#!/usr/bin/env bash set -o errexit set -o nounset set -o pipefail echo "Running ${TEST_NAME}" cd "${OS_ROOT}" source hack/lib/init.sh function cleanup() { out=$? # get the jUnit output file into a workable state in case we crashed in the middle of testing something os::test::junit::reconcile_output # check that we didn't mangle jUnit output os::test::junit::check_test_counters exit $out } trap "cleanup" EXIT os::test::junit::declare_suite_start "${TEST_NAME}" # Client has no GSSAPI libs and server is GSSAPI only # Everything fails # Errors do NOT mention Kerberos if [[ "${CLIENT}" = 'CLIENT_MISSING_LIBS' && "${SERVER}" = 'SERVER_GSSAPI_ONLY' ]]; then os::cmd::expect_failure_and_text 'oc login' 'Login failed \(401 Unauthorized\)' os::cmd::expect_failure_and_text 'oc whoami' 'system:anonymous' os::cmd::expect_failure_and_text 'oc login -u user1' 'Login failed \(401 Unauthorized\)' os::cmd::expect_failure_and_not_text 'oc whoami' 'user1' os::cmd::expect_failure_and_text 'oc login -u user2 -p wrongpassword' 'Login failed \(401 Unauthorized\)' os::cmd::expect_failure_and_not_text 'oc whoami' 'user2' os::cmd::expect_failure_and_text 'oc login -u user2 -p password' 'Login failed \(401 Unauthorized\)' os::cmd::expect_failure_and_not_text 'oc whoami' 'user2' os::cmd::expect_failure_and_text "oc login -u 'user3@${REALM}'" 'Login failed \(401 Unauthorized\)' os::cmd::expect_failure_and_not_text 'oc whoami' 'user3' os::cmd::expect_failure_and_text "oc login -u 'user4@${REALM}' -p wrongpassword" 'Login failed \(401 Unauthorized\)' os::cmd::expect_failure_and_not_text 'oc whoami' 'user4' os::cmd::expect_failure_and_text "oc login -u 'user5@${REALM}' -p password" 'Login failed \(401 Unauthorized\)' os::cmd::expect_failure_and_not_text 'oc whoami' 'user5' fi # Client has uncofigured GSSAPI libs and server is GSSAPI only # Everything fails # Errors mention Kerberos if [[ "${CLIENT}" = 'CLIENT_HAS_LIBS' && "${SERVER}" = 'SERVER_GSSAPI_ONLY' ]]; then DEFAULT_REALM="$(grep default_realm /etc/krb5.conf | awk {'printf $3'})" os::cmd::expect_failure_and_text 'oc login' 'No Kerberos credentials available' os::cmd::expect_failure_and_text 'oc whoami' 'system:anonymous' # Fedora has no default realm, so a realm-less username is considered invalid # Ubuntu has a default realm, so will complain about not finding the credentials for it # Hence we accept either of those error messages in the next three sets of tests os::cmd::expect_failure_and_text 'oc login -u user1' "An invalid name was supplied|Can't find client principal user1@${DEFAULT_REALM} in cache collection" os::cmd::expect_failure_and_not_text 'oc whoami' 'user1' os::cmd::expect_failure_and_text 'oc login -u user2 -p wrongpassword' "An invalid name was supplied|Can't find client principal user2@${DEFAULT_REALM} in cache collection" os::cmd::expect_failure_and_not_text 'oc whoami' 'user2' os::cmd::expect_failure_and_text 'oc login -u user2 -p password' "An invalid name was supplied|Can't find client principal user2@${DEFAULT_REALM} in cache collection" os::cmd::expect_failure_and_not_text 'oc whoami' 'user2' os::cmd::expect_failure_and_text "oc login -u 'user3@${REALM}'" "Can't find client principal user3@${REALM} in cache collection" os::cmd::expect_failure_and_not_text 'oc whoami' 'user3' os::cmd::expect_failure_and_text "oc login -u 'user4@${REALM}' -p wrongpassword" "Can't find client principal user4@${REALM} in cache collection" os::cmd::expect_failure_and_not_text 'oc whoami' 'user4' os::cmd::expect_failure_and_text "oc login -u 'user5@${REALM}' -p password" "Can't find client principal user5@${REALM} in cache collection" os::cmd::expect_failure_and_not_text 'oc whoami' 'user5' fi # Client has GSSAPI configured and server is GSSAPI only # Only GSSAPI works # Errors mention Kerberos if [[ "${CLIENT}" = 'CLIENT_HAS_LIBS_IS_CONFIGURED' && "${SERVER}" = 'SERVER_GSSAPI_ONLY' ]]; then # No ticket os::cmd::expect_failure_and_text 'oc login' 'No Kerberos credentials available' os::cmd::expect_failure_and_text 'oc whoami' 'system:anonymous' os::cmd::expect_failure 'kinit user1 <<< wrongpassword' os::cmd::expect_failure_and_text 'oc login' 'No Kerberos credentials available' os::cmd::expect_failure_and_not_text 'oc whoami' 'user1' # Single ticket os::cmd::expect_success 'kinit user1 <<< password' os::cmd::expect_success_and_text 'oc login' 'Login successful.' os::cmd::expect_success_and_text 'oc whoami' "user1@${REALM}" os::cmd::expect_success_and_text 'oc logout' "user1@${REALM}" # Having multiple tickets os::cmd::expect_success "kinit user2@${REALM} <<< password" os::cmd::expect_success 'kinit user3 <<< password' os::cmd::expect_failure 'kinit user4 <<< wrongpassword' os::cmd::expect_failure "kinit user5@${REALM} <<< wrongpassword" # Shortname, non-default ticket os::cmd::expect_success_and_text 'oc login -u user1' 'Login successful.' os::cmd::expect_success_and_text 'oc whoami' "user1@${REALM}" os::cmd::expect_success_and_text 'oc logout' "user1@${REALM}" # Longname, non-default ticket os::cmd::expect_success_and_text "oc login -u 'user2@${REALM}'" 'Login successful.' os::cmd::expect_success_and_text 'oc whoami' "user2@${REALM}" os::cmd::expect_success_and_text 'oc logout' "user2@${REALM}" # Default ticket os::cmd::expect_success_and_text 'oc login' 'Login successful.' os::cmd::expect_success_and_text 'oc whoami' "user3@${REALM}" os::cmd::expect_success_and_text 'oc logout' "user3@${REALM}" # Non-ticket users os::cmd::expect_failure_and_text 'oc login -u user4' "Can't find client principal user4@${REALM} in cache collection" os::cmd::expect_failure_and_not_text 'oc whoami' 'user4' os::cmd::expect_failure_and_text "oc login -u 'user4@${REALM}'" "Can't find client principal user4@${REALM} in cache collection" os::cmd::expect_failure_and_not_text 'oc whoami' 'user4' os::cmd::expect_failure_and_text 'oc login -u user4 -p password' "Can't find client principal user4@${REALM} in cache collection" os::cmd::expect_failure_and_not_text 'oc whoami' 'user4' os::cmd::expect_failure_and_text "oc login -u 'user4@${REALM}' -p password" "Can't find client principal user4@${REALM} in cache collection" os::cmd::expect_failure_and_not_text 'oc whoami' 'user4' os::cmd::expect_failure_and_text 'oc login -u user5 -p wrongpassword' "Can't find client principal user5@${REALM} in cache collection" os::cmd::expect_failure_and_not_text 'oc whoami' 'user5' os::cmd::expect_failure_and_text "oc login -u 'user5@${REALM}' -p wrongpassword" "Can't find client principal user5@${REALM} in cache collection" os::cmd::expect_failure_and_not_text 'oc whoami' 'user5' # Password is ignored if you have the ticket for the user os::cmd::expect_success_and_text 'oc login -u user1 -p wrongpassword' 'Login successful.' os::cmd::expect_success_and_text 'oc whoami' "user1@${REALM}" os::cmd::expect_success_and_text 'oc logout' "user1@${REALM}" os::cmd::expect_success_and_text "oc login -u 'user2@${REALM}' -p wrongpassword" 'Login successful.' os::cmd::expect_success_and_text 'oc whoami' "user2@${REALM}" os::cmd::expect_success_and_text 'oc logout' "user2@${REALM}" fi # Client has no GSSAPI libs or unconfigured GSSAPI libs and server is GSSAPI with Basic fallback # Only BASIC works # Errors do NOT mention Kerberos if [[ ( "${CLIENT}" = 'CLIENT_MISSING_LIBS' || "${CLIENT}" = 'CLIENT_HAS_LIBS' ) && "${SERVER}" = 'SERVER_GSSAPI_BASIC_FALLBACK' ]]; then os::cmd::expect_failure_and_text 'oc login <<< \n' 'Login failed \(401 Unauthorized\)' os::cmd::expect_failure_and_text 'oc whoami' 'system:anonymous' os::cmd::expect_failure_and_text 'oc login -u user1 <