s4:torture: Pass the pkinit ccache via a torture variable
authorAndreas Schneider <asn@samba.org>
Wed, 16 Dec 2020 14:18:26 +0000 (15:18 +0100)
committerAndrew Bartlett <abartlet@samba.org>
Wed, 16 Jun 2021 00:34:38 +0000 (00:34 +0000)
Mixing -Uuser%password and --krb5-ccache doesn't really work on the
cmdline as -U overwrites the ccache.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
source4/torture/rpc/remote_pac.c
testprogs/blackbox/test_pkinit_pac_heimdal.sh

index 2894badc8e96341b8d17f636c6a578739503b226..6e956d57dde2cef630eb77a91f1878ab24e8aca7 100644 (file)
@@ -162,7 +162,8 @@ static bool test_PACVerify(struct torture_context *tctx,
 {
        NTSTATUS status;
        bool ok;
-       bool pkinit_in_use = torture_setting_bool(tctx, "pkinit_in_use", false);
+       const char *pkinit_ccache = torture_setting_string(tctx, "pkinit_ccache", NULL);
+       bool pkinit_in_use = pkinit_ccache != NULL;
        bool expect_pac_upn_dns_info = torture_setting_bool(tctx, "expect_pac_upn_dns_info", true);
        size_t num_pac_buffers;
        struct gensec_security *gensec_client_context;
@@ -186,20 +187,61 @@ static bool test_PACVerify(struct torture_context *tctx,
                "Testing PAC Verify (secure_channel_type: %d, machine: %s, negotiate_flags: 0x%08x\n",
                secure_channel_type, test_machine_name, negotiate_flags);
 
-       /*
-        * Copy the credentials in order to use a different MEMORY krb5 ccache
-        * for each client/server setup. The MEMORY cache identifier is a
-        * pointer to the creds container. If we copy it the pointer changes and
-        * we will get a new clean memory cache.
-        */
-       client_creds = cli_credentials_shallow_copy(tmp_ctx,
-                                           popt_get_cmdline_credentials());
-       torture_assert(tctx, client_creds, "Failed to copy of credentials");
-       if (!pkinit_in_use) {
-               /* Invalidate the gss creds container to allocate a new MEMORY ccache */
+       if (pkinit_in_use) {
+               struct cli_credentials *tmp_creds = NULL;
+               const char *error_string = NULL;
+               int rc;
+
+               torture_comment(tctx,
+                               "Using pkinit_ccache=%s\n",
+                               pkinit_ccache);
+
+               tmp_creds = cli_credentials_init(tctx);
+               torture_assert(tctx, tmp_creds, "Failed to create credentials");
+
+               rc = cli_credentials_set_ccache(tmp_creds,
+                                               tctx->lp_ctx,
+                                               pkinit_ccache,
+                                               CRED_SPECIFIED,
+                                               &error_string);
+               torture_assert_int_equal(tctx,
+                                        rc,
+                                        0,
+                                        "cli_credentials_set_ccache failed");
+               cli_credentials_set_kerberos_state(tmp_creds,
+                                                  CRED_USE_KERBEROS_REQUIRED,
+                                                  CRED_SPECIFIED);
+
+               /*
+                * Copy the credentials in order to use a different MEMORY krb5
+                * ccache for each client/server setup. The MEMORY cache
+                * identifier is a pointer to the creds container. If we copy
+                * it the pointer changes and we will get a new clean memory
+                * cache.
+                */
+               client_creds =
+                       cli_credentials_shallow_copy(tmp_ctx, tmp_creds);
+               torture_assert(tctx,
+                              client_creds,
+                              "Failed to copy of credentials");
+       } else {
+               /*
+                * Copy the credentials in order to use a different MEMORY krb5
+                * ccache for each client/server setup. The MEMORY cache
+                * identifier is a pointer to the creds container. If we copy
+                * it the pointer changes and we will get a new clean memory
+                * cache.
+                */
+               client_creds =
+                       cli_credentials_shallow_copy(tmp_ctx,
+                                                    popt_get_cmdline_credentials());
+               torture_assert(tctx,
+                              client_creds,
+                              "Failed to copy of credentials");
                cli_credentials_invalidate_ccache(client_creds, CRED_SPECIFIED);
        }
 
+
        server_creds = cli_credentials_shallow_copy(tmp_ctx,
                                                    credentials);
        torture_assert(tctx, server_creds, "Failed to copy of credentials");
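Review bot: The error_string that cli_credentials_set_ccache fills in on failure is never reported; the torture_assert_int_equal on rc only prints the fixed text "cli_credentials_set_ccache failed", so a mistyped or unreadable name passed through torture:pkinit_ccache leaves no clue why the step failed. Passing it through, e.g. `torture_assert_int_equal(tctx, rc, 0, talloc_asprintf(tctx, "cli_credentials_set_ccache failed: %s", error_string ? error_string : "(no error string)"));`, makes the failure self-explanatory. The shallow-copy call, its assert and the explanatory comment are now duplicated in both branches although only the source credentials differ, so selecting the source in the if/else and doing a single copy after it would shorten the hunk and keep the two paths from drifting. The extra blank line added before server_creds also leaves two consecutive empty lines. test_PACVerify starts before the hunk and continues after it.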
index 122053983658661952c95b62c13950248432dd1b..45edb7e6cb41dd577730391b9f22209f9e12a177 100755 (executable)
@@ -46,7 +46,7 @@ USER_PRINCIPAL_NAME=`echo "${USERNAME}@${REALM}" | tr A-Z a-z`
 PKUSER="--pk-user=FILE:$PREFIX/pkinit/USER-${USER_PRINCIPAL_NAME}-cert.pem,$PREFIX/pkinit/USER-${USER_PRINCIPAL_NAME}-private-key.pem"
 
 testit "STEP1 kinit with pkinit (name specified) " $samba4kinit $enctype --request-pac --renewable $PKUSER $USERNAME@$REALM || failed=`expr $failed + 1`
-testit "STEP1 remote.pac verification" $smbtorture4 ncacn_np:$SERVER rpc.pac --workgroup=$DOMAIN -U$USERNAME%$PASSWORD --krb5-ccache=$KRB5CCNAME --option=torture:pkinit_in_use=yes || failed=`expr $failed + 1`
+testit "STEP1 remote.pac verification" $smbtorture4 ncacn_np:$SERVER rpc.pac --workgroup=$DOMAIN -U$USERNAME%$PASSWORD --option=torture:pkinit_ccache=$KRB5CCNAME || failed=`expr $failed + 1`
 
 rm -f $PASSFILE_PATH
 rm -f $KRB5CCNAME_PATH
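Review bot: `$KRB5CCNAME` is expanded unquoted into the new `--option=torture:pkinit_ccache=` argument, and if the variable is unset the step silently passes an empty ccache name; on the C side any non-NULL value now switches the test into pkinit mode, and whether torture_setting_string yields NULL or "" for an empty option value is not visible here. Making the dependency explicit, `--option="torture:pkinit_ccache=${KRB5CCNAME:?KRB5CCNAME must be set}"`, fails the step at the point of the mistake rather than somewhere inside smbtorture. Whether `-U$USERNAME%$PASSWORD` is still needed on this line for the initial connection is not visible here; if it is not, dropping it would also keep the password off the command line.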