directory-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From erodrig...@apache.org
Subject svn commit: rev 56123 - in incubator/directory/kerberos/trunk/source/main/org/apache/kerberos: crypto kdc kdc/server/udp kdc/store
Date Sun, 31 Oct 2004 06:27:51 GMT
Author: erodriguez
Date: Sat Oct 30 23:27:50 2004
New Revision: 56123

Modified:
   incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/crypto/CryptoService.java
   incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/AuthenticationService.java
   incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/KdcDispatcher.java
   incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/TicketGrantingService.java
   incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/server/udp/Main.java
   incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/store/LdapStore.java
Log:
Moved all service dependencies to use constructor injectian and began to centralize all configuration
parameters.

Modified: incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/crypto/CryptoService.java
==============================================================================
--- incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/crypto/CryptoService.java
(original)
+++ incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/crypto/CryptoService.java
Sat Oct 30 23:27:50 2004
@@ -25,12 +25,16 @@
 import java.util.*;
 
 public class CryptoService {
-
+	
 	private static final Map _encryptionEngines = new HashMap();
 	private static final Map _checksumEngines   = new HashMap();
 	
-	// TODO - these maps are classic configuration and, as such, probably belong elsewhere
-	public CryptoService() {
+	private KdcConfiguration _config;
+	
+	public CryptoService(KdcConfiguration config) {
+		
+		_config = config;
+		
 		_encryptionEngines.put(EncryptionType.NULL,          new NullEncryption());
 		_encryptionEngines.put(EncryptionType.DES_CBC_CRC,   new DesCbcCrcEncryption());
 		_encryptionEngines.put(EncryptionType.DES_CBC_MD4,   new DesCbcMd4Encryption());
@@ -56,18 +60,21 @@
 		return (EncryptionEngine)_encryptionEngines.get(type);
 	}
 	
-	public static EncryptionType getBestEncryptionType(EncryptionType[] requestedTypes) {
+	public EncryptionType getBestEncryptionType(EncryptionType[] requestedTypes)
+			throws KerberosException {
+		
+		EncryptionType[] encryptionTypes = _config.getEncryptionTypes();
 		
 		for (int i = 0; i < requestedTypes.length; i++) {
-			for (int j = 0; j < LocalConfig.DEFAULT_ETYPE_LIST.length; j++) {
-				if (requestedTypes[i] == LocalConfig.DEFAULT_ETYPE_LIST[j])
-					return LocalConfig.DEFAULT_ETYPE_LIST[j];
+			for (int j = 0; j < encryptionTypes.length; j++) {
+				if (requestedTypes[i] == encryptionTypes[j])
+					return encryptionTypes[j];
 			}
 		}
-		return LocalConfig.DEFAULT_ETYPE;
+		throw KerberosException.KDC_ERR_ETYPE_NOSUPP;
 	}
 	
-	public static EncryptionKey getNewSessionKey() {
+	public EncryptionKey getNewSessionKey() {
 		byte[] confounder = Confounder.bytes(8);
 		DesStringToKey subSessionKey = new DesStringToKey(new String(confounder));
 		return new EncryptionKey(EncryptionType.DES_CBC_MD5, subSessionKey.getKey());

Modified: incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/AuthenticationService.java
==============================================================================
--- incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/AuthenticationService.java
(original)
+++ incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/AuthenticationService.java
Sat Oct 30 23:27:50 2004
@@ -27,12 +27,18 @@
 
 public class AuthenticationService {
 	
-	private PrincipalStore _store;
-	private PrincipalStore _bootstrap;
-	
-	public AuthenticationService(PrincipalStore store, PrincipalStore bootstrap) {
-		_store     = store;
-		_bootstrap = bootstrap;
+	private PrincipalStore   _store;
+	private PrincipalStore   _bootstrap;
+	private CryptoService    _cryptoService;
+	private KdcConfiguration _config;
+	
+	public AuthenticationService(PrincipalStore store, PrincipalStore bootstrap,
+			CryptoService cryptoService, KdcConfiguration config) {
+		
+		_store         = store;
+		_bootstrap     = bootstrap;
+		_cryptoService = cryptoService;
+		_config        = config;
 	}
 	
 	public AuthenticationReply getReplyFor(KdcRequest request) throws KerberosException {
@@ -133,7 +139,7 @@
 				request.getKdcOptions().get(KdcOptions.ENC_TKT_IN_SKEY))
 			throw KerberosException.KDC_ERR_BADOPTION;
 		
-		newTicketBody.setSessionKey(CryptoService.getNewSessionKey());
+		newTicketBody.setSessionKey(_cryptoService.getNewSessionKey());
 		newTicketBody.setClientPrincipal(request.getClientPrincipal());
 		newTicketBody.setTransitedEncoding(new TransitedEncoding());
 		
@@ -142,7 +148,7 @@
 	
 		if (request.getKdcOptions().get(KdcOptions.POSTDATED)) {
 			// TODO - possibly allow req.from range
-			if (!LocalConfig.KDC_POSTDATE_ALLOWED)
+			if (!_config.isPostdateAllowed())
 				throw KerberosException.KDC_ERR_POLICY;
 			newTicketBody.setFlag(TicketFlags.INVALID);
 			newTicketBody.setStartTime(request.getFrom());
@@ -159,7 +165,7 @@
 	                      new_tkt.starttime+server.max_life,
 	                      new_tkt.starttime+max_life_for_realm);
 	*/
-	long endTime = Math.min(now.getTime() + LocalConfig.DEFAULT_MAXIMUM_TICKET_LIFETIME, till);
+	long endTime = Math.min(now.getTime() + _config.getMaximumTicketLifetime(), till);
 	KerberosTime kerberosEndTime = new KerberosTime(endTime);
 	newTicketBody.setEndTime(kerberosEndTime);
 
@@ -189,7 +195,7 @@
 		if (request.getKdcOptions().get(KdcOptions.RENEWABLE)) {
 			newTicketBody.setFlag(TicketFlags.RENEWABLE);
 			long renewTill = Math.min(request.getFrom().getTime()
-					+ LocalConfig.DEFAULT_MAXIMUM_RENEWABLE_LIFETIME, tempRtime);
+					+ _config.getMaximumRenewableLifetime(), tempRtime);
 			newTicketBody.setRenewTill(new KerberosTime(renewTill));
 		}
 
@@ -214,9 +220,7 @@
 		try {
 			byte[] plainText = encoder.encode(ticketPart);
 			
-			CryptoService enc = new CryptoService();
-			
-			encryptedTicketPart = enc.getEncryptedData(serverKey, plainText);
+			encryptedTicketPart = _cryptoService.getEncryptedData(serverKey, plainText);
 			
 		} catch (Exception e) {
 			e.printStackTrace();
@@ -230,9 +234,7 @@
 		try {
 			byte[] plainText = encoder.encode(reply);
 			
-			CryptoService enc = new CryptoService();
-			
-			EncryptedData cipherText = enc.getEncryptedData(clientKey, plainText);
+			EncryptedData cipherText = _cryptoService.getEncryptedData(clientKey, plainText);
 
 			reply.setEncPart(cipherText);
 			

Modified: incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/KdcDispatcher.java
==============================================================================
--- incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/KdcDispatcher.java
(original)
+++ incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/KdcDispatcher.java
Sat Oct 30 23:27:50 2004
@@ -16,6 +16,7 @@
  */
 package org.apache.kerberos.kdc;
 
+import org.apache.kerberos.crypto.*;
 import org.apache.kerberos.io.decoder.*;
 import org.apache.kerberos.io.encoder.*;
 import org.apache.kerberos.kdc.replay.*;
@@ -31,21 +32,26 @@
 	private static final byte TGS_REQ = (byte) 0x6C;
 	private static final byte TGS_REP = (byte) 0x6D;
 	
-	private static final ReplayCache replay = new InMemoryReplayCache();
+	private ReplayCache _replay = new InMemoryReplayCache();
 	
-	private static final KdcRequestDecoder decoder = new KdcRequestDecoder();
-	private static final KdcReplyEncoder   encoder = new KdcReplyEncoder();
+	private KdcRequestDecoder _decoder = new KdcRequestDecoder();
+	private KdcReplyEncoder   _encoder = new KdcReplyEncoder();
 	
-	private static final PrincipalStore bootstrap = new KdcBootstrapStore();
+	private PrincipalStore   _bootstrap    = new KdcBootstrapStore();
+	private CryptoService    _cryptoService;
+	private KdcConfiguration _config;
+	private PrincipalStore   _store;
 	
 	private AuthenticationService _authService;
 	private TicketGrantingService _tgsService;
-	private PrincipalStore _store;
 	
-	public KdcDispatcher(PrincipalStore store) {
+	public KdcDispatcher(KdcConfiguration config, PrincipalStore store) {
+		_config      = config;
 		_store       = store;
-		_authService = new AuthenticationService(_store, bootstrap);
-		_tgsService  = new TicketGrantingService(_store, bootstrap, replay);
+		
+		_cryptoService = new CryptoService(_config);
+		_authService   = new AuthenticationService(_store, _bootstrap, _cryptoService, _config);
+		_tgsService    = new TicketGrantingService(_store, _bootstrap, _cryptoService, _config,
_replay);
 	}
 	
 	public byte[] dispatch(byte[] requestBytes) throws IOException, KerberosException {
@@ -53,7 +59,7 @@
 		ByteArrayInputStream  input  = new ByteArrayInputStream(requestBytes);
 		ByteArrayOutputStream output = new ByteArrayOutputStream();
 		
-		KdcRequest request = decoder.decode(input);
+		KdcRequest request = _decoder.decode(input);
 
 		byte messageType = requestBytes[0];
 		
@@ -63,7 +69,7 @@
 				// generate the reply
 				AuthenticationReply authReply = _authService.getReplyFor(request);
 				// ASN1 encode the reply
-				encoder.encode(authReply, output);
+				_encoder.encode(authReply, output);
 	    		
 				break;
 			
@@ -71,7 +77,7 @@
 				// generate the reply
 				TicketGrantReply ticketReply = _tgsService.getReplyFor(request);
 				// ASN1 encode the reply
-				encoder.encode(ticketReply, output);
+				_encoder.encode(ticketReply, output);
 				
 	    		break;
 	    		

Modified: incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/TicketGrantingService.java
==============================================================================
--- incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/TicketGrantingService.java
(original)
+++ incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/TicketGrantingService.java
Sat Oct 30 23:27:50 2004
@@ -37,14 +37,20 @@
  */
 public class TicketGrantingService {
 	
-	private PrincipalStore _store;
-	private PrincipalStore _bootstrap;
-	private ReplayCache    _replayCache;
-	
-	public TicketGrantingService(PrincipalStore store, PrincipalStore bootstrap, ReplayCache
replay) {
-		_store       = store;
-		_bootstrap   = bootstrap;
-		_replayCache = replay;
+	private PrincipalStore   _store;
+	private PrincipalStore   _bootstrap;
+	private CryptoService    _cryptoService;
+	private KdcConfiguration _config;
+	private ReplayCache      _replayCache;
+	
+	public TicketGrantingService(PrincipalStore store, PrincipalStore bootstrap,
+			CryptoService cryptoService, KdcConfiguration config, ReplayCache replay) {
+		
+		_store         = store;
+		_bootstrap     = bootstrap;
+		_cryptoService = cryptoService;
+		_config        = config;
+		_replayCache   = replay;
 	}
 	
 	public TicketGrantReply getReplyFor(KdcRequest request) throws KerberosException, IOException
{
@@ -61,9 +67,9 @@
 		
 		verifyBodyChecksum(authenticator.getChecksum(), request);
 		
-		EncryptionKey sessionKey = CryptoService.getNewSessionKey();
+		EncryptionKey sessionKey = _cryptoService.getNewSessionKey();
 		
-		EncryptionType eType = CryptoService.getBestEncryptionType(request.getEType());
+		EncryptionType eType = _cryptoService.getBestEncryptionType(request.getEType());
 		
 		Ticket newTicket = getNewTicket(request, tgt, sessionKey, authenticator);
 		
@@ -131,10 +137,8 @@
 			throw KerberosException.KRB_AP_ERR_NOKEY;
 		}
 		
-		CryptoService enc = new CryptoService();
-		
 		try {
-			byte[] decTicketPart = enc.decrypt(serverKey, tgt.getEncPart());
+			byte[] decTicketPart = _cryptoService.decrypt(serverKey, tgt.getEncPart());
 
 			EncTicketPartDecoder ticketPartDecoder = new EncTicketPartDecoder();
 			EncTicketPart encPart = ticketPartDecoder.decode(decTicketPart);
@@ -146,7 +150,7 @@
 		Authenticator authenticator;
 		
 		try {
-			byte[] decAuthenticator = enc.decrypt(tgt.getSessionKey(), authHeader.getEncPart());
+			byte[] decAuthenticator = _cryptoService.decrypt(tgt.getSessionKey(), authHeader.getEncPart());
 			AuthenticatorDecoder authDecoder = new AuthenticatorDecoder();
 			authenticator = authDecoder.decode(decAuthenticator);
 		} catch (KerberosException ke) {
@@ -173,10 +177,10 @@
         
 		_replayCache.save(authenticator.getClientTime(), authenticator.getClientPrincipal());
 		
-		if (!authenticator.getClientTime().isInClockSkew())
+		if (!authenticator.getClientTime().isInClockSkew(_config.getClockSkew()))
 			throw KerberosException.KRB_AP_ERR_SKEW;
 		
-		if (tgt.getStartTime() != null && !tgt.getStartTime().isInClockSkew() ||
+		if (tgt.getStartTime() != null && !tgt.getStartTime().isInClockSkew(_config.getClockSkew())
||
 				tgt.getFlag(TicketFlags.INVALID))
 				// it hasn't yet become valid
                 throw KerberosException.KRB_AP_ERR_TKT_NYV;
@@ -200,7 +204,7 @@
 			throws KerberosException {
 		
 		Ticket tgt = authHeader.getTicket();
-		if (!tgt.getRealm().toString().equals(LocalConfig.KDC_PRIMARY_REALM) &&
+		if (!tgt.getRealm().toString().equals(_config.getPrimaryRealm()) &&
 				!tgt.getServerPrincipal().equals(request.getServerPrincipal()))
 			throw KerberosException.KRB_AP_ERR_NOT_US;
 	}
@@ -351,7 +355,7 @@
 			newTicketBody.setFlag(TicketFlags.POSTDATED);
 			newTicketBody.setFlag(TicketFlags.INVALID);
 			
-			if (!LocalConfig.KDC_POSTDATE_ALLOWED)
+			if (!_config.isPostdateAllowed())
 				throw KerberosException.KDC_ERR_POLICY;
 			
 			newTicketBody.setStartTime(request.getFrom());
@@ -425,7 +429,7 @@
             */
 			List minimizer = new ArrayList();
 			minimizer.add(till);
-			minimizer.add(new KerberosTime(now.getTime() + LocalConfig.KDC_MAXIMUM_TICKET_LIFETIME));
+			minimizer.add(new KerberosTime(now.getTime() + _config.getMaximumTicketLifetime()));
 			minimizer.add(tgt.getEndTime());
 			KerberosTime minTime = (KerberosTime)Collections.min(minimizer);
 			newTicketBody.setEndTime(minTime);
@@ -461,7 +465,7 @@
 			// TODO - client and server configurable; requires store 
 			List minimizer = new ArrayList();
 			minimizer.add(rtime);
-			minimizer.add(new KerberosTime(now.getTime() + LocalConfig.DEFAULT_MAXIMUM_RENEWABLE_LIFETIME));
+			minimizer.add(new KerberosTime(now.getTime() + _config.getMaximumRenewableLifetime()));
 			minimizer.add(tgt.getRenewTill());
 			newTicketBody.setRenewTill((KerberosTime)Collections.min(minimizer));
 		}
@@ -474,8 +478,7 @@
 
 		if (request.getEncAuthorizationData() != null) {
 			try {
-				CryptoService enc = new CryptoService();
-				byte[] decryptedAuthData = enc.decrypt(authHeader.getSubSessionKey(),
+				byte[] decryptedAuthData = _cryptoService.decrypt(authHeader.getSubSessionKey(),
 						request.getEncAuthorizationData());
 				AuthorizationDataDecoder decoder = new AuthorizationDataDecoder();
 				authData = decoder.decode(decryptedAuthData);
@@ -522,8 +525,6 @@
 			throw KerberosException.KRB_ERR_GENERIC;
 		}
 		
-		CryptoService enc = new CryptoService();
-		
 		if (request.getOption(KdcOptions.ENC_TKT_IN_SKEY)) {
 			/*
 			if (server not specified) then
@@ -539,7 +540,7 @@
 		} else {
 			// encrypt with serverKey
 		}
-		return enc.getEncryptedData(serverKey, encodedTicket);
+		return _cryptoService.getEncryptedData(serverKey, encodedTicket);
 	}
 	
 	// TODO - support multiple encryption types, this is hardwired for DES_CBC_MD5
@@ -548,9 +549,7 @@
 		try {
 			byte[] plainText = encoder.encode(reply);
 			
-			CryptoService enc = new CryptoService();
-			
-			EncryptedData cipherText = enc.getEncryptedData(key, plainText);
+			EncryptedData cipherText = _cryptoService.getEncryptedData(key, plainText);
 
 			reply.setEncPart(cipherText);
 			

Modified: incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/server/udp/Main.java
==============================================================================
--- incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/server/udp/Main.java
(original)
+++ incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/server/udp/Main.java
Sat Oct 30 23:27:50 2004
@@ -24,11 +24,9 @@
 
 public class Main {
 
-	public static final int DEFAULT_PORT = 88;
-	public static final int BUFFER_SIZE  = 1024;
-
-	private static final PrincipalStore ldap = new LdapStore();
-	private static final KdcDispatcher kdc   = new KdcDispatcher(ldap);
+	private static final KdcConfiguration config = new KdcConfiguration();
+	private static final PrincipalStore ldap     = new LdapStore(config);
+	private static final KdcDispatcher kdc       = new KdcDispatcher(config, ldap);
 	
 	public static void main(String[] args) {
 		Main m = new Main();
@@ -36,13 +34,16 @@
 	}
 
 	private void go() {
+		
+		initConfig();
+		initStore();
+		
 		DatagramSocket socket = null;
 		try {
-			socket = new DatagramSocket(DEFAULT_PORT);
-			initStore();
+			socket = new DatagramSocket(config.getDefaultPort());
 
 			while (true) {
-				byte[] requestBytes = new byte[BUFFER_SIZE];
+				byte[] requestBytes = new byte[config.getBufferSize()];
 
 				DatagramPacket packet = new DatagramPacket(requestBytes, requestBytes.length);
 				socket.receive(packet);
@@ -56,6 +57,10 @@
 			if (socket != null)
 				socket.close();
 		}
+	}
+	
+	private void initConfig() {
+		// TODO - implement
 	}
 
 	private void initStore() {

Modified: incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/store/LdapStore.java
==============================================================================
--- incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/store/LdapStore.java
(original)
+++ incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/store/LdapStore.java
Sat Oct 30 23:27:50 2004
@@ -20,7 +20,6 @@
 import org.apache.kerberos.kdc.jaas.*;
 
 import java.security.*;
-import java.util.*;
 
 import javax.naming.*;
 import javax.naming.directory.*;
@@ -42,27 +41,34 @@
 	public static final String PRINCIPAL_REALM    = "krb5PrincipalRealm";
 	public static final String REALM_NAME         = "krb5RealmName";
 	
-	private Subject _subject;
+	private KdcConfiguration _config;
+	private Subject          _subject;
+	
+	public LdapStore(KdcConfiguration config) {
+		_config = config;
+	}
 	
 	public void init() {
 		if (_subject == null) {
-			KdcSubject subjectLogin = new KdcSubjectLogin(LocalConfig.KDC_PRINCIPAL,
-					LocalConfig.KDC_PASSPHRASE);
+			KdcSubject subjectLogin = new KdcSubjectLogin(_config.getKdcPrincipal(),
+					_config.getKdcPassPhrase());
 			_subject = subjectLogin.getSubject();
 		}
 	}
 	
 	public PrincipalStoreEntry getEntry(KerberosPrincipal principal) {
-		return (PrincipalStoreEntry)Subject.doAs(_subject, new JaasLdapLookupAction(principal));
+		return (PrincipalStoreEntry)Subject.doAs(_subject, new JaasLdapLookupAction(_config, principal));
 	}
 }
 
 class JaasLdapLookupAction implements PrivilegedAction {
 
+	private KdcConfiguration    _config;
 	private KerberosPrincipal   _principal;
 	private PrincipalStoreEntry _entry;
 
-	public JaasLdapLookupAction(KerberosPrincipal principal) {
+	public JaasLdapLookupAction(KdcConfiguration config, KerberosPrincipal principal) {
+		_config    = config;
 		_principal = principal;
 	}
 
@@ -73,23 +79,8 @@
 
 	private void performJndiOperation() {
 
-		// Set up environment for initial context
-		Hashtable env = new Hashtable();
-		env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
-		env.put(Context.PROVIDER_URL, LocalConfig.JNDI_PROVIDER_URL);
-		// Request that the key be returned as binary, not String
-		env.put("java.naming.ldap.attributes.binary", "krb5Key");
-		// Request the use of SASL-GSSAPI, using already established Kerberos credentials
-		env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
-		// Request mutual authentication
-		env.put("javax.security.sasl.server.authentication", "true");
-		// Request authentication with integrity and privacy protection
-		env.put("javax.security.sasl.qop", "auth-conf");
-		// Request high-strength cryptographic protection
-		env.put("javax.security.sasl.strength", "high");
-
 		try {
-			DirContext ctx = new InitialDirContext(env);
+			DirContext ctx = new InitialDirContext(_config.getProperties());
 
 			search(ctx);
 

Mime
View raw message