tests: test-gssapi is now run as non-root
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
This commit is contained in:
committed by
Nikos Mavrogiannopoulos
parent
834326fe70
commit
8eafacf2a9
@@ -40,14 +40,15 @@ dist_check_SCRIPTS += radius-test full-test unix-test kerberos-test radius-test-
|
||||
|
||||
#other root requiring tests
|
||||
dist_check_SCRIPTS += test-iroute test-multi-cookie test-pass-script test-pass-opt-cert \
|
||||
test-cookie-timeout test-cookie-timeout-2 test-explicit-ip test-gssapi \
|
||||
test-cookie-timeout test-cookie-timeout-2 test-explicit-ip \
|
||||
test-cookie-invalidation test-user-config test-append-routes test-ban
|
||||
endif
|
||||
|
||||
if HAVE_CWRAP
|
||||
dist_check_SCRIPTS += test-pass test-pass-cert test-cert test-group-pass \
|
||||
test-pass-group-cert test-pass-group-cert-no-pass test-sighup \
|
||||
test-enc-key test-sighup-key-change test-get-cert test-san-cert
|
||||
test-enc-key test-sighup-key-change test-get-cert test-san-cert \
|
||||
test-gssapi
|
||||
|
||||
if HAVE_CWRAP_PAM
|
||||
dist_check_SCRIPTS += test-pam test-pam-noauth
|
||||
|
||||
@@ -45,8 +45,8 @@ try-mtu-discovery = false
|
||||
#
|
||||
# There may be multiple certificate and key pairs and each key
|
||||
# should correspond to the preceding certificate.
|
||||
server-cert = ./certs/server-cert.pem
|
||||
server-key = ./certs/server-key.pem
|
||||
server-cert = @SRCDIR@/certs/server-cert.pem
|
||||
server-key = @SRCDIR@/certs/server-key.pem
|
||||
|
||||
# Diffie-Hellman parameters. Only needed if you require support
|
||||
# for the DHE ciphersuites (by default this server supports ECDHE).
|
||||
@@ -122,19 +122,19 @@ cookie-validity = 172800
|
||||
use-utmp = true
|
||||
|
||||
# PID file
|
||||
pid-file = /var/run/ocserv.pid
|
||||
pid-file = ./ocserv.pid
|
||||
|
||||
# The default server directory. Does not require any devices present.
|
||||
#chroot-dir = /path/to/chroot
|
||||
|
||||
# socket file used for IPC, will be appended with .PID
|
||||
# It must be accessible within the chroot environment (if any)
|
||||
socket-file = /var/run/ocserv-socket
|
||||
socket-file = ./ocserv-socket
|
||||
|
||||
# The user the worker processes will be run as. It should be
|
||||
# unique (no other services run as this user).
|
||||
run-as-user = nobody
|
||||
run-as-group = daemon
|
||||
run-as-user = @USERNAME@
|
||||
run-as-group = @GROUP@
|
||||
|
||||
# Network settings
|
||||
|
||||
|
||||
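Review bot: `pid-file = ./ocserv.pid` in the `@@ -122,19 +122,19 @@` hunk is the same build-directory path that the second config section in this commit also sets, whereas the IPC socket is given a distinct name per config (`./ocserv-socket` here, `./ocserv-gssapi-socket` there); if two of these tests run in the same builddir at once they will overwrite each other's pid file. A per-test name, e.g. `pid-file = ./ocserv-gssapi.pid`, in each config removes the collision at no cost. Whether the harness runs the tests concurrently is not visible on this page, so this may only matter for a parallel `make check`.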
@@ -29,6 +29,8 @@ max-same-clients = 2
|
||||
tcp-port = 4449
|
||||
udp-port = 4449
|
||||
|
||||
#listen-clear-file = ./ocserv-gssapi-conn.socket
|
||||
|
||||
# Keepalive in seconds
|
||||
keepalive = 32400
|
||||
|
||||
@@ -45,8 +47,8 @@ try-mtu-discovery = false
|
||||
#
|
||||
# There may be multiple certificate and key pairs and each key
|
||||
# should correspond to the preceding certificate.
|
||||
server-cert = ./certs/server-cert.pem
|
||||
server-key = ./certs/server-key.pem
|
||||
server-cert = @SRCDIR@/certs/server-cert.pem
|
||||
server-key = @SRCDIR@/certs/server-key.pem
|
||||
|
||||
# Diffie-Hellman parameters. Only needed if you require support
|
||||
# for the DHE ciphersuites (by default this server supports ECDHE).
|
||||
@@ -122,19 +124,21 @@ cookie-validity = 172800
|
||||
use-utmp = true
|
||||
|
||||
# PID file
|
||||
pid-file = /var/run/ocserv.pid
|
||||
pid-file = ./ocserv.pid
|
||||
|
||||
# The default server directory. Does not require any devices present.
|
||||
#chroot-dir = /path/to/chroot
|
||||
|
||||
# socket file used for IPC, will be appended with .PID
|
||||
# It must be accessible within the chroot environment (if any)
|
||||
socket-file = /var/run/ocserv-socket
|
||||
socket-file = ./ocserv-gssapi-socket
|
||||
|
||||
# The user the worker processes will be run as. It should be
|
||||
# unique (no other services run as this user).
|
||||
run-as-user = nobody
|
||||
run-as-group = daemon
|
||||
run-as-user = @USERNAME@
|
||||
run-as-group = @GROUP@
|
||||
#run-as-user = root
|
||||
#run-as-group = root
|
||||
|
||||
# Network settings
|
||||
|
||||
|
||||
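Review bot: The commented `#run-as-user = root` and `#run-as-group = root` lines added after `run-as-group = @GROUP@` in the `@@ -122,19 +124,21 @@` hunk are dead configuration that points the next editor at exactly the setting this commit moves away from; uncommenting the pair makes the worker processes run as root. If they are kept as a debugging aid, say so on the line above them, e.g. `# Debugging only: overrides the unprivileged user the test normally runs as`; otherwise drop them.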
@@ -20,19 +20,24 @@
|
||||
|
||||
SERV="${SERV:-../src/ocserv}"
|
||||
srcdir=${srcdir:-.}
|
||||
builddir=${builddir:-.}
|
||||
NO_NEED_ROOT=1
|
||||
PORT=4449
|
||||
|
||||
if test -f /etc/gss/mech.d/mech.ntlmssp.conf;then
|
||||
NTLMSSP_CONF=/etc/gss/mech.d/mech.ntlmssp.conf
|
||||
else
|
||||
NTLMSSP_CONF=/etc/gss/mech.d/ntlmssp.conf
|
||||
fi
|
||||
NTLMSSP_CONF=""
|
||||
for conf in /etc/gss/mech.d/mech.ntlmssp.conf /etc/gss/mech.d/ntlmssp.conf;do
|
||||
if test -f ${conf};then
|
||||
NTLMSSP_CONF=${conf}
|
||||
fi
|
||||
done
|
||||
|
||||
if test ! -f $NTLMSSP_CONF;then
|
||||
if test -z "$NTLMSSP_CONF";then
|
||||
echo "GSS NTLM SSP was not found"
|
||||
exit 77
|
||||
fi
|
||||
|
||||
echo $NTLMSSP_CONF
|
||||
|
||||
$SERV --version 2>&1|grep gssapi >/dev/null 2>&1
|
||||
if [ $? != 0 ];then
|
||||
exit 77
|
||||
@@ -42,20 +47,26 @@ fi
|
||||
|
||||
echo "Testing local backend with gssapi... "
|
||||
|
||||
export NTLM_USER_FILE=$srcdir/ntlm.pass
|
||||
export NTLM_USER_FILE=${builddir}/ntlm.pass
|
||||
echo "TESTINVALID:testinvalid:testpass" >$NTLM_USER_FILE
|
||||
echo "TESTINVALID:testinvalid:wrongpass" >$NTLM_USER_FILE.wrong
|
||||
|
||||
launch_server -d 1 -f -c data/test-gssapi.config & PID=$!
|
||||
VERBOSE=1
|
||||
|
||||
update_config test-gssapi.config
|
||||
launch_sr_server -d 1 -f -c ${CONFIG} & PID=$!
|
||||
wait_server $PID
|
||||
|
||||
echo "Connecting with curl... "
|
||||
curl https://testinvalid:testpass@localhost:4449 --cacert ${srcdir}/certs/ca.pem --negotiate -f -v ||
|
||||
#CURLOPTS="--cacert ${srcdir}/certs/ca.pem"
|
||||
CURLOPTS="--insecure"
|
||||
|
||||
echo "Connecting with curl/negotiate... "
|
||||
LD_PRELOAD=libsocket_wrapper.so curl https://testinvalid:testpass@$ADDRESS:$PORT ${CURLOPTS} --negotiate -f -v ||
|
||||
fail $PID "Could not connect to server"
|
||||
|
||||
export NTLM_USER_FILE=$srcdir/ntlm.pass.wrong
|
||||
export NTLM_USER_FILE=${builddir}/ntlm.pass.wrong
|
||||
echo "Connecting with curl and wrong password... "
|
||||
curl https://testinvalid:wrongpass@localhost:4449 --cacert ${srcdir}/certs/ca.pem --negotiate -f -v &&
|
||||
LD_PRELOAD=libsocket_wrapper.so curl https://testinvalid:wrongpass@$ADDRESS:$PORT ${CURLOPTS} --negotiate -f -v &&
|
||||
fail $PID "Connected to server with wrong password"
|
||||
|
||||
kill $PID
|
||||
@@ -66,15 +77,16 @@ echo "Testing local backend with gssapi and local-map on... "
|
||||
sleep 2
|
||||
|
||||
# Test whether no-local-map is by default true
|
||||
launch_server -d 1 -f -c data/test-gssapi-local-map.config & PID=$!
|
||||
update_config test-gssapi-local-map.config
|
||||
launch_sr_server -d 1 -f -c ${CONFIG} & PID=$!
|
||||
wait_server $PID
|
||||
|
||||
echo "Connecting with curl... "
|
||||
curl https://testinvalid:testpass@localhost:4449 --cacert ${srcdir}/certs/ca.pem --negotiate -f -v &&
|
||||
LD_PRELOAD=libsocket_wrapper.so curl https://testinvalid:testpass@$ADDRESS:$PORT ${CURLOPTS} --negotiate -f -v &&
|
||||
fail $PID "Connected to server even when local map was required"
|
||||
|
||||
rm -f $srcdir/ntlm.pass
|
||||
rm -f $srcdir/ntlm.pass.wrong
|
||||
rm -f ${builddir}/ntlm.pass
|
||||
rm -f ${builddir}/ntlm.pass.wrong
|
||||
|
||||
kill $PID
|
||||
wait
|
||||
|
||||
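Review bot: `CURLOPTS="--insecure"` in the `@@ -42,20 +47,26 @@` hunk disables TLS certificate verification for every curl call in this script, so the test no longer checks that the server presents a certificate chaining to `certs/ca.pem` as the replaced `--cacert ${srcdir}/certs/ca.pem` command did; a regression in certificate loading (this commit also rewrites the `server-cert`/`server-key` paths) would pass unnoticed. The dead `#CURLOPTS="--cacert ${srcdir}/certs/ca.pem"` line above it suggests verification was dropped only because `$ADDRESS` no longer matches the name in the test certificate, which the old `localhost` URL presumably did; if so, keep verification and pin the name instead: `CURLOPTS="--cacert ${srcdir}/certs/ca.pem --resolve localhost:${PORT}:${ADDRESS}"` with the URLs pointing at `https://testinvalid:testpass@localhost:${PORT}`, assuming curl's `--resolve` path behaves under `LD_PRELOAD=libsocket_wrapper.so`. If `--insecure` must stay, replace the commented-out line with a comment stating why, e.g. `# --insecure: the socket_wrapper address does not match the test certificate's name`.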