From 3e53a8cd98b9410cd378ad68d8528e2a8d6d4f6a Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Mon, 17 Nov 2014 17:39:38 +0100 Subject: [PATCH 122/128] krb5: add copy_ccache_into_memory() Reviewed-by: Jakub Hrozek --- Makefile.am | 18 +++ src/providers/krb5/krb5_ccache.c | 110 +++++++++++++++++ src/providers/krb5/krb5_ccache.h | 17 +++ src/tests/cmocka/test_copy_ccache.c | 238 ++++++++++++++++++++++++++++++++++++ 4 files changed, 383 insertions(+) create mode 100644 src/tests/cmocka/test_copy_ccache.c diff --git a/Makefile.am b/Makefile.am index 130c647e51d3554b2b0f69e83f17b38f1366eb3b..62d900dec654baff59762c934885aef9ae5510b9 100644 --- a/Makefile.am +++ b/Makefile.am @@ -214,6 +214,7 @@ if HAVE_CMOCKA test_search_bases \ sdap-tests \ test_sysdb_views \ + test_copy_ccache \ $(NULL) if BUILD_IFP @@ -2079,6 +2080,23 @@ test_sysdb_views_LDADD = \ libsss_test_common.la \ $(NULL) +test_copy_ccache_SOURCES = \ + src/tests/cmocka/test_copy_ccache.c \ + src/providers/krb5/krb5_ccache.c \ + src/util/sss_krb5.c \ + $(NULL) +test_copy_ccache_CFLAGS = \ + $(AM_CFLAGS) \ + $(NULL) +test_copy_ccache_LDADD = \ + $(CMOCKA_LIBS) \ + $(POPT_LIBS) \ + $(TALLOC_LIBS) \ + $(KRB5_LIBS) \ + $(SSSD_INTERNAL_LTLIBS) \ + libsss_test_common.la \ + $(NULL) + endif # HAVE_CMOCKA noinst_PROGRAMS = pam_test_client diff --git a/src/providers/krb5/krb5_ccache.c b/src/providers/krb5/krb5_ccache.c index 7aa36b744ddcf7e46edcc26405a5101645b8b546..de6e694a9ba7099e3b05fa8ab3aa9245c280dba5 100644 --- a/src/providers/krb5/krb5_ccache.c +++ b/src/providers/krb5/krb5_ccache.c @@ -667,3 +667,113 @@ errno_t safe_remove_old_ccache_file(const char *old_ccache, return sss_krb5_cc_destroy(old_ccache, uid, gid); } + +krb5_error_code copy_ccache_into_memory(TALLOC_CTX *mem_ctx, krb5_context kctx, + const char *ccache_file, + char **_mem_name) +{ + krb5_error_code kerr; + krb5_ccache ccache; + krb5_ccache mem_ccache = NULL; + char *ccache_name = NULL; + krb5_principal princ = NULL; + char *mem_name = NULL; + char *sep; + + kerr = krb5_cc_resolve(kctx, ccache_file, &ccache); + if (kerr != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "error resolving ccache [%s].\n", + ccache_file); + return kerr; + } + + kerr = krb5_cc_get_full_name(kctx, ccache, &ccache_name); + if (kerr != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to read name for ccache [%s].\n", + ccache_file); + goto done; + } + + sep = strchr(ccache_name, ':'); + if (sep == NULL || sep[1] == '\0') { + DEBUG(SSSDBG_CRIT_FAILURE, + "Ccache name [%s] does not have delimiter[:] .\n", ccache_name); + kerr = KRB5KRB_ERR_GENERIC; + goto done; + } + + if (strncmp(ccache_name, "MEMORY:", sizeof("MEMORY:") -1) == 0) { + DEBUG(SSSDBG_TRACE_FUNC, "Ccache [%s] is already memory ccache.\n", + ccache_name); + *_mem_name = talloc_strdup(mem_ctx, ccache_name); + if(*_mem_name == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); + kerr = KRB5KRB_ERR_GENERIC; + goto done; + } + kerr = 0; + goto done; + } + if (strncmp(ccache_name, "FILE:", sizeof("FILE:") -1) == 0) { + mem_name = talloc_asprintf(mem_ctx, "MEMORY:%s", sep + 1); + if (mem_name == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n"); + kerr = KRB5KRB_ERR_GENERIC; + goto done; + } + } else { + DEBUG(SSSDBG_MINOR_FAILURE, "Unexpected ccache type for ccache [%s], " \ + "currently only FILE is supported.\n", + ccache_name); + kerr = KRB5KRB_ERR_GENERIC; + goto done; + } + + kerr = krb5_cc_resolve(kctx, mem_name, &mem_ccache); + if (kerr != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "error resolving ccache [%s].\n", mem_name); + goto done; + } + + kerr = krb5_cc_get_principal(kctx, ccache, &princ); + if (kerr != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, + "error reading principal from ccache [%s].\n", ccache_name); + goto done; + } + + kerr = krb5_cc_initialize(kctx, mem_ccache, princ); + if (kerr != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to initialize ccache [%s].\n", mem_name); + goto done; + } + + kerr = krb5_cc_copy_creds(kctx, ccache, mem_ccache); + if (kerr != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to copy ccache [%s] to [%s].\n", ccache_name, mem_name); + goto done; + } + + *_mem_name = mem_name; + kerr = 0; + +done: + if (kerr != 0) { + talloc_free(mem_name); + } + + free(ccache_name); + krb5_free_principal(kctx, princ); + + if (krb5_cc_close(kctx, ccache) != 0) { + DEBUG(SSSDBG_OP_FAILURE, "krb5_cc_close failed.\n"); + } + + if (krb5_cc_close(kctx, mem_ccache) != 0) { + DEBUG(SSSDBG_OP_FAILURE, "krb5_cc_close failed.\n"); + } + + return kerr; +} diff --git a/src/providers/krb5/krb5_ccache.h b/src/providers/krb5/krb5_ccache.h index e47df3665e3f325cc56d34767b416662577cc048..f3928e644d704ed263cbe28bab327bf75b2f5cce 100644 --- a/src/providers/krb5/krb5_ccache.h +++ b/src/providers/krb5/krb5_ccache.h @@ -53,4 +53,21 @@ errno_t safe_remove_old_ccache_file(const char *old_ccache, const char *new_ccache, uid_t uid, gid_t gid); +/** + * @brief Copy given ccache into a MEMORY ccache + * + * @param[in] mem_ctx Talloc memory context the new ccache name should be + * allocated on + * @param[in] kctx Kerberos context + * @param[in] ccache_file Name of existing ccache + * @param[out] _mem_name Name of the new MEMORY ccache + * + * In contrast to MEMORY keytabs MEMORY ccaches can and must be removed + * explicitly with krb5_cc_destroy() from the memory. Just calling + * krb5_cc_close() will keep the MEMORY ccache in memory even if there are no + * open handles for the given MEMORY ccache. + */ +krb5_error_code copy_ccache_into_memory(TALLOC_CTX *mem_ctx, krb5_context kctx, + const char *ccache_file, + char **_mem_name); #endif /* __KRB5_CCACHE_H__ */ diff --git a/src/tests/cmocka/test_copy_ccache.c b/src/tests/cmocka/test_copy_ccache.c new file mode 100644 index 0000000000000000000000000000000000000000..c7a5573b83b8faeb5c7447b48fa40ec8957e1aaf --- /dev/null +++ b/src/tests/cmocka/test_copy_ccache.c @@ -0,0 +1,238 @@ +/* + Authors: + Sumit Bose + + Copyright (C) 2014 Red Hat + + SSSD tests: Tests ccache utilities + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include + +#include "util/sss_krb5.h" +#include "providers/krb5/krb5_common.h" +#include "providers/krb5/krb5_ccache.h" +#include "tests/cmocka/common_mock.h" + +#define CCACHE_TEST_CLIENT_PRINC "test/client@TEST.CCACHE" +#define CCACHE_TEST_SERVER_PRINC "test/server@TEST.CCACHE" +#define CCACHE_PATH TEST_DIR "/ccache_test.ccache" + +struct ccache_test_ctx { + krb5_context kctx; + const char *ccache_file_name; + krb5_principal client_principal; + krb5_principal server_principal; +}; + +void setup_ccache(void **state) +{ + struct ccache_test_ctx *test_ctx; + krb5_error_code kerr; + krb5_ccache ccache; + krb5_creds test_creds; + static krb5_address addr; + int add=0x12345; + krb5_authdata *a; + + static krb5_address *addrs[] = { + &addr, + NULL, + }; + + assert_true(leak_check_setup()); + + + test_ctx = talloc_zero(global_talloc_context, struct ccache_test_ctx); + assert_non_null(test_ctx); + + kerr = krb5_init_context(&test_ctx->kctx); + assert_int_equal(kerr, 0); + + addr.magic = KV5M_ADDRESS; + addr.addrtype = ADDRTYPE_INET; + addr.length = 4; + addr.contents = (krb5_octet *) &add; + + memset(&test_creds, 0, sizeof(test_creds)); + test_creds.magic = KV5M_CREDS; + kerr = krb5_parse_name(test_ctx->kctx, CCACHE_TEST_CLIENT_PRINC, + &test_ctx->client_principal); + assert_int_equal(kerr, 0); + test_creds.client = test_ctx->client_principal; + kerr = krb5_parse_name(test_ctx->kctx, CCACHE_TEST_SERVER_PRINC, + &test_ctx->server_principal); + assert_int_equal(kerr, 0); + test_creds.server = test_ctx->server_principal; + + test_creds.keyblock.magic = KV5M_KEYBLOCK; + test_creds.keyblock.contents = 0; + test_creds.keyblock.enctype = 1; + test_creds.keyblock.length = 1; + test_creds.keyblock.contents = (unsigned char *) discard_const("1"); + test_creds.times.authtime = 1111; + test_creds.times.starttime = 2222; + test_creds.times.endtime = 3333; + test_creds.times.renew_till = 4444; + test_creds.is_skey = 1; + test_creds.ticket_flags = 5555; + test_creds.addresses = addrs; + + test_creds.ticket.magic = KV5M_DATA; + test_creds.ticket.length = sizeof("Ticket"); + test_creds.ticket.data = discard_const("Ticket"); + + test_creds.authdata = malloc (2 * sizeof(krb5_authdata *)); + assert_non_null(test_creds.authdata); + + a = (krb5_authdata *) malloc(sizeof(krb5_authdata)); + assert_non_null(a); + + a->magic = KV5M_AUTHDATA; + a->ad_type = KRB5_AUTHDATA_IF_RELEVANT; + a->contents = (krb5_octet * ) malloc(1); + assert_non_null(a->contents); + a->contents[0]=5; + a->length = 1; + test_creds.authdata[0] = a; + test_creds.authdata[1] = NULL; + + + test_ctx->ccache_file_name = "FILE:" CCACHE_PATH; + + kerr = krb5_cc_resolve(test_ctx->kctx, test_ctx->ccache_file_name, + &ccache); + assert_int_equal(kerr, 0); + + kerr = krb5_cc_initialize(test_ctx->kctx, ccache, test_creds.client); + assert_int_equal(kerr, 0); + + kerr = krb5_cc_store_cred(test_ctx->kctx, ccache, &test_creds); + assert_int_equal(kerr, 0); + + kerr = krb5_cc_close(test_ctx->kctx, ccache); + assert_int_equal(kerr, 0); + + check_leaks_push(test_ctx); + *state = test_ctx; + + krb5_free_authdata(test_ctx->kctx, test_creds.authdata); +} + +void teardown_ccache(void **state) +{ + int ret; + struct ccache_test_ctx *test_ctx = talloc_get_type(*state, + struct ccache_test_ctx); + assert_non_null(test_ctx); + + krb5_free_principal(test_ctx->kctx, test_ctx->client_principal); + krb5_free_principal(test_ctx->kctx, test_ctx->server_principal); + krb5_free_context(test_ctx->kctx); + + ret = unlink(CCACHE_PATH); + assert_int_equal(ret, 0); + + assert_true(check_leaks_pop(test_ctx) == true); + talloc_free(test_ctx); + assert_true(leak_check_teardown()); +} + +void test_copy_ccache(void **state) +{ + krb5_error_code kerr; + char *mem_ccache_name; + krb5_ccache ccache; + krb5_creds mcreds; + krb5_creds creds; + krb5_principal mem_principal; + struct ccache_test_ctx *test_ctx = talloc_get_type(*state, + struct ccache_test_ctx); + assert_non_null(test_ctx); + + kerr = copy_ccache_into_memory(test_ctx, test_ctx->kctx, + test_ctx->ccache_file_name, + &mem_ccache_name); + assert_int_equal(kerr, 0); + assert_non_null(mem_ccache_name); + + kerr = krb5_cc_resolve(test_ctx->kctx, mem_ccache_name, &ccache); + assert_int_equal(kerr, 0); + + talloc_free(mem_ccache_name); + + kerr = krb5_cc_get_principal(test_ctx->kctx, ccache, &mem_principal); + assert_int_equal(kerr, 0); + assert_non_null(mem_principal); + + assert_true(krb5_principal_compare(test_ctx->kctx, mem_principal, + test_ctx->client_principal)); + krb5_free_principal(test_ctx->kctx, mem_principal); + + memset(&mcreds, 0, sizeof(mcreds)); + memset(&creds, 0, sizeof(mcreds)); + mcreds.client = test_ctx->client_principal; + mcreds.server = test_ctx->server_principal; + kerr = krb5_cc_retrieve_cred(test_ctx->kctx, ccache, 0, &mcreds, &creds); + assert_int_equal(kerr, 0); + krb5_free_cred_contents(test_ctx->kctx, &creds); + + kerr = krb5_cc_destroy(test_ctx->kctx, ccache); + assert_int_equal(kerr, 0); +} + +int main(int argc, const char *argv[]) +{ + poptContext pc; + int opt; + int rv; + struct poptOption long_options[] = { + POPT_AUTOHELP + SSSD_DEBUG_OPTS + POPT_TABLEEND + }; + + const UnitTest tests[] = { + unit_test_setup_teardown(test_copy_ccache, + setup_ccache, teardown_ccache), + }; + + /* Set debug level to invalid value so we can deside if -d 0 was used. */ + debug_level = SSSDBG_INVALID; + + pc = poptGetContext(argv[0], argc, argv, long_options, 0); + while((opt = poptGetNextOpt(pc)) != -1) { + switch(opt) { + default: + fprintf(stderr, "\nInvalid option %s: %s\n\n", + poptBadOption(pc, 0), poptStrerror(opt)); + poptPrintUsage(pc, stderr, 0); + return 1; + } + } + poptFreeContext(pc); + + DEBUG_CLI_INIT(debug_level); + + /* Even though normally the tests should clean up after themselves + * they might not after a failed run. Remove the old db to be sure */ + tests_set_cwd(); + + rv = run_tests(tests); + + return rv; +} -- 1.9.3