2 * Utility functions for tests that use Kerberos.
4 * The canonical version of this file is maintained in the rra-c-util package,
5 * which can be found at <https://www.eyrie.org/~eagle/software/rra-c-util/>.
7 * Written by Russ Allbery <eagle@eyrie.org>
8 * Copyright 2006, 2007, 2009, 2011, 2012, 2013, 2014
9 * The Board of Trustees of the Leland Stanford Junior University
11 * Permission is hereby granted, free of charge, to any person obtaining a
12 * copy of this software and associated documentation files (the "Software"),
13 * to deal in the Software without restriction, including without limitation
14 * the rights to use, copy, modify, merge, publish, distribute, sublicense,
15 * and/or sell copies of the Software, and to permit persons to whom the
16 * Software is furnished to do so, subject to the following conditions:
18 * The above copyright notice and this permission notice shall be included in
19 * all copies or substantial portions of the Software.
21 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
22 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
23 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
24 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
25 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
26 * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
27 * DEALINGS IN THE SOFTWARE.
30 #ifndef TAP_KERBEROS_H
31 #define TAP_KERBEROS_H 1
34 #include <tests/tap/macros.h>
37 # include <portable/krb5.h>
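/*
 * Holds the information parsed from the Kerberos test configuration.
 *
 * Several fields carry credential material or point at it: password is the
 * password that kerberos_setup loads from config/password, keytab names a
 * file of keys, and cache names a ticket cache.  Treat the struct as
 * sensitive and keep its contents out of test diagnostics.
 *
 * NOTE(review): this header does not show whether kerberos_cleanup clears the
 * password buffer before releasing it; confirm in the implementation.
 */
struct kerberos_config {
    char *keytab;           /* Path to the keytab. */
    char *principal;        /* Principal whose keys are in the keytab. */
    char *cache;            /* Path to the Kerberos ticket cache. */
    char *userprinc;        /* The fully-qualified principal. */
    char *username;         /* The local (non-realm) part of principal. */
    char *realm;            /* The realm part of the principal. */
    char *password;         /* The password. */
    char *pkinit_principal; /* Principal for PKINIT authentication. */
    char *pkinit_cert;      /* Path to certificates for PKINIT. */
};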
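/*
 * Whether to skip all tests (by calling skip_all) in kerberos_setup if
 * certain configuration information isn't available.  Each requirement is a
 * distinct bit.  "_BOTH" means that the tests require both keytab and
 * password, but PKINIT is not required.
 */
enum kerberos_needs {
    TAP_KRB_NEEDS_NONE     = 0x00,
    TAP_KRB_NEEDS_KEYTAB   = 0x01,
    TAP_KRB_NEEDS_PASSWORD = 0x02,
    /* Spelled with the named flags so it cannot drift from their values. */
    TAP_KRB_NEEDS_BOTH     = TAP_KRB_NEEDS_KEYTAB | TAP_KRB_NEEDS_PASSWORD,
    TAP_KRB_NEEDS_PKINIT   = 0x04
};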
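/*
 * Set up Kerberos, returning the test configuration information.  This
 * obtains Kerberos tickets from config/keytab, if one is present, stores
 * them in a Kerberos ticket cache, and sets KRB5_KTNAME and KRB5CCNAME.  It
 * also loads the principal and password from config/password, if it exists,
 * and stores the principal, password, username, and realm in the returned
 * struct.
 *
 * If there is no config/keytab file, KRB5_KTNAME and KRB5CCNAME won't be set
 * and the keytab field will be NULL.  If there is no config/password file,
 * the principal field will be NULL.  If the files exist but loading them
 * fails, or authentication fails, kerberos_setup calls bail.
 *
 * NOTE(review): the field comments on struct kerberos_config tie principal
 * to the keytab and userprinc to the fully-qualified principal, so the field
 * that is NULL without config/password may be userprinc; confirm against the
 * implementation.
 *
 * config/password and config/keytab hold credentials for whatever principal
 * the tests authenticate as.  Use a dedicated test principal and keep both
 * files readable only by the account that runs the test suite.
 *
 * kerberos_cleanup will be run as a cleanup function normally, freeing all
 * resources and cleaning up temporary files on process exit.  It can,
 * however, be called directly if for some reason the caller needs to delete
 * the Kerberos environment again.  Normally the caller can just call
 * kerberos_setup again.
 */
struct kerberos_config *kerberos_setup(enum kerberos_needs)
    __attribute__((__malloc__));
void kerberos_cleanup(void);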
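/*
 * Generate a krb5.conf file for testing and set KRB5_CONFIG to point to it.
 * The [appdefaults] section will be stripped out and the default realm will
 * be set to the realm specified, if not NULL.  This will use config/krb5.conf
 * in preference, so users can configure the tests by creating that file if
 * the system file isn't suitable.
 *
 * Because config/krb5.conf takes precedence, whoever can write that file
 * decides which Kerberos configuration the tests run with.
 *
 * Depends on data/generate-krb5-conf being present in the test suite.
 *
 * kerberos_cleanup_conf will clean up after this function, but usually
 * doesn't need to be called directly since it's registered as an atexit
 * handler.
 */
void kerberos_generate_conf(const char *realm);
void kerberos_cleanup_conf(void);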
106 /* These interfaces are only available with native Kerberos support. */
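/*
 * Bail out with an error, appending the Kerberos error message.  Does not
 * return.  The format argument is a printf-style format string, must not be
 * NULL, and is checked against the variable arguments by the compiler through
 * the format attribute.  Pass a fixed format and supply any variable text as
 * an argument rather than as the format itself.
 */
void bail_krb5(krb5_context, krb5_error_code, const char *format, ...)
    __attribute__((__noreturn__, __nonnull__(3), __format__(printf, 3, 4)));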
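/*
 * Report a diagnostic with Kerberos error to stderr prefixed with #.  The
 * format argument is a printf-style format string, must not be NULL, and is
 * checked against the variable arguments by the compiler through the format
 * attribute.  Pass a fixed format and supply any variable text as an argument
 * rather than as the format itself.
 */
void diag_krb5(krb5_context, krb5_error_code, const char *format, ...)
    __attribute__((__nonnull__(3), __format__(printf, 3, 4)));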
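/*
 * Given a Kerberos context and the path to a keytab, retrieve the principal
 * for the first entry in the keytab and return it.  Calls bail on failure.
 * The returned principal should be freed with krb5_free_principal.
 *
 * The nonnull attribute carries no argument list, so it applies to every
 * pointer parameter; path must not be NULL.
 */
krb5_principal kerberos_keytab_principal(krb5_context, const char *path)
    __attribute__((__nonnull__));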
125 #endif /* HAVE_KRB5 */
129 #endif /* !TAP_KERBEROS_H */