From cohei...@apache.org
Subject directory-kerby git commit: DIRKRB-627 - Kerby hangs when the service principal is not known
Date Wed, 03 May 2017 16:50:33 GMT
Repository: directory-kerby
Updated Branches:
  refs/heads/trunk 00a1a16a2 -> 309e79279


DIRKRB-627 - Kerby hangs when the service principal is not known


Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/309e7927
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/309e7927
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/309e7927

Branch: refs/heads/trunk
Commit: 309e7927921602740ec18f23e30cbea47839920e
Parents: 00a1a16
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Wed May 3 17:50:20 2017 +0100
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Wed May 3 17:50:20 2017 +0100

----------------------------------------------------------------------
 .../client/impl/DefaultInternalKrbClient.java   |  5 +-
 .../kerb/server/BadCredentialsTest.java         | 65 ++++++++++++++++++++
 .../kerb/server/request/KdcRequest.java         |  5 ++
 3 files changed, 74 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/309e7927/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/impl/DefaultInternalKrbClient.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/impl/DefaultInternalKrbClient.java
b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/impl/DefaultInternalKrbClient.java
index 2c83e2f..d7a9f1d 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/impl/DefaultInternalKrbClient.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/impl/DefaultInternalKrbClient.java
@@ -14,7 +14,7 @@
  *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  *  KIND, either express or implied.  See the License for the
  *  specific language governing permissions and limitations
- *  under the License. 
+ *  under the License.
  *
  */
 package org.apache.kerby.kerberos.kerb.client.impl;
@@ -87,6 +87,9 @@ public class DefaultInternalKrbClient extends AbstractInternalKrbClient
{
                 }
             }
             if (!ok) {
+                if (first instanceof KrbException) {
+                    throw (KrbException) first;
+                }
                 throw new KrbException("Failed to create transport", first);
             }
         } finally {
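Review bot: The new `instanceof` branch inside `if (!ok)` carries no comment saying why a `KrbException` bypasses the "Failed to create transport" wrapper, so a later cleanup could easily fold it back in. A line such as `// Rethrow as-is so callers still see the KDC's KrbErrorCode` above the check would record the intent; the added BadCredentialsTest reads `ex.getKrbErrorCode()`, which suggests the wrapper would hide that code. Only `first` is inspected, so a Kerberos error raised by a later attempt is presumably still wrapped. The loop that assigns `first` lies outside the hunk, so confirm that is intended.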

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/309e7927/kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/BadCredentialsTest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/BadCredentialsTest.java
b/kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/BadCredentialsTest.java
new file mode 100644
index 0000000..e741f4c
--- /dev/null
+++ b/kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/BadCredentialsTest.java
@@ -0,0 +1,65 @@
+/**
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.server;
+
+import org.apache.kerby.kerberos.kerb.KrbErrorCode;
+import org.apache.kerby.kerberos.kerb.KrbException;
+import org.apache.kerby.kerberos.kerb.type.ticket.TgtTicket;
+import org.junit.Assert;
+import org.junit.Test;
+
+/**
+ * Send some unknown principals, bad passwords etc. to the KDC to check that it is handled
correctly.
+ */
+public class BadCredentialsTest extends KdcTestBase {
+
+    @Test
+    public void testUnknownClientPrincipal() {
+        String principal = "unknown@" + TestKdcServer.KDC_REALM;
+        try {
+            getKrbClient().requestTgt(principal, getClientPassword());
+        } catch (KrbException ex) {
+            Assert.assertEquals(KrbErrorCode.KDC_ERR_C_PRINCIPAL_UNKNOWN, ex.getKrbErrorCode());
+        }
+    }
+
+    @Test
+    public void testUnknownClientPassword() {
+        try {
+            getKrbClient().requestTgt(getClientPrincipal(), "badpass");
+        } catch (KrbException ex) {
+            Assert.assertEquals(KrbErrorCode.KRB_AP_ERR_BAD_INTEGRITY, ex.getKrbErrorCode());
+        }
+    }
+
+    @Test
+    public void testUnknownServicePrincipal() {
+        try {
+            TgtTicket tgtTicket =
+                getKrbClient().requestTgt(getClientPrincipal(), getClientPassword());
+
+            String serverPrincipal = "unknown/" + getHostname() + "@" + TestKdcServer.KDC_REALM;
+            getKrbClient().requestSgt(tgtTicket, serverPrincipal);
+        } catch (KrbException ex) {
+            Assert.assertEquals(KrbErrorCode.KDC_ERR_S_PRINCIPAL_UNKNOWN, ex.getKrbErrorCode());
+        }
+    }
+
+}
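Review bot: All three tests pass when no exception is thrown at all, because nothing follows the request call inside each `try`. A KDC that issued a ticket for an unknown principal or a wrong password would therefore go unnoticed by this suite. Add an explicit failure directly after the call that is expected to throw, e.g. `Assert.fail("Expected KrbException for unknown client principal");` after `requestTgt(principal, getClientPassword())`, and the equivalent after `requestTgt(getClientPrincipal(), "badpass")` and after `requestSgt(tgtTicket, serverPrincipal)`. `Assert.fail` throws an `AssertionError`, which the `catch (KrbException ex)` blocks do not swallow.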

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/309e7927/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
index 24a5579..8f04443 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
@@ -648,6 +648,11 @@ public abstract class KdcRequest {
         principal.setRealm(serverRealm);
 
         KrbIdentity serverEntry = getEntry(principal.getName());
+        if (serverEntry == null) {
+            LOG.error("Principal: " + principal.getName() + " is not known");
+            throw new KrbException(KrbErrorCode.KDC_ERR_S_PRINCIPAL_UNKNOWN);
+        }
+
         setServerEntry(serverEntry);
         for (EncryptionType encType : request.getReqBody().getEtypes()) {
             if (serverEntry.getKeys().containsKey(encType)) {
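Review bot: The added `LOG.error` concatenates `principal.getName()` into the message, and that name appears to come from the client's request. A requester can therefore put arbitrary text, including line breaks, into the KDC log, and can generate error-level entries at will by asking for services that do not exist. Consider a lower level and a parameterized call, e.g. `LOG.warn("Server principal {} is not known", principal.getName());` (assuming `LOG` is an SLF4J logger; its declaration is not in the hunk), with CR/LF and other control characters neutralised before the value is logged. The enclosing method starts and ends outside the hunk.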

