Posted to commits@directory.apache.org by pl...@apache.org on 2015/11/04 09:26:06 UTC
[40/48] directory-kerby git commit: DIRKRB-435 JWT Audience
restriction validation is not working. Add check Access Token Audience.
DIRKRB-435 JWT Audience restriction validation is not working. Add a check of the access token audience.
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/0365e57c
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/0365e57c
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/0365e57c
Branch: refs/heads/pkinit-support
Commit: 0365e57cdacc7d2439504ec5e4af22575568485a
Parents: 23eee00
Author: plusplus_jiajia <ji...@intel.com>
Authored: Tue Oct 27 13:32:34 2015 +0800
Committer: plusplus_jiajia <ji...@intel.com>
Committed: Tue Oct 27 13:32:34 2015 +0800
----------------------------------------------------------------------
.../kerberos/kdc/WithAccessTokenKdcTest.java | 14 +++---
.../kerberos/kdc/WithIdentityTokenKdcTest.java | 53 ++++++++++----------
.../kerberos/kdc/WithTokenKdcTestBase.java | 10 ++--
.../integration/test/TokenLoginTestBase.java | 4 +-
.../kerb/server/preauth/token/TokenPreauth.java | 14 +++---
5 files changed, 47 insertions(+), 48 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/0365e57c/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithAccessTokenKdcTest.java
----------------------------------------------------------------------
diff --git a/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithAccessTokenKdcTest.java b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithAccessTokenKdcTest.java
index 3a2d4ff..8686190 100644
--- a/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithAccessTokenKdcTest.java
+++ b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithAccessTokenKdcTest.java
@@ -40,12 +40,12 @@ public class WithAccessTokenKdcTest extends WithTokenKdcTestBase {
prepareToken(getServerPrincipal());
performTest();
}
-
+
@Test
public void testBadIssuer() throws Exception {
InputStream is = WithTokenKdcTestBase.class.getResourceAsStream("/private_key.pem");
PrivateKey privateKey = PrivateKeyReader.loadPrivateKey(is);
- prepareToken(getServerPrincipal(), "oauth1.com", AUDIENCE, privateKey, null);
+ prepareToken(getServerPrincipal(), "oauth1.com", privateKey, null);
try {
performTest();
@@ -61,7 +61,7 @@ public class WithAccessTokenKdcTest extends WithTokenKdcTestBase {
InputStream is = WithTokenKdcTestBase.class.getResourceAsStream("/private_key.pem");
PrivateKey privateKey = PrivateKeyReader.loadPrivateKey(is);
prepareToken("bad-service" + "/" + getHostname() + "@" + TestKdcServer.KDC_REALM,
- ISSUER, AUDIENCE, privateKey, null);
+ ISSUER, privateKey, null);
try {
performTest();
@@ -74,7 +74,7 @@ public class WithAccessTokenKdcTest extends WithTokenKdcTestBase {
@Test
public void testUnsignedToken() throws Exception {
- prepareToken(getServerPrincipal(), ISSUER, AUDIENCE, null, null);
+ prepareToken(getServerPrincipal(), ISSUER, null, null);
try {
performTest();
@@ -89,7 +89,7 @@ public class WithAccessTokenKdcTest extends WithTokenKdcTestBase {
public void testSignedTokenWithABadKey() throws Exception {
KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
KeyPair keyPair = keyGen.generateKeyPair();
- prepareToken(getServerPrincipal(), ISSUER, AUDIENCE, keyPair.getPrivate(), null);
+ prepareToken(getServerPrincipal(), ISSUER, keyPair.getPrivate(), null);
try {
performTest();
@@ -108,7 +108,7 @@ public class WithAccessTokenKdcTest extends WithTokenKdcTestBase {
is = WithTokenKdcTestBase.class.getResourceAsStream("/oauth2.com_public_key.pem");
PublicKey publicKey = PublicKeyReader.loadPublicKey(is);
- prepareToken(getServerPrincipal(), ISSUER, AUDIENCE, privateKey, publicKey);
+ prepareToken(getServerPrincipal(), ISSUER, privateKey, publicKey);
performTest();
}
@@ -121,7 +121,7 @@ public class WithAccessTokenKdcTest extends WithTokenKdcTestBase {
InputStream is = WithTokenKdcTestBase.class.getResourceAsStream("/oauth2.com_public_key.pem");
PublicKey publicKey = PublicKeyReader.loadPublicKey(is);
- prepareToken(getServerPrincipal(), ISSUER, AUDIENCE, keyPair.getPrivate(), publicKey);
+ prepareToken(getServerPrincipal(), ISSUER, keyPair.getPrivate(), publicKey);
try {
performTest();
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/0365e57c/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithIdentityTokenKdcTest.java
----------------------------------------------------------------------
diff --git a/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithIdentityTokenKdcTest.java b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithIdentityTokenKdcTest.java
index 3c0895f..052cb0d 100644
--- a/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithIdentityTokenKdcTest.java
+++ b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithIdentityTokenKdcTest.java
@@ -22,6 +22,7 @@ package org.apache.kerby.kerberos.kdc;
import org.apache.kerby.kerberos.kerb.KrbException;
import org.apache.kerby.kerberos.kerb.common.PrivateKeyReader;
import org.apache.kerby.kerberos.kerb.common.PublicKeyReader;
+import org.apache.kerby.kerberos.kerb.server.TestKdcServer;
import org.apache.kerby.kerberos.kerb.spec.ticket.ServiceTicket;
import org.apache.kerby.kerberos.kerb.spec.ticket.TgtTicket;
import org.junit.Assert;
@@ -37,17 +38,16 @@ public class WithIdentityTokenKdcTest extends WithTokenKdcTestBase {
@Test
public void testKdc() throws Exception {
-
- prepareToken(null);
+ prepareToken(getAudience("krbtgt"));
performTest();
}
-
+
@Test
public void testBadIssuer() throws Exception {
InputStream is = WithTokenKdcTestBase.class.getResourceAsStream("/private_key.pem");
PrivateKey privateKey = PrivateKeyReader.loadPrivateKey(is);
- prepareToken(null, "oauth1.com", AUDIENCE, privateKey, null);
-
+ prepareToken(getAudience("krbtgt"), "oauth1.com", privateKey, null);
+
try {
performTest();
Assert.fail("Failure expected on a bad issuer value");
@@ -56,15 +56,13 @@ public class WithIdentityTokenKdcTest extends WithTokenKdcTestBase {
Assert.assertTrue(ex instanceof KrbException);
}
}
-
- // TODO - not failing yet.
+
@Test
- @org.junit.Ignore
public void testBadAudienceRestriction() throws Exception {
InputStream is = WithTokenKdcTestBase.class.getResourceAsStream("/private_key.pem");
PrivateKey privateKey = PrivateKeyReader.loadPrivateKey(is);
- prepareToken(null, ISSUER, "krbtgt2@EXAMPLE.COM", privateKey, null);
-
+ prepareToken("krbtgt2@EXAMPLE.COM", ISSUER, privateKey, null);
+
try {
performTest();
Assert.fail("Failure expected on a bad audience restriction value");
@@ -76,8 +74,7 @@ public class WithIdentityTokenKdcTest extends WithTokenKdcTestBase {
@Test
public void testUnsignedToken() throws Exception {
- prepareToken(null, ISSUER, "krbtgt2@EXAMPLE.COM", null, null);
-
+ prepareToken(getAudience("krbtgt2"), ISSUER, null, null);
try {
performTest();
Assert.fail("Failure expected on an unsigned token");
@@ -86,13 +83,13 @@ public class WithIdentityTokenKdcTest extends WithTokenKdcTestBase {
Assert.assertTrue(ex instanceof KrbException);
}
}
-
+
@Test
public void testSignedTokenWithABadKey() throws Exception {
KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
KeyPair keyPair = keyGen.generateKeyPair();
- prepareToken(null, ISSUER, AUDIENCE, keyPair.getPrivate(), null);
-
+ prepareToken(getAudience("krbtgt"), ISSUER, keyPair.getPrivate(), null);
+
try {
performTest();
Assert.fail("Failure expected on a bad key");
@@ -101,30 +98,30 @@ public class WithIdentityTokenKdcTest extends WithTokenKdcTestBase {
Assert.assertTrue(ex instanceof KrbException);
}
}
-
+
@Test
public void testSignedEncryptedToken() throws Exception {
InputStream is = WithTokenKdcTestBase.class.getResourceAsStream("/private_key.pem");
PrivateKey privateKey = PrivateKeyReader.loadPrivateKey(is);
-
+
is = WithTokenKdcTestBase.class.getResourceAsStream("/oauth2.com_public_key.pem");
PublicKey publicKey = PublicKeyReader.loadPublicKey(is);
-
- prepareToken(null, ISSUER, AUDIENCE, privateKey, publicKey);
-
+
+ prepareToken(getAudience("krbtgt"), ISSUER, privateKey, publicKey);
+
performTest();
}
-
+
@Test
public void testSignedEncryptedTokenBadSigningKey() throws Exception {
KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
KeyPair keyPair = keyGen.generateKeyPair();
-
+
InputStream is = WithTokenKdcTestBase.class.getResourceAsStream("/oauth2.com_public_key.pem");
PublicKey publicKey = PublicKeyReader.loadPublicKey(is);
-
- prepareToken(null, ISSUER, AUDIENCE, keyPair.getPrivate(), publicKey);
-
+
+ prepareToken(getAudience("krbtgt"), ISSUER, keyPair.getPrivate(), publicKey);
+
try {
performTest();
Assert.fail("Failure expected on a bad key");
@@ -133,7 +130,7 @@ public class WithIdentityTokenKdcTest extends WithTokenKdcTestBase {
Assert.assertTrue(ex instanceof KrbException);
}
}
-
+
private void performTest() throws Exception {
createCredentialCache(getClientPrincipal(), getClientPassword());
@@ -154,4 +151,8 @@ public class WithIdentityTokenKdcTest extends WithTokenKdcTestBase {
getServerPrincipal());
verifyTicket(tkt);
}
+
+ private String getAudience(String name) {
+ return name + "/" + TestKdcServer.KDC_REALM + "@" + TestKdcServer.KDC_REALM;
+ }
}
\ No newline at end of file
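Review bot: The new `getAudience` helper hand-builds the principal string as `name + "/" + KDC_REALM + "@" + KDC_REALM`, while the same commit's TokenLoginTestBase derives the TGS audience through `KrbUtil.makeTgsPrincipal(TestKdcServer.KDC_REALM).getName()`; for the `"krbtgt"` callers the helper should use that same factory so the test stays aligned with whatever name format TokenPreauth compares against, and only the negative `"krbtgt2"` cases need the hand-rolled form. The helper also lacks a comment explaining why the realm appears twice; something like `// TGS-style service principal: <name>/<realm>@<realm>, as the KDC compares against the full server principal name` would save the next reader a lookup. The class body is otherwise outside this hunk.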
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/0365e57c/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithTokenKdcTestBase.java
----------------------------------------------------------------------
diff --git a/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithTokenKdcTestBase.java b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithTokenKdcTestBase.java
index 0b94be5..e90e8c5 100644
--- a/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithTokenKdcTestBase.java
+++ b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithTokenKdcTestBase.java
@@ -50,7 +50,6 @@ import static org.assertj.core.api.Assertions.assertThat;
public class WithTokenKdcTestBase extends KdcTestBase {
static final String SUBJECT = "test-sub";
- static final String AUDIENCE = "krbtgt@EXAMPLE.COM";
static final String ISSUER = "oauth2.com";
static final String GROUP = "sales-group";
static final String ROLE = "ADMIN";
@@ -82,7 +81,7 @@ public class WithTokenKdcTestBase extends KdcTestBase {
return cCacheFile;
}
- protected AuthToken prepareToken(String servicePrincipal) {
+ protected AuthToken prepareToken(String audience) {
InputStream is = WithTokenKdcTestBase.class.getResourceAsStream("/private_key.pem");
PrivateKey privateKey = null;
try {
@@ -91,10 +90,10 @@ public class WithTokenKdcTestBase extends KdcTestBase {
e.printStackTrace();
}
- return prepareToken(servicePrincipal, ISSUER, AUDIENCE, privateKey, null);
+ return prepareToken(audience, ISSUER, privateKey, null);
}
- protected AuthToken prepareToken(String servicePrincipal, String issuer, String audience,
+ protected AuthToken prepareToken(String audience, String issuer,
PrivateKey signingKey, PublicKey encryptionKey) {
AuthToken authToken = KrbRuntime.getTokenProvider().createTokenFactory().createToken();
authToken.setIssuer(issuer);
@@ -104,9 +103,6 @@ public class WithTokenKdcTestBase extends KdcTestBase {
authToken.addAttribute("role", ROLE);
List<String> aud = new ArrayList<String>();
- if (servicePrincipal != null) {
- aud.add(servicePrincipal);
- }
aud.add(audience);
authToken.setAudiences(aud);
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/0365e57c/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/TokenLoginTestBase.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/TokenLoginTestBase.java b/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/TokenLoginTestBase.java
index 16ff65f..4fcc54d 100644
--- a/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/TokenLoginTestBase.java
+++ b/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/TokenLoginTestBase.java
@@ -20,11 +20,13 @@
package org.apache.kerby.kerberos.kerb.integration.test;
import org.apache.kerby.kerberos.kerb.KrbRuntime;
+import org.apache.kerby.kerberos.kerb.common.KrbUtil;
import org.apache.kerby.kerberos.kerb.integration.test.jaas.TokenCache;
import org.apache.kerby.kerberos.kerb.integration.test.jaas.TokenJaasKrbUtil;
import org.apache.kerby.kerberos.kerb.provider.TokenEncoder;
import org.apache.kerby.kerberos.kerb.server.KdcConfigKey;
import org.apache.kerby.kerberos.kerb.server.LoginTestBase;
+import org.apache.kerby.kerberos.kerb.server.TestKdcServer;
import org.apache.kerby.kerberos.kerb.spec.base.AuthToken;
import org.apache.kerby.kerberos.kerb.spec.ticket.TgtTicket;
import org.apache.kerby.kerberos.provider.token.JwtTokenProvider;
@@ -108,7 +110,7 @@ public class TokenLoginTestBase extends LoginTestBase {
authToken.addAttribute("role", ROLE);
List<String> aud = new ArrayList<String>();
- aud.add("krb5kdc-with-token-extension");
+ aud.add(KrbUtil.makeTgsPrincipal(TestKdcServer.KDC_REALM).getName());
authToken.setAudiences(aud);
// Set expiration in 60 minutes
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/0365e57c/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java
index a2c57d6..7316070 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java
@@ -99,19 +99,19 @@ public class TokenPreauth extends AbstractPreauthPlugin {
throw new KrbException("Token Decoding failed");
}
+ List<String> audiences = authToken.getAudiences();
+ PrincipalName serverPrincipal = kdcRequest.getKdcReq().getReqBody().getSname();
+ serverPrincipal.setRealm(kdcRequest.getKdcReq().getReqBody().getRealm());
+ kdcRequest.setServerPrincipal(serverPrincipal);
+ if (!audiences.contains(serverPrincipal.getName())) {
+ throw new KrbException("Token audience not match with the target server principal!");
+ }
if (kdcRequest instanceof AsRequest) {
AsRequest asRequest = (AsRequest) kdcRequest;
asRequest.setToken(authToken);
} else if (kdcRequest instanceof TgsRequest) {
TgsRequest tgsRequest = (TgsRequest) kdcRequest;
tgsRequest.setToken(authToken);
- List<String> audiences = authToken.getAudiences();
- PrincipalName serverPrincipal = kdcRequest.getKdcReq().getReqBody().getSname();
- serverPrincipal.setRealm(kdcRequest.getKdcReq().getReqBody().getRealm());
- kdcRequest.setServerPrincipal(serverPrincipal);
- if (!audiences.contains(serverPrincipal.getName())) {
- throw new KrbException("Token audience not match with the target server principal!");
- }
}
return true;
} else {
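Review bot: `audiences.contains(serverPrincipal.getName())` dereferences the list from `authToken.getAudiences()` without a null check, so a token that carries no audience claim would presumably fail with a NullPointerException rather than the KrbException every other rejection in this method throws; if `getAudiences()` can return null (not visible here), guard it with `if (audiences == null || !audiences.contains(serverPrincipal.getName())) { throw new KrbException("Token audience not match with the target server principal!"); }`. Moving the check ahead of the AsRequest/TgsRequest branches is what makes it apply to access tokens as well, which is the point of DIRKRB-435. `serverPrincipal.setRealm(...)` mutates the sname object taken from the request body rather than a copy, so a short comment such as `// fill in the realm from the request body so the audience compare uses the full principal name` would make the intent explicit. The enclosing method begins before this hunk.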