From seelm...@apache.org
Subject svn commit: r1150436 - in /directory/apacheds/trunk/kerberos-test/src/test: java/org/apache/directory/server/kerberos/kdc/ resources/org/ resources/org/apache/ resources/org/apache/directory/ resources/org/apache/directory/server/ resources/org/apache/...
Date Sun, 24 Jul 2011 17:04:01 GMT
Author: seelmann
Date: Sun Jul 24 17:03:59 2011
New Revision: 1150436

URL: http://svn.apache.org/viewvc?rev=1150436&view=rev
Log:
Added Kerberos tests to obtain TGT and service tickets. TCP tests are ignored since they are
failing.

Added:
    directory/apacheds/trunk/kerberos-test/src/test/java/org/apache/directory/server/kerberos/kdc/AbstractKerberosITest.java
    directory/apacheds/trunk/kerberos-test/src/test/java/org/apache/directory/server/kerberos/kdc/KerberosTcpITest.java
    directory/apacheds/trunk/kerberos-test/src/test/java/org/apache/directory/server/kerberos/kdc/KerberosUdpITest.java
    directory/apacheds/trunk/kerberos-test/src/test/resources/org/
    directory/apacheds/trunk/kerberos-test/src/test/resources/org/apache/
    directory/apacheds/trunk/kerberos-test/src/test/resources/org/apache/directory/
    directory/apacheds/trunk/kerberos-test/src/test/resources/org/apache/directory/server/
    directory/apacheds/trunk/kerberos-test/src/test/resources/org/apache/directory/server/kerberos/
    directory/apacheds/trunk/kerberos-test/src/test/resources/org/apache/directory/server/kerberos/kdc/
    directory/apacheds/trunk/kerberos-test/src/test/resources/org/apache/directory/server/kerberos/kdc/KerberosIT.ldif
Modified:
    directory/apacheds/trunk/kerberos-test/src/test/java/org/apache/directory/server/kerberos/kdc/KerberosTestUtils.java

Added: directory/apacheds/trunk/kerberos-test/src/test/java/org/apache/directory/server/kerberos/kdc/AbstractKerberosITest.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/kerberos-test/src/test/java/org/apache/directory/server/kerberos/kdc/AbstractKerberosITest.java?rev=1150436&view=auto
==============================================================================
--- directory/apacheds/trunk/kerberos-test/src/test/java/org/apache/directory/server/kerberos/kdc/AbstractKerberosITest.java
(added)
+++ directory/apacheds/trunk/kerberos-test/src/test/java/org/apache/directory/server/kerberos/kdc/AbstractKerberosITest.java
Sun Jul 24 17:03:59 2011
@@ -0,0 +1,213 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License.
+ *
+ */
+package org.apache.directory.server.kerberos.kdc;
+
+
+import static org.junit.Assert.assertEquals;
+
+import java.io.File;
+import java.io.IOException;
+import java.util.Collections;
+
+import javax.security.auth.Subject;
+import javax.security.auth.kerberos.KerberosTicket;
+
+import org.apache.commons.io.FileUtils;
+import org.apache.commons.lang.SystemUtils;
+import org.apache.directory.server.core.LdapCoreSessionConnection;
+import org.apache.directory.server.core.integ.AbstractLdapTestUnit;
+import org.apache.directory.shared.kerberos.codec.types.EncryptionType;
+import org.apache.directory.shared.ldap.model.entry.DefaultEntry;
+import org.apache.directory.shared.ldap.model.entry.DefaultModification;
+import org.apache.directory.shared.ldap.model.entry.Entry;
+import org.apache.directory.shared.ldap.model.entry.Modification;
+import org.apache.directory.shared.ldap.model.entry.ModificationOperation;
+import org.apache.directory.shared.ldap.model.exception.LdapException;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Rule;
+import org.junit.rules.TemporaryFolder;
+
+
+/**
+ *
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ */
+public class AbstractKerberosITest extends AbstractLdapTestUnit
+{
+    public static final String USERS_DN = "ou=users,dc=example,dc=com";
+    public static final String REALM = "EXAMPLE.COM";
+    public static final String USER_UID = "hnelson";
+    public static final String USER_PASSWORD = "secret";
+    public static final String LDAP_SERVICE_NAME = "ldap";
+    public static final String HOSTNAME = KerberosTestUtils.getHostName();
+
+    @Rule
+    public TemporaryFolder folder = new TemporaryFolder();
+
+    protected LdapCoreSessionConnection conn;
+
+
+    @Before
+    public void setUp() throws Exception
+    {
+        conn = new LdapCoreSessionConnection( service );
+
+        enableKerberosSchema();
+    }
+
+
+    @After
+    public void tearDown() throws Exception
+    {
+        conn.close();
+    }
+
+
+    /**
+     * Obtains a TGT and service tickets for the user. 
+     * Also makes some assertions on the received tickets.
+     *
+     * @param encryptionType the encryption type to use
+     * @throws Exception
+     */
+    protected void testObtainTickets( EncryptionType encryptionType ) throws Exception
+    {
+        Subject subject = new Subject();
+
+        KerberosTestUtils.obtainTGT( subject, USER_UID, USER_PASSWORD );
+        
+        assertEquals( 1, subject.getPrivateCredentials().size() );
+        assertEquals( 0, subject.getPublicCredentials().size() );
+
+        KerberosTestUtils.obtainServiceTickets( subject, USER_UID, LDAP_SERVICE_NAME, HOSTNAME
);
+
+        assertEquals( 2, subject.getPrivateCredentials().size() );
+        assertEquals( 0, subject.getPublicCredentials().size() );
+        for ( KerberosTicket kt : subject.getPrivateCredentials( KerberosTicket.class ) )
+        {
+            // System.out.println( kt.getClient() );
+            // System.out.println( kt.getServer() );
+            // System.out.println( kt.getSessionKeyType() );
+            assertEquals( encryptionType.getValue(), kt.getSessionKeyType() );
+        }
+        // sSystem.out.println( subject );
+    }
+
+
+    private void enableKerberosSchema() throws LdapException
+    {
+        Modification mod = new DefaultModification( ModificationOperation.REPLACE_ATTRIBUTE,
+            "m-disabled", "FALSE" );
+        conn.modify( "cn=Krb5kdc,ou=schema", mod );
+    }
+
+
+    protected void setupEnv( EncryptionType encryptionType ) throws LdapException, IOException
+    {
+        // create krb5.conf with proper encryption type
+        String krb5confPath = createKrb5Conf( encryptionType );
+        System.setProperty( "java.security.krb5.conf", krb5confPath );
+
+        // change encryption type in KDC
+        kdcServer.setEncryptionTypes( Collections.singleton( encryptionType ) );
+
+        // create principals
+        createPrincipal( "uid=" + USER_UID, "Last", "First Last",
+            USER_UID, USER_PASSWORD, USER_UID + "@" + REALM );
+
+        createPrincipal( "uid=krbtgt", "KDC Service", "KDC Service",
+            "krbtgt", "secret", "krbtgt/" + REALM + "@" + REALM );
+
+        String servicePrincipal = LDAP_SERVICE_NAME + "/" + HOSTNAME + "@" + REALM;
+        createPrincipal( "uid=ldap", "Service", "LDAP Service",
+            "ldap", "randall", servicePrincipal );
+    }
+
+
+    /**
+     * Creates the krb5.conf file for the test.
+     * 
+     * It looks similar to this:
+     * 
+     * <pre>
+     * [libdefaults]
+     *     default_realm = EXAMPLE.COM
+     *     default_tkt_enctypes = aes256-cts-hmac-sha1-96
+     *     default_tgs_enctypes = aes256-cts-hmac-sha1-96
+     *     permitted_enctypes = aes256-cts-hmac-sha1-96
+     * 
+     * [realms]
+     *     EXAMPLE.COM = {
+     *         kdc = localhost:6088
+     *     }
+     * 
+     * [domain_realm]
+     *     .example.com = EXAMPLE.COM
+     *     example.com = EXAMPLE.COM
+     * </pre>
+     *
+     * @param encryptionType
+     * @return the path to the krb5.conf file
+     * @throws IOException
+     */
+    private String createKrb5Conf( EncryptionType encryptionType ) throws IOException
+    {
+        File file = folder.newFile( "krb5.conf" );
+
+        String data = "";
+
+        data += "[libdefaults]" + SystemUtils.LINE_SEPARATOR;
+        data += "default_realm = " + REALM + SystemUtils.LINE_SEPARATOR;
+        data += "default_tkt_enctypes = " + encryptionType.getName() + SystemUtils.LINE_SEPARATOR;
+        data += "default_tgs_enctypes = " + encryptionType.getName() + SystemUtils.LINE_SEPARATOR;
+        data += "permitted_enctypes = " + encryptionType.getName() + SystemUtils.LINE_SEPARATOR;
+        
+        data += "[realms]" + SystemUtils.LINE_SEPARATOR;
+        data += REALM + " = {" + SystemUtils.LINE_SEPARATOR;
+        data += "kdc = " + HOSTNAME + ":" + kdcServer.getTransports()[0].getPort() + SystemUtils.LINE_SEPARATOR;
+        data += "}" + SystemUtils.LINE_SEPARATOR;
+
+        data += "[domain_realm]" + SystemUtils.LINE_SEPARATOR;
+        data += "." + REALM.toLowerCase() + " = " + REALM + SystemUtils.LINE_SEPARATOR;
+        data += REALM.toLowerCase() + " = " + REALM + SystemUtils.LINE_SEPARATOR;
+
+        FileUtils.writeStringToFile( file, data );
+
+        return file.getAbsolutePath();
+    }
+
+
+    private void createPrincipal( String rdn, String sn, String cn,
+        String uid, String userPassword, String principalName ) throws LdapException
+    {
+        Entry entry = new DefaultEntry();
+        entry.setDn( rdn + "," + USERS_DN );
+        entry.add( "objectClass", "top", "person", "inetOrgPerson", "krb5principal", "krb5kdcentry"
);
+        entry.add( "cn", cn );
+        entry.add( "sn", sn );
+        entry.add( "uid", uid );
+        entry.add( "userPassword", userPassword );
+        entry.add( "krb5PrincipalName", principalName );
+        entry.add( "krb5KeyVersionNumber", "0" );
+        conn.add( entry );
+    }
+
+}
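Review bot: `setupEnv` points the JVM at a freshly written krb5.conf via `System.setProperty( "java.security.krb5.conf", krb5confPath )` on every test, but the property is never cleared in `tearDown` and, as far as I recall, the JDK's Kerberos `Config` is read once and cached, so a second test method in the same JVM may still run against the first test's enctype settings — worth verifying, and if it holds, a `sun.security.krb5.Config.refresh()` call (the tests already reach into that package) or at least a Javadoc note on `setupEnv` is needed. In `createKrb5Conf`, `REALM.toLowerCase()` is locale-sensitive (`REALM.toLowerCase( Locale.ROOT )` keeps the `[domain_realm]` mapping stable under a Turkish default locale) and `FileUtils.writeStringToFile( file, data )` writes with the platform charset; the `data +=` chain would also read better as a `StringBuilder`. `kdcServer.getTransports()[0]` assumes the KDC was created with at least one transport, which the two subclasses here guarantee but which the method Javadoc should state. The class Javadoc is empty; a summary such as `Base class for the Kerberos ITs: enables the Krb5 schema, writes a per-test krb5.conf and creates the test principals.` would help.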

Added: directory/apacheds/trunk/kerberos-test/src/test/java/org/apache/directory/server/kerberos/kdc/KerberosTcpITest.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/kerberos-test/src/test/java/org/apache/directory/server/kerberos/kdc/KerberosTcpITest.java?rev=1150436&view=auto
==============================================================================
--- directory/apacheds/trunk/kerberos-test/src/test/java/org/apache/directory/server/kerberos/kdc/KerberosTcpITest.java
(added)
+++ directory/apacheds/trunk/kerberos-test/src/test/java/org/apache/directory/server/kerberos/kdc/KerberosTcpITest.java
Sun Jul 24 17:03:59 2011
@@ -0,0 +1,153 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License.
+ *
+ */
+package org.apache.directory.server.kerberos.kdc;
+
+
+import java.lang.reflect.Field;
+
+import org.apache.directory.server.annotations.CreateKdcServer;
+import org.apache.directory.server.annotations.CreateLdapServer;
+import org.apache.directory.server.annotations.CreateTransport;
+import org.apache.directory.server.core.annotations.ApplyLdifFiles;
+import org.apache.directory.server.core.annotations.CreateDS;
+import org.apache.directory.server.core.annotations.CreatePartition;
+import org.apache.directory.server.core.integ.FrameworkRunner;
+import org.apache.directory.server.core.kerberos.KeyDerivationInterceptor;
+import org.apache.directory.shared.kerberos.codec.types.EncryptionType;
+import org.junit.AfterClass;
+import org.junit.BeforeClass;
+import org.junit.Ignore;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+
+/**
+ * Test to obtain TGTs and Service Tickets from KDCs via TCP.
+ * 
+ * We use some internal knowledge of the Sun/Oracle implementation here to force
+ * the usage of TCP: In sun.security.krb5.KrbKdcReq the static field udpPrefLimit 
+ * is set to 1 which means that TCP is always used.
+ * 
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory
+Project</a>
+ */
+@RunWith(FrameworkRunner.class)
+@CreateDS(name = "KerberosTcpIT-class",
+    partitions =
+       {
+           @CreatePartition(
+               name = "example",
+               suffix = "dc=example,dc=com")
+       },
+       additionalInterceptors =
+       {
+               KeyDerivationInterceptor.class
+       })
+@CreateLdapServer(
+    transports =
+   {
+       @CreateTransport(protocol = "LDAP")
+   })
+@CreateKdcServer(
+    transports =
+   {
+       @CreateTransport(protocol = "TCP")
+   })
+@ApplyLdifFiles("org/apache/directory/server/kerberos/kdc/KerberosIT.ldif")
+@Ignore("TCP tests not working.")
+public class KerberosTcpITest extends AbstractKerberosITest
+{
+    private static Integer udpPrefLimit;
+
+
+    @BeforeClass
+    public static void setUdpPrefLimit() throws Exception
+    {
+        System.setProperty( "sun.security.krb5.debug", "true" );
+
+        // Save current value of sun.security.krb5.KrbKdcReq.udpPrefLimit field.
+        // Then set it to 1 to force TCP.
+        udpPrefLimit = getUdpPrefLimit();
+        setUdpPrefLimit( 1 );
+    }
+
+
+    @AfterClass
+    public static void resetUdpPrefLimit() throws Exception
+    {
+        // Reset sun.security.krb5.KrbKdcReq.udpPrefLimit field
+        setUdpPrefLimit( udpPrefLimit );
+    }
+
+
+    private static Integer getUdpPrefLimit() throws Exception
+    {
+        Field udpPrefLimitField = getUdpPrefLimitField();
+        Object value = udpPrefLimitField.get( null );
+        return ( Integer ) value;
+    }
+
+
+    private static void setUdpPrefLimit( int limit ) throws Exception
+    {
+        Field udpPrefLimitField = getUdpPrefLimitField();
+        udpPrefLimitField.setAccessible( true );
+        udpPrefLimitField.set( null, limit );
+    }
+
+
+    private static Field getUdpPrefLimitField() throws ClassNotFoundException, NoSuchFieldException
+    {
+        String clazz = "sun.security.krb5.KrbKdcReq";
+        Class<?> krbKdcReqClass = Class.forName( clazz );
+        Field udpPrefLimitField = krbKdcReqClass.getDeclaredField( "udpPrefLimit" );
+        udpPrefLimitField.setAccessible( true );
+        return udpPrefLimitField;
+    }
+
+
+    // TODO: fix failing tests
+    // TODO: add tests for other encryption types
+    // TODO: add tests for different options
+
+    @Test
+    public void testObtainTickets_DES_CBC_MD5() throws Exception
+    {
+        setupEnv( EncryptionType.DES_CBC_MD5 );
+        testObtainTickets( EncryptionType.DES_CBC_MD5 );
+    }
+
+
+    @Test
+    public void testObtainTickets_AES128() throws Exception
+    {
+        setupEnv( EncryptionType.AES128_CTS_HMAC_SHA1_96 );
+        testObtainTickets( EncryptionType.AES128_CTS_HMAC_SHA1_96 );
+    }
+
+
+    @Test
+    public void testObtainTickets_AES256() throws Exception
+    {
+        setupEnv( EncryptionType.AES256_CTS_HMAC_SHA1_96 );
+        testObtainTickets( EncryptionType.AES256_CTS_HMAC_SHA1_96 );
+    }
+
+}
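Review bot: `resetUdpPrefLimit` passes the boxed `udpPrefLimit` to `setUdpPrefLimit( int )`, so if the `@BeforeClass` method fails before the assignment (for example `Class.forName( "sun.security.krb5.KrbKdcReq" )` on a JVM that does not ship that class) JUnit still runs `@AfterClass`, which then throws a NullPointerException on unboxing and hides the original error; guard it with `if ( udpPrefLimit != null ) { setUdpPrefLimit( udpPrefLimit ); }`. `System.setProperty( "sun.security.krb5.debug", "true" )` is likewise never reset and stays enabled for every test that runs later in the same JVM; that debug output is very verbose and, as far as I know, includes key bytes, so it should be restored in `@AfterClass` and preferably not be committed switched on. `setAccessible( true )` is already called inside `getUdpPrefLimitField`, so the second call in `setUdpPrefLimit` is redundant.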

Modified: directory/apacheds/trunk/kerberos-test/src/test/java/org/apache/directory/server/kerberos/kdc/KerberosTestUtils.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/kerberos-test/src/test/java/org/apache/directory/server/kerberos/kdc/KerberosTestUtils.java?rev=1150436&r1=1150435&r2=1150436&view=diff
==============================================================================
--- directory/apacheds/trunk/kerberos-test/src/test/java/org/apache/directory/server/kerberos/kdc/KerberosTestUtils.java
(original)
+++ directory/apacheds/trunk/kerberos-test/src/test/java/org/apache/directory/server/kerberos/kdc/KerberosTestUtils.java
Sun Jul 24 17:03:59 2011
@@ -25,7 +25,29 @@ import java.io.CharArrayWriter;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.InputStreamReader;
-import java.io.Reader;                            
+import java.io.Reader;
+import java.net.InetAddress;
+import java.net.UnknownHostException;
+import java.security.PrivilegedAction;
+
+import javax.security.auth.Subject;
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.NameCallback;
+import javax.security.auth.callback.PasswordCallback;
+import javax.security.auth.callback.UnsupportedCallbackException;
+import javax.security.auth.login.Configuration;
+import javax.security.auth.login.LoginContext;
+import javax.security.auth.login.LoginException;
+
+import org.apache.directory.ldap.client.api.Krb5LoginConfiguration;
+import org.apache.directory.server.i18n.I18n;
+import org.ietf.jgss.GSSContext;
+import org.ietf.jgss.GSSCredential;
+import org.ietf.jgss.GSSException;
+import org.ietf.jgss.GSSManager;
+import org.ietf.jgss.GSSName;
+import org.ietf.jgss.Oid;
 
 
 /**
@@ -222,4 +244,172 @@ public class KerberosTestUtils
 
         return result;
     }
+
+
+    /**
+     * Gets the host name for 'localhost' used for Kerberos tests.
+     * On Windows 7 and Server 2008 the loopback address 127.0.0.1
+     * isn't resolved to localhost by default. In that case we need
+     * to use the IP address for the service principal.
+     *
+     * @return the hostname
+     */
+    public static String getHostName()
+    {
+        String hostName;
+        try
+        {
+            InetAddress loopback = InetAddress.getByName( "127.0.0.1" );
+            hostName = loopback.getHostName();
+        }
+        catch ( UnknownHostException e )
+        {
+            System.err.println( "Can't find loopback address '127.0.0.1', using hostname
'localhost'" );
+            hostName = "localhost";
+        }
+        return hostName;
+    }
+
+
+    /**
+     * Obtains a new TGT from KDC.
+     * 
+     * Possible errors:
+     * Bad username:  Client not found in Kerberos database
+     * Bad password:  Integrity check on decrypted field failed
+     * 
+     * @param subject the empty subject
+     * @param userName the user name 
+     * @param password the password
+     * @throws LoginException
+     * 
+     */
+    public static void obtainTGT( Subject subject, String userName, String password ) throws
LoginException
+    {
+        // Use our custom configuration to avoid reliance on external config
+        Configuration.setConfiguration( new Krb5LoginConfiguration() );
+
+        // Obtain TGT
+        LoginContext lc = new LoginContext( KerberosUdpITest.class.getName(), subject, new
+                CallbackHandlerBean( userName, password ) );
+        lc.login();
+    }
+
+    private static class CallbackHandlerBean implements CallbackHandler
+    {
+        private String name;
+        private String password;
+
+
+        /**
+         * Creates a new instance of CallbackHandlerBean.
+         *
+         * @param name
+         * @param password
+         */
+        public CallbackHandlerBean( String name, String password )
+        {
+            this.name = name;
+            this.password = password;
+        }
+
+
+        public void handle( Callback[] callbacks ) throws UnsupportedCallbackException, IOException
+        {
+            for ( Callback callback : callbacks )
+            {
+                if ( callback instanceof NameCallback )
+                {
+                    NameCallback nameCallback = ( NameCallback ) callback;
+                    nameCallback.setName( name );
+                }
+                else if ( callback instanceof PasswordCallback )
+                {
+                    PasswordCallback passwordCallback = ( PasswordCallback ) callback;
+                    passwordCallback.setPassword( password.toCharArray() );
+                }
+                else
+                {
+                    throw new UnsupportedCallbackException( callback, I18n.err( I18n.ERR_617
) );
+                }
+            }
+        }
+    }
+
+
+    /**
+     * Obtains a Service Ticket from KDC.
+     *
+     * @param subject the subject, must contain a valid TGT
+     * @param userName the user name
+     * @param serviceName the service name
+     * @param hostName the host name of the service
+     * @throws GSSException
+     */
+    public static void obtainServiceTickets( Subject subject, String userName, String serviceName,
String hostName )
+        throws GSSException
+    {
+        ObtainServiceTicketAction action = new ObtainServiceTicketAction( userName, serviceName,
hostName );
+        GSSException exception = Subject.doAs( subject, action );
+        if ( exception != null )
+        {
+            throw exception;
+        }
+    }
+
+    private static class ObtainServiceTicketAction implements PrivilegedAction<GSSException>
+    {
+        private String userName;
+        private String serviceName;
+        private String hostName;
+
+
+        public ObtainServiceTicketAction( String userName, String serviceName, String hostName
)
+        {
+            this.userName = userName;
+            this.serviceName = serviceName;
+            this.hostName = hostName;
+        }
+
+
+        public GSSException run()
+        {
+            try
+            {
+                GSSManager manager = GSSManager.getInstance();
+                GSSName clientName = manager.createName( userName, GSSName.NT_USER_NAME );
+                GSSCredential clientCred = manager.createCredential( clientName,
+                                                               8 * 3600,
+                                                               createKerberosOid(),
+                                                               GSSCredential.INITIATE_ONLY
);
+
+                GSSName serverName = manager.createName( serviceName + "@" + hostName, GSSName.NT_HOSTBASED_SERVICE
);
+                GSSContext context = manager.createContext( serverName,
+                                                      createKerberosOid(),
+                                                      clientCred,
+                                                      GSSContext.DEFAULT_LIFETIME );
+                context.requestMutualAuth( true );
+                context.requestConf( true );
+                context.requestInteg( true );
+
+                context.initSecContext( new byte[0], 0, 0 );
+
+                // byte[] outToken = context.initSecContext( new byte[0], 0, 0 );
+                // System.out.println(new BASE64Encoder().encode(outToken));
+                context.dispose();
+
+                return null;
+            }
+            catch ( GSSException gsse )
+            {
+                return gsse;
+            }
+        }
+
+
+        private Oid createKerberosOid() throws GSSException
+        {
+            return new Oid( "1.2.840.113554.1.2.2" );
+        }
+    }
 }
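Review bot: In `ObtainServiceTicketAction.run` the `context.dispose()` call is reached only on the success path; if `initSecContext` throws, the context (and `clientCred`, which is never disposed at all) is leaked, so both should be released in a `finally` block. `obtainTGT` builds the `LoginContext` with `KerberosUdpITest.class.getName()` as the entry name even when called from the TCP test; presumably `Krb5LoginConfiguration` ignores the name, but a utility class should not depend on one specific test class — a named constant such as `LOGIN_ENTRY_NAME` would make the intent explicit. `Configuration.setConfiguration( new Krb5LoginConfiguration() )` replaces the JVM-wide JAAS configuration and is never restored, which deserves a sentence in the method Javadoc. Returning the exception from `run()` works, but a `PrivilegedExceptionAction<Void>` with `Subject.doAs` would let the checked `GSSException` propagate without the manual re-throw in `obtainServiceTickets`. `getHostName` catches `UnknownHostException` from `InetAddress.getByName( "127.0.0.1" )`, yet for a literal address the JDK only validates the format, so the fallback branch is effectively unreachable and the Javadoc could say so.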

Added: directory/apacheds/trunk/kerberos-test/src/test/java/org/apache/directory/server/kerberos/kdc/KerberosUdpITest.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/kerberos-test/src/test/java/org/apache/directory/server/kerberos/kdc/KerberosUdpITest.java?rev=1150436&view=auto
==============================================================================
--- directory/apacheds/trunk/kerberos-test/src/test/java/org/apache/directory/server/kerberos/kdc/KerberosUdpITest.java
(added)
+++ directory/apacheds/trunk/kerberos-test/src/test/java/org/apache/directory/server/kerberos/kdc/KerberosUdpITest.java
Sun Jul 24 17:03:59 2011
@@ -0,0 +1,135 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License.
+ *
+ */
+package org.apache.directory.server.kerberos.kdc;
+
+
+import org.apache.directory.server.annotations.CreateKdcServer;
+import org.apache.directory.server.annotations.CreateLdapServer;
+import org.apache.directory.server.annotations.CreateTransport;
+import org.apache.directory.server.core.annotations.ApplyLdifFiles;
+import org.apache.directory.server.core.annotations.CreateDS;
+import org.apache.directory.server.core.annotations.CreatePartition;
+import org.apache.directory.server.core.integ.FrameworkRunner;
+import org.apache.directory.server.core.kerberos.KeyDerivationInterceptor;
+import org.apache.directory.shared.kerberos.codec.types.EncryptionType;
+import org.junit.Ignore;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+
+/**
+ * Test to obtain TGTs and Service Tickets from KDCs via UDP.
+ * 
+ * We use some internal knowledge of the Sun/Oracle implementation here:
+ * In sun.security.krb5.KrbKdcReq the field udpPrefLimit is set to -1 which means
+ * that UDP is always used first. Only if the KDC replies with RB_ERR_RESPONSE_TOO_BIG
+ * TCP is used.
+ * 
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ */
+@RunWith(FrameworkRunner.class)
+@CreateDS(name = "KerberosUdpIT-class",
+    partitions =
+       {
+           @CreatePartition(
+               name = "example",
+               suffix = "dc=example,dc=com")
+       },
+       additionalInterceptors =
+       {
+               KeyDerivationInterceptor.class
+       })
+@CreateLdapServer(
+    transports =
+   {
+       @CreateTransport(protocol = "LDAP")
+   })
+@CreateKdcServer(
+    transports =
+   {
+       @CreateTransport(protocol = "UDP")
+   })
+@ApplyLdifFiles("org/apache/directory/server/kerberos/kdc/KerberosIT.ldif")
+public class KerberosUdpITest extends AbstractKerberosITest
+{
+
+    // TODO: fix failing tests
+    // TODO: add tests for other encryption types
+    // TODO: add tests for different options
+
+    @Test
+    @Ignore("Fails")
+    public void testObtainTickets_DES_CBC_CRC() throws Exception
+    {
+        setupEnv( EncryptionType.DES_CBC_CRC );
+        testObtainTickets( EncryptionType.DES_CBC_CRC );
+    }
+
+
+    @Test
+    @Ignore("Fails")
+    public void testObtainTickets_DES_CBC_MD4() throws Exception
+    {
+        setupEnv( EncryptionType.DES_CBC_MD4 );
+        testObtainTickets( EncryptionType.DES_CBC_MD4 );
+    }
+
+
+    @Test
+    public void testObtainTickets_DES_CBC_MD5() throws Exception
+    {
+        setupEnv( EncryptionType.DES_CBC_MD5 );
+        testObtainTickets( EncryptionType.DES_CBC_MD5 );
+    }
+
+
+    @Test
+    public void testObtainTickets_DES3_CBC_SHA1_KD() throws Exception
+    {
+        setupEnv( EncryptionType.DES3_CBC_SHA1_KD );
+        testObtainTickets( EncryptionType.DES3_CBC_SHA1_KD );
+    }
+
+
+    @Test
+    @Ignore("Fails with KrbException: Integrity check on decrypted field failed (31) - Integrity
check on decrypted field failed")
+    public void testObtainTickets_RC4_HMAC() throws Exception
+    {
+        setupEnv( EncryptionType.RC4_HMAC );
+        testObtainTickets( EncryptionType.RC4_HMAC );
+    }
+
+
+    @Test
+    public void testObtainTickets_AES128() throws Exception
+    {
+        setupEnv( EncryptionType.AES128_CTS_HMAC_SHA1_96 );
+        testObtainTickets( EncryptionType.AES128_CTS_HMAC_SHA1_96 );
+    }
+
+
+    @Test
+    public void testObtainTickets_AES256() throws Exception
+    {
+        setupEnv( EncryptionType.AES256_CTS_HMAC_SHA1_96 );
+        testObtainTickets( EncryptionType.AES256_CTS_HMAC_SHA1_96 );
+    }
+
+}
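Review bot: The class Javadoc names the KDC error as `RB_ERR_RESPONSE_TOO_BIG`; the RFC 4120 error code is `KRB_ERR_RESPONSE_TOO_BIG`, so the comment should read `Only if the KDC replies with KRB_ERR_RESPONSE_TOO_BIG is TCP used.` Every test method calls `setupEnv`, which adds the same three principal entries under `ou=users`, so running more than one method against the class-level directory service relies on the runner reverting the partition between methods (presumably the changelog-based revert of `FrameworkRunner`); a sentence stating that assumption, on this class or on `setupEnv` in the base class, would save the next reader a debugging session. The three `// TODO` lines are duplicated verbatim from `KerberosTcpITest` and would be better kept once, in the base class.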

Added: directory/apacheds/trunk/kerberos-test/src/test/resources/org/apache/directory/server/kerberos/kdc/KerberosIT.ldif
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/kerberos-test/src/test/resources/org/apache/directory/server/kerberos/kdc/KerberosIT.ldif?rev=1150436&view=auto
==============================================================================
--- directory/apacheds/trunk/kerberos-test/src/test/resources/org/apache/directory/server/kerberos/kdc/KerberosIT.ldif
(added)
+++ directory/apacheds/trunk/kerberos-test/src/test/resources/org/apache/directory/server/kerberos/kdc/KerberosIT.ldif
Sun Jul 24 17:03:59 2011
@@ -0,0 +1,10 @@
+dn: dc=example,dc=com
+objectClass: top
+objectClass: domain
+dc: example
+
+dn: ou=users,dc=example,dc=com
+objectClass: top
+objectClass: organizationalUnit
+ou: users
+


