Posted to commits@directory.apache.org by co...@apache.org on 2017/08/03 12:46:02 UTC
directory-kerby git commit: DIRKRB-638 - KerbyGssAppTest fails when
there is no keytab on the service side - Test added.
Repository: directory-kerby
Updated Branches:
refs/heads/trunk ca49a5615 -> 75dc602f7
DIRKRB-638 - KerbyGssAppTest fails when there is no keytab on the service side
- Test added.
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/75dc602f
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/75dc602f
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/75dc602f
Branch: refs/heads/trunk
Commit: 75dc602f730d0df125904cfc791e046b509fb3d9
Parents: ca49a56
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Thu Aug 3 13:45:44 2017 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Thu Aug 3 13:45:44 2017 +0100
----------------------------------------------------------------------
.../kerb/integration/test/KerbyGssAppTest.java | 7 ---
.../kerberos/kerb/gss/impl/GssAcceptCred.java | 60 ++++++++++++++++----
.../kerberos/kerb/gss/impl/GssContext.java | 8 ++-
3 files changed, 54 insertions(+), 21 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/75dc602f/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/KerbyGssAppTest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/KerbyGssAppTest.java b/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/KerbyGssAppTest.java
index 1ae01b1..b6f4e43 100644
--- a/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/KerbyGssAppTest.java
+++ b/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/KerbyGssAppTest.java
@@ -21,7 +21,6 @@ package org.apache.kerby.kerberos.kerb.integration.test;
import org.apache.kerby.kerberos.kerb.gss.KerbyGssProvider;
import org.junit.Before;
-import org.junit.Test;
import java.security.Provider;
@@ -35,10 +34,4 @@ public class KerbyGssAppTest extends GssAppTest {
super.setUp();
}
- // See DIRKRB-638
- @Test
- @org.junit.Ignore
- public void testServerUsingPassword() throws Exception {
-
- }
}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/75dc602f/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssAcceptCred.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssAcceptCred.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssAcceptCred.java
index e33a4f3..bb5bfd0 100644
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssAcceptCred.java
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssAcceptCred.java
@@ -20,6 +20,7 @@
package org.apache.kerby.kerberos.kerb.gss.impl;
+import org.apache.kerby.kerberos.kerb.type.base.EncryptionKey;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSName;
@@ -27,25 +28,30 @@ import sun.security.jgss.GSSCaller;
import javax.security.auth.kerberos.KerberosKey;
import javax.security.auth.kerberos.KerberosPrincipal;
+import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.kerberos.KeyTab;
public final class GssAcceptCred extends GssCredElement {
private final KeyTab keyTab;
+ private final KerberosTicket ticket;
public static GssAcceptCred getInstance(final GSSCaller caller,
GssNameElement name, int lifeTime) throws GSSException {
- KeyTab keyTab = null;
- if (name == null) {
- keyTab = CredUtils.getKeyTabFromContext(null);
- } else {
- KerberosPrincipal princ = new KerberosPrincipal(name.getPrincipalName().getName(),
- name.getPrincipalName().getNameType().getValue());
- keyTab = CredUtils.getKeyTabFromContext(princ);
+ // Try to get a keytab first
+ KeyTab keyTab = getKeyTab(name);
+ KerberosTicket ticket = null;
+ if (keyTab == null) {
+ // Otherwise try to get a kerberos ticket
+ if (name == null) {
+ ticket = CredUtils.getKerberosTicketFromContext(caller, null, null);
+ } else {
+ ticket = CredUtils.getKerberosTicketFromContext(caller, name.getPrincipalName().getName(), null);
+ }
}
- if (keyTab == null) {
+ if (keyTab == null && ticket == null) {
String error = "Failed to find any Kerberos credential";
if (name != null) {
error += " for " + name.getPrincipalName().getName();
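Review bot: The ticket fallback in `getInstance` passes `null` as the last argument of `CredUtils.getKerberosTicketFromContext(...)` in both branches, and no comment records that the acceptor may now hold a ticket instead of a keytab. If that argument is a server-principal filter (its declaration is not part of this diff), any ticket for the named client found in the caller's context would be taken as the service credential, so the intended constraint should be confirmed. The two branches differ only in the name argument and could be written as `String clientName = name == null ? null : name.getPrincipalName().getName();` followed by a single call. I would also add a comment such as `// No keytab: fall back to a ticket; GssContext will use its session key rather than a long-term key`. `getInstance` continues past the end of this hunk.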
@@ -54,15 +60,30 @@ public final class GssAcceptCred extends GssCredElement {
}
if (name == null) {
- name = GssNameElement.getInstance(keyTab.getPrincipal().getName(), GSSName.NT_HOSTBASED_SERVICE);
+ if (keyTab != null) {
+ name = GssNameElement.getInstance(keyTab.getPrincipal().getName(), GSSName.NT_HOSTBASED_SERVICE);
+ } else {
+ name = GssNameElement.getInstance(ticket.getClient().getName(), GSSName.NT_HOSTBASED_SERVICE);
+ }
}
- return new GssAcceptCred(caller, name, keyTab, lifeTime);
+ return new GssAcceptCred(caller, name, keyTab, ticket, lifeTime);
+ }
+
+ private static KeyTab getKeyTab(GssNameElement name) throws GSSException {
+ if (name == null) {
+ return CredUtils.getKeyTabFromContext(null);
+ } else {
+ KerberosPrincipal princ = new KerberosPrincipal(name.getPrincipalName().getName(),
+ name.getPrincipalName().getNameType().getValue());
+ return CredUtils.getKeyTabFromContext(princ);
+ }
}
- private GssAcceptCred(GSSCaller caller, GssNameElement name, KeyTab keyTab, int lifeTime) {
+ private GssAcceptCred(GSSCaller caller, GssNameElement name, KeyTab keyTab, KerberosTicket ticket, int lifeTime) {
super(caller, name);
this.keyTab = keyTab;
+ this.ticket = ticket;
this.accLifeTime = lifeTime;
}
@@ -78,9 +99,24 @@ public final class GssAcceptCred extends GssCredElement {
return this.keyTab;
}
+ public KerberosTicket getKerberosTicket() {
+ return ticket;
+ }
+
public KerberosKey[] getKeys() {
KerberosPrincipal princ = new KerberosPrincipal(name.getPrincipalName().getName(),
name.getPrincipalName().getNameType().getValue());
- return keyTab.getKeys(princ);
+ if (keyTab != null) {
+ return keyTab.getKeys(princ);
+ }
+
+ return null;
+ }
+
+ public EncryptionKey getKeyFromTicket() {
+ if (ticket != null) {
+ return new EncryptionKey(ticket.getSessionKeyType(), ticket.getSessionKey().getEncoded());
+ }
+ return null;
}
}
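Review bot: `getKeyFromTicket()` builds an `EncryptionKey` from `ticket.getSessionKey()` without checking that the ticket is still usable, so an expired ticket still yields a key and a destroyed one is expected to throw from `getSessionKey()` instead of returning null. Guarding with `if (ticket != null && ticket.isCurrent())` keeps both cases on the same "no key" path. `getKeys()` now returns `null` when there is no keytab, and both methods are public, so each should carry a short Javadoc stating that `null` means this credential type is absent. That would stop callers from dereferencing the result unchecked.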
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/75dc602f/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssContext.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssContext.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssContext.java
index 38b0715..c719a1a 100644
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssContext.java
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssContext.java
@@ -435,8 +435,12 @@ public class GssContext implements GSSContextSpi {
int kvno = apReq.getTicket().getEncryptedEncPart().getKvno();
int encryptType = apReq.getTicket().getEncryptedEncPart().getEType().getValue();
- // Get server key from credential
- EncryptionKey serverKey = GssUtil.getEncryptionKey(acceptCred.getKeys(), encryptType, kvno);
+ // Get server key from ticket
+ EncryptionKey serverKey = acceptCred.getKeyFromTicket();
+ if (serverKey == null) {
+ // Otherwise get it from the keytab
+ serverKey = GssUtil.getEncryptionKey(acceptCred.getKeys(), encryptType, kvno);
+ }
if (serverKey == null) {
throw new GSSException(GSSException.FAILURE, -1, "Server key not found");
}
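Review bot: The ticket-derived key is used as `serverKey` without being compared with the `encryptType` and `kvno` read from the AP-REQ just above, whereas the keytab path selects a key by both. A key of the wrong type would presumably only surface as a decryption failure further down; an explicit check such as `if (serverKey != null && serverKey.getKeyType().getValue() != encryptType) { throw new GSSException(GSSException.FAILURE, -1, "Ticket key type does not match AP-REQ"); }` fails early with a clear cause. It is also worth confirming that the session key of the acceptor's own ticket is the key the incoming service ticket is encrypted under, which cannot be established from this hunk. The enclosing method starts and ends outside the hunk.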