You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@directory.apache.org by dr...@apache.org on 2015/01/22 22:48:04 UTC
[25/45] directory-kerberos git commit: DIRKRB-149 New layout
structure with the new name "Apache Kerby"
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/preauth/AbstractPreauthPlugin.java
----------------------------------------------------------------------
diff --git a/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/preauth/AbstractPreauthPlugin.java b/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/preauth/AbstractPreauthPlugin.java
deleted file mode 100644
index 4a4dc41..0000000
--- a/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/preauth/AbstractPreauthPlugin.java
+++ /dev/null
@@ -1,91 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.kerberos.kerb.server.preauth;
-
-import org.apache.kerberos.kerb.preauth.PaFlags;
-import org.apache.kerberos.kerb.preauth.PluginRequestContext;
-import org.apache.kerberos.kerb.preauth.PreauthPluginMeta;
-import org.apache.kerberos.kerb.server.KdcContext;
-import org.apache.kerberos.kerb.server.request.KdcRequest;
-import org.apache.kerberos.kerb.KrbException;
-import org.apache.kerberos.kerb.spec.pa.PaData;
-import org.apache.kerberos.kerb.spec.pa.PaDataEntry;
-import org.apache.kerberos.kerb.spec.pa.PaDataType;
-
-public class AbstractPreauthPlugin implements KdcPreauth {
-
- private PreauthPluginMeta pluginMeta;
-
- public AbstractPreauthPlugin(PreauthPluginMeta meta) {
- this.pluginMeta = meta;
- }
-
- @Override
- public String getName() {
- return pluginMeta.getName();
- }
-
- public int getVersion() {
- return pluginMeta.getVersion();
- }
-
- public PaDataType[] getPaTypes() {
- return pluginMeta.getPaTypes();
- }
-
- @Override
- public void initWith(KdcContext kdcContext) {
-
- }
-
- @Override
- public PluginRequestContext initRequestContext(KdcRequest kdcRequest) {
- return null;
- }
-
- @Override
- public void provideEdata(KdcRequest kdcRequest, PluginRequestContext requestContext,
- PaData outPaData) throws KrbException {
-
- }
-
- @Override
- public boolean verify(KdcRequest kdcRequest, PluginRequestContext requestContext,
- PaDataEntry paData) throws KrbException {
- return false;
- }
-
- @Override
- public void providePaData(KdcRequest kdcRequest, PluginRequestContext requestContext,
- PaData paData) {
-
- }
-
- @Override
- public PaFlags getFlags(KdcRequest kdcRequest, PluginRequestContext requestContext,
- PaDataType paType) {
- return null;
- }
-
- @Override
- public void destroy() {
-
- }
-}
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/preauth/FastContext.java
----------------------------------------------------------------------
diff --git a/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/preauth/FastContext.java b/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/preauth/FastContext.java
deleted file mode 100644
index a426f7d..0000000
--- a/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/preauth/FastContext.java
+++ /dev/null
@@ -1,36 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.kerberos.kerb.server.preauth;
-
-import org.apache.kerberos.kerb.spec.common.EncryptionKey;
-import org.apache.kerberos.kerb.spec.fast.FastOptions;
-import org.apache.kerberos.kerb.spec.fast.KrbFastArmor;
-import org.apache.kerberos.kerb.spec.kdc.KdcReq;
-
-public class FastContext {
-
- public KdcReq fastOuterRequest;
- public EncryptionKey armorKey;
- public KrbFastArmor fastArmor;
- public FastOptions fastOptions;
- public int nonce;
- public int fastFlags;
-
-}
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/preauth/KdcPreauth.java
----------------------------------------------------------------------
diff --git a/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/preauth/KdcPreauth.java b/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/preauth/KdcPreauth.java
deleted file mode 100644
index c137b6a..0000000
--- a/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/preauth/KdcPreauth.java
+++ /dev/null
@@ -1,81 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.kerberos.kerb.server.preauth;
-
-import org.apache.kerberos.kerb.preauth.PaFlags;
-import org.apache.kerberos.kerb.preauth.PluginRequestContext;
-import org.apache.kerberos.kerb.preauth.PreauthPluginMeta;
-import org.apache.kerberos.kerb.server.KdcContext;
-import org.apache.kerberos.kerb.server.request.KdcRequest;
-import org.apache.kerberos.kerb.KrbException;
-import org.apache.kerberos.kerb.spec.pa.PaData;
-import org.apache.kerberos.kerb.spec.pa.PaDataEntry;
-import org.apache.kerberos.kerb.spec.pa.PaDataType;
-
-/**
- * KDC side preauth plugin module
- */
-public interface KdcPreauth extends PreauthPluginMeta {
-
- /**
- * Initializing plugin context for each realm
- */
- public void initWith(KdcContext context);
-
- /**
- * Initializing request context
- */
- public PluginRequestContext initRequestContext(KdcRequest kdcRequest);
-
- /**
- * Optional: provide pa_data to send to the client as part of the "you need to
- * use preauthentication" error.
- */
- public void provideEdata(KdcRequest kdcRequest, PluginRequestContext requestContext,
- PaData outPaData) throws KrbException;
-
- /**
- * Optional: verify preauthentication data sent by the client, setting the
- * TKT_FLG_PRE_AUTH or TKT_FLG_HW_AUTH flag in the enc_tkt_reply's "flags"
- * field as appropriate.
- */
- public boolean verify(KdcRequest kdcRequest, PluginRequestContext requestContext,
- PaDataEntry paData) throws KrbException;
-
- /**
- * Optional: generate preauthentication response data to send to the client as
- * part of the AS-REP.
- */
- public void providePaData(KdcRequest kdcRequest, PluginRequestContext requestContext,
- PaData paData);
-
- /**
- * Return PA_REAL if pa_type is a real preauthentication type or PA_INFO if it is
- * an informational type.
- */
- public PaFlags getFlags(KdcRequest kdcRequest, PluginRequestContext requestContext,
- PaDataType paType);
-
- /**
- * When exiting...
- */
- public void destroy();
-
-}
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/preauth/PreauthContext.java
----------------------------------------------------------------------
diff --git a/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/preauth/PreauthContext.java b/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/preauth/PreauthContext.java
deleted file mode 100644
index d2812e9..0000000
--- a/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/preauth/PreauthContext.java
+++ /dev/null
@@ -1,44 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.kerberos.kerb.server.preauth;
-
-import java.util.ArrayList;
-import java.util.List;
-
-public class PreauthContext {
- private boolean preauthRequired = true;
- private List<PreauthHandle> handles = new ArrayList<PreauthHandle>(5);
-
- public PreauthContext() {
-
- }
-
- public boolean isPreauthRequired() {
- return preauthRequired;
- }
-
- public void setPreauthRequired(boolean preauthRequired) {
- this.preauthRequired = preauthRequired;
- }
-
- public List<PreauthHandle> getHandles() {
- return handles;
- }
-}
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/preauth/PreauthHandle.java
----------------------------------------------------------------------
diff --git a/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/preauth/PreauthHandle.java b/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/preauth/PreauthHandle.java
deleted file mode 100644
index 90f8724..0000000
--- a/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/preauth/PreauthHandle.java
+++ /dev/null
@@ -1,56 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.kerberos.kerb.server.preauth;
-
-import org.apache.kerberos.kerb.preauth.PluginRequestContext;
-import org.apache.kerberos.kerb.server.request.KdcRequest;
-import org.apache.kerberos.kerb.KrbException;
-import org.apache.kerberos.kerb.spec.pa.PaData;
-import org.apache.kerberos.kerb.spec.pa.PaDataEntry;
-
-public class PreauthHandle {
-
- public KdcPreauth preauth;
- public PluginRequestContext requestContext;
-
- public PreauthHandle(KdcPreauth preauth) {
- this.preauth = preauth;
- }
-
- public void initRequestContext(KdcRequest kdcRequest) {
- requestContext = preauth.initRequestContext(kdcRequest);
- }
-
- public void provideEdata(KdcRequest kdcRequest, PaData outPaData) throws KrbException {
- preauth.provideEdata(kdcRequest, requestContext, outPaData);
- }
-
- public void verify(KdcRequest kdcRequest, PaDataEntry paData) throws KrbException {
- preauth.verify(kdcRequest, requestContext, paData);
- }
-
- public void providePaData(KdcRequest kdcRequest, PaData paData) {
- preauth.providePaData(kdcRequest, requestContext, paData);
- }
-
- public void destroy() {
- preauth.destroy();
- }
-}
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/preauth/PreauthHandler.java
----------------------------------------------------------------------
diff --git a/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/preauth/PreauthHandler.java b/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/preauth/PreauthHandler.java
deleted file mode 100644
index d8d9bca..0000000
--- a/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/preauth/PreauthHandler.java
+++ /dev/null
@@ -1,124 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.kerberos.kerb.server.preauth;
-
-import org.apache.kerberos.kerb.server.KdcConfig;
-import org.apache.kerberos.kerb.server.KdcContext;
-import org.apache.kerberos.kerb.server.preauth.builtin.EncTsPreauth;
-import org.apache.kerberos.kerb.server.preauth.builtin.TgtPreauth;
-import org.apache.kerberos.kerb.server.request.KdcRequest;
-import org.apache.kerberos.kerb.KrbException;
-import org.apache.kerberos.kerb.spec.pa.PaData;
-import org.apache.kerberos.kerb.spec.pa.PaDataEntry;
-import org.apache.kerberos.kerb.spec.pa.PaDataType;
-
-import java.util.ArrayList;
-import java.util.List;
-
-public class PreauthHandler {
-
- private List<KdcPreauth> preauths;
-
- /**
- * Should be called only once, for global
- */
- public void init(KdcConfig kdcConfig) {
- loadPreauthPlugins(kdcConfig);
- }
-
- private void loadPreauthPlugins(KdcConfig kdcConfig) {
- preauths = new ArrayList<KdcPreauth>();
-
- KdcPreauth preauth = new EncTsPreauth();
- preauths.add(preauth);
-
- preauth = new TgtPreauth();
- preauths.add(preauth);
- }
-
- /**
- * Should be called per realm
- * @param context
- */
- public void initWith(KdcContext context) {
- for (KdcPreauth preauth : preauths) {
- preauth.initWith(context);
- }
- }
-
- public PreauthContext preparePreauthContext(KdcRequest kdcRequest) {
- PreauthContext preauthContext = new PreauthContext();
-
- KdcContext kdcContext = kdcRequest.getKdcContext();
- preauthContext.setPreauthRequired(kdcContext.getConfig().isPreauthRequired());
-
- for (KdcPreauth preauth : preauths) {
- PreauthHandle handle = new PreauthHandle(preauth);
- handle.initRequestContext(kdcRequest);
- preauthContext.getHandles().add(handle);
- }
-
- return preauthContext;
- }
-
- public void provideEdata(KdcRequest kdcRequest, PaData outPaData) throws KrbException {
- PreauthContext preauthContext = kdcRequest.getPreauthContext();
-
- for (PreauthHandle handle : preauthContext.getHandles()) {
- handle.provideEdata(kdcRequest, outPaData);
- }
- }
-
- public void verify(KdcRequest kdcRequest, PaData paData) throws KrbException {
- for (PaDataEntry paEntry : paData.getElements()) {
- PreauthHandle handle = findHandle(kdcRequest, paEntry.getPaDataType());
- if (handle != null) {
- handle.verify(kdcRequest, paEntry);
- }
- }
- }
-
- public void providePaData(KdcRequest kdcRequest, PaData paData) {
- PreauthContext preauthContext = kdcRequest.getPreauthContext();
-
- for (PreauthHandle handle : preauthContext.getHandles()) {
- handle.providePaData(kdcRequest, paData);
- }
- }
-
- private PreauthHandle findHandle(KdcRequest kdcRequest, PaDataType paType) {
- PreauthContext preauthContext = kdcRequest.getPreauthContext();
-
- for (PreauthHandle handle : preauthContext.getHandles()) {
- for (PaDataType pt : handle.preauth.getPaTypes()) {
- if (pt == paType) {
- return handle;
- }
- }
- }
- return null;
- }
-
- public void destroy() {
- for (KdcPreauth preauth : preauths) {
- preauth.destroy();
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/preauth/builtin/EncTsPreauth.java
----------------------------------------------------------------------
diff --git a/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/preauth/builtin/EncTsPreauth.java b/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/preauth/builtin/EncTsPreauth.java
deleted file mode 100644
index 5c7e6d0..0000000
--- a/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/preauth/builtin/EncTsPreauth.java
+++ /dev/null
@@ -1,60 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.kerberos.kerb.server.preauth.builtin;
-
-import org.apache.kerberos.kerb.KrbErrorCode;
-import org.apache.kerberos.kerb.codec.KrbCodec;
-import org.apache.kerberos.kerb.common.EncryptionUtil;
-import org.apache.kerberos.kerb.preauth.PluginRequestContext;
-import org.apache.kerberos.kerb.preauth.builtin.EncTsPreauthMeta;
-import org.apache.kerberos.kerb.server.KdcContext;
-import org.apache.kerberos.kerb.server.preauth.AbstractPreauthPlugin;
-import org.apache.kerberos.kerb.server.request.KdcRequest;
-import org.apache.kerberos.kerb.KrbException;
-import org.apache.kerberos.kerb.spec.common.EncryptedData;
-import org.apache.kerberos.kerb.spec.common.EncryptionKey;
-import org.apache.kerberos.kerb.spec.common.KeyUsage;
-import org.apache.kerberos.kerb.spec.pa.PaDataEntry;
-import org.apache.kerberos.kerb.spec.pa.PaEncTsEnc;
-
-public class EncTsPreauth extends AbstractPreauthPlugin {
-
- public EncTsPreauth() {
- super(new EncTsPreauthMeta());
- }
-
- @Override
- public boolean verify(KdcRequest kdcRequest, PluginRequestContext requestContext,
- PaDataEntry paData) throws KrbException {
- EncryptedData encData = KrbCodec.decode(paData.getPaDataValue(), EncryptedData.class);
- EncryptionKey clientKey = kdcRequest.getClientKey(encData.getEType());
- PaEncTsEnc timestamp = EncryptionUtil.unseal(encData, clientKey,
- KeyUsage.AS_REQ_PA_ENC_TS, PaEncTsEnc.class);
-
- KdcContext kdcContext = kdcRequest.getKdcContext();
- long clockSkew = kdcContext.getConfig().getAllowableClockSkew() * 1000;
- if (!timestamp.getAllTime().isInClockSkew(clockSkew)) {
- throw new KrbException(KrbErrorCode.KDC_ERR_PREAUTH_FAILED);
- }
-
- return true;
- }
-
-}
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/preauth/builtin/TgtPreauth.java
----------------------------------------------------------------------
diff --git a/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/preauth/builtin/TgtPreauth.java b/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/preauth/builtin/TgtPreauth.java
deleted file mode 100644
index 0cdc582..0000000
--- a/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/preauth/builtin/TgtPreauth.java
+++ /dev/null
@@ -1,45 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.kerberos.kerb.server.preauth.builtin;
-
-import org.apache.kerberos.kerb.preauth.PluginRequestContext;
-import org.apache.kerberos.kerb.preauth.builtin.TgtPreauthMeta;
-import org.apache.kerberos.kerb.server.preauth.AbstractPreauthPlugin;
-import org.apache.kerberos.kerb.server.request.KdcRequest;
-import org.apache.kerberos.kerb.server.request.TgsRequest;
-import org.apache.kerberos.kerb.KrbException;
-import org.apache.kerberos.kerb.spec.pa.PaDataEntry;
-
-public class TgtPreauth extends AbstractPreauthPlugin {
-
- public TgtPreauth() {
- super(new TgtPreauthMeta());
- }
-
- @Override
- public boolean verify(KdcRequest kdcRequest, PluginRequestContext requestContext,
- PaDataEntry paData) throws KrbException {
-
- TgsRequest tgsRequest = (TgsRequest) kdcRequest;
- tgsRequest.verifyAuthenticator(paData);
- return true;
- }
-
-}
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/preauth/pkinit/PkinitKdcContext.java
----------------------------------------------------------------------
diff --git a/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/preauth/pkinit/PkinitKdcContext.java b/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/preauth/pkinit/PkinitKdcContext.java
deleted file mode 100644
index 19e8561..0000000
--- a/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/preauth/pkinit/PkinitKdcContext.java
+++ /dev/null
@@ -1,30 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.kerberos.kerb.server.preauth.pkinit;
-
-import org.apache.kerberos.kerb.preauth.pkinit.IdentityOpts;
-import org.apache.kerberos.kerb.preauth.pkinit.PluginOpts;
-
-public class PkinitKdcContext {
-
- public PluginOpts pluginOpts;
- public IdentityOpts identityOpts;
- public String realm;
-}
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/preauth/pkinit/PkinitPreauth.java
----------------------------------------------------------------------
diff --git a/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/preauth/pkinit/PkinitPreauth.java b/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/preauth/pkinit/PkinitPreauth.java
deleted file mode 100644
index 7d621e7..0000000
--- a/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/preauth/pkinit/PkinitPreauth.java
+++ /dev/null
@@ -1,93 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.kerberos.kerb.server.preauth.pkinit;
-
-import org.apache.kerberos.kerb.codec.KrbCodec;
-import org.apache.kerberos.kerb.preauth.PluginRequestContext;
-import org.apache.kerberos.kerb.preauth.pkinit.PkinitPreauthMeta;
-import org.apache.kerberos.kerb.server.KdcContext;
-import org.apache.kerberos.kerb.server.preauth.AbstractPreauthPlugin;
-import org.apache.kerberos.kerb.server.request.KdcRequest;
-import org.apache.kerberos.kerb.KrbException;
-import org.apache.kerberos.kerb.spec.common.PrincipalName;
-import org.apache.kerberos.kerb.spec.pa.PaDataEntry;
-import org.apache.kerberos.kerb.spec.pa.PaDataType;
-import org.apache.kerberos.kerb.spec.pa.pkinit.PaPkAsReq;
-
-import java.util.HashMap;
-import java.util.Map;
-
-public class PkinitPreauth extends AbstractPreauthPlugin {
-
- private Map<String, PkinitKdcContext> pkinitContexts;
-
- public PkinitPreauth() {
- super(new PkinitPreauthMeta());
-
- pkinitContexts = new HashMap<String, PkinitKdcContext>(1);
- }
-
- @Override
- public void initWith(KdcContext kdcContext) {
- super.initWith(kdcContext);
-
- PkinitKdcContext tmp = new PkinitKdcContext();
- tmp.realm = kdcContext.getKdcRealm();
- pkinitContexts.put(kdcContext.getKdcRealm(), tmp);
- }
-
- @Override
- public PluginRequestContext initRequestContext(KdcRequest kdcRequest) {
- PkinitRequestContext reqCtx = new PkinitRequestContext();
-
- //reqCtx.updateRequestOpts(pkinitContext.pluginOpts);
-
- return reqCtx;
- }
-
- @Override
- public boolean verify(KdcRequest kdcRequest, PluginRequestContext requestContext,
- PaDataEntry paData) throws KrbException {
-
- PkinitRequestContext reqCtx = (PkinitRequestContext) requestContext;
- PkinitKdcContext pkinitContext = findContext(kdcRequest.getServerPrincipal());
- if (pkinitContext == null) {
- return false;
- }
-
- reqCtx.paType = paData.getPaDataType();
- if (paData.getPaDataType() == PaDataType.PK_AS_REQ) {
- PaPkAsReq paPkAsReq = KrbCodec.decode(paData.getPaDataValue(), PaPkAsReq.class);
- if (paPkAsReq == null) {
- return false;
- }
- }
-
- return true;
- }
-
- private PkinitKdcContext findContext(PrincipalName principal) {
- String realm = principal.getRealm();
- if (pkinitContexts.containsKey(realm)) {
- return pkinitContexts.get(realm);
- }
- return null;
- }
-}
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/preauth/pkinit/PkinitRequestContext.java
----------------------------------------------------------------------
diff --git a/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/preauth/pkinit/PkinitRequestContext.java b/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/preauth/pkinit/PkinitRequestContext.java
deleted file mode 100644
index e207fe4..0000000
--- a/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/preauth/pkinit/PkinitRequestContext.java
+++ /dev/null
@@ -1,30 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.kerberos.kerb.server.preauth.pkinit;
-
-import org.apache.kerberos.kerb.preauth.PluginRequestContext;
-import org.apache.kerberos.kerb.spec.pa.PaDataType;
-import org.apache.kerberos.kerb.spec.pa.pkinit.AuthPack;
-
-public class PkinitRequestContext implements PluginRequestContext {
-
- public AuthPack authPack;
- public PaDataType paType;
-}
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/preauth/token/TokenRequestContext.java
----------------------------------------------------------------------
diff --git a/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/preauth/token/TokenRequestContext.java b/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/preauth/token/TokenRequestContext.java
deleted file mode 100644
index fa88900..0000000
--- a/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/preauth/token/TokenRequestContext.java
+++ /dev/null
@@ -1,32 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.kerberos.kerb.server.preauth.token;
-
-import org.apache.kerberos.kerb.preauth.PluginRequestContext;
-import org.apache.kerberos.kerb.spec.pa.PaDataType;
-
-public class TokenRequestContext implements PluginRequestContext {
-
- public boolean doIdentityMatching;
- public PaDataType paType;
- public boolean identityInitialized;
- public boolean identityPrompted;
-
-}
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/replay/CacheService.java
----------------------------------------------------------------------
diff --git a/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/replay/CacheService.java b/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/replay/CacheService.java
deleted file mode 100644
index 78fb168..0000000
--- a/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/replay/CacheService.java
+++ /dev/null
@@ -1,26 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.kerberos.kerb.server.replay;
-
-public interface CacheService
-{
- boolean checkAndCache(RequestRecord request);
- void clear();
-}
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/replay/ReplayCheckService.java
----------------------------------------------------------------------
diff --git a/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/replay/ReplayCheckService.java b/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/replay/ReplayCheckService.java
deleted file mode 100644
index c1232ce..0000000
--- a/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/replay/ReplayCheckService.java
+++ /dev/null
@@ -1,25 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.kerberos.kerb.server.replay;
-
-public interface ReplayCheckService
-{
- boolean checkReplay(String clientPrincipal, String serverPrincipal, long requestTime, int microseconds);
-}
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/replay/ReplayCheckServiceImpl.java
----------------------------------------------------------------------
diff --git a/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/replay/ReplayCheckServiceImpl.java b/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/replay/ReplayCheckServiceImpl.java
deleted file mode 100644
index 43f1444..0000000
--- a/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/replay/ReplayCheckServiceImpl.java
+++ /dev/null
@@ -1,40 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.kerberos.kerb.server.replay;
-
-public class ReplayCheckServiceImpl implements ReplayCheckService
-{
- private CacheService cacheService;
-
- public ReplayCheckServiceImpl(CacheService cacheService) {
- this.cacheService = cacheService;
- }
-
- public ReplayCheckServiceImpl() {
- this(new SimpleCacheService());
- }
-
- @Override
- public boolean checkReplay(String clientPrincipal, String serverPrincipal,
- long requestTime, int microseconds) {
- RequestRecord record = new RequestRecord(clientPrincipal, serverPrincipal, requestTime, microseconds);
- return cacheService.checkAndCache(record);
- }
-}
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/replay/RequestRecord.java
----------------------------------------------------------------------
diff --git a/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/replay/RequestRecord.java b/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/replay/RequestRecord.java
deleted file mode 100644
index 4f1dd84..0000000
--- a/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/replay/RequestRecord.java
+++ /dev/null
@@ -1,58 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.kerberos.kerb.server.replay;
-
-public class RequestRecord {
- private String clientPrincipal;
- private String serverPrincipal;
- private long requestTime;
- private int microseconds;
-
- public RequestRecord(String clientPrincipal, String serverPrincipal, long requestTime, int microseconds) {
- this.clientPrincipal = clientPrincipal;
- this.serverPrincipal = serverPrincipal;
- this.requestTime = requestTime;
- this.microseconds = microseconds;
- }
-
- @Override
- public boolean equals(Object o) {
- if (this == o) return true;
- if (o == null || getClass() != o.getClass()) return false;
-
- RequestRecord that = (RequestRecord) o;
-
- if (microseconds != that.microseconds) return false;
- if (requestTime != that.requestTime) return false;
- if (!clientPrincipal.equals(that.clientPrincipal)) return false;
- if (!serverPrincipal.equals(that.serverPrincipal)) return false;
-
- return true;
- }
-
- @Override
- public int hashCode() {
- int result = clientPrincipal.hashCode();
- result = 31 * result + serverPrincipal.hashCode();
- result = 31 * result + (int) (requestTime ^ (requestTime >>> 32));
- result = 31 * result + microseconds;
- return result;
- }
-}
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/replay/SimpleCacheService.java
----------------------------------------------------------------------
diff --git a/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/replay/SimpleCacheService.java b/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/replay/SimpleCacheService.java
deleted file mode 100644
index f471f43..0000000
--- a/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/replay/SimpleCacheService.java
+++ /dev/null
@@ -1,46 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.kerberos.kerb.server.replay;
-
-import java.util.HashSet;
-import java.util.Set;
-
-public class SimpleCacheService implements CacheService {
- private Set<RequestRecord> requests;
-
- public SimpleCacheService() {
- requests = new HashSet<RequestRecord>();
- }
-
- @Override
- public boolean checkAndCache(RequestRecord request) {
- if (requests.contains(request)) {
- return true;
- } else {
- requests.add(request);
- }
- return false;
- }
-
- @Override
- public void clear() {
- requests.clear();
- }
-}
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/request/AsRequest.java
----------------------------------------------------------------------
diff --git a/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/request/AsRequest.java b/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/request/AsRequest.java
deleted file mode 100644
index f6d0026..0000000
--- a/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/request/AsRequest.java
+++ /dev/null
@@ -1,91 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.kerberos.kerb.server.request;
-
-import org.apache.kerberos.kerb.KrbException;
-import org.apache.kerberos.kerb.common.EncryptionUtil;
-import org.apache.kerberos.kerb.server.KdcContext;
-import org.apache.kerberos.kerb.spec.KerberosTime;
-import org.apache.kerberos.kerb.spec.common.*;
-import org.apache.kerberos.kerb.spec.kdc.*;
-import org.apache.kerberos.kerb.spec.ticket.Ticket;
-import org.apache.kerberos.kerb.spec.ticket.TicketFlag;
-
-public class AsRequest extends KdcRequest {
-
- public AsRequest(AsReq asReq, KdcContext kdcContext) {
- super(asReq, kdcContext);
- }
-
- @Override
- protected void makeReply() throws KrbException {
- Ticket ticket = getTicket();
-
- AsRep reply = new AsRep();
-
- reply.setCname(getClientEntry().getPrincipal());
- reply.setCrealm(kdcContext.getServerRealm());
- reply.setTicket(ticket);
-
- EncKdcRepPart encKdcRepPart = makeEncKdcRepPart();
- reply.setEncPart(encKdcRepPart);
-
- EncryptionKey clientKey = getClientKey();
- EncryptedData encryptedData = EncryptionUtil.seal(encKdcRepPart,
- clientKey, KeyUsage.AS_REP_ENCPART);
- reply.setEncryptedEncPart(encryptedData);
-
- setReply(reply);
- }
-
- protected EncKdcRepPart makeEncKdcRepPart() {
- KdcReq request = getKdcReq();
- Ticket ticket = getTicket();
-
- EncKdcRepPart encKdcRepPart = new EncAsRepPart();
-
- //session key
- encKdcRepPart.setKey(ticket.getEncPart().getKey());
-
- LastReq lastReq = new LastReq();
- LastReqEntry entry = new LastReqEntry();
- entry.setLrType(LastReqType.THE_LAST_INITIAL);
- entry.setLrValue(new KerberosTime());
- lastReq.add(entry);
- encKdcRepPart.setLastReq(lastReq);
-
- encKdcRepPart.setNonce(request.getReqBody().getNonce());
-
- encKdcRepPart.setFlags(ticket.getEncPart().getFlags());
- encKdcRepPart.setAuthTime(ticket.getEncPart().getAuthTime());
- encKdcRepPart.setStartTime(ticket.getEncPart().getStartTime());
- encKdcRepPart.setEndTime(ticket.getEncPart().getEndTime());
-
- if (ticket.getEncPart().getFlags().isFlagSet(TicketFlag.RENEWABLE)) {
- encKdcRepPart.setRenewTill(ticket.getEncPart().getRenewtill());
- }
-
- encKdcRepPart.setSname(ticket.getSname());
- encKdcRepPart.setSrealm(ticket.getRealm());
- encKdcRepPart.setCaddr(ticket.getEncPart().getClientAddresses());
-
- return encKdcRepPart;
- }
-}
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/request/KdcRequest.java
----------------------------------------------------------------------
diff --git a/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/request/KdcRequest.java b/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/request/KdcRequest.java
deleted file mode 100644
index 41dcc10..0000000
--- a/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/request/KdcRequest.java
+++ /dev/null
@@ -1,521 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.kerberos.kerb.server.request;
-
-import org.apache.kerberos.kerb.KrbErrorCode;
-import org.apache.kerberos.kerb.codec.KrbCodec;
-import org.apache.kerberos.kerb.common.EncryptionUtil;
-import org.apache.kerberos.kerb.crypto.EncryptionHandler;
-import org.apache.kerberos.kerb.identity.KrbIdentity;
-import org.apache.kerberos.kerb.server.KdcConfig;
-import org.apache.kerberos.kerb.server.KdcContext;
-import org.apache.kerberos.kerb.server.preauth.FastContext;
-import org.apache.kerberos.kerb.server.preauth.PreauthContext;
-import org.apache.kerberos.kerb.server.preauth.PreauthHandler;
-import org.apache.kerberos.kerb.KrbConstant;
-import org.apache.kerberos.kerb.KrbErrorException;
-import org.apache.kerberos.kerb.KrbException;
-import org.apache.kerberos.kerb.spec.KerberosTime;
-import org.apache.kerberos.kerb.spec.common.*;
-import org.apache.kerberos.kerb.spec.kdc.KdcOption;
-import org.apache.kerberos.kerb.spec.kdc.KdcOptions;
-import org.apache.kerberos.kerb.spec.kdc.KdcRep;
-import org.apache.kerberos.kerb.spec.kdc.KdcReq;
-import org.apache.kerberos.kerb.spec.pa.PaData;
-import org.apache.kerberos.kerb.spec.pa.PaDataEntry;
-import org.apache.kerberos.kerb.spec.pa.PaDataType;
-import org.apache.kerberos.kerb.spec.ticket.EncTicketPart;
-import org.apache.kerberos.kerb.spec.ticket.Ticket;
-import org.apache.kerberos.kerb.spec.ticket.TicketFlag;
-import org.apache.kerberos.kerb.spec.ticket.TicketFlags;
-
-import java.net.InetAddress;
-import java.nio.ByteBuffer;
-import java.util.Date;
-import java.util.List;
-
-public abstract class KdcRequest {
-
- protected KdcContext kdcContext;
-
- private Ticket ticket;
- private boolean isPreAuthenticated;
- private KdcReq kdcReq;
- private KdcRep reply;
- private InetAddress clientAddress;
- private boolean isTcp;
- private EncryptionType encryptionType;
- private EncryptionKey clientKey;
- private KrbIdentity clientEntry;
- private KrbIdentity serverEntry;
- private EncryptionKey serverKey;
- private KrbIdentity tgsEntry;
- private PreauthContext preauthContext;
- private FastContext fastContext;
- private PrincipalName serverPrincipal;
-
- public KdcRequest(KdcReq kdcReq, KdcContext kdcContext) {
- this.kdcReq = kdcReq;
- this.kdcContext = kdcContext;
- this.preauthContext = kdcContext.getPreauthHandler()
- .preparePreauthContext(this);
- this.fastContext = new FastContext();
- }
-
- public KdcContext getKdcContext() {
- return kdcContext;
- }
-
- public PreauthContext getPreauthContext() {
- return preauthContext;
- }
-
- public void process() throws KrbException {
- checkVersion();
- checkClient();
- checkServer();
- preauth();
- authenticate();
- issueTicket();
- makeReply();
- }
-
- public KdcReq getKdcReq() {
- return kdcReq;
- }
-
- public KrbIdentity getTgsEntry() {
- return tgsEntry;
- }
-
- public void setTgsEntry(KrbIdentity tgsEntry) {
- this.tgsEntry = tgsEntry;
- }
-
- public boolean isTcp() {
- return isTcp;
- }
-
- public void isTcp(boolean isTcp) {
- this.isTcp = isTcp;
- }
-
- public KrbMessage getReply() {
- return reply;
- }
-
- public void setReply(KdcRep reply) {
- this.reply = reply;
- }
-
- public InetAddress getClientAddress() {
- return clientAddress;
- }
-
- public void setClientAddress(InetAddress clientAddress) {
- this.clientAddress = clientAddress;
- }
-
- public EncryptionType getEncryptionType() {
- return encryptionType;
- }
-
- public void setEncryptionType(EncryptionType encryptionType) {
- this.encryptionType = encryptionType;
- }
-
- public Ticket getTicket() {
- return ticket;
- }
-
- public void setTicket(Ticket ticket) {
- this.ticket = ticket;
- }
-
- public boolean isPreAuthenticated() {
- return isPreAuthenticated;
- }
-
- public void setPreAuthenticated(boolean isPreAuthenticated) {
- this.isPreAuthenticated = isPreAuthenticated;
- }
-
- public KrbIdentity getServerEntry() {
- return serverEntry;
- }
-
- public void setServerEntry(KrbIdentity serverEntry) {
- this.serverEntry = serverEntry;
- }
-
- public KrbIdentity getClientEntry() {
- return clientEntry;
- }
-
- public void setClientEntry(KrbIdentity clientEntry) {
- this.clientEntry = clientEntry;
- }
-
- public EncryptionKey getClientKey(EncryptionType encType) throws KrbException {
- return getClientEntry().getKey(encType);
- }
-
- public EncryptionKey getClientKey() {
- return clientKey;
- }
-
- public void setClientKey(EncryptionKey clientKey) {
- this.clientKey = clientKey;
- }
-
- public EncryptionKey getServerKey() {
- return serverKey;
- }
-
- public void setServerKey(EncryptionKey serverKey) {
- this.serverKey = serverKey;
- }
-
- public PrincipalName getTgsPrincipal() {
- PrincipalName result = new PrincipalName(kdcContext.getConfig().getTgsPrincipal());
- result.setRealm(kdcContext.getKdcRealm());
- return result;
- }
-
- protected abstract void makeReply() throws KrbException;
-
- protected void checkVersion() throws KrbException {
- KdcReq request = getKdcReq();
-
- int kerberosVersion = request.getPvno();
- if (kerberosVersion != KrbConstant.KRB_V5) {
- throw new KrbException(KrbErrorCode.KDC_ERR_BAD_PVNO);
- }
- }
-
- protected void checkPolicy() throws KrbException {
- KrbIdentity entry = getClientEntry();
-
- if (entry.isDisabled()) {
- throw new KrbException(KrbErrorCode.KDC_ERR_CLIENT_REVOKED);
- }
-
- if (entry.isLocked()) {
- throw new KrbException(KrbErrorCode.KDC_ERR_CLIENT_REVOKED);
- }
-
- if (entry.getExpireTime().lessThan(new Date().getTime())) {
- throw new KrbException(KrbErrorCode.KDC_ERR_CLIENT_REVOKED);
- }
- }
-
- protected void checkClient() throws KrbException {
- KdcReq request = getKdcReq();
-
- PrincipalName clientPrincipal = request.getReqBody().getCname();
- String clientRealm = request.getReqBody().getRealm();
- if (clientRealm == null || clientRealm.isEmpty()) {
- clientRealm = kdcContext.getServerRealm();
- }
- clientPrincipal.setRealm(clientRealm);
-
- KrbIdentity clientEntry = getEntry(clientPrincipal.getName());
- setClientEntry(clientEntry);
-
- EncryptionType encType = request.getReqBody().getEtypes().listIterator().next();
- EncryptionKey clientKey = clientEntry.getKeys().get(encType);
- setClientKey(clientKey);
- }
-
- protected void preauth() throws KrbException {
- KdcReq request = getKdcReq();
-
- PaData preAuthData = request.getPaData();
-
- if (preauthContext.isPreauthRequired()) {
- if (preAuthData == null || preAuthData.isEmpty()) {
- KrbError krbError = makePreAuthenticationError(kdcContext);
- throw new KrbErrorException(krbError);
- } else {
- getPreauthHandler().verify(this, preAuthData);
- }
- }
-
- setPreAuthenticated(true);
- }
-
- protected void setPreauthRequired(boolean preauthRequired) {
- preauthContext.setPreauthRequired(preauthRequired);
- }
-
- protected boolean isPreauthRequired() {
- return preauthContext.isPreauthRequired();
- }
-
- protected PreauthHandler getPreauthHandler() {
- return kdcContext.getPreauthHandler();
- }
-
- protected void checkEncryptionType() throws KrbException {
- List<EncryptionType> requestedTypes = getKdcReq().getReqBody().getEtypes();
-
- EncryptionType bestType = EncryptionUtil.getBestEncryptionType(requestedTypes,
- kdcContext.getConfig().getEncryptionTypes());
-
- if (bestType == null) {
- throw new KrbException(KrbErrorCode.KDC_ERR_ETYPE_NOSUPP);
- }
-
- setEncryptionType(bestType);
- }
-
- protected void authenticate() throws KrbException {
- checkEncryptionType();
- checkPolicy();
- }
-
- protected void issueTicket() throws KrbException {
- KdcReq request = getKdcReq();
-
- EncryptionType encryptionType = getEncryptionType();
- EncryptionKey serverKey = getServerEntry().getKeys().get(encryptionType);
-
- PrincipalName ticketPrincipal = request.getReqBody().getSname();
-
- EncTicketPart encTicketPart = new EncTicketPart();
- KdcConfig config = kdcContext.getConfig();
-
- TicketFlags ticketFlags = new TicketFlags();
- encTicketPart.setFlags(ticketFlags);
- ticketFlags.setFlag(TicketFlag.INITIAL);
-
- if (isPreAuthenticated()) {
- ticketFlags.setFlag(TicketFlag.PRE_AUTH);
- }
-
- if (request.getReqBody().getKdcOptions().isFlagSet(KdcOption.FORWARDABLE)) {
- if (!config.isForwardableAllowed()) {
- throw new KrbException(KrbErrorCode.KDC_ERR_POLICY);
- }
-
- ticketFlags.setFlag(TicketFlag.FORWARDABLE);
- }
-
- if (request.getReqBody().getKdcOptions().isFlagSet(KdcOption.PROXIABLE)) {
- if (!config.isProxiableAllowed()) {
- throw new KrbException(KrbErrorCode.KDC_ERR_POLICY);
- }
-
- ticketFlags.setFlag(TicketFlag.PROXIABLE);
- }
-
- if (request.getReqBody().getKdcOptions().isFlagSet(KdcOption.ALLOW_POSTDATE)) {
- if (!config.isPostdatedAllowed()) {
- throw new KrbException(KrbErrorCode.KDC_ERR_POLICY);
- }
-
- ticketFlags.setFlag(TicketFlag.MAY_POSTDATE);
- }
-
- KdcOptions kdcOptions = request.getReqBody().getKdcOptions();
-
- EncryptionKey sessionKey = EncryptionHandler.random2Key(getEncryptionType());
- encTicketPart.setKey(sessionKey);
-
- encTicketPart.setCname(request.getReqBody().getCname());
- encTicketPart.setCrealm(request.getReqBody().getRealm());
-
- TransitedEncoding transEnc = new TransitedEncoding();
- encTicketPart.setTransited(transEnc);
- String serverRealm = request.getReqBody().getRealm();
-
- KerberosTime now = KerberosTime.now();
- encTicketPart.setAuthTime(now);
-
- KerberosTime krbStartTime = request.getReqBody().getFrom();
- if (krbStartTime == null || krbStartTime.lessThan(now) ||
- krbStartTime.isInClockSkew(config.getAllowableClockSkew())) {
- krbStartTime = now;
- }
- if (krbStartTime.greaterThan(now)
- && !krbStartTime.isInClockSkew(config.getAllowableClockSkew())
- && !kdcOptions.isFlagSet(KdcOption.POSTDATED)) {
- throw new KrbException(KrbErrorCode.KDC_ERR_CANNOT_POSTDATE);
- }
-
- if (kdcOptions.isFlagSet(KdcOption.POSTDATED)) {
- if (!config.isPostdatedAllowed()) {
- throw new KrbException(KrbErrorCode.KDC_ERR_POLICY);
- }
-
- ticketFlags.setFlag(TicketFlag.POSTDATED);
- encTicketPart.setStartTime(krbStartTime);
- }
-
- KerberosTime krbEndTime = request.getReqBody().getTill();
- if (krbEndTime == null) {
- krbEndTime = krbStartTime.extend(config.getMaximumTicketLifetime() * 1000);
- } else if (krbStartTime.greaterThan(krbEndTime)) {
- throw new KrbException(KrbErrorCode.KDC_ERR_NEVER_VALID);
- }
- encTicketPart.setEndTime(krbEndTime);
-
- long ticketLifeTime = Math.abs(krbEndTime.diff(krbStartTime));
- if (ticketLifeTime < config.getMinimumTicketLifetime()) {
- throw new KrbException(KrbErrorCode.KDC_ERR_NEVER_VALID);
- }
-
- KerberosTime krbRtime = request.getReqBody().getRtime();
- if (kdcOptions.isFlagSet(KdcOption.RENEWABLE_OK)) {
- kdcOptions.setFlag(KdcOption.RENEWABLE);
- }
- if (kdcOptions.isFlagSet(KdcOption.RENEWABLE)) {
- if (!config.isRenewableAllowed()) {
- throw new KrbException(KrbErrorCode.KDC_ERR_POLICY);
- }
-
- ticketFlags.setFlag(TicketFlag.RENEWABLE);
-
- if (krbRtime == null) {
- krbRtime = KerberosTime.NEVER;
- }
- KerberosTime allowedMaximumRenewableTime = krbStartTime;
- allowedMaximumRenewableTime.extend(config.getMaximumRenewableLifetime() * 1000);
- if (krbRtime.greaterThan(allowedMaximumRenewableTime)) {
- krbRtime = allowedMaximumRenewableTime;
- }
- encTicketPart.setRenewtill(krbRtime);
- }
-
- HostAddresses hostAddresses = request.getReqBody().getAddresses();
- if (hostAddresses == null || hostAddresses.isEmpty()) {
- if (!config.isEmptyAddressesAllowed()) {
- throw new KrbException(KrbErrorCode.KDC_ERR_POLICY);
- }
- } else {
- encTicketPart.setClientAddresses(hostAddresses);
- }
-
- EncryptedData encryptedData = EncryptionUtil.seal(encTicketPart,
- serverKey, KeyUsage.KDC_REP_TICKET);
-
- Ticket newTicket = new Ticket();
- newTicket.setSname(ticketPrincipal);
- newTicket.setEncryptedEncPart(encryptedData);
- newTicket.setRealm(serverRealm);
- newTicket.setEncPart(encTicketPart);
-
- setTicket(newTicket);
- }
-
- private void checkServer() throws KrbException {
- KdcReq request = getKdcReq();
-
- KrbIdentity tgsEntry = getEntry(getTgsPrincipal().getName());
- setTgsEntry(tgsEntry);
-
- PrincipalName principal = request.getReqBody().getSname();
- String serverRealm = request.getReqBody().getRealm();
- if (serverRealm == null || serverRealm.isEmpty()) {
- serverRealm = kdcContext.getServerRealm();
- }
- principal.setRealm(serverRealm);
-
- KrbIdentity serverEntry = getEntry(principal.getName());
- setServerEntry(serverEntry);
-
- EncryptionType encType = request.getReqBody().getEtypes().listIterator().next();
- EncryptionKey serverKey = serverEntry.getKeys().get(encType);
- setServerKey(serverKey);
- }
-
- protected KrbError makePreAuthenticationError(KdcContext kdcContext) throws KrbException {
- EncryptionType requestedType = getEncryptionType();
- List<EncryptionType> encryptionTypes = kdcContext.getConfig().getEncryptionTypes();
- boolean isNewEtype = true;
-
- EtypeInfo2 eTypeInfo2 = new EtypeInfo2();
-
- EtypeInfo eTypeInfo = new EtypeInfo();
-
- for (EncryptionType encryptionType : encryptionTypes) {
- if (!isNewEtype) {
- EtypeInfoEntry etypeInfoEntry = new EtypeInfoEntry();
- etypeInfoEntry.setEtype(encryptionType);
- etypeInfoEntry.setSalt(null);
- eTypeInfo.add(etypeInfoEntry);
- }
-
- EtypeInfo2Entry etypeInfo2Entry = new EtypeInfo2Entry();
- etypeInfo2Entry.setEtype(encryptionType);
- eTypeInfo2.add(etypeInfo2Entry);
- }
-
- byte[] encTypeInfo = null;
- byte[] encTypeInfo2 = null;
- if (!isNewEtype) {
- encTypeInfo = KrbCodec.encode(eTypeInfo);
- }
- encTypeInfo2 = KrbCodec.encode(eTypeInfo2);
-
- MethodData methodData = new MethodData();
- methodData.add(new PaDataEntry(PaDataType.ENC_TIMESTAMP, null));
- if (!isNewEtype) {
- methodData.add(new PaDataEntry(PaDataType.ETYPE_INFO, encTypeInfo));
- }
- methodData.add(new PaDataEntry(PaDataType.ETYPE_INFO2, encTypeInfo2));
-
- KrbError krbError = new KrbError();
- krbError.setErrorCode(KrbErrorCode.KDC_ERR_PREAUTH_REQUIRED);
- byte[] encodedData = KrbCodec.encode(methodData);
- krbError.setEdata(encodedData);
-
- return krbError;
- }
-
- protected KrbIdentity getEntry(String principal) throws KrbException {
- KrbIdentity entry = null;
- KrbErrorCode krbErrorCode = KrbErrorCode.KDC_ERR_C_PRINCIPAL_UNKNOWN;
-
- try {
- entry = kdcContext.getIdentityService().getIdentity(principal);
- } catch (Exception e) {
- throw new KrbException(krbErrorCode, e);
- }
-
- if (entry == null) {
- throw new KrbException(krbErrorCode);
- }
-
- return entry;
- }
-
- public ByteBuffer getRequestBody() throws KrbException {
- return null;
- }
-
- public EncryptionKey getArmorKey() throws KrbException {
- return fastContext.armorKey;
- }
-
- public PrincipalName getServerPrincipal() {
- return serverPrincipal;
- }
-}
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/request/TgsRequest.java
----------------------------------------------------------------------
diff --git a/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/request/TgsRequest.java b/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/request/TgsRequest.java
deleted file mode 100644
index 289e2e4..0000000
--- a/haox-kerb/kerb-server/src/main/java/org/apache/kerberos/kerb/server/request/TgsRequest.java
+++ /dev/null
@@ -1,196 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.kerberos.kerb.server.request;
-
-import org.apache.kerberos.kerb.KrbErrorCode;
-import org.apache.kerberos.kerb.codec.KrbCodec;
-import org.apache.kerberos.kerb.common.EncryptionUtil;
-import org.apache.kerberos.kerb.server.KdcContext;
-import org.apache.kerberos.kerb.KrbConstant;
-import org.apache.kerberos.kerb.KrbException;
-import org.apache.kerberos.kerb.spec.KerberosTime;
-import org.apache.kerberos.kerb.spec.ap.ApOption;
-import org.apache.kerberos.kerb.spec.ap.ApReq;
-import org.apache.kerberos.kerb.spec.ap.Authenticator;
-import org.apache.kerberos.kerb.spec.common.*;
-import org.apache.kerberos.kerb.spec.kdc.*;
-import org.apache.kerberos.kerb.spec.pa.PaDataEntry;
-import org.apache.kerberos.kerb.spec.ticket.EncTicketPart;
-import org.apache.kerberos.kerb.spec.ticket.Ticket;
-import org.apache.kerberos.kerb.spec.ticket.TicketFlag;
-
-import java.nio.ByteBuffer;
-
-public class TgsRequest extends KdcRequest {
-
- private EncryptionKey tgtSessionKey;
-
- public TgsRequest(TgsReq tgsReq, KdcContext kdcContext) {
- super(tgsReq, kdcContext);
-
- setPreauthRequired(true);
- }
-
- public EncryptionKey getTgtSessionKey() {
- return tgtSessionKey;
- }
-
- public void setTgtSessionKey(EncryptionKey tgtSessionKey) {
- this.tgtSessionKey = tgtSessionKey;
- }
-
- public void verifyAuthenticator(PaDataEntry paDataEntry) throws KrbException {
- ApReq apReq = KrbCodec.decode(paDataEntry.getPaDataValue(), ApReq.class);
-
- if (apReq.getPvno() != KrbConstant.KRB_V5) {
- throw new KrbException(KrbErrorCode.KRB_AP_ERR_BADVERSION);
- }
-
- if (apReq.getMsgType() != KrbMessageType.AP_REQ) {
- throw new KrbException(KrbErrorCode.KRB_AP_ERR_MSG_TYPE);
- }
-
- EncryptionType encType = getKdcReq().getReqBody().getEtypes().listIterator().next();
- EncryptionKey tgsKey = getTgsEntry().getKeys().get(encType);
-
- Ticket ticket = apReq.getTicket();
- if (ticket.getTktvno() != KrbConstant.KRB_V5) {
- throw new KrbException(KrbErrorCode.KRB_AP_ERR_BADVERSION);
- }
-
- EncTicketPart encPart = EncryptionUtil.unseal(ticket.getEncryptedEncPart(),
- tgsKey, KeyUsage.KDC_REP_TICKET, EncTicketPart.class);
- ticket.setEncPart(encPart);
-
- EncryptionKey encKey = null;
- //if (apReq.getApOptions().isFlagSet(ApOptions.USE_SESSION_KEY)) {
- encKey = ticket.getEncPart().getKey();
-
- if (encKey == null) {
- throw new KrbException(KrbErrorCode.KRB_AP_ERR_NOKEY);
- }
- Authenticator authenticator = EncryptionUtil.unseal(apReq.getEncryptedAuthenticator(),
- encKey, KeyUsage.TGS_REQ_AUTH, Authenticator.class);
-
- if (!authenticator.getCname().equals(ticket.getEncPart().getCname())) {
- throw new KrbException(KrbErrorCode.KRB_AP_ERR_BADMATCH);
- }
-
- HostAddresses hostAddresses = ticket.getEncPart().getClientAddresses();
- if (hostAddresses == null || hostAddresses.isEmpty()) {
- if (!kdcContext.getConfig().isEmptyAddressesAllowed()) {
- throw new KrbException(KrbErrorCode.KRB_AP_ERR_BADADDR);
- }
- } else if (!hostAddresses.contains(getClientAddress())) {
- throw new KrbException(KrbErrorCode.KRB_AP_ERR_BADADDR);
- }
-
- PrincipalName serverPrincipal = ticket.getSname();
- serverPrincipal.setRealm(ticket.getRealm());
- PrincipalName clientPrincipal = authenticator.getCname();
- clientPrincipal.setRealm(authenticator.getCrealm());
-
- if (!authenticator.getCtime().isInClockSkew(
- kdcContext.getConfig().getAllowableClockSkew() * 1000)) {
- throw new KrbException(KrbErrorCode.KRB_AP_ERR_SKEW);
- }
-
- KerberosTime now = KerberosTime.now();
- KerberosTime startTime = ticket.getEncPart().getStartTime();
- if (startTime == null) {
- startTime = ticket.getEncPart().getAuthTime();
- }
- if (! startTime.lessThan(now)) {
- throw new KrbException(KrbErrorCode.KRB_AP_ERR_TKT_NYV);
- }
-
- KerberosTime endTime = ticket.getEncPart().getEndTime();
- if (! endTime.greaterThan(now)) {
- throw new KrbException(KrbErrorCode.KRB_AP_ERR_TKT_EXPIRED);
- }
-
- apReq.getApOptions().setFlag(ApOption.MUTUAL_REQUIRED);
-
- setTgtSessionKey(ticket.getEncPart().getKey());
- }
-
- @Override
- protected void makeReply() throws KrbException {
- Ticket ticket = getTicket();
-
- TgsRep reply = new TgsRep();
-
- reply.setCname(getClientEntry().getPrincipal());
- reply.setCrealm(kdcContext.getServerRealm());
- reply.setTicket(ticket);
-
- EncKdcRepPart encKdcRepPart = makeEncKdcRepPart();
- reply.setEncPart(encKdcRepPart);
-
- EncryptionKey sessionKey = getTgtSessionKey();
- EncryptedData encryptedData = EncryptionUtil.seal(encKdcRepPart,
- sessionKey, KeyUsage.TGS_REP_ENCPART_SESSKEY);
- reply.setEncryptedEncPart(encryptedData);
-
- setReply(reply);
- }
-
- private EncKdcRepPart makeEncKdcRepPart() {
- KdcReq request = getKdcReq();
- Ticket ticket = getTicket();
-
- EncKdcRepPart encKdcRepPart = new EncTgsRepPart();
-
- //session key
- encKdcRepPart.setKey(ticket.getEncPart().getKey());
-
- LastReq lastReq = new LastReq();
- LastReqEntry entry = new LastReqEntry();
- entry.setLrType(LastReqType.THE_LAST_INITIAL);
- entry.setLrValue(new KerberosTime());
- lastReq.add(entry);
- encKdcRepPart.setLastReq(lastReq);
-
- encKdcRepPart.setNonce(request.getReqBody().getNonce());
-
- encKdcRepPart.setFlags(ticket.getEncPart().getFlags());
- encKdcRepPart.setAuthTime(ticket.getEncPart().getAuthTime());
- encKdcRepPart.setStartTime(ticket.getEncPart().getStartTime());
- encKdcRepPart.setEndTime(ticket.getEncPart().getEndTime());
-
- if (ticket.getEncPart().getFlags().isFlagSet(TicketFlag.RENEWABLE)) {
- encKdcRepPart.setRenewTill(ticket.getEncPart().getRenewtill());
- }
-
- encKdcRepPart.setSname(ticket.getSname());
- encKdcRepPart.setSrealm(ticket.getRealm());
- encKdcRepPart.setCaddr(ticket.getEncPart().getClientAddresses());
-
- return encKdcRepPart;
- }
-
- public ByteBuffer getRequestBody() throws KrbException {
- return null;
- }
-
- public EncryptionKey getArmorKey() throws KrbException {
- return null;
- }
-}
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/haox-kerb/kerb-server/src/main/resources/kdc.conf
----------------------------------------------------------------------
diff --git a/haox-kerb/kerb-server/src/main/resources/kdc.conf b/haox-kerb/kerb-server/src/main/resources/kdc.conf
deleted file mode 100644
index 8f286a1..0000000
--- a/haox-kerb/kerb-server/src/main/resources/kdc.conf
+++ /dev/null
@@ -1,51 +0,0 @@
-#
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-[logging]
- default = FILE:/var/log/krb5libs.log
- kdc = FILE:/var/log/krb5kdc.log
- admin_server = FILE:/var/log/kadmind.log
-
-[kdcdefaults]
- kdc_udp_port = 88
- kdc_tcp_port = 8014
- restrict_anonymous_to_tgt = true
- kdc_max_dgram_reply_size = 4096
-
-[realms]
-# ATHENA.MIT.EDU = {
-# kadmind_port = 749
-# max_life = 12h 0m 0s
-# max_renewable_life = 7d 0h 0m 0s
-# master_key_type = des3-hmac-sha1
-# supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4
-# database_module = openldap_ldapconf
-# }
-
-[dbdefaults]
- ldap_kerberos_container_dn = cn=krbcontainer dc=mit dc=edu
-
-[dbmodules]
-# openldap_ldapconf = {
-# db_library = kldap
-# disable_last_success = true
-# ldap_kdc_dn = cn=krbadmin dc=mit,dc=edu
-# ldap_kadmind_dn = cn=krbadmin dc=mit dc=edu
-# ldap_service_password_file = /etc/kerberos/service.keyfile
-# ldap_servers = ldaps://kerberos.mit.edu
-# ldap_conns_per_server = 5
-# }
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/haox-kerb/kerb-server/src/test/java/org/apache/kerberos/kerb/server/KdcTest.java
----------------------------------------------------------------------
diff --git a/haox-kerb/kerb-server/src/test/java/org/apache/kerberos/kerb/server/KdcTest.java b/haox-kerb/kerb-server/src/test/java/org/apache/kerberos/kerb/server/KdcTest.java
deleted file mode 100644
index ebab9df..0000000
--- a/haox-kerb/kerb-server/src/test/java/org/apache/kerberos/kerb/server/KdcTest.java
+++ /dev/null
@@ -1,70 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.kerberos.kerb.server;
-
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Test;
-
-import java.io.IOException;
-import java.net.InetSocketAddress;
-import java.net.SocketAddress;
-import java.nio.ByteBuffer;
-import java.nio.channels.SocketChannel;
-
-public class KdcTest {
-
- private String serverHost = "localhost";
- private short serverPort = 8089;
-
- private SimpleKdcServer kdcServer;
-
- @Before
- public void setUp() throws Exception {
- kdcServer = new SimpleKdcServer();
- kdcServer.setKdcHost(serverHost);
- kdcServer.setKdcTcpPort(serverPort);
- kdcServer.init();
- kdcServer.start();
- }
-
- @Test
- public void testKdc() throws IOException, InterruptedException {
- Thread.sleep(15);
-
- SocketChannel socketChannel = SocketChannel.open();
- socketChannel.configureBlocking(true);
- SocketAddress sa = new InetSocketAddress(serverHost, serverPort);
- socketChannel.connect(sa);
-
- String BAD_KRB_MESSAGE = "Hello World!";
- ByteBuffer writeBuffer = ByteBuffer.allocate(4 + BAD_KRB_MESSAGE.getBytes().length);
- writeBuffer.putInt(BAD_KRB_MESSAGE.getBytes().length);
- writeBuffer.put(BAD_KRB_MESSAGE.getBytes());
- writeBuffer.flip();
-
- socketChannel.write(writeBuffer);
- }
-
- @After
- public void tearDown() throws Exception {
- kdcServer.stop();
- }
-}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/haox-kerb/kerb-server/src/test/java/org/apache/kerberos/kerb/server/TestKdcConfigLoad.java
----------------------------------------------------------------------
diff --git a/haox-kerb/kerb-server/src/test/java/org/apache/kerberos/kerb/server/TestKdcConfigLoad.java b/haox-kerb/kerb-server/src/test/java/org/apache/kerberos/kerb/server/TestKdcConfigLoad.java
deleted file mode 100644
index 923861a..0000000
--- a/haox-kerb/kerb-server/src/test/java/org/apache/kerberos/kerb/server/TestKdcConfigLoad.java
+++ /dev/null
@@ -1,57 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.kerberos.kerb.server;
-
-import org.apache.haox.config.Conf;
-import org.junit.Assert;
-import org.junit.Test;
-
-import java.io.File;
-import java.io.IOException;
-import java.net.URISyntaxException;
-import java.net.URL;
-
-public class TestKdcConfigLoad {
-
- @Test
- public void test() throws URISyntaxException, IOException {
- URL confFileUrl = TestKdcConfigLoad.class.getResource("/kdc.conf");
- File confFile = new File(confFileUrl.toURI());
-
- KdcConfig krbConfig = new KdcConfig();
- Conf conf = krbConfig.getConf();
- conf.addIniConfig(confFile);
-
- Assert.assertEquals(krbConfig.getDefaultLoggingLocation(), "FILE:/var/log/krb5libs.log");
- Assert.assertEquals(krbConfig.getKdcLoggingLocation(), "FILE:/var/log/krb5kdc.log");
- Assert.assertEquals(krbConfig.getAdminLoggingLocation(), "FILE:/var/log/kadmind.log");
-
- Assert.assertEquals(krbConfig.getKdcUdpPort(), 88);
- Assert.assertEquals(krbConfig.getKdcTcpPort(), 8014);
- Assert.assertTrue(krbConfig.isRestrictAnonymousToTgt());
- Assert.assertEquals(krbConfig.getKdcMaxDgramReplySize(), 4096);
-
- String[] ldapContainerDn = krbConfig.getLdapKerberosContainerDn();
- Assert.assertEquals(ldapContainerDn.length, 3);
- Assert.assertEquals(ldapContainerDn[0], "cn=krbcontainer");
- Assert.assertEquals(ldapContainerDn[1], "dc=mit");
- Assert.assertEquals(ldapContainerDn[2], "dc=edu");
- }
-}
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/haox-kerb/kerb-util/pom.xml
----------------------------------------------------------------------
diff --git a/haox-kerb/kerb-util/pom.xml b/haox-kerb/kerb-util/pom.xml
deleted file mode 100644
index 6a0d367..0000000
--- a/haox-kerb/kerb-util/pom.xml
+++ /dev/null
@@ -1,46 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License. See accompanying LICENSE file.
--->
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
- <modelVersion>4.0.0</modelVersion>
-
- <parent>
- <groupId>org.haox</groupId>
- <artifactId>haox-kerb</artifactId>
- <version>1.0-SNAPSHOT</version>
- </parent>
-
- <artifactId>kerb-util</artifactId>
-
- <name>Haox-kerb Util</name>
- <description>Haox-kerb Utilities</description>
-
- <dependencies>
- <dependency>
- <groupId>org.haox</groupId>
- <artifactId>haox-config</artifactId>
- <version>${project.version}</version>
- </dependency>
- <dependency>
- <groupId>org.haox</groupId>
- <artifactId>kerb-core</artifactId>
- <version>${project.version}</version>
- </dependency>
- <dependency>
- <groupId>org.haox</groupId>
- <artifactId>kerb-crypto</artifactId>
- <version>${project.version}</version>
- </dependency>
- </dependencies>
-</project>
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/haox-kerb/kerb-util/src/main/java/org/apache/kerberos/kerb/KrbInputStream.java
----------------------------------------------------------------------
diff --git a/haox-kerb/kerb-util/src/main/java/org/apache/kerberos/kerb/KrbInputStream.java b/haox-kerb/kerb-util/src/main/java/org/apache/kerberos/kerb/KrbInputStream.java
deleted file mode 100644
index e8d430d..0000000
--- a/haox-kerb/kerb-util/src/main/java/org/apache/kerberos/kerb/KrbInputStream.java
+++ /dev/null
@@ -1,74 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.kerberos.kerb;
-
-import org.apache.kerberos.kerb.spec.KerberosTime;
-import org.apache.kerberos.kerb.spec.common.EncryptionKey;
-import org.apache.kerberos.kerb.spec.common.EncryptionType;
-import org.apache.kerberos.kerb.spec.common.PrincipalName;
-
-import java.io.DataInputStream;
-import java.io.IOException;
-import java.io.InputStream;
-
-public abstract class KrbInputStream extends DataInputStream
-{
- public KrbInputStream(InputStream in) {
- super(in);
- }
-
- public KerberosTime readTime() throws IOException {
- long value = readInt();
- KerberosTime time = new KerberosTime(value * 1000);
- return time;
- }
-
- public abstract PrincipalName readPrincipal(int version) throws IOException;
-
- public EncryptionKey readKey(int version) throws IOException {
- int eType = readShort();
- EncryptionType encryptionType = EncryptionType.fromValue(eType);
-
- byte[] keyData = readCountedOctets();
- EncryptionKey key = new EncryptionKey(encryptionType, keyData);
-
- return key;
- }
-
- public String readCountedString() throws IOException {
- byte[] countedOctets = readCountedOctets();
- // ASCII
- return new String(countedOctets);
- }
-
- public byte[] readCountedOctets() throws IOException {
- int len = readOctetsCount();
- if (len == 0) {
- return null;
- }
-
- byte[] data = new byte[len];
- read(data);
-
- return data;
- }
-
- public abstract int readOctetsCount() throws IOException;
-}