From: plusplusjiajia@apache.org To: commits@directory.apache.org Message-Id: <68a8d46376764d5dab9e84559ae295b2@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: directory-kerby git commit: DIRKRB-653 Implement kinit -c -S to get service ticket. Contributed by Frank Zeng. Date: Thu, 7 Sep 2017 02:13:31 +0000 (UTC) archived-at: Thu, 07 Sep 2017 02:13:35 -0000 Repository: directory-kerby Updated Branches: refs/heads/trunk c90672d6d -> d37de32e4 DIRKRB-653 Implement kinit -c -S to get service ticket. Contributed by Frank Zeng. Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/d37de32e Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/d37de32e Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/d37de32e Branch: refs/heads/trunk Commit: d37de32e442090709c9d78c85a53b30ac6b08117 Parents: c90672d Author: plusplusjiajia Authored: Thu Sep 7 10:13:25 2017 +0800 Committer: plusplusjiajia Committed: Thu Sep 7 10:13:25 2017 +0800 ---------------------------------------------------------------------- .../kerberos/kerb/client/KrbClientBase.java | 84 ++++++++++++-------- .../kerberos/kerb/ccache/CredentialCache.java | 5 ++ .../kerby/kerberos/tool/kinit/KinitTool.java | 53 ++++++++++-- 3 files changed, 105 insertions(+), 37 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/d37de32e/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbClientBase.java ---------------------------------------------------------------------- diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbClientBase.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbClientBase.java index d05fee2..cc05a25 100644 
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbClientBase.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbClientBase.java
@@ -215,13 +215,16 @@ public class KrbClientBase {
 /**
 * Request a service ticket
 * @param ccFile The credential cache file
+ * @param servicePrincipal The service principal
 * @return service ticket
 * @throws KrbException e
 */
- public SgtTicket requestSgt(File ccFile) throws KrbException {
+ public SgtTicket requestSgt(File ccFile, String servicePrincipal) throws KrbException {
 Credential credential = getCredentialFromFile(ccFile);
- String servicePrincipal = credential.getServicePrincipal().getName();
 TgtTicket tgt = getTgtTicketFromCredential(credential);
+ if (servicePrincipal == null) {
+ servicePrincipal = credential.getServicePrincipal().getName();
+ }
 KOptions requestOptions = new KOptions();
 requestOptions.add(KrbKdcOption.RENEW);
@@ -243,21 +246,7 @@ public class KrbClientBase {
 File ccacheFile) throws KrbException {
 LOG.info("Storing the tgt to the credential cache file.");
 if (!ccacheFile.exists()) {
- try {
- if (!ccacheFile.createNewFile()) {
- throw new KrbException("Failed to create ccache file "
- + ccacheFile.getAbsolutePath());
- }
- // sets read-write permissions to owner only
- ccacheFile.setReadable(false, false);
- ccacheFile.setReadable(true, true);
- if (!ccacheFile.setWritable(true, true)) {
- throw new KrbException("Cache file is not readable.");
- }
- } catch (IOException e) {
- throw new KrbException("Failed to create ccache file "
- + ccacheFile.getAbsolutePath(), e);
- }
+ createCacheFile(ccacheFile);
 }
 if (ccacheFile.exists() && ccacheFile.canWrite()) {
 CredentialCache cCache = new CredentialCache(tgtTicket);
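Review bot: `requestOptions.add(KrbKdcOption.RENEW);` still runs unconditionally after the new `servicePrincipal == null` fallback, so a TGS-REQ for a caller-supplied service principal (the new `kinit -c -S` path) is sent with the RENEW KDC option as well; if that constant maps to the RFC 4120 RENEW kdc-option it only makes sense on the renewal path, where the service principal is the one already in the cache. Declare `requestOptions` before the null check and move the `add(KrbKdcOption.RENEW)` call inside the `if (servicePrincipal == null)` block, so a fresh service ticket request does not carry a renewal flag. The Javadoc should also spell out the null contract, e.g. `@param servicePrincipal The service principal, or null to renew the ticket already held in the cache`. The body of requestSgt continues past the end of this hunk.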
@@ -281,32 +270,65 @@ public class KrbClientBase {
 public void storeTicket(SgtTicket sgtTicket, File ccacheFile) throws KrbException {
 LOG.info("Storing the sgt to the credential cache file.");
 if (!ccacheFile.exists()) {
+ createCacheFile(ccacheFile);
+ }
+ if (ccacheFile.exists() && ccacheFile.canWrite()) {
+ CredentialCache cCache = new CredentialCache();
 try {
- if (!ccacheFile.createNewFile()) {
- throw new KrbException("Failed to create ccache file "
- + ccacheFile.getAbsolutePath());
- }
- // sets read-write permissions to owner only
- ccacheFile.setReadable(false, false);
- ccacheFile.setReadable(true, true);
- if (!ccacheFile.setWritable(true, true)) {
- throw new KrbException("Cache file is not readable.");
- }
+ cCache.load(ccacheFile);
+ cCache.addCredential(new Credential(sgtTicket, sgtTicket.getClientPrincipal()));
+ cCache.setPrimaryPrincipal(sgtTicket.getClientPrincipal());
+ cCache.store(ccacheFile);
 } catch (IOException e) {
- throw new KrbException("Failed to create ccache file "
- + ccacheFile.getAbsolutePath(), e);
+ throw new KrbException("Failed to store sgt", e);
 }
+ } else {
+ throw new IllegalArgumentException("Invalid ccache file, "
+ + "not exist or writable: " + ccacheFile.getAbsolutePath());
+ }
+ }
+
+ /**
+ * Store sgt into the specified credential cache file.
+ * @param sgtTicket The sgt ticket
+ * @param ccacheFile The credential cache file
+ * @throws KrbException e
+ */
+ public void renewTicket(SgtTicket sgtTicket, File ccacheFile) throws KrbException {
+ LOG.info("Renewing the ticket to the credential cache file.");
+ if (!ccacheFile.exists()) {
+ createCacheFile(ccacheFile);
 }
 if (ccacheFile.exists() && ccacheFile.canWrite()) {
 CredentialCache cCache = new CredentialCache(sgtTicket);
 try {
 cCache.store(ccacheFile);
 } catch (IOException e) {
- throw new KrbException("Failed to store tgt", e);
+ throw new KrbException("Failed to renew ticket", e);
 }
 } else {
 throw new IllegalArgumentException("Invalid ccache file, "
- + "not exist or writable: " + ccacheFile.getAbsolutePath());
+ + "not exist or writable: " + ccacheFile.getAbsolutePath());
+ }
+ }
+
+ /**
+ * Create the specified credential cache file.
+ */
+ private void createCacheFile(File ccacheFile) throws KrbException {
+ try {
+ if (!ccacheFile.createNewFile()) {
+ throw new KrbException("Failed to create ccache file "
+ + ccacheFile.getAbsolutePath());
+ }
+ // sets read-write permissions to owner only
+ ccacheFile.setReadable(true, true);
+ if (!ccacheFile.setWritable(true, true)) {
+ throw new KrbException("Cache file is not readable.");
+ }
+ } catch (IOException e) {
+ throw new KrbException("Failed to create ccache file "
+ + ccacheFile.getAbsolutePath(), e);
 }
 }
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/d37de32e/kerby-kerb/kerb-util/src/main/java/org/apache/kerby/kerberos/kerb/ccache/CredentialCache.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-util/src/main/java/org/apache/kerby/kerberos/kerb/ccache/CredentialCache.java b/kerby-kerb/kerb-util/src/main/java/org/apache/kerby/kerberos/kerb/ccache/CredentialCache.java
index f742649..828a0c5 100644
--- a/kerby-kerb/kerb-util/src/main/java/org/apache/kerby/kerberos/kerb/ccache/CredentialCache.java
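Review bot: The extracted `createCacheFile` drops the `ccacheFile.setReadable(false, false);` call both inlined copies had, and `setReadable(true, true)` / `setWritable(true, true)` only add the owner bits without clearing group/other, so under a permissive umask the credential cache (TGT plus service tickets) is now created readable by every local user; the `setReadable` return value is ignored and the `"Cache file is not readable."` message is raised when `setWritable` fails. Creating the file with mode 0600 in one step fixes the regression and also closes the window between `createNewFile()` and the chmod calls; on file systems without POSIX attributes (Kerby runs on Windows, per the `OSUtil.isWindows()` checks in KinitTool) the rewrite below falls back to the `java.io.File` setters, and it needs `java.nio.file.Files`, `java.nio.file.Path` and `java.nio.file.attribute.PosixFilePermissions` imported — the import block is outside this hunk. Separately, `renewTicket`'s Javadoc is copied from `storeTicket`; since the method builds a fresh `CredentialCache(sgtTicket)` and overwrites the file, it should read `Renew the ticket held in the specified credential cache file, replacing the cache contents.` rather than `Store sgt into the specified credential cache file.`.
```java
private void createCacheFile(File ccacheFile) throws KrbException {
    Path path = ccacheFile.toPath();
    try {
        if (path.getFileSystem().supportedFileAttributeViews().contains("posix")) {
            // Create with mode 0600 atomically: no window where the cache is group/world
            // readable, and the umask cannot widen it.
            Files.createFile(path, PosixFilePermissions.asFileAttribute(
                    PosixFilePermissions.fromString("rw-------")));
        } else {
            Files.createFile(path); // throws FileAlreadyExistsException instead of returning false
            // Best effort elsewhere: clear group/other first (Windows reports false for the
            // "false" setters, so only the owner grants are checked).
            ccacheFile.setReadable(false, false);
            ccacheFile.setWritable(false, false);
            if (!ccacheFile.setReadable(true, true) || !ccacheFile.setWritable(true, true)) {
                throw new KrbException("Failed to restrict permissions of ccache file "
                        + ccacheFile.getAbsolutePath());
            }
        }
    } catch (IOException e) {
        throw new KrbException("Failed to create ccache file "
                + ccacheFile.getAbsolutePath(), e);
    }
}
```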
+++ b/kerby-kerb/kerb-util/src/main/java/org/apache/kerby/kerberos/kerb/ccache/CredentialCache.java @@ -157,6 +157,11 @@ public class CredentialCache implements KrbCredentialCache { @Override public void addCredential(Credential credential) { if (credential != null) { + for (Credential cred : this.credentials) { + if (cred.getServerName().getName().equals(credential.getServerName().getName())) { + return; + } + } this.credentials.add(credential); } } http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/d37de32e/kerby-tool/client-tool/src/main/java/org/apache/kerby/kerberos/tool/kinit/KinitTool.java ---------------------------------------------------------------------- diff --git a/kerby-tool/client-tool/src/main/java/org/apache/kerby/kerberos/tool/kinit/KinitTool.java b/kerby-tool/client-tool/src/main/java/org/apache/kerby/kerberos/tool/kinit/KinitTool.java index 8ad13a9..d359f0c 100644 --- a/kerby-tool/client-tool/src/main/java/org/apache/kerby/kerberos/tool/kinit/KinitTool.java +++ b/kerby-tool/client-tool/src/main/java/org/apache/kerby/kerberos/tool/kinit/KinitTool.java @@ -83,13 +83,25 @@ public class KinitTool { + "\t\t-X [=]\n" + "\n"; - private static void printUsage(String error) { System.err.println(error + "\n"); System.err.println(USAGE); System.exit(-1); } + private static final String KVNO_USAGE = (OSUtil.isWindows() + ? "Usage: bin\\kinit.cmd" : "Usage: sh bin/kinit.sh") + + " <-conf conf_dir> <-c cachename> <-S service_name>\n\n" + + "\tDESCRIPTION:\n" + + "\t\tkinit obtains a service ticket for the specified principal and prints out the key version number.\n" + + "\n"; + + private static void printKvnoUsage(String error) { + System.err.println(error + "\n"); + System.err.println(KVNO_USAGE); + System.exit(-1); + } + /** * Get password for the input principal from console */ 
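Review bot: The new loop in `addCredential` silently discards `credential` whenever the cache already holds an entry with the same server name, so a second `kinit -c -S` for the same service keeps the stale (possibly expired) ticket while `storeTicket` reports success and kinit prints the kvno of a ticket that was never stored. Replace the matching entry instead of returning; assuming `credentials` is a `List` (this hunk only shows it used via `add`), the body becomes the version below. Both sides of the comparison dereference `getServerName()` without a null check; if Kerby permits a credential without a server name that needs guarding too, which I cannot tell from this hunk.
```java
@Override
public void addCredential(Credential credential) {
    if (credential != null) {
        String serverName = credential.getServerName().getName();
        // A fresh ticket for a service already in the cache replaces it rather than being dropped.
        for (int i = 0; i < this.credentials.size(); i++) {
            if (serverName.equals(this.credentials.get(i).getServerName().getName())) {
                this.credentials.set(i, credential);
                return;
            }
        }
        this.credentials.add(credential);
    }
}
```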
@@ -135,13 +147,13 @@ public class KinitTool {
 SgtTicket sgtTicket = null;
 try {
- sgtTicket = krbClient.requestSgt(ccFile);
+ sgtTicket = krbClient.requestSgt(ccFile, null);
 } catch (KrbException e) {
 System.err.println("kinit: " + e.getKrbErrorCode().getMessage());
 }
 try {
- krbClient.storeTicket(sgtTicket, ccFile);
+ krbClient.renewTicket(sgtTicket, ccFile);
 } catch (KrbException e) {
 System.err.println("kinit: " + e.getKrbErrorCode().getMessage());
 }
@@ -151,6 +163,30 @@ public class KinitTool {
 return;
 }
+ if (ktOptions.contains(KinitOption.SERVICE) && ktOptions.contains(KinitOption.KRB5_CACHE)) {
+ String ccName = ktOptions.getStringOption(KinitOption.KRB5_CACHE);
+ File ccFile = new File(ccName);
+ if (ccFile.exists()) {
+ System.out.println("Use credential cache to request a service ticket.");
+ String servicePrincipal = ktOptions.getStringOption(KinitOption.SERVICE);
+ SgtTicket sgtTicket = null;
+ try {
+ sgtTicket = krbClient.requestSgt(ccFile, servicePrincipal);
+ } catch (KrbException e) {
+ System.err.println("kinit: " + e.getKrbErrorCode().getMessage());
+ }
+
+ try {
+ krbClient.storeTicket(sgtTicket, ccFile);
+ } catch (KrbException e) {
+ System.err.println("kinit: " + e.getKrbErrorCode().getMessage());
+ }
+
+ System.out.println(sgtTicket.getEncKdcRepPart().getSname().getName() + ": knvo = "
+ + sgtTicket.getTicket().getEncryptedEncPart().getKvno());
+ return;
+ }
+ }
 if (ktOptions.contains(KinitOption.ANONYMOUS)) {
 ktOptions.add(PkinitOption.USE_ANONYMOUS);
@@ -189,7 +225,9 @@ public class KinitTool {
 System.out.println("Successfully requested and stored ticket in "
 + ccacheFile.getAbsolutePath());
+ if (ktOptions.contains(KinitOption.SERVICE)) {
+ System.out.println("Use tgt to request a service ticket.");
 String servicePrincipal = ktOptions.getStringOption(KinitOption.SERVICE);
 SgtTicket sgtTicket;
 try {
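Review bot: In the new `-c -S` branch the `catch (KrbException e)` after `requestSgt` only prints the error and falls through, so when the TGS request fails `sgtTicket` is still null, `storeTicket(sgtTicket, ccFile)` dereferences it (`sgtTicket.getClientPrincipal()` in KrbClientBase) and the final `System.out.println` dereferences it again — kinit dies with a NullPointerException instead of reporting the KDC error. Add `return;` after each of the two `System.err.println("kinit: " + e.getKrbErrorCode().getMessage());` calls in this branch, as the later `-S` path in this file already does (`return;` in its catch). When `ccFile` does not exist the branch is skipped with no message and control continues into the TGT path with no principal, which is hard to diagnose; an `else` with `printKvnoUsage("Credential cache file not found: " + ccFile.getAbsolutePath());` would be clearer. The output label `": knvo = "` should read `": kvno = "`. The enclosing method starts before this hunk and continues after it.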
@@ -198,8 +236,9 @@ public class KinitTool {
 System.err.println("kinit: " + e.getKrbErrorCode().getMessage());
 return;
 }
- System.out.println("Successfully requested the service ticket for " + servicePrincipal
- + "\nKey version: " + sgtTicket.getTicket().getTktvno());
+
+ System.out.println(sgtTicket.getEncKdcRepPart().getSname().getName() + ": knvo = "
+ + sgtTicket.getTicket().getEncryptedEncPart().getKvno());
 }
 }
@@ -270,8 +309,10 @@ public class KinitTool {
 if (principal == null) {
 if (ktOptions.contains(KinitOption.ANONYMOUS)) {
 principal = KrbConstant.ANONYMOUS_PRINCIPAL;
- } else if (!ktOptions.contains(KinitOption.KRB5_CACHE)) {
+ } else if (!ktOptions.contains(KinitOption.SERVICE) && !ktOptions.contains(KinitOption.KRB5_CACHE)) {
 printUsage("No principal is specified");
+ } else if (ktOptions.contains(KinitOption.SERVICE) && !ktOptions.contains(KinitOption.KRB5_CACHE)) {
+ printKvnoUsage("No credential cache file given.");
 }
 }
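Review bot: The new output line misspells the label: `": knvo = "` should be `": kvno = "`, and the same typo is repeated in the `-c -S` branch earlier in this file, so both should be fixed together (a shared constant or a small `printKvno(SgtTicket)` helper would keep them in step). Note that the kvno in EncryptedData is optional in RFC 4120; if Kerby models `getKvno()` as a nullable Integer this line prints `kvno = null` for tickets without one, which may be acceptable but is worth a comment such as `// kvno is optional in EncryptedData; null means the KDC did not supply one`. The enclosing method starts before this hunk.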