directory-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject directory-kerby git commit: Make it possible to get a SGT using an AuthToken and a TGT
Date Fri, 04 Aug 2017 10:28:26 GMT
Repository: directory-kerby
Updated Branches:
  refs/heads/1.0.x-fixes f9261f919 -> 0d92a5eed


Make it possible to get a SGT using an AuthToken and a TGT


Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/0d92a5ee
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/0d92a5ee
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/0d92a5ee

Branch: refs/heads/1.0.x-fixes
Commit: 0d92a5eede78a5e4f5ca68d19ee0b30026814462
Parents: f9261f9
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Fri Aug 4 09:47:48 2017 +0100
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Fri Aug 4 11:24:19 2017 +0100

----------------------------------------------------------------------
 .../kerb/integration/test/JWTTokenTest.java     | 52 ++++++++++++++++++++
 .../kerberos/kerb/client/KrbTokenClient.java    | 21 ++++++--
 2 files changed, 69 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/0d92a5ee/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/JWTTokenTest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/JWTTokenTest.java
b/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/JWTTokenTest.java
index aeb0ced..792e23a 100644
--- a/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/JWTTokenTest.java
+++ b/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/JWTTokenTest.java
@@ -265,6 +265,58 @@ public class JWTTokenTest extends TokenLoginTestBase {
         cCacheFile.delete();
     }
 
+    // Use the TGT here instead of an armor cache
+    @org.junit.Test
+    public void accessTokenUsingTicket() throws Exception {
+
+        KrbClient client = getKrbClient();
+
+        // Get a TGT
+        TgtTicket tgt = client.requestTgt(getClientPrincipal(), getClientPassword());
+        assertNotNull(tgt);
+
+        KrbTokenClient tokenClient = new KrbTokenClient(client);
+
+        tokenClient.setKdcHost(client.getSetting().getKdcHost());
+        tokenClient.setKdcTcpPort(client.getSetting().getKdcTcpPort());
+
+        tokenClient.setKdcRealm(client.getSetting().getKdcRealm());
+        tokenClient.init();
+
+        // Create a JWT token
+        AuthToken authToken = issueToken(getClientPrincipal());
+        authToken.isAcToken(true);
+        authToken.isIdToken(false);
+        authToken.setAudiences(Collections.singletonList(getServerPrincipal()));
+        KrbToken krbToken = new KrbToken(authToken, TokenFormat.JWT);
+
+        InputStream is = Files.newInputStream(getSignKeyFile().toPath());
+        PrivateKey signKey = PrivateKeyReader.loadPrivateKey(is);
+        krbToken.setTokenValue(signToken(authToken, signKey));
+
+        // Now get a SGT using the JWT
+        SgtTicket tkt = tokenClient.requestSgt(krbToken, getServerPrincipal(), tgt);
+        assertTrue(tkt != null);
+
+        // Decrypt the ticket
+        Ticket ticket = tkt.getTicket();
+        EncryptionKey key = EncryptionHandler.string2Key(getServerPrincipal(), getServerPassword(),
+                                                         ticket.getEncryptedEncPart().getEType());
+
+        EncTicketPart encPart =
+            EncryptionUtil.unseal(ticket.getEncryptedEncPart(),
+                                  key, KeyUsage.KDC_REP_TICKET, EncTicketPart.class);
+
+        // Examine the authorization data
+        AuthorizationData authzData = encPart.getAuthorizationData();
+        assertEquals(1, authzData.getElements().size());
+        AuthorizationDataEntry dataEntry = authzData.getElements().iterator().next();
+        AdToken token = dataEntry.getAuthzDataAs(AdToken.class);
+        KrbToken decodedKrbToken = token.getToken();
+        assertEquals(getClientPrincipal(), decodedKrbToken.getSubject());
+        assertEquals(getServerPrincipal(), decodedKrbToken.getAudiences().get(0));
+    }
+
     @org.junit.Test
     public void identityToken() throws Exception {
 

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/0d92a5ee/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbTokenClient.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbTokenClient.java
b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbTokenClient.java
index b71d61e..eedc016 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbTokenClient.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbTokenClient.java
@@ -6,16 +6,16 @@
  *  to you under the Apache License, Version 2.0 (the
  *  "License"); you may not use this file except in compliance
  *  with the License.  You may obtain a copy of the License at
- *  
+ *
  *    http://www.apache.org/licenses/LICENSE-2.0
- *  
+ *
  *  Unless required by applicable law or agreed to in writing,
  *  software distributed under the License is distributed on an
  *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  *  KIND, either express or implied.  See the License for the
  *  specific language governing permissions and limitations
- *  under the License. 
- *  
+ *  under the License.
+ *
  */
 package org.apache.kerby.kerberos.kerb.client;
 
@@ -122,4 +122,17 @@ public class KrbTokenClient extends KrbClientBase {
 
         return requestSgt(requestOptions);
     }
+
+    public SgtTicket requestSgt(AuthToken token, String serverPrincipal, TgtTicket tgt) throws
KrbException {
+        if (!token.isAcToken()) {
+            throw new IllegalArgumentException("Access token is expected");
+        }
+
+        KOptions requestOptions = new KOptions();
+        requestOptions.add(TokenOption.USER_AC_TOKEN, token);
+        requestOptions.add(KrbOption.TGT, tgt);
+        requestOptions.add(KrbOption.SERVER_PRINCIPAL, serverPrincipal);
+
+        return requestSgt(requestOptions);
+    }
 }


Mime
View raw message