11 files changed, 511 insertions, 0 deletions

diff --git a/src/kadmin/v4server/unit-test/ChangeLog b/src/kadmin/v4server/unit-test/ChangeLog
new file mode 100644
index 000000000..93120b8a4
--- /dev/null
+++ b/src/kadmin/v4server/unit-test/ChangeLog
@@ -0,0 +1,13 @@
+Mon Jul 15 17:15:51 1996  Marc Horowitz  <marc@mit.edu>
+
+	* helpers.exp (exp_prog): the check for non-newline-terminated
+ 	stdout was causing failures where there weren't any.  Barry
+ 	doesn't remember why this was here to begin with.
+	* Makefile.ov (unit-test-body), helpers.exp: some versions of
+ 	runtest do not like digits in command-line variable names. 
+ 	* Makefile.ov (unit-test-body), helpers.exp: ovsec_v4adm_server
+ 	renamed to kadmind4
+	* getpid.sh: grep out any programs with expect or kadmind4 in
+ 	their names.
+
+
diff --git a/src/kadmin/v4server/unit-test/Makefile.ov b/src/kadmin/v4server/unit-test/Makefile.ov
new file mode 100644
index 000000000..3af65607e
--- /dev/null
+++ b/src/kadmin/v4server/unit-test/Makefile.ov
@@ -0,0 +1,19 @@
+#
+# $Id$
+#
+
+TOP = ../..
+include $(TOP)/config.mk/template
+
+unit-test:: unit-test-setup unit-test-body unit-test-cleanup
+
+unit-test-setup::
+	$(START_SERVERS_LOCAL) -v4files -kdcport 750 -keysalt des-cbc-crc:v4
+	$(LOCAL_MAKE_KEYTAB) -princ changepw/kerberos /krb5/ovsec_adm.srvtab
+
+unit-test-body::
+	$(RUNTEST) VFOURSERVER=../kadmind4 --tool v4server \
+		KDBFIVE_EDIT=../../../admin/edit/kdb5_edit
+
+unit-test-cleanup::
+	$(STOP_SERVERS_LOCAL) -v4files
diff --git a/src/kadmin/v4server/unit-test/config/ChangeLog b/src/kadmin/v4server/unit-test/config/ChangeLog
new file mode 100644
index 000000000..aa01abc17
--- /dev/null
+++ b/src/kadmin/v4server/unit-test/config/ChangeLog
@@ -0,0 +1,7 @@
+Mon Jul 15 17:18:56 1996  Marc Horowitz  <marc@mit.edu>
+
+	* unix.exp: some versions of runtest do not like digits in
+ 	command-line variable names.  ovsec_edit_keytab renamed to
+ 	kadm5_keytab
+	
+
diff --git a/src/kadmin/v4server/unit-test/config/unix.exp b/src/kadmin/v4server/unit-test/config/unix.exp
new file mode 100644
index 000000000..874092311
--- /dev/null
+++ b/src/kadmin/v4server/unit-test/config/unix.exp
@@ -0,0 +1,42 @@
+global env
+
+set kill /bin/kill
+
+if {[file exists /bin/sleep]} {
+    set sleep /bin/sleep
+} else {
+    set sleep /usr/bin/sleep
+}
+
+set kpasswd_v4 /usr/athena/bin/kpasswd
+set ovpasswd $env(TOP)/kpasswd/kpasswd
+set kadmin_local $env(TOP)/cli/kadmin.local
+set kdb5_edit $KDBFIVE_EDIT
+set remove_changepw_perms ./remove_changepw_perms.sh
+set getpid ./getpid.sh
+set ovsec_adm_server $env(TOP)/server/kadmind
+set ovsec_edit_keytab $env(TOP)/keytab/kadm5_keytab
+set hostname [exec hostname]
+
+# change-password.exp sends ^C to kpasswd to kill it; on HP-UX the
+# default intr character is DEL, and setting it on all platforms
+# won't hurt
+set stty_init "intr \\^c"
+
+if {[info commands exp_version] != {}} {
+	set exp_version_4 [regexp {^4} [exp_version]]
+} else {
+	set exp_version_4 [regexp {^4} [expect_version]]
+}
+
+# Backward compatibility until we're using expect 5 everywhere
+if {$exp_version_4} {
+	global wait_error_index wait_errno_index wait_status_index
+	set wait_error_index 0
+	set wait_errno_index 1
+	set wait_status_index 1
+} else {
+	set wait_error_index 2
+	set wait_errno_index 3
+	set wait_status_index 3
+}
diff --git a/src/kadmin/v4server/unit-test/getpid.sh b/src/kadmin/v4server/unit-test/getpid.sh
new file mode 100644
index 000000000..5c1b1a690
--- /dev/null
+++ b/src/kadmin/v4server/unit-test/getpid.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+# tcl sucks big fat hairy rocks
+
+$PS_ALL | awk "/$1/"' && !/awk/ && !/getpid/ && !/expect/ && !/kadmind4/ { print $2 }'
diff --git a/src/kadmin/v4server/unit-test/helpers.exp b/src/kadmin/v4server/unit-test/helpers.exp
new file mode 100644
index 000000000..7f23b65c8
--- /dev/null
+++ b/src/kadmin/v4server/unit-test/helpers.exp
@@ -0,0 +1,232 @@
+proc server_pids { } {
+    global env
+
+    return [eval [concat exec $env(PS_ALL) | \
+	    awk {{/kadmind4/ && !/awk/ && !/expect/ {printf("%d ", $2)}}}]]
+}
+
+proc server_exit { name status } {
+    global wait_error_index wait_errno_index wait_status_index
+    global server_id
+    global kill
+
+    verbose "$name: stopping V4 kpasswd server." 1
+
+    # We can't know whether the process exists or not, so we have
+    # to ignore errors.  XXX will close ever time out?
+    catch {close $server_id}
+    set pids [server_pids]
+    if {$pids != {}} {
+	verbose "server_exit killing process(es) $pids"
+	catch {exec $kill $pids}
+    } else {
+	verbose "server_exit: couldn't find running server(s) to kill"
+    }
+
+    # wait hangs on AIX if the process was killed; since status == -1
+    # in that case, solve the problem by not waiting; the zombies will
+    # be cleaned up when the test finishes
+    if {$status == -1} {
+	return 1
+    }
+
+    set ret [wait -i $server_id]
+    verbose "% Exit $ret" 2
+
+    if {[lindex $ret $wait_error_index] == -1} {
+	fail "$name: wait returned error [lindex $ret $wait_errno_index]"
+	return 0
+    } else {
+	if { [lindex $ret $wait_status_index] == $status ||
+	(($status<0) && ([lindex $ret $wait_status_index] == ($status+256))) } {
+	    pass "$name"
+	} else {
+	    fail "$name: unexpected return status [lindex $ret $wait_status_index], should be $status"
+	    return 0
+	}
+    }
+
+    return 1
+}
+
+proc myfail { msg } {
+	global mytest_status
+	fail "$msg"
+	set mytest_status 1
+}
+
+proc server_start { name cmdline should_listen args } {
+    global spawn_id server_id
+    global VFOURSERVER
+    global mytest_status
+    global sleep hostname
+
+    set max_tries 60
+
+    verbose "$name: starting V4 kpasswd server." 1
+
+    for {set num_tries 0} {$num_tries <= $max_tries} {incr num_tries} {
+	if {$num_tries} {
+	    exec $sleep 5
+	    verbose "Couldn't connect to V4 kpasswd server; retrying ($num_tries so far)."
+	}
+
+	spawn $VFOURSERVER $cmdline
+	set server_id $spawn_id
+
+	foreach test $args {
+	    set mytest_status 0
+	    uplevel 1 "expect {
+		-i $server_id
+		$test
+		timeout { myfail \"$name: timeout\" }
+		eof { myfail \"$name: eof while expecting string\" }
+	    }"
+
+	    if {$mytest_status == 1} { 
+		return 0
+	    }
+	}
+
+	set pids [server_pids]
+
+	if {$should_listen} {
+	    exec $sleep 1
+	    set save_spawn_id $spawn_id
+	    spawn telnet $hostname kerberos_master
+	    expect {
+		{Connection refused} {
+		    close -i $save_spawn_id
+		    wait -i $save_spawn_id
+		    close
+		    wait
+		    continue
+		}
+		{Connected} {
+		    send "close\n"
+		    close
+		    wait
+		    set spawn_id $save_spawn_id
+		    break
+		}
+		default {
+		    close -i $save_spawn_id
+		    wait -i $save_spawn_id
+		    catch {close}
+		    wait
+		    continue
+		}
+	    }
+	} else {
+	    break
+	}
+    }
+
+    if {$pids == {}} {
+	# Try twice to find the server processes.  Not sure why,
+	# but there seems to be some sort of race condition in the OS.
+
+	verbose "server_start: couldn't find server process(es) -- trying again"
+	exec $sleep 1
+	set pids [server_pids]
+    }
+
+    if {$num_tries > $max_tries} {
+	myfail "$name: couldn't connect to V4 kpasswd server"
+	return 0
+    } else {
+	if {$pids != {}} {
+	    verbose "server_start: server process ID(s) is/are $pids"
+	}
+	pass "$name"
+	return 1
+    }
+}
+
+proc exp_prog { name prog cmdline status args } {
+	global spawn_id spawn_pid
+	global mytest_status
+	global wait_error_index wait_errno_index wait_status_index
+
+	verbose "$name: spawning $prog $cmdline" 1
+
+	set spawn_pid [eval "spawn $prog $cmdline"]
+
+	# at the end, eof is success
+
+#	lappend args { eof { if {[regexp "\[\r\n\]$" $expect_out(buffer)] == 0} { myfail "final status message not newline-terminated" } } }
+	lappend args { eof {} }
+
+	foreach test $args {
+		set mytest_status 0
+		uplevel 1 "expect {
+			$test
+			timeout { close; myfail \"$name: timeout\" }
+		      eof { myfail \"$name: eof while expecting string\" }
+		}"
+
+		if {$mytest_status == 1} { return 0 }
+	}
+
+	# at this point, the id is closed and we can wait on it.
+
+	set ret [wait]
+	verbose "% Exit $ret" 2
+
+	if {$status == -1} { return 1 }
+
+	if {[lindex $ret $wait_error_index] == -1} {
+		fail "$name: wait returned error [lindex $ret $wait_errno_index]"
+	} else {
+		if { [lindex $ret $wait_status_index] == $status ||
+		     (($status<0) && ([lindex $ret $wait_status_index] == ($status+256))) } {
+			pass "$name"
+		} else {
+			fail "$name: unexpected return status [lindex $ret $wait_status_index], should be $status"
+		}
+	}
+
+	return 1
+}
+
+proc fix_salt { name fullname oldpw newpw } {
+	global kdb5_edit
+
+	exp_prog "$name: kdb5_edit" $kdb5_edit "" 0 {
+		"kdb5_edit:" { send "cpw $fullname\n" }
+	} {
+		"Enter password:" { send "$newpw\n" }
+	} {
+		"Re-enter password for verification:" { send "$newpw\n" }
+	} {
+		"kdb5_edit:" { send "quit\n" }
+	}
+}
+
+proc unexpire { name fullname } {
+    global kadmin_local
+    
+    # While we're at it, make sure they aren't expired.
+    exp_prog "$name: kadmin.local" $kadmin_local "" 0 {
+	"kadmin.local:" {
+	    send "modprinc -expire \"May 6, 1999\" $fullname\n" 
+	}
+    } { 
+	-re "Principal .* modified." { send "quit\n" }
+    }
+}
+
+proc kpasswd_v4 { name fullname status oldpw newpw args } {
+	global kpasswd_v4 s
+
+	eval [concat {
+		exp_prog $name $kpasswd_v4 "-u $fullname" $status {
+			-re "Old password for $fullname:" { send "$oldpw\n" }
+		} {
+			-re "New Password for $fullname:" { send "$newpw\n" }
+		} {
+		   -re "Verifying, please re-enter New Password for $fullname:"
+				{ send "$newpw\n" }
+		}
+		} $args]
+}
diff --git a/src/kadmin/v4server/unit-test/remove_changepw_perms.sh b/src/kadmin/v4server/unit-test/remove_changepw_perms.sh
new file mode 100644
index 000000000..27d026ff3
--- /dev/null
+++ b/src/kadmin/v4server/unit-test/remove_changepw_perms.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+# tcl sucks big fat hairy rocks
+
+ed /krb5/ovsec_adm.acl <<EOF >/dev/null 2>&1
+g/changepw\/kerberos/s/^/#/
+w
+q
+EOF
diff --git a/src/kadmin/v4server/unit-test/v4server.0/setup-srvtab.exp b/src/kadmin/v4server/unit-test/v4server.0/setup-srvtab.exp
new file mode 100644
index 000000000..3c8e181b2
--- /dev/null
+++ b/src/kadmin/v4server/unit-test/v4server.0/setup-srvtab.exp
@@ -0,0 +1,11 @@
+load_lib "helpers.exp"
+
+set timeout 10
+
+exp_prog "setup" $ovsec_edit_keytab \
+	"-k /krb5/ovsec_adm.srvtab -a -c -p admin changepw/kerberos" \
+	0 {
+	"Enter password:" { send "admin\n" }
+} {
+	-re "Entry for principal changepw/kerberos .* added to keytab" {}
+}
diff --git a/src/kadmin/v4server/unit-test/v4server.1/access.exp b/src/kadmin/v4server/unit-test/v4server.1/access.exp
new file mode 100644
index 000000000..4d30fc9c7
--- /dev/null
+++ b/src/kadmin/v4server/unit-test/v4server.1/access.exp
@@ -0,0 +1,88 @@
+load_lib "helpers.exp"
+
+set timeout 30
+
+# Setup: make sure the principals we will use have V4 salt
+fix_salt "A.setup" testuser notathena notathena
+unexpire "A.setup" testuser
+unexpire "A.setup" changepw/kerberos
+
+proc kill_admin_server {} {
+	global env kill getpid
+
+	set pid [exec $getpid kadmind]
+	if {$pid != ""} {
+		exec $kill $pid
+	}
+}
+
+proc start_admin_server {} {
+    global ovsec_adm_server sleep
+
+    set max_tries 60
+
+    for {set num_tries 0} {$num_tries <= $max_tries} {incr num_tries} {
+	if {$num_tries} {
+	    exec $sleep 5
+	    verbose "$ovsec_adm_server couldn't bind; retrying ($num_tries so far)"
+	}
+	if {[catch "exec $ovsec_adm_server" msg]} {
+	    if {[regexp {Address already in use} $msg]} {
+		continue
+	    }
+	    fail "starting $ovsec_adm_server: $msg"
+	}
+	return
+    }
+    fail "starting $ovsec_adm_server: $msg"
+}
+	
+proc remove_changepw_perms {} {
+	global remove_changepw_perms
+
+	exec $remove_changepw_perms
+}
+
+proc set_changepw_perms { perms } {
+	remove_changepw_perms
+
+	exec echo "changepw/kerberos@SECURE-TEST.OV.COM	$perms" \
+		>> /krb5/ovsec_adm.acl
+}
+
+# start off with a dead admin server
+kill_admin_server
+
+set_changepw_perms "i"
+start_admin_server
+server_start A.1 "-n" 1 {
+	"KADM Server starting in the OVSEC_KADM mode" {}
+}
+kpasswd_v4 A.1 testuser 2 notathena foobar {
+	"Operation requires ``change-password'' privilege" {}
+} {
+	"$kpasswd_v4: Insufficient access to perform requested operation while attempting to change password." {}
+} {
+	"Password NOT changed." {}
+}
+server_exit A.1 -1
+kill_admin_server
+
+set_changepw_perms "c"
+start_admin_server
+server_start A.2 "-n" 1 {
+	"KADM Server starting in the OVSEC_KADM mode" {}
+}
+kpasswd_v4 A.2 testuser 2 notathena foobar {
+	"Operation requires ``get'' privilege" {}
+} {
+	"$kpasswd_v4: Insufficient access to perform requested operation while attempting to change password." {}
+} {
+	"Password NOT changed." {}
+}
+server_exit A.2 -1
+kill_admin_server
+
+set_changepw_perms "ci"
+
+start_admin_server
diff --git a/src/kadmin/v4server/unit-test/v4server.1/change-password.exp b/src/kadmin/v4server/unit-test/v4server.1/change-password.exp
new file mode 100644
index 000000000..62b9ec30a
--- /dev/null
+++ b/src/kadmin/v4server/unit-test/v4server.1/change-password.exp
@@ -0,0 +1,59 @@
+load_lib "helpers.exp"
+
+set timeout 30
+
+spawn stty -a
+expect { eof {} }
+wait
+
+# Setup: make sure the principals we will use have V4 salt
+fix_salt "CPW.setup" testuser notathena notathena
+fix_salt "CPW.setup" pol1 pol111111 pol111111
+fix_salt "CPW.setup" pol2 pol222222 pol222222
+unexpire "CPW.setup" testuser
+unexpire "CPW.setup" pol1
+unexpire "CPW.setup" pol2
+unexpire "CPW.setup" changepw/kerberos
+
+server_start "CPW.all" "-n" 1 {
+	"KADM Server starting in the OVSEC_KADM mode" {}
+}
+
+kpasswd_v4 CPW.1 testuser 0 notathena foobar { "Password changed." {} }
+kpasswd_v4 CPW.1 testuser 0 foobar notathena { "Password changed." {} }
+
+kpasswd_v4 CPW.3 pol1 -1 pol111111 foo {
+	"New password is too short." {}
+} {
+	"$kpasswd_v4: Insecure password rejected while attempting to change password." { send "\003\n"; close; break }
+}
+
+kpasswd_v4 CPW.4 pol1 -1 pol111111 foooooooo {
+	"New password does not have enough character classes." {}
+} {
+	"$kpasswd_v4: Insecure password rejected while attempting to change password." { send "\003\n"; close; break }
+}
+
+kpasswd_v4 CPW.5 pol1 -1 pol111111 Abyssinia {
+	"New password was found in a dictionary" {}
+} {
+	"$kpasswd_v4: Insecure password rejected while attempting to change password." { send "\003\n"; close; break }
+}
+
+kpasswd_v4 CPW.6.setup pol1 0 pol111111 polAAAAAA { "Password changed." {} }
+kpasswd_v4 CPW.6 pol1 -1 polAAAAAA pol111111 {
+	"New password was used previously." {}
+} {
+	"$kpasswd_v4: Insecure password rejected while attempting to change password." { send "\003\n"; close; break }
+}
+
+# this relies on the fact that kdb5_edit resets last_pwd_change, which
+# it appears to
+kpasswd_v4 CPW.7.setup pol2 0 pol222222 polBBBBBB { "Password changed." {} }
+kpasswd_v4 CPW.7 pol2 -1 polBBBBBB pol222222 {
+	"Password cannot be changed because it was changed too recently." {}
+} {
+	"$kpasswd_v4: Insecure password rejected while attempting to change password." { send "\003\n"; close; break }
+}
+
+server_exit "CPW.all" -1
diff --git a/src/kadmin/v4server/unit-test/v4server.1/usage.exp b/src/kadmin/v4server/unit-test/v4server.1/usage.exp
new file mode 100644
index 000000000..4d292067a
--- /dev/null
+++ b/src/kadmin/v4server/unit-test/v4server.1/usage.exp
@@ -0,0 +1,26 @@
+load_lib "helpers.exp"
+
+set timeout 10
+
+server_start "U.1: -h" "-h" 0 {
+	-re {Usage: .*} {}
+} {
+	eof {}
+}
+server_exit "U.1: -h" 255
+
+server_start "U.4: -n" "-n" 1 {
+	"Enter KDC database master key:" {
+		myfail "unexpected password prompt"
+	}
+	"KADM Server starting in the OVSEC_KADM mode" {}
+}
+
+server_exit "U.4: -n" -1
+
+server_start "U.5: no -n" "" 1 {
+	"KADM Server starting in the OVSEC_KADM mode" {}
+} {
+	"Enter KDC database master key:" { send "mrroot\n" }
+}
+server_exit "U.5: no -n" -1