Return-Path: Delivered-To: apmail-incubator-directory-cvs-archive@www.apache.org Received: (qmail 34907 invoked from network); 2 Nov 2004 07:01:57 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (209.237.227.199) by minotaur-2.apache.org with SMTP; 2 Nov 2004 07:01:57 -0000 Received: (qmail 35941 invoked by uid 500); 2 Nov 2004 07:01:56 -0000 Delivered-To: apmail-incubator-directory-cvs-archive@incubator.apache.org Received: (qmail 35884 invoked by uid 500); 2 Nov 2004 07:01:56 -0000 Mailing-List: contact directory-cvs-help@incubator.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: directory-dev@incubator.apache.org Delivered-To: mailing list directory-cvs@incubator.apache.org Received: (qmail 35858 invoked by uid 99); 2 Nov 2004 07:01:55 -0000 X-ASF-Spam-Status: No, hits=-10.0 required=10.0 tests=ALL_TRUSTED,NO_REAL_NAME X-Spam-Check-By: apache.org Received: from [209.237.227.194] (HELO minotaur.apache.org) (209.237.227.194) by apache.org (qpsmtpd/0.28) with SMTP; Mon, 01 Nov 2004 23:01:55 -0800 Received: (qmail 34875 invoked by uid 65534); 2 Nov 2004 07:01:54 -0000 Date: 2 Nov 2004 07:01:54 -0000 Message-ID: <20041102070154.34871.qmail@minotaur.apache.org> 
From: erodriguez@apache.org To: directory-cvs@incubator.apache.org Subject: svn commit: rev 56360 - incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc X-Virus-Checked: Checked X-Spam-Rating: minotaur-2.apache.org 1.6.2 0/1000/N Author: erodriguez Date: Mon Nov 1 23:01:53 2004 New Revision: 56360 Modified: incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/TicketGrantingService.java Log: Minor refactoring, hoping for better code reuse in AP scenarios. Modified: incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/TicketGrantingService.java ==============================================================================
--- incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/TicketGrantingService.java (original)
+++ incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/TicketGrantingService.java Mon Nov 1 23:01:53 2004
@@ -59,9 +59,9 @@
 Ticket tgt = authHeader.getTicket();
- Authenticator authenticator = verifyApReq(authHeader, tgt);
+ Authenticator authenticator = verifyAuthHeader(authHeader, tgt);
- verifyTicket(authHeader, request);
+ verifyTicket(tgt, request.getServerPrincipal());
 verifyBodyChecksum(authenticator.getChecksum(), request);
@@ -96,7 +96,7 @@
 } // RFC 1510 A.10. KRB_AP_REQ verification
- private Authenticator verifyApReq(ApplicationRequest authHeader, Ticket tgt)
+ private Authenticator verifyAuthHeader(ApplicationRequest authHeader, Ticket ticket)
 throws KerberosException, IOException { if (authHeader.getProtocolVersionNumber() != 5)
@@ -111,7 +111,7 @@
 if (authHeader.getOption(ApOptions.USE_SESSION_KEY)) { serverKey = authHeader.getTicket().getSessionKey(); } else {
- KerberosPrincipal serverPrincipal = tgt.getServerPrincipal();
+ KerberosPrincipal serverPrincipal = ticket.getServerPrincipal();
 PrincipalStoreEntry serverEntry = _bootstrap.getEntry(serverPrincipal); if (serverEntry != null) { serverKey = serverEntry.getEncryptionKey(); 
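Review bot: In the `USE_SESSION_KEY` branch of this hunk, `serverKey = authHeader.getTicket().getSessionKey();` takes a session key from a ticket whose encrypted part has not been decrypted yet — the `EncTicketPart` is only decoded and attached via `setEncTicketPart` further down this method — so, depending on what backs `Ticket.getSessionKey()`, this yields null or a stale value rather than a key that can open the ticket. Per RFC 1510 the USE-SESSION-KEY option means the ticket was sealed under a session key the receiving server already holds from an earlier exchange, which the TGS never has, so this branch cannot succeed for a TGS request and should reject it instead of attempting decryption; the `else` key-lookup path is the only valid one here. Something like `if (authHeader.getOption(ApOptions.USE_SESSION_KEY)) { throw KerberosException.KRB_AP_ERR_BAD_INTEGRITY; }` would do, substituting a more specific AP error constant if the project defines one. verifyAuthHeader starts in the previous hunk and continues beyond this one.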
@@ -128,11 +128,11 @@
 } try {
- byte[] decTicketPart = _cryptoService.decrypt(serverKey, tgt.getEncPart());
+ byte[] decTicketPart = _cryptoService.decrypt(serverKey, ticket.getEncPart());
 EncTicketPartDecoder ticketPartDecoder = new EncTicketPartDecoder(); EncTicketPart encPart = ticketPartDecoder.decode(decTicketPart);
- tgt.setEncTicketPart(encPart);
+ ticket.setEncTicketPart(encPart);
 } catch (KerberosException ke) { throw KerberosException.KRB_AP_ERR_BAD_INTEGRITY; }
@@ -140,19 +140,19 @@
 Authenticator authenticator; try {
- byte[] decAuthenticator = _cryptoService.decrypt(tgt.getSessionKey(), authHeader.getEncPart());
+ byte[] decAuthenticator = _cryptoService.decrypt(ticket.getSessionKey(), authHeader.getEncPart());
 AuthenticatorDecoder authDecoder = new AuthenticatorDecoder(); authenticator = authDecoder.decode(decAuthenticator); } catch (KerberosException ke) { throw KerberosException.KRB_AP_ERR_BAD_INTEGRITY; }
- if (!authenticator.getClientPrincipal().getName().equals(tgt.getClientPrincipal().getName())) {
+ if (!authenticator.getClientPrincipal().getName().equals(ticket.getClientPrincipal().getName())) {
 throw KerberosException.KRB_AP_ERR_BADMATCH; } // TODO - need to get at IP Address for sender
- if (tgt.getClientAddresses() != null) {
+ if (ticket.getClientAddresses() != null) {
 // if (sender_address(packet) is not in decr_ticket.caddr)
 // then error_out(KRB_AP_ERR_BADADDR);
 } 
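Review bot: Between decrypting the authenticator and the BADMATCH check in the `@@ -140` hunk there is no replay detection, and nothing in view records or looks up the authenticator; RFC 1510 A.10 requires that an authenticator already seen within the clock-skew window be rejected (the RFC's KRB_AP_ERR_REPEAT), otherwise a captured AP-REQ can be resubmitted to the TGS for as long as the skew allows. If the lines between this hunk and the `@@ -170` one do not already do it, a replay cache keyed on the client principal and the authenticator's ctime/cusec should be consulted here and the authenticator recorded once the remaining checks pass. Separately, the BADMATCH comparison is on `getName()` only; that is sufficient if `KerberosPrincipal` is the javax type, whose name embeds the realm, but if it is a project type a cross-realm client with the same name part would pass, so comparing the realm explicitly is safer. The client-address TODO on the last lines also leaves the RFC's BADADDR check unimplemented, which is worth tracking since the ticket's caddr is the only thing that binds it to a host. verifyAuthHeader continues past this hunk.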
@@ -170,13 +170,13 @@
 if (!authenticator.getClientTime().isInClockSkew(_config.getClockSkew())) throw KerberosException.KRB_AP_ERR_SKEW;
- if (tgt.getStartTime() != null && !tgt.getStartTime().isInClockSkew(_config.getClockSkew()) ||
- tgt.getFlag(TicketFlags.INVALID))
+ if (ticket.getStartTime() != null && !ticket.getStartTime().isInClockSkew(_config.getClockSkew()) ||
+ ticket.getFlag(TicketFlags.INVALID))
 // it hasn't yet become valid
 throw KerberosException.KRB_AP_ERR_TKT_NYV; // TODO - doesn't take into account skew
- if (!tgt.getEndTime().greaterThan(new KerberosTime()))
+ if (!ticket.getEndTime().greaterThan(new KerberosTime()))
 throw KerberosException.KRB_AP_ERR_TKT_EXPIRED; authHeader.setOption(ApOptions.MUTUAL_REQUIRED);
@@ -184,12 +184,11 @@
 return authenticator; }
- private void verifyTicket(ApplicationRequest authHeader, KdcRequest request)
+ private void verifyTicket(Ticket ticket, KerberosPrincipal serverPrincipal)
 throws KerberosException {
- Ticket tgt = authHeader.getTicket();
- if (!tgt.getRealm().equals(_config.getPrimaryRealm()) &&
- !tgt.getServerPrincipal().equals(request.getServerPrincipal()))
+ if (!ticket.getRealm().equals(_config.getPrimaryRealm()) &&
+ !ticket.getServerPrincipal().equals(serverPrincipal))
 throw KerberosException.KRB_AP_ERR_NOT_US; }
@@ -229,12 +228,11 @@
 throw KerberosException.KRB_AP_ERR_MODIFIED; }
- private EncryptionKey getServerKey(KdcRequest request) throws KerberosException {
+ private EncryptionKey getServerKey(KerberosPrincipal serverPrincipal) throws KerberosException {
 EncryptionKey serverKey = null; // TODO - allow lookup with realm
 try {
- KerberosPrincipal serverPrincipal = request.getServerPrincipal();
 PrincipalStoreEntry serverEntry = _bootstrap.getEntry(serverPrincipal); if (serverEntry != null) { serverKey = serverEntry.getEncryptionKey(); 
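Review bot: The rewritten start-time test in the `@@ -170` hunk throws TKT_NYV whenever `ticket.getStartTime()` is more than the skew away from now, which — if `isInClockSkew` is the symmetric window its name and the client-time check on the line above suggest — also rejects every ticket whose explicit starttime lies more than the skew in the past, i.e. tickets that became valid long ago. RFC 1510 A.10 makes this check one-sided: "not yet valid" means the starttime is later than now by more than the skew, so the condition should only compare in that direction (for instance a `greaterThan` against now plus `_config.getClockSkew()`, if `KerberosTime` can express that). The expiry check two lines down ignores the skew in the other direction, as the existing TODO notes, so both bounds currently disagree with the RFC. This hunk is the tail of verifyAuthHeader, which begins in an earlier hunk.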
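Review bot: `verifyTicket` in the `@@ -184` hunk joins its two conditions with `&&`, so KRB_AP_ERR_NOT_US is raised only when both the realm and the server principal mismatch; any ticket from the primary realm therefore passes regardless of which service it was issued to, and because `verifyAuthHeader` fetches the decryption key from the ticket's own `getServerPrincipal()` via `_bootstrap`, a client can present an ordinary service ticket for any principal the KDC holds a key for in place of a TGT and have the TGS accept it. RFC 1510 A.10 ORs the two tests, so the check should read `if (!ticket.getRealm().equals(_config.getPrimaryRealm()) || !ticket.getServerPrincipal().equals(serverPrincipal))`. With OR, the argument chosen at the call site in the first hunk, `request.getServerPrincipal()`, would then always fail for a legitimate request — that is the service the client is asking a ticket for, not the principal this AP-REQ is addressed to — so the caller should instead pass the TGS's own principal (the krbtgt entry for the primary realm, presumably obtainable from `_config`), which is what the ticket's sname must be compared against.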
@@ -279,7 +277,7 @@
 processTimes(request, newTicketBody, tgt);
- EncryptionKey serverKey = getServerKey(request);
+ EncryptionKey serverKey = getServerKey(request.getServerPrincipal());
 EncTicketPart ticketPart = newTicketBody.getEncTicketPart();