Posted to commits@directory.apache.org by co...@apache.org on 2015/10/21 18:50:01 UTC

directory-kerby git commit: Adding some JWT tests

Repository: directory-kerby
Updated Branches:
  refs/heads/master 49482c42e -> b4c2b2ddd


Adding some JWT tests


Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/b4c2b2dd
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/b4c2b2dd
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/b4c2b2dd

Branch: refs/heads/master
Commit: b4c2b2ddd00aa972c192f1f8097344442d237e49
Parents: 49482c4
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Wed Oct 21 17:49:52 2015 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Wed Oct 21 17:49:52 2015 +0100

----------------------------------------------------------------------
 .../kerberos/kdc/WithAccessTokenKdcTest.java    | 69 ++++++++++++++++++--
 .../kerberos/kdc/WithIdentityTokenKdcTest.java  | 63 +++++++++++++++++-
 .../kerberos/kdc/WithTokenKdcTestBase.java      | 32 +++++----
 .../kerb/server/preauth/token/TokenPreauth.java |  2 +-
 4 files changed, 143 insertions(+), 23 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/b4c2b2dd/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithAccessTokenKdcTest.java
----------------------------------------------------------------------
diff --git a/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithAccessTokenKdcTest.java b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithAccessTokenKdcTest.java
index d815e37..d623098 100644
--- a/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithAccessTokenKdcTest.java
+++ b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithAccessTokenKdcTest.java
@@ -19,7 +19,13 @@
  */
 package org.apache.kerby.kerberos.kdc;
 
+import java.io.InputStream;
+import java.security.PrivateKey;
+
+import org.apache.kerby.kerberos.kerb.KrbException;
+import org.apache.kerby.kerberos.kerb.common.PrivateKeyReader;
 import org.apache.kerby.kerberos.kerb.spec.ticket.ServiceTicket;
+import org.junit.Assert;
 import org.junit.Test;
 
 public class WithAccessTokenKdcTest extends WithTokenKdcTestBase {
@@ -27,12 +33,65 @@ public class WithAccessTokenKdcTest extends WithTokenKdcTestBase {
     @Test
     public void testRequestServiceTicketWithAccessToken() throws Exception {
         prepareToken(getServerPrincipal());
+        performTest();
+    }
+    
+    @Test
+    public void testBadIssuer() throws Exception {
+        InputStream is = WithTokenKdcTestBase.class.getResourceAsStream("/private_key.pem");
+        PrivateKey privateKey = PrivateKeyReader.loadPrivateKey(is);
+        prepareToken(getServerPrincipal(), "oauth1.com", AUDIENCE, privateKey);
+        
+        try {
+            performTest();
+            Assert.fail("Failure expected on a bad issuer value");
+        } catch (Exception ex) {
+            // expected
+            Assert.assertTrue(ex instanceof KrbException);
+        }
+    }
+    
+    // TODO - not failing yet.
+    @Test
+    @org.junit.Ignore
+    public void testBadAudienceRestriction() throws Exception {
+        InputStream is = WithTokenKdcTestBase.class.getResourceAsStream("/private_key.pem");
+        PrivateKey privateKey = PrivateKeyReader.loadPrivateKey(is);
+        prepareToken(getServerPrincipal(), ISSUER, "krbtgt2@EXAMPLE.COM", privateKey);
+        
+        try {
+            performTest();
+            Assert.fail("Failure expected on a bad audience restriction value");
+        } catch (Exception ex) {
+            // expected
+            Assert.assertTrue(ex instanceof KrbException);
+        }
+    }
+    
+    // TODO - not failing yet.
+    @Test
+    @org.junit.Ignore
+    public void testUnsignedToken() throws Exception {
+        prepareToken(getServerPrincipal(), ISSUER, AUDIENCE, null);
+        
+        try {
+            performTest();
+            Assert.fail("Failure expected on an unsigned token");
+        } catch (Exception ex) {
+            // expected
+            Assert.assertTrue(ex instanceof KrbException);
+        }
+    }
+    
+    private void performTest() throws Exception {
         createCredentialCache(getClientPrincipal(), getClientPassword());
 
-        ServiceTicket serviceTicket = getKrbClient().requestServiceTicketWithAccessToken(
-            getKrbToken(), getServerPrincipal(), getcCacheFile().getPath());
-        verifyTicket(serviceTicket);
-
-        deleteCcacheFile();
+        try {
+            ServiceTicket serviceTicket = getKrbClient().requestServiceTicketWithAccessToken(
+                getKrbToken(), getServerPrincipal(), getcCacheFile().getPath());
+            verifyTicket(serviceTicket);
+        } finally {
+            deleteCcacheFile();
+        }
     }
 }
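Review bot: `testBadAudienceRestriction` and `testUnsignedToken` are switched off with a bare `@org.junit.Ignore` and `// TODO - not failing yet.`, which suggests the KDC currently issues a ticket for an unsigned token and for a token with an unexpected audience, yet nothing in the build records that gap. Give the annotation a reason that points at a tracked issue, e.g. `@org.junit.Ignore("KDC does not yet reject unsigned tokens - see <TRACKING-ISSUE>")`, so the tests are re-enabled when the check lands. The same applies to the two ignored tests in the WithIdentityTokenKdcTest hunk. Separately, `Assert.assertTrue(ex instanceof KrbException)` in `testBadIssuer` passes on any KrbException, so catching `KrbException` directly and asserting on its message or cause, if the client surfaces the KDC's reason, would tie the test to the issuer check.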

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/b4c2b2dd/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithIdentityTokenKdcTest.java
----------------------------------------------------------------------
diff --git a/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithIdentityTokenKdcTest.java b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithIdentityTokenKdcTest.java
index 045da51..73e7820 100644
--- a/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithIdentityTokenKdcTest.java
+++ b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithIdentityTokenKdcTest.java
@@ -20,11 +20,14 @@
 package org.apache.kerby.kerberos.kdc;
 
 import org.apache.kerby.kerberos.kerb.KrbException;
+import org.apache.kerby.kerberos.kerb.common.PrivateKeyReader;
 import org.apache.kerby.kerberos.kerb.spec.ticket.ServiceTicket;
 import org.apache.kerby.kerberos.kerb.spec.ticket.TgtTicket;
+import org.junit.Assert;
 import org.junit.Test;
 
-import static org.assertj.core.api.Assertions.assertThat;
+import java.io.InputStream;
+import java.security.PrivateKey;
 
 public class WithIdentityTokenKdcTest extends WithTokenKdcTestBase {
 
@@ -32,6 +35,58 @@ public class WithIdentityTokenKdcTest extends WithTokenKdcTestBase {
     public void testKdc() throws Exception {
 
         prepareToken(null);
+        performTest();
+    }
+    
+    @Test
+    public void testBadIssuer() throws Exception {
+        InputStream is = WithTokenKdcTestBase.class.getResourceAsStream("/private_key.pem");
+        PrivateKey privateKey = PrivateKeyReader.loadPrivateKey(is);
+        prepareToken(null, "oauth1.com", AUDIENCE, privateKey);
+        
+        try {
+            performTest();
+            Assert.fail("Failure expected on a bad issuer value");
+        } catch (Exception ex) {
+            // expected
+            Assert.assertTrue(ex instanceof KrbException);
+        }
+    }
+    
+    // TODO - not failing yet.
+    @Test
+    @org.junit.Ignore
+    public void testBadAudienceRestriction() throws Exception {
+        InputStream is = WithTokenKdcTestBase.class.getResourceAsStream("/private_key.pem");
+        PrivateKey privateKey = PrivateKeyReader.loadPrivateKey(is);
+        prepareToken(null, ISSUER, "krbtgt2@EXAMPLE.COM", privateKey);
+        
+        try {
+            performTest();
+            Assert.fail("Failure expected on a bad audience restriction value");
+        } catch (Exception ex) {
+            // expected
+            Assert.assertTrue(ex instanceof KrbException);
+        }
+    }
+    
+    // TODO - not failing yet.
+    @Test
+    @org.junit.Ignore
+    public void testUnsignedToken() throws Exception {
+        prepareToken(null, ISSUER, "krbtgt2@EXAMPLE.COM", null);
+        
+        try {
+            performTest();
+            Assert.fail("Failure expected on an unsigned token");
+        } catch (Exception ex) {
+            // expected
+            Assert.assertTrue(ex instanceof KrbException);
+        }
+    }
+    
+    private void performTest() throws Exception {
+
         createCredentialCache(getClientPrincipal(), getClientPassword());
 
         TgtTicket tgt = null;
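Review bot: `testUnsignedToken` in this hunk passes `"krbtgt2@EXAMPLE.COM"` as the audience together with a null signing key, so it mixes the bad-audience case into the unsigned-token case; the WithAccessTokenKdcTest counterpart uses `AUDIENCE`. Once audience validation is enforced, this test could pass without the KDC ever checking for a signature. Use `prepareToken(null, ISSUER, AUDIENCE, null);` so the missing signature is the only reason to reject the token. `performTest()` continues outside this hunk.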
@@ -39,8 +94,10 @@ public class WithIdentityTokenKdcTest extends WithTokenKdcTestBase {
             tgt = getKrbClient().requestTgtWithToken(getKrbToken(),
                     getcCacheFile().getPath());
         } catch (KrbException e) {
-            assertThat(e.getMessage().contains("timeout")).isTrue();
-            return;
+            if (e.getMessage().contains("timeout")) {
+                return;
+            }
+            throw e;
         }
         verifyTicket(tgt);
 

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/b4c2b2dd/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithTokenKdcTestBase.java
----------------------------------------------------------------------
diff --git a/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithTokenKdcTestBase.java b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithTokenKdcTestBase.java
index 9c0a8a2..8db50f9 100644
--- a/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithTokenKdcTestBase.java
+++ b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithTokenKdcTestBase.java
@@ -40,7 +40,6 @@ import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
 import java.security.PrivateKey;
-import java.security.interfaces.RSAPrivateKey;
 import java.util.ArrayList;
 import java.util.Date;
 import java.util.List;
@@ -77,10 +76,23 @@ public class WithTokenKdcTestBase extends KdcTestBase {
     protected File getcCacheFile() {
         return cCacheFile;
     }
-
+    
     protected AuthToken prepareToken(String servicePrincipal) {
+        InputStream is = WithTokenKdcTestBase.class.getResourceAsStream("/private_key.pem");
+        PrivateKey privateKey = null;
+        try {
+            privateKey = PrivateKeyReader.loadPrivateKey(is);
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+
+        return prepareToken(servicePrincipal, ISSUER, AUDIENCE, privateKey);
+    }
+    
+    protected AuthToken prepareToken(String servicePrincipal, String issuer, String audience, 
+                                     PrivateKey signingKey) {
         AuthToken authToken = KrbRuntime.getTokenProvider().createTokenFactory().createToken();
-        authToken.setIssuer(ISSUER);
+        authToken.setIssuer(issuer);
         authToken.setSubject(SUBJECT);
 
         authToken.addAttribute("group", GROUP);
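Review bot: In the one-argument `prepareToken`, a failure to load `/private_key.pem` is only printed and `privateKey` stays null, while the four-argument overload treats a null `signingKey` as "do not sign" (the `signingKey != null` guard in the later hunk). A missing or unreadable key therefore silently turns the positive tests into unsigned-token tests, which by the `not failing yet` TODO in the test classes would still pass. Rethrow instead, e.g. `throw new IllegalStateException("Cannot load /private_key.pem", e);`, and open the resource with try-with-resources so the stream is closed. The four-argument overload's body continues outside this hunk.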
@@ -90,7 +102,7 @@ public class WithTokenKdcTestBase extends KdcTestBase {
         if (servicePrincipal != null) {
             aud.add(servicePrincipal);
         }
-        aud.add(AUDIENCE);
+        aud.add(audience);
         authToken.setAudiences(aud);
 
         // Set expiration in 60 minutes
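Review bot: The audience list still receives `servicePrincipal` whenever it is non-null, so a caller that passes a wrong `audience`, as `WithAccessTokenKdcTest.testBadAudienceRestriction` does with `getServerPrincipal()`, produces a token that carries one plausible audience and one wrong one. Whether the KDC should reject that depends on how it matches audiences, which is not visible here; a test for audience enforcement is clearer when the token carries only the unexpected value. A short comment such as `// audience is added in addition to servicePrincipal, not instead of it` would make the behaviour explicit. The method body starts and ends outside this hunk.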
@@ -106,16 +118,8 @@ public class WithTokenKdcTestBase extends KdcTestBase {
 
         TokenEncoder tokenEncoder = KrbRuntime.getTokenProvider().createTokenEncoder();
 
-        if (tokenEncoder instanceof JwtTokenEncoder) {
-            InputStream is = WithTokenKdcTestBase.class.getResourceAsStream("/private_key.pem");
-            PrivateKey privateKey = null;
-            try {
-                privateKey = PrivateKeyReader.loadPrivateKey(is);
-            } catch (Exception e) {
-                e.printStackTrace();
-            }
-
-            ((JwtTokenEncoder) tokenEncoder).setSignKey((RSAPrivateKey) privateKey);
+        if (tokenEncoder instanceof JwtTokenEncoder && signingKey != null) {
+            ((JwtTokenEncoder) tokenEncoder).setSignKey(signingKey);
         }
 
         krbToken = new KrbToken();

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/b4c2b2dd/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java
index e5154ad..2e8e860 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java
@@ -76,7 +76,7 @@ public class TokenPreauth extends AbstractPreauthPlugin {
             TokenInfo tokenInfo = paTokenRequest.getTokenInfo();
             String issuer = tokenInfo.getTokenVendor();
             if (!(issuers.contains(issuer))) {
-                throw new KrbException("Unconfigured issuer:" + issuer);
+                throw new KrbException("Unconfigured issuer: " + issuer);
             }
             TokenDecoder tokenDecoder = KrbRuntime.getTokenProvider().createTokenDecoder();
             if (tokenDecoder instanceof JwtTokenDecoder) {