8048030: Expectations should be consistent

Reviewed-by: valeriep, mullan, ahgross

src/share/classes/javax/security/auth/kerberos/KerberosPrincipal.java

@@ -112,18 +112,7 @@ public final class KerberosPrincipal
      * java.security.krb5.realm system property.
      */
     public KerberosPrincipal(String name) {
-
-        PrincipalName krb5Principal = null;
-
-        try {
-            // Appends the default realm if it is missing
-            krb5Principal = new PrincipalName(name, KRB_NT_PRINCIPAL);
-        } catch (KrbException e) {
-            throw new IllegalArgumentException(e.getMessage());
-        }
-        nameType = KRB_NT_PRINCIPAL;  // default name type
-        fullName = krb5Principal.toString();
-        realm = krb5Principal.getRealmString();
+        this(name, KRB_NT_PRINCIPAL);
     }
 
     /**
@@ -165,6 +154,20 @@ public final class KerberosPrincipal
             throw new IllegalArgumentException(e.getMessage());
         }
 
+        // A ServicePermission with a principal in the deduced realm and
+        // any action must be granted if no realm is provided by caller.
+        if (krb5Principal.isRealmDeduced() && !Realm.AUTODEDUCEREALM) {
+            SecurityManager sm = System.getSecurityManager();
+            if (sm != null) {
+                try {
+                    sm.checkPermission(new ServicePermission(
+                            "@" + krb5Principal.getRealmAsString(), "-"));
+                } catch (SecurityException se) {
+                    // Swallow the actual exception to hide info
+                    throw new SecurityException("Cannot read realm info");
+                }
+            }
+        }
         this.nameType = nameType;
         fullName = krb5Principal.toString();
         realm = krb5Principal.getRealmString();

src/share/classes/javax/security/auth/kerberos/ServicePermission.java

@@ -50,7 +50,7 @@ import java.io.IOException;
  * used within.
  * <p>
  * The service principal name is the canonical name of the
- * {@code KereberosPrincipal} supplying the service, that is
+ * {@code KerberosPrincipal} supplying the service, that is
  * the KerberosPrincipal represents a Kerberos service
  * principal. This name is treated in a case sensitive manner.
  * An asterisk may appear by itself, to signify any service principal.
@@ -145,6 +145,9 @@ public final class ServicePermission extends Permission
      * @param action the action string
      */
     public ServicePermission(String servicePrincipal, String action) {
+        // Note: servicePrincipal can be "@REALM" which means any principal in
+        // this realm implies it. action can be "-" which means any
+        // action implies it.
         super(servicePrincipal);
         init(servicePrincipal, getMask(action));
     }
@@ -188,7 +191,9 @@ public final class ServicePermission extends Permission
 
     boolean impliesIgnoreMask(ServicePermission p) {
         return ((this.getName().equals("*")) ||
-                this.getName().equals(p.getName()));
+                this.getName().equals(p.getName()) ||
+                (p.getName().startsWith("@") &&
+                        this.getName().endsWith(p.getName())));
     }
 
     /**
@@ -295,7 +300,10 @@ public final class ServicePermission extends Permission
     /**
      * Convert an action string to an integer actions mask.
      *
-     * @param action the action string
+     * Note: if action is "-", action will be NONE, which means any
+     * action implies it.
+     *
+     * @param action the action string.
      * @return the action mask
      */
     private static int getMask(String action) {
@@ -312,9 +320,11 @@ public final class ServicePermission extends Permission
 
         char[] a = action.toCharArray();
 
-        int i = a.length - 1;
-        if (i < 0)
+        if (a.length == 1 && a[0] == '-') {
             return mask;
+        }
+
+        int i = a.length - 1;
 
         while (i != -1) {
             char c;
@@ -475,6 +485,17 @@ final class KrbServicePermissionCollection extends PermissionCollection
 
         ServicePermission np = (ServicePermission) permission;
         int desired = np.getMask();
+
+        if (desired == 0) {
+            for (Permission p: perms) {
+                ServicePermission sp = (ServicePermission)p;
+                if (sp.impliesIgnoreMask(np)) {
+                    return true;
+                }
+            }
+            return false;
+        }
+
         int effective = 0;
         int needed = desired;
 

src/share/classes/sun/security/jgss/krb5/Krb5NameElement.java

@@ -28,7 +28,10 @@ package sun.security.jgss.krb5;
 import org.ietf.jgss.*;
 import sun.security.jgss.spi.*;
 import sun.security.krb5.PrincipalName;
+import sun.security.krb5.Realm;
 import sun.security.krb5.KrbException;
+
+import javax.security.auth.kerberos.ServicePermission;
 import java.io.UnsupportedEncodingException;
 import java.net.InetAddress;
 import java.net.UnknownHostException;
@@ -126,6 +129,18 @@ public class Krb5NameElement
             throw new GSSException(GSSException.BAD_NAME, -1, e.getMessage());
         }
 
+        if (principalName.isRealmDeduced() && !Realm.AUTODEDUCEREALM) {
+            SecurityManager sm = System.getSecurityManager();
+            if (sm != null) {
+                try {
+                    sm.checkPermission(new ServicePermission(
+                            "@" + principalName.getRealmAsString(), "-"));
+                } catch (SecurityException se) {
+                    // Do not chain the actual exception to hide info
+                    throw new GSSException(GSSException.FAILURE);
+                }
+            }
+        }
         return new Krb5NameElement(principalName, gssNameStr, gssNameType);
     }
 
@@ -198,7 +213,7 @@ public class Krb5NameElement
      * If either name denotes an anonymous principal, the call should
      * return false.
      *
-     * @param name to be compared with
+     * @param other to be compared with
      * @returns true if they both refer to the same entity, else false
      * @exception GSSException with major codes of BAD_NAMETYPE,
      *  BAD_NAME, FAILURE

src/share/classes/sun/security/jgss/wrapper/GSSNameElement.java

@@ -30,6 +30,7 @@ import java.security.Provider;
 import java.security.Security;
 import java.io.IOException;
 import java.io.UnsupportedEncodingException;
+import sun.security.krb5.Realm;
 import sun.security.jgss.GSSUtil;
 import sun.security.util.ObjectIdentifier;
 import sun.security.util.DerInputStream;
@@ -38,6 +39,8 @@ import sun.security.jgss.GSSUtil;
 import sun.security.jgss.GSSExceptionImpl;
 import sun.security.jgss.spi.GSSNameSpi;
 
+import javax.security.auth.kerberos.ServicePermission;
+
 /**
  * This class is essentially a wrapper class for the gss_name_t
  * structure of the native GSS library.
@@ -150,6 +153,26 @@ public class GSSNameElement implements GSSNameSpi {
         pName = cStub.importName(name, nameType);
         setPrintables();
 
+        SecurityManager sm = System.getSecurityManager();
+        if (sm != null && !Realm.AUTODEDUCEREALM) {
+            String krbName = getKrbName();
+            int atPos = krbName.lastIndexOf('@');
+            if (atPos != -1) {
+                String atRealm = krbName.substring(atPos);
+                if (nameType.equals(GSSUtil.NT_GSS_KRB5_PRINCIPAL)
+                        && new String(nameBytes).endsWith(atRealm)) {
+                    // Created from Kerberos name with realm, no need to check
+                } else {
+                    try {
+                        sm.checkPermission(new ServicePermission(atRealm, "-"));
+                    } catch (SecurityException se) {
+                        // Do not chain the actual exception to hide info
+                        throw new GSSException(GSSException.FAILURE);
+                    }
+                }
+            }
+        }
+
         SunNativeProvider.debug("Imported " + printableName + " w/ type " +
                                 printableType);
     }

src/share/classes/sun/security/krb5/KrbServiceLocator.java

@@ -25,6 +25,11 @@
 
 package sun.security.krb5;
 
+import sun.security.krb5.internal.Krb5;
+
+import java.security.AccessController;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
 import java.util.Arrays;
 import java.util.Hashtable;
 import java.util.Random;
@@ -52,6 +57,8 @@ class KrbServiceLocator {
 
     private static final Random random = new Random();
 
+    private static final boolean DEBUG = Krb5.DEBUG;
+
     private KrbServiceLocator() {
     }
 
@@ -62,8 +69,7 @@ class KrbServiceLocator {
      * Information on the mapping of DNS hostnames and domain names
      * to Kerberos realms is stored using DNS TXT records
      *
-     * @param domainName A string domain name.
-     * @param environment The possibly null environment of the context.
+     * @param realmName A string realm name.
      * @return An ordered list of hostports for the Kerberos service or null if
      *          the service has not been located.
      */
@@ -81,8 +87,18 @@ class KrbServiceLocator {
             if (!(ctx instanceof DirContext)) {
                 return null; // cannot create a DNS context
             }
-            Attributes attrs =
-                ((DirContext)ctx).getAttributes(dnsUrl, SRV_TXT_ATTR);
+            Attributes attrs = null;
+            try {
+                // both connect and accept are needed since DNS is thru UDP
+                attrs = AccessController.doPrivileged(
+                        (PrivilegedExceptionAction<Attributes>)
+                                () -> ((DirContext)ctx).getAttributes(
+                                        dnsUrl, SRV_TXT_ATTR),
+                        null,
+                        new java.net.SocketPermission("*", "connect,accept"));
+            } catch (PrivilegedActionException e) {
+                throw (NamingException)e.getCause();
+            }
             Attribute attr;
 
             if (attrs != null && ((attr = attrs.get(SRV_TXT)) != null)) {
@@ -124,7 +140,8 @@ class KrbServiceLocator {
      * Queries DNS for a list of KERBEROS Service Location Records (SRV) for a
      * given domain name.
      *
-     * @param domainName A string domain name.
+     * @param realmName A string realm name.
+     * @param protocol the protocol string, can be "_udp" or "_tcp"
      * @return An ordered list of hostports for the Kerberos service or null if
      *          the service has not been located.
      */
@@ -142,8 +159,20 @@ class KrbServiceLocator {
             if (!(ctx instanceof DirContext)) {
                 return null; // cannot create a DNS context
             }
-            Attributes attrs =
-                ((DirContext)ctx).getAttributes(dnsUrl, SRV_RR_ATTR);
+
+            Attributes attrs = null;
+            try {
+                // both connect and accept are needed since DNS is thru UDP
+                attrs = AccessController.doPrivileged(
+                        (PrivilegedExceptionAction<Attributes>)
+                                () -> ((DirContext)ctx).getAttributes(
+                                        dnsUrl, SRV_RR_ATTR),
+                        null,
+                        new java.net.SocketPermission("*", "connect,accept"));
+            } catch (PrivilegedActionException e) {
+                throw (NamingException)e.getCause();
+            }
+
             Attribute attr;
 
             if (attrs != null && ((attr = attrs.get(SRV_RR)) != null)) {

src/share/classes/sun/security/krb5/PrincipalName.java

@@ -123,6 +123,13 @@ public class PrincipalName implements Cloneable {
      */
     private final Realm nameRealm;      // not null
 
+
+    /**
+     * When constructing a PrincipalName, whether the realm is included in
+     * the input, or deduced from default realm or domain-realm mapping.
+     */
+    private final boolean realmDeduced;
+
     // cached default salt, not used in clone
     private transient String salt = null;
 
@@ -143,6 +150,7 @@ public class PrincipalName implements Cloneable {
         this.nameType = nameType;
         this.nameStrings = nameStrings.clone();
         this.nameRealm = nameRealm;
+        this.realmDeduced = false;
     }
 
     // This method is called by Windows NativeCred.c
@@ -150,11 +158,6 @@ public class PrincipalName implements Cloneable {
         this(KRB_NT_UNKNOWN, nameParts, new Realm(realm));
     }
 
-    public PrincipalName(String[] nameParts, int type)
-            throws IllegalArgumentException, RealmException {
-        this(type, nameParts, Realm.getDefault());
-    }
-
     // Validate a nameStrings argument
     private static void validateNameStrings(String[] ns) {
         if (ns == null) {
@@ -226,7 +229,7 @@ public class PrincipalName implements Cloneable {
      * <a href="http://www.ietf.org/rfc/rfc4120.txt">
      * http://www.ietf.org/rfc/rfc4120.txt</a>.
      *
-     * @param encoding a Der-encoded data.
+     * @param encoding DER-encoded PrincipalName (without Realm)
      * @param realm the realm for this name
      * @exception Asn1Exception if an error occurs while decoding
      * an ASN1 encoded data.
@@ -240,6 +243,7 @@ public class PrincipalName implements Cloneable {
         if (realm == null) {
             throw new IllegalArgumentException("Null realm not allowed");
         }
+        realmDeduced = false;
         nameRealm = realm;
         DerValue der;
         if (encoding == null) {
@@ -394,6 +398,10 @@ public class PrincipalName implements Cloneable {
         if (realm == null) {
             realm = Realm.parseRealmAtSeparator(name);
         }
+
+        // No realm info from parameter and string, must deduce later
+        realmDeduced = realm == null;
+
         switch (type) {
         case KRB_NT_SRV_HST:
             if (nameParts.length >= 2) {
@@ -413,8 +421,8 @@ public class PrincipalName implements Cloneable {
                                 hostName.toLowerCase(Locale.ENGLISH)+".")) {
                         hostName = canonicalized;
                     }
-                } catch (UnknownHostException e) {
-                    // no canonicalization, use old
+                } catch (UnknownHostException | SecurityException e) {
+                    // not canonicalized or no permission to do so, use old
                 }
                 nameParts[1] = hostName.toLowerCase(Locale.ENGLISH);
             }
@@ -680,4 +688,7 @@ public class PrincipalName implements Cloneable {
         return result;
     }
 
+    public boolean isRealmDeduced() {
+        return realmDeduced;
+    }
 }

src/share/classes/sun/security/krb5/Realm.java

@@ -47,6 +47,12 @@ import sun.security.krb5.internal.util.KerberosString;
  * This class is immutable.
  */
 public class Realm implements Cloneable {
+
+    public static final boolean AUTODEDUCEREALM =
+        java.security.AccessController.doPrivileged(
+                new sun.security.action.GetBooleanAction(
+                        "sun.security.krb5.autodeducerealm"));
+
     private final String realm; // not null nor empty
 
     public Realm(String name) throws RealmException {

src/share/classes/sun/security/krb5/internal/ccache/CCacheInputStream.java

@@ -146,8 +146,9 @@ public class CCacheInputStream extends KrbDataInputStream implements FileCCacheC
         }
         try {
             return new PrincipalName(
+                    type,
                     result.toArray(new String[result.size()]),
-                    type);
+                    Realm.getDefault());
         } catch (RealmException re) {
             return null;
         }

test/sun/security/krb5/auto/KDC.java

@@ -858,8 +858,9 @@ public class KDC {
 
         PrincipalName service = asReq.reqBody.sname;
         if (options.containsKey(KDC.Option.RESP_NT)) {
-            service = new PrincipalName(service.getNameStrings(),
-                    (int)options.get(KDC.Option.RESP_NT));
+            service = new PrincipalName((int)options.get(KDC.Option.RESP_NT),
+                    service.getNameStrings(),
+                    Realm.getDefault());
         }
         try {
             System.out.println(realm + "> " + asReq.reqBody.cname +

test/sun/security/krb5/auto/SSL.java

@@ -78,8 +78,11 @@ public class SSL extends SecurityManager {
             return;
         }
         ServicePermission p = (ServicePermission)perm;
+        // ServicePermissions required to create GSSName are ignored
+        if (!p.getActions().isEmpty()) {
             permChecks = permChecks + p.getActions().toUpperCase().charAt(0);
         }
+    }
 
     public static void main(String[] args) throws Exception {
 

test/sun/security/krb5/name/Constructors.java

@@ -40,22 +40,22 @@ public class Constructors {
 
         // Good ones
         type = PrincipalName.KRB_NT_UNKNOWN;
-        checkName("a", type, "R", "R", "a");
-        checkName("a@R2", type, "R", "R", "a");
-        checkName("a/b", type, "R", "R", "a", "b");
-        checkName("a/b@R2", type, "R", "R", "a", "b");
-        checkName("a/b/c", type, "R", "R", "a", "b", "c");
-        checkName("a/b/c@R2", type, "R", "R", "a", "b", "c");
+        checkName("a", type, "R", "R", false, "a");
+        checkName("a@R2", type, "R", "R", false, "a");
+        checkName("a/b", type, "R", "R", false, "a", "b");
+        checkName("a/b@R2", type, "R", "R", false, "a", "b");
+        checkName("a/b/c", type, "R", "R", false, "a", "b", "c");
+        checkName("a/b/c@R2", type, "R", "R", false, "a", "b", "c");
         // Weird ones
-        checkName("a\\/b", type, "R", "R", "a/b");
-        checkName("a\\/b\\/c", type, "R", "R", "a/b/c");
-        checkName("a\\/b\\@R2", type, "R", "R", "a/b@R2");
+        checkName("a\\/b", type, "R", "R", false, "a/b");
+        checkName("a\\/b\\/c", type, "R", "R", false, "a/b/c");
+        checkName("a\\/b\\@R2", type, "R", "R", false, "a/b@R2");
         // Bad ones
-        checkName("a", type, "", null);
-        checkName("a/", type, "R", null);
-        checkName("/a", type, "R", null);
-        checkName("a//b", type, "R", null);
-        checkName("a@", type, null, null);
+        checkName("a", type, "", null, false);
+        checkName("a/", type, "R", null, false);
+        checkName("/a", type, "R", null, false);
+        checkName("a//b", type, "R", null, false);
+        checkName("a@", type, null, null, false);
         type = PrincipalName.KRB_NT_SRV_HST;
 
         // Part 2: on realm choices
@@ -77,17 +77,17 @@ public class Constructors {
 
         if (testNoDefaultDomain) {
             type = PrincipalName.KRB_NT_UNKNOWN;
-            checkName("a", type, "R1", "R1", "a");      // arg
-            checkName("a@R1", type, null, "R1", "a");   // or r in name
-            checkName("a@R2", type, "R1", "R1", "a");   // arg over r
-            checkName("a", type, null, null);      // fail if none
-            checkName("a/b@R1", type, null, "R1", "a", "b");
+            checkName("a", type, "R1", "R1", false, "a");      // arg
+            checkName("a@R1", type, null, "R1", false, "a");   // or r in name
+            checkName("a@R2", type, "R1", "R1", false, "a");   // arg over r
+            checkName("a", type, null, null, false);      // fail if none
+            checkName("a/b@R1", type, null, "R1", false, "a", "b");
             type = PrincipalName.KRB_NT_SRV_HST;
             // Let's pray "b.h" won't be canonicalized
-            checkName("a/b.h", type, "R1", "R1", "a", "b.h");    // arg
-            checkName("a/b.h@R1", type, null, "R1", "a", "b.h"); // or r in name
-            checkName("a/b.h@R1", type, "R2", "R2", "a", "b.h"); // arg over r
-            checkName("a/b.h", type, null, null);    // fail if none
+            checkName("a/b.h", type, "R1", "R1", false, "a", "b.h");    // arg
+            checkName("a/b.h@R1", type, null, "R1", false, "a", "b.h"); // or r in name
+            checkName("a/b.h@R1", type, "R2", "R2", false, "a", "b.h"); // arg over r
+            checkName("a/b.h", type, null, null, false);    // fail if none
         }
 
         // When there is default realm
@@ -96,25 +96,25 @@ public class Constructors {
         Config.refresh();
 
         type = PrincipalName.KRB_NT_UNKNOWN;
-        checkName("a", type, "R1", "R1", "a");      // arg
-        checkName("a@R1", type, null, "R1", "a");   // or r in name
-        checkName("a@R2", type, "R1", "R1", "a");   // arg over r
-        checkName("a", type, null, "R", "a");       // default
-        checkName("a/b", type, null, "R", "a", "b");
+        checkName("a", type, "R1", "R1", false, "a");      // arg
+        checkName("a@R1", type, null, "R1", false, "a");   // or r in name
+        checkName("a@R2", type, "R1", "R1", false, "a");   // arg over r
+        checkName("a", type, null, "R", true, "a");       // default
+        checkName("a/b", type, null, "R", true, "a", "b");
         type = PrincipalName.KRB_NT_SRV_HST;
-        checkName("a/b.h3", type, "R1", "R1", "a", "b.h3");     // arg
-        checkName("a/b.h@R1", type, null, "R1", "a", "b.h");    // or r in name
-        checkName("a/b.h3@R2", type, "R1", "R1", "a", "b.h3");  // arg over r
-        checkName("a/b.h2", type, "R1", "R1", "a", "b.h2");     // arg over map
-        checkName("a/b.h2@R1", type, null, "R1", "a", "b.h2");  // r over map
-        checkName("a/b.h2", type, null, "R2", "a", "b.h2");     // map
-        checkName("a/b.h", type, null, "R", "a", "b.h");        // default
+        checkName("a/b.h3", type, "R1", "R1", false, "a", "b.h3");     // arg
+        checkName("a/b.h@R1", type, null, "R1", false, "a", "b.h");    // or r in name
+        checkName("a/b.h3@R2", type, "R1", "R1", false, "a", "b.h3");  // arg over r
+        checkName("a/b.h2", type, "R1", "R1", false, "a", "b.h2");     // arg over map
+        checkName("a/b.h2@R1", type, null, "R1", false, "a", "b.h2");  // r over map
+        checkName("a/b.h2", type, null, "R2", true, "a", "b.h2");     // map
+        checkName("a/b.h", type, null, "R", true, "a", "b.h");        // default
     }
 
     // Check if the creation matches the expected output.
     // Note: realm == null means creation failure
     static void checkName(String n, int t, String s,
-            String realm, String... parts)
+            String realm, boolean deduced, String... parts)
             throws Exception {
         PrincipalName pn = null;
         try {
@@ -131,5 +131,8 @@ public class Constructors {
             throw new Exception(pn.toString() + " vs "
                     + Arrays.toString(parts) + "@" + realm);
         }
+        if (deduced != pn.isRealmDeduced()) {
+            throw new Exception("pn.realmDeduced is " + pn.isRealmDeduced());
+        }
     }
 }