
From erodrig...@apache.org
Subject svn commit: r549366 - in /directory/clients/trunk/kerberos: password/src/main/java/org/apache/directory/client/password/ExportKey.java realm/src/main/java/org/apache/directory/client/realm/ExportKey.java
Date Thu, 21 Jun 2007 04:54:55 GMT
Author: erodriguez
Date: Wed Jun 20 21:54:54 2007
New Revision: 549366

URL: http://svn.apache.org/viewvc?view=rev&rev=549366
Log:
Moved key export to Set Change Password client to make it part of Set Change Password v2.

Added:
    directory/clients/trunk/kerberos/password/src/main/java/org/apache/directory/client/password/ExportKey.java
  (contents, props changed)
      - copied, changed from r548177, directory/clients/trunk/kerberos/realm/src/main/java/org/apache/directory/client/realm/ExportKey.java
Removed:
    directory/clients/trunk/kerberos/realm/src/main/java/org/apache/directory/client/realm/ExportKey.java

Copied: directory/clients/trunk/kerberos/password/src/main/java/org/apache/directory/client/password/ExportKey.java
(from r548177, directory/clients/trunk/kerberos/realm/src/main/java/org/apache/directory/client/realm/ExportKey.java)
URL: http://svn.apache.org/viewvc/directory/clients/trunk/kerberos/password/src/main/java/org/apache/directory/client/password/ExportKey.java?view=diff&rev=549366&p1=directory/clients/trunk/kerberos/realm/src/main/java/org/apache/directory/client/realm/ExportKey.java&r1=548177&p2=directory/clients/trunk/kerberos/password/src/main/java/org/apache/directory/client/password/ExportKey.java&r2=549366
==============================================================================
--- directory/clients/trunk/kerberos/realm/src/main/java/org/apache/directory/client/realm/ExportKey.java
(original)
+++ directory/clients/trunk/kerberos/password/src/main/java/org/apache/directory/client/password/ExportKey.java
Wed Jun 20 21:54:54 2007
@@ -17,13 +17,13 @@
  *  under the License. 
  *  
  */
-package org.apache.directory.client.realm;
+package org.apache.directory.client.password;
 
 
-import java.io.BufferedReader;
 import java.io.File;
 import java.io.IOException;
-import java.security.PrivilegedAction;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
 import java.util.ArrayList;
 import java.util.Hashtable;
 import java.util.Iterator;
@@ -36,13 +36,9 @@
 import javax.naming.directory.InitialDirContext;
 import javax.security.auth.Subject;
 import javax.security.auth.kerberos.KerberosPrincipal;
-import javax.security.auth.login.Configuration;
-import javax.security.auth.login.LoginContext;
-import javax.security.auth.login.LoginException;
+import javax.security.auth.kerberos.KerberosTicket;
 
 import org.apache.directory.server.kerberos.shared.crypto.encryption.EncryptionType;
-import org.apache.directory.server.kerberos.shared.jaas.CallbackHandlerBean;
-import org.apache.directory.server.kerberos.shared.jaas.Krb5LoginConfiguration;
 import org.apache.directory.server.kerberos.shared.keytab.Keytab;
 import org.apache.directory.server.kerberos.shared.keytab.KeytabEntry;
 import org.apache.directory.server.kerberos.shared.messages.value.EncryptionKey;
@@ -52,164 +48,132 @@
 
 
 /**
- * A command-line client for exporting Kerberos symmetric keys.
+ * A command object for exporting the Kerberos keys of a target principal.
  * 
  * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
  * @version $Rev$, $Date$
  */
 public class ExportKey
 {
-    private String hostname = "ldap.example.com";
-    private String realm = "EXAMPLE.COM";
-    private int port = 389;
-    private String principalName = "ldap/" + hostname + "@" + realm;
-    private String kdc = "localhost";
-    private String username = "hnelson";
-    private String password = "s3crEt";
-    private String keytabFileName = "/root/test.keytab";
+    /** The remote LDAP server name. */
+    private String hostname;
 
-    private DirContext ctx;
-
-    static BufferedReader in;
+    /** The remote LDAP server port. */
+    private int port;
 
+    /** The keytab file to write the keys to. */
+    private String keytabFileName;
 
     /**
-     * Creates a new instance of ExportKey and sets JAAS system properties
-     * for the KDC and realm, so we don't have to rely on external configuration.
+     * Sets system properties for help debugging.
      */
-    public ExportKey()
+    static
     {
-        System.setProperty( "java.security.krb5.realm", realm );
-        System.setProperty( "java.security.krb5.kdc", kdc );
+        System.setProperty( "javax.security.auth.useSubjectCredsOnly", "true" );
+        System.setProperty( "sun.security.krb5.debug", "true" );
     }
 
 
     /**
-     * TODO - Add CLI support for parameters:
-     * client name
-     * baseDN
-     * server
-     * service
-     * filename
+     * Creates a new instance of ExportKey.
      *
-     * @param args
-     * @throws Exception
+     * @param hostname
+     * @param port 
      */
-    public static void main( String[] args ) throws Exception
+    public ExportKey( String hostname, int port )
     {
-        new ExportKey().go();
+        this.hostname = hostname;
+        this.port = port;
     }
 
 
-    /*
-     in = new BufferedReader( new InputStreamReader( System.in ) );
-     String name = getInputString( "What is your name? " );
-     System.out.println( "Your name is " + name );
+    /**
+     * Execute the request to export keys to a keytab.  The search base DN is the root of
the
+     * sub-tree where principals can be found, eg "ou=users,dc=example,dc=com".
+     * 
+     * @param tgt 
+     * @param serviceTicket 
+     * @param searchBaseDn 
+     * @param targetPrincipal 
+     * @throws PasswordConnectionException 
      */
-    private static String getInputString( String prompt ) throws IOException
+    public void execute( KerberosTicket tgt, KerberosTicket serviceTicket, String searchBaseDn,
+        KerberosPrincipal targetPrincipal ) throws PasswordConnectionException
     {
-        System.out.print( prompt );
-        return in.readLine();
-    }
+        Subject subject = new Subject();
+        subject.getPrivateCredentials().add( tgt );
+        subject.getPrivateCredentials().add( serviceTicket );
 
+        PrincipalStoreEntry entry = getContext( subject, searchBaseDn, targetPrincipal );
 
-    /**
-     * Setup context as remote.
-     * Call GetPrincipal.
-     * Use PrincipalEntry and reconstituteKeyMap().
-     */
-    public void go()
-    {
-        Subject subject = getSubject();
+        Map<EncryptionType, EncryptionKey> map = entry.getKeyMap();
 
-        getContext( subject );
+        writeKeytab( targetPrincipal.getName(), map );
     }
 
 
     /**
-     * Gets the {@link Subject}.
+     * Perform JNDI work as authenticated Subject.
+     *
+     * @param subject
      */
-    private Subject getSubject()
+    private PrincipalStoreEntry getContext( Subject subject, final String searchBaseDn,
+        final KerberosPrincipal targetPrincipal ) throws PasswordConnectionException
     {
-        // Use our custom configuration to avoid reliance on external config
-        Configuration.setConfiguration( new Krb5LoginConfiguration() );
+        Object entry;
 
-        // 1. Authenticate to Kerberos.
-        LoginContext lc = null;
         try
         {
-            lc = new LoginContext( ExportKey.class.getName(), new CallbackHandlerBean( username,
password ) );
-            lc.login();
-        }
-        catch ( LoginException le )
-        {
-            // Bad username:  Client not found in Kerberos database
-            // Bad password:  Integrity check on decrypted field failed
-            System.out.println( "Authentication failed:  " + le.getMessage() );
-        }
-
-        return lc.getSubject();
-    }
-
-
-    private void getContext( Subject subject )
-    {
-        // 2. Perform JNDI work as authenticated Subject.
-        Subject.doAs( subject, new PrivilegedAction()
-        {
-            public Object run()
+            entry = Subject.doAs( subject, new PrivilegedExceptionAction()
             {
-                try
+                public Object run() throws Exception
                 {
-                    // Create the initial context
-                    Hashtable<String, String> env = new Hashtable<String, String>();
-                    env.put( Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory"
);
-                    env.put( Context.PROVIDER_URL, "ldap://" + hostname + ":" + port + "/ou=users,dc=example,dc=com"
);
-
-                    // Request the use of the "GSSAPI" SASL mechanism
-                    // Authenticate by using already established Kerberos credentials
-                    env.put( Context.SECURITY_AUTHENTICATION, "GSSAPI" );
-
-                    // Request privacy protection
-                    env.put( "javax.security.sasl.qop", "auth-conf" );
-
-                    // Request mutual authentication
-                    env.put( "javax.security.sasl.server.authentication", "true" );
-
-                    // Request high-strength cryptographic protection
-                    env.put( "javax.security.sasl.strength", "high" );
-
-                    env.put( "java.naming.ldap.attributes.binary", "krb5key" );
-
-                    ctx = new InitialDirContext( env );
-
-                    KerberosPrincipal principal = new KerberosPrincipal( principalName );
-                    GetPrincipal getPrincipal = new GetPrincipal( principal );
-
-                    PrincipalStoreEntry entry = ( PrincipalStoreEntry ) getPrincipal.execute(
ctx, null );
-
-                    Map<EncryptionType, EncryptionKey> map = entry.getKeyMap();
-
-                    writeKeytab( map );
-                }
-                catch ( NamingException e )
-                {
-                    e.printStackTrace();
-                    System.out.println( "Should not have caught exception:  " + e.getMessage()
);
-                }
-                catch ( IOException ioe )
-                {
-                    ioe.printStackTrace();
-                    System.out.println( "Should not have caught exception:  " + ioe.getMessage()
);
+                    try
+                    {
+                        // Create the initial context
+                        Hashtable<String, String> env = new Hashtable<String, String>();
+                        env.put( Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory"
);
+                        env.put( Context.PROVIDER_URL, "ldap://" + hostname + ":" + port
+ "/" + searchBaseDn );
+
+                        // Request the use of the "GSSAPI" SASL mechanism
+                        // Authenticate by using already established Kerberos credentials
+                        env.put( Context.SECURITY_AUTHENTICATION, "GSSAPI" );
+
+                        // Request privacy protection
+                        env.put( "javax.security.sasl.qop", "auth-conf" );
+
+                        // Request mutual authentication
+                        env.put( "javax.security.sasl.server.authentication", "true" );
+
+                        // Request high-strength cryptographic protection
+                        env.put( "javax.security.sasl.strength", "high" );
+
+                        env.put( "java.naming.ldap.attributes.binary", "krb5key" );
+
+                        DirContext ctx = new InitialDirContext( env );
+
+                        GetPrincipal getPrincipal = new GetPrincipal( targetPrincipal );
+
+                        return getPrincipal.execute( ctx, null );
+                    }
+                    catch ( NamingException ne )
+                    {
+                        throw new PrivilegedActionException( ne );
+                    }
                 }
+            } );
+        }
+        catch ( PrivilegedActionException pae )
+        {
+            throw new PasswordConnectionException( "Error retrieving principal.", pae.getCause()
);
+        }
 
-                return null;
-            }
-        } );
+        return ( PrincipalStoreEntry ) entry;
     }
 
 
-    private void writeKeytab( Map<EncryptionType, EncryptionKey> map ) throws IOException
+    private void writeKeytab( String principalName, Map<EncryptionType, EncryptionKey>
map )
+        throws PasswordConnectionException
     {
         List<KeytabEntry> entries = new ArrayList<KeytabEntry>();
 
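Review bot: `keytabFileName` (declared as `private String keytabFileName;` above the static initializer) is never assigned in the new code: the constructor sets only `hostname` and `port`, and no setter appears anywhere in the diff, so `new File( keytabFileName )` in the following hunk would run with a null path and throw a NullPointerException before any key is written; unless a setter exists outside the shown hunks, the constructor should take it, `public ExportKey( String hostname, int port, String keytabFileName )` together with `this.keytabFileName = keytabFileName;`. The static initializer sets `sun.security.krb5.debug` to `true` unconditionally, which makes the JDK Kerberos provider print verbose protocol and credential traces to stdout for every process that loads this class; that belongs behind a caller-controlled switch or in the launch configuration, not in a library class. The `InitialDirContext` created in `run()` is never closed; keep `ctx` in a local and add `finally { ctx.close(); }` around `getPrincipal.execute( ctx, null )` so the LDAP connection is released on both paths. Because `run()` already declares `throws Exception`, rethrowing `ne` directly instead of `throw new PrivilegedActionException( ne )` would avoid `Subject.doAs` wrapping the checked exception a second time, so that `pae.getCause()` in the outer catch is the `NamingException` itself rather than another `PrivilegedActionException`.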
@@ -223,7 +187,15 @@
         File file = new File( keytabFileName );
         Keytab keytab = new Keytab();
         keytab.setEntries( entries );
-        keytab.write( file );
+
+        try
+        {
+            keytab.write( file );
+        }
+        catch ( IOException ioe )
+        {
+            throw new PasswordConnectionException( "Error writing keytab.", ioe );
+        }
     }
 
 

Propchange: directory/clients/trunk/kerberos/password/src/main/java/org/apache/directory/client/password/ExportKey.java
------------------------------------------------------------------------------
    svn:eol-style = native


