Posted to commits@directory.apache.org by ka...@apache.org on 2013/04/14 19:47:07 UTC
svn commit: r1467804 [2/2] - in /directory/apacheds/trunk/kerberos-client2:
./ src/ src/main/ src/main/java/ src/main/java/org/
src/main/java/org/apache/ src/main/java/org/apache/directory/
src/main/java/org/apache/directory/kerberos/ src/main/java/org...
Added: directory/apacheds/trunk/kerberos-client2/src/test/java/org/apache/directory/kerberos/client/KdcAsRepTest.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/kerberos-client2/src/test/java/org/apache/directory/kerberos/client/KdcAsRepTest.java?rev=1467804&view=auto
==============================================================================
--- directory/apacheds/trunk/kerberos-client2/src/test/java/org/apache/directory/kerberos/client/KdcAsRepTest.java (added)
+++ directory/apacheds/trunk/kerberos-client2/src/test/java/org/apache/directory/kerberos/client/KdcAsRepTest.java Sun Apr 14 17:47:06 2013
@@ -0,0 +1,233 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.directory.kerberos.client;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.fail;
+
+import java.nio.ByteBuffer;
+
+import org.apache.directory.api.asn1.ber.Asn1Decoder;
+import org.apache.directory.api.ldap.model.entry.DefaultEntry;
+import org.apache.directory.api.ldap.model.entry.Entry;
+import org.apache.directory.kerberos.client.KdcConnection;
+import org.apache.directory.kerberos.client.TgTicket;
+import org.apache.directory.kerberos.client.TgtRequest;
+import org.apache.directory.server.annotations.CreateKdcServer;
+import org.apache.directory.server.annotations.CreateLdapServer;
+import org.apache.directory.server.annotations.CreateTransport;
+import org.apache.directory.server.core.annotations.ApplyLdifs;
+import org.apache.directory.server.core.annotations.ContextEntry;
+import org.apache.directory.server.core.annotations.CreateDS;
+import org.apache.directory.server.core.annotations.CreatePartition;
+import org.apache.directory.server.core.api.CoreSession;
+import org.apache.directory.server.core.integ.AbstractLdapTestUnit;
+import org.apache.directory.server.core.integ.FrameworkRunner;
+import org.apache.directory.server.core.kerberos.KeyDerivationInterceptor;
+import org.apache.directory.shared.kerberos.codec.methodData.MethodDataContainer;
+import org.apache.directory.shared.kerberos.codec.types.PaDataType;
+import org.apache.directory.shared.kerberos.components.MethodData;
+import org.apache.directory.shared.kerberos.exceptions.ErrorType;
+import org.apache.directory.shared.kerberos.exceptions.KerberosException;
+import org.apache.directory.shared.kerberos.messages.KrbError;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+
+@RunWith(FrameworkRunner.class)
+@CreateDS(name = "KerberosTcpIT-class", enableChangeLog = false,
+ partitions =
+ {
+ @CreatePartition(
+ name = "example",
+ suffix = "dc=example,dc=com",
+ contextEntry=@ContextEntry( entryLdif =
+ "dn: dc=example,dc=com\n" +
+ "objectClass: domain\n" +
+ "dc: example" ) )
+ },
+ additionalInterceptors =
+ {
+ KeyDerivationInterceptor.class
+ })
+@CreateLdapServer(
+ transports =
+ {
+ @CreateTransport(protocol = "LDAP")
+ })
+@CreateKdcServer(
+ searchBaseDn = "dc=example,dc=com",
+ transports =
+ {
+ @CreateTransport(protocol = "TCP")
+ })
+@ApplyLdifs({
+ // krbtgt
+ "dn: uid=krbtgt,dc=example,dc=com",
+ "objectClass: top",
+ "objectClass: person",
+ "objectClass: inetOrgPerson",
+ "objectClass: krb5principal",
+ "objectClass: krb5kdcentry",
+ "cn: KDC Service",
+ "sn: Service",
+ "uid: krbtgt",
+ "userPassword: secret",
+ "krb5PrincipalName: krbtgt/EXAMPLE.COM@EXAMPLE.COM",
+ "krb5KeyVersionNumber: 0",
+
+ //app service
+ "dn: uid=ldap,dc=example,dc=com",
+ "objectClass: top",
+ "objectClass: person",
+ "objectClass: inetOrgPerson",
+ "objectClass: krb5principal",
+ "objectClass: krb5kdcentry",
+ "cn: LDAP",
+ "sn: Service",
+ "uid: ldap",
+ "userPassword: randall",
+ "krb5PrincipalName: ldap/localhost@EXAMPLE.COM",
+ "krb5KeyVersionNumber: 0"
+})
+public class KdcAsRepTest extends AbstractLdapTestUnit
+{
+ public static final String USERS_DN = "dc=example,dc=com";
+
+ private static CoreSession session;
+
+ private static KdcConnection conn;
+
+ private String userPassword = "secret";
+
+ private String principalName = "will@EXAMPLE.COM";
+
+ @Before
+ public void setup() throws Exception
+ {
+ if ( session == null )
+ {
+ kdcServer.setSearchBaseDn( USERS_DN );
+ session = kdcServer.getDirectoryService().getAdminSession();
+ createPrincipal( "will", userPassword, principalName );
+ }
+
+ if ( conn == null )
+ {
+ conn = KdcConnection.createTcpConnection( "localhost", kdcServer.getTcpPort() );
+ conn.setTimeout( Integer.MAX_VALUE );
+ }
+ }
+
+
+ @Test
+ public void testKrbErrUnknwonClientPrincipal() throws Exception
+ {
+ try
+ {
+ conn.getTgt( "unknown@EXAMPLE.COM", userPassword );
+ }
+ catch( KerberosException e )
+ {
+ KrbError err = e.getError();
+ assertNotNull( err );
+ assertEquals( ErrorType.KDC_ERR_C_PRINCIPAL_UNKNOWN, err.getErrorCode() );
+ }
+ }
+
+
+ @Test
+ public void testKrbErrPreAuthRequired() throws Exception
+ {
+ TgtRequest tgtReq = new TgtRequest();
+ tgtReq.setClientPrincipal( principalName );
+ tgtReq.setPassword( userPassword );
+ tgtReq.setPreAuthEnabled( false );
+
+ try
+ {
+ conn.getTgt( tgtReq );
+ }
+ catch( KerberosException e )
+ {
+ KrbError err = e.getError();
+ assertNotNull( err );
+ assertEquals( ErrorType.KDC_ERR_PREAUTH_REQUIRED, err.getErrorCode() );
+ byte[] eData = err.getEData();
+ ByteBuffer stream = ByteBuffer.allocate( eData.length );
+ stream.put( eData );
+ stream.flip();
+
+ Asn1Decoder decoder = new Asn1Decoder();
+ MethodDataContainer container = new MethodDataContainer();
+ container.setStream( stream );
+ decoder.decode( stream, container );
+ MethodData padata = container.getMethodData();
+ assertEquals( 2, padata.getPaDatas().length );
+ assertEquals( PaDataType.PA_ENCTYPE_INFO2, padata.getPaDatas()[1].getPaDataType() );
+ assertEquals( PaDataType.PA_ENC_TIMESTAMP, padata.getPaDatas()[0].getPaDataType() );
+ }
+ }
+
+
+ @Test
+ public void testKrbErrCantPostdate() throws Exception
+ {
+ TgtRequest tgtReq = new TgtRequest();
+ tgtReq.setClientPrincipal( principalName );
+ tgtReq.setPassword( userPassword );
+ tgtReq.setStartTime( System.currentTimeMillis() + 600000 ); // now + 10 min
+
+ try
+ {
+ conn.getTgt( tgtReq );
+ fail("should fail with KDC_ERR_CANNOT_POSTDATE");
+ }
+ catch( KerberosException e )
+ {
+ KrbError err = e.getError();
+ assertNotNull( err );
+ assertEquals( ErrorType.KDC_ERR_CANNOT_POSTDATE, err.getErrorCode() );
+ }
+
+ tgtReq.setPostdated( true );
+ TgTicket tgt = conn.getTgt( tgtReq );
+ assertNotNull( tgt );
+ }
+
+
+ private String createPrincipal( String uid, String userPassword, String principalName ) throws Exception
+ {
+ Entry entry = new DefaultEntry( session.getDirectoryService().getSchemaManager() );
+ entry.setDn( "uid=" + uid + "," + USERS_DN );
+ entry.add( "objectClass", "top", "person", "inetOrgPerson", "krb5principal", "krb5kdcentry" );
+ entry.add( "cn", uid );
+ entry.add( "sn", uid );
+ entry.add( "uid", uid );
+ entry.add( "userPassword", userPassword );
+ entry.add( "krb5PrincipalName", principalName );
+ entry.add( "krb5KeyVersionNumber", "0" );
+ session.add( entry );
+
+ return entry.getDn().getName();
+ }
+}
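Review bot: testKrbErrUnknwonClientPrincipal and testKrbErrPreAuthRequired pass silently when conn.getTgt() returns normally, because their try blocks have no fail() after the call; a KDC that issued a TGT for an unknown principal, or without pre-authentication, would not be caught by either test, whereas testKrbErrCantPostdate already guards this correctly. Add `fail( "should fail with KDC_ERR_C_PRINCIPAL_UNKNOWN" );` after the first getTgt call and `fail( "should fail with KDC_ERR_PREAUTH_REQUIRED" );` after the second. In testKrbErrPreAuthRequired the PA-DATA order assertion (PA_ENC_TIMESTAMP at index 0, PA_ENCTYPE_INFO2 at index 1) pins a server-side ordering that is not documented here; a short comment stating that the order is intentional, or asserting on the set of types instead, would make the intent clear. The method name also misspells "Unknown" (testKrbErrUnknwonClientPrincipal).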
Added: directory/apacheds/trunk/kerberos-client2/src/test/java/org/apache/directory/kerberos/client/KdcConnectionTest.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/kerberos-client2/src/test/java/org/apache/directory/kerberos/client/KdcConnectionTest.java?rev=1467804&view=auto
==============================================================================
--- directory/apacheds/trunk/kerberos-client2/src/test/java/org/apache/directory/kerberos/client/KdcConnectionTest.java (added)
+++ directory/apacheds/trunk/kerberos-client2/src/test/java/org/apache/directory/kerberos/client/KdcConnectionTest.java Sun Apr 14 17:47:06 2013
@@ -0,0 +1,233 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.directory.kerberos.client;
+
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+import org.apache.directory.api.ldap.model.entry.DefaultEntry;
+import org.apache.directory.api.ldap.model.entry.Entry;
+import org.apache.directory.kerberos.client.KdcConnection;
+import org.apache.directory.kerberos.client.ServiceTicket;
+import org.apache.directory.kerberos.client.TgTicket;
+import org.apache.directory.kerberos.client.TgtRequest;
+import org.apache.directory.server.annotations.CreateChngPwdServer;
+import org.apache.directory.server.annotations.CreateKdcServer;
+import org.apache.directory.server.annotations.CreateLdapServer;
+import org.apache.directory.server.annotations.CreateTransport;
+import org.apache.directory.server.core.annotations.ApplyLdifs;
+import org.apache.directory.server.core.annotations.ContextEntry;
+import org.apache.directory.server.core.annotations.CreateDS;
+import org.apache.directory.server.core.annotations.CreatePartition;
+import org.apache.directory.server.core.api.CoreSession;
+import org.apache.directory.server.core.integ.AbstractLdapTestUnit;
+import org.apache.directory.server.core.integ.FrameworkRunner;
+import org.apache.directory.server.core.kerberos.KeyDerivationInterceptor;
+import org.apache.directory.server.kerberos.changepwd.exceptions.ChangePasswdErrorType;
+import org.apache.directory.shared.kerberos.exceptions.KerberosException;
+import org.junit.Before;
+import org.junit.Ignore;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+
+@RunWith(FrameworkRunner.class)
+@CreateDS(name = "KerberosTcpIT-class", enableChangeLog = false,
+ partitions =
+ {
+ @CreatePartition(
+ name = "example",
+ suffix = "dc=example,dc=com",
+ contextEntry=@ContextEntry( entryLdif =
+ "dn: dc=example,dc=com\n" +
+ "objectClass: domain\n" +
+ "dc: example" ) )
+ },
+ additionalInterceptors =
+ {
+ KeyDerivationInterceptor.class
+ })
+@CreateLdapServer(
+ transports =
+ {
+ @CreateTransport(protocol = "LDAP")
+ })
+@CreateKdcServer(
+ searchBaseDn = "dc=example,dc=com",
+ transports =
+ {
+ @CreateTransport(protocol = "TCP")
+ },
+ chngPwdServer = @CreateChngPwdServer
+ (
+ transports =
+ {
+ @CreateTransport(protocol = "TCP")
+ }
+ ))
+@ApplyLdifs({
+ // krbtgt
+ "dn: uid=krbtgt,dc=example,dc=com",
+ "objectClass: top",
+ "objectClass: person",
+ "objectClass: inetOrgPerson",
+ "objectClass: krb5principal",
+ "objectClass: krb5kdcentry",
+ "cn: KDC Service",
+ "sn: Service",
+ "uid: krbtgt",
+ "userPassword: secret",
+ "krb5PrincipalName: krbtgt/EXAMPLE.COM@EXAMPLE.COM",
+ "krb5KeyVersionNumber: 0",
+
+ // changepwd
+ "dn: uid=kadmin,dc=example,dc=com",
+ "objectClass: top",
+ "objectClass: person",
+ "objectClass: inetOrgPerson",
+ "objectClass: krb5principal",
+ "objectClass: krb5kdcentry",
+ "cn: changepw Service",
+ "sn: Service",
+ "uid: kadmin",
+ "userPassword: secret",
+ "krb5PrincipalName: kadmin/changepw@EXAMPLE.COM",
+ "krb5KeyVersionNumber: 0",
+
+ // app service
+ "dn: uid=ldap,dc=example,dc=com",
+ "objectClass: top",
+ "objectClass: person",
+ "objectClass: inetOrgPerson",
+ "objectClass: krb5principal",
+ "objectClass: krb5kdcentry",
+ "cn: LDAP",
+ "sn: Service",
+ "uid: ldap",
+ "userPassword: randall",
+ "krb5PrincipalName: ldap/localhost@EXAMPLE.COM",
+ "krb5KeyVersionNumber: 0"
+})
+public class KdcConnectionTest extends AbstractLdapTestUnit
+{
+ public static final String USERS_DN = "dc=example,dc=com";
+
+ private static CoreSession session;
+
+ private static KdcConnection conn;
+
+ private String userPassword = "secret";
+
+ private String principalName = "will@EXAMPLE.COM";
+
+ private String serverPrincipal = "ldap/localhost@EXAMPLE.COM";
+
+ @Before
+ public void setup() throws Exception
+ {
+ if ( session == null )
+ {
+ kdcServer.setSearchBaseDn( USERS_DN );
+ session = kdcServer.getDirectoryService().getAdminSession();
+ createPrincipal( "will", userPassword, principalName );
+ }
+
+ if ( conn == null )
+ {
+ conn = KdcConnection.createTcpConnection( "localhost", kdcServer.getTcpPort() );
+ conn.setEncryptionTypes( kdcServer.getConfig().getEncryptionTypes() );
+ conn.setTimeout( Integer.MAX_VALUE );
+ }
+ }
+
+
+ @Test
+ public void testGettingInitialTicket() throws Exception
+ {
+ TgTicket tgt = conn.getTgt( principalName, userPassword );
+ assertNotNull( tgt );
+ assertFalse( tgt.isForwardable() );
+ }
+
+
+ @Test
+ public void testTgtFlags() throws Exception
+ {
+ TgtRequest tgtReq = new TgtRequest();
+ tgtReq.setClientPrincipal( principalName );
+ tgtReq.setPassword( userPassword );
+ tgtReq.setForwardable( true );
+
+ TgTicket tgt = conn.getTgt( tgtReq );
+ assertNotNull( tgt );
+ assertTrue( tgt.isForwardable() );
+ }
+
+ @Test
+ public void testGetServiceTicket() throws Exception
+ {
+ ServiceTicket rep = conn.getServiceTicket( principalName, userPassword, serverPrincipal );
+ System.out.println( rep );
+ assertNotNull( rep );
+ }
+
+
+ @Test
+ @Ignore("Failing with NPE in public ChangePasswdErrorType getResultCode()")
+ public void testChangePassword() throws Exception
+ {
+ String newPassword = "newPassword";
+ int port = kdcServer.getChangePwdServer().getTcpPort();
+
+ conn.changePassword( principalName, userPassword, newPassword, "localhost", port, false );
+
+ try
+ {
+ conn.getTgt( principalName, userPassword );
+ fail( "should fail with kerberos exception cause of invalid password" );
+ }
+ catch( KerberosException e )
+ {
+ }
+
+ TgTicket tgt = conn.getTgt( principalName, newPassword );
+ assertNotNull( tgt );
+ }
+
+
+ private String createPrincipal( String uid, String userPassword, String principalName ) throws Exception
+ {
+ Entry entry = new DefaultEntry( session.getDirectoryService().getSchemaManager() );
+ entry.setDn( "uid=" + uid + "," + USERS_DN );
+ entry.add( "objectClass", "top", "person", "inetOrgPerson", "krb5principal", "krb5kdcentry" );
+ entry.add( "cn", uid );
+ entry.add( "sn", uid );
+ entry.add( "uid", uid );
+ entry.add( "userPassword", userPassword );
+ entry.add( "krb5PrincipalName", principalName );
+ entry.add( "krb5KeyVersionNumber", "0" );
+ session.add( entry );
+
+ return entry.getDn().getName();
+ }
+}
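Review bot: testGetServiceTicket prints the ServiceTicket to stdout (`System.out.println( rep );`) before asserting on it; what ServiceTicket.toString() renders is not visible in this hunk, but a service ticket carries a session key, so dumping it to console and CI logs is an avoidable exposure and the line should be removed, leaving the assertNotNull as the check. testChangePassword catches KerberosException with an empty body; since the failure is the expected outcome, either comment it, e.g. `// expected: the old password is no longer valid`, or assert on the error code as KdcAsRepTest does. `conn.setTimeout( Integer.MAX_VALUE );` in setup means a KDC that stops responding hangs the suite rather than failing it; a bounded timeout would surface that as a test failure.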
Added: directory/apacheds/trunk/kerberos-client2/src/test/resources/log4j.xml
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/kerberos-client2/src/test/resources/log4j.xml?rev=1467804&view=auto
==============================================================================
--- directory/apacheds/trunk/kerberos-client2/src/test/resources/log4j.xml (added)
+++ directory/apacheds/trunk/kerberos-client2/src/test/resources/log4j.xml Sun Apr 14 17:47:06 2013
@@ -0,0 +1,95 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!DOCTYPE log4j:configuration SYSTEM "log4j.dtd">
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+-->
+<log4j:configuration>
+
+ <appender name="stdout" class="org.apache.log4j.ConsoleAppender">
+ <layout class="org.apache.log4j.PatternLayout">
+ <param name="ConversionPattern"
+ value="[%d{HH:mm:ss}] %p [%c] - %m%n"/>
+ </layout>
+ </appender>
+
+ <appender name="file" class="org.apache.log4j.FileAppender">
+ <param name="Append" value="false"/>
+ <param name="File" value="/tmp/krbconn.log" />
+ <layout class="org.apache.log4j.PatternLayout">
+ <param name="ConversionPattern"
+ value="[%d{HH:mm:ss}] %p [%c] - %m%n"/>
+ </layout>
+ </appender>
+
+ <logger name="LOG_CHANGES" additivity="false">
+ <level value="warn"/>
+ </logger>
+
+ <logger name="org.apache.directory.shared.ldap.model.schema" additivity="false">
+ <level value="warn"/>
+ </logger>
+
+ <logger name="net.sf.ehcache" additivity="false">
+ <level value="warn"/>
+ </logger>
+
+ <logger name="org.apache.directory.server.xdbm" additivity="false">
+ <level value="warn"/>
+ </logger>
+
+ <logger name="org.apache.directory.server.core.partition" additivity="false">
+ <level value="warn"/>
+ </logger>
+
+ <logger name="JdbmTable" additivity="false">
+ <level value="warn"/>
+ </logger>
+
+ <logger name="JdbmIndex" additivity="false">
+ <level value="warn"/>
+ </logger>
+
+ <logger name="org.apache.directory.server.replication" additivity="false">
+ <level value="debug"/>
+ </logger>
+
+ <logger name="org.apache.directory.ldap.client.api" additivity="false">
+ <level value="warn"/>
+ </logger>
+
+ <logger name="org.apache.directory.server.core">
+ <level value="warn"/>
+ </logger>
+
+ <logger name="org.apache.directory.shared.kerberos">
+ <level value="debug"/>
+ </logger>
+
+ <logger name="org.apache.directory.shared.ldap">
+ <level value="warn"/>
+ </logger>
+
+ <logger name="org.apache.directory.shared.util">
+ <level value="warn"/>
+ </logger>
+
+ <root>
+ <level value="off"/>
+ <appender-ref ref="stdout" />
+ <appender-ref ref="file" />
+ </root>
+</log4j:configuration>
\ No newline at end of file
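Review bot: The file appender writes to the fixed path `/tmp/krbconn.log` while `org.apache.directory.shared.kerberos` is set to debug, so Kerberos protocol debug output from the test run lands in a shared, world-readable temp directory at a predictable name; what that logger emits is not visible here, but at debug level it can plausibly include ticket and key material. Prefer a location under the build output, e.g. `<param name="File" value="target/krbconn.log" />`, or drop the file appender and keep only stdout for the tests. The root level is `off`, so only the explicitly listed loggers produce any output, which is worth a one-line comment in the file since it is easy to misread as "logging disabled".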