mirror/openldap
2
0
Fork 0
mirror of https://git.openldap.org/openldap/openldap.git synced 2025-01-06 10:46:21 +08:00
Code Issues Packages Projects Releases Wiki Activity

ITS#9189 add channel-bindings tests

Browse Source
This commit is contained in:
Isaac Boukris 2020-04-18 16:30:03 +02:00
parent 3cd50fa8b3
commit 7b0017ad49
4 changed files with 113 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
tests/data/slapd-sasl-gssapi.conf
View File

@ -63,3 +63,6 @@ rootpw secret
sasl-realm @KRB5REALM@ sasl-realm @KRB5REALM@
sasl-host localhost sasl-host localhost
database config
rootpw secret

8
tests/scripts/setup_kdc.sh
View File

@ -142,3 +142,11 @@ if test $RC != 0 ; then
exit 0 exit 0
fi fi
fi fi
HAVE_SASL_GSS_CBIND=no
grep CHANNEL_BINDING $TESTDIR/plugin_out > /dev/null 2>&1
RC=$?
if test $RC = 0 ; then
HAVE_SASL_GSS_CBIND=yes
fi

22
tests/scripts/test068-sasl-tls-external
View File

@ -88,6 +88,28 @@ else
echo "success" echo "success"
fi fi
# Exercise channel-bindings code in builds without SASL support
for cb in "none" "tls-unique" "tls-endpoint" ; do
echo -n "Using ldapwhoami with SASL/EXTERNAL and SASL_CBINDING (${cb})...."
$LDAPSASLWHOAMI -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt \
-o tls_cert=$TESTDIR/tls/certs/bjensen@mailgw.example.com.crt \
-o tls_key=$TESTDIR/tls/private/bjensen@mailgw.example.com.key \
-o tls_reqcert=hard -o SASL_CBINDING=$cb -ZZ -Y EXTERNAL -H $URIP1 \
> $TESTOUT 2>&1
RC=$?
if test $RC != 0 ; then
echo "ldapwhoami failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $PID
exit $RC
else
echo "success"
fi
done
test $KILLSERVERS != no && kill -HUP $KILLPIDS test $KILLSERVERS != no && kill -HUP $KILLPIDS
if test $RC != 0 ; then if test $RC != 0 ; then

83
tests/scripts/test077-sasl-gssapi
View File

@ -21,7 +21,10 @@ if test $WITH_SASL = no ; then
exit 0 exit 0
fi fi
mkdir -p $TESTDIR $DBDIR1 SLAPTEST="$TESTWD/../servers/slapd/slaptest"
CONFDIR=$TESTDIR/slapd.d
mkdir -p $TESTDIR $DBDIR1 $CONFDIR
cp -r $DATADIR/tls $TESTDIR cp -r $DATADIR/tls $TESTDIR
cd $TESTWD cd $TESTWD
@ -32,7 +35,8 @@ echo "Starting KDC for SASL/GSSAPI tests..."
echo "Running slapadd to build slapd database..." echo "Running slapadd to build slapd database..."
. $CONFFILTER $BACKEND $MONITORDB < $SASLGSSAPICONF > $CONF1 . $CONFFILTER $BACKEND $MONITORDB < $SASLGSSAPICONF > $CONF1
$SLAPADD -f $CONF1 -l $LDIFORDERED $SLAPTEST -f $CONF1 -F $CONFDIR
$SLAPADD -F $CONFDIR -l $LDIFORDERED
RC=$? RC=$?
if test $RC != 0 ; then if test $RC != 0 ; then
echo "slapadd failed ($RC)!" echo "slapadd failed ($RC)!"
@ -41,7 +45,7 @@ if test $RC != 0 ; then
fi fi
echo "Starting ldap:/// slapd on TCP/IP port $PORT1 and ldaps:/// slapd on $PORT2..." echo "Starting ldap:/// slapd on TCP/IP port $PORT1 and ldaps:/// slapd on $PORT2..."
$SLAPD -f $CONF1 -h "$URI1 $SURI2" -d $LVL $TIMING > $LOG1 2>&1 & $SLAPD -F $CONFDIR -h "$URI1 $SURI2" -d $LVL $TIMING > $LOG1 2>&1 &
PID=$! PID=$!
if test $WAIT != 0 ; then if test $WAIT != 0 ; then
echo PID $PID echo PID $PID
@ -144,6 +148,79 @@ else
fi fi
fi fi
if test $WITH_TLS = no ; then
echo "TLS support not available, skipping channe-binding test"
elif test $HAVE_SASL_GSS_CBIND = no ; then
echo "SASL has no channel-binding support in GSSAPI, test skipped"
else
echo "Testing SASL/GSSAPI with SASL_CBINDING..."
for acb in "none" "tls-unique" "tls-endpoint" ; do
echo "Modifying slapd's olcSaslCBinding to ${acb} ..."
$LDAPMODIFY -D cn=config -H $URI1 -w secret <<EOF > $TESTOUT 2>&1
dn: cn=config
changetype: modify
replace: olcSaslCBinding
olcSaslCBinding: ${acb}
EOF
RC=$?
if test $RC != 0 ; then
echo "ldapmodify failed ($RC)!"
kill $KDCPROC
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
for icb in "none" "tls-unique" "tls-endpoint" ; do
# The gnutls implemantation of "tls-unique" seems broken
if test $icb = "tls-unique" -o $acb = "tls-unique" ; then
if test $WITH_TLS_TYPE == gnutls ; then
continue
fi
fi
fail="no"
if test $icb != $acb -a $acb != "none" ; then
# This currently fails in MIT, but it is planned to be
# fixed not to fail like in heimdal - avoid testing.
if test $icb = "none" ; then
continue
fi
# Otherwise unmatching bindings are expected to fail.
fail="yes"
fi
echo -n "Using ldapwhoami with SASL/GSSAPI and SASL_CBINDING "
echo -ne "(client: ${icb},\tserver: ${acb}): "
$LDAPSASLWHOAMI -N -Y GSSAPI -H $URI1 -ZZ -o tls_reqcert=allow \
-o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt \
-o SASL_CBINDING=$icb > $TESTOUT 2>&1
RC=$?
if test $RC != 0 ; then
if test $fail = "no" ; then
echo "test failed ($RC)!"
kill $KDCPROC
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
elif test $fail = "yes" ; then
echo "failed: command succeeded unexpectedly."
kill $KDCPROC
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit 1
fi
echo "success"
RC=0
done
done
fi
kill $KDCPROC kill $KDCPROC
test $KILLSERVERS != no && kill -HUP $KILLPIDS test $KILLSERVERS != no && kill -HUP $KILLPIDS