提交 f9b04d2e 编写于 作者: W weijun

7172701: KDC tests cleanup

Reviewed-by: xuelei
上级 e22bd11b
/* /*
* Copyright (c) 2008, 2011, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2008, 2012, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -67,10 +67,6 @@ import sun.security.util.DerValue; ...@@ -67,10 +67,6 @@ import sun.security.util.DerValue;
* <ul> * <ul>
* <li>test.kdc.save.ccache * <li>test.kdc.save.ccache
* </ul> * </ul>
* Support policies:
* <ul>
* <li>ok-as-delegate
* </ul>
* Issues and TODOs: * Issues and TODOs:
* <ol> * <ol>
* <li> Generates krb5.conf to be used on another machine, currently the kdc is * <li> Generates krb5.conf to be used on another machine, currently the kdc is
...@@ -178,6 +174,10 @@ public class KDC { ...@@ -178,6 +174,10 @@ public class KDC {
* Multiple ETYPE-INFO-ENTRY with same etype but different salt * Multiple ETYPE-INFO-ENTRY with same etype but different salt
*/ */
DUP_ETYPE, DUP_ETYPE,
/**
* What backend server can be delegated to
*/
OK_AS_DELEGATE,
}; };
static { static {
...@@ -232,7 +232,11 @@ public class KDC { ...@@ -232,7 +232,11 @@ public class KDC {
* @param obj the value * @param obj the value
*/ */
public void setOption(Option key, Object value) { public void setOption(Option key, Object value) {
options.put(key, value); if (value == null) {
options.remove(key);
} else {
options.put(key, value);
}
} }
/** /**
...@@ -579,53 +583,6 @@ public class KDC { ...@@ -579,53 +583,6 @@ public class KDC {
} }
} }
private Map<String,String> policies = new HashMap<>();
public void setPolicy(String rule, String value) {
if (value == null) {
policies.remove(rule);
} else {
policies.put(rule, value);
}
}
/**
* If the provided client/server pair matches a rule
*
* A system property named test.kdc.policy.RULE will be consulted.
* If it's unset, returns false. If its value is "", any pair is
* matched. Otherwise, it should contains the server name matched.
*
* TODO: client name is not used currently.
*
* @param c client name
* @param s server name
* @param rule rule name
* @return if a match is found
*/
private boolean configMatch(String c, String s, String rule) {
String policy = policies.get(rule);
boolean result = false;
if (policy == null) {
result = false;
} else if (policy.length() == 0) {
result = true;
} else {
String[] names = policy.split("\\s+");
for (String name: names) {
if (name.equals(s)) {
result = true;
break;
}
}
}
if (result) {
System.out.printf(">>>> Policy match result (%s vs %s on %s) %b\n",
c, s, rule, result);
}
return result;
}
/** /**
* Processes an incoming request and generates a response. * Processes an incoming request and generates a response.
* @param in the request * @param in the request
...@@ -724,7 +681,10 @@ public class KDC { ...@@ -724,7 +681,10 @@ public class KDC {
bFlags[Krb5.TKT_OPTS_MAY_POSTDATE] = true; bFlags[Krb5.TKT_OPTS_MAY_POSTDATE] = true;
} }
if (configMatch("", service.getNameString(), "ok-as-delegate")) { String okAsDelegate = (String)options.get(Option.OK_AS_DELEGATE);
if (okAsDelegate != null && (
okAsDelegate.isEmpty() ||
okAsDelegate.contains(service.getNameString()))) {
bFlags[Krb5.TKT_OPTS_DELEGATE] = true; bFlags[Krb5.TKT_OPTS_DELEGATE] = true;
} }
bFlags[Krb5.TKT_OPTS_INITIAL] = true; bFlags[Krb5.TKT_OPTS_INITIAL] = true;
......
/* /*
* Copyright (c) 2009, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2009, 2012, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -21,6 +21,32 @@ ...@@ -21,6 +21,32 @@
* questions. * questions.
*/ */
/*
* @test
* @bug 6853328 7172701
* @run main/othervm OkAsDelegate false true true false false false
* FORWARDABLE ticket not allowed, always fail
* @run main/othervm OkAsDelegate true false false false false false
* Service ticket no OK-AS-DELEGATE. Request nothing, gain nothing
* @run main/othervm OkAsDelegate true false true false false false
* Service ticket no OK-AS-DELEGATE. Request deleg policy, gain nothing
* @run main/othervm OkAsDelegate true true false true false true
* Service ticket no OK-AS-DELEGATE. Request deleg, granted
* @run main/othervm OkAsDelegate true true true true false true
* Service ticket no OK-AS-DELEGATE. Request deleg and deleg policy, granted, with info not by policy
* @run main/othervm -Dtest.kdc.policy.ok-as-delegate OkAsDelegate true false true true true true
* Service ticket has OK-AS-DELEGATE. Request deleg policy, granted
* @run main/othervm -Dtest.kdc.policy.ok-as-delegate OkAsDelegate true true true true true true
* Service ticket has OK-AS-DELEGATE. granted, with info by policy
* @run main/othervm -Dtest.spnego OkAsDelegate false true true false false false
* @run main/othervm -Dtest.spnego OkAsDelegate true false false false false false
* @run main/othervm -Dtest.spnego OkAsDelegate true false true false false false
* @run main/othervm -Dtest.spnego OkAsDelegate true true false true false true
* @run main/othervm -Dtest.spnego OkAsDelegate true true true true false true
* @run main/othervm -Dtest.spnego -Dtest.kdc.policy.ok-as-delegate OkAsDelegate true false true true true true
* @run main/othervm -Dtest.spnego -Dtest.kdc.policy.ok-as-delegate OkAsDelegate true true true true true true
* @summary Support OK-AS-DELEGATE flag
*/
import com.sun.security.jgss.ExtendedGSSContext; import com.sun.security.jgss.ExtendedGSSContext;
import org.ietf.jgss.GSSCredential; import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException; import org.ietf.jgss.GSSException;
...@@ -52,7 +78,7 @@ public class OkAsDelegate { ...@@ -52,7 +78,7 @@ public class OkAsDelegate {
boolean delegated boolean delegated
) throws Exception { ) throws Exception {
OneKDC kdc = new OneKDC(null); OneKDC kdc = new OneKDC(null);
kdc.setPolicy("ok-as-delegate", kdc.setOption(KDC.Option.OK_AS_DELEGATE,
System.getProperty("test.kdc.policy.ok-as-delegate")); System.getProperty("test.kdc.policy.ok-as-delegate"));
kdc.writeJAASConf(); kdc.writeJAASConf();
if (!forwardable) { if (!forwardable) {
......
/* /*
* Copyright (c) 2009, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2009, 2012, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -21,8 +21,19 @@ ...@@ -21,8 +21,19 @@
* questions. * questions.
*/ */
import com.sun.security.jgss.ExtendedGSSContext; /*
import java.io.File; * @test
* @bug 6853328 7172701
* @run main/othervm OkAsDelegateXRealm false
* KDC no OK-AS-DELEGATE, fail
* @run main/othervm -Dtest.kdc.policy.ok-as-delegate OkAsDelegateXRealm true
* KDC set OK-AS-DELEGATE for all, succeed
* @run main/othervm -Dtest.kdc.policy.ok-as-delegate=host/host.r3.local OkAsDelegateXRealm false
* KDC set OK-AS-DELEGATE for host/host.r3.local only, fail
* @run main/othervm -Dtest.kdc.policy.ok-as-delegate=host/host.r3.local,krbtgt/R2,krbtgt/R3 OkAsDelegateXRealm true
* KDC set OK-AS-DELEGATE for all three, succeed
* @summary Support OK-AS-DELEGATE flag
*/
import java.io.FileOutputStream; import java.io.FileOutputStream;
import java.io.IOException; import java.io.IOException;
import java.security.Security; import java.security.Security;
...@@ -31,11 +42,7 @@ import javax.security.auth.callback.CallbackHandler; ...@@ -31,11 +42,7 @@ import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback; import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback; import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException; import javax.security.auth.callback.UnsupportedCallbackException;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException; import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import sun.security.jgss.GSSUtil; import sun.security.jgss.GSSUtil;
import sun.security.krb5.Config; import sun.security.krb5.Config;
...@@ -50,21 +57,21 @@ public class OkAsDelegateXRealm implements CallbackHandler { ...@@ -50,21 +57,21 @@ public class OkAsDelegateXRealm implements CallbackHandler {
// Create and start the KDCs. Here we have 3 realms: R1, R2 and R3. // Create and start the KDCs. Here we have 3 realms: R1, R2 and R3.
// R1 is trusted by R2, and R2 trusted by R3. // R1 is trusted by R2, and R2 trusted by R3.
KDC kdc1 = KDC.create("R1"); KDC kdc1 = KDC.create("R1");
kdc1.setPolicy("ok-as-delegate", kdc1.setOption(KDC.Option.OK_AS_DELEGATE,
System.getProperty("test.kdc.policy.ok-as-delegate")); System.getProperty("test.kdc.policy.ok-as-delegate"));
kdc1.addPrincipal("dummy", "bogus".toCharArray()); kdc1.addPrincipal("dummy", "bogus".toCharArray());
kdc1.addPrincipalRandKey("krbtgt/R1"); kdc1.addPrincipalRandKey("krbtgt/R1");
kdc1.addPrincipal("krbtgt/R2@R1", "r1->r2".toCharArray()); kdc1.addPrincipal("krbtgt/R2@R1", "r1->r2".toCharArray());
KDC kdc2 = KDC.create("R2"); KDC kdc2 = KDC.create("R2");
kdc2.setPolicy("ok-as-delegate", kdc2.setOption(KDC.Option.OK_AS_DELEGATE,
System.getProperty("test.kdc.policy.ok-as-delegate")); System.getProperty("test.kdc.policy.ok-as-delegate"));
kdc2.addPrincipalRandKey("krbtgt/R2"); kdc2.addPrincipalRandKey("krbtgt/R2");
kdc2.addPrincipal("krbtgt/R2@R1", "r1->r2".toCharArray()); kdc2.addPrincipal("krbtgt/R2@R1", "r1->r2".toCharArray());
kdc2.addPrincipal("krbtgt/R3@R2", "r2->r3".toCharArray()); kdc2.addPrincipal("krbtgt/R3@R2", "r2->r3".toCharArray());
KDC kdc3 = KDC.create("R3"); KDC kdc3 = KDC.create("R3");
kdc3.setPolicy("ok-as-delegate", kdc3.setOption(KDC.Option.OK_AS_DELEGATE,
System.getProperty("test.kdc.policy.ok-as-delegate")); System.getProperty("test.kdc.policy.ok-as-delegate"));
kdc3.addPrincipalRandKey("krbtgt/R3"); kdc3.addPrincipalRandKey("krbtgt/R3");
kdc3.addPrincipal("krbtgt/R3@R2", "r2->r3".toCharArray()); kdc3.addPrincipal("krbtgt/R3@R2", "r2->r3".toCharArray());
......
#
# Copyright (c) 2009, Oracle and/or its affiliates. All rights reserved.
# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
#
# This code is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License version 2 only, as
# published by the Free Software Foundation.
#
# This code is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# version 2 for more details (a copy is included in the LICENSE file that
# accompanied this code).
#
# You should have received a copy of the GNU General Public License version
# 2 along with this work; if not, write to the Free Software Foundation,
# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
# or visit www.oracle.com if you need additional information or have any
# questions.
#
# @test
# @bug 6853328
# @summary Support OK-AS-DELEGATE flag
# @run shell/timeout=600 ok-as-delegate-xrealm.sh
#
if [ "${TESTSRC}" = "" ] ; then
TESTSRC=`dirname $0`
fi
if [ "${TESTJAVA}" = "" ] ; then
JAVAC_CMD=`which javac`
TESTJAVA=`dirname $JAVAC_CMD`/..
fi
# set platform-dependent variables
OS=`uname -s`
case "$OS" in
Windows_* )
FS="\\"
SEP=";"
;;
CYGWIN* )
FS="/"
SEP=";"
;;
* )
FS="/"
SEP=":"
;;
esac
${TESTJAVA}${FS}bin${FS}javac -XDignore.symbol.file -d . \
${TESTSRC}${FS}OkAsDelegateXRealm.java \
${TESTSRC}${FS}KDC.java \
${TESTSRC}${FS}OneKDC.java \
${TESTSRC}${FS}Action.java \
${TESTSRC}${FS}Context.java \
|| exit 10
# Add $TESTSRC to classpath so that customized nameservice can be used
J="${TESTJAVA}${FS}bin${FS}java -cp $TESTSRC${SEP}."
# KDC no OK-AS-DELEGATE, fail
$J OkAsDelegateXRealm false || exit 1
# KDC set OK-AS-DELEGATE for all, succeed
$J -Dtest.kdc.policy.ok-as-delegate OkAsDelegateXRealm true || exit 2
# KDC set OK-AS-DELEGATE for host/host.r3.local only, fail
$J -Dtest.kdc.policy.ok-as-delegate=host/host.r3.local OkAsDelegateXRealm false || exit 3
# KDC set OK-AS-DELEGATE for all, succeed
$J "-Dtest.kdc.policy.ok-as-delegate=host/host.r3.local krbtgt/R2 krbtgt/R3" OkAsDelegateXRealm true || exit 4
exit 0
#
# Copyright (c) 2009, Oracle and/or its affiliates. All rights reserved.
# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
#
# This code is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License version 2 only, as
# published by the Free Software Foundation.
#
# This code is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# version 2 for more details (a copy is included in the LICENSE file that
# accompanied this code).
#
# You should have received a copy of the GNU General Public License version
# 2 along with this work; if not, write to the Free Software Foundation,
# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
# or visit www.oracle.com if you need additional information or have any
# questions.
#
# @test
# @bug 6853328
# @summary Support OK-AS-DELEGATE flag
# @run shell/timeout=600 ok-as-delegate.sh
#
if [ "${TESTSRC}" = "" ] ; then
TESTSRC=`dirname $0`
fi
if [ "${TESTJAVA}" = "" ] ; then
JAVAC_CMD=`which javac`
TESTJAVA=`dirname $JAVAC_CMD`/..
fi
# set platform-dependent variables
OS=`uname -s`
case "$OS" in
Windows_* )
FS="\\"
SEP=";"
;;
CYGWIN* )
FS="/"
SEP=";"
;;
* )
FS="/"
SEP=":"
;;
esac
${TESTJAVA}${FS}bin${FS}javac -XDignore.symbol.file -d . \
${TESTSRC}${FS}OkAsDelegate.java \
${TESTSRC}${FS}KDC.java \
${TESTSRC}${FS}OneKDC.java \
${TESTSRC}${FS}Action.java \
${TESTSRC}${FS}Context.java \
|| exit 10
# Testing Kerberos 5
# Add $TESTSRC to classpath so that customized nameservice can be used
J="${TESTJAVA}${FS}bin${FS}java -cp $TESTSRC${SEP}. OkAsDelegate"
JOK="${TESTJAVA}${FS}bin${FS}java -cp $TESTSRC${SEP}. -Dtest.kdc.policy.ok-as-delegate OkAsDelegate"
# FORWARDABLE ticket not allowed, always fail
$J false true true false false false || exit 1
# Service ticket no OK-AS-DELEGATE
# Request nothing, gain nothing
$J true false false false false false || exit 2
# Request deleg policy, gain nothing
$J true false true false false false || exit 3
# Request deleg, granted
$J true true false true false true || exit 4
# Request deleg and deleg policy, granted, with info not by policy
$J true true true true false true || exit 5
# Service ticket has OK-AS-DELEGATE
# Request deleg policy, granted
$JOK true false true true true true || exit 6
# Request deleg and deleg policy, granted, with info by policy
$JOK true true true true true true || exit 7
# Testing SPNEGO
# Add $TESTSRC to classpath so that customized nameservice can be used
J="${TESTJAVA}${FS}bin${FS}java -cp $TESTSRC${SEP}. -Dtest.spnego OkAsDelegate"
JOK="${TESTJAVA}${FS}bin${FS}java -cp $TESTSRC${SEP}. -Dtest.spnego -Dtest.kdc.policy.ok-as-delegate OkAsDelegate"
# FORWARDABLE ticket not allowed, always fail
$J false true true false false false || exit 11
# Service ticket no OK-AS-DELEGATE
# Request nothing, gain nothing
$J true false false false false false || exit 12
# Request deleg policy, gain nothing
$J true false true false false false || exit 13
# Request deleg, granted
$J true true false true false true || exit 14
# Request deleg and deleg policy, granted, with info not by policy
$J true true true true false true || exit 15
# Service ticket has OK-AS-DELEGATE
# Request deleg policy, granted
$JOK true false true true true true || exit 16
# Request deleg and deleg policy, granted, with info by policy
$JOK true true true true true true || exit 17
exit 0
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册