diff options
author | Kai Wohlfahrt <kjw53@cam.ac.uk> | 2017-11-06 17:41:34 +0000 |
---|---|---|
committer | Kai Wohlfahrt <kai@prodo.ai> | 2018-12-11 13:33:10 +0000 |
commit | 6cca9c0f9f2d7ed80ae52609160d2678e6fe38cd (patch) | |
tree | e7c9dd4fee257d7a0e423581fbb14341576478dc /nixos/tests/kerberos | |
parent | fe8f2b8813e75ab8b20e133b60afaac6e955bca7 (diff) | |
download | nixlib-6cca9c0f9f2d7ed80ae52609160d2678e6fe38cd.tar nixlib-6cca9c0f9f2d7ed80ae52609160d2678e6fe38cd.tar.gz nixlib-6cca9c0f9f2d7ed80ae52609160d2678e6fe38cd.tar.bz2 nixlib-6cca9c0f9f2d7ed80ae52609160d2678e6fe38cd.tar.lz nixlib-6cca9c0f9f2d7ed80ae52609160d2678e6fe38cd.tar.xz nixlib-6cca9c0f9f2d7ed80ae52609160d2678e6fe38cd.tar.zst nixlib-6cca9c0f9f2d7ed80ae52609160d2678e6fe38cd.zip |
kerberos-server: add kerberos option
Allow switching out kerberos server implementation. Sharing config is probably sensible, but implementation is different enough to be worth splitting into two files. Not sure this is the correct way to split an implementation, but it works for now. Uses the switch from config.krb5 to select implementation.
Diffstat (limited to 'nixos/tests/kerberos')
-rw-r--r-- | nixos/tests/kerberos/default.nix | 5 | ||||
-rw-r--r-- | nixos/tests/kerberos/heimdal.nix | 53 | ||||
-rw-r--r-- | nixos/tests/kerberos/mit.nix | 45 |
3 files changed, 103 insertions, 0 deletions
diff --git a/nixos/tests/kerberos/default.nix b/nixos/tests/kerberos/default.nix new file mode 100644 index 000000000000..ae8bdb8bbc82 --- /dev/null +++ b/nixos/tests/kerberos/default.nix @@ -0,0 +1,5 @@ +{ system ? builtins.currentSystem }: +{ + mit = import ./mit.nix { inherit system; }; + heimdal = import ./heimdal.nix { inherit system; }; +} diff --git a/nixos/tests/kerberos/heimdal.nix b/nixos/tests/kerberos/heimdal.nix new file mode 100644 index 000000000000..a0551b131e91 --- /dev/null +++ b/nixos/tests/kerberos/heimdal.nix @@ -0,0 +1,53 @@ +import ../make-test.nix ({pkgs, ...}: { + name = "kerberos_server-heimdal"; + machine = { config, libs, pkgs, ...}: + { services.kerberos_server = + { enable = true; + realms = { + "FOO.BAR".acl = [{principal = "admin"; access = ["add" "cpw"];}]; + }; + }; + krb5 = { + enable = true; + kerberos = pkgs.heimdalFull; + libdefaults = { + default_realm = "FOO.BAR"; + }; + realms = { + "FOO.BAR" = { + admin_server = "machine"; + kdc = "machine"; + }; + }; + }; + }; + + testScript = '' + $machine->start; + + $machine->succeed( + "kadmin -l init --realm-max-ticket-life='8 day' \\ + --realm-max-renewable-life='10 day' FOO.BAR" + ); + + $machine->succeed("systemctl restart kadmind.service kdc.service"); + $machine->waitForUnit("kadmind.service"); + $machine->waitForUnit("kdc.service"); + $machine->waitForUnit("kpasswdd.service"); + + $machine->succeed( + "kadmin -l add --password=admin_pw --use-defaults admin" + ); + $machine->succeed( + "kadmin -l ext_keytab --keytab=admin.keytab admin" + ); + $machine->succeed( + "kadmin -p admin -K admin.keytab add --password=alice_pw --use-defaults \\ + alice" + ); + $machine->succeed( + "kadmin -l ext_keytab --keytab=alice.keytab alice" + ); + $machine->succeed("kinit -kt alice.keytab alice"); + ''; +}) diff --git a/nixos/tests/kerberos/mit.nix b/nixos/tests/kerberos/mit.nix new file mode 100644 index 000000000000..6da3a384aa99 --- /dev/null +++ b/nixos/tests/kerberos/mit.nix @@ -0,0 +1,45 @@ +import ../make-test.nix ({pkgs, ...}: { + name = "kerberos_server-mit"; + machine = { config, libs, pkgs, ...}: + { services.kerberos_server = + { enable = true; + realms = { + "FOO.BAR".acl = [{principal = "admin"; access = ["add" "cpw"];}]; + }; + }; + krb5 = { + enable = true; + kerberos = pkgs.krb5Full; + libdefaults = { + default_realm = "FOO.BAR"; + }; + realms = { + "FOO.BAR" = { + admin_server = "machine"; + kdc = "machine"; + }; + }; + }; + users.extraUsers.alice = { isNormalUser = true; }; + }; + + testScript = '' + $machine->start; + + $machine->succeed( + "kdb5_util create -s -r FOO.BAR -P master_key" + ); + + $machine->succeed("systemctl restart kadmind.service kdc.service"); + $machine->waitForUnit("kadmind.service"); + $machine->waitForUnit("kdc.service"); + + $machine->succeed( + "kadmin.local add_principal -pw admin_pw admin" + ); + $machine->succeed( + "kadmin -p admin -w admin_pw addprinc -pw alice_pw alice" + ); + $machine->succeed("echo alice_pw | sudo -u alice kinit"); + ''; +}) |