
+proc set_changepw_perms { perms } {
+ remove_changepw_perms
+
+ exec echo "changepw/kerberos@SECURE-TEST.OV.COM $perms" \
+ >> /krb5/ovsec_adm.acl
+}
+
+# start off with a dead admin server
+kill_admin_server
+
+set_changepw_perms "i"
+start_admin_server
+server_start A.1 "-n" 1 {
+ "KADM Server starting in the OVSEC_KADM mode" {}
+}
+kpasswd_v4 A.1 testuser 2 notathena foobar {
+ "Operation requires ``change-password'' privilege" {}
+} {
+ "$kpasswd_v4: Insufficient access to perform requested operation while attempting to change password." {}
+} {
+ "Password NOT changed." {}
+}
+server_exit A.1 -1
+kill_admin_server
+
+set_changepw_perms "c"
+start_admin_server
+server_start A.2 "-n" 1 {
+ "KADM Server starting in the OVSEC_KADM mode" {}
+}
+kpasswd_v4 A.2 testuser 2 notathena foobar {
+ "Operation requires ``get'' privilege" {}
+} {
+ "$kpasswd_v4: Insufficient access to perform requested operation while attempting to change password." {}
+} {
+ "Password NOT changed." {}
+}
+server_exit A.2 -1
+kill_admin_server
+
+set_changepw_perms "ci"
+
+start_admin_server
diff --git a/src/kadmin/v4server/unit-test/v4server.1/change-password.exp b/src/kadmin/v4server/unit-test/v4server.1/change-password.exp
new file mode 100644
index 000000000..62b9ec30a
--- /dev/null
+++ b/src/kadmin/v4server/unit-test/v4server.1/change-password.exp
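Review bot: The last two statements of access.exp, `set_changepw_perms "ci"` and `start_admin_server`, have no test attached and leave the ACL entry and a running admin server behind, which looks like setup for the files that run afterwards (change-password.exp starts kadmind4 but no admin server of its own). That ordering dependency is not stated anywhere in the hunk. A comment such as `# leave changepw/kerberos with "ci" and kadmind running for the remaining v4server.1 tests` would make it explicit and tell a reader that the ACL is intentionally not restored.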
@@ -0,0 +1,59 @@
+load_lib "helpers.exp"
+
+set timeout 30
+
+spawn stty -a
+expect { eof {} }
+wait
+
+# Setup: make sure the principals we will use have V4 salt
+fix_salt "CPW.setup" testuser notathena notathena
+fix_salt "CPW.setup" pol1 pol111111 pol111111
+fix_salt "CPW.setup" pol2 pol222222 pol222222
+unexpire "CPW.setup" testuser
+unexpire "CPW.setup" pol1
+unexpire "CPW.setup" pol2
+unexpire "CPW.setup" changepw/kerberos
+
+server_start "CPW.all" "-n" 1 {
+ "KADM Server starting in the OVSEC_KADM mode" {}
+}
+
+kpasswd_v4 CPW.1 testuser 0 notathena foobar { "Password changed." {} }
+kpasswd_v4 CPW.1 testuser 0 foobar notathena { "Password changed." {} }
+
+kpasswd_v4 CPW.3 pol1 -1 pol111111 foo {
+ "New password is too short." {}
+} {
+ "$kpasswd_v4: Insecure password rejected while attempting to change password." { send "\003\n"; close; break }
+}
+
+kpasswd_v4 CPW.4 pol1 -1 pol111111 foooooooo {
+ "New password does not have enough character classes." {}
+} {
+ "$kpasswd_v4: Insecure password rejected while attempting to change password." { send "\003\n"; close; break }
+}
+
+kpasswd_v4 CPW.5 pol1 -1 pol111111 Abyssinia {
+ "New password was found in a dictionary" {}
+} {
+ "$kpasswd_v4: Insecure password rejected while attempting to change password." { send "\003\n"; close; break }
+}
+
+kpasswd_v4 CPW.6.setup pol1 0 pol111111 polAAAAAA { "Password changed." {} }
+kpasswd_v4 CPW.6 pol1 -1 polAAAAAA pol111111 {
+ "New password was used previously." {}
+} {
+ "$kpasswd_v4: Insecure password rejected while attempting to change password." { send "\003\n"; close; break }
+}
+
+# this relies on the fact that kdb5_edit resets last_pwd_change, which
+# it appears to
+kpasswd_v4 CPW.7.setup pol2 0 pol222222 polBBBBBB { "Password changed." {} }
+kpasswd_v4 CPW.7 pol2 -1 polBBBBBB pol222222 {
+ "Password cannot be changed because it was changed too recently." {}
+} {
+ "$kpasswd_v4: Insecure password rejected while attempting to change password." { send "\003\n"; close; break }
+}
+
+server_exit "CPW.all" -1
diff --git a/src/kadmin/v4server/unit-test/v4server.1/usage.exp b/src/kadmin/v4server/unit-test/v4server.1/usage.exp
new file mode 100644
index 000000000..4d292067a
--- /dev/null
+++ b/src/kadmin/v4server/unit-test/v4server.1/usage.exp
@@ -0,0 +1,26 @@
+load_lib "helpers.exp"
+
+set timeout 10
+
+server_start "U.1: -h" "-h" 0 {
+ -re {Usage: .*} {}
+} {
+ eof {}
+}
+server_exit "U.1: -h" 255
+
+server_start "U.4: -n" "-n" 1 {
+ "Enter KDC database master key:" {
+ myfail "unexpected password prompt"
+ }
+ "KADM Server starting in the OVSEC_KADM mode" {}
+}
+
+server_exit "U.4: -n" -1
+
+server_start "U.5: no -n" "" 1 {
+ "KADM Server starting in the OVSEC_KADM mode" {}
+} {
+ "Enter KDC database master key:" { send "mrroot\n" }
+}
+server_exit "U.5: no -n" -1 |
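Review bot: CPW.3 through CPW.7 in change-password.exp pass `-1` as the expected status, and exp_prog in helpers.exp returns on `$status == -1` before it reaches either the exit-status comparison or `pass`, so these password-policy rejection cases can report a failure but never a PASS. Someone reading the test summary cannot tell whether the policy checks ran at all. If the exit status is unusable because kpasswd is interrupted with ^C, say so in a comment above CPW.3 and record the result explicitly, for example with `pass "$name"` before the early return in exp_prog.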
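Review bot: U.5 in usage.exp passes `""` as cmdline, and server_start in helpers.exp runs `spawn $VFOURSERVER $cmdline`, so kadmind4 is started with one empty-string argument rather than with no arguments; a cmdline holding two options would likewise arrive as a single word. Whether kadmind4 ignores an empty argument is not visible here. Expanding the string in server_start, `eval spawn [list $VFOURSERVER] $cmdline`, would make the "no -n" case start the server the way its name says.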