From plusplusjia...@apache.org
Subject [33/36] directory-kerby git commit: DIRKRB-529 Request a TGT with user token credential and tgt ticket.
Date Mon, 15 Feb 2016 02:42:57 GMT
DIRKRB-529 Request a TGT with user token credential and tgt ticket.


Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/8eb310de
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/8eb310de
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/8eb310de

Branch: refs/heads/kadmin-remote
Commit: 8eb310de783d7e5958cae8d5bd6ab6b239d9e67f
Parents: 426e114
Author: plusplusjiajia <jiajia.li@intel.com>
Authored: Fri Jan 29 16:29:56 2016 +0800
Committer: plusplusjiajia <jiajia.li@intel.com>
Committed: Fri Jan 29 16:29:56 2016 +0800

----------------------------------------------------------------------
 .../kdc/TokenWithAnonymousPkinitKdcTest.java    | 96 ++++++++++++++++++++
 .../kerby/kerberos/kerb/client/KrbOption.java   |  1 +
 .../kerberos/kerb/client/KrbTokenClient.java    | 20 +++-
 .../kerb/client/request/ArmoredRequest.java     | 26 ++++--
 4 files changed, 136 insertions(+), 7 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/8eb310de/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/TokenWithAnonymousPkinitKdcTest.java
----------------------------------------------------------------------
diff --git a/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/TokenWithAnonymousPkinitKdcTest.java
b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/TokenWithAnonymousPkinitKdcTest.java
new file mode 100644
index 0000000..68a024e
--- /dev/null
+++ b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/TokenWithAnonymousPkinitKdcTest.java
@@ -0,0 +1,96 @@
+/**
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kdc;
+
+import org.apache.kerby.kerberos.kerb.KrbConstant;
+import org.apache.kerby.kerberos.kerb.KrbException;
+import org.apache.kerby.kerberos.kerb.client.KrbConfigKey;
+import org.apache.kerby.kerberos.kerb.client.KrbTokenClient;
+import org.apache.kerby.kerberos.kerb.server.KdcConfigKey;
+import org.apache.kerby.kerberos.kerb.server.TestKdcServer;
+import org.apache.kerby.kerberos.kerb.type.ticket.SgtTicket;
+import org.apache.kerby.kerberos.kerb.type.ticket.TgtTicket;
+import org.junit.Assert;
+import org.junit.Test;
+
+public class TokenWithAnonymousPkinitKdcTest extends TokenKdcTestBase {
+
+    @Override
+    protected void configKdcSeverAndClient() {
+        super.configKdcSeverAndClient();
+
+        String pkinitIdentity = getClass().getResource("/kdccerttest.pem").getPath() + ","
+                + getClass().getResource("/kdckey.pem").getPath();
+        getKdcServer().getKdcConfig().setString(KdcConfigKey.PKINIT_IDENTITY, pkinitIdentity);
+
+        String pkinitAnchors = getClass().getResource("/cacerttest.pem").getPath();
+        getKrbClient().getKrbConfig().setString(KrbConfigKey.PKINIT_ANCHORS, pkinitAnchors);
+    }
+
+    @Override
+    protected void createPrincipals() throws KrbException {
+        super.createPrincipals();
+        //Anonymity support is not enabled by default.
+        //To enable it, you must create the principal WELLKNOWN/ANONYMOUS
+        getKdcServer().createPrincipal(KrbConstant.ANONYMOUS_PRINCIPAL);
+    }
+
+    @Test
+    public void testKdc() throws Exception {
+        prepareToken(getAudience("krbtgt"));
+        performTest();
+    }
+
+    private void performTest() throws Exception {
+
+        TgtTicket tgt;
+        KrbTokenClient tokenClient = getTokenClient();
+        try {
+            tgt = tokenClient.requestTgt(getKrbToken(),
+                    createAnonymousTgt());
+        } catch (KrbException e) {
+            if (e.getMessage().contains("timeout")) {
+                return;
+            }
+            throw e;
+        }
+        verifyTicket(tgt);
+
+        SgtTicket tkt = getKrbClient().requestSgt(tgt,
+                getServerPrincipal());
+        verifyTicket(tkt);
+    }
+
+    private String getAudience(String name) {
+        return name + "/" + TestKdcServer.KDC_REALM + "@" + TestKdcServer.KDC_REALM;
+    }
+
+    private TgtTicket createAnonymousTgt() {
+        TgtTicket tgt = null;
+
+        try {
+            tgt = getPkinitClient().requestTgt();
+        } catch (KrbException te) {
+            te.printStackTrace();
+            Assert.fail();
+        }
+        return tgt;
+    }
+}
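Review bot: `performTest` turns a KDC timeout into a silent pass: the catch block after `tokenClient.requestTgt(...)` returns when the message contains "timeout", so a KDC that never answers makes the test green, and `e.getMessage()` can be null, which would turn the check itself into a NullPointerException. If tolerating a timeout is intentional, make it visible as a skipped run rather than a pass, e.g. `Assume.assumeFalse("KDC timed out", e.getMessage() != null && e.getMessage().contains("timeout"));` (org.junit.Assume) before the rethrow; otherwise drop the catch and let the exception propagate. `createAnonymousTgt` could likewise drop the `printStackTrace()` + `Assert.fail()` pair and declare `throws KrbException`, which keeps the cause in the failure report instead of on stderr.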

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/8eb310de/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbOption.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbOption.java
b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbOption.java
index cf28700..f20c908 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbOption.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbOption.java
@@ -73,6 +73,7 @@ public enum KrbOption implements KOption {
         KOptionType.STR)),
     ARMOR_CACHE(new KOptionInfo("armor-cache", "armor credential cache",
         KOptionType.STR)),
+    TGT(new KOptionInfo("tgt", "tgt ticket", KOptionType.OBJ)),
     USE_TGT(new KOptionInfo("use-tgt", "use tgt to get service ticket",
         KOptionType.OBJ)),
     CONF_DIR(new KOptionInfo("-conf", "conf dir", KrbOptionGroup.KRB, KOptionType.DIR));
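Review bot: The new `TGT` entry's description `"tgt ticket"` says what the value is but not what it is for; since this commit's ArmoredRequest turns the value into the armor credential, a description such as `"tgt ticket used as the armor credential (alternative to armor-cache)"` would tell a reader how it relates to `ARMOR_CACHE`. The two options are also mutually exclusive in this commit's ArmoredRequest, with `armor-cache` taking precedence when both are set, which is worth stating in one of the two descriptions.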

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/8eb310de/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbTokenClient.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbTokenClient.java
b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbTokenClient.java
index 3582113..b71d61e 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbTokenClient.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbTokenClient.java
@@ -66,7 +66,7 @@ public class KrbTokenClient extends KrbClientBase {
     }
 
     /**
-     * Request a TGT with user token credential
+     * Request a TGT with user token credential and armor cache
      * @param token The auth token
      * @param armorCache The armor cache
      * @return TGT
@@ -84,6 +84,24 @@ public class KrbTokenClient extends KrbClientBase {
     }
 
     /**
+     * Request a TGT with user token credential and tgt
+     * @param token The auth token
+     * @param tgt The tgt ticket
+     * @return TGT
+     * @throws KrbException e
+     */
+    public TgtTicket requestTgt(AuthToken token, TgtTicket tgt) throws KrbException {
+        if (!token.isIdToken()) {
+            throw new IllegalArgumentException("Identity token is expected");
+        }
+
+        KOptions requestOptions = new KOptions();
+        requestOptions.add(TokenOption.USER_ID_TOKEN, token);
+        requestOptions.add(KrbOption.TGT, tgt);
+        return requestTgt(requestOptions);
+    }
+
+    /**
      * Request a service ticket using an Access Token.
      * @param token The auth token
      * @param serverPrincipal The server principal
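Review bot: `requestTgt(AuthToken, TgtTicket)` validates the token kind but not that `tgt` is non-null, and the value is passed on unchecked via `requestOptions.add(KrbOption.TGT, tgt)`; a null here would surface later inside the armored pre-auth path as an obscure error rather than at the call site. A guard mirroring the existing token check, `if (tgt == null) { throw new IllegalArgumentException("Armor tgt is required"); }` placed before the options are built, fails fast with a clear message. The Javadoc could also say what the ticket is used for — this commit's ArmoredRequest wraps it as the FAST armor credential — e.g. `@param tgt The tgt ticket used as the FAST armor credential`.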

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/8eb310de/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/ArmoredRequest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/ArmoredRequest.java
b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/ArmoredRequest.java
index a52d652..b70ef60 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/ArmoredRequest.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/ArmoredRequest.java
@@ -49,6 +49,7 @@ import org.apache.kerby.kerberos.kerb.type.kdc.KdcReq;
 import org.apache.kerby.kerberos.kerb.type.kdc.KdcReqBody;
 import org.apache.kerby.kerberos.kerb.type.pa.PaDataEntry;
 import org.apache.kerby.kerberos.kerb.type.pa.PaDataType;
+import org.apache.kerby.kerberos.kerb.type.ticket.TgtTicket;
 import org.apache.kerby.kerberos.kerb.type.ticket.Ticket;
 
 import java.io.File;
@@ -77,21 +78,34 @@ public class ArmoredRequest {
 
     protected void preauth() throws KrbException {
         KOptions preauthOptions = getPreauthOptions();
-        String ccache = preauthOptions.getStringOption(KrbOption.ARMOR_CACHE);
-        credential = getCredential(ccache);
-
+        getCredential(preauthOptions);
         armorCacheKey = getArmorCacheKey(credential);
+
         subKey = getSubKey(armorCacheKey.getKeyType());
         EncryptionKey armorKey = makeArmorKey(subKey, armorCacheKey);
         kdcRequest.getFastRequestState().setArmorKey(armorKey);
     }
 
+    private void getCredential(KOptions kOptions) throws KrbException {
+
+        if (kOptions.contains(KrbOption.ARMOR_CACHE)) {
+            String ccache = kOptions.getStringOption(KrbOption.ARMOR_CACHE);
+            credential = getCredentialFromFile(ccache);
+        } else if (kOptions.contains(KrbOption.TGT)) {
+            TgtTicket tgt = (TgtTicket) kOptions.getOptionValue(KrbOption.TGT);
+            credential = new Credential(tgt);
+        }
+    }
+
     public KOptions getPreauthOptions() {
         KOptions results = new KOptions();
 
         KOptions krbOptions = kdcRequest.getRequestOptions();
-        results.add(krbOptions.getOption(KrbOption.ARMOR_CACHE));
-
+        if (krbOptions.contains(KrbOption.ARMOR_CACHE)) {
+            results.add(krbOptions.getOption(KrbOption.ARMOR_CACHE));
+        } else if (krbOptions.contains(KrbOption.TGT)) {
+            results.add(krbOptions.getOption(KrbOption.TGT));
+        }
         return results;
     }
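Review bot: `getCredential(KOptions)` leaves `credential` null when neither `ARMOR_CACHE` nor `TGT` is present, and `preauth()` then hands that null to `getArmorCacheKey(credential)`, so a request without an armor source fails somewhere downstream instead of with a clear message; an `else` branch, `throw new KrbException("No armor credential: neither armor-cache nor tgt option was provided");`, makes the failure explicit at the point where it is detectable. The name also misleads for a method that returns nothing and assigns a field — `loadCredential` or `initCredential` would read better next to `getCredentialFromFile`, which does return a value. The cast `(TgtTicket) kOptions.getOptionValue(KrbOption.TGT)` throws ClassCastException if a caller stored anything else under the OBJ-typed option; an `instanceof` check before the cast, or at least a comment stating that `KrbOption.TGT` is expected to hold a `TgtTicket`, documents the contract. `getPreauthOptions` returns an empty option set in the same no-credential case, which is consistent with the above but deserves the same explicit failure.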
 
@@ -103,7 +117,7 @@ public class ArmoredRequest {
         return armorCacheKey;
     }
 
-    private Credential getCredential(String ccache) throws KrbException {
+    private Credential getCredentialFromFile(String ccache) throws KrbException {
         File ccacheFile = new File(ccache);
         CredentialCache cc = null;
         try {

