tests: test-gssapi is now run as non-root

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests/Makefile.am

@@ -40,14 +40,15 @@ dist_check_SCRIPTS += radius-test full-test unix-test kerberos-test radius-test-
 
 #other root requiring tests
 dist_check_SCRIPTS += test-iroute test-multi-cookie test-pass-script test-pass-opt-cert \
-	test-cookie-timeout test-cookie-timeout-2 test-explicit-ip test-gssapi \
+	test-cookie-timeout test-cookie-timeout-2 test-explicit-ip \
 	test-cookie-invalidation test-user-config test-append-routes test-ban
 endif
 
 if HAVE_CWRAP
 dist_check_SCRIPTS += test-pass test-pass-cert test-cert test-group-pass \
 	test-pass-group-cert test-pass-group-cert-no-pass test-sighup \
-	test-enc-key test-sighup-key-change test-get-cert test-san-cert
+	test-enc-key test-sighup-key-change test-get-cert test-san-cert \
+	test-gssapi
 
 if HAVE_CWRAP_PAM
 dist_check_SCRIPTS += test-pam test-pam-noauth

tests/data/test-gssapi-local-map.config

@@ -45,8 +45,8 @@ try-mtu-discovery = false
 #
 # There may be multiple certificate and key pairs and each key
 # should correspond to the preceding certificate.
-server-cert = ./certs/server-cert.pem
+server-cert = @SRCDIR@/certs/server-cert.pem
-server-key = ./certs/server-key.pem
+server-key = @SRCDIR@/certs/server-key.pem
 
 # Diffie-Hellman parameters. Only needed if you require support
 # for the DHE ciphersuites (by default this server supports ECDHE).
@@ -122,19 +122,19 @@ cookie-validity = 172800
 use-utmp = true
 
 # PID file
-pid-file = /var/run/ocserv.pid
+pid-file = ./ocserv.pid
 
 # The default server directory. Does not require any devices present.
 #chroot-dir = /path/to/chroot
 
 # socket file used for IPC, will be appended with .PID
 # It must be accessible within the chroot environment (if any)
-socket-file = /var/run/ocserv-socket
+socket-file = ./ocserv-socket
 
 # The user the worker processes will be run as. It should be
 # unique (no other services run as this user).
-run-as-user = nobody
+run-as-user = @USERNAME@
-run-as-group = daemon
+run-as-group = @GROUP@
 
 # Network settings
 

tests/data/test-gssapi.config

@@ -29,6 +29,8 @@ max-same-clients = 2
 tcp-port = 4449
 udp-port = 4449
 
+#listen-clear-file = ./ocserv-gssapi-conn.socket
+
 # Keepalive in seconds
 keepalive = 32400
 
@@ -45,8 +47,8 @@ try-mtu-discovery = false
 #
 # There may be multiple certificate and key pairs and each key
 # should correspond to the preceding certificate.
-server-cert = ./certs/server-cert.pem
+server-cert = @SRCDIR@/certs/server-cert.pem
-server-key = ./certs/server-key.pem
+server-key = @SRCDIR@/certs/server-key.pem
 
 # Diffie-Hellman parameters. Only needed if you require support
 # for the DHE ciphersuites (by default this server supports ECDHE).
@@ -122,19 +124,21 @@ cookie-validity = 172800
 use-utmp = true
 
 # PID file
-pid-file = /var/run/ocserv.pid
+pid-file = ./ocserv.pid
 
 # The default server directory. Does not require any devices present.
 #chroot-dir = /path/to/chroot
 
 # socket file used for IPC, will be appended with .PID
 # It must be accessible within the chroot environment (if any)
-socket-file = /var/run/ocserv-socket
+socket-file = ./ocserv-gssapi-socket
 
 # The user the worker processes will be run as. It should be
 # unique (no other services run as this user).
-run-as-user = nobody
+run-as-user = @USERNAME@
-run-as-group = daemon
+run-as-group = @GROUP@
+#run-as-user = root
+#run-as-group = root
 
 # Network settings
 

tests/test-gssapi

@@ -20,19 +20,24 @@
 
 SERV="${SERV:-../src/ocserv}"
 srcdir=${srcdir:-.}
+builddir=${builddir:-.}
+NO_NEED_ROOT=1
 PORT=4449
 
-if test -f /etc/gss/mech.d/mech.ntlmssp.conf;then
+NTLMSSP_CONF=""
-	NTLMSSP_CONF=/etc/gss/mech.d/mech.ntlmssp.conf
+for conf in /etc/gss/mech.d/mech.ntlmssp.conf /etc/gss/mech.d/ntlmssp.conf;do
-else
+	if test -f ${conf};then
-	NTLMSSP_CONF=/etc/gss/mech.d/ntlmssp.conf
+		NTLMSSP_CONF=${conf}
 	fi
+done
 
-if test ! -f $NTLMSSP_CONF;then
+if test -z "$NTLMSSP_CONF";then
 	echo "GSS NTLM SSP was not found"
 	exit 77
 fi
 
+echo $NTLMSSP_CONF
+
 $SERV --version 2>&1|grep gssapi >/dev/null 2>&1
 if [ $? != 0 ];then
 	exit 77
@@ -42,20 +47,26 @@ fi
 
 echo "Testing local backend with gssapi... "
 
-export NTLM_USER_FILE=$srcdir/ntlm.pass
+export NTLM_USER_FILE=${builddir}/ntlm.pass
 echo "TESTINVALID:testinvalid:testpass" >$NTLM_USER_FILE
 echo "TESTINVALID:testinvalid:wrongpass" >$NTLM_USER_FILE.wrong
 
-launch_server -d 1 -f -c data/test-gssapi.config & PID=$!
+VERBOSE=1
+
+update_config test-gssapi.config
+launch_sr_server -d 1 -f -c ${CONFIG} & PID=$!
 wait_server $PID
 
-echo "Connecting with curl... "
+#CURLOPTS="--cacert ${srcdir}/certs/ca.pem"
-curl https://testinvalid:testpass@localhost:4449 --cacert ${srcdir}/certs/ca.pem --negotiate -f -v ||
+CURLOPTS="--insecure"
+
+echo "Connecting with curl/negotiate... "
+LD_PRELOAD=libsocket_wrapper.so curl https://testinvalid:testpass@$ADDRESS:$PORT ${CURLOPTS} --negotiate -f -v ||
 	fail $PID "Could not connect to server"
 
-export NTLM_USER_FILE=$srcdir/ntlm.pass.wrong
+export NTLM_USER_FILE=${builddir}/ntlm.pass.wrong
 echo "Connecting with curl and wrong password... "
-curl https://testinvalid:wrongpass@localhost:4449 --cacert ${srcdir}/certs/ca.pem --negotiate -f -v &&
+LD_PRELOAD=libsocket_wrapper.so curl https://testinvalid:wrongpass@$ADDRESS:$PORT ${CURLOPTS} --negotiate -f -v &&
 	fail $PID "Connected to server with wrong password"
 
 kill $PID
@@ -66,15 +77,16 @@ echo "Testing local backend with gssapi and local-map on... "
 sleep 2
 
 # Test whether no-local-map is by default true
-launch_server -d 1 -f -c data/test-gssapi-local-map.config & PID=$!
+update_config test-gssapi-local-map.config
+launch_sr_server -d 1 -f -c ${CONFIG} & PID=$!
 wait_server $PID
 
 echo "Connecting with curl... "
-curl https://testinvalid:testpass@localhost:4449 --cacert ${srcdir}/certs/ca.pem --negotiate -f -v &&
+LD_PRELOAD=libsocket_wrapper.so curl https://testinvalid:testpass@$ADDRESS:$PORT  ${CURLOPTS} --negotiate -f -v &&
 	fail $PID "Connected to server even when local map was required"
 
-rm -f $srcdir/ntlm.pass
+rm -f ${builddir}/ntlm.pass
-rm -f $srcdir/ntlm.pass.wrong
+rm -f ${builddir}/ntlm.pass.wrong
 
 kill $PID
 wait