932 lines
32 KiB
Python
932 lines
32 KiB
Python
|
#!/usr/bin/env python3
|
||
|
# Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
|
||
|
# Ref: https://raw.githubusercontent.com/gssapi/mod_auth_gssapi/master/tests/magtests.py
|
||
|
|
||
|
import argparse
|
||
|
import os
|
||
|
import os.path
|
||
|
import random
|
||
|
import shutil
|
||
|
import signal
|
||
|
import subprocess
|
||
|
import sys
|
||
|
import time
|
||
|
import traceback
|
||
|
|
||
|
# check that we can import requests (for use in test scripts)
|
||
|
import requests
|
||
|
|
||
|
import requests_gssapi
|
||
|
del requests
|
||
|
del requests_gssapi
|
||
|
|
||
|
|
||
|
def parse_args():
|
||
|
parser = argparse.ArgumentParser(
|
||
|
description='Mod Auth GSSAPI Tests Environment')
|
||
|
parser.add_argument('--path', default='%s/scratchdir' % os.getcwd(),
|
||
|
help="Directory in which tests are run")
|
||
|
parser.add_argument('--so-dir', default='%s/src/.libs' % os.getcwd(),
|
||
|
help="mod_auth_gssapi shared object dirpath")
|
||
|
return vars(parser.parse_args())
|
||
|
|
||
|
|
||
|
WRAP_HOSTNAME = "kdc.mag.dev"
|
||
|
WRAP_ALIASNAME = "alias.mag.dev"
|
||
|
WRAP_FAILNAME = "fail.mag.dev"
|
||
|
WRAP_IPADDR = '127.0.0.9'
|
||
|
WRAP_HTTP_PORT = '80'
|
||
|
WRAP_PROXY_PORT = '8080'
|
||
|
|
||
|
|
||
|
def setup_wrappers(base):
|
||
|
pkgcfg = subprocess.Popen(['pkg-config', '--exists', 'socket_wrapper'])
|
||
|
pkgcfg.wait()
|
||
|
if pkgcfg.returncode != 0:
|
||
|
raise ValueError('Socket Wrappers not available')
|
||
|
|
||
|
pkgcfg = subprocess.Popen(['pkg-config', '--exists', 'nss_wrapper'])
|
||
|
pkgcfg.wait()
|
||
|
if pkgcfg.returncode != 0:
|
||
|
raise ValueError('Socket Wrappers not available')
|
||
|
|
||
|
wrapdir = os.path.join(base, 'wrapdir')
|
||
|
if not os.path.exists(wrapdir):
|
||
|
os.makedirs(wrapdir)
|
||
|
|
||
|
hosts_file = os.path.join(testdir, 'hosts')
|
||
|
with open(hosts_file, 'w+') as f:
|
||
|
f.write('%s %s\n' % (WRAP_IPADDR, WRAP_HOSTNAME))
|
||
|
f.write('%s %s\n' % (WRAP_IPADDR, WRAP_ALIASNAME))
|
||
|
f.write('%s %s\n' % (WRAP_IPADDR, WRAP_FAILNAME))
|
||
|
|
||
|
passwd_file = os.path.join(testdir, 'passwd')
|
||
|
with open(passwd_file, 'w+') as f:
|
||
|
f.write('root:x:0:0:root:/root:/bin/sh')
|
||
|
f.write('maguser:x:1:1:maguser:/maguser:/bin/sh')
|
||
|
f.write('maguser2:x:2:2:maguser2:/maguser2:/bin/sh')
|
||
|
f.write('maguser3:x:3:3:maguser3:/maguser3:/bin/sh')
|
||
|
f.write('timeoutusr:x:4:4:timeoutusr:/timeoutusr:/bin/sh')
|
||
|
|
||
|
wenv = {'LD_PRELOAD': 'libsocket_wrapper.so libnss_wrapper.so',
|
||
|
'SOCKET_WRAPPER_DIR': wrapdir,
|
||
|
'SOCKET_WRAPPER_DEFAULT_IFACE': '9',
|
||
|
'WRAP_PROXY_PORT': WRAP_PROXY_PORT,
|
||
|
'NSS_WRAPPER_HOSTNAME': WRAP_HOSTNAME,
|
||
|
'NSS_WRAPPER_HOSTS': hosts_file,
|
||
|
'NSS_WRAPPER_PASSWD': passwd_file}
|
||
|
return wenv
|
||
|
|
||
|
|
||
|
def apply_venv(env):
|
||
|
env['PATH'] = os.environ.get('PATH', '')
|
||
|
env['VIRTUAL_ENV'] = os.environ.get('VIRTUAL_ENV', '')
|
||
|
return env
|
||
|
|
||
|
|
||
|
TESTREALM = "MAG.DEV"
|
||
|
KDC_DBNAME = 'db.file'
|
||
|
KDC_STASH = 'stash.file'
|
||
|
KDC_PASSWORD = 'modauthgssapi'
|
||
|
KRB5_CONF_TEMPLATE = '''
|
||
|
[libdefaults]
|
||
|
default_realm = {TESTREALM}
|
||
|
dns_lookup_realm = false
|
||
|
dns_lookup_kdc = false
|
||
|
rdns = false
|
||
|
ticket_lifetime = 24h
|
||
|
forwardable = yes
|
||
|
default_ccache_name = FILE://{TESTDIR}/ccaches/krb5_ccache_XXXXXX
|
||
|
|
||
|
[realms]
|
||
|
{TESTREALM} = {{
|
||
|
kdc = {WRAP_HOSTNAME}
|
||
|
pkinit_anchors = FILE:{TESTDIR}/{PKINIT_CA}
|
||
|
}}
|
||
|
|
||
|
[domain_realm]
|
||
|
.mag.dev = {TESTREALM}
|
||
|
mag.dev = {TESTREALM}
|
||
|
|
||
|
[dbmodules]
|
||
|
{TESTREALM} = {{
|
||
|
database_name = {KDCDIR}/{KDC_DBNAME}
|
||
|
}}
|
||
|
'''
|
||
|
KDC_CONF_TEMPLATE = '''
|
||
|
[kdcdefaults]
|
||
|
kdc_ports = 88
|
||
|
kdc_tcp_ports = 88
|
||
|
restrict_anonymous_to_tgt = true
|
||
|
pkinit_identity = FILE:{TESTDIR}/{PKINIT_KDC_CERT},{TESTDIR}/{PKINIT_KEY}
|
||
|
pkinit_anchors = FILE:{TESTDIR}/{PKINIT_CA}
|
||
|
pkinit_indicator = na1
|
||
|
pkinit_indicator = na2
|
||
|
pkinit_indicator = na3
|
||
|
|
||
|
[realms]
|
||
|
{TESTREALM} = {{
|
||
|
master_key_type = aes256-cts
|
||
|
max_life = 7d
|
||
|
max_renewable_life = 14d
|
||
|
acl_file = {KDCDIR}/kadm5.acl
|
||
|
dict_file = /usr/share/dict/words
|
||
|
default_principal_flags = +preauth
|
||
|
admin_keytab = {TESTREALM}/kadm5.keytab
|
||
|
key_stash_file = {KDCDIR}/{KDC_STASH}
|
||
|
}}
|
||
|
[logging]
|
||
|
kdc = FILE:{KDCLOG}
|
||
|
'''
|
||
|
|
||
|
PKINIT_CA = 'cacert.pem'
|
||
|
PKINIT_KEY = 'key.pem'
|
||
|
PKINIT_USER_REQ = 'user.csr'
|
||
|
PKINIT_USER_CERT = 'user.pem'
|
||
|
PKINIT_KDC_REQ = 'kdccert.csr'
|
||
|
PKINIT_KDC_CERT = 'kdccert.pem'
|
||
|
|
||
|
OPENSSLCNF_TEMPLATE = '''
|
||
|
[req]
|
||
|
prompt = no
|
||
|
distinguished_name = $ENV::O_SUBJECT
|
||
|
|
||
|
[ca]
|
||
|
CN = CA
|
||
|
C = US
|
||
|
OU = Insecure test CA do not use
|
||
|
O = {TESTREALM}
|
||
|
|
||
|
[kdc]
|
||
|
C = US
|
||
|
O = {TESTREALM}
|
||
|
CN = KDC
|
||
|
|
||
|
[user]
|
||
|
C = US
|
||
|
O = {TESTREALM}
|
||
|
CN = maguser3
|
||
|
|
||
|
[exts_ca]
|
||
|
subjectKeyIdentifier = hash
|
||
|
authorityKeyIdentifier = keyid:always,issuer:always
|
||
|
keyUsage = nonRepudiation,digitalSignature,keyEncipherment,dataEncipherment,keyAgreement,keyCertSign,cRLSign
|
||
|
basicConstraints = critical,CA:TRUE
|
||
|
|
||
|
[components_kdc]
|
||
|
0.component=GeneralString:krbtgt
|
||
|
1.component=GeneralString:{TESTREALM}
|
||
|
|
||
|
[princ_kdc]
|
||
|
nametype=EXPLICIT:0,INTEGER:1
|
||
|
components=EXPLICIT:1,SEQUENCE:components_kdc
|
||
|
|
||
|
[krb5princ_kdc]
|
||
|
realm=EXPLICIT:0,GeneralString:{TESTREALM}
|
||
|
princ=EXPLICIT:1,SEQUENCE:princ_kdc
|
||
|
|
||
|
[exts_kdc]
|
||
|
subjectKeyIdentifier = hash
|
||
|
authorityKeyIdentifier = keyid:always,issuer:always
|
||
|
keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
|
||
|
basicConstraints = critical,CA:FALSE
|
||
|
subjectAltName = otherName:1.3.6.1.5.2.2;SEQUENCE:krb5princ_kdc
|
||
|
extendedKeyUsage = 1.3.6.1.5.2.3.5
|
||
|
|
||
|
[components_client]
|
||
|
component=GeneralString:maguser3
|
||
|
|
||
|
[princ_client]
|
||
|
nametype=EXPLICIT:0,INTEGER:1
|
||
|
components=EXPLICIT:1,SEQUENCE:components_client
|
||
|
|
||
|
[krb5princ_client]
|
||
|
realm=EXPLICIT:0,GeneralString:{TESTREALM}
|
||
|
princ=EXPLICIT:1,SEQUENCE:princ_client
|
||
|
|
||
|
[exts_client]
|
||
|
subjectKeyIdentifier = hash
|
||
|
authorityKeyIdentifier = keyid:always,issuer:always
|
||
|
keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
|
||
|
basicConstraints = critical,CA:FALSE
|
||
|
subjectAltName = otherName:1.3.6.1.5.2.2;SEQUENCE:krb5princ_client
|
||
|
extendedKeyUsage = 1.3.6.1.5.2.3.4
|
||
|
''' # noqa
|
||
|
|
||
|
|
||
|
def setup_test_certs(testdir, testenv, logfile):
|
||
|
opensslcnf = os.path.join(testdir, 'openssl.cnf')
|
||
|
pkinit_key = os.path.join(testdir, PKINIT_KEY)
|
||
|
pkinit_ca = os.path.join(testdir, PKINIT_CA)
|
||
|
pkinit_kdc_req = os.path.join(testdir, PKINIT_KDC_REQ)
|
||
|
pkinit_user_req = os.path.join(testdir, PKINIT_USER_REQ)
|
||
|
pkinit_kdc_cert = os.path.join(testdir, PKINIT_KDC_CERT)
|
||
|
pkinit_user_cert = os.path.join(testdir, PKINIT_USER_CERT)
|
||
|
|
||
|
text = OPENSSLCNF_TEMPLATE.format(TESTREALM=TESTREALM)
|
||
|
with open(opensslcnf, 'w+') as f:
|
||
|
f.write(text)
|
||
|
|
||
|
cmd = subprocess.Popen(["openssl", "genrsa", "-out", pkinit_key,
|
||
|
"2048"], stdout=logfile,
|
||
|
stderr=logfile, env=testenv,
|
||
|
preexec_fn=os.setsid)
|
||
|
cmd.wait()
|
||
|
if cmd.returncode != 0:
|
||
|
raise ValueError('Generating CA RSA key failed')
|
||
|
|
||
|
testenv.update({'O_SUBJECT': 'ca'})
|
||
|
cmd = subprocess.Popen(["openssl", "req", "-config", opensslcnf,
|
||
|
"-new", "-x509", "-extensions", "exts_ca",
|
||
|
"-set_serial", "1", "-days", "100",
|
||
|
"-key", pkinit_key, "-out", pkinit_ca],
|
||
|
stdout=logfile, stderr=logfile, env=testenv,
|
||
|
preexec_fn=os.setsid)
|
||
|
cmd.wait()
|
||
|
if cmd.returncode != 0:
|
||
|
raise ValueError('Generating CA certificate failed')
|
||
|
|
||
|
testenv.update({'O_SUBJECT': 'kdc'})
|
||
|
cmd = subprocess.Popen(["openssl", "req", "-config", opensslcnf,
|
||
|
"-new", "-subj", "/CN=kdc",
|
||
|
"-key", pkinit_key, "-out", pkinit_kdc_req],
|
||
|
stdout=logfile, stderr=logfile, env=testenv,
|
||
|
preexec_fn=os.setsid)
|
||
|
cmd.wait()
|
||
|
if cmd.returncode != 0:
|
||
|
raise ValueError('Generating KDC req failed')
|
||
|
|
||
|
cmd = subprocess.Popen(["openssl", "x509", "-extfile", opensslcnf,
|
||
|
"-extensions", "exts_kdc", "-set_serial", "2",
|
||
|
"-days", "100", "-req", "-CA", pkinit_ca,
|
||
|
"-CAkey", pkinit_key, "-out", pkinit_kdc_cert,
|
||
|
"-in", pkinit_kdc_req],
|
||
|
stdout=logfile, stderr=logfile, env=testenv,
|
||
|
preexec_fn=os.setsid)
|
||
|
cmd.wait()
|
||
|
if cmd.returncode != 0:
|
||
|
raise ValueError('Generating KDC certificate failed')
|
||
|
|
||
|
testenv.update({'O_SUBJECT': 'user'})
|
||
|
cmd = subprocess.Popen(["openssl", "req", "-config", opensslcnf,
|
||
|
"-new", "-subj", "/CN=user",
|
||
|
"-key", pkinit_key, "-out", pkinit_user_req],
|
||
|
stdout=logfile, stderr=logfile, env=testenv,
|
||
|
preexec_fn=os.setsid)
|
||
|
cmd.wait()
|
||
|
if cmd.returncode != 0:
|
||
|
raise ValueError('Generating client req failed')
|
||
|
|
||
|
cmd = subprocess.Popen(["openssl", "x509", "-extfile", opensslcnf,
|
||
|
"-extensions", "exts_client", "-set_serial", "3",
|
||
|
"-days", "100", "-req", "-CA", pkinit_ca,
|
||
|
"-CAkey", pkinit_key, "-out", pkinit_user_cert,
|
||
|
"-in", pkinit_user_req],
|
||
|
stdout=logfile, stderr=logfile, env=testenv,
|
||
|
preexec_fn=os.setsid)
|
||
|
cmd.wait()
|
||
|
if cmd.returncode != 0:
|
||
|
raise ValueError('Generating client certificate failed')
|
||
|
|
||
|
|
||
|
def setup_kdc(testdir, wrapenv):
|
||
|
# setup kerberos environment
|
||
|
testlog = os.path.join(testdir, 'kerb.log')
|
||
|
krb5conf = os.path.join(testdir, 'krb5.conf')
|
||
|
kdcconf = os.path.join(testdir, 'kdc.conf')
|
||
|
kdcdir = os.path.join(testdir, 'kdc')
|
||
|
if os.path.exists(kdcdir):
|
||
|
shutil.rmtree(kdcdir)
|
||
|
os.makedirs(kdcdir)
|
||
|
|
||
|
text = KRB5_CONF_TEMPLATE.format(TESTREALM=TESTREALM,
|
||
|
TESTDIR=testdir,
|
||
|
KDCDIR=kdcdir,
|
||
|
KDC_DBNAME=KDC_DBNAME,
|
||
|
WRAP_HOSTNAME=WRAP_HOSTNAME,
|
||
|
PKINIT_CA=PKINIT_CA,
|
||
|
PKINIT_USER_CERT=PKINIT_USER_CERT,
|
||
|
PKINIT_KEY=PKINIT_KEY)
|
||
|
with open(krb5conf, 'w+') as f:
|
||
|
f.write(text)
|
||
|
|
||
|
text = KDC_CONF_TEMPLATE.format(TESTREALM=TESTREALM,
|
||
|
TESTDIR=testdir,
|
||
|
KDCDIR=kdcdir,
|
||
|
KDCLOG=testlog,
|
||
|
KDC_STASH=KDC_STASH,
|
||
|
PKINIT_CA=PKINIT_CA,
|
||
|
PKINIT_KDC_CERT=PKINIT_KDC_CERT,
|
||
|
PKINIT_KEY=PKINIT_KEY)
|
||
|
with open(kdcconf, 'w+') as f:
|
||
|
f.write(text)
|
||
|
|
||
|
kdcenv = wrapenv.copy()
|
||
|
kdcenv.update({
|
||
|
'PATH': f'{wrapenv["PATH"]}:/sbin:/bin:/usr/sbin:/usr/bin',
|
||
|
'KRB5_CONFIG': krb5conf,
|
||
|
'KRB5_KDC_PROFILE': kdcconf,
|
||
|
'KRB5_TRACE': os.path.join(testdir, 'krbtrace.log'),
|
||
|
})
|
||
|
|
||
|
logfile = open(testlog, 'a')
|
||
|
ksetup = subprocess.Popen(["kdb5_util", "create", "-W", "-s",
|
||
|
"-r", TESTREALM, "-P", KDC_PASSWORD],
|
||
|
stdout=logfile, stderr=logfile,
|
||
|
env=kdcenv, preexec_fn=os.setsid)
|
||
|
ksetup.wait()
|
||
|
if ksetup.returncode != 0:
|
||
|
raise ValueError('KDC Setup failed')
|
||
|
|
||
|
setup_test_certs(testdir, kdcenv, logfile)
|
||
|
|
||
|
kdcproc = subprocess.Popen(['krb5kdc', '-n'],
|
||
|
stdout=logfile, stderr=logfile,
|
||
|
env=kdcenv, preexec_fn=os.setsid)
|
||
|
return kdcproc, kdcenv
|
||
|
|
||
|
|
||
|
def kadmin_local(cmd, env, logfile):
|
||
|
ksetup = subprocess.Popen(["kadmin.local", "-q", cmd],
|
||
|
stdout=logfile, stderr=logfile,
|
||
|
env=env, preexec_fn=os.setsid)
|
||
|
ksetup.wait()
|
||
|
if ksetup.returncode != 0:
|
||
|
raise ValueError('Kadmin local [%s] failed' % cmd)
|
||
|
|
||
|
|
||
|
USR_NAME = "maguser"
|
||
|
USR_PWD = "magpwd"
|
||
|
USR_NAME_2 = "maguser2"
|
||
|
USR_PWD_2 = "magpwd2"
|
||
|
USR_NAME_3 = "maguser3"
|
||
|
SVC_KTNAME = "httpd/http.keytab"
|
||
|
KEY_TYPE = "aes256-cts-hmac-sha1-96:normal"
|
||
|
USR_NAME_4 = "timeoutusr"
|
||
|
|
||
|
|
||
|
def setup_keys(tesdir, env):
|
||
|
testlog = os.path.join(testdir, 'kerb.log')
|
||
|
logfile = open(testlog, 'a')
|
||
|
|
||
|
svc_name = "HTTP/%s" % WRAP_HOSTNAME
|
||
|
cmd = "addprinc -randkey -e %s %s" % (KEY_TYPE, svc_name)
|
||
|
kadmin_local(cmd, env, logfile)
|
||
|
|
||
|
svc_keytab = os.path.join(testdir, SVC_KTNAME)
|
||
|
cmd = "ktadd -k %s -e %s %s" % (svc_keytab, KEY_TYPE, svc_name)
|
||
|
kadmin_local(cmd, env, logfile)
|
||
|
|
||
|
cmd = "addprinc -pw %s -e %s %s" % (USR_PWD, KEY_TYPE, USR_NAME)
|
||
|
kadmin_local(cmd, env, logfile)
|
||
|
|
||
|
cmd = "addprinc -pw %s -e %s %s" % (USR_PWD_2, KEY_TYPE, USR_NAME_2)
|
||
|
kadmin_local(cmd, env, logfile)
|
||
|
|
||
|
cmd = "addprinc -pw %s -e %s %s" % (USR_PWD, KEY_TYPE, USR_NAME_4)
|
||
|
kadmin_local(cmd, env, logfile)
|
||
|
|
||
|
# alias for multinamed hosts testing
|
||
|
alias_name = "HTTP/%s" % WRAP_ALIASNAME
|
||
|
cmd = "addprinc -randkey -e %s %s" % (KEY_TYPE, alias_name)
|
||
|
kadmin_local(cmd, env, logfile)
|
||
|
cmd = "ktadd -k %s -e %s %s" % (svc_keytab, KEY_TYPE, alias_name)
|
||
|
kadmin_local(cmd, env, logfile)
|
||
|
|
||
|
cmd = "addprinc -nokey -e %s %s" % (KEY_TYPE, USR_NAME_3)
|
||
|
kadmin_local(cmd, env, logfile)
|
||
|
|
||
|
keys_env = env.copy()
|
||
|
keys_env.update({
|
||
|
"KRB5_KTNAME": svc_keytab,
|
||
|
})
|
||
|
return keys_env
|
||
|
|
||
|
|
||
|
def setup_http(testdir, so_dir, wrapenv):
|
||
|
httpdir = os.path.join(testdir, 'httpd')
|
||
|
if os.path.exists(httpdir):
|
||
|
shutil.rmtree(httpdir)
|
||
|
os.makedirs(httpdir)
|
||
|
os.mkdir(os.path.join(httpdir, 'conf.d'))
|
||
|
os.mkdir(os.path.join(httpdir, 'html'))
|
||
|
os.mkdir(os.path.join(httpdir, 'logs'))
|
||
|
httpdstdlog = os.path.join(testdir, 'httpd.stdlog')
|
||
|
|
||
|
distro = "Fedora"
|
||
|
moddir = "/etc/httpd/modules"
|
||
|
if not os.path.exists(moddir):
|
||
|
distro = "Debian"
|
||
|
moddir = "/usr/lib/apache2/modules"
|
||
|
if not os.path.exists(moddir):
|
||
|
raise ValueError("Could not find Apache module directory!")
|
||
|
os.symlink(moddir, os.path.join(httpdir, 'modules'))
|
||
|
|
||
|
shutil.copy('%s/mod_auth_gssapi.so' % so_dir, httpdir)
|
||
|
|
||
|
with open('tests/httpd.conf') as f:
|
||
|
text = f.read().format(HTTPROOT=httpdir,
|
||
|
HTTPNAME=WRAP_HOSTNAME,
|
||
|
HTTPADDR=WRAP_IPADDR,
|
||
|
PROXYPORT=WRAP_PROXY_PORT,
|
||
|
HTTPPORT=WRAP_HTTP_PORT,
|
||
|
HOSTNAME=WRAP_HOSTNAME)
|
||
|
config = os.path.join(httpdir, 'httpd.conf')
|
||
|
with open(config, 'w+') as f:
|
||
|
f.write(text)
|
||
|
|
||
|
shutil.copy('tests/401.html', os.path.join(httpdir, 'html'))
|
||
|
|
||
|
httpenv = wrapenv.copy()
|
||
|
httpenv.update({
|
||
|
'PATH': f'/sbin:/bin:/usr/sbin:/usr/bin:{wrapenv["PATH"]}',
|
||
|
'MALLOC_CHECK_': '3',
|
||
|
'MALLOC_PERTURB_': str(random.randint(0, 32767) % 255 + 1),
|
||
|
})
|
||
|
|
||
|
httpd = "httpd" if distro == "Fedora" else "apache2"
|
||
|
log = open(httpdstdlog, 'a')
|
||
|
httpproc = subprocess.Popen([httpd, '-DFOREGROUND', '-f', config],
|
||
|
stdout=log, stderr=log,
|
||
|
env=httpenv, preexec_fn=os.setsid)
|
||
|
return httpproc
|
||
|
|
||
|
|
||
|
def kinit_user(testdir, kdcenv):
|
||
|
testlog = os.path.join(testdir, 'kinit.log')
|
||
|
ccache = os.path.join(testdir, 'k5ccache')
|
||
|
testenv = kdcenv.copy()
|
||
|
testenv.update({
|
||
|
'KRB5CCNAME': ccache,
|
||
|
})
|
||
|
|
||
|
with (open(testlog, 'a')) as logfile:
|
||
|
kinit = subprocess.Popen(["kinit", USR_NAME],
|
||
|
stdin=subprocess.PIPE,
|
||
|
stdout=logfile, stderr=logfile,
|
||
|
env=testenv, preexec_fn=os.setsid)
|
||
|
kinit.communicate(('%s\n' % USR_PWD).encode("utf8"))
|
||
|
kinit.wait()
|
||
|
if kinit.returncode != 0:
|
||
|
raise ValueError('kinit failed')
|
||
|
|
||
|
return testenv
|
||
|
|
||
|
|
||
|
def kinit_certuser(testdir, kdcenv):
|
||
|
testlog = os.path.join(testdir, 'kinit.log')
|
||
|
ccache = os.path.join(testdir, 'k5ccache2')
|
||
|
pkinit_user_cert = os.path.join(testdir, PKINIT_USER_CERT)
|
||
|
pkinit_key = os.path.join(testdir, PKINIT_KEY)
|
||
|
ident = "X509_user_identity=FILE:" + pkinit_user_cert + "," + pkinit_key
|
||
|
testenv = kdcenv.copy()
|
||
|
testenv.update({
|
||
|
'KRB5CCNAME': ccache,
|
||
|
})
|
||
|
with (open(testlog, 'a')) as logfile:
|
||
|
logfile.write('PKINIT for maguser3\n')
|
||
|
kinit = subprocess.Popen(["kinit", USR_NAME_3, "-X", ident],
|
||
|
stdin=subprocess.PIPE,
|
||
|
stdout=logfile, stderr=logfile,
|
||
|
env=testenv, preexec_fn=os.setsid)
|
||
|
kinit.wait()
|
||
|
if kinit.returncode != 0:
|
||
|
raise ValueError('kinit failed')
|
||
|
return testenv
|
||
|
|
||
|
|
||
|
def test_spnego_auth(testdir, testenv, logfile):
|
||
|
spnegodir = os.path.join(testdir, 'httpd', 'html', 'spnego')
|
||
|
os.mkdir(spnegodir)
|
||
|
shutil.copy('tests/index.html', spnegodir)
|
||
|
error_count = 0
|
||
|
|
||
|
spnego = subprocess.Popen(["tests/t_spnego.py"],
|
||
|
stdout=logfile, stderr=logfile,
|
||
|
env=testenv, preexec_fn=os.setsid)
|
||
|
spnego.wait()
|
||
|
if spnego.returncode != 0:
|
||
|
sys.stderr.write('SPNEGO: FAILED\n')
|
||
|
error_count += 1
|
||
|
else:
|
||
|
sys.stderr.write('SPNEGO: SUCCESS\n')
|
||
|
|
||
|
spnego = subprocess.Popen(["tests/t_spnego_proxy.py"],
|
||
|
stdout=logfile, stderr=logfile,
|
||
|
env=testenv, preexec_fn=os.setsid)
|
||
|
spnego.wait()
|
||
|
if spnego.returncode != 0:
|
||
|
sys.stderr.write('SPNEGO Proxy Auth: FAILED\n')
|
||
|
error_count += 1
|
||
|
else:
|
||
|
sys.stderr.write('SPNEGO Proxy Auth: SUCCESS\n')
|
||
|
|
||
|
spnego = subprocess.Popen(["tests/t_spnego_no_auth.py"],
|
||
|
stdout=logfile, stderr=logfile,
|
||
|
env=testenv, preexec_fn=os.setsid)
|
||
|
spnego.wait()
|
||
|
if spnego.returncode != 0:
|
||
|
sys.stderr.write('SPNEGO No Auth: FAILED\n')
|
||
|
error_count += 1
|
||
|
else:
|
||
|
sys.stderr.write('SPNEGO No Auth: SUCCESS\n')
|
||
|
|
||
|
return error_count
|
||
|
|
||
|
|
||
|
def test_required_name_attr(testdir, testenv, logfile):
|
||
|
for i in range(1, 5):
|
||
|
required_name_attr_dir = os.path.join(testdir, 'httpd', 'html',
|
||
|
'required_name_attr'+str(i))
|
||
|
os.mkdir(required_name_attr_dir)
|
||
|
shutil.copy('tests/index.html', required_name_attr_dir)
|
||
|
|
||
|
tattr = subprocess.Popen(["tests/t_required_name_attr.py"],
|
||
|
stdout=logfile, stderr=logfile, env=testenv,
|
||
|
preexec_fn=os.setsid)
|
||
|
tattr.wait()
|
||
|
if tattr.returncode != 0:
|
||
|
sys.stderr.write('Required Name Attr: FAILED\n')
|
||
|
return 1
|
||
|
sys.stderr.write('Required Name Attr: SUCCESS\n')
|
||
|
return 0
|
||
|
|
||
|
|
||
|
def test_spnego_rewrite(testdir, testenv, logfile):
|
||
|
spnego_rewrite_dir = os.path.join(testdir, 'httpd', 'html',
|
||
|
'spnego_rewrite')
|
||
|
os.mkdir(spnego_rewrite_dir)
|
||
|
shutil.copy('tests/index.html', spnego_rewrite_dir)
|
||
|
|
||
|
spnego = subprocess.Popen(["tests/t_spnego_rewrite.py"],
|
||
|
stdout=logfile, stderr=logfile,
|
||
|
env=testenv, preexec_fn=os.setsid)
|
||
|
spnego.wait()
|
||
|
if spnego.returncode != 0:
|
||
|
sys.stderr.write('SPNEGO Rewrite: FAILED\n')
|
||
|
return 1
|
||
|
sys.stderr.write('SPNEGO Rewrite: SUCCESS\n')
|
||
|
return 0
|
||
|
|
||
|
|
||
|
def test_spnego_negotiate_once(testdir, testenv, logfile):
|
||
|
spnego_negotiate_once_dir = os.path.join(testdir, 'httpd', 'html',
|
||
|
'spnego_negotiate_once')
|
||
|
os.mkdir(spnego_negotiate_once_dir)
|
||
|
shutil.copy('tests/index.html', spnego_negotiate_once_dir)
|
||
|
|
||
|
spnego = subprocess.Popen(["tests/t_spnego_negotiate_once.py"],
|
||
|
stdout=logfile, stderr=logfile,
|
||
|
env=testenv, preexec_fn=os.setsid)
|
||
|
spnego.wait()
|
||
|
if spnego.returncode != 0:
|
||
|
sys.stderr.write('SPNEGO Negotiate Once: FAILED\n')
|
||
|
return 1
|
||
|
sys.stderr.write('SPNEGO Negotiate Once: SUCCESS\n')
|
||
|
return 0
|
||
|
|
||
|
|
||
|
def test_basic_auth_krb5(testdir, testenv, logfile):
|
||
|
basicdir = os.path.join(testdir, 'httpd', 'html', 'basic_auth_krb5')
|
||
|
os.mkdir(basicdir)
|
||
|
shutil.copy('tests/index.html', basicdir)
|
||
|
error_count = 0
|
||
|
|
||
|
basick5 = subprocess.Popen(["tests/t_basic_k5.py"],
|
||
|
stdout=logfile, stderr=logfile,
|
||
|
env=testenv, preexec_fn=os.setsid)
|
||
|
basick5.wait()
|
||
|
if basick5.returncode != 0:
|
||
|
sys.stderr.write('BASIC-AUTH: FAILED\n')
|
||
|
error_count += 1
|
||
|
else:
|
||
|
sys.stderr.write('BASIC-AUTH: SUCCESS\n')
|
||
|
|
||
|
basick5 = subprocess.Popen(["tests/t_basic_k5_two_users.py"],
|
||
|
stdout=logfile, stderr=logfile,
|
||
|
env=testenv, preexec_fn=os.setsid)
|
||
|
basick5.wait()
|
||
|
if basick5.returncode != 0:
|
||
|
sys.stderr.write('BASIC-AUTH Two Users: FAILED\n')
|
||
|
error_count += 1
|
||
|
else:
|
||
|
sys.stderr.write('BASIC-AUTH Two Users: SUCCESS\n')
|
||
|
|
||
|
basick5 = subprocess.Popen(["tests/t_basic_k5_fail_second.py"],
|
||
|
stdout=logfile, stderr=logfile,
|
||
|
env=testenv, preexec_fn=os.setsid)
|
||
|
basick5.wait()
|
||
|
if basick5.returncode != 0:
|
||
|
sys.stderr.write('BASIC Fail Second User: FAILED\n')
|
||
|
error_count += 1
|
||
|
else:
|
||
|
sys.stderr.write('BASIC Fail Second User: SUCCESS\n')
|
||
|
|
||
|
basick5 = subprocess.Popen(["tests/t_basic_proxy.py"],
|
||
|
stdout=logfile, stderr=logfile,
|
||
|
env=testenv, preexec_fn=os.setsid)
|
||
|
basick5.wait()
|
||
|
if basick5.returncode != 0:
|
||
|
sys.stderr.write('BASIC Proxy Auth: FAILED\n')
|
||
|
error_count += 1
|
||
|
else:
|
||
|
sys.stderr.write('BASIC Proxy Auth: SUCCESS\n')
|
||
|
|
||
|
return error_count
|
||
|
|
||
|
|
||
|
def test_basic_auth_timeout(testdir, testenv, logfile):
|
||
|
httpdir = os.path.join(testdir, 'httpd')
|
||
|
timeoutdir = os.path.join(httpdir, 'html', 'basic_auth_timeout')
|
||
|
os.mkdir(timeoutdir)
|
||
|
authdir = os.path.join(timeoutdir, 'auth')
|
||
|
os.mkdir(authdir)
|
||
|
sessdir = os.path.join(timeoutdir, 'session')
|
||
|
os.mkdir(sessdir)
|
||
|
shutil.copy('tests/index.html', os.path.join(authdir))
|
||
|
shutil.copy('tests/index.html', os.path.join(sessdir))
|
||
|
|
||
|
basictout = subprocess.Popen(["tests/t_basic_timeout.py"],
|
||
|
stdout=logfile, stderr=logfile,
|
||
|
env=testenv, preexec_fn=os.setsid)
|
||
|
basictout.wait()
|
||
|
if basictout.returncode != 0:
|
||
|
sys.stderr.write('BASIC Timeout Behavior: FAILED\n')
|
||
|
return 1
|
||
|
else:
|
||
|
sys.stderr.write('BASIC Timeout Behavior: SUCCESS\n')
|
||
|
|
||
|
return 0
|
||
|
|
||
|
|
||
|
def test_bad_acceptor_name(testdir, testenv, logfile):
|
||
|
bandir = os.path.join(testdir, 'httpd', 'html', 'bad_acceptor_name')
|
||
|
os.mkdir(bandir)
|
||
|
shutil.copy('tests/index.html', bandir)
|
||
|
|
||
|
ban = subprocess.Popen(["tests/t_bad_acceptor_name.py"],
|
||
|
stdout=logfile, stderr=logfile,
|
||
|
env=testenv, preexec_fn=os.setsid)
|
||
|
ban.wait()
|
||
|
if ban.returncode != 0:
|
||
|
sys.stderr.write('BAD ACCEPTOR: SUCCESS\n')
|
||
|
return 0
|
||
|
sys.stderr.write('BAD ACCEPTOR: FAILED\n')
|
||
|
return 1
|
||
|
|
||
|
|
||
|
def test_no_negotiate(testdir, testenv, logfile):
|
||
|
nonego_dir = os.path.join(testdir, 'httpd', 'html', 'nonego')
|
||
|
os.mkdir(nonego_dir)
|
||
|
shutil.copy('tests/index.html', nonego_dir)
|
||
|
|
||
|
spnego = subprocess.Popen(["tests/t_nonego.py"],
|
||
|
stdout=logfile, stderr=logfile,
|
||
|
env=testenv, preexec_fn=os.setsid)
|
||
|
spnego.wait()
|
||
|
if spnego.returncode != 0:
|
||
|
sys.stderr.write('NO Negotiate: FAILED\n')
|
||
|
return 1
|
||
|
sys.stderr.write('NO Negotiate: SUCCESS\n')
|
||
|
return 0
|
||
|
|
||
|
|
||
|
def test_hostname_acceptor(testdir, testenv, logfile):
|
||
|
plain_test_name = 'hostname_acceptor'
|
||
|
hdir = os.path.join(testdir, 'httpd', 'html', plain_test_name)
|
||
|
os.mkdir(hdir)
|
||
|
shutil.copy('tests/index.html', hdir)
|
||
|
|
||
|
proxy_test_name = 'hostname_proxy'
|
||
|
hdir = os.path.join(testdir, 'httpd', 'html', proxy_test_name)
|
||
|
os.mkdir(hdir)
|
||
|
shutil.copy('tests/index.html', hdir)
|
||
|
ddir = os.path.join(testdir, 'httpd', 'delegccachedir')
|
||
|
os.mkdir(ddir)
|
||
|
|
||
|
failed = False
|
||
|
for test_name in [plain_test_name, proxy_test_name]:
|
||
|
for (name, fail) in [(WRAP_HOSTNAME, False),
|
||
|
(WRAP_ALIASNAME, False),
|
||
|
(WRAP_FAILNAME, True)]:
|
||
|
res = subprocess.Popen(["tests/t_hostname_acceptor.py",
|
||
|
name, test_name],
|
||
|
stdout=logfile, stderr=logfile,
|
||
|
env=testenv, preexec_fn=os.setsid)
|
||
|
res.wait()
|
||
|
if (fail and res.returncode == 0) or \
|
||
|
(not fail and res.returncode != 0):
|
||
|
failed = True
|
||
|
break
|
||
|
|
||
|
if failed:
|
||
|
sys.stderr.write('HOSTNAME ACCEPTOR: FAILED\n')
|
||
|
return 1
|
||
|
sys.stderr.write('HOSTNAME ACCEPTOR: SUCCESS\n')
|
||
|
return 0
|
||
|
|
||
|
|
||
|
def test_gss_localname(testdir, testenv, logfile):
|
||
|
hdir = os.path.join(testdir, 'httpd', 'html', 'gss_localname')
|
||
|
os.mkdir(hdir)
|
||
|
shutil.copy('tests/localname.html', os.path.join(hdir, 'index.html'))
|
||
|
error_count = 0
|
||
|
|
||
|
# Make sure spnego is explicitly tested
|
||
|
spnego = subprocess.Popen(["tests/t_localname.py", "SPNEGO"],
|
||
|
stdout=logfile, stderr=logfile,
|
||
|
env=testenv, preexec_fn=os.setsid)
|
||
|
spnego.wait()
|
||
|
if spnego.returncode != 0:
|
||
|
sys.stderr.write('LOCALNAME(SPNEGO): FAILED\n')
|
||
|
error_count += 1
|
||
|
else:
|
||
|
sys.stderr.write('LOCALNAME(SPNEGO): SUCCESS\n')
|
||
|
|
||
|
# and bare krb5 (GS2-KRB5 is the name used by SASL for it)
|
||
|
krb5 = subprocess.Popen(["tests/t_localname.py", "GS2-KRB5"],
|
||
|
stdout=logfile, stderr=logfile,
|
||
|
env=testenv, preexec_fn=os.setsid)
|
||
|
krb5.wait()
|
||
|
if krb5.returncode != 0:
|
||
|
if krb5.returncode == 42:
|
||
|
sys.stderr.write('LOCALNAME(KRB5): SKIPPED\n')
|
||
|
else:
|
||
|
sys.stderr.write('LOCALNAME(KRB5): FAILED\n')
|
||
|
error_count += 1
|
||
|
else:
|
||
|
sys.stderr.write('LOCALNAME(KRB5): SUCCESS\n')
|
||
|
|
||
|
return error_count
|
||
|
|
||
|
|
||
|
def faketime_setup(testenv):
|
||
|
# Wanted: an architecture- and distro-agnostic way to do this.
|
||
|
# libfaketime is installed in a place where ld.so won't pick it up by
|
||
|
# default, so...
|
||
|
paths = ['/usr/lib64/faketime/libfaketime.so.1',
|
||
|
'/usr/lib/x86_64-linux-gnu/faketime/libfaketime.so.1']
|
||
|
libfaketime = None
|
||
|
for p in paths:
|
||
|
if os.path.isfile(p):
|
||
|
libfaketime = p
|
||
|
if not libfaketime:
|
||
|
raise NotImplementedError
|
||
|
|
||
|
# spedup x100
|
||
|
fakeenv = testenv.copy()
|
||
|
fakeenv.update({
|
||
|
'FAKETIME': '+0 x100',
|
||
|
'LD_PRELOAD': ' '.join((testenv['LD_PRELOAD'], libfaketime)),
|
||
|
})
|
||
|
return fakeenv
|
||
|
|
||
|
|
||
|
def http_restart(testdir, so_dir, testenv):
|
||
|
httpenv = testenv.copy()
|
||
|
httpenv.update({
|
||
|
'PATH': f'/sbin:/bin:/usr/sbin:/usr/bin:{testenv["PATH"]}',
|
||
|
'MALLOC_CHECK_': '3',
|
||
|
'MALLOC_PERTURB_': str(random.randint(0, 32767) % 255 + 1),
|
||
|
})
|
||
|
|
||
|
httpd = "httpd" if os.path.exists("/etc/httpd/modules") else "apache2"
|
||
|
config = os.path.join(testdir, 'httpd', 'httpd.conf')
|
||
|
log = open(os.path.join(testdir, 'httpd.stdlog'), 'a')
|
||
|
httpproc = subprocess.Popen([httpd, '-DFOREGROUND', '-f', config],
|
||
|
stdout=log, stderr=log,
|
||
|
env=httpenv, preexec_fn=os.setsid)
|
||
|
return httpproc
|
||
|
|
||
|
|
||
|
def test_mech_name(testdir, testenv, logfile):
|
||
|
basicdir = os.path.join(testdir, 'httpd', 'html', 'mech_name')
|
||
|
os.mkdir(basicdir)
|
||
|
shutil.copy('tests/mech.html', basicdir)
|
||
|
|
||
|
mname = subprocess.Popen(["tests/t_mech_name.py"],
|
||
|
stdout=logfile, stderr=logfile,
|
||
|
env=testenv, preexec_fn=os.setsid)
|
||
|
mname.wait()
|
||
|
if mname.returncode != 0:
|
||
|
sys.stderr.write('MECH-NAME: FAILED\n')
|
||
|
return 1
|
||
|
sys.stderr.write('MECH-NAME: SUCCESS\n')
|
||
|
return 0
|
||
|
|
||
|
|
||
|
def test_file_check(testdir, testenv, logfile):
|
||
|
basicdir = os.path.join(testdir, 'httpd', 'html', 'keytab_file_check')
|
||
|
os.mkdir(basicdir)
|
||
|
shutil.copy('tests/index.html', basicdir)
|
||
|
|
||
|
filec = subprocess.Popen(["tests/t_file_check.py"],
|
||
|
stdout=logfile, stderr=logfile,
|
||
|
env=testenv, preexec_fn=os.setsid)
|
||
|
filec.wait()
|
||
|
if filec.returncode == 0:
|
||
|
sys.stderr.write('FILE-CHECK: FAILED\n')
|
||
|
return 1
|
||
|
sys.stderr.write('FILE-CHECK: SUCCESS\n')
|
||
|
return 0
|
||
|
|
||
|
|
||
|
if __name__ == '__main__':
|
||
|
args = parse_args()
|
||
|
|
||
|
testdir = args['path']
|
||
|
so_dir = args['so_dir']
|
||
|
if os.path.exists(testdir):
|
||
|
shutil.rmtree(testdir)
|
||
|
os.makedirs(testdir)
|
||
|
|
||
|
processes = dict()
|
||
|
logfile = open(os.path.join(testdir, 'tests.log'), 'w')
|
||
|
# '-1' indicates setup phase
|
||
|
errs = -1
|
||
|
|
||
|
try:
|
||
|
# prepare environment for tests
|
||
|
wrapenv = apply_venv(setup_wrappers(testdir))
|
||
|
|
||
|
kdcproc, kdcenv = setup_kdc(testdir, wrapenv)
|
||
|
processes['KDC(%d)' % kdcproc.pid] = kdcproc
|
||
|
|
||
|
httpproc = setup_http(testdir, so_dir, kdcenv)
|
||
|
processes['HTTPD(%d)' % httpproc.pid] = httpproc
|
||
|
|
||
|
keysenv = setup_keys(testdir, kdcenv)
|
||
|
testenv = kinit_user(testdir, kdcenv)
|
||
|
|
||
|
testenv['DELEGCCACHE'] = os.path.join(testdir, 'httpd',
|
||
|
USR_NAME + '@' + TESTREALM)
|
||
|
# making testing
|
||
|
errs = 0
|
||
|
|
||
|
errs += test_spnego_auth(testdir, testenv, logfile)
|
||
|
|
||
|
testenv['MAG_GSS_NAME'] = USR_NAME + '@' + TESTREALM
|
||
|
errs += test_spnego_rewrite(testdir, testenv, logfile)
|
||
|
|
||
|
errs += test_spnego_negotiate_once(testdir, testenv, logfile)
|
||
|
|
||
|
errs += test_hostname_acceptor(testdir, testenv, logfile)
|
||
|
|
||
|
errs += test_bad_acceptor_name(testdir, testenv, logfile)
|
||
|
|
||
|
testenv['MAG_REMOTE_USER'] = USR_NAME
|
||
|
errs += test_gss_localname(testdir, testenv, logfile)
|
||
|
|
||
|
rpm_path = "/usr/lib64/krb5/plugins/preauth/pkinit.so"
|
||
|
deb_path = "/usr/lib/x86_64-linux-gnu/krb5/plugins/preauth/pkinit.so"
|
||
|
if os.path.exists(rpm_path) or os.path.exists(deb_path):
|
||
|
testenv = kinit_certuser(testdir, testenv)
|
||
|
errs += test_required_name_attr(testdir, testenv, logfile)
|
||
|
else:
|
||
|
sys.stderr.write("krb5 PKINIT module not found, skipping name "
|
||
|
"attribute tests\n")
|
||
|
|
||
|
testenv = kdcenv.copy()
|
||
|
testenv.update({
|
||
|
'MAG_USER_NAME': USR_NAME,
|
||
|
'MAG_USER_PASSWORD': USR_PWD,
|
||
|
'MAG_USER_NAME_2': USR_NAME_2,
|
||
|
'MAG_USER_PASSWORD_2': USR_PWD_2,
|
||
|
})
|
||
|
|
||
|
errs += test_basic_auth_krb5(testdir, testenv, logfile)
|
||
|
|
||
|
errs += test_no_negotiate(testdir, testenv, logfile)
|
||
|
|
||
|
errs += test_mech_name(testdir, testenv, logfile)
|
||
|
|
||
|
errs += test_file_check(testdir, testenv, logfile)
|
||
|
|
||
|
# After this point we need to speed up httpd to test creds timeout
|
||
|
try:
|
||
|
fakeenv = faketime_setup(kdcenv)
|
||
|
timeenv = fakeenv.copy()
|
||
|
timeenv.update({
|
||
|
'TIMEOUT_USER': USR_NAME_4,
|
||
|
'MAG_USER_PASSWORD': USR_PWD,
|
||
|
})
|
||
|
curporc = httpproc
|
||
|
pid = processes['HTTPD(%d)' % httpproc.pid].pid
|
||
|
os.killpg(pid, signal.SIGTERM)
|
||
|
time.sleep(1)
|
||
|
del processes['HTTPD(%d)' % httpproc.pid]
|
||
|
httpproc = http_restart(testdir, so_dir, timeenv)
|
||
|
processes['HTTPD(%d)' % httpproc.pid] = httpproc
|
||
|
|
||
|
errs += test_basic_auth_timeout(testdir, timeenv, logfile)
|
||
|
except NotImplementedError:
|
||
|
sys.stderr.write('BASIC Timeout Behavior: SKIPPED\n')
|
||
|
|
||
|
except Exception:
|
||
|
traceback.print_exc()
|
||
|
finally:
|
||
|
for name in processes:
|
||
|
logfile.write("Killing %s\n" % name)
|
||
|
os.killpg(processes[name].pid, signal.SIGTERM)
|
||
|
exit(errs)
|