Posted to commits@directory.apache.org by er...@apache.org on 2004/11/02 08:18:08 UTC

svn commit: rev 56363 - incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/changepw/store

Author: erodriguez
Date: Mon Nov  1 23:18:07 2004
New Revision: 56363

Added:
   incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/changepw/store/
   incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/changepw/store/LdapPasswordStore.java
   incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/changepw/store/PasswordStore.java
Log:
New store interface and LDAP implementation for change password service.

Added: incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/changepw/store/LdapPasswordStore.java
==============================================================================
--- (empty file)
+++ incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/changepw/store/LdapPasswordStore.java	Mon Nov  1 23:18:07 2004
@@ -0,0 +1,144 @@
+/*
+ *   Copyright 2004 The Apache Software Foundation
+ *
+ *   Licensed under the Apache License, Version 2.0 (the "License");
+ *   you may not use this file except in compliance with the License.
+ *   You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing, software
+ *   distributed under the License is distributed on an "AS IS" BASIS,
+ *   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *   See the License for the specific language governing permissions and
+ *   limitations under the License.
+ *
+ */
+package org.apache.kerberos.changepw.store;
+
+import org.apache.kerberos.kdc.*;
+import org.apache.kerberos.kdc.jaas.*;
+import org.apache.kerberos.kdc.store.*;
+import org.apache.kerberos.messages.value.*;
+
+import java.security.*;
+
+import javax.naming.*;
+import javax.naming.directory.*;
+import javax.security.auth.*;
+import javax.security.auth.kerberos.*;
+import javax.security.auth.login.*;
+
+public class LdapPasswordStore implements PasswordStore {
+	
+	public static final String PRINCIPAL_NAME     = "krb5PrincipalName";
+	public static final String KEY_VERSION_NUMBER = "krb5KeyVersionNumber";
+	public static final String MAX_LIFE           = "krb5MaxLife";
+	public static final String MAX_RENEW          = "krb5MaxRenew";
+	public static final String KDC_FLAGS          = "krb5KDCFlags";
+	public static final String ENCRYPTION_TYPE    = "krb5EncryptionType";
+	public static final String VALID_START        = "krb5ValidStart";
+	public static final String VALID_END          = "krb5ValidEnd";
+	public static final String PASSWORD_END       = "krb5PasswordEnd";
+	public static final String KEY                = "krb5Key";
+	public static final String PRINCIPAL_REALM    = "krb5PrincipalRealm";
+	public static final String REALM_NAME         = "krb5RealmName";
+	
+	private KdcConfiguration _config;
+	private BootstrapStore   _bootstrap;
+	private Subject          _subject;
+	
+	public LdapPasswordStore(KdcConfiguration config, BootstrapStore bootstrap) {
+		_config    = config;
+		_bootstrap = bootstrap;
+	}
+	
+	public void init() {
+		
+		_subject = new Subject();
+		
+		KerberosPrincipal principal = _config.getChangepwPrincipal();
+		EncryptionKey entry         = _bootstrap.getEntry(principal).getEncryptionKey();
+		
+		KerberosKey key = new KerberosKey(principal, entry.getKeyValue(),
+				entry.getKeyType().getOrdinal(), entry.getKeyVersion());
+		
+		_subject.getPrincipals().add(principal);
+		_subject.getPrivateCredentials().add(key);
+		
+		Configuration.setConfiguration(new Krb5Configuration());
+		
+		LoginContext lc = null;
+		try {
+			lc = new LoginContext(LdapPasswordStore.class.getName(), _subject);
+			lc.login();
+		} catch (LoginException le) {
+			System.err.println("Authentication attempt failed" + le);
+		}
+	}
+	
+	public String changePassword(KerberosPrincipal principal, byte[] newKey) {
+		return (String)Subject.doAs(_subject, new JaasLdapLookupAction(_config, principal, newKey));
+	}
+}
+
+class JaasLdapLookupAction implements PrivilegedAction {
+
+	private KdcConfiguration  _config;
+	private KerberosPrincipal _principal;
+	private byte[]            _newKey;
+	private String            _name;
+
+	public JaasLdapLookupAction(KdcConfiguration config, KerberosPrincipal principal, byte[] newKey) {
+		_config    = config;
+		_principal = principal;
+		_newKey    = newKey;
+	}
+
+	public Object run() {
+		performJndiOperation();
+		return _name;
+	}
+
+	private void performJndiOperation() {
+
+		try {
+			DirContext ctx = new InitialDirContext(_config.getProperties());
+
+			search(ctx);
+			
+			ModificationItem[] mods = new ModificationItem[1];
+			mods[0] = new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
+				new BasicAttribute("krb5key", _newKey));
+			ctx.modifyAttributes(_name, mods);
+
+			ctx.close();
+		} catch (NamingException e) {
+			_name = null;
+			e.printStackTrace();
+		}
+	}
+
+	private void search(DirContext ctx) throws NamingException {
+		
+		String[] attrIDs = {LdapPasswordStore.PRINCIPAL_NAME, LdapPasswordStore.KEY_VERSION_NUMBER,
+							LdapPasswordStore.ENCRYPTION_TYPE, LdapPasswordStore.KEY};
+
+		Attributes matchAttrs = new BasicAttributes(false); // case-sensitive
+		matchAttrs.put(new BasicAttribute(LdapPasswordStore.PRINCIPAL_NAME, _principal));
+		matchAttrs.put(new BasicAttribute(LdapPasswordStore.KEY));
+		matchAttrs.put(new BasicAttribute(LdapPasswordStore.ENCRYPTION_TYPE));
+		matchAttrs.put(new BasicAttribute(LdapPasswordStore.KEY_VERSION_NUMBER));
+
+		// Search for objects that have those matching attributes
+		NamingEnumeration answer = ctx.search("", matchAttrs, attrIDs);
+		
+		if (answer.hasMore()) {
+			SearchResult sr = (SearchResult) answer.next();
+			if (sr != null) {
+				_name = sr.getName();
+			}
+		}
+	}
+}
+
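Review bot: In `performJndiOperation`, `ctx.modifyAttributes(_name, mods)` runs even when `search` found no entry for the principal, so `_name` is still null and the modify is attempted against a null name; returning before the modification when `_name == null` avoids that. `ctx.close()` is also skipped whenever `search` or `modifyAttributes` throws, leaking the directory connection, so the close belongs in a `finally`. The literal `"krb5key"` duplicates `LdapPasswordStore.KEY` (`"krb5Key"`); using the constant keeps the attribute name in one place. Separately, `init()` only prints a failed `LoginException` and returns, so `changePassword` would later call `Subject.doAs` with a Subject that never logged in — propagating that failure (or at least recording it so `changePassword` can refuse) would be safer than continuing.
```java
	private void performJndiOperation() {
		DirContext ctx = null;
		try {
			ctx = new InitialDirContext(_config.getProperties());

			search(ctx);
			if (_name == null) {
				return; // no entry for this principal; nothing to modify
			}

			ModificationItem[] mods = new ModificationItem[1];
			mods[0] = new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
				new BasicAttribute(LdapPasswordStore.KEY, _newKey));
			ctx.modifyAttributes(_name, mods);
		} catch (NamingException e) {
			_name = null;
			e.printStackTrace();
		} finally {
			if (ctx != null) {
				try {
					ctx.close();
				} catch (NamingException ignored) {
					// best-effort close; the outcome is already recorded in _name
				}
			}
		}
	}
```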

Added: incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/changepw/store/PasswordStore.java
==============================================================================
--- (empty file)
+++ incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/changepw/store/PasswordStore.java	Mon Nov  1 23:18:07 2004
@@ -0,0 +1,25 @@
+/*
+ *   Copyright 2004 The Apache Software Foundation
+ *
+ *   Licensed under the Apache License, Version 2.0 (the "License");
+ *   you may not use this file except in compliance with the License.
+ *   You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing, software
+ *   distributed under the License is distributed on an "AS IS" BASIS,
+ *   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *   See the License for the specific language governing permissions and
+ *   limitations under the License.
+ *
+ */
+package org.apache.kerberos.changepw.store;
+
+import javax.security.auth.kerberos.*;
+
+public interface PasswordStore {
+	public void init();
+	public String changePassword(KerberosPrincipal principal, byte[] key);
+}
+
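Review bot: The new `PasswordStore` interface has no Javadoc, so the contract of `changePassword` — what the returned `String` denotes and whether `null` signals failure, as the LDAP implementation in this commit uses it — is left to whoever reads the implementation. A short comment would pin it down, e.g. `/** Replaces the key of {@code principal}; returns the store-relative name of the updated entry, or {@code null} if it was not found or the update failed. */`. `init()` also declares no exception, which leaves an implementation no way to report a failed login other than logging and continuing; consider declaring one so a caller can refuse to serve change requests on a store that did not authenticate.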