mschmitt · May 23, 2024 09:32
diff --git a/oidc.sh b/oidc.sh
 #!/usr/bin/env bash

 rm -f cookie.txt
 rm -f trace_curl.* trace_krb5.*

 # source url sets the $URL1 environment. Confidentiality something something.
 source url

 # Test case 1: No authentication, no cookies, allow redirect.
 # Expected behaviour: Application server at $URL1 redirects to oidc server, oidc server returns error/login page.
 # Result: Works (fails), as expected. 
 # klist: No ticket for oidc server, as expected.
 curl --trace-ascii trace_curl_unauth.txt --output body_unauth.html --location "${URL1}"

 # Test case 2: negotiate, cookies, allow redirect.
 # Expected behaviour: Application server at $URL1 redirects to oidc server, oidc server works krb5 auth, redirects to application server.
 # Result: "gss_init_sec_context() failed: Server not found in Kerberos database" on initial request, no further auth attempt after redirect
 # klist: No ticket for oidc server.
 export KRB5_TRACE=trace_krb5_location.txt
 curl --trace-ascii trace_curl_location.txt --output body_location.html --negotiate --cookie cookie.txt --cookie-jar cookie.txt --location --write-out '%output{url1.out}%{redirect_url}' "${URL1}"

 # Test case 3, step 1: negotiate, cookies, save redirect URL
 # Expected behaviour: Application server at $URL1 redirects to oidc server, oidc server works krb5 auth, redirects to application server.
 # Result: "gss_init_sec_context() failed: Server not found in Kerberos database" on initial request, redirect received.
 # klist: No ticket for oidc server, as expected.
 export KRB5_TRACE=trace_krb5_url1.txt
 curl --trace-ascii trace_curl_url1.txt --output body_url1.html --negotiate --cookie cookie.txt --cookie-jar cookie.txt --write-out '%output{url1.out}%{redirect_url}' "${URL1}"

 # Test case 3, step 2: negotiate, cookies, to redirect URL
 # Expected behaviour: Oidc server works krb5 auth, redirects to application server.
 # Result: Negotiate header gets sent, body is same error page as on case 1, no redirect back to application received, url2.out is empty.
 # klist: Has ticket for oidc server.
 URL2=$(cat url1.out)
 export KRB5_TRACE=trace_krb5_url2.txt
 curl --trace-ascii trace_curl_url2.txt --output body_url2.html --negotiate --cookie cookie.txt --cookie-jar cookie.txt --write-out '%output{url2.out}%{redirect_url}' "${URL2}"

 # All error pages from case 1, 2 and 3.2 (interactions with oidc) are identical, minor differences in nonces on the login forms.
 # $ wc body_unauth.html body_location.html body_url2.html
 #  739  1997 27343 body_unauth.html
 #  739  1997 27343 body_location.html
 #  739  1997 27343 body_url2.html
	#!/usr/bin/env bash

	rm -f cookie.txt
	rm -f trace_curl.* trace_krb5.*

	# source url sets the $URL1 environment. Confidentiality something something.
	source url

	# Test case 1: No authentication, no cookies, allow redirect.
	# Expected behaviour: Application server at $URL1 redirects to oidc server, oidc server returns error/login page.
	# Result: Works (fails), as expected.
	# klist: No ticket for oidc server, as expected.
	curl --trace-ascii trace_curl_unauth.txt --output body_unauth.html --location "${URL1}"

	# Test case 2: negotiate, cookies, allow redirect.
	# Expected behaviour: Application server at $URL1 redirects to oidc server, oidc server works krb5 auth, redirects to application server.
	# Result: "gss_init_sec_context() failed: Server not found in Kerberos database" on initial request, no further auth attempt after redirect
	# klist: No ticket for oidc server.
	export KRB5_TRACE=trace_krb5_location.txt
	curl --trace-ascii trace_curl_location.txt --output body_location.html --negotiate --cookie cookie.txt --cookie-jar cookie.txt --location --write-out '%output{url1.out}%{redirect_url}' "${URL1}"

	# Test case 3, step 1: negotiate, cookies, save redirect URL
	# Expected behaviour: Application server at $URL1 redirects to oidc server, oidc server works krb5 auth, redirects to application server.
	# Result: "gss_init_sec_context() failed: Server not found in Kerberos database" on initial request, redirect received.
	# klist: No ticket for oidc server, as expected.
	export KRB5_TRACE=trace_krb5_url1.txt
	curl --trace-ascii trace_curl_url1.txt --output body_url1.html --negotiate --cookie cookie.txt --cookie-jar cookie.txt --write-out '%output{url1.out}%{redirect_url}' "${URL1}"

	# Test case 3, step 2: negotiate, cookies, to redirect URL
	# Expected behaviour: Oidc server works krb5 auth, redirects to application server.
	# Result: Negotiate header gets sent, body is same error page as on case 1, no redirect back to application received, url2.out is empty.
	# klist: Has ticket for oidc server.
	URL2=$(cat url1.out)
	export KRB5_TRACE=trace_krb5_url2.txt
	curl --trace-ascii trace_curl_url2.txt --output body_url2.html --negotiate --cookie cookie.txt --cookie-jar cookie.txt --write-out '%output{url2.out}%{redirect_url}' "${URL2}"

	# All error pages from case 1, 2 and 3.2 (interactions with oidc) are identical, minor differences in nonces on the login forms.
	# $ wc body_unauth.html body_location.html body_url2.html
	# 739 1997 27343 body_unauth.html
	# 739 1997 27343 body_location.html
	# 739 1997 27343 body_url2.html