From: plusplusjiajia@apache.org
To: commits@directory.apache.org
Date: Tue, 27 Oct 2015 05:35:02 -0000
Message-Id:
X-Mailer: ASF-Git Admin Mailer
Subject: [1/2] directory-kerby git commit: DIRKRB-435 JWT Audience restriction validation is not working. Add check Access Token Audience.
Repository: directory-kerby
Updated Branches: refs/heads/master 8ad5f32e0 -> 103de43fa
DIRKRB-435 JWT Audience restriction validation is not working. Add check Access Token Audience.
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/0365e57c
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/0365e57c
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/0365e57c
Branch: refs/heads/master
Commit: 0365e57cdacc7d2439504ec5e4af22575568485a
Parents: 23eee00
Author: plusplus_jiajia
Authored: Tue Oct 27 13:32:34 2015 +0800
Committer: plusplus_jiajia
Committed: Tue Oct 27 13:32:34 2015 +0800
----------------------------------------------------------------------
.../kerberos/kdc/WithAccessTokenKdcTest.java | 14 +++---
.../kerberos/kdc/WithIdentityTokenKdcTest.java | 53 ++++++++++----------
.../kerberos/kdc/WithTokenKdcTestBase.java | 10 ++--
.../integration/test/TokenLoginTestBase.java | 4 +-
.../kerb/server/preauth/token/TokenPreauth.java | 14 +++---
5 files changed, 47 insertions(+), 48 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/0365e57c/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithAccessTokenKdcTest.java
----------------------------------------------------------------------
diff --git a/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithAccessTokenKdcTest.java b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithAccessTokenKdcTest.java
index 3a2d4ff..8686190 100644
--- a/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithAccessTokenKdcTest.java
+++ b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithAccessTokenKdcTest.java
@@ -40,12 +40,12 @@ public class WithAccessTokenKdcTest extends WithTokenKdcTestBase {
 prepareToken(getServerPrincipal());
 performTest();
 }
-
+
 @Test
 public void testBadIssuer() throws Exception {
 InputStream is = WithTokenKdcTestBase.class.getResourceAsStream("/private_key.pem");
 PrivateKey privateKey = PrivateKeyReader.loadPrivateKey(is);
- prepareToken(getServerPrincipal(), "oauth1.com", AUDIENCE, privateKey, null);
+ prepareToken(getServerPrincipal(), "oauth1.com", privateKey, null);
 try {
 performTest();
@@ -61,7 +61,7 @@ public class WithAccessTokenKdcTest extends WithTokenKdcTestBase {
 InputStream is = WithTokenKdcTestBase.class.getResourceAsStream("/private_key.pem");
 PrivateKey privateKey = PrivateKeyReader.loadPrivateKey(is);
 prepareToken("bad-service" + "/" + getHostname() + "@" + TestKdcServer.KDC_REALM,
- ISSUER, AUDIENCE, privateKey, null);
+ ISSUER, privateKey, null);
 try {
 performTest();
@@ -74,7 +74,7 @@ public class WithAccessTokenKdcTest extends WithTokenKdcTestBase {
 @Test
 public void testUnsignedToken() throws Exception {
- prepareToken(getServerPrincipal(), ISSUER, AUDIENCE, null, null);
+ prepareToken(getServerPrincipal(), ISSUER, null, null);
 try {
 performTest();
@@ -89,7 +89,7 @@ public class WithAccessTokenKdcTest extends WithTokenKdcTestBase {
 public void testSignedTokenWithABadKey() throws Exception {
 KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
 KeyPair keyPair = keyGen.generateKeyPair();
- prepareToken(getServerPrincipal(), ISSUER, AUDIENCE, keyPair.getPrivate(), null);
+ prepareToken(getServerPrincipal(), ISSUER, keyPair.getPrivate(), null);
 try {
 performTest();
@@ -108,7 +108,7 @@ public class WithAccessTokenKdcTest extends WithTokenKdcTestBase {
 is = WithTokenKdcTestBase.class.getResourceAsStream("/oauth2.com_public_key.pem");
 PublicKey publicKey = PublicKeyReader.loadPublicKey(is);
- prepareToken(getServerPrincipal(), ISSUER, AUDIENCE, privateKey, publicKey);
+ prepareToken(getServerPrincipal(), ISSUER, privateKey, publicKey);
 performTest();
 }
@@ -121,7 +121,7 @@ public class WithAccessTokenKdcTest extends WithTokenKdcTestBase {
 InputStream is = WithTokenKdcTestBase.class.getResourceAsStream("/oauth2.com_public_key.pem");
 PublicKey publicKey = PublicKeyReader.loadPublicKey(is);
- prepareToken(getServerPrincipal(), ISSUER, AUDIENCE, keyPair.getPrivate(), publicKey);
+ prepareToken(getServerPrincipal(), ISSUER, keyPair.getPrivate(), publicKey);
 try {
 performTest();
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/0365e57c/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithIdentityTokenKdcTest.java
----------------------------------------------------------------------
diff --git a/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithIdentityTokenKdcTest.java b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithIdentityTokenKdcTest.java
index 3c0895f..052cb0d 100644
--- a/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithIdentityTokenKdcTest.java
+++ b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithIdentityTokenKdcTest.java
@@ -22,6 +22,7 @@ package org.apache.kerby.kerberos.kdc;
 import org.apache.kerby.kerberos.kerb.KrbException;
 import org.apache.kerby.kerberos.kerb.common.PrivateKeyReader;
 import org.apache.kerby.kerberos.kerb.common.PublicKeyReader;
+import org.apache.kerby.kerberos.kerb.server.TestKdcServer;
 import org.apache.kerby.kerberos.kerb.spec.ticket.ServiceTicket;
 import org.apache.kerby.kerberos.kerb.spec.ticket.TgtTicket;
 import org.junit.Assert;
@@ -37,17 +38,16 @@ public class WithIdentityTokenKdcTest extends WithTokenKdcTestBase {
 @Test
 public void testKdc() throws Exception {
-
- prepareToken(null);
+ prepareToken(getAudience("krbtgt"));
 performTest();
 }
-
+
 @Test
 public void testBadIssuer() throws Exception {
 InputStream is = WithTokenKdcTestBase.class.getResourceAsStream("/private_key.pem");
 PrivateKey privateKey = PrivateKeyReader.loadPrivateKey(is);
- prepareToken(null, "oauth1.com", AUDIENCE, privateKey, null);
-
+ prepareToken(getAudience("krbtgt"), "oauth1.com", privateKey, null);
+
 try {
 performTest();
 Assert.fail("Failure expected on a bad issuer value");
@@ -56,15 +56,13 @@ public class WithIdentityTokenKdcTest extends WithTokenKdcTestBase {
 Assert.assertTrue(ex instanceof KrbException);
 }
 }
-
- // TODO - not failing yet.
+
 @Test
- @org.junit.Ignore
 public void testBadAudienceRestriction() throws Exception {
 InputStream is = WithTokenKdcTestBase.class.getResourceAsStream("/private_key.pem");
 PrivateKey privateKey = PrivateKeyReader.loadPrivateKey(is);
- prepareToken(null, ISSUER, "krbtgt2@EXAMPLE.COM", privateKey, null);
-
+ prepareToken("krbtgt2@EXAMPLE.COM", ISSUER, privateKey, null);
+
 try {
 performTest();
 Assert.fail("Failure expected on a bad audience restriction value");
@@ -76,8 +74,7 @@ public class WithIdentityTokenKdcTest extends WithTokenKdcTestBase {
 @Test
 public void testUnsignedToken() throws Exception {
- prepareToken(null, ISSUER, "krbtgt2@EXAMPLE.COM", null, null);
-
+ prepareToken(getAudience("krbtgt2"), ISSUER, null, null);
 try {
 performTest();
 Assert.fail("Failure expected on an unsigned token");
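Review bot: In testUnsignedToken the new call `prepareToken(getAudience("krbtgt2"), ISSUER, null, null)` still pairs the missing signature with an audience that testBadAudienceRestriction in this same file treats as wrong, so the expected KrbException can come from either check and the test cannot tell which one fired; the old `"krbtgt2@EXAMPLE.COM"` line had the same double fault, and the commit only renames it. Use the audience the KDC accepts so that only the signature is wrong: `prepareToken(getAudience("krbtgt"), ISSUER, null, null);`. In the TokenPreauth hunk the "Token Decoding failed" path runs before the audience comparison, so the unsigned token is probably rejected first today, but the test should not rely on that ordering.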
@@ -86,13 +83,13 @@ public class WithIdentityTokenKdcTest extends WithTokenKdcTestBase {
 Assert.assertTrue(ex instanceof KrbException);
 }
 }
-
+
 @Test
 public void testSignedTokenWithABadKey() throws Exception {
 KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
 KeyPair keyPair = keyGen.generateKeyPair();
- prepareToken(null, ISSUER, AUDIENCE, keyPair.getPrivate(), null);
-
+ prepareToken(getAudience("krbtgt"), ISSUER, keyPair.getPrivate(), null);
+
 try {
 performTest();
 Assert.fail("Failure expected on a bad key");
@@ -101,30 +98,30 @@ public class WithIdentityTokenKdcTest extends WithTokenKdcTestBase {
 Assert.assertTrue(ex instanceof KrbException);
 }
 }
-
+
 @Test
 public void testSignedEncryptedToken() throws Exception {
 InputStream is = WithTokenKdcTestBase.class.getResourceAsStream("/private_key.pem");
 PrivateKey privateKey = PrivateKeyReader.loadPrivateKey(is);
-
+
 is = WithTokenKdcTestBase.class.getResourceAsStream("/oauth2.com_public_key.pem");
 PublicKey publicKey = PublicKeyReader.loadPublicKey(is);
-
- prepareToken(null, ISSUER, AUDIENCE, privateKey, publicKey);
-
+
+ prepareToken(getAudience("krbtgt"), ISSUER, privateKey, publicKey);
+
 performTest();
 }
-
+
 @Test
 public void testSignedEncryptedTokenBadSigningKey() throws Exception {
 KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
 KeyPair keyPair = keyGen.generateKeyPair();
-
+
 InputStream is = WithTokenKdcTestBase.class.getResourceAsStream("/oauth2.com_public_key.pem");
 PublicKey publicKey = PublicKeyReader.loadPublicKey(is);
-
- prepareToken(null, ISSUER, AUDIENCE, keyPair.getPrivate(), publicKey);
-
+
+ prepareToken(getAudience("krbtgt"), ISSUER, keyPair.getPrivate(), publicKey);
+
 try {
 performTest();
 Assert.fail("Failure expected on a bad key");
@@ -133,7 +130,7 @@ public class WithIdentityTokenKdcTest extends WithTokenKdcTestBase {
 Assert.assertTrue(ex instanceof KrbException);
 }
 }
-
+
 private void performTest() throws Exception {
 createCredentialCache(getClientPrincipal(), getClientPassword());
@@ -154,4 +151,8 @@ public class WithIdentityTokenKdcTest extends WithTokenKdcTestBase {
 getServerPrincipal());
 verifyTicket(tkt);
 }
+
+ private String getAudience(String name) {
+ return name + "/" + TestKdcServer.KDC_REALM + "@" + TestKdcServer.KDC_REALM;
+ }
 }
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/0365e57c/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithTokenKdcTestBase.java
----------------------------------------------------------------------
diff --git a/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithTokenKdcTestBase.java b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithTokenKdcTestBase.java
index 0b94be5..e90e8c5 100644
--- a/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithTokenKdcTestBase.java
+++ b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithTokenKdcTestBase.java
@@ -50,7 +50,6 @@ import static org.assertj.core.api.Assertions.assertThat;
 public class WithTokenKdcTestBase extends KdcTestBase {
 static final String SUBJECT = "test-sub";
- static final String AUDIENCE = "krbtgt@EXAMPLE.COM";
 static final String ISSUER = "oauth2.com";
 static final String GROUP = "sales-group";
 static final String ROLE = "ADMIN";
@@ -82,7 +81,7 @@ public class WithTokenKdcTestBase extends KdcTestBase {
 return cCacheFile;
 }
- protected AuthToken prepareToken(String servicePrincipal) {
+ protected AuthToken prepareToken(String audience) {
 InputStream is = WithTokenKdcTestBase.class.getResourceAsStream("/private_key.pem");
 PrivateKey privateKey = null;
 try {
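Review bot: The new `getAudience` helper hand-builds `name + "/" + TestKdcServer.KDC_REALM + "@" + TestKdcServer.KDC_REALM`, while the TokenLoginTestBase hunk in this same commit obtains the accepted audience from `KrbUtil.makeTgsPrincipal(TestKdcServer.KDC_REALM).getName()`; because TokenPreauth rejects the token unless the audience list contains `serverPrincipal.getName()` exactly, the two tests should derive the expected string the same way so a change in principal-name formatting fails both rather than silently leaving one of them testing a different value. The helper is also undocumented, and the doubled realm is not obvious to a reader; add a Javadoc along the lines of `/** Builds "name/REALM@REALM", the form in which the KDC names the requested server principal; TokenPreauth requires the token audience to contain it verbatim. */`. For the "krbtgt" case the helper could simply delegate to `KrbUtil.makeTgsPrincipal(...)`, keeping the hand-built form only for the deliberately wrong "krbtgt2" audience.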
@@ -91,10 +90,10 @@ public class WithTokenKdcTestBase extends KdcTestBase {
 e.printStackTrace();
 }
- return prepareToken(servicePrincipal, ISSUER, AUDIENCE, privateKey, null);
+ return prepareToken(audience, ISSUER, privateKey, null);
 }
- protected AuthToken prepareToken(String servicePrincipal, String issuer, String audience,
+ protected AuthToken prepareToken(String audience, String issuer,
 PrivateKey signingKey, PublicKey encryptionKey) {
 AuthToken authToken = KrbRuntime.getTokenProvider().createTokenFactory().createToken();
 authToken.setIssuer(issuer);
@@ -104,9 +103,6 @@ public class WithTokenKdcTestBase extends KdcTestBase {
 authToken.addAttribute("role", ROLE);
 List aud = new ArrayList();
- if (servicePrincipal != null) {
- aud.add(servicePrincipal);
- }
 aud.add(audience);
 authToken.setAudiences(aud);
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/0365e57c/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/TokenLoginTestBase.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/TokenLoginTestBase.java b/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/TokenLoginTestBase.java
index 16ff65f..4fcc54d 100644
--- a/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/TokenLoginTestBase.java
+++ b/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/TokenLoginTestBase.java
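Review bot: After the `servicePrincipal` branch is removed, `audience` becomes the only value added to the token's audience list, yet neither `prepareToken` overload says what callers must pass, and the parameter was previously an optional extra entry next to a constant; a Javadoc on the four-argument overload would keep the next test from passing a bare service name: `/** Builds a token whose sole audience is {@code audience}; pass the full name of the principal the KDC request targets, since TokenPreauth compares the audience list against serverPrincipal.getName() verbatim. */`. Both `prepareToken` bodies begin or end outside this hunk. The raw `List aud = new ArrayList();` predates this change, but since the line is being touched, `List<String>` would let the compiler check what goes into `setAudiences`.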
@@ -20,11 +20,13 @@ package org.apache.kerby.kerberos.kerb.integration.test;
 import org.apache.kerby.kerberos.kerb.KrbRuntime;
+import org.apache.kerby.kerberos.kerb.common.KrbUtil;
 import org.apache.kerby.kerberos.kerb.integration.test.jaas.TokenCache;
 import org.apache.kerby.kerberos.kerb.integration.test.jaas.TokenJaasKrbUtil;
 import org.apache.kerby.kerberos.kerb.provider.TokenEncoder;
 import org.apache.kerby.kerberos.kerb.server.KdcConfigKey;
 import org.apache.kerby.kerberos.kerb.server.LoginTestBase;
+import org.apache.kerby.kerberos.kerb.server.TestKdcServer;
 import org.apache.kerby.kerberos.kerb.spec.base.AuthToken;
 import org.apache.kerby.kerberos.kerb.spec.ticket.TgtTicket;
 import org.apache.kerby.kerberos.provider.token.JwtTokenProvider;
@@ -108,7 +110,7 @@ public class TokenLoginTestBase extends LoginTestBase {
 authToken.addAttribute("role", ROLE);
 List aud = new ArrayList();
- aud.add("krb5kdc-with-token-extension");
+ aud.add(KrbUtil.makeTgsPrincipal(TestKdcServer.KDC_REALM).getName());
 authToken.setAudiences(aud);
 // Set expiration in 60 minutes
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/0365e57c/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java
index a2c57d6..7316070 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java
@@ -99,19 +99,19 @@ public class TokenPreauth extends AbstractPreauthPlugin {
 throw new KrbException("Token Decoding failed");
 }
+ List audiences = authToken.getAudiences();
+ PrincipalName serverPrincipal = kdcRequest.getKdcReq().getReqBody().getSname();
+ serverPrincipal.setRealm(kdcRequest.getKdcReq().getReqBody().getRealm());
+ kdcRequest.setServerPrincipal(serverPrincipal);
+ if (!audiences.contains(serverPrincipal.getName())) {
+ throw new KrbException("Token audience not match with the target server principal!");
+ }
 if (kdcRequest instanceof AsRequest) {
 AsRequest asRequest = (AsRequest) kdcRequest;
 asRequest.setToken(authToken);
 } else if (kdcRequest instanceof TgsRequest) {
 TgsRequest tgsRequest = (TgsRequest) kdcRequest;
 tgsRequest.setToken(authToken);
- List audiences = authToken.getAudiences();
- PrincipalName serverPrincipal = kdcRequest.getKdcReq().getReqBody().getSname();
- serverPrincipal.setRealm(kdcRequest.getKdcReq().getReqBody().getRealm());
- kdcRequest.setServerPrincipal(serverPrincipal);
- if (!audiences.contains(serverPrincipal.getName())) {
- throw new KrbException("Token audience not match with the target server principal!");
- }
 }
 return true;
 } else {
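Review bot: `audiences.contains(serverPrincipal.getName())` dereferences whatever `authToken.getAudiences()` returns without a null check, so if a decoded token carrying no audience claim yields null here (not visible in this hunk) the request fails with a NullPointerException instead of the intended KrbException; since the commit's point is that this check now runs for AS as well as TGS requests, reject an absent audience explicitly with `if (audiences == null || !audiences.contains(serverPrincipal.getName())) {`. `serverPrincipal.setRealm(...)` mutates the PrincipalName taken from the request body in place before the comparison; that is presumably intended so the name includes the realm, but a one-line comment saying so would save the next reader from wondering whether the request object is meant to change. `List audiences` is a raw type; `List<String>` would let the compiler check the `contains` argument. The enclosing method starts before this hunk and continues past its closing `} else {`.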