test_security_gssapi.cpp
Go to the documentation of this file.
1 /* SPDX-License-Identifier: MPL-2.0 */
2 
3 #include "testutil.hpp"
4 #include "testutil_monitoring.hpp"
5 #include "testutil_unity.hpp"
6 
7 #include <stdlib.h>
8 #include <string.h>
9 
10 // This test requires a KRB5 environment with the following
11 // service principal (substitute your host.domain and REALM):
12 //
13 // zmqtest2/host.domain@REALM (host.domain should be host running test)
14 //
15 // Export keys for this principal to a keytab file and set the environment
16 // variables KRB5_KTNAME and KRB5_CLIENT_KTNAME to FILE:/path/to/your/keytab.
17 // The test will use it both for client and server roles.
18 //
19 // The test is derived in large part from test_security_curve.cpp
20 
21 const char *name = "zmqtest2";
22 
23 static volatile int zap_deny_all = 0;
24 
25 // --------------------------------------------------------------------------
26 // This methods receives and validates ZAP requests (allowing or denying
27 // each client connection).
28 // N.B. on failure, each crypto type in keytab will be tried
29 
30 static void zap_handler (void *handler_)
31 {
32  // Process ZAP requests forever
33  while (true) {
34  char *version = s_recv (handler_);
35  if (!version)
36  break; // Terminating
37 
38  char *sequence = s_recv (handler_);
39  char *domain = s_recv (handler_);
40  char *address = s_recv (handler_);
41  char *routing_id = s_recv (handler_);
42  char *mechanism = s_recv (handler_);
43  char *principal = s_recv (handler_);
44 
45  TEST_ASSERT_EQUAL_STRING ("1.0", version);
46  TEST_ASSERT_EQUAL_STRING ("GSSAPI", mechanism);
47 
48  send_string_expect_success (handler_, version, ZMQ_SNDMORE);
49  send_string_expect_success (handler_, sequence, ZMQ_SNDMORE);
50 
51  if (!zap_deny_all) {
52  send_string_expect_success (handler_, "200", ZMQ_SNDMORE);
53  send_string_expect_success (handler_, "OK", ZMQ_SNDMORE);
54  send_string_expect_success (handler_, "anonymous", ZMQ_SNDMORE);
55  send_string_expect_success (handler_, "", 0);
56  //fprintf (stderr, "ALLOW %s\n", principal);
57  } else {
58  send_string_expect_success (handler_, "400", ZMQ_SNDMORE);
59  send_string_expect_success (handler_, "Denied", ZMQ_SNDMORE);
60  send_string_expect_success (handler_, "", ZMQ_SNDMORE);
61  send_string_expect_success (handler_, "", 0);
62  //fprintf (stderr, "DENY %s\n", principal);
63  }
64  free (version);
65  free (sequence);
66  free (domain);
67  free (address);
68  free (routing_id);
69  free (mechanism);
70  free (principal);
71  }
72  zmq_close (handler_);
73 }
74 
75 static char my_endpoint[MAX_SOCKET_STRING];
76 static void *zap_thread;
77 static void *server;
78 static void *server_mon;
79 
80 void check_krb_available ()
81 {
82  if (!getenv ("KRB5_KTNAME") || !getenv ("KRB5_CLIENT_KTNAME")) {
83  TEST_IGNORE_MESSAGE ("KRB5 environment unavailable, skipping test");
84  }
85 }
86 
87 void setUp ()
88 {
89  setup_test_context ();
90 
91  zap_thread = 0;
92  server = NULL;
93  server_mon = NULL;
94 
95  check_krb_available ();
96 
97  // Spawn ZAP handler
98  // We create and bind ZAP socket in main thread to avoid case
99  // where child thread does not start up fast enough.
100  void *handler = zmq_socket (get_test_context (), ZMQ_REP);
101  TEST_ASSERT_SUCCESS_ERRNO (zmq_bind (handler, "inproc://zeromq.zap.01"));
102  zap_thread = zmq_threadstart (&zap_handler, handler);
103 
104  // Server socket will accept connections
105  server = test_context_socket (ZMQ_DEALER);
106  int as_server = 1;
107  TEST_ASSERT_SUCCESS_ERRNO (
108  zmq_setsockopt (server, ZMQ_GSSAPI_SERVER, &as_server, sizeof (int)));
109  TEST_ASSERT_SUCCESS_ERRNO (
110  zmq_setsockopt (server, ZMQ_GSSAPI_PRINCIPAL, name, strlen (name) + 1));
111  int name_type = ZMQ_GSSAPI_NT_HOSTBASED;
112  TEST_ASSERT_SUCCESS_ERRNO (zmq_setsockopt (
113  server, ZMQ_GSSAPI_PRINCIPAL_NAMETYPE, &name_type, sizeof (name_type)));
114  bind_loopback_ipv4 (server, my_endpoint, sizeof my_endpoint);
115 
116  // Monitor handshake events on the server
117  TEST_ASSERT_SUCCESS_ERRNO (zmq_socket_monitor (
118  server, "inproc://monitor-server",
119  ZMQ_EVENT_HANDSHAKE_SUCCEEDED | ZMQ_EVENT_HANDSHAKE_FAILED_AUTH
120  | ZMQ_EVENT_HANDSHAKE_FAILED_PROTOCOL));
121 
122  // Create socket for collecting monitor events
123  server_mon = test_context_socket (ZMQ_PAIR);
124 
125  // Connect it to the inproc endpoints so they'll get events
126  TEST_ASSERT_SUCCESS_ERRNO (
127  zmq_connect (server_mon, "inproc://monitor-server"));
128 }
129 
130 void tearDown ()
131 {
132  // Shutdown
133  if (server_mon)
134  test_context_socket_close_zero_linger (server_mon);
135  if (server)
136  test_context_socket_close (server);
137  teardown_test_context ();
138 
139  // Wait until ZAP handler terminates
140  if (zap_thread)
141  zmq_threadclose (zap_thread);
142 }
143 
144 void test_valid_creds ()
145 {
146  void *client = test_context_socket (ZMQ_DEALER);
147  TEST_ASSERT_SUCCESS_ERRNO (zmq_setsockopt (
148  client, ZMQ_GSSAPI_SERVICE_PRINCIPAL, name, strlen (name) + 1));
149  TEST_ASSERT_SUCCESS_ERRNO (
150  zmq_setsockopt (client, ZMQ_GSSAPI_PRINCIPAL, name, strlen (name) + 1));
151  int name_type = ZMQ_GSSAPI_NT_HOSTBASED;
152  TEST_ASSERT_SUCCESS_ERRNO (zmq_setsockopt (
153  client, ZMQ_GSSAPI_PRINCIPAL_NAMETYPE, &name_type, sizeof (name_type)));
154  TEST_ASSERT_SUCCESS_ERRNO (zmq_connect (client, my_endpoint));
155 
156  bounce (server, client);
157  test_context_socket_close (client);
158 
159  int event = get_monitor_event (server_mon, NULL, NULL);
160  TEST_ASSERT_EQUAL_INT (ZMQ_EVENT_HANDSHAKE_SUCCEEDED, event);
161 }
162 
163 // Check security with valid but unauthorized credentials
164 // Note: ZAP may see multiple requests - after a failure, client will
165 // fall back to other crypto types for principal, if available.
166 void test_unauth_creds ()
167 {
168  void *client = test_context_socket (ZMQ_DEALER);
169  TEST_ASSERT_SUCCESS_ERRNO (zmq_setsockopt (
170  client, ZMQ_GSSAPI_SERVICE_PRINCIPAL, name, strlen (name) + 1));
171  TEST_ASSERT_SUCCESS_ERRNO (
172  zmq_setsockopt (client, ZMQ_GSSAPI_PRINCIPAL, name, strlen (name) + 1));
173  int name_type = ZMQ_GSSAPI_NT_HOSTBASED;
174  TEST_ASSERT_SUCCESS_ERRNO (zmq_setsockopt (
175  client, ZMQ_GSSAPI_PRINCIPAL_NAMETYPE, &name_type, sizeof (name_type)));
176  zap_deny_all = 1;
177  TEST_ASSERT_SUCCESS_ERRNO (zmq_connect (client, my_endpoint));
178 
179  expect_bounce_fail (server, client);
180  test_context_socket_close_zero_linger (client);
181 
182  int event = get_monitor_event (server_mon, NULL, NULL);
183  TEST_ASSERT_EQUAL_INT (ZMQ_EVENT_HANDSHAKE_FAILED_AUTH, event);
184 }
185 
186 // Check GSSAPI security with NULL client credentials
187 // This must be caught by the gssapi_server class, not passed to ZAP
188 void test_null_creds ()
189 {
190  void *client = test_context_socket (ZMQ_DEALER);
191  TEST_ASSERT_SUCCESS_ERRNO (zmq_connect (client, my_endpoint));
192  expect_bounce_fail (server, client);
193  test_context_socket_close_zero_linger (client);
194 
195  int error = 0;
196  int event = get_monitor_event (server_mon, &error, NULL);
197  TEST_ASSERT_EQUAL_INT (ZMQ_EVENT_HANDSHAKE_FAILED_PROTOCOL, event);
198  TEST_ASSERT_EQUAL_INT (ZMQ_PROTOCOL_ERROR_ZMTP_MECHANISM_MISMATCH, error);
199 }
200 
201 // Check GSSAPI security with PLAIN client credentials
202 // This must be caught by the curve_server class, not passed to ZAP
203 void test_plain_creds ()
204 {
205  void *client = test_context_socket (ZMQ_DEALER);
206  TEST_ASSERT_SUCCESS_ERRNO (
207  zmq_setsockopt (client, ZMQ_PLAIN_USERNAME, "admin", 5));
208  TEST_ASSERT_SUCCESS_ERRNO (
209  zmq_setsockopt (client, ZMQ_PLAIN_PASSWORD, "password", 8));
210  TEST_ASSERT_SUCCESS_ERRNO (zmq_connect (client, my_endpoint));
211  expect_bounce_fail (server, client);
212  test_context_socket_close_zero_linger (client);
213 }
214 
215 // Unauthenticated messages from a vanilla socket shouldn't be received
216 void test_vanilla_socket ()
217 {
218  fd_t s = connect_socket (my_endpoint);
219  // send anonymous ZMTP/1.0 greeting
220  send (s, "\x01\x00", 2, 0);
221  // send sneaky message that shouldn't be received
222  send (s, "\x08\x00sneaky\0", 9, 0);
223  int timeout = 250;
224  zmq_setsockopt (server, ZMQ_RCVTIMEO, &timeout, sizeof (timeout));
225  char *buf = s_recv (server);
226  if (buf != NULL) {
227  printf ("Received unauthenticated message: %s\n", buf);
228  TEST_ASSERT_NULL (buf);
229  }
230  close (s);
231 }
232 
233 int main (void)
234 {
235  // Avoid entanglements with user's credential cache
236  setenv ("KRB5CCNAME", "MEMORY", 1);
237 
238  setup_test_environment ();
239 
240  UNITY_BEGIN ();
241  RUN_TEST (test_valid_creds);
242  RUN_TEST (test_null_creds);
243  RUN_TEST (test_plain_creds);
244  RUN_TEST (test_vanilla_socket);
245  RUN_TEST (test_unauth_creds);
246  return UNITY_END ();
247 }
tearDown
void tearDown()
Definition: test_security_gssapi.cpp:130
bounce
static void bounce(void *socket_)
Definition: test_req_relaxed.cpp:50
TEST_ASSERT_EQUAL_STRING
#define TEST_ASSERT_EQUAL_STRING(expected, actual)
Definition: unity.h:235
name
GLuint const GLchar * name
Definition: glcorearb.h:3055
domain
const char domain[]
Definition: test_security_plain.cpp:74
ZMQ_EVENT_HANDSHAKE_FAILED_AUTH
#define ZMQ_EVENT_HANDSHAKE_FAILED_AUTH
Definition: zmq.h:423
ZMQ_PLAIN_USERNAME
#define ZMQ_PLAIN_USERNAME
Definition: zmq.h:310
NULL
NULL
Definition: test_security_zap.cpp:405
UNITY_END
return UNITY_END()
zmq_threadstart
ZMQ_EXPORT void * zmq_threadstart(zmq_thread_fn *func_, void *arg_)
Definition: zmq_utils.cpp:54
check_krb_available
void check_krb_available()
Definition: test_security_gssapi.cpp:80
ZMQ_GSSAPI_PRINCIPAL_NAMETYPE
#define ZMQ_GSSAPI_PRINCIPAL_NAMETYPE
Definition: zmq.h:349
zmq_socket_monitor
ZMQ_EXPORT int zmq_socket_monitor(void *s_, const char *addr_, int events_)
Definition: zmq.cpp:278
s
XmlRpcServer s
RUN_TEST
#define RUN_TEST(func)
Definition: unity_internals.h:615
test_vanilla_socket
void test_vanilla_socket()
Definition: test_security_gssapi.cpp:216
ZMQ_PLAIN_PASSWORD
#define ZMQ_PLAIN_PASSWORD
Definition: zmq.h:311
setup_test_context
void setup_test_context()
Definition: testutil_unity.cpp:179
test_unauth_creds
void test_unauth_creds()
Definition: test_security_gssapi.cpp:166
server_mon
static void * server_mon
Definition: test_security_gssapi.cpp:78
test_valid_creds
void test_valid_creds()
Definition: test_security_gssapi.cpp:144
bind_loopback_ipv4
void bind_loopback_ipv4(void *socket_, char *my_endpoint_, size_t len_)
Definition: testutil_unity.cpp:246
teardown_test_context
void teardown_test_context()
Definition: testutil_unity.cpp:189
get_test_context
void * get_test_context()
Definition: testutil_unity.cpp:184
client
void client(int num)
Definition: test_multithread.cpp:134
address
const char * address
Definition: builds/zos/test_fork.cpp:6
send
void send(fd_t fd_, const char(&data_)[N])
Definition: test_security_curve.cpp:209
error
Definition: cJSON.c:88
test_context_socket_close_zero_linger
void * test_context_socket_close_zero_linger(void *socket_)
Definition: testutil_unity.cpp:215
s_recv
char * s_recv(void *socket_)
Definition: testutil.cpp:123
zmq_connect
ZMQ_EXPORT int zmq_connect(void *s_, const char *addr_)
Definition: zmq.cpp:307
ZMQ_PROTOCOL_ERROR_ZMTP_MECHANISM_MISMATCH
#define ZMQ_PROTOCOL_ERROR_ZMTP_MECHANISM_MISMATCH
Definition: zmq.h:438
testutil_unity.hpp
ZMQ_EVENT_HANDSHAKE_SUCCEEDED
#define ZMQ_EVENT_HANDSHAKE_SUCCEEDED
Definition: zmq.h:417
ZMQ_DEALER
#define ZMQ_DEALER
Definition: zmq.h:263
main
int main(void)
Definition: test_security_gssapi.cpp:233
zmq_setsockopt
ZMQ_EXPORT int zmq_setsockopt(void *s_, int option_, const void *optval_, size_t optvallen_)
Definition: zmq.cpp:250
zmq_threadclose
ZMQ_EXPORT void zmq_threadclose(void *thread_)
Definition: zmq_utils.cpp:62
event
struct _cl_event * event
Definition: glcorearb.h:4163
test_plain_creds
void test_plain_creds()
Definition: test_security_gssapi.cpp:203
testutil.hpp
ZMQ_REP
#define ZMQ_REP
Definition: zmq.h:262
server
static void * server
Definition: test_security_gssapi.cpp:77
connect_socket
fd_t connect_socket(const char *endpoint_, const int af_, const int protocol_)
Definition: testutil.cpp:353
ZMQ_GSSAPI_NT_HOSTBASED
#define ZMQ_GSSAPI_NT_HOSTBASED
Definition: zmq.h:391
MAX_SOCKET_STRING
#define MAX_SOCKET_STRING
Definition: libzmq/tests/testutil.hpp:35
zmq_bind
ZMQ_EXPORT int zmq_bind(void *s_, const char *addr_)
Definition: zmq.cpp:299
zap_thread
static void * zap_thread
Definition: test_security_gssapi.cpp:76
timeout
GLbitfield GLuint64 timeout
Definition: glcorearb.h:3588
zmq_socket
ZMQ_EXPORT void * zmq_socket(void *, int type_)
Definition: zmq.cpp:230
ZMQ_GSSAPI_SERVICE_PRINCIPAL
#define ZMQ_GSSAPI_SERVICE_PRINCIPAL
Definition: zmq.h:326
test_context_socket
void * test_context_socket(int type_)
Definition: testutil_unity.cpp:200
test_null_creds
void test_null_creds()
Definition: test_security_gssapi.cpp:188
buf
GLenum GLuint GLenum GLsizei const GLchar * buf
Definition: glcorearb.h:4175
TEST_ASSERT_EQUAL_INT
#define TEST_ASSERT_EQUAL_INT(expected, actual)
Definition: unity.h:128
ZMQ_GSSAPI_PRINCIPAL
#define ZMQ_GSSAPI_PRINCIPAL
Definition: zmq.h:325
my_endpoint
static char my_endpoint[MAX_SOCKET_STRING]
Definition: test_security_gssapi.cpp:75
zmq_close
ZMQ_EXPORT int zmq_close(void *s_)
Definition: zmq.cpp:241
TEST_IGNORE_MESSAGE
#define TEST_IGNORE_MESSAGE(message)
Definition: unity.h:103
expect_bounce_fail
void expect_bounce_fail(void *server_, void *client_)
Definition: testutil.cpp:107
send_string_expect_success
void send_string_expect_success(void *socket_, const char *str_, int flags_)
Definition: testutil_unity.cpp:94
ZMQ_GSSAPI_SERVER
#define ZMQ_GSSAPI_SERVER
Definition: zmq.h:324
ZMQ_PAIR
#define ZMQ_PAIR
Definition: zmq.h:258
ZMQ_RCVTIMEO
#define ZMQ_RCVTIMEO
Definition: zmq.h:296
testutil_monitoring.hpp
get_monitor_event
static SETUP_TEARDOWN_TESTCONTEXT int get_monitor_event(void *monitor_)
Definition: test_heartbeats.cpp:34
zap_handler
static void zap_handler(void *handler_)
Definition: test_security_gssapi.cpp:30
setup_test_environment
void setup_test_environment(int timeout_seconds_)
Definition: testutil.cpp:201
UNITY_BEGIN
UNITY_BEGIN()
ZMQ_SNDMORE
#define ZMQ_SNDMORE
Definition: zmq.h:359
fd_t
zmq_fd_t fd_t
Definition: libzmq/tests/testutil.hpp:98
ZMQ_EVENT_HANDSHAKE_FAILED_PROTOCOL
#define ZMQ_EVENT_HANDSHAKE_FAILED_PROTOCOL
Definition: zmq.h:420
handler
void * handler
Definition: test_security_curve.cpp:27
setUp
void setUp()
Definition: test_security_gssapi.cpp:87
zap_deny_all
static volatile int zap_deny_all
Definition: test_security_gssapi.cpp:23
version
static struct @0 version
test_context_socket_close
void * test_context_socket_close(void *socket_)
Definition: testutil_unity.cpp:208
TEST_ASSERT_SUCCESS_ERRNO
#define TEST_ASSERT_SUCCESS_ERRNO(expr)
Definition: proxy_thr.cpp:47
TEST_ASSERT_NULL
#define TEST_ASSERT_NULL(pointer)
Definition: unity.h:124

libaditof
Author(s):
autogenerated on Wed May 21 2025 02:06:59