directory-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From dran...@apache.org
Subject directory-kerberos git commit: Reorganized token related project layout
Date Wed, 11 Mar 2015 21:38:42 GMT
Repository: directory-kerberos
Updated Branches:
  refs/heads/master 2d3667905 -> bffabdc72


Reorganized token related project layout


Project: http://git-wip-us.apache.org/repos/asf/directory-kerberos/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerberos/commit/bffabdc7
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerberos/tree/bffabdc7
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerberos/diff/bffabdc7

Branch: refs/heads/master
Commit: bffabdc723d735192880ccbbb4728d96e153a76b
Parents: 2d36679
Author: Drankye <drankye@gmail.com>
Authored: Thu Mar 12 05:38:30 2015 +0800
Committer: Drankye <drankye@gmail.com>
Committed: Thu Mar 12 05:38:30 2015 +0800

----------------------------------------------------------------------
 kdc-tool/pom.xml                                |   1 +
 kdc-tool/token-tool/pom.xml                     |  49 ++++++++
 .../org/apache/kerby/token/AuthzDataEntry.java  |  52 ++++++++
 .../java/org/apache/kerby/token/TokenCache.java |  82 ++++++++++++
 .../org/apache/kerby/token/TokenExtractor.java  | 102 +++++++++++++++
 .../java/org/apache/kerby/token/TokenTool.java  | 125 +++++++++++++++++++
 .../kerby/kerberos/kerb/client/KrbClient.java   |   2 +-
 .../kerb/client/preauth/token/TokenContext.java |   2 +-
 .../kerb/client/preauth/token/TokenPreauth.java |   2 +-
 .../kerberos/kerb/spec/pa/token/KerbToken.java  |  50 ++++++++
 .../kerberos/kerb/server/WithTokenKdcTest.java  |   2 +-
 lib/kerby-token/pom.xml                         |  44 -------
 .../org/apache/kerby/token/AuthzDataEntry.java  |  52 --------
 .../java/org/apache/kerby/token/KerbToken.java  |  47 -------
 .../java/org/apache/kerby/token/TokenCache.java |  82 ------------
 .../org/apache/kerby/token/TokenExtractor.java  | 101 ---------------
 .../java/org/apache/kerby/token/TokenTool.java  | 124 ------------------
 lib/pom.xml                                     |   1 -
 18 files changed, 465 insertions(+), 455 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/bffabdc7/kdc-tool/pom.xml
----------------------------------------------------------------------
diff --git a/kdc-tool/pom.xml b/kdc-tool/pom.xml
index 4999d0d..da3cb47 100644
--- a/kdc-tool/pom.xml
+++ b/kdc-tool/pom.xml
@@ -28,5 +28,6 @@
 
   <modules>
     <module>kinit</module>
+    <module>token-tool</module>
   </modules>
 </project>

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/bffabdc7/kdc-tool/token-tool/pom.xml
----------------------------------------------------------------------
diff --git a/kdc-tool/token-tool/pom.xml b/kdc-tool/token-tool/pom.xml
new file mode 100644
index 0000000..10c3e1e
--- /dev/null
+++ b/kdc-tool/token-tool/pom.xml
@@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License. See accompanying LICENSE file.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+
+  <parent>
+    <groupId>org.apache.kerby</groupId>
+    <artifactId>kdc-tool</artifactId>
+    <version>1.0-SNAPSHOT</version>
+  </parent>
+
+  <artifactId>token-tool</artifactId>
+  <name>Token Tool Project</name>
+  <version>1.0-SNAPSHOT</version>
+  <packaging>jar</packaging>
+
+  <dependencies>
+    <dependency>
+      <groupId>com.nimbusds</groupId>
+      <artifactId>nimbus-jose-jwt</artifactId>
+      <version>3.8.2</version>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.kerby</groupId>
+      <artifactId>kerb-core</artifactId>
+      <version>${project.version}</version>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.kerby</groupId>
+      <artifactId>kerby-asn1</artifactId>
+      <version>${project.version}</version>
+    </dependency>
+  </dependencies>
+
+</project>

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/bffabdc7/kdc-tool/token-tool/src/main/java/org/apache/kerby/token/AuthzDataEntry.java
----------------------------------------------------------------------
diff --git a/kdc-tool/token-tool/src/main/java/org/apache/kerby/token/AuthzDataEntry.java
b/kdc-tool/token-tool/src/main/java/org/apache/kerby/token/AuthzDataEntry.java
new file mode 100644
index 0000000..d4bfedb
--- /dev/null
+++ b/kdc-tool/token-tool/src/main/java/org/apache/kerby/token/AuthzDataEntry.java
@@ -0,0 +1,52 @@
+/**
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.kerby.token;
+
+import org.apache.kerby.asn1.type.Asn1FieldInfo;
+import org.apache.kerby.asn1.type.Asn1Integer;
+import org.apache.kerby.asn1.type.Asn1OctetString;
+import org.apache.kerby.asn1.type.Asn1SequenceType;
+
+/**
+ AuthorizationData       ::= SEQUENCE OF SEQUENCE {
+     ad-type         [0] Int32,
+     ad-data         [1] OCTET STRING
+ }
+ */
+public class AuthzDataEntry extends Asn1SequenceType {
+    static int AD_TYPE = 0;
+    static int AD_DATA = 1;
+
+    public AuthzDataEntry() {
+        super(new Asn1FieldInfo[] {
+                new Asn1FieldInfo(AD_TYPE, Asn1Integer.class),
+                new Asn1FieldInfo(AD_DATA, Asn1OctetString.class)
+        });
+    }
+
+    public int getAuthzType() {
+        Integer value = getFieldAsInteger(AD_TYPE);
+        return value;
+    }
+
+    public byte[] getAuthzData() {
+        return getFieldAsOctets(AD_DATA);
+    }
+}

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/bffabdc7/kdc-tool/token-tool/src/main/java/org/apache/kerby/token/TokenCache.java
----------------------------------------------------------------------
diff --git a/kdc-tool/token-tool/src/main/java/org/apache/kerby/token/TokenCache.java b/kdc-tool/token-tool/src/main/java/org/apache/kerby/token/TokenCache.java
new file mode 100644
index 0000000..51e3593
--- /dev/null
+++ b/kdc-tool/token-tool/src/main/java/org/apache/kerby/token/TokenCache.java
@@ -0,0 +1,82 @@
+/**
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.kerby.token;
+
+import java.io.*;
+
+public class TokenCache {
+    private static final String DEFAULT_TOKEN_CACHE_PATH = ".tokenauth";
+    private static final String TOKEN_CACHE_FILE = ".tokenauth.token";
+
+    public static String readToken(String tokenCacheFile) {
+        File cacheFile = null;
+
+        if (tokenCacheFile != null && ! tokenCacheFile.isEmpty()) {
+            cacheFile = new File(tokenCacheFile);
+            if (!cacheFile.exists()) {
+                throw new RuntimeException("Invalid token cache specified: " + tokenCacheFile);
+            };
+        } else {
+            cacheFile = getDefaultTokenCache();
+            if (!cacheFile.exists()) {
+                throw new RuntimeException("No token cache available by default");
+            };
+        }
+
+        String token = null;
+        try {
+            BufferedReader reader = new BufferedReader(new FileReader(cacheFile));
+            String line = reader.readLine();
+            reader.close();
+            if (line != null) {
+                token = line;
+            }
+        } catch (IOException ex) {
+            //NOP
+        }
+
+        return token;
+    }
+
+    public static void writeToken(String token) {
+        File cacheFile = getDefaultTokenCache();
+
+        try {
+            Writer writer = new FileWriter(cacheFile);
+            writer.write(token.toString());
+            writer.close();
+            // sets read-write permissions to owner only
+            cacheFile.setReadable(false, false);
+            cacheFile.setReadable(true, true);
+            cacheFile.setWritable(true, true);
+        }
+        catch (IOException ioe) {
+            // if case of any error we just delete the cache, if user-only
+            // write permissions are not properly set a security exception
+            // is thrown and the file will be deleted.
+            cacheFile.delete();
+        }
+    }
+
+    public static File getDefaultTokenCache() {
+        String homeDir = System.getProperty("user.home", DEFAULT_TOKEN_CACHE_PATH);
+        return new File(homeDir, TOKEN_CACHE_FILE);
+    }
+}

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/bffabdc7/kdc-tool/token-tool/src/main/java/org/apache/kerby/token/TokenExtractor.java
----------------------------------------------------------------------
diff --git a/kdc-tool/token-tool/src/main/java/org/apache/kerby/token/TokenExtractor.java
b/kdc-tool/token-tool/src/main/java/org/apache/kerby/token/TokenExtractor.java
new file mode 100644
index 0000000..2eed75c
--- /dev/null
+++ b/kdc-tool/token-tool/src/main/java/org/apache/kerby/token/TokenExtractor.java
@@ -0,0 +1,102 @@
+/**
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.kerby.token;
+
+import com.sun.security.jgss.AuthorizationDataEntry;
+import com.sun.security.jgss.ExtendedGSSContext;
+import com.sun.security.jgss.InquireType;
+import org.apache.kerby.asn1.type.Asn1SequenceOf;
+import org.apache.kerby.kerberos.kerb.spec.pa.token.KerbToken;
+import org.ietf.jgss.GSSContext;
+import org.ietf.jgss.GSSException;
+
+import java.io.IOException;
+import java.util.List;
+
+public class TokenExtractor {
+    static final int JWT_AUTHZ_DATA_TYPE = 81;
+    public static final int AD_IF_RELEVANT_TYPE = 1;
+
+    /**
+     AuthorizationData       ::= SEQUENCE OF SEQUENCE {
+         ad-type         [0] Int32,
+         ad-data         [1] OCTET STRING
+     }
+     */
+    public static class AuthorizationData extends Asn1SequenceOf<AuthzDataEntry> {
+
+    }
+
+    public static KerbToken checkAuthzData(GSSContext context) throws GSSException, IOException
{
+        System.out.println("Looking for token from authorization data in GSSContext");
+
+        Object authzData = null;
+        if (context instanceof ExtendedGSSContext) {
+            ExtendedGSSContext ex = (ExtendedGSSContext)context;
+            authzData = ex.inquireSecContext(
+                    InquireType.KRB5_GET_AUTHZ_DATA);
+        }
+
+        if (authzData != null) {
+            AuthorizationDataEntry[] authzEntries = (AuthorizationDataEntry[]) authzData;
+            KerbToken resultToken = null;
+            for (int i = 0; i < authzEntries.length; ++i) {
+                resultToken = getAuthzToken(authzEntries[i]);
+                if (resultToken != null) {
+                    return resultToken;
+                }
+            }
+        }
+        return null;
+    }
+
+    public static KerbToken getAuthzToken(AuthorizationDataEntry authzDataEntry) throws IOException
{
+        if (authzDataEntry.getType() == AD_IF_RELEVANT_TYPE) {
+            String token = getToken(authzDataEntry);
+            if (token == null) {
+                return null;
+            }
+
+            try {
+                return TokenTool.fromJwtToken(token);
+            } catch (Exception e) {
+                // noop when not jwt token
+            }
+        }
+
+        return null;
+    }
+
+    public static String getToken(AuthorizationDataEntry authzDataEntry) throws IOException
{
+        List<AuthzDataEntry> entries = decode(authzDataEntry);
+        for (AuthzDataEntry entry : entries) {
+            if (entry.getAuthzType() == JWT_AUTHZ_DATA_TYPE) {
+                return new String(entry.getAuthzData());
+            }
+        }
+        return null;
+    }
+
+    public static List<AuthzDataEntry> decode(AuthorizationDataEntry authzDataEntry)
throws IOException {
+        AuthorizationData authzData = new AuthorizationData();
+        authzData.decode(authzDataEntry.getData());
+        return authzData.getElements();
+    }
+}

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/bffabdc7/kdc-tool/token-tool/src/main/java/org/apache/kerby/token/TokenTool.java
----------------------------------------------------------------------
diff --git a/kdc-tool/token-tool/src/main/java/org/apache/kerby/token/TokenTool.java b/kdc-tool/token-tool/src/main/java/org/apache/kerby/token/TokenTool.java
new file mode 100644
index 0000000..9946dfa
--- /dev/null
+++ b/kdc-tool/token-tool/src/main/java/org/apache/kerby/token/TokenTool.java
@@ -0,0 +1,125 @@
+/**
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.kerby.token;
+
+import com.nimbusds.jose.PlainHeader;
+import com.nimbusds.jwt.JWT;
+import com.nimbusds.jwt.JWTClaimsSet;
+import com.nimbusds.jwt.PlainJWT;
+import org.apache.kerby.kerberos.kerb.spec.pa.token.KerbToken;
+
+import java.text.ParseException;
+import java.util.*;
+
+public class TokenTool {
+
+    public static JWT issueToken(String principal, String group, String role) {
+        // must have for kerb-token
+        String krbPrincipal = principal + "@SH.INTEL.COM";
+
+        PlainHeader header = new PlainHeader();
+        //header.setCustomParameter("krbPrincipal", krbPrincipal);
+
+        JWTClaimsSet jwtClaims = new JWTClaimsSet();
+
+        String iss = "token-service";
+        jwtClaims.setIssuer(iss);
+
+        String sub = principal;
+        jwtClaims.setSubject(sub);
+
+        // must have for kerb-token
+        jwtClaims.setSubject(krbPrincipal);
+
+        jwtClaims.setClaim("group", group);
+        if (role != null) {
+            jwtClaims.setClaim("role", role);
+        }
+
+        List<String> aud = new ArrayList<String>();
+        aud.add("krb5kdc-with-token-extension");
+        jwtClaims.setAudience(aud);
+
+        // Set expiration in 60 minutes
+        final Date NOW =  new Date(new Date().getTime() / 1000 * 1000);
+        Date exp = new Date(NOW.getTime() + 1000 * 60 * 60);
+        jwtClaims.setExpirationTime(exp);
+
+        Date nbf = NOW;
+        jwtClaims.setNotBeforeTime(nbf);
+
+        Date iat = NOW;
+        jwtClaims.setIssueTime(iat);
+
+        String jti = UUID.randomUUID().toString();
+        jwtClaims.setJWTID(jti);
+
+        PlainJWT jwt = new PlainJWT(header, jwtClaims);
+        return jwt;
+    }
+
+    public static JWT decodeToken(String token) throws ParseException {
+        PlainJWT jwt = PlainJWT.parse(token);
+
+        return jwt;
+    }
+
+    public static KerbToken fromJwtToken(String token) throws ParseException {
+        Map<String, Object> attrs = decodeAndExtractTokenAttributes(token);
+        return new KerbToken(attrs);
+    }
+
+    public static Map<String, Object> decodeAndExtractTokenAttributes(String token)
throws ParseException {
+        PlainJWT jwt = PlainJWT.parse(token);
+
+        Map<String, Object> attrs = new HashMap<String, Object>();
+        attrs.putAll(jwt.getJWTClaimsSet().getAllClaims());
+        //attrs.putAll(jwt.getHeader().getCustomParameters());
+
+        return attrs;
+    }
+
+    public static void main(String[] args) throws ParseException {
+        String principal, group, role = null;
+
+        if (args.length != 2 && args.length != 3) {
+            System.out.println("This is a simple token issuing tool just for kerb-token PoC
usage\n");
+            System.out.println("tokeninit <username> <group> [role]\n");
+            System.exit(1);
+        }
+        principal = args[0];
+        group = args[1];
+        if (args.length > 2) {
+            role = args[2];
+        }
+
+        JWT jwt = issueToken(principal, group, role);
+        String token = jwt.serialize();
+
+        TokenCache.writeToken(token);
+        System.out.println("Issued token: " + token);
+
+        /*
+        JWT jwt2 = decodeToken(token);
+        String krbPrincipal = (String) jwt2.getHeader().getCustomParameter("krbPrincipal");
+        System.out.println("Decoded token with krbprincipal: " + krbPrincipal);
+        */
+    }
+}

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/bffabdc7/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbClient.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbClient.java
b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbClient.java
index 55a18db..201566e 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbClient.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbClient.java
@@ -34,7 +34,7 @@ import org.apache.kerby.kerberos.kerb.spec.common.KrbError;
 import org.apache.kerby.kerberos.kerb.spec.common.PrincipalName;
 import org.apache.kerby.kerberos.kerb.spec.ticket.ServiceTicket;
 import org.apache.kerby.kerberos.kerb.spec.ticket.TgtTicket;
-import org.apache.kerby.token.KerbToken;
+import org.apache.kerby.kerberos.kerb.spec.pa.token.KerbToken;
 import org.apache.kerby.transport.Network;
 import org.apache.kerby.transport.Transport;
 import org.apache.kerby.transport.event.TransportEvent;

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/bffabdc7/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/token/TokenContext.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/token/TokenContext.java
b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/token/TokenContext.java
index e1696dc..f46956c 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/token/TokenContext.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/token/TokenContext.java
@@ -19,7 +19,7 @@
  */
 package org.apache.kerby.kerberos.kerb.client.preauth.token;
 
-import org.apache.kerby.token.KerbToken;
+import org.apache.kerby.kerberos.kerb.spec.pa.token.KerbToken;
 
 public class TokenContext {
 

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/bffabdc7/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/token/TokenPreauth.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/token/TokenPreauth.java
b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/token/TokenPreauth.java
index f67ad71..b912311 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/token/TokenPreauth.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/token/TokenPreauth.java
@@ -33,7 +33,7 @@ import org.apache.kerby.kerberos.kerb.spec.common.EncryptionType;
 import org.apache.kerby.kerberos.kerb.spec.pa.PaData;
 import org.apache.kerby.kerberos.kerb.spec.pa.PaDataEntry;
 import org.apache.kerby.kerberos.kerb.spec.pa.PaDataType;
-import org.apache.kerby.token.KerbToken;
+import org.apache.kerby.kerberos.kerb.spec.pa.token.KerbToken;
 
 import java.util.Collections;
 import java.util.List;

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/bffabdc7/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/spec/pa/token/KerbToken.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/spec/pa/token/KerbToken.java
b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/spec/pa/token/KerbToken.java
new file mode 100644
index 0000000..360c979
--- /dev/null
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/spec/pa/token/KerbToken.java
@@ -0,0 +1,50 @@
+/**
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *
+ */
+package org.apache.kerby.kerberos.kerb.spec.pa.token;
+
+import java.util.Map;
+
+/**
+ * This is the token definition according to TokenPreauth draft.
+ */
+public class KerbToken {
+
+    private Map<String, Object> attributes;
+
+    public KerbToken(Map<String, Object> attributes) {
+        this.attributes = attributes;
+    }
+
+    public Map<String, Object> getAttributes() {
+        return attributes;
+    }
+
+    public String getPrincipal() {
+        return (String) attributes.get("sub");
+    }
+
+    public String[] getGroups() {
+        String grp = (String) attributes.get("group");
+        if (grp != null) {
+            return new String[] { grp };
+        }
+        return new String[0];
+    }
+}

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/bffabdc7/kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/WithTokenKdcTest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/WithTokenKdcTest.java
b/kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/WithTokenKdcTest.java
index b0b0489..46be468 100644
--- a/kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/WithTokenKdcTest.java
+++ b/kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/WithTokenKdcTest.java
@@ -22,7 +22,7 @@ package org.apache.kerby.kerberos.kerb.server;
 import org.apache.kerby.kerberos.kerb.KrbException;
 import org.apache.kerby.kerberos.kerb.spec.ticket.ServiceTicket;
 import org.apache.kerby.kerberos.kerb.spec.ticket.TgtTicket;
-import org.apache.kerby.token.KerbToken;
+import org.apache.kerby.kerberos.kerb.spec.pa.token.KerbToken;
 
 import static org.assertj.core.api.Assertions.assertThat;
 

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/bffabdc7/lib/kerby-token/pom.xml
----------------------------------------------------------------------
diff --git a/lib/kerby-token/pom.xml b/lib/kerby-token/pom.xml
deleted file mode 100644
index e15128c..0000000
--- a/lib/kerby-token/pom.xml
+++ /dev/null
@@ -1,44 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
-  Licensed under the Apache License, Version 2.0 (the "License");
-  you may not use this file except in compliance with the License.
-  You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-  Unless required by applicable law or agreed to in writing, software
-  distributed under the License is distributed on an "AS IS" BASIS,
-  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-  See the License for the specific language governing permissions and
-  limitations under the License. See accompanying LICENSE file.
--->
-<project xmlns="http://maven.apache.org/POM/4.0.0"
-         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
-  <modelVersion>4.0.0</modelVersion>
-
-  <parent>
-    <groupId>org.apache.kerby</groupId>
-    <artifactId>lib</artifactId>
-    <version>1.0-SNAPSHOT</version>
-  </parent>
-
-  <artifactId>kerby-token</artifactId>
-  <name>Kerby-token Project</name>
-  <version>1.0-SNAPSHOT</version>
-  <packaging>jar</packaging>
-
-  <dependencies>
-    <dependency>
-      <groupId>com.nimbusds</groupId>
-      <artifactId>nimbus-jose-jwt</artifactId>
-      <version>3.8.2</version>
-    </dependency>
-    <dependency>
-      <groupId>org.apache.kerby</groupId>
-      <artifactId>kerby-asn1</artifactId>
-      <version>${project.version}</version>
-    </dependency>
-  </dependencies>
-
-</project>

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/bffabdc7/lib/kerby-token/src/main/java/org/apache/kerby/token/AuthzDataEntry.java
----------------------------------------------------------------------
diff --git a/lib/kerby-token/src/main/java/org/apache/kerby/token/AuthzDataEntry.java b/lib/kerby-token/src/main/java/org/apache/kerby/token/AuthzDataEntry.java
deleted file mode 100644
index d4bfedb..0000000
--- a/lib/kerby-token/src/main/java/org/apache/kerby/token/AuthzDataEntry.java
+++ /dev/null
@@ -1,52 +0,0 @@
-/**
- *  Licensed to the Apache Software Foundation (ASF) under one
- *  or more contributor license agreements.  See the NOTICE file
- *  distributed with this work for additional information
- *  regarding copyright ownership.  The ASF licenses this file
- *  to you under the Apache License, Version 2.0 (the
- *  "License"); you may not use this file except in compliance
- *  with the License.  You may obtain a copy of the License at
- *  
- *    http://www.apache.org/licenses/LICENSE-2.0
- *  
- *  Unless required by applicable law or agreed to in writing,
- *  software distributed under the License is distributed on an
- *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- *  KIND, either express or implied.  See the License for the
- *  specific language governing permissions and limitations
- *  under the License. 
- *  
- */
-package org.apache.kerby.token;
-
-import org.apache.kerby.asn1.type.Asn1FieldInfo;
-import org.apache.kerby.asn1.type.Asn1Integer;
-import org.apache.kerby.asn1.type.Asn1OctetString;
-import org.apache.kerby.asn1.type.Asn1SequenceType;
-
-/**
- AuthorizationData       ::= SEQUENCE OF SEQUENCE {
-     ad-type         [0] Int32,
-     ad-data         [1] OCTET STRING
- }
- */
-public class AuthzDataEntry extends Asn1SequenceType {
-    static int AD_TYPE = 0;
-    static int AD_DATA = 1;
-
-    public AuthzDataEntry() {
-        super(new Asn1FieldInfo[] {
-                new Asn1FieldInfo(AD_TYPE, Asn1Integer.class),
-                new Asn1FieldInfo(AD_DATA, Asn1OctetString.class)
-        });
-    }
-
-    public int getAuthzType() {
-        Integer value = getFieldAsInteger(AD_TYPE);
-        return value;
-    }
-
-    public byte[] getAuthzData() {
-        return getFieldAsOctets(AD_DATA);
-    }
-}

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/bffabdc7/lib/kerby-token/src/main/java/org/apache/kerby/token/KerbToken.java
----------------------------------------------------------------------
diff --git a/lib/kerby-token/src/main/java/org/apache/kerby/token/KerbToken.java b/lib/kerby-token/src/main/java/org/apache/kerby/token/KerbToken.java
deleted file mode 100644
index be4a127..0000000
--- a/lib/kerby-token/src/main/java/org/apache/kerby/token/KerbToken.java
+++ /dev/null
@@ -1,47 +0,0 @@
-/**
- *  Licensed to the Apache Software Foundation (ASF) under one
- *  or more contributor license agreements.  See the NOTICE file
- *  distributed with this work for additional information
- *  regarding copyright ownership.  The ASF licenses this file
- *  to you under the Apache License, Version 2.0 (the
- *  "License"); you may not use this file except in compliance
- *  with the License.  You may obtain a copy of the License at
- *  
- *    http://www.apache.org/licenses/LICENSE-2.0
- *  
- *  Unless required by applicable law or agreed to in writing,
- *  software distributed under the License is distributed on an
- *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- *  KIND, either express or implied.  See the License for the
- *  specific language governing permissions and limitations
- *  under the License. 
- *  
- */
-package org.apache.kerby.token;
-
-import java.util.Map;
-
-public class KerbToken {
-
-  private Map<String, Object> attributes;
-
-  public KerbToken(Map<String, Object> attributes) {
-    this.attributes = attributes;
-  }
-
-  public Map<String, Object> getAttributes() {
-    return attributes;
-  }
-
-  public String getPrincipal() {
-    return (String) attributes.get("sub");
-  }
-
-  public String[] getGroups() {
-    String grp = (String) attributes.get("group");
-    if (grp != null) {
-      return new String[] { grp };
-    }
-    return new String[0];
-  }
-}

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/bffabdc7/lib/kerby-token/src/main/java/org/apache/kerby/token/TokenCache.java
----------------------------------------------------------------------
diff --git a/lib/kerby-token/src/main/java/org/apache/kerby/token/TokenCache.java b/lib/kerby-token/src/main/java/org/apache/kerby/token/TokenCache.java
deleted file mode 100644
index 51e3593..0000000
--- a/lib/kerby-token/src/main/java/org/apache/kerby/token/TokenCache.java
+++ /dev/null
@@ -1,82 +0,0 @@
-/**
- *  Licensed to the Apache Software Foundation (ASF) under one
- *  or more contributor license agreements.  See the NOTICE file
- *  distributed with this work for additional information
- *  regarding copyright ownership.  The ASF licenses this file
- *  to you under the Apache License, Version 2.0 (the
- *  "License"); you may not use this file except in compliance
- *  with the License.  You may obtain a copy of the License at
- *  
- *    http://www.apache.org/licenses/LICENSE-2.0
- *  
- *  Unless required by applicable law or agreed to in writing,
- *  software distributed under the License is distributed on an
- *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- *  KIND, either express or implied.  See the License for the
- *  specific language governing permissions and limitations
- *  under the License. 
- *  
- */
-package org.apache.kerby.token;
-
-import java.io.*;
-
-public class TokenCache {
-    private static final String DEFAULT_TOKEN_CACHE_PATH = ".tokenauth";
-    private static final String TOKEN_CACHE_FILE = ".tokenauth.token";
-
-    public static String readToken(String tokenCacheFile) {
-        File cacheFile = null;
-
-        if (tokenCacheFile != null && ! tokenCacheFile.isEmpty()) {
-            cacheFile = new File(tokenCacheFile);
-            if (!cacheFile.exists()) {
-                throw new RuntimeException("Invalid token cache specified: " + tokenCacheFile);
-            };
-        } else {
-            cacheFile = getDefaultTokenCache();
-            if (!cacheFile.exists()) {
-                throw new RuntimeException("No token cache available by default");
-            };
-        }
-
-        String token = null;
-        try {
-            BufferedReader reader = new BufferedReader(new FileReader(cacheFile));
-            String line = reader.readLine();
-            reader.close();
-            if (line != null) {
-                token = line;
-            }
-        } catch (IOException ex) {
-            //NOP
-        }
-
-        return token;
-    }
-
-    public static void writeToken(String token) {
-        File cacheFile = getDefaultTokenCache();
-
-        try {
-            Writer writer = new FileWriter(cacheFile);
-            writer.write(token.toString());
-            writer.close();
-            // sets read-write permissions to owner only
-            cacheFile.setReadable(false, false);
-            cacheFile.setReadable(true, true);
-            cacheFile.setWritable(true, true);
-        }
-        catch (IOException ioe) {
-            // if case of any error we just delete the cache, if user-only
-            // write permissions are not properly set a security exception
-            // is thrown and the file will be deleted.
-            cacheFile.delete();
-        }
-    }
-
-    public static File getDefaultTokenCache() {
-        String homeDir = System.getProperty("user.home", DEFAULT_TOKEN_CACHE_PATH);
-        return new File(homeDir, TOKEN_CACHE_FILE);
-    }
-}

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/bffabdc7/lib/kerby-token/src/main/java/org/apache/kerby/token/TokenExtractor.java
----------------------------------------------------------------------
diff --git a/lib/kerby-token/src/main/java/org/apache/kerby/token/TokenExtractor.java b/lib/kerby-token/src/main/java/org/apache/kerby/token/TokenExtractor.java
deleted file mode 100644
index 8e43384..0000000
--- a/lib/kerby-token/src/main/java/org/apache/kerby/token/TokenExtractor.java
+++ /dev/null
@@ -1,101 +0,0 @@
-/**
- *  Licensed to the Apache Software Foundation (ASF) under one
- *  or more contributor license agreements.  See the NOTICE file
- *  distributed with this work for additional information
- *  regarding copyright ownership.  The ASF licenses this file
- *  to you under the Apache License, Version 2.0 (the
- *  "License"); you may not use this file except in compliance
- *  with the License.  You may obtain a copy of the License at
- *  
- *    http://www.apache.org/licenses/LICENSE-2.0
- *  
- *  Unless required by applicable law or agreed to in writing,
- *  software distributed under the License is distributed on an
- *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- *  KIND, either express or implied.  See the License for the
- *  specific language governing permissions and limitations
- *  under the License. 
- *  
- */
-package org.apache.kerby.token;
-
-import com.sun.security.jgss.AuthorizationDataEntry;
-import com.sun.security.jgss.ExtendedGSSContext;
-import com.sun.security.jgss.InquireType;
-import org.apache.kerby.asn1.type.Asn1SequenceOf;
-import org.ietf.jgss.GSSContext;
-import org.ietf.jgss.GSSException;
-
-import java.io.IOException;
-import java.util.List;
-
-public class TokenExtractor {
-    static final int JWT_AUTHZ_DATA_TYPE = 81;
-    public static final int AD_IF_RELEVANT_TYPE = 1;
-
-    /**
-     AuthorizationData       ::= SEQUENCE OF SEQUENCE {
-         ad-type         [0] Int32,
-         ad-data         [1] OCTET STRING
-     }
-     */
-    public static class AuthorizationData extends Asn1SequenceOf<AuthzDataEntry> {
-
-    }
-
-    public static KerbToken checkAuthzData(GSSContext context) throws GSSException, IOException
{
-        System.out.println("Looking for token from authorization data in GSSContext");
-
-        Object authzData = null;
-        if (context instanceof ExtendedGSSContext) {
-            ExtendedGSSContext ex = (ExtendedGSSContext)context;
-            authzData = ex.inquireSecContext(
-                    InquireType.KRB5_GET_AUTHZ_DATA);
-        }
-
-        if (authzData != null) {
-            AuthorizationDataEntry[] authzEntries = (AuthorizationDataEntry[]) authzData;
-            KerbToken resultToken = null;
-            for (int i = 0; i < authzEntries.length; ++i) {
-                resultToken = getAuthzToken(authzEntries[i]);
-                if (resultToken != null) {
-                    return resultToken;
-                }
-            }
-        }
-        return null;
-    }
-
-    public static KerbToken getAuthzToken(AuthorizationDataEntry authzDataEntry) throws IOException
{
-        if (authzDataEntry.getType() == AD_IF_RELEVANT_TYPE) {
-            String token = getToken(authzDataEntry);
-            if (token == null) {
-                return null;
-            }
-
-            try {
-                return TokenTool.fromJwtToken(token);
-            } catch (Exception e) {
-                // noop when not jwt token
-            }
-        }
-
-        return null;
-    }
-
-    public static String getToken(AuthorizationDataEntry authzDataEntry) throws IOException
{
-        List<AuthzDataEntry> entries = decode(authzDataEntry);
-        for (AuthzDataEntry entry : entries) {
-            if (entry.getAuthzType() == JWT_AUTHZ_DATA_TYPE) {
-                return new String(entry.getAuthzData());
-            }
-        }
-        return null;
-    }
-
-    public static List<AuthzDataEntry> decode(AuthorizationDataEntry authzDataEntry)
throws IOException {
-        AuthorizationData authzData = new AuthorizationData();
-        authzData.decode(authzDataEntry.getData());
-        return authzData.getElements();
-    }
-}

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/bffabdc7/lib/kerby-token/src/main/java/org/apache/kerby/token/TokenTool.java
----------------------------------------------------------------------
diff --git a/lib/kerby-token/src/main/java/org/apache/kerby/token/TokenTool.java b/lib/kerby-token/src/main/java/org/apache/kerby/token/TokenTool.java
deleted file mode 100644
index 2de1973..0000000
--- a/lib/kerby-token/src/main/java/org/apache/kerby/token/TokenTool.java
+++ /dev/null
@@ -1,124 +0,0 @@
-/**
- *  Licensed to the Apache Software Foundation (ASF) under one
- *  or more contributor license agreements.  See the NOTICE file
- *  distributed with this work for additional information
- *  regarding copyright ownership.  The ASF licenses this file
- *  to you under the Apache License, Version 2.0 (the
- *  "License"); you may not use this file except in compliance
- *  with the License.  You may obtain a copy of the License at
- *  
- *    http://www.apache.org/licenses/LICENSE-2.0
- *  
- *  Unless required by applicable law or agreed to in writing,
- *  software distributed under the License is distributed on an
- *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- *  KIND, either express or implied.  See the License for the
- *  specific language governing permissions and limitations
- *  under the License. 
- *  
- */
-package org.apache.kerby.token;
-
-import com.nimbusds.jose.PlainHeader;
-import com.nimbusds.jwt.JWT;
-import com.nimbusds.jwt.JWTClaimsSet;
-import com.nimbusds.jwt.PlainJWT;
-
-import java.text.ParseException;
-import java.util.*;
-
-public class TokenTool {
-
-    public static JWT issueToken(String principal, String group, String role) {
-        // must have for kerb-token
-        String krbPrincipal = principal + "@SH.INTEL.COM";
-
-        PlainHeader header = new PlainHeader();
-        //header.setCustomParameter("krbPrincipal", krbPrincipal);
-
-        JWTClaimsSet jwtClaims = new JWTClaimsSet();
-
-        String iss = "token-service";
-        jwtClaims.setIssuer(iss);
-
-        String sub = principal;
-        jwtClaims.setSubject(sub);
-
-        // must have for kerb-token
-        jwtClaims.setSubject(krbPrincipal);
-
-        jwtClaims.setClaim("group", group);
-        if (role != null) {
-            jwtClaims.setClaim("role", role);
-        }
-
-        List<String> aud = new ArrayList<String>();
-        aud.add("krb5kdc-with-token-extension");
-        jwtClaims.setAudience(aud);
-
-        // Set expiration in 60 minutes
-        final Date NOW =  new Date(new Date().getTime() / 1000 * 1000);
-        Date exp = new Date(NOW.getTime() + 1000 * 60 * 60);
-        jwtClaims.setExpirationTime(exp);
-
-        Date nbf = NOW;
-        jwtClaims.setNotBeforeTime(nbf);
-
-        Date iat = NOW;
-        jwtClaims.setIssueTime(iat);
-
-        String jti = UUID.randomUUID().toString();
-        jwtClaims.setJWTID(jti);
-
-        PlainJWT jwt = new PlainJWT(header, jwtClaims);
-        return jwt;
-    }
-
-    public static JWT decodeToken(String token) throws ParseException {
-        PlainJWT jwt = PlainJWT.parse(token);
-
-        return jwt;
-    }
-
-    public static KerbToken fromJwtToken(String token) throws ParseException {
-        Map<String, Object> attrs = decodeAndExtractTokenAttributes(token);
-        return new KerbToken(attrs);
-    }
-
-    public static Map<String, Object> decodeAndExtractTokenAttributes(String token)
throws ParseException {
-        PlainJWT jwt = PlainJWT.parse(token);
-
-        Map<String, Object> attrs = new HashMap<String, Object>();
-        attrs.putAll(jwt.getJWTClaimsSet().getAllClaims());
-        //attrs.putAll(jwt.getHeader().getCustomParameters());
-
-        return attrs;
-    }
-
-    public static void main(String[] args) throws ParseException {
-        String principal, group, role = null;
-
-        if (args.length != 2 && args.length != 3) {
-            System.out.println("This is a simple token issuing tool just for kerb-token PoC
usage\n");
-            System.out.println("tokeninit <username> <group> [role]\n");
-            System.exit(1);
-        }
-        principal = args[0];
-        group = args[1];
-        if (args.length > 2) {
-            role = args[2];
-        }
-
-        JWT jwt = issueToken(principal, group, role);
-        String token = jwt.serialize();
-
-        TokenCache.writeToken(token);
-        System.out.println("Issued token: " + token);
-
-        /*
-        JWT jwt2 = decodeToken(token);
-        String krbPrincipal = (String) jwt2.getHeader().getCustomParameter("krbPrincipal");
-        System.out.println("Decoded token with krbprincipal: " + krbPrincipal);
-        */
-    }
-}

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/bffabdc7/lib/pom.xml
----------------------------------------------------------------------
diff --git a/lib/pom.xml b/lib/pom.xml
index a514a61..2185fdd 100644
--- a/lib/pom.xml
+++ b/lib/pom.xml
@@ -30,7 +30,6 @@
     <module>kerby-config</module>
     <module>kerby-event</module>
     <module>kerby-pkix</module>
-    <module>kerby-token</module>
     <module>kerby-util</module>
   </modules>
 


Mime
View raw message