2 * Copyright 2000, International Business Machines Corporation and others.
5 * This software has been released under the terms of the IBM Public
6 * License. For details, see the LICENSE file in the top-level source
7 * directory or online at http://www.openafs.org/dl/license10.html
10 #include <afsconfig.h>
11 #include <afs/param.h>
17 #include <sys/types.h>
19 #include <sys/resource.h>
21 #include <netinet/in.h>
27 #include <afs/cellconfig.h>
29 #include <afs/com_err.h>
30 #include <afs/debug.h>
36 static char *whoami = "test_rxkad_free";
37 static char realm[MAXKTCREALMLEN];
39 static char *admin_user;
41 static struct ktc_principal afs;
42 static struct ktc_token oldAFSToken;
43 static struct ktc_principal oldClient;
50 if (oldAFSToken.endTime > 0) {
51 code = ktc_SetToken(&afs, &oldAFSToken, &oldClient, 0);
52 printf("%s original AFS token\n",
53 (code == 0 ? "Restoring" : "Failed to restore"));
56 printf("Crashing at line %d\n", line);
60 #define CRASH() Crash (__LINE__)
61 #define EXIT() Crash (0)
66 printf("New Objects client %d, server %d. Destroyed objects %d.\n",
67 rxkad_stats.clientObjects, rxkad_stats.serverObjects,
68 rxkad_stats.destroyObject);
69 printf("client conns: %d %d %d, destroyed client %d.\n",
70 rxkad_stats.connections[0], rxkad_stats.connections[1],
71 rxkad_stats.connections[2], rxkad_stats.destroyClient);
72 printf("server challenges %d, responses %d %d %d\n",
73 rxkad_stats.challengesSent, rxkad_stats.responses[0],
74 rxkad_stats.responses[1], rxkad_stats.responses[2]);
75 printf("server conns %d %d %d unused %d, unauth %d\n",
76 rxkad_stats.destroyConn[0], rxkad_stats.destroyConn[1],
77 rxkad_stats.destroyConn[2], rxkad_stats.destroyUnused,
78 rxkad_stats.destroyUnauth);
82 SetFields(conn, name, flags, expiration, lifetime)
83 IN struct ubik_client *conn;
95 if (strcmp(name, KA_TGS_NAME) == 0)
101 if (flags & KAFNOTGS)
102 if (flags & KAFNOSEAL)
103 what = "NOTGS+NOSEAL";
106 else if (flags & KAFNOSEAL)
111 if (strcmp(name, admin_user) == 0)
113 } else if (expiration) {
114 which = "expiration";
115 sprintf(buf, "now + %.1f hours",
116 (double)(expiration - time(0)) / 3600.0);
118 } else if (lifetime) {
120 sprintf(buf, "%.1f hours", (double)lifetime / 3600.0);
125 printf("Setting %s of ", which);
126 ka_PrintUserID("", name, instance, "");
127 printf(" to %s\n", what);
129 ubik_Call(KAM_SetFields, conn, 0, name, instance, flags, expiration,
133 com_err(whoami, code, "calling set fields on %s", name);
138 #define SetLife(c,n,l) SetFields (c,n,0,0,l);
139 #define SetExp(c,n,e) SetFields (c,n,0,e,0);
140 #define SetFlags(c,n,f) SetFields (c,n,f,0,0);
143 #define KERBEROS 0x2a
146 CheckLife(tokenEnd, start, expectedLife, match)
151 char bob[KA_TIMESTR_LEN];
152 printf("Expecting %s match with lifetime of %.1f hours\n",
153 (match == EXACT ? "exact" : "kerberos"),
154 (double)expectedLife / 3600.0);
155 expectedEnd = expectedLife + start;
156 if (match == EXACT) {
157 if (abs(expectedEnd - tokenEnd) <= 2)
160 if (match == KERBEROS) {
161 unsigned char kerberosV4Life;
163 kerberosV4Life = time_to_life(start, expectedEnd);
164 kend = life_to_time(start, kerberosV4Life);
165 if (abs(kend - tokenEnd) <= 1)
167 kerberosV4Life = time_to_life(start, expectedEnd - 2);
168 kend = life_to_time(start, kerberosV4Life);
169 if (abs(kend - tokenEnd) <= 1)
172 ka_timestr(tokenEnd, bob, KA_TIMESTR_LEN);
173 printf("End doesn't match: token was %s", bob);
174 ka_timestr(expectedEnd, bob, KA_TIMESTR_LEN);
175 printf(", but expected %s\n", bob);
180 GetTokenLife(name, passwd, expectedLife, match)
183 IN long expectedLife;
184 IN long match; /* or expected error code */
190 code = ka_UserAuthenticateLife(0, name, "", cell, passwd, 0, &reason);
191 if (!((match == EXACT) || (match == KERBEROS))) { /* must be error code */
193 printf("Received expected error code\n");
198 fprintf(stderr, "Unable to authenticate to AFS because %s.\n",
202 code = ktc_GetToken(&afs, &t, sizeof(t), 0);
204 com_err(whoami, code, "getting afs token from ktc");
207 CheckLife(t.endTime, t.startTime, expectedLife, match);
212 IN struct cmd_syndesc *as;
216 char name[MAXKTCNAMELEN];
217 char instance[MAXKTCNAMELEN];
218 char newCell[MAXKTCREALMLEN];
220 long serverList[MAXSERVERS];
221 extern struct passwd *getpwuid();
224 struct ktc_encryptionKey key;
231 unsigned long startTime;
232 unsigned long deadTime;
236 int patient = (as->parms[0].items != 0);
241 if (as->parms[12].items) { /* if username specified */
243 ka_ParseLoginName(as->parms[12].items->data, name, instance,
246 com_err(whoami, code, "parsing user's name '%s'",
247 as->parms[12].items->data);
250 if (strlen(newCell) > 0)
253 /* No explicit name provided: use Unix uid. */
254 pw = getpwuid(getuid());
256 printf("Can't figure out your name from your user id.\n");
259 strncpy(name, pw->pw_name, sizeof(name));
260 strcpy(instance, "");
263 admin_user = name; /* this guy should keep admin bit */
265 if (strcmp(as->parms[14].name, "-cell") == 0) {
266 if (as->parms[14].items) { /* if cell specified */
268 printf("Duplicate cell specification not allowed\n");
270 strncpy(newCell, as->parms[14].items->data, sizeof(newCell));
274 code = ka_ExpandCell(newCell, newCell, 0 /*local */ );
276 com_err(whoami, code, "Can't expand cell name");
280 code = ka_CellToRealm(cell, realm, 0);
282 com_err(whoami, code, "Can't get realm from cell name");
286 if (as->parms[13].items) { /* if password specified */
287 strncpy(passwd, as->parms[13].items->data, sizeof(passwd));
288 memset(as->parms[13].items->data, 0,
289 strlen(as->parms[13].items->data));
291 char msg[sizeof(name) + 15];
292 if (as->parms[12].items)
293 strcpy(msg, "Admin Password: ");
295 sprintf(msg, "Password for %s: ", name);
296 code = read_pw_string(passwd, sizeof(passwd), msg, 0);
299 else if (strlen(passwd) == 0)
300 code = KANULLPASSWORD;
302 com_err(whoami, code, "reading password");
306 if (as->parms[15].items) {
308 char *ap[MAXSERVERS + 2];
310 for (ip = as->parms[15].items, i = 2; ip; ip = ip->next, i++)
314 code = ubik_ParseClientList(i, ap, serverList);
316 com_err(whoami, code, "could not parse server list");
319 ka_ExplicitCell(cell, serverList);
322 ka_StringToKey(passwd, cell, &key);
324 strcpy(afs.name, AUTH_SUPERUSER);
325 strcpy(afs.instance, "");
326 strcpy(afs.cell, cell);
327 code = ktc_GetToken(&afs, &oldAFSToken, sizeof(oldAFSToken), &oldClient);
329 com_err(whoami, code, "saving existing afs token");
335 struct ktc_token token;
336 struct ktc_token *pToken;
337 struct ubik_client *ubikConn;
338 struct kaentryinfo tentry;
339 struct ktc_principal tgs_server;
340 struct ktc_token tgs_token;
341 struct ktc_principal tgs_client;
345 ka_GetAdminToken(name, instance, cell, &key, 3600, &token,
348 com_err(whoami, code, "getting admin token");
352 if (token.ticketLen == 0) {
353 fprintf("Can't get admin token\n");
358 ka_AuthServerConn(cell, KA_MAINTENANCE_SERVICE, pToken,
361 com_err(whoami, code, "Getting AuthServer ubik conn");
365 SetFlags(ubikConn, AUTH_SUPERUSER, KAFNORMAL);
366 SetFlags(ubikConn, name, KAFNORMAL);
367 SetLife(ubikConn, KA_TGS_NAME, MAXKTCTICKETLIFETIME);
368 SetLife(ubikConn, AUTH_SUPERUSER, MAXKTCTICKETLIFETIME);
369 SetLife(ubikConn, name, 3600);
370 deadTime = startTime + 365 * 24 * 3600;
371 SetExp(ubikConn, KA_TGS_NAME, deadTime);
372 SetExp(ubikConn, AUTH_SUPERUSER, deadTime);
373 SetExp(ubikConn, name, deadTime);
375 GetTokenLife(name, passwd, 3600, EXACT);
377 /* get TGS ticket for proper realm */
378 strcpy(tgs_server.name, KA_TGS_NAME);
379 strcpy(tgs_server.instance, realm);
380 strcpy(tgs_server.cell, cell);
381 /* save this for future use */
383 ktc_GetToken(&tgs_server, &tgs_token, sizeof(tgs_token),
386 com_err(whoami, code, "saving tgs token");
390 SetLife(ubikConn, name, MAXKTCTICKETLIFETIME);
392 GetTokenLife(name, passwd, MAXKTCTICKETLIFETIME, EXACT);
394 SetLife(ubikConn, AUTH_SUPERUSER, 4000);
396 GetTokenLife(name, passwd, 4000, KERBEROS);
397 SetLife(ubikConn, AUTH_SUPERUSER, MAXKTCTICKETLIFETIME);
399 SetLife(ubikConn, KA_TGS_NAME, 5000);
401 GetTokenLife(name, passwd, 5000, KERBEROS);
402 SetLife(ubikConn, KA_TGS_NAME, MAXKTCTICKETLIFETIME);
405 SetExp(ubikConn, KA_TGS_NAME, now + 6000);
406 GetTokenLife(name, passwd, 6000, KERBEROS);
407 SetExp(ubikConn, KA_TGS_NAME, deadTime);
410 SetExp(ubikConn, AUTH_SUPERUSER, now + 7000);
411 GetTokenLife(name, passwd, 7000, KERBEROS);
412 SetExp(ubikConn, AUTH_SUPERUSER, deadTime);
415 SetExp(ubikConn, name, now + 8000);
416 GetTokenLife(name, passwd, 8000, KERBEROS);
418 /* since the rest should be errors, restore good AFS ticket */
419 code = ktc_SetToken(&afs, &oldAFSToken, &oldClient, 0);
421 com_err(whoami, code, "restoring old afs token");
425 SetExp(ubikConn, name, now - 1000);
426 GetTokenLife(name, passwd, 8000, KABADUSER);
427 SetExp(ubikConn, name, deadTime);
429 SetExp(ubikConn, AUTH_SUPERUSER, now - 1000);
430 GetTokenLife(name, passwd, 8000, KABADSERVER);
431 SetExp(ubikConn, AUTH_SUPERUSER, deadTime);
433 SetFlags(ubikConn, AUTH_SUPERUSER, KAFNORMAL + KAFNOSEAL);
434 GetTokenLife(name, passwd, 8000, KABADSERVER);
435 SetFlags(ubikConn, AUTH_SUPERUSER, KAFNORMAL);
437 SetFlags(ubikConn, name, KAFNORMAL + KAFNOTGS);
438 GetTokenLife(name, passwd, 8000, KABADUSER);
439 /* restore old tgs, since GetTicket are prohibited too. */
440 code = ktc_SetToken(&tgs_server, &tgs_token, &tgs_client, 0);
442 com_err(whoami, code, "restoring old tgs token");
445 printf("Restoring TGT obtained before NOTGS set\n");
446 code = ka_GetServerToken(AUTH_SUPERUSER, "", cell, 100, 0, 1);
447 if (code != KABADUSER) {
448 com_err(whoami, code,
449 "expected BADUSER error, getting AFS token w/ old tgs token but with NOTGS set");
452 printf("Received expected error code\n");
453 SetFlags(ubikConn, name, KAFNORMAL);
455 if (patient) { /* this requires waiting too long */
456 struct ktc_token afsToken;
457 code = ktc_SetToken(&afs, &oldAFSToken, &oldClient, 0);
459 com_err(whoami, code, "restoring old afs token");
462 fprintf(stdout, "Waiting for TGS ticket to age (about 5 min)...");
464 while (((now = time(0)) - tgs_token.startTime) < 5 * 60) {
465 if (((now - tgs_token.startTime) % 60) == 0) {
466 fprintf(stdout, "%d seconds to go...",
467 (now - tgs_token.startTime));
470 IOMGR_Sleep(1); /* with afs token restored... */
472 /* restore old tgs */
473 code = ktc_SetToken(&tgs_server, &tgs_token, &tgs_client, 0);
475 com_err(whoami, code, "restoring old tgs token");
479 ka_GetServerToken(AUTH_SUPERUSER, "", cell,
480 MAXKTCTICKETLIFETIME, &afsToken, 1);
482 com_err(whoami, code, "getting AFS token w/ old tgs token");
485 CheckLife(afsToken.endTime, afsToken.startTime, 3600 - (5 * 60),
488 ubik_ClientDestroy(ubikConn);
491 printf("calling finalize\n");
494 printf("All Okay\n");
503 register struct cmd_syndesc *ts;
506 initialize_U_error_table();
507 initialize_CMD_error_table();
508 initialize_RXK_error_table();
509 initialize_KTC_error_table();
510 initialize_ACFG_error_table();
511 initialize_KA_error_table();
513 ts = cmd_CreateSyntax(0, Main, 0, "Main program");
514 /* 0 */ cmd_AddParm(ts, "-patient", CMD_FLAG, CMD_OPTIONAL,
515 "wait for TGS ticket to age");
517 /* 12 */ cmd_AddParm(ts, "-admin_username", CMD_SINGLE, CMD_OPTIONAL,
518 "admin principal to use for authentication");
519 /* 13 */ cmd_AddParm(ts, "-password_for_admin", CMD_SINGLE, CMD_OPTIONAL,
521 /* 14 */ cmd_AddParm(ts, "-cell", CMD_SINGLE, CMD_OPTIONAL, "cell name");
522 /* 15 */ cmd_AddParm(ts, "-servers", CMD_LIST, CMD_OPTIONAL,
523 "explicit list of authentication servers");
524 code = cmd_Dispatch(argc, argv);