Posted to commits@directory.apache.org by co...@apache.org on 2023/03/30 07:08:00 UTC
[directory-kerby] 01/02: Adding some tests to make sure signatures are required for JWT tests
This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch 2.0.x-fixes
in repository https://gitbox.apache.org/repos/asf/directory-kerby.git
commit 5723236092d9fd87b56c2c3004a6d18139cfb226
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Thu Mar 30 07:10:42 2023 +0100
Adding some tests to make sure signatures are required for JWT tests
---
.../kerb/integration/test/JWTTokenTest.java | 96 +++++++++++++++++++++-
1 file changed, 95 insertions(+), 1 deletion(-)
diff --git a/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/JWTTokenTest.java b/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/JWTTokenTest.java
index 98b2772f..4b20a45b 100644
--- a/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/JWTTokenTest.java
+++ b/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/JWTTokenTest.java
@@ -217,6 +217,55 @@ public class JWTTokenTest extends TokenLoginTestBase {
}
}
+ @org.junit.Test
+ public void accessTokenNoSignature() throws Exception {
+
+ KrbClient client = getKrbClient();
+
+ // Get a TGT
+ TgtTicket tgt = client.requestTgt(getClientPrincipal(), getClientPassword());
+ assertNotNull(tgt);
+
+ // Write to cache
+ Credential credential = new Credential(tgt);
+ CredentialCache cCache = new CredentialCache();
+ cCache.addCredential(credential);
+ cCache.setPrimaryPrincipal(tgt.getClientPrincipal());
+
+ File cCacheFile = Files.createTempFile("krb5_" + getClientPrincipal(), "cc").toFile();
+ cCache.store(cCacheFile);
+
+ KrbTokenClient tokenClient = new KrbTokenClient(client);
+
+ tokenClient.setKdcHost(client.getSetting().getKdcHost());
+ tokenClient.setKdcTcpPort(client.getSetting().getKdcTcpPort());
+
+ tokenClient.setKdcRealm(client.getSetting().getKdcRealm());
+ tokenClient.init();
+
+ // Create a JWT token with an invalid audience
+ AuthToken authToken = issueToken(getClientPrincipal());
+ authToken.isAcToken(true);
+ authToken.isIdToken(false);
+ authToken.setAudiences(Collections.singletonList(getServerPrincipal()));
+ KrbToken krbToken = new KrbToken(authToken, TokenFormat.JWT);
+
+ TokenEncoder tokenEncoder = KrbRuntime.getTokenProvider("JWT").createTokenEncoder();
+ assertTrue(tokenEncoder instanceof JwtTokenEncoder);
+
+ krbToken.setTokenValue(tokenEncoder.encodeAsBytes(authToken));
+
+ // Now get a SGT using the JWT
+ try {
+ tokenClient.requestSgt(krbToken, getServerPrincipal(), cCacheFile.getPath());
+ fail("Failure expected on no signature");
+ } catch (KrbException ex) {
+ assertTrue(ex.getMessage().contains("Token should be signed"));
+ } finally {
+ cCacheFile.delete();
+ }
+ }
+
@org.junit.Test(expected = KrbException.class)
public void accessTokenUnknownIssuer() throws Exception {
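Review bot: The comment `// Create a JWT token with an invalid audience` in accessTokenNoSignature does not match the code below it, which sets the audience to `getServerPrincipal()` and encodes the token with an encoder on which no signing key is set in the visible lines. Something like `// Create an access token for the server principal, encoded without a signing key` would make it clear that the missing signature is the only intended reason for rejection. Separately, the credential cache holding the TGT is stored before the `try`, so `cCacheFile.delete()` is skipped if `tokenClient.init()` or `encodeAsBytes(...)` throws; opening the `try` directly after `cCache.store(cCacheFile);` would close that gap. The same cleanup point applies to identityTokenNoSignature in the last hunk.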
@@ -452,7 +501,6 @@ public class JWTTokenTest extends TokenLoginTestBase {
// Create a JWT token
AuthToken authToken = issueToken(getClientPrincipal());
- authToken.setAudiences(Collections.singletonList(authToken.getAudiences().get(0) + "_"));
KrbToken krbToken = new KrbToken(authToken, TokenFormat.JWT);
KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
@@ -469,6 +517,52 @@ public class JWTTokenTest extends TokenLoginTestBase {
}
}
+ @org.junit.Test
+ public void identityTokenNoSignature() throws Exception {
+
+ KrbClient client = getKrbClient();
+
+ // Get a TGT
+ TgtTicket tgt = client.requestTgt(getClientPrincipal(), getClientPassword());
+ assertNotNull(tgt);
+
+ // Write to cache
+ Credential credential = new Credential(tgt);
+ CredentialCache cCache = new CredentialCache();
+ cCache.addCredential(credential);
+ cCache.setPrimaryPrincipal(tgt.getClientPrincipal());
+
+ File cCacheFile = Files.createTempFile("krb5_" + getClientPrincipal(), "cc").toFile();
+ cCache.store(cCacheFile);
+
+ KrbTokenClient tokenClient = new KrbTokenClient(client);
+
+ tokenClient.setKdcHost(client.getSetting().getKdcHost());
+ tokenClient.setKdcTcpPort(client.getSetting().getKdcTcpPort());
+
+ tokenClient.setKdcRealm(client.getSetting().getKdcRealm());
+ tokenClient.init();
+
+ // Create a JWT token
+ AuthToken authToken = issueToken(getClientPrincipal());
+ KrbToken krbToken = new KrbToken(authToken, TokenFormat.JWT);
+
+ TokenEncoder tokenEncoder = KrbRuntime.getTokenProvider("JWT").createTokenEncoder();
+ assertTrue(tokenEncoder instanceof JwtTokenEncoder);
+
+ krbToken.setTokenValue(tokenEncoder.encodeAsBytes(authToken));
+
+ // Now get a TGT using the JWT token
+ try {
+ tokenClient.requestTgt(krbToken, cCacheFile.getPath());
+ fail("Failure expected on an invalid signature");
+ } catch (KrbException ex) {
+ assertTrue(ex.getMessage().contains("Token should be signed"));
+ } finally {
+ cCacheFile.delete();
+ }
+ }
+
@org.junit.Test(expected = KrbException.class)
public void identityTokenUnknownIssuer() throws Exception {
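Review bot: The failure message in identityTokenNoSignature, `fail("Failure expected on an invalid signature");`, describes a different case from the one under test, since the token here is encoded with no signing key set in the visible lines. It should read `fail("Failure expected on no signature");`, matching accessTokenNoSignature, so a regression that lets an unsigned token through is reported accurately. A one-line comment above the `try`, for example `// The KDC must reject an unsigned JWT before issuing a TGT`, would also record why the test asserts on the "Token should be signed" text.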