From plusplusjia...@apache.org
Subject directory-kerby git commit: DIRKRB-653 Implement kinit -c -S to get service ticket. Contributed by Frank Zeng.
Date Thu, 07 Sep 2017 02:13:31 GMT
Repository: directory-kerby
Updated Branches:
  refs/heads/trunk c90672d6d -> d37de32e4


DIRKRB-653 Implement kinit -c -S to get service ticket. Contributed by Frank Zeng.


Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/d37de32e
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/d37de32e
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/d37de32e

Branch: refs/heads/trunk
Commit: d37de32e442090709c9d78c85a53b30ac6b08117
Parents: c90672d
Author: plusplusjiajia <jiajia.li@intel.com>
Authored: Thu Sep 7 10:13:25 2017 +0800
Committer: plusplusjiajia <jiajia.li@intel.com>
Committed: Thu Sep 7 10:13:25 2017 +0800

----------------------------------------------------------------------
 .../kerberos/kerb/client/KrbClientBase.java     | 84 ++++++++++++--------
 .../kerberos/kerb/ccache/CredentialCache.java   |  5 ++
 .../kerby/kerberos/tool/kinit/KinitTool.java    | 53 ++++++++++--
 3 files changed, 105 insertions(+), 37 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/d37de32e/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbClientBase.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbClientBase.java
b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbClientBase.java
index d05fee2..cc05a25 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbClientBase.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbClientBase.java
@@ -215,13 +215,16 @@ public class KrbClientBase {
     /**
      * Request a service ticket
      * @param ccFile The credential cache file
+     * @param servicePrincipal The service principal
      * @return service ticket
      * @throws KrbException e
      */
-    public SgtTicket requestSgt(File ccFile) throws KrbException {
+    public SgtTicket requestSgt(File ccFile, String servicePrincipal) throws KrbException
{
         Credential credential = getCredentialFromFile(ccFile);
-        String servicePrincipal = credential.getServicePrincipal().getName();
         TgtTicket tgt = getTgtTicketFromCredential(credential);
+        if (servicePrincipal == null) {
+            servicePrincipal = credential.getServicePrincipal().getName();
+        }
 
         KOptions requestOptions = new KOptions();
         requestOptions.add(KrbKdcOption.RENEW);
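Review bot: Replacing `requestSgt(File)` with `requestSgt(File, String)` removes the single-argument overload, so every existing caller breaks at compile time even though the null branch reproduces the old behaviour exactly; a delegating overload, `public SgtTicket requestSgt(File ccFile) throws KrbException { return requestSgt(ccFile, null); }`, keeps the public API compatible. The Javadoc for the new parameter should state that null is accepted and falls back to the service principal stored in the cache, since that is the only place the contract is documented. Reassigning the parameter works but a separate local, e.g. `String target = servicePrincipal != null ? servicePrincipal : credential.getServicePrincipal().getName();`, reads more clearly. requestSgt continues past the end of this hunk.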
@@ -243,21 +246,7 @@ public class KrbClientBase {
                             File ccacheFile) throws KrbException {
         LOG.info("Storing the tgt to the credential cache file.");
         if (!ccacheFile.exists()) {
-            try {
-                if (!ccacheFile.createNewFile()) {
-                    throw new KrbException("Failed to create ccache file "
-                        + ccacheFile.getAbsolutePath());
-                }
-                // sets read-write permissions to owner only
-                ccacheFile.setReadable(false, false);
-                ccacheFile.setReadable(true, true);
-                if (!ccacheFile.setWritable(true, true)) {
-                    throw new KrbException("Cache file is not readable.");
-                }
-            } catch (IOException e) {
-                throw new KrbException("Failed to create ccache file "
-                    + ccacheFile.getAbsolutePath(), e);
-            }
+            createCacheFile(ccacheFile);
         }
         if (ccacheFile.exists() && ccacheFile.canWrite()) {
             CredentialCache cCache = new CredentialCache(tgtTicket);
@@ -281,32 +270,65 @@ public class KrbClientBase {
     public void storeTicket(SgtTicket sgtTicket, File ccacheFile) throws KrbException {
         LOG.info("Storing the sgt to the credential cache file.");
         if (!ccacheFile.exists()) {
+            createCacheFile(ccacheFile);
+        }
+        if (ccacheFile.exists() && ccacheFile.canWrite()) {
+            CredentialCache cCache = new CredentialCache();
             try {
-                if (!ccacheFile.createNewFile()) {
-                    throw new KrbException("Failed to create ccache file "
-                        + ccacheFile.getAbsolutePath());
-                }
-                // sets read-write permissions to owner only
-                ccacheFile.setReadable(false, false);
-                ccacheFile.setReadable(true, true);
-                if (!ccacheFile.setWritable(true, true)) {
-                    throw new KrbException("Cache file is not readable.");
-                }
+                cCache.load(ccacheFile);
+                cCache.addCredential(new Credential(sgtTicket, sgtTicket.getClientPrincipal()));
+                cCache.setPrimaryPrincipal(sgtTicket.getClientPrincipal());
+                cCache.store(ccacheFile);
             } catch (IOException e) {
-                throw new KrbException("Failed to create ccache file "
-                    + ccacheFile.getAbsolutePath(), e);
+                throw new KrbException("Failed to store sgt", e);
             }
+        } else {
+            throw new IllegalArgumentException("Invalid ccache file, "
+                    + "not exist or writable: " + ccacheFile.getAbsolutePath());
+        }
+    }
+
+    /**
+     * Store sgt into the specified credential cache file.
+     * @param sgtTicket The sgt ticket
+     * @param ccacheFile The credential cache file
+     * @throws KrbException e
+     */
+    public void renewTicket(SgtTicket sgtTicket, File ccacheFile) throws KrbException {
+        LOG.info("Renewing the ticket to the credential cache file.");
+        if (!ccacheFile.exists()) {
+            createCacheFile(ccacheFile);
         }
         if (ccacheFile.exists() && ccacheFile.canWrite()) {
             CredentialCache cCache = new CredentialCache(sgtTicket);
             try {
                 cCache.store(ccacheFile);
             } catch (IOException e) {
-                throw new KrbException("Failed to store tgt", e);
+                throw new KrbException("Failed to renew ticket", e);
             }
         } else {
             throw new IllegalArgumentException("Invalid ccache file, "
-                    + "not exist or writable: " + ccacheFile.getAbsolutePath());
+                + "not exist or writable: " + ccacheFile.getAbsolutePath());
+        }
+    }
+
+    /**
+     * Create the specified credential cache file.
+     */
+    private void createCacheFile(File ccacheFile) throws KrbException {
+        try {
+            if (!ccacheFile.createNewFile()) {
+                throw new KrbException("Failed to create ccache file "
+                    + ccacheFile.getAbsolutePath());
+            }
+            // sets read-write permissions to owner only
+            ccacheFile.setReadable(true, true);
+            if (!ccacheFile.setWritable(true, true)) {
+                throw new KrbException("Cache file is not readable.");
+            }
+        } catch (IOException e) {
+            throw new KrbException("Failed to create ccache file "
+                + ccacheFile.getAbsolutePath(), e);
         }
     }
 
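Review bot: `createCacheFile` drops the `setReadable(false, false)` call that both inlined copies it replaces had, so a cache file created under a permissive umask keeps its group/other read bits while the comment still claims owner-only permissions, and the session keys stored in the cache become readable by other local users. Restoring the clearing call and checking both results, `if (!ccacheFile.setReadable(false, false) || !ccacheFile.setReadable(true, true)) { throw new KrbException("Failed to restrict ccache file permissions."); }`, fixes it, and the message on the `setWritable` failure should say "not writable" rather than "not readable". In `storeTicket(SgtTicket, File)` the file may have just been created empty by `createCacheFile` and is then handed straight to `cCache.load`; whether `load` tolerates an empty file is not visible here and deserves either a guard or a comment. The Javadoc on `renewTicket` is a copy of `storeTicket`'s ("Store sgt into …") and should describe what it actually does: replace the whole cache with a single credential.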

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/d37de32e/kerby-kerb/kerb-util/src/main/java/org/apache/kerby/kerberos/kerb/ccache/CredentialCache.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-util/src/main/java/org/apache/kerby/kerberos/kerb/ccache/CredentialCache.java
b/kerby-kerb/kerb-util/src/main/java/org/apache/kerby/kerberos/kerb/ccache/CredentialCache.java
index f742649..828a0c5 100644
--- a/kerby-kerb/kerb-util/src/main/java/org/apache/kerby/kerberos/kerb/ccache/CredentialCache.java
+++ b/kerby-kerb/kerb-util/src/main/java/org/apache/kerby/kerberos/kerb/ccache/CredentialCache.java
@@ -157,6 +157,11 @@ public class CredentialCache implements KrbCredentialCache {
     @Override
     public void addCredential(Credential credential) {
         if (credential != null) {
+            for (Credential cred : this.credentials) {
+                if (cred.getServerName().getName().equals(credential.getServerName().getName()))
{
+                    return;
+                }
+            }
             this.credentials.add(credential);
         }
     }
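Review bot: The new loop makes `addCredential` silently drop any credential whose server name matches an existing entry, so a freshly obtained ticket for a service already in the cache never replaces the older, possibly expired, one; with `storeTicket(SgtTicket, File)` now doing load → add → store, re-running kinit -c -S for the same service becomes a no-op. If the intent is one entry per service, remove the matching entry with an `Iterator` and fall through to `this.credentials.add(credential)` instead of returning, and say so in the method's Javadoc. The comparison also dereferences `getServerName()` on both sides without a null check, so a credential without a server name would make this throw NullPointerException; whether that can happen is not visible here.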

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/d37de32e/kerby-tool/client-tool/src/main/java/org/apache/kerby/kerberos/tool/kinit/KinitTool.java
----------------------------------------------------------------------
diff --git a/kerby-tool/client-tool/src/main/java/org/apache/kerby/kerberos/tool/kinit/KinitTool.java
b/kerby-tool/client-tool/src/main/java/org/apache/kerby/kerberos/tool/kinit/KinitTool.java
index 8ad13a9..d359f0c 100644
--- a/kerby-tool/client-tool/src/main/java/org/apache/kerby/kerberos/tool/kinit/KinitTool.java
+++ b/kerby-tool/client-tool/src/main/java/org/apache/kerby/kerberos/tool/kinit/KinitTool.java
@@ -83,13 +83,25 @@ public class KinitTool {
             + "\t\t-X <attribute>[=<value>]\n"
             + "\n";
 
-
     private static void printUsage(String error) {
         System.err.println(error + "\n");
         System.err.println(USAGE);
         System.exit(-1);
     }
 
+    private static final String KVNO_USAGE = (OSUtil.isWindows()
+        ? "Usage: bin\\kinit.cmd" : "Usage: sh bin/kinit.sh")
+        + " <-conf conf_dir> <-c cachename> <-S service_name>\n\n"
+        + "\tDESCRIPTION:\n"
+        + "\t\tkinit obtains a service ticket for the specified principal and prints out
the key version number.\n"
+        + "\n";
+
+    private static void printKvnoUsage(String error) {
+        System.err.println(error + "\n");
+        System.err.println(KVNO_USAGE);
+        System.exit(-1);
+    }
+
     /**
      * Get password for the input principal from console
      */
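Review bot: `printKvnoUsage` duplicates `printUsage` line for line except for the text it prints; a single `printUsage(String error, String usage)` with the existing `printUsage(String)` delegating to it keeps one exit path for both. Declaring the `KVNO_USAGE` constant between two methods rather than next to `USAGE` also hides it from a reader looking in the constants block at the top of the class.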
@@ -135,13 +147,13 @@ public class KinitTool {
 
                 SgtTicket sgtTicket = null;
                 try {
-                    sgtTicket = krbClient.requestSgt(ccFile);
+                    sgtTicket = krbClient.requestSgt(ccFile, null);
                 } catch (KrbException e) {
                     System.err.println("kinit: " + e.getKrbErrorCode().getMessage());
                 }
 
                 try {
-                    krbClient.storeTicket(sgtTicket, ccFile);
+                    krbClient.renewTicket(sgtTicket, ccFile);
                 } catch (KrbException e) {
                     System.err.println("kinit: " + e.getKrbErrorCode().getMessage());
                 }
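Review bot: When `requestSgt` throws, the catch only prints and `sgtTicket` stays null, so the next statement calls `krbClient.renewTicket(null, ccFile)`; the existing `-S` block further down returns from its catch, and this one should too: `System.err.println("kinit: " + e.getKrbErrorCode().getMessage()); return;`. The catch also calls `e.getKrbErrorCode().getMessage()`, but the `KrbException` thrown from `renewTicket` in KrbClientBase is built from a message and cause only, so `getKrbErrorCode()` is presumably null there and the handler itself would throw; falling back to `e.getMessage()` when no error code is set covers both, and the same applies to the catch blocks in the next hunk. The enclosing method continues outside this hunk.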
@@ -151,6 +163,30 @@ public class KinitTool {
             return;
         }
 
+        if (ktOptions.contains(KinitOption.SERVICE) && ktOptions.contains(KinitOption.KRB5_CACHE))
{
+            String ccName = ktOptions.getStringOption(KinitOption.KRB5_CACHE);
+            File ccFile = new File(ccName);
+            if (ccFile.exists()) {
+                System.out.println("Use credential cache to request a service ticket.");
+                String servicePrincipal = ktOptions.getStringOption(KinitOption.SERVICE);
+                SgtTicket sgtTicket = null;
+                try {
+                    sgtTicket = krbClient.requestSgt(ccFile, servicePrincipal);
+                } catch (KrbException e) {
+                    System.err.println("kinit: " + e.getKrbErrorCode().getMessage());
+                }
+
+                try {
+                    krbClient.storeTicket(sgtTicket, ccFile);
+                } catch (KrbException e) {
+                    System.err.println("kinit: " + e.getKrbErrorCode().getMessage());
+                }
+
+                System.out.println(sgtTicket.getEncKdcRepPart().getSname().getName() + ":
knvo = "
+                    + sgtTicket.getTicket().getEncryptedEncPart().getKvno());
+                return;
+            }
+        }
 
         if (ktOptions.contains(KinitOption.ANONYMOUS)) {
             ktOptions.add(PkinitOption.USE_ANONYMOUS);
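Review bot: In the new `-c -S` branch a failed `requestSgt` leaves `sgtTicket` null and execution continues into `storeTicket(null, ccFile)` and then `sgtTicket.getEncKdcRepPart()`, so a KDC error surfaces as a NullPointerException instead of the printed message; add `return;` after each `System.err.println` in the two catch blocks, as the existing `-S` block later in this method already does. The output label is misspelt: `": knvo = "` should be `": kvno = "`, both here and in the identical print in the last-but-one hunk of this file. The old code printed `getTktvno()` while this reads `getEncryptedEncPart().getKvno()`; a one-line comment on why the encrypting key's version is the value wanted would spare the next reader the same question, and whether `getKvno()` can be absent on a ticket is not visible here. The enclosing method continues outside this hunk.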
@@ -189,7 +225,9 @@ public class KinitTool {
 
         System.out.println("Successfully requested and stored ticket in "
             + ccacheFile.getAbsolutePath());
+
         if (ktOptions.contains(KinitOption.SERVICE)) {
+            System.out.println("Use tgt to request a service ticket.");
             String servicePrincipal = ktOptions.getStringOption(KinitOption.SERVICE);
             SgtTicket sgtTicket;
             try {
@@ -198,8 +236,9 @@ public class KinitTool {
                 System.err.println("kinit: " + e.getKrbErrorCode().getMessage());
                 return;
             }
-            System.out.println("Successfully requested the service ticket for " + servicePrincipal
-            + "\nKey version: " + sgtTicket.getTicket().getTktvno());
+
+            System.out.println(sgtTicket.getEncKdcRepPart().getSname().getName() + ": knvo
= "
+                + sgtTicket.getTicket().getEncryptedEncPart().getKvno());
         }
     }
 
@@ -270,8 +309,10 @@ public class KinitTool {
         if (principal == null) {
             if (ktOptions.contains(KinitOption.ANONYMOUS)) {
                 principal = KrbConstant.ANONYMOUS_PRINCIPAL;
-            } else if (!ktOptions.contains(KinitOption.KRB5_CACHE)) {
+            } else if (!ktOptions.contains(KinitOption.SERVICE) && !ktOptions.contains(KinitOption.KRB5_CACHE))
{
                 printUsage("No principal is specified");
+            } else if (ktOptions.contains(KinitOption.SERVICE) && !ktOptions.contains(KinitOption.KRB5_CACHE))
{
+                printKvnoUsage("No credential cache file given.");
             }
         }
 
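Review bot: The new checks reject `-S` without `-c`, but `-c` naming a cache file that does not exist is still accepted: the `-c -S` branch added earlier in this file only runs when `ccFile.exists()`, otherwise execution falls through to the TGT path with a null principal. An explicit `else { printKvnoUsage("Credential cache file not found: " + ccName); }` on that `exists()` check, or a check here, would report the real problem to the user. The two `else if` conditions are also easier to read as a nested `if (!ktOptions.contains(KinitOption.KRB5_CACHE))` with the `SERVICE` test inside. The enclosing method continues outside this hunk.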

