From: drankye@apache.org To: commits@directory.apache.org Date: Thu, 30 Jun 2016 08:54:07 -0000 Message-Id: <83eef82387944469aaebf782e2888d68@git.apache.org> In-Reply-To: <19c327db7623444a91b9a5859944fa8f@git.apache.org> References: <19c327db7623444a91b9a5859944fa8f@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: [20/44] directory-kerby git commit: DIRKRB-542. Kerby Authorization. Contributed by Gerard Gagliano archived-at: Thu, 30 Jun 2016 08:53:53 -0000 http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f751d390/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/CamMacVerifierMac.java ---------------------------------------------------------------------- diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/CamMacVerifierMac.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/CamMacVerifierMac.java new file mode 100644 index 0000000..2ee906d --- /dev/null +++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/CamMacVerifierMac.java 
@@ -0,0 +1,107 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.type.ad;
+
+import org.apache.kerby.asn1.Asn1FieldInfo;
+import org.apache.kerby.asn1.EnumType;
+import org.apache.kerby.asn1.ExplicitField;
+import org.apache.kerby.asn1.type.Asn1Integer;
+import org.apache.kerby.kerberos.kerb.type.KrbSequenceType;
+import org.apache.kerby.kerberos.kerb.type.base.CheckSum;
+import org.apache.kerby.kerberos.kerb.type.base.PrincipalName;
+
+/**
+ *
+ * Verifier-MAC ::= SEQUENCE { 
+ *      identifier [0]  PrincipalName OPTIONAL, 
+ *      kvno [1]        UInt32 OPTIONAL, 
+ *      enctype [2]     Int32 OPTIONAL, 
+ *      mac [3]         Checksum
+ * }
+ * 
+ *
+ * Contributed to the Apache Kerby Project by: Prodentity - Corrales, NM
+ *
+ * @author Apache DirectoryProject
+ */
+public class CamMacVerifierMac extends KrbSequenceType {
+
+ protected enum CamMacField implements EnumType {
+ CAMMAC_identifier, CAMMAC_kvno, CAMMAC_enctype, CAMMAC_mac;
+
+ @Override
+ public int getValue() {
+ return ordinal();
+ }
+
+ @Override
+ public String getName() {
+ return name();
+ }
+ }
+
+ /** The CamMac's fields */
+ private static Asn1FieldInfo[] fieldInfos = new Asn1FieldInfo[] {
+ new ExplicitField(CamMacField.CAMMAC_identifier, PrincipalName.class),
+ new ExplicitField(CamMacField.CAMMAC_kvno, Asn1Integer.class),
+ new ExplicitField(CamMacField.CAMMAC_enctype, Asn1Integer.class),
+ new ExplicitField(CamMacField.CAMMAC_mac, CheckSum.class)};
+
+ public CamMacVerifierMac() {
+ super(fieldInfos);
+ }
+
+ public CamMacVerifierMac(PrincipalName identifier) {
+ super(fieldInfos);
+ setFieldAs(CamMacField.CAMMAC_identifier, identifier);
+ }
+
+ public PrincipalName getIdentifier() {
+ return getFieldAs(CamMacField.CAMMAC_identifier, PrincipalName.class);
+ }
+
+ public void setIdentifier(PrincipalName identifier) {
+ setFieldAs(CamMacField.CAMMAC_identifier, identifier);
+ }
+
+ public int getKvno() {
+ return getFieldAs(CamMacField.CAMMAC_kvno, Asn1Integer.class).getValue().intValue();
+ }
+
+ public void setKvno(int kvno) {
+ setFieldAs(CamMacField.CAMMAC_kvno, new Asn1Integer(kvno));
+ }
+
+ public int getEnctype() {
+ return getFieldAs(CamMacField.CAMMAC_enctype, Asn1Integer.class).getValue().intValue();
+ }
+
+ public void setEnctype(int encType) {
+ setFieldAs(CamMacField.CAMMAC_enctype, new Asn1Integer(encType));
+ }
+
+ public CheckSum getMac() {
+ return getFieldAs(CamMacField.CAMMAC_mac, CheckSum.class);
+ }
+
+ public void setMac(CheckSum mac) {
+ setFieldAs(CamMacField.CAMMAC_mac, mac);
+ }
+}
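Review bot: `getKvno()` and `getEnctype()` dereference the result of `getFieldAs(...)` without a null check, yet the ASN.1 in the class Javadoc marks kvno [1] and enctype [2] OPTIONAL; if `getFieldAs` returns null for an absent field, as it appears to elsewhere in Kerby, decoding a Verifier-MAC that omits either field and then reading it throws NullPointerException from inside authorization-data handling. Returning a sentinel for an absent field (below, -1) keeps the `int` interface and lets callers fall back to the ticket's own kvno/enctype, consistent with `getIdentifier()` and `getMac()` returning null when unset. Note also that kvno is UInt32 while the getter returns `int`, so values at or above 2^31 wrap through `intValue()`. Separately, `fieldInfos` is a mutable `static` array shared by every instance; it should be `final`.
```java
    public int getKvno() {
        // kvno is OPTIONAL; -1 means "not present" so callers can fall back to the ticket's kvno
        Asn1Integer kvno = getFieldAs(CamMacField.CAMMAC_kvno, Asn1Integer.class);
        return kvno == null ? -1 : kvno.getValue().intValue();
    }

    // … unchanged: setKvno …

    public int getEnctype() {
        // enctype is OPTIONAL; -1 means "not present"
        Asn1Integer enctype = getFieldAs(CamMacField.CAMMAC_enctype, Asn1Integer.class);
        return enctype == null ? -1 : enctype.getValue().intValue();
    }
```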
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f751d390/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/PrincipalList.java ---------------------------------------------------------------------- diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/PrincipalList.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/PrincipalList.java new file mode 100644 index 0000000..667315a --- /dev/null +++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/PrincipalList.java 
@@ -0,0 +1,31 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.type.ad;
+
+import org.apache.kerby.kerberos.kerb.type.KrbSequenceOfType;
+import org.apache.kerby.kerberos.kerb.type.base.PrincipalName;
+
+/**
+ * Contributed to the Apache Kerby Project by: Prodentity - Corrales, NM
+ *
+ * @author Apache DirectoryProject
+ */
+public class PrincipalList extends KrbSequenceOfType {
+}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f751d390/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/base/KeyUsage.java ----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/base/KeyUsage.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/base/KeyUsage.java
index 44256cc..a47d81e 100644
--- a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/base/KeyUsage.java
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/base/KeyUsage.java
@@ -100,7 +100,8 @@ public enum KeyUsage implements EnumType { ENC_CHALLENGE_KDC(55), AS_REQ(56), //PA-TOKEN padata,encrypted with the client key - PA_TOKEN(57); + PA_TOKEN(57), + AD_CAMMAC_VERIFIER_MAC(64); //See RFC 7751 private int value; http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f751d390/kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/codec/ADTest.java ---------------------------------------------------------------------- diff --git a/kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/codec/ADTest.java b/kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/codec/ADTest.java new file mode 100644 index 0000000..21cb16f --- /dev/null +++ b/kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/codec/ADTest.java 
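Review bot: Only one CAMMAC key usage number is added, but RFC 7751 distinguishes the MAC over the kdc-verifier from the MACs in svc-verifier and other-verifiers and, if I recall the assignments correctly, gives them different key usage numbers (64 and 65); if Kerby is to compute or verify the service-side verifier as well, a second constant is needed. The comment should at least say which verifier 64 covers, e.g. `AD_CAMMAC_VERIFIER_MAC(64); // RFC 7751: kdc-verifier`, and the value should be checked against the key usage assignments in RFC 7751 before anything is MACed with it.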
@@ -0,0 +1,143 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + * + */ +package org.apache.kerby.kerberos.kerb.codec; + +import static org.junit.Assert.assertEquals; + +import java.io.IOException; + +import org.apache.kerby.asn1.type.Asn1Utf8String; +import org.apache.kerby.kerberos.kerb.KrbException; +import org.apache.kerby.kerberos.kerb.type.ad.ADAuthenticationIndicator; +import org.apache.kerby.kerberos.kerb.type.ad.AuthorizationData; +import org.apache.kerby.kerberos.kerb.type.ad.AuthorizationDataEntry; +import org.apache.kerby.kerberos.kerb.type.ad.AuthorizationDataWrapper; +import org.apache.kerby.kerberos.kerb.type.ad.AuthorizationDataWrapper.WrapperType; +import org.junit.Test; + +/** + * Test class for Authorization data codec. + * + * Contributed to the Apache Kerby Project by: Prodentity - Corrales, NM + * + * @author Apache DirectoryProject + */ +public class ADTest { + + private static final String FOO = "Foo"; + private static final String BAR = "Bar"; + + /** + * Test the Authorization Data codec. 
+ * + * @throws KrbException Exception + * @throws IOException Exception + */ + @Test + public void testADCodec() throws KrbException, IOException { + int i = -1; + + // Construct an AD_AUTHENTICATION_INDICATOR entry + ADAuthenticationIndicator indicators = new ADAuthenticationIndicator(); + indicators.add(new Asn1Utf8String(FOO)); + indicators.add(new Asn1Utf8String(BAR)); + + // Encode + System.out.println("\nIndicators prior to encoding:"); + for (Asn1Utf8String ind : indicators.getAuthIndicators()) { + System.out.println(ind.toString()); + } + byte[] enIndicators = indicators.encode(); + + // Decode get this out of asn1 tests + indicators.decode(enIndicators); + System.out.println("\nIndicators after decoding:"); + for (Asn1Utf8String ind : indicators.getAuthIndicators()) { + System.out.println(ind.toString()); + } + + // Create an AD_IF_RELEVENT container + AuthorizationData adirData = new AuthorizationData(); + adirData.add(indicators); + AuthorizationDataWrapper adirWrap = new AuthorizationDataWrapper(WrapperType.AD_IF_RELEVANT, adirData); + + // Encode + System.out.println("\nADE (IR) Wrapper prior to encoding:"); + for (AuthorizationDataEntry ade : adirWrap.getAuthorizationData().getElements()) { + ADAuthenticationIndicator ad = (ADAuthenticationIndicator) ade; + for (Asn1Utf8String ind : ad.getAuthIndicators()) { + System.out.println(ind.toString()); + } + } + byte[] enAdir = adirWrap.encode(); + + // Decode + adirWrap.decode(enAdir); + System.out.println("\nADE (IR) Wrapper after decoding:"); + for (AuthorizationDataEntry ade : adirWrap.getAuthorizationData().getElements()) { + ADAuthenticationIndicator ad = (ADAuthenticationIndicator) ade; + i = 0; + for (Asn1Utf8String ind : ad.getAuthIndicators()) { + System.out.println(ind.toString()); + if (i == 0) { + assertEquals(ind.getValue(), FOO); + } else { + assertEquals(ind.getValue(), BAR); + } + i++; + } + } + + // Create an AD_MANDATORY_FOR_KDC container + AuthorizationData admfkData = new 
AuthorizationData(); + admfkData.add(indicators); + AuthorizationDataWrapper admfkWrap = new AuthorizationDataWrapper(WrapperType.AD_MANDATORY_FOR_KDC, admfkData); + + // Encode + System.out.println("\nADE (MFK) Wrapper prior to encoding:"); + for (AuthorizationDataEntry ade : admfkWrap.getAuthorizationData().getElements()) { + ADAuthenticationIndicator ad = (ADAuthenticationIndicator) ade; + for (Asn1Utf8String ind : ad.getAuthIndicators()) { + System.out.println(ind.toString()); + } + } + byte[] enAdmfk = admfkWrap.encode(); + + // Decode + admfkWrap.decode(enAdmfk); + System.out.println("\nADE (MFK) Wrapper after decoding:"); + for (AuthorizationDataEntry ade : admfkWrap.getAuthorizationData().getElements()) { + ADAuthenticationIndicator ad = (ADAuthenticationIndicator) ade; + for (Asn1Utf8String ind : ad.getAuthIndicators()) { + System.out.println(ind.toString()); + } + i = 0; + for (Asn1Utf8String ind : ad.getAuthIndicators()) { + System.out.println(ind.toString()); + if (i == 0) { + assertEquals(ind.getValue(), FOO); + } else { + assertEquals(ind.getValue(), BAR); + } + i++; + } + } + } +} http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f751d390/kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/codec/PkinitAnonymousAsRepCodecTest.java ---------------------------------------------------------------------- diff --git a/kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/codec/PkinitAnonymousAsRepCodecTest.java b/kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/codec/PkinitAnonymousAsRepCodecTest.java index af24cb9..c2a46dc 100644 --- a/kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/codec/PkinitAnonymousAsRepCodecTest.java +++ b/kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/codec/PkinitAnonymousAsRepCodecTest.java 
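Review bot: The `assertEquals(ind.getValue(), FOO)` calls pass actual before expected, so a failure message shows the two values swapped; `assertEquals(FOO, ind.getValue())` is the JUnit order. In the AD_MANDATORY_FOR_KDC block the loop over `ad.getAuthIndicators()` after decoding is written twice, once only printing and once asserting, so the first copy can go, and the `System.out.println` tracing throughout adds build-log noise without checking anything. The test also exercises only ADAuthenticationIndicator: the `CamMacVerifierMac` type introduced by this commit gets no encode/decode round trip, which matters for a structure that will be decoded from ticket contents.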
@@ -117,7 +117,7 @@ public class PkinitAnonymousAsRepCodecTest { KdcDhKeyInfo kdcDhKeyInfo = new KdcDhKeyInfo(); kdcDhKeyInfo.decode(eContentInfo); assertThat(kdcDhKeyInfo.getSubjectPublicKey()).isNotNull(); - assertThat(kdcDhKeyInfo.getDHKeyExpiration()).isNotNull(); + assertThat(kdcDhKeyInfo.getDHKeyExpiration()).isNull(); assertThat(kdcDhKeyInfo.getNonce()).isNotNull(); } } http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f751d390/kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/codec/PkinitAnonymousAsReqCodecTest.java ---------------------------------------------------------------------- diff --git a/kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/codec/PkinitAnonymousAsReqCodecTest.java b/kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/codec/PkinitAnonymousAsReqCodecTest.java index 424a430..7138ca0 100644 --- a/kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/codec/PkinitAnonymousAsReqCodecTest.java +++ b/kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/codec/PkinitAnonymousAsReqCodecTest.java @@ -20,8 +20,10 @@ package org.apache.kerby.kerberos.kerb.codec; import org.apache.kerby.asn1.Asn1; +import org.apache.kerby.cms.type.DigestAlgorithmIdentifiers; import org.apache.kerby.cms.type.SignedContentInfo; import org.apache.kerby.cms.type.SignedData; +import org.apache.kerby.cms.type.SignerInfos; import org.apache.kerby.kerberos.kerb.KrbConstant; import org.apache.kerby.kerberos.kerb.type.base.EncryptionType; import org.apache.kerby.kerberos.kerb.type.base.KrbMessageType; @@ -45,7 +47,7 @@ import java.text.ParseException; import java.util.Arrays; import java.util.List; -import static org.assertj.core.api.Assertions.*; +import static org.assertj.core.api.Assertions.assertThat; public class PkinitAnonymousAsReqCodecTest { @Test 
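Review bot: Flipping `isNotNull()` to `isNull()` on `getDHKeyExpiration()` changes what the fixture is expected to contain without saying why; in a commit about authorization data this reads as adjusting the test to new decoder behaviour rather than as a deliberate expectation. A one-line comment would settle it, e.g. `// dhKeyExpiration is OPTIONAL and absent in this fixture`, and if the change is instead driven by an optional-field decoding fix elsewhere in the series, the comment should name it. The enclosing test method starts outside the hunk.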
@@ -114,15 +116,23 @@ public class PkinitAnonymousAsReqCodecTest { SignedContentInfo contentInfo = new SignedContentInfo(); Asn1.parseAndDump(paPkAsReq.getSignedAuthPack()); contentInfo.decode(paPkAsReq.getSignedAuthPack()); - assertThat(contentInfo.getContentType()).isEqualTo("1.2.840.113549.1.7.2"); + assertThat(contentInfo.getContentType()) .isEqualTo("1.2.840.113549.1.7.2"); Asn1.dump(contentInfo); SignedData signedData = contentInfo.getSignedData(); assertThat(signedData.getVersion()).isEqualTo(3); - assertThat(signedData.getDigestAlgorithms().getElements().isEmpty()).isTrue(); - assertThat(signedData.getCertificates().getElements().isEmpty()).isTrue(); - assertThat(signedData.getCrls().getElements().isEmpty()).isTrue(); - assertThat(signedData.getSignerInfos().getElements().isEmpty()).isTrue(); + DigestAlgorithmIdentifiers dais = signedData.getDigestAlgorithms(); + assertThat(dais).isNotNull(); + if (dais != null) { + assertThat(dais.getElements()).isEmpty(); + } + assertThat(signedData.getCertificates()).isNull(); + assertThat(signedData.getCrls()).isNull(); + SignerInfos signerInfos = signedData.getSignerInfos(); + assertThat(signerInfos).isNotNull(); + if (signerInfos != null) { + assertThat(signerInfos.getElements()).isEmpty(); + } assertThat(signedData.getEncapContentInfo().getContentType()) .isEqualTo("1.3.6.1.5.2.3.1"); http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f751d390/kerby-kerb/kerb-identity/src/main/java/org/apache/kerby/kerberos/kerb/identity/CacheableIdentityService.java ---------------------------------------------------------------------- diff --git a/kerby-kerb/kerb-identity/src/main/java/org/apache/kerby/kerberos/kerb/identity/CacheableIdentityService.java b/kerby-kerb/kerb-identity/src/main/java/org/apache/kerby/kerberos/kerb/identity/CacheableIdentityService.java index 0e8fe4b..41dc555 100644 --- a/kerby-kerb/kerb-identity/src/main/java/org/apache/kerby/kerberos/kerb/identity/CacheableIdentityService.java 
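Review bot: `if (dais != null)` and `if (signerInfos != null)` are dead after the preceding `assertThat(...).isNotNull()`, which throws when the value is null, so each guard can be dropped and `assertThat(dais.getElements()).isEmpty();` placed directly after the null assertion. The expectations for `getCertificates()` and `getCrls()` also move from empty-collection to `isNull()` with no explanation; a comment such as `// certificates and crls are OPTIONAL in SignedData and are omitted for anonymous PKINIT` would record the intent. The enclosing test method starts and ends outside the hunk.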
+++ b/kerby-kerb/kerb-identity/src/main/java/org/apache/kerby/kerberos/kerb/identity/CacheableIdentityService.java @@ -22,6 +22,8 @@ package org.apache.kerby.kerberos.kerb.identity; import org.apache.kerby.config.Config; import org.apache.kerby.config.Configured; import org.apache.kerby.kerberos.kerb.KrbException; +import org.apache.kerby.kerberos.kerb.type.ad.AuthorizationData; +import org.apache.kerby.kerberos.kerb.type.ticket.EncTicketPart; import java.util.LinkedHashMap; import java.util.Map; @@ -142,4 +144,15 @@ public class CacheableIdentityService underlying.deleteIdentity(principalName); } + + /** + * {@inheritDoc} + */ + @Override + public AuthorizationData getIdentityAuthorizationData(Object kdcRequest, + EncTicketPart encTicketPart) throws KrbException { + + return underlying.getIdentityAuthorizationData(kdcRequest, + encTicketPart); + } } http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f751d390/kerby-kerb/kerb-identity/src/main/java/org/apache/kerby/kerberos/kerb/identity/IdentityService.java ---------------------------------------------------------------------- diff --git a/kerby-kerb/kerb-identity/src/main/java/org/apache/kerby/kerberos/kerb/identity/IdentityService.java b/kerby-kerb/kerb-identity/src/main/java/org/apache/kerby/kerberos/kerb/identity/IdentityService.java index 2f0ca2e..e09aeec 100644 --- a/kerby-kerb/kerb-identity/src/main/java/org/apache/kerby/kerberos/kerb/identity/IdentityService.java +++ b/kerby-kerb/kerb-identity/src/main/java/org/apache/kerby/kerberos/kerb/identity/IdentityService.java @@ -20,6 +20,8 @@ package org.apache.kerby.kerberos.kerb.identity; import org.apache.kerby.kerberos.kerb.KrbException; +import org.apache.kerby.kerberos.kerb.type.ad.AuthorizationData; +import org.apache.kerby.kerberos.kerb.type.ticket.EncTicketPart; /** * Identity service for KDC backend to create, get and manage principal accounts. 
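Review bot: `getIdentityAuthorizationData` goes straight to `underlying` while, from the class name and the rest of the hunk, the other lookups in this class are presumably served from the cache, and `{@inheritDoc}` alone does not tell a reader that the bypass is deliberate. If the reason is that the result depends on the request rather than on the stored identity alone, say so above the `return`: `// Not cached: the result depends on the request, not only on the stored identity.` The rest of the class is outside the hunk.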
@@ -55,6 +57,16 @@ public interface IdentityService { KrbIdentity getIdentity(String principalName) throws KrbException; /** + * Get an identity's Authorization Data. + * @param kdcRequest The KdcRequest + * @param encTicketPart The EncTicketPart being built for the KrbIdentity + * @return The Authorization Data + * @throws KrbException e + */ + AuthorizationData getIdentityAuthorizationData(Object kdcRequest, + EncTicketPart encTicketPart) throws KrbException; + + /** * Add an identity, and return the newly created result. * @param identity The identity * @return identity http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f751d390/kerby-kerb/kerb-identity/src/main/java/org/apache/kerby/kerberos/kerb/identity/backend/AbstractIdentityBackend.java ---------------------------------------------------------------------- diff --git a/kerby-kerb/kerb-identity/src/main/java/org/apache/kerby/kerberos/kerb/identity/backend/AbstractIdentityBackend.java b/kerby-kerb/kerb-identity/src/main/java/org/apache/kerby/kerberos/kerb/identity/backend/AbstractIdentityBackend.java index 7c0e6b3..5349e43 100644 --- a/kerby-kerb/kerb-identity/src/main/java/org/apache/kerby/kerberos/kerb/identity/backend/AbstractIdentityBackend.java +++ b/kerby-kerb/kerb-identity/src/main/java/org/apache/kerby/kerberos/kerb/identity/backend/AbstractIdentityBackend.java @@ -23,6 +23,8 @@ import org.apache.kerby.config.Configured; import org.apache.kerby.kerberos.kerb.KrbException; import org.apache.kerby.kerberos.kerb.identity.BatchTrans; import org.apache.kerby.kerberos.kerb.identity.KrbIdentity; +import org.apache.kerby.kerberos.kerb.type.ad.AuthorizationData; +import org.apache.kerby.kerberos.kerb.type.ticket.EncTicketPart; import org.slf4j.Logger; import org.slf4j.LoggerFactory; 
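Review bot: The new method takes `Object kdcRequest` while its Javadoc says "The KdcRequest", so the type contract lives only in prose and every implementation has to cast; presumably the parameter is `Object` because kerb-identity cannot depend on kerb-server, where KdcRequest lives. The Javadoc should state the expected runtime type and who supplies it, and `@throws KrbException e` should say when it is thrown, e.g. `@param kdcRequest The KDC request being served (an org.apache.kerby.kerberos.kerb.server.request.KdcRequest at runtime)` and `@throws KrbException if the authorization data cannot be produced`. It should also say whether null is an acceptable return, since the TicketIssuer change in this commit treats null as "no authorization data".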
@@ -167,6 +169,38 @@ public abstract class AbstractIdentityBackend * {@inheritDoc} */ @Override + public AuthorizationData getIdentityAuthorizationData(Object kdcRequest, + EncTicketPart encTicketPart) throws KrbException { + if (kdcRequest == null) { + throw new IllegalArgumentException("Invalid identity"); + } + + logger.debug("getIdentityAuthorizationData called, krbIdentity = {}", + kdcRequest); + + AuthorizationData authData = doGetIdentityAuthorizationData(kdcRequest, + encTicketPart); + logger.debug("getIdentityAuthorizationData {}, authData = {}", + (authData != null ? "successful" : "failed"), authData); + + return authData; + } + + /** + * Get an identity's Authorization Data, invoked by getIdentityAuthorizationData. + * @param krbIdentity The KrbIdentity + * @param encTicketPart The EncTicketPart being built for the KrbIdentity + * @return The Authorization Data + * @throws KrbException e + */ + protected AuthorizationData doGetIdentityAuthorizationData( + Object kdcRequest, EncTicketPart encTicketPart) + throws KrbException { + return null; + } + + /** {@inheritDoc} */ + @Override public KrbIdentity addIdentity(KrbIdentity identity) throws KrbException { if (identity == null) { throw new IllegalArgumentException("null identity to add"); http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f751d390/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/PreauthHandler.java ---------------------------------------------------------------------- diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/PreauthHandler.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/PreauthHandler.java index 2844956..4f45026 100644 --- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/PreauthHandler.java +++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/PreauthHandler.java 
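Review bot: The null check in `getIdentityAuthorizationData` throws `"Invalid identity"` and the debug line logs `krbIdentity = {}`, but the argument is `kdcRequest`; the wording looks copied from `getIdentity`, as does `@param krbIdentity` on `doGetIdentityAuthorizationData`, which documents a parameter the method does not have. Suggested: `throw new IllegalArgumentException("null kdcRequest");`, `logger.debug("getIdentityAuthorizationData called, kdcRequest = {}", kdcRequest);` and `@param kdcRequest The KdcRequest`. Since the default `doGetIdentityAuthorizationData` returns null, every backend that does not override it logs "failed" for each ticket issued, which is misleading — "none" would be accurate. Logging the whole request object at debug also depends on what `KdcRequest.toString()` prints; confirm it does not include key material or the request's encrypted parts.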
@@ -131,18 +131,22 @@ public class PreauthHandler { } public static boolean isToken(PaData paData) { - for (PaDataEntry paEntry : paData.getElements()) { - if (paEntry.getPaDataType() == PaDataType.TOKEN_REQUEST) { - return true; + if (paData != null) { + for (PaDataEntry paEntry : paData.getElements()) { + if (paEntry.getPaDataType() == PaDataType.TOKEN_REQUEST) { + return true; + } } } return false; } public static boolean isPkinit(PaData paData) { - for (PaDataEntry paEntry : paData.getElements()) { - if (paEntry.getPaDataType() == PaDataType.PK_AS_REQ) { - return true; + if (paData != null) { + for (PaDataEntry paEntry : paData.getElements()) { + if (paEntry.getPaDataType() == PaDataType.PK_AS_REQ) { + return true; + } } } return false; http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f751d390/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java ---------------------------------------------------------------------- diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java index e374734..8d44d9f 100644 --- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java +++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java 
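Review bot: `isToken` and `isPkinit` now carry the same null guard and the same scan, differing only in the `PaDataType` compared, so a private helper keeps the null handling in one place and makes any third predicate a one-liner. Both methods are complete within the hunk.
```java
    public static boolean isToken(PaData paData) {
        return hasPaDataType(paData, PaDataType.TOKEN_REQUEST);
    }

    public static boolean isPkinit(PaData paData) {
        return hasPaDataType(paData, PaDataType.PK_AS_REQ);
    }

    /** True when paData is non-null and contains an entry of the given type. */
    private static boolean hasPaDataType(PaData paData, PaDataType type) {
        if (paData == null) {
            return false;
        }
        for (PaDataEntry paEntry : paData.getElements()) {
            if (paEntry.getPaDataType() == type) {
                return true;
            }
        }
        return false;
    }
```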
@@ -205,29 +205,31 @@ public abstract class KdcRequest { private void kdcFindFast() throws KrbException { PaData paData = getKdcReq().getPaData(); - for (PaDataEntry paEntry : paData.getElements()) { - if (paEntry.getPaDataType() == PaDataType.FX_FAST) { - LOG.info("Found fast padata and start to process it."); - KrbFastArmoredReq fastArmoredReq = KrbCodec.decode(paEntry.getPaDataValue(), - KrbFastArmoredReq.class); - KrbFastArmor fastArmor = fastArmoredReq.getArmor(); - armorApRequest(fastArmor); - - EncryptedData encryptedData = fastArmoredReq.getEncryptedFastReq(); - KrbFastReq fastReq = KrbCodec.decode( - EncryptionHandler.decrypt(encryptedData, getArmorKey(), KeyUsage.FAST_ENC), - KrbFastReq.class); - innerBodyout = KrbCodec.encode(fastReq.getKdcReqBody()); - - // TODO: get checksumed data in stream - CheckSum checkSum = fastArmoredReq.getReqChecksum(); - if (checkSum == null) { - LOG.warn("Checksum is empty."); - throw new KrbException(KrbErrorCode.KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED); + if (paData != null) { + for (PaDataEntry paEntry : paData.getElements()) { + if (paEntry.getPaDataType() == PaDataType.FX_FAST) { + LOG.info("Found fast padata and start to process it."); + KrbFastArmoredReq fastArmoredReq = KrbCodec.decode(paEntry.getPaDataValue(), + KrbFastArmoredReq.class); + KrbFastArmor fastArmor = fastArmoredReq.getArmor(); + armorApRequest(fastArmor); + + EncryptedData encryptedData = fastArmoredReq.getEncryptedFastReq(); + KrbFastReq fastReq = KrbCodec.decode( + EncryptionHandler.decrypt(encryptedData, getArmorKey(), KeyUsage.FAST_ENC), + KrbFastReq.class); + innerBodyout = KrbCodec.encode(fastReq.getKdcReqBody()); + + // TODO: get checksumed data in stream + CheckSum checkSum = fastArmoredReq.getReqChecksum(); + if (checkSum == null) { + LOG.warn("Checksum is empty."); + throw new KrbException(KrbErrorCode.KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED); + } + byte[] reqBody = KrbCodec.encode(getKdcReq().getReqBody()); + 
CheckSumHandler.verifyWithKey(checkSum, reqBody, + getArmorKey().getKeyData(), KeyUsage.FAST_REQ_CHKSUM); } - byte[] reqBody = KrbCodec.encode(getKdcReq().getReqBody()); - CheckSumHandler.verifyWithKey(checkSum, reqBody, - getArmorKey().getKeyData(), KeyUsage.FAST_REQ_CHKSUM); } } } http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f751d390/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TgsRequest.java ---------------------------------------------------------------------- diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TgsRequest.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TgsRequest.java index 21ff6fb..9d18057 100644 --- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TgsRequest.java +++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TgsRequest.java @@ -101,7 +101,7 @@ public class TgsRequest extends KdcRequest { * * @return The tgt ticket. */ - protected Ticket getTgtTicket() { + public Ticket getTgtTicket() { return tgtTicket; } http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f751d390/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TicketIssuer.java ---------------------------------------------------------------------- diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TicketIssuer.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TicketIssuer.java index a9bae5b..5df40d6 100644 --- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TicketIssuer.java +++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TicketIssuer.java 
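Review bot: Wrapping the whole of `kdcFindFast` in `if (paData != null)` pushes the FAST processing three levels deep; the same check as a guard clause, `if (paData == null) { return; }` before the loop, keeps the original indentation and turns the hunk into a two-line change. While the body is being re-indented, note that the loop does not stop after the first FX_FAST entry, so a request with two such entries runs `armorApRequest` and overwrites `innerBodyout` twice; that is pre-existing, but a `break` (or an explicit rejection of duplicates) after the checksum verification would make the handling deliberate.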
@@ -26,6 +26,7 @@ import org.apache.kerby.kerberos.kerb.crypto.EncryptionHandler; import org.apache.kerby.kerberos.kerb.server.KdcConfig; import org.apache.kerby.kerberos.kerb.server.KdcContext; import org.apache.kerby.kerberos.kerb.type.KerberosTime; +import org.apache.kerby.kerberos.kerb.type.ad.AuthorizationData; import org.apache.kerby.kerberos.kerb.type.base.EncryptedData; import org.apache.kerby.kerberos.kerb.type.base.EncryptionKey; import org.apache.kerby.kerberos.kerb.type.base.EncryptionType; @@ -204,9 +205,21 @@ public abstract class TicketIssuer { encTicketPart.setClientAddresses(hostAddresses); } + AuthorizationData authData = makeAuthorizationData(kdcRequest, + encTicketPart); + if (authData != null) { + encTicketPart.setAuthorizationData(authData); + } + return encTicketPart; } + protected AuthorizationData makeAuthorizationData(KdcRequest kdcRequest, + EncTicketPart encTicketPart) throws KrbException { + return getKdcContext().getIdentityService() + .getIdentityAuthorizationData(kdcRequest, encTicketPart); + } + protected KdcContext getKdcContext() { return kdcRequest.getKdcContext(); }
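Review bot: `encTicketPart.setAuthorizationData(authData)` replaces whatever authorization data the method set earlier; the beginning of the method is outside the hunk, so I cannot see whether the TGS path has already copied the TGT's authorization data or the request's enc-authorization-data into `encTicketPart`, but if it has, the backend's entries should be appended rather than replace it, otherwise restrictions already present in the ticket are dropped silently. Either merge the two or add a comment above the `if` stating that backend-provided data is authoritative. `makeAuthorizationData` also hands the whole `KdcRequest` to the identity service typed as `Object`, so backends receive KDC internals with no compile-time contract on what they may read.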