2 * Copyright 2000, International Business Machines Corporation and others.
5 * This software has been released under the terms of the IBM Public
6 * License. For details, see the LICENSE file in the top-level source
7 * directory or online at http://www.openafs.org/dl/license10.html
10 #include <afsconfig.h>
11 #include <afs/param.h>
15 #include <sys/types.h>
17 #include <sys/resource.h>
19 #include <netinet/in.h>
25 #include <afs/cellconfig.h>
27 #include <afs/com_err.h>
28 #include <afs/debug.h>
34 static char *whoami = "test_rxkad_free";
35 static char realm[MAXKTCREALMLEN];
37 static char *admin_user;
39 static struct ktc_principal afs;
40 static struct ktc_token oldAFSToken;
41 static struct ktc_principal oldClient;
48 if (oldAFSToken.endTime > 0) {
49 code = ktc_SetToken(&afs, &oldAFSToken, &oldClient, 0);
50 printf("%s original AFS token\n",
51 (code == 0 ? "Restoring" : "Failed to restore"));
54 printf("Crashing at line %d\n", line);
58 #define CRASH() Crash (__LINE__)
59 #define EXIT() Crash (0)
64 printf("New Objects client %d, server %d. Destroyed objects %d.\n",
65 rxkad_stats.clientObjects, rxkad_stats.serverObjects,
66 rxkad_stats.destroyObject);
67 printf("client conns: %d %d %d, destroyed client %d.\n",
68 rxkad_stats.connections[0], rxkad_stats.connections[1],
69 rxkad_stats.connections[2], rxkad_stats.destroyClient);
70 printf("server challenges %d, responses %d %d %d\n",
71 rxkad_stats.challengesSent, rxkad_stats.responses[0],
72 rxkad_stats.responses[1], rxkad_stats.responses[2]);
73 printf("server conns %d %d %d unused %d, unauth %d\n",
74 rxkad_stats.destroyConn[0], rxkad_stats.destroyConn[1],
75 rxkad_stats.destroyConn[2], rxkad_stats.destroyUnused,
76 rxkad_stats.destroyUnauth);
80 SetFields(conn, name, flags, expiration, lifetime)
81 IN struct ubik_client *conn;
93 if (strcmp(name, KA_TGS_NAME) == 0)
100 if (flags & KAFNOSEAL)
101 what = "NOTGS+NOSEAL";
104 else if (flags & KAFNOSEAL)
109 if (strcmp(name, admin_user) == 0)
111 } else if (expiration) {
112 which = "expiration";
113 sprintf(buf, "now + %.1f hours",
114 (double)(expiration - time(0)) / 3600.0);
116 } else if (lifetime) {
118 sprintf(buf, "%.1f hours", (double)lifetime / 3600.0);
123 printf("Setting %s of ", which);
124 ka_PrintUserID("", name, instance, "");
125 printf(" to %s\n", what);
127 ubik_Call(KAM_SetFields, conn, 0, name, instance, flags, expiration,
131 afs_com_err(whoami, code, "calling set fields on %s", name);
136 #define SetLife(c,n,l) SetFields (c,n,0,0,l);
137 #define SetExp(c,n,e) SetFields (c,n,0,e,0);
138 #define SetFlags(c,n,f) SetFields (c,n,f,0,0);
141 #define KERBEROS 0x2a
144 CheckLife(tokenEnd, start, expectedLife, match)
149 char bob[KA_TIMESTR_LEN];
150 printf("Expecting %s match with lifetime of %.1f hours\n",
151 (match == EXACT ? "exact" : "kerberos"),
152 (double)expectedLife / 3600.0);
153 expectedEnd = expectedLife + start;
154 if (match == EXACT) {
155 if (abs(expectedEnd - tokenEnd) <= 2)
158 if (match == KERBEROS) {
159 unsigned char kerberosV4Life;
161 kerberosV4Life = time_to_life(start, expectedEnd);
162 kend = life_to_time(start, kerberosV4Life);
163 if (abs(kend - tokenEnd) <= 1)
165 kerberosV4Life = time_to_life(start, expectedEnd - 2);
166 kend = life_to_time(start, kerberosV4Life);
167 if (abs(kend - tokenEnd) <= 1)
170 ka_timestr(tokenEnd, bob, KA_TIMESTR_LEN);
171 printf("End doesn't match: token was %s", bob);
172 ka_timestr(expectedEnd, bob, KA_TIMESTR_LEN);
173 printf(", but expected %s\n", bob);
178 GetTokenLife(name, passwd, expectedLife, match)
181 IN long expectedLife;
182 IN long match; /* or expected error code */
188 code = ka_UserAuthenticateLife(0, name, "", cell, passwd, 0, &reason);
189 if (!((match == EXACT) || (match == KERBEROS))) { /* must be error code */
191 printf("Received expected error code\n");
196 fprintf(stderr, "Unable to authenticate to AFS because %s.\n",
200 code = ktc_GetToken(&afs, &t, sizeof(t), 0);
202 afs_com_err(whoami, code, "getting afs token from ktc");
205 CheckLife(t.endTime, t.startTime, expectedLife, match);
209 Main(struct cmd_syndesc *as, void *arock)
212 char name[MAXKTCNAMELEN];
213 char instance[MAXKTCNAMELEN];
214 char newCell[MAXKTCREALMLEN];
216 long serverList[MAXSERVERS];
217 extern struct passwd *getpwuid();
220 struct ktc_encryptionKey key;
227 unsigned long startTime;
228 unsigned long deadTime;
232 int patient = (as->parms[0].items != 0);
237 if (as->parms[12].items) { /* if username specified */
239 ka_ParseLoginName(as->parms[12].items->data, name, instance,
242 afs_com_err(whoami, code, "parsing user's name '%s'",
243 as->parms[12].items->data);
246 if (strlen(newCell) > 0)
249 /* No explicit name provided: use Unix uid. */
250 pw = getpwuid(getuid());
252 printf("Can't figure out your name from your user id.\n");
255 strncpy(name, pw->pw_name, sizeof(name));
256 strcpy(instance, "");
259 admin_user = name; /* this guy should keep admin bit */
261 if (strcmp(as->parms[14].name, "-cell") == 0) {
262 if (as->parms[14].items) { /* if cell specified */
264 printf("Duplicate cell specification not allowed\n");
266 strncpy(newCell, as->parms[14].items->data, sizeof(newCell));
270 code = ka_ExpandCell(newCell, newCell, 0 /*local */ );
272 afs_com_err(whoami, code, "Can't expand cell name");
276 code = ka_CellToRealm(cell, realm, 0);
278 afs_com_err(whoami, code, "Can't get realm from cell name");
282 if (as->parms[13].items) { /* if password specified */
283 strncpy(passwd, as->parms[13].items->data, sizeof(passwd));
284 memset(as->parms[13].items->data, 0,
285 strlen(as->parms[13].items->data));
287 char msg[sizeof(name) + 15];
288 if (as->parms[12].items)
289 strcpy(msg, "Admin Password: ");
291 sprintf(msg, "Password for %s: ", name);
292 code = read_pw_string(passwd, sizeof(passwd), msg, 0);
295 else if (strlen(passwd) == 0)
296 code = KANULLPASSWORD;
298 afs_com_err(whoami, code, "reading password");
302 if (as->parms[15].items) {
304 char *ap[MAXSERVERS + 2];
306 for (ip = as->parms[15].items, i = 2; ip; ip = ip->next, i++)
310 code = ubik_ParseClientList(i, ap, serverList);
312 afs_com_err(whoami, code, "could not parse server list");
315 ka_ExplicitCell(cell, serverList);
318 ka_StringToKey(passwd, cell, &key);
320 strcpy(afs.name, AUTH_SUPERUSER);
321 strcpy(afs.instance, "");
322 strcpy(afs.cell, cell);
323 code = ktc_GetToken(&afs, &oldAFSToken, sizeof(oldAFSToken), &oldClient);
325 afs_com_err(whoami, code, "saving existing afs token");
331 struct ktc_token token;
332 struct ktc_token *pToken;
333 struct ubik_client *ubikConn;
334 struct kaentryinfo tentry;
335 struct ktc_principal tgs_server;
336 struct ktc_token tgs_token;
337 struct ktc_principal tgs_client;
341 ka_GetAdminToken(name, instance, cell, &key, 3600, &token,
344 afs_com_err(whoami, code, "getting admin token");
348 if (token.ticketLen == 0) {
349 fprintf("Can't get admin token\n");
354 ka_AuthServerConn(cell, KA_MAINTENANCE_SERVICE, pToken,
357 afs_com_err(whoami, code, "Getting AuthServer ubik conn");
361 SetFlags(ubikConn, AUTH_SUPERUSER, KAFNORMAL);
362 SetFlags(ubikConn, name, KAFNORMAL);
363 SetLife(ubikConn, KA_TGS_NAME, MAXKTCTICKETLIFETIME);
364 SetLife(ubikConn, AUTH_SUPERUSER, MAXKTCTICKETLIFETIME);
365 SetLife(ubikConn, name, 3600);
366 deadTime = startTime + 365 * 24 * 3600;
367 SetExp(ubikConn, KA_TGS_NAME, deadTime);
368 SetExp(ubikConn, AUTH_SUPERUSER, deadTime);
369 SetExp(ubikConn, name, deadTime);
371 GetTokenLife(name, passwd, 3600, EXACT);
373 /* get TGS ticket for proper realm */
374 strcpy(tgs_server.name, KA_TGS_NAME);
375 strcpy(tgs_server.instance, realm);
376 strcpy(tgs_server.cell, cell);
377 /* save this for future use */
379 ktc_GetToken(&tgs_server, &tgs_token, sizeof(tgs_token),
382 afs_com_err(whoami, code, "saving tgs token");
386 SetLife(ubikConn, name, MAXKTCTICKETLIFETIME);
388 GetTokenLife(name, passwd, MAXKTCTICKETLIFETIME, EXACT);
390 SetLife(ubikConn, AUTH_SUPERUSER, 4000);
392 GetTokenLife(name, passwd, 4000, KERBEROS);
393 SetLife(ubikConn, AUTH_SUPERUSER, MAXKTCTICKETLIFETIME);
395 SetLife(ubikConn, KA_TGS_NAME, 5000);
397 GetTokenLife(name, passwd, 5000, KERBEROS);
398 SetLife(ubikConn, KA_TGS_NAME, MAXKTCTICKETLIFETIME);
401 SetExp(ubikConn, KA_TGS_NAME, now + 6000);
402 GetTokenLife(name, passwd, 6000, KERBEROS);
403 SetExp(ubikConn, KA_TGS_NAME, deadTime);
406 SetExp(ubikConn, AUTH_SUPERUSER, now + 7000);
407 GetTokenLife(name, passwd, 7000, KERBEROS);
408 SetExp(ubikConn, AUTH_SUPERUSER, deadTime);
411 SetExp(ubikConn, name, now + 8000);
412 GetTokenLife(name, passwd, 8000, KERBEROS);
414 /* since the rest should be errors, restore good AFS ticket */
415 code = ktc_SetToken(&afs, &oldAFSToken, &oldClient, 0);
417 afs_com_err(whoami, code, "restoring old afs token");
421 SetExp(ubikConn, name, now - 1000);
422 GetTokenLife(name, passwd, 8000, KABADUSER);
423 SetExp(ubikConn, name, deadTime);
425 SetExp(ubikConn, AUTH_SUPERUSER, now - 1000);
426 GetTokenLife(name, passwd, 8000, KABADSERVER);
427 SetExp(ubikConn, AUTH_SUPERUSER, deadTime);
429 SetFlags(ubikConn, AUTH_SUPERUSER, KAFNORMAL + KAFNOSEAL);
430 GetTokenLife(name, passwd, 8000, KABADSERVER);
431 SetFlags(ubikConn, AUTH_SUPERUSER, KAFNORMAL);
433 SetFlags(ubikConn, name, KAFNORMAL + KAFNOTGS);
434 GetTokenLife(name, passwd, 8000, KABADUSER);
435 /* restore old tgs, since GetTicket are prohibited too. */
436 code = ktc_SetToken(&tgs_server, &tgs_token, &tgs_client, 0);
438 afs_com_err(whoami, code, "restoring old tgs token");
441 printf("Restoring TGT obtained before NOTGS set\n");
442 code = ka_GetServerToken(AUTH_SUPERUSER, "", cell, 100, 0, 1);
443 if (code != KABADUSER) {
444 afs_com_err(whoami, code,
445 "expected BADUSER error, getting AFS token w/ old tgs token but with NOTGS set");
448 printf("Received expected error code\n");
449 SetFlags(ubikConn, name, KAFNORMAL);
451 if (patient) { /* this requires waiting too long */
452 struct ktc_token afsToken;
453 code = ktc_SetToken(&afs, &oldAFSToken, &oldClient, 0);
455 afs_com_err(whoami, code, "restoring old afs token");
458 fprintf(stdout, "Waiting for TGS ticket to age (about 5 min)...");
460 while (((now = time(0)) - tgs_token.startTime) < 5 * 60) {
461 if (((now - tgs_token.startTime) % 60) == 0) {
462 fprintf(stdout, "%d seconds to go...",
463 (now - tgs_token.startTime));
466 IOMGR_Sleep(1); /* with afs token restored... */
468 /* restore old tgs */
469 code = ktc_SetToken(&tgs_server, &tgs_token, &tgs_client, 0);
471 afs_com_err(whoami, code, "restoring old tgs token");
475 ka_GetServerToken(AUTH_SUPERUSER, "", cell,
476 MAXKTCTICKETLIFETIME, &afsToken, 1);
478 afs_com_err(whoami, code, "getting AFS token w/ old tgs token");
481 CheckLife(afsToken.endTime, afsToken.startTime, 3600 - (5 * 60),
484 ubik_ClientDestroy(ubikConn);
487 printf("calling finalize\n");
490 printf("All Okay\n");
499 struct cmd_syndesc *ts;
502 initialize_U_error_table();
503 initialize_CMD_error_table();
504 initialize_RXK_error_table();
505 initialize_KTC_error_table();
506 initialize_ACFG_error_table();
507 initialize_KA_error_table();
509 ts = cmd_CreateSyntax(NULL, Main, NULL, "Main program");
510 /* 0 */ cmd_AddParm(ts, "-patient", CMD_FLAG, CMD_OPTIONAL,
511 "wait for TGS ticket to age");
513 /* 12 */ cmd_AddParm(ts, "-admin_username", CMD_SINGLE, CMD_OPTIONAL,
514 "admin principal to use for authentication");
515 /* 13 */ cmd_AddParm(ts, "-password_for_admin", CMD_SINGLE, CMD_OPTIONAL,
517 /* 14 */ cmd_AddParm(ts, "-cell", CMD_SINGLE, CMD_OPTIONAL, "cell name");
518 /* 15 */ cmd_AddParm(ts, "-servers", CMD_LIST, CMD_OPTIONAL,
519 "explicit list of authentication servers");
520 code = cmd_Dispatch(argc, argv);