directory-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From plusplusjia...@apache.org
Subject [40/48] directory-kerby git commit: DIRKRB-435 JWT Audience restriction validation is not working. Add check Access Token Audience.
Date Wed, 04 Nov 2015 08:26:06 GMT
DIRKRB-435 JWT Audience restriction validation is not working. Add check Access Token Audience.


Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/0365e57c
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/0365e57c
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/0365e57c

Branch: refs/heads/pkinit-support
Commit: 0365e57cdacc7d2439504ec5e4af22575568485a
Parents: 23eee00
Author: plusplus_jiajia <jiajia.li@intel.com>
Authored: Tue Oct 27 13:32:34 2015 +0800
Committer: plusplus_jiajia <jiajia.li@intel.com>
Committed: Tue Oct 27 13:32:34 2015 +0800

----------------------------------------------------------------------
 .../kerberos/kdc/WithAccessTokenKdcTest.java    | 14 +++---
 .../kerberos/kdc/WithIdentityTokenKdcTest.java  | 53 ++++++++++----------
 .../kerberos/kdc/WithTokenKdcTestBase.java      | 10 ++--
 .../integration/test/TokenLoginTestBase.java    |  4 +-
 .../kerb/server/preauth/token/TokenPreauth.java | 14 +++---
 5 files changed, 47 insertions(+), 48 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/0365e57c/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithAccessTokenKdcTest.java
----------------------------------------------------------------------
diff --git a/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithAccessTokenKdcTest.java
b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithAccessTokenKdcTest.java
index 3a2d4ff..8686190 100644
--- a/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithAccessTokenKdcTest.java
+++ b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithAccessTokenKdcTest.java
@@ -40,12 +40,12 @@ public class WithAccessTokenKdcTest extends WithTokenKdcTestBase {
         prepareToken(getServerPrincipal());
         performTest();
     }
-    
+
     @Test
     public void testBadIssuer() throws Exception {
         InputStream is = WithTokenKdcTestBase.class.getResourceAsStream("/private_key.pem");
         PrivateKey privateKey = PrivateKeyReader.loadPrivateKey(is);
-        prepareToken(getServerPrincipal(), "oauth1.com", AUDIENCE, privateKey, null);
+        prepareToken(getServerPrincipal(), "oauth1.com", privateKey, null);
         
         try {
             performTest();
@@ -61,7 +61,7 @@ public class WithAccessTokenKdcTest extends WithTokenKdcTestBase {
         InputStream is = WithTokenKdcTestBase.class.getResourceAsStream("/private_key.pem");
         PrivateKey privateKey = PrivateKeyReader.loadPrivateKey(is);
         prepareToken("bad-service" + "/" + getHostname() + "@" + TestKdcServer.KDC_REALM,
-                ISSUER, AUDIENCE, privateKey, null);
+                ISSUER, privateKey, null);
         
         try {
             performTest();
@@ -74,7 +74,7 @@ public class WithAccessTokenKdcTest extends WithTokenKdcTestBase {
 
     @Test
     public void testUnsignedToken() throws Exception {
-        prepareToken(getServerPrincipal(), ISSUER, AUDIENCE, null, null);
+        prepareToken(getServerPrincipal(), ISSUER, null, null);
         
         try {
             performTest();
@@ -89,7 +89,7 @@ public class WithAccessTokenKdcTest extends WithTokenKdcTestBase {
     public void testSignedTokenWithABadKey() throws Exception {
         KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
         KeyPair keyPair = keyGen.generateKeyPair();
-        prepareToken(getServerPrincipal(), ISSUER, AUDIENCE, keyPair.getPrivate(), null);
+        prepareToken(getServerPrincipal(), ISSUER, keyPair.getPrivate(), null);
         
         try {
             performTest();
@@ -108,7 +108,7 @@ public class WithAccessTokenKdcTest extends WithTokenKdcTestBase {
         is = WithTokenKdcTestBase.class.getResourceAsStream("/oauth2.com_public_key.pem");
         PublicKey publicKey = PublicKeyReader.loadPublicKey(is);
         
-        prepareToken(getServerPrincipal(), ISSUER, AUDIENCE, privateKey, publicKey);
+        prepareToken(getServerPrincipal(), ISSUER, privateKey, publicKey);
         
         performTest();
     }
@@ -121,7 +121,7 @@ public class WithAccessTokenKdcTest extends WithTokenKdcTestBase {
         InputStream is = WithTokenKdcTestBase.class.getResourceAsStream("/oauth2.com_public_key.pem");
         PublicKey publicKey = PublicKeyReader.loadPublicKey(is);
         
-        prepareToken(getServerPrincipal(), ISSUER, AUDIENCE, keyPair.getPrivate(), publicKey);
+        prepareToken(getServerPrincipal(), ISSUER, keyPair.getPrivate(), publicKey);
         
         try {
             performTest();

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/0365e57c/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithIdentityTokenKdcTest.java
----------------------------------------------------------------------
diff --git a/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithIdentityTokenKdcTest.java
b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithIdentityTokenKdcTest.java
index 3c0895f..052cb0d 100644
--- a/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithIdentityTokenKdcTest.java
+++ b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithIdentityTokenKdcTest.java
@@ -22,6 +22,7 @@ package org.apache.kerby.kerberos.kdc;
 import org.apache.kerby.kerberos.kerb.KrbException;
 import org.apache.kerby.kerberos.kerb.common.PrivateKeyReader;
 import org.apache.kerby.kerberos.kerb.common.PublicKeyReader;
+import org.apache.kerby.kerberos.kerb.server.TestKdcServer;
 import org.apache.kerby.kerberos.kerb.spec.ticket.ServiceTicket;
 import org.apache.kerby.kerberos.kerb.spec.ticket.TgtTicket;
 import org.junit.Assert;
@@ -37,17 +38,16 @@ public class WithIdentityTokenKdcTest extends WithTokenKdcTestBase {
 
     @Test
     public void testKdc() throws Exception {
-
-        prepareToken(null);
+        prepareToken(getAudience("krbtgt"));
         performTest();
     }
-    
+
     @Test
     public void testBadIssuer() throws Exception {
         InputStream is = WithTokenKdcTestBase.class.getResourceAsStream("/private_key.pem");
         PrivateKey privateKey = PrivateKeyReader.loadPrivateKey(is);
-        prepareToken(null, "oauth1.com", AUDIENCE, privateKey, null);
-        
+        prepareToken(getAudience("krbtgt"), "oauth1.com", privateKey, null);
+
         try {
             performTest();
             Assert.fail("Failure expected on a bad issuer value");
@@ -56,15 +56,13 @@ public class WithIdentityTokenKdcTest extends WithTokenKdcTestBase {
             Assert.assertTrue(ex instanceof KrbException);
         }
     }
-    
-    // TODO - not failing yet.
+
     @Test
-    @org.junit.Ignore
     public void testBadAudienceRestriction() throws Exception {
         InputStream is = WithTokenKdcTestBase.class.getResourceAsStream("/private_key.pem");
         PrivateKey privateKey = PrivateKeyReader.loadPrivateKey(is);
-        prepareToken(null, ISSUER, "krbtgt2@EXAMPLE.COM", privateKey, null);
-        
+        prepareToken("krbtgt2@EXAMPLE.COM", ISSUER, privateKey, null);
+
         try {
             performTest();
             Assert.fail("Failure expected on a bad audience restriction value");
@@ -76,8 +74,7 @@ public class WithIdentityTokenKdcTest extends WithTokenKdcTestBase {
 
     @Test
     public void testUnsignedToken() throws Exception {
-        prepareToken(null, ISSUER, "krbtgt2@EXAMPLE.COM", null, null);
-        
+        prepareToken(getAudience("krbtgt2"), ISSUER, null, null);
         try {
             performTest();
             Assert.fail("Failure expected on an unsigned token");
@@ -86,13 +83,13 @@ public class WithIdentityTokenKdcTest extends WithTokenKdcTestBase {
             Assert.assertTrue(ex instanceof KrbException);
         }
     }
-    
+
     @Test
     public void testSignedTokenWithABadKey() throws Exception {
         KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
         KeyPair keyPair = keyGen.generateKeyPair();
-        prepareToken(null, ISSUER, AUDIENCE, keyPair.getPrivate(), null);
-        
+        prepareToken(getAudience("krbtgt"), ISSUER, keyPair.getPrivate(), null);
+
         try {
             performTest();
             Assert.fail("Failure expected on a bad key");
@@ -101,30 +98,30 @@ public class WithIdentityTokenKdcTest extends WithTokenKdcTestBase {
             Assert.assertTrue(ex instanceof KrbException);
         }
     }
-    
+
     @Test
     public void testSignedEncryptedToken() throws Exception {
         InputStream is = WithTokenKdcTestBase.class.getResourceAsStream("/private_key.pem");
         PrivateKey privateKey = PrivateKeyReader.loadPrivateKey(is);
-        
+
         is = WithTokenKdcTestBase.class.getResourceAsStream("/oauth2.com_public_key.pem");
         PublicKey publicKey = PublicKeyReader.loadPublicKey(is);
-        
-        prepareToken(null, ISSUER, AUDIENCE, privateKey, publicKey);
-        
+
+        prepareToken(getAudience("krbtgt"), ISSUER, privateKey, publicKey);
+
         performTest();
     }
-    
+
     @Test
     public void testSignedEncryptedTokenBadSigningKey() throws Exception {
         KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
         KeyPair keyPair = keyGen.generateKeyPair();
-        
+
         InputStream is = WithTokenKdcTestBase.class.getResourceAsStream("/oauth2.com_public_key.pem");
         PublicKey publicKey = PublicKeyReader.loadPublicKey(is);
-        
-        prepareToken(null, ISSUER, AUDIENCE, keyPair.getPrivate(), publicKey);
-        
+
+        prepareToken(getAudience("krbtgt"), ISSUER, keyPair.getPrivate(), publicKey);
+
         try {
             performTest();
             Assert.fail("Failure expected on a bad key");
@@ -133,7 +130,7 @@ public class WithIdentityTokenKdcTest extends WithTokenKdcTestBase {
             Assert.assertTrue(ex instanceof KrbException);
         }
     }
-    
+
     private void performTest() throws Exception {
 
         createCredentialCache(getClientPrincipal(), getClientPassword());
@@ -154,4 +151,8 @@ public class WithIdentityTokenKdcTest extends WithTokenKdcTestBase {
                 getServerPrincipal());
         verifyTicket(tkt);
     }
+
+    private String getAudience(String name) {
+        return name + "/" + TestKdcServer.KDC_REALM + "@" + TestKdcServer.KDC_REALM;
+    }
 }
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/0365e57c/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithTokenKdcTestBase.java
----------------------------------------------------------------------
diff --git a/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithTokenKdcTestBase.java
b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithTokenKdcTestBase.java
index 0b94be5..e90e8c5 100644
--- a/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithTokenKdcTestBase.java
+++ b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithTokenKdcTestBase.java
@@ -50,7 +50,6 @@ import static org.assertj.core.api.Assertions.assertThat;
 
 public class WithTokenKdcTestBase extends KdcTestBase {
     static final String SUBJECT = "test-sub";
-    static final String AUDIENCE = "krbtgt@EXAMPLE.COM";
     static final String ISSUER = "oauth2.com";
     static final String GROUP = "sales-group";
     static final String ROLE = "ADMIN";
@@ -82,7 +81,7 @@ public class WithTokenKdcTestBase extends KdcTestBase {
         return cCacheFile;
     }
     
-    protected AuthToken prepareToken(String servicePrincipal) {
+    protected AuthToken prepareToken(String audience) {
         InputStream is = WithTokenKdcTestBase.class.getResourceAsStream("/private_key.pem");
         PrivateKey privateKey = null;
         try {
@@ -91,10 +90,10 @@ public class WithTokenKdcTestBase extends KdcTestBase {
             e.printStackTrace();
         }
 
-        return prepareToken(servicePrincipal, ISSUER, AUDIENCE, privateKey, null);
+        return prepareToken(audience, ISSUER, privateKey, null);
     }
     
-    protected AuthToken prepareToken(String servicePrincipal, String issuer, String audience,

+    protected AuthToken prepareToken(String audience, String issuer,
                                      PrivateKey signingKey, PublicKey encryptionKey) {
         AuthToken authToken = KrbRuntime.getTokenProvider().createTokenFactory().createToken();
         authToken.setIssuer(issuer);
@@ -104,9 +103,6 @@ public class WithTokenKdcTestBase extends KdcTestBase {
         authToken.addAttribute("role", ROLE);
 
         List<String> aud = new ArrayList<String>();
-        if (servicePrincipal != null) {
-            aud.add(servicePrincipal);
-        }
         aud.add(audience);
         authToken.setAudiences(aud);
 

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/0365e57c/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/TokenLoginTestBase.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/TokenLoginTestBase.java
b/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/TokenLoginTestBase.java
index 16ff65f..4fcc54d 100644
--- a/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/TokenLoginTestBase.java
+++ b/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/TokenLoginTestBase.java
@@ -20,11 +20,13 @@
 package org.apache.kerby.kerberos.kerb.integration.test;
 
 import org.apache.kerby.kerberos.kerb.KrbRuntime;
+import org.apache.kerby.kerberos.kerb.common.KrbUtil;
 import org.apache.kerby.kerberos.kerb.integration.test.jaas.TokenCache;
 import org.apache.kerby.kerberos.kerb.integration.test.jaas.TokenJaasKrbUtil;
 import org.apache.kerby.kerberos.kerb.provider.TokenEncoder;
 import org.apache.kerby.kerberos.kerb.server.KdcConfigKey;
 import org.apache.kerby.kerberos.kerb.server.LoginTestBase;
+import org.apache.kerby.kerberos.kerb.server.TestKdcServer;
 import org.apache.kerby.kerberos.kerb.spec.base.AuthToken;
 import org.apache.kerby.kerberos.kerb.spec.ticket.TgtTicket;
 import org.apache.kerby.kerberos.provider.token.JwtTokenProvider;
@@ -108,7 +110,7 @@ public class TokenLoginTestBase extends LoginTestBase {
         authToken.addAttribute("role", ROLE);
 
         List<String> aud = new ArrayList<String>();
-        aud.add("krb5kdc-with-token-extension");
+        aud.add(KrbUtil.makeTgsPrincipal(TestKdcServer.KDC_REALM).getName());
         authToken.setAudiences(aud);
 
         // Set expiration in 60 minutes

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/0365e57c/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java
b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java
index a2c57d6..7316070 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java
@@ -99,19 +99,19 @@ public class TokenPreauth extends AbstractPreauthPlugin {
                 throw new KrbException("Token Decoding failed");
             }
 
+            List<String> audiences = authToken.getAudiences();
+            PrincipalName serverPrincipal = kdcRequest.getKdcReq().getReqBody().getSname();
+            serverPrincipal.setRealm(kdcRequest.getKdcReq().getReqBody().getRealm());
+            kdcRequest.setServerPrincipal(serverPrincipal);
+            if (!audiences.contains(serverPrincipal.getName())) {
+                throw new KrbException("Token audience not match with the target server principal!");
+            }
             if (kdcRequest instanceof AsRequest) {
                 AsRequest asRequest = (AsRequest) kdcRequest;
                 asRequest.setToken(authToken);
             } else if (kdcRequest instanceof TgsRequest) {
                 TgsRequest tgsRequest = (TgsRequest) kdcRequest;
                 tgsRequest.setToken(authToken);
-                List<String> audiences = authToken.getAudiences();
-                PrincipalName serverPrincipal = kdcRequest.getKdcReq().getReqBody().getSname();
-                serverPrincipal.setRealm(kdcRequest.getKdcReq().getReqBody().getRealm());
-                kdcRequest.setServerPrincipal(serverPrincipal);
-                if (!audiences.contains(serverPrincipal.getName())) {
-                    throw new KrbException("Token audience not match with the target server
principal!");
-                }
             }
             return true;
         } else {


Mime
View raw message