directory-commits mailing list archives

From plusplusjia...@apache.org
Subject [31/48] directory-kerby git commit: DIRKRB-429 Token issuer must be trusted as one of preconfigured issuers.
Date Wed, 04 Nov 2015 08:25:57 GMT
DIRKRB-429 Token issuer must be trusted as one of preconfigured issuers.


Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/d61b6ee9
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/d61b6ee9
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/d61b6ee9

Branch: refs/heads/pkinit-support
Commit: d61b6ee93d0f2a6e5ef257dd90d00efc1c9d2500
Parents: 0500943
Author: plusplus_jiajia <jiajia.li@intel.com>
Authored: Mon Oct 19 14:59:32 2015 +0800
Committer: plusplus_jiajia <jiajia.li@intel.com>
Committed: Mon Oct 19 14:59:32 2015 +0800

----------------------------------------------------------------------
 .../apache/kerby/kerberos/kdc/WithTokenKdcTestBase.java   |  1 +
 .../kerb/integration/test/TokenLoginTestBase.java         |  1 +
 .../org/apache/kerby/kerberos/kerb/server/KdcConfig.java  |  5 +++++
 .../apache/kerby/kerberos/kerb/server/KdcConfigKey.java   |  3 ++-
 .../kerberos/kerb/server/preauth/token/TokenPreauth.java  | 10 ++++++----
 5 files changed, 15 insertions(+), 5 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/d61b6ee9/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithTokenKdcTestBase.java
----------------------------------------------------------------------
diff --git a/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithTokenKdcTestBase.java
b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithTokenKdcTestBase.java
index 7dc24d3..9c0a8a2 100644
--- a/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithTokenKdcTestBase.java
+++ b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithTokenKdcTestBase.java
@@ -67,6 +67,7 @@ public class WithTokenKdcTestBase extends KdcTestBase {
         super.configKdcSeverAndClient();
         String verifyKeyPath = this.getClass().getResource("/").getPath();
         getKdcServer().getKdcConfig().setString(KdcConfigKey.VERIFY_KEY, verifyKeyPath);
+        getKdcServer().getKdcConfig().setString(KdcConfigKey.ISSUERS, ISSUER);
     }
 
     protected AuthToken getKrbToken() {

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/d61b6ee9/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/TokenLoginTestBase.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/TokenLoginTestBase.java
b/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/TokenLoginTestBase.java
index 3943ffe..16ff65f 100644
--- a/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/TokenLoginTestBase.java
+++ b/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/TokenLoginTestBase.java
@@ -66,6 +66,7 @@ public class TokenLoginTestBase extends LoginTestBase {
             isTokenPreauthAllowed());
         String verifyKeyFile = this.getClass().getResource("/").getPath();
         getKdcServer().getKdcConfig().setString(KdcConfigKey.VERIFY_KEY, verifyKeyFile);
+        getKdcServer().getKdcConfig().setString(KdcConfigKey.ISSUERS, "token-service");
     }
 
     protected Boolean isTokenPreauthAllowed() {
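Review bot: The issuer is written here as the literal `"token-service"`, while WithTokenKdcTestBase passes the `ISSUER` constant for the same setting; sharing one constant keeps the configured allow-list and the issuer placed in the test token from drifting apart. Both test changes only register the issuer that the tests already use, and the diffstat shows no other test file touched, so the new rejection path appears to have no coverage. A case that logs in with a token whose issuer is absent from `KdcConfigKey.ISSUERS` and expects a `KrbException` would pin the behaviour this commit is meant to enforce.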

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/d61b6ee9/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcConfig.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcConfig.java
b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcConfig.java
index e51b28d..dc2fc78 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcConfig.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcConfig.java
@@ -23,6 +23,7 @@ import org.apache.kerby.config.Conf;
 import org.apache.kerby.kerberos.kerb.common.KrbConfHelper;
 import org.apache.kerby.kerberos.kerb.spec.base.EncryptionType;
 
+import java.util.Arrays;
 import java.util.List;
 
 /**
@@ -165,4 +166,8 @@ public class KdcConfig extends Conf {
     public String getVerifyKeyConfig() {
         return KrbConfHelper.getStringUnderSection(this, KdcConfigKey.VERIFY_KEY);
     }
+
+    public List<String> getIssuers() {
+        return Arrays.asList(KrbConfHelper.getStringArrayUnderSection(this, KdcConfigKey.ISSUERS));
+    }
 }
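Review bot: `getIssuers()` passes the helper's result straight into `Arrays.asList`, and `ISSUERS` is declared with a `null` default, so if `getStringArrayUnderSection` returns null for an unset key (its body is not visible here) a KDC without the setting would throw a NullPointerException instead of cleanly rejecting the token. Failing closed with an empty list is safer: `String[] issuers = KrbConfHelper.getStringArrayUnderSection(this, KdcConfigKey.ISSUERS);` followed by `return issuers == null ? Collections.<String>emptyList() : Arrays.asList(issuers);`, which needs `java.util.Collections` imported. A Javadoc line stating that an unset or empty list means no token issuer is trusted would also help operators, since existing deployments need the new key once this commit lands.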

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/d61b6ee9/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcConfigKey.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcConfigKey.java
b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcConfigKey.java
index 1311b02..771c781 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcConfigKey.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcConfigKey.java
@@ -49,7 +49,8 @@ public enum KdcConfigKey implements SectionConfigKey {
     ENCRYPTION_TYPES("aes128-cts-hmac-sha1-96 des3-cbc-sha1-kd"),
     RESTRICT_ANONYMOUS_TO_TGT(false, "kdcdefaults"),
     KDC_MAX_DGRAM_REPLY_SIZE(4096, "kdcdefaults"),
-    VERIFY_KEY(null, "kdcdefaults");
+    VERIFY_KEY(null, "kdcdefaults"),
+    ISSUERS(null, "kdcdefaults");
 
     private Object defaultValue;
 

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/d61b6ee9/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java
b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java
index ef06006..e5154ad 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java
@@ -72,11 +72,14 @@ public class TokenPreauth extends AbstractPreauthPlugin {
                 KeyUsage.PA_TOKEN, PaTokenRequest.class);
 
             KrbToken token = paTokenRequest.getToken();
-
+            List<String> issuers = kdcRequest.getKdcContext().getConfig().getIssuers();
+            TokenInfo tokenInfo = paTokenRequest.getTokenInfo();
+            String issuer = tokenInfo.getTokenVendor();
+            if (!(issuers.contains(issuer))) {
+                throw new KrbException("Unconfigured issuer:" + issuer);
+            }
             TokenDecoder tokenDecoder = KrbRuntime.getTokenProvider().createTokenDecoder();
             if (tokenDecoder instanceof JwtTokenDecoder) {
-                TokenInfo tokenInfo = paTokenRequest.getTokenInfo();
-                String issuer = tokenInfo.getTokenVendor();
                 String verifyKeyPath = kdcRequest.getKdcContext().getConfig().getVerifyKeyConfig();
                 if (verifyKeyPath != null) {
                     File verifyKeyFile = getVerifyKeyFile(verifyKeyPath, issuer);
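Review bot: The trusted-issuer check compares `tokenInfo.getTokenVendor()`, a field carried in the PA-TOKEN request next to the token, and it runs before the token is decoded or its signature verified, so the decision does not appear to rest on the issuer claim inside the verified token. Unless code outside this hunk already does it, the decoded issuer should be checked after `decodeFromBytes` succeeds, for example `if (!issuers.contains(authToken.getIssuer())) { throw new KrbException("Token issuer is not trusted"); }`, and ideally required to equal the vendor string that selected the verify key. `paTokenRequest.getTokenInfo()` is now dereferenced for every decoder type without a null check, so a request lacking token info would surface as a NullPointerException rather than a `KrbException`. The exception message also concatenates the request-supplied issuer unescaped, which is worth sanitising if it reaches logs. The enclosing method starts and ends outside this hunk.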
@@ -94,7 +97,6 @@ public class TokenPreauth extends AbstractPreauthPlugin {
                     }
                 }
             }
-
             AuthToken authToken = null;
             try {
                 authToken = tokenDecoder.decodeFromBytes(token.getTokenValue());

