Posted to commits@directory.apache.org by pl...@apache.org on 2016/06/07 02:23:07 UTC

[21/29] directory-kerby git commit: DIRKRB-542. Kerby Authorization. Contributed by Gerard Gagliano

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f751d390/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/CamMacVerifierMac.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/CamMacVerifierMac.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/CamMacVerifierMac.java
new file mode 100644
index 0000000..2ee906d
--- /dev/null
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/CamMacVerifierMac.java
@@ -0,0 +1,107 @@
+/**
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.kerby.kerberos.kerb.type.ad;
+
+import org.apache.kerby.asn1.Asn1FieldInfo;
+import org.apache.kerby.asn1.EnumType;
+import org.apache.kerby.asn1.ExplicitField;
+import org.apache.kerby.asn1.type.Asn1Integer;
+import org.apache.kerby.kerberos.kerb.type.KrbSequenceType;
+import org.apache.kerby.kerberos.kerb.type.base.CheckSum;
+import org.apache.kerby.kerberos.kerb.type.base.PrincipalName;
+
+/**
+ * <pre>
+ * Verifier-MAC ::= SEQUENCE { 
+ *      identifier [0]  PrincipalName OPTIONAL, 
+ *      kvno [1]        UInt32 OPTIONAL, 
+ *      enctype [2]     Int32 OPTIONAL, 
+ *      mac [3]         Checksum
+ * }
+ * </pre>
+ * 
+ * Contributed to the Apache Kerby Project by: Prodentity - Corrales, NM
+ * 
+ * @author <a href="mailto:dev@directory.apache.org">Apache DirectoryProject</a>
+ */
+public class CamMacVerifierMac extends KrbSequenceType {
+
+    protected enum CamMacField implements EnumType {
+        CAMMAC_identifier, CAMMAC_kvno, CAMMAC_enctype, CAMMAC_mac;
+
+        @Override
+        public int getValue() {
+            return ordinal();
+        }
+
+        @Override
+        public String getName() {
+            return name();
+        }
+    }
+
+    /** The CamMac's fields */
+    private static Asn1FieldInfo[] fieldInfos = new Asn1FieldInfo[] {
+            new ExplicitField(CamMacField.CAMMAC_identifier, PrincipalName.class),
+            new ExplicitField(CamMacField.CAMMAC_kvno, Asn1Integer.class),
+            new ExplicitField(CamMacField.CAMMAC_enctype, Asn1Integer.class),
+            new ExplicitField(CamMacField.CAMMAC_mac, CheckSum.class)};
+
+    public CamMacVerifierMac() {
+        super(fieldInfos);
+    }
+
+    public CamMacVerifierMac(PrincipalName identifier) {
+        super(fieldInfos);
+        setFieldAs(CamMacField.CAMMAC_identifier, identifier);
+    }
+
+    public PrincipalName getIdentifier() {
+        return getFieldAs(CamMacField.CAMMAC_identifier, PrincipalName.class);
+    }
+
+    public void setIdentifier(PrincipalName identifier) {
+        setFieldAs(CamMacField.CAMMAC_identifier, identifier);
+    }
+
+    public int getKvno() {
+        return getFieldAs(CamMacField.CAMMAC_kvno, Asn1Integer.class).getValue().intValue();
+    }
+
+    public void setKvno(int kvno) {
+        setFieldAs(CamMacField.CAMMAC_kvno, new Asn1Integer(kvno));
+    }
+
+    public int getEnctype() {
+        return getFieldAs(CamMacField.CAMMAC_enctype, Asn1Integer.class).getValue().intValue();
+    }
+
+    public void setEnctype(int encType) {
+        setFieldAs(CamMacField.CAMMAC_enctype, new Asn1Integer(encType));
+    }
+
+    public CheckSum getMac() {
+        return getFieldAs(CamMacField.CAMMAC_mac, CheckSum.class);
+    }
+
+    public void setMac(CheckSum mac) {
+        setFieldAs(CamMacField.CAMMAC_mac, mac);
+    }
+}
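Review bot: `getKvno()` and `getEnctype()` dereference the result of `getFieldAs(...)` directly, yet the ASN.1 in the class comment marks both `kvno` and `enctype` as OPTIONAL, so a decoded Verifier-MAC that omits them would presumably throw a NullPointerException (assuming `getFieldAs` returns null for an absent field; its body is not in this diff). Because this structure is parsed from ticket authorization data, the getters should tolerate absence, for example `Asn1Integer v = getFieldAs(CamMacField.CAMMAC_kvno, Asn1Integer.class);` followed by `return v != null ? v.getValue().intValue() : -1;`, or by returning a boxed `Integer`, with the choice stated in Javadoc. `kvno` is also declared UInt32, so values above `Integer.MAX_VALUE` come back negative from `intValue()`; the Javadoc should say so or the getter should return a wider type.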

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f751d390/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/PrincipalList.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/PrincipalList.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/PrincipalList.java
new file mode 100644
index 0000000..667315a
--- /dev/null
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/PrincipalList.java
@@ -0,0 +1,31 @@
+/**
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.kerby.kerberos.kerb.type.ad;
+
+import org.apache.kerby.kerberos.kerb.type.KrbSequenceOfType;
+import org.apache.kerby.kerberos.kerb.type.base.PrincipalName;
+
+/**
+ * Contributed to the Apache Kerby Project by: Prodentity - Corrales, NM
+ * 
+ * @author <a href="mailto:dev@directory.apache.org">Apache DirectoryProject</a>
+ */
+public class PrincipalList extends KrbSequenceOfType<PrincipalName> {
+}

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f751d390/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/base/KeyUsage.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/base/KeyUsage.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/base/KeyUsage.java
index 44256cc..a47d81e 100644
--- a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/base/KeyUsage.java
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/base/KeyUsage.java
@@ -100,7 +100,8 @@ public enum KeyUsage implements EnumType {
     ENC_CHALLENGE_KDC(55),
     AS_REQ(56),
     //PA-TOKEN padata,encrypted with the client key
-    PA_TOKEN(57);
+    PA_TOKEN(57),
+    AD_CAMMAC_VERIFIER_MAC(64);  //See RFC 7751
 
     private int value;
 

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f751d390/kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/codec/ADTest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/codec/ADTest.java b/kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/codec/ADTest.java
new file mode 100644
index 0000000..21cb16f
--- /dev/null
+++ b/kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/codec/ADTest.java
@@ -0,0 +1,143 @@
+/**
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.codec;
+
+import static org.junit.Assert.assertEquals;
+
+import java.io.IOException;
+
+import org.apache.kerby.asn1.type.Asn1Utf8String;
+import org.apache.kerby.kerberos.kerb.KrbException;
+import org.apache.kerby.kerberos.kerb.type.ad.ADAuthenticationIndicator;
+import org.apache.kerby.kerberos.kerb.type.ad.AuthorizationData;
+import org.apache.kerby.kerberos.kerb.type.ad.AuthorizationDataEntry;
+import org.apache.kerby.kerberos.kerb.type.ad.AuthorizationDataWrapper;
+import org.apache.kerby.kerberos.kerb.type.ad.AuthorizationDataWrapper.WrapperType;
+import org.junit.Test;
+
+/**
+ * Test class for Authorization data codec.
+ * 
+ * Contributed to the Apache Kerby Project by: Prodentity - Corrales, NM
+ * 
+ * @author <a href="mailto:dev@directory.apache.org">Apache DirectoryProject</a>
+ */
+public class ADTest {
+
+    private static final String FOO = "Foo";
+    private static final String BAR = "Bar";
+
+    /**
+     * Test the Authorization Data codec.
+     *
+     * @throws KrbException Exception
+     * @throws IOException Exception
+     */
+    @Test
+    public void testADCodec() throws KrbException, IOException {
+        int i = -1;
+
+        // Construct an AD_AUTHENTICATION_INDICATOR entry
+        ADAuthenticationIndicator indicators = new ADAuthenticationIndicator();
+        indicators.add(new Asn1Utf8String(FOO));
+        indicators.add(new Asn1Utf8String(BAR));
+
+        // Encode
+        System.out.println("\nIndicators prior to encoding:");
+        for (Asn1Utf8String ind : indicators.getAuthIndicators()) {
+            System.out.println(ind.toString());
+        }
+        byte[] enIndicators = indicators.encode();
+
+        // Decode get this out of asn1 tests
+        indicators.decode(enIndicators);
+        System.out.println("\nIndicators after decoding:");
+        for (Asn1Utf8String ind : indicators.getAuthIndicators()) {
+            System.out.println(ind.toString());
+        }
+
+        // Create an AD_IF_RELEVENT container
+        AuthorizationData adirData = new AuthorizationData();
+        adirData.add(indicators);
+        AuthorizationDataWrapper adirWrap = new AuthorizationDataWrapper(WrapperType.AD_IF_RELEVANT, adirData);
+
+        // Encode
+        System.out.println("\nADE (IR) Wrapper prior to encoding:");
+        for (AuthorizationDataEntry ade : adirWrap.getAuthorizationData().getElements()) {
+            ADAuthenticationIndicator ad = (ADAuthenticationIndicator) ade;
+            for (Asn1Utf8String ind : ad.getAuthIndicators()) {
+                System.out.println(ind.toString());
+            }
+        }
+        byte[] enAdir = adirWrap.encode();
+
+        // Decode
+        adirWrap.decode(enAdir);
+        System.out.println("\nADE (IR) Wrapper after decoding:");
+        for (AuthorizationDataEntry ade : adirWrap.getAuthorizationData().getElements()) {
+            ADAuthenticationIndicator ad = (ADAuthenticationIndicator) ade;
+            i = 0;
+            for (Asn1Utf8String ind : ad.getAuthIndicators()) {
+                System.out.println(ind.toString());
+                if (i == 0) {
+                    assertEquals(ind.getValue(), FOO);
+                } else {
+                    assertEquals(ind.getValue(), BAR);
+                }
+                i++;
+            }
+        }
+
+        // Create an AD_MANDATORY_FOR_KDC container
+        AuthorizationData admfkData = new AuthorizationData();
+        admfkData.add(indicators);
+        AuthorizationDataWrapper admfkWrap = new AuthorizationDataWrapper(WrapperType.AD_MANDATORY_FOR_KDC, admfkData);
+
+        // Encode
+        System.out.println("\nADE (MFK) Wrapper prior to encoding:");
+        for (AuthorizationDataEntry ade : admfkWrap.getAuthorizationData().getElements()) {
+            ADAuthenticationIndicator ad = (ADAuthenticationIndicator) ade;
+            for (Asn1Utf8String ind : ad.getAuthIndicators()) {
+                System.out.println(ind.toString());
+            }
+        }
+        byte[] enAdmfk = admfkWrap.encode();
+
+        // Decode
+        admfkWrap.decode(enAdmfk);
+        System.out.println("\nADE (MFK) Wrapper after decoding:");
+        for (AuthorizationDataEntry ade : admfkWrap.getAuthorizationData().getElements()) {
+            ADAuthenticationIndicator ad = (ADAuthenticationIndicator) ade;
+            for (Asn1Utf8String ind : ad.getAuthIndicators()) {
+                System.out.println(ind.toString());
+            }
+            i = 0;
+            for (Asn1Utf8String ind : ad.getAuthIndicators()) {
+                System.out.println(ind.toString());
+                if (i == 0) {
+                    assertEquals(ind.getValue(), FOO);
+                } else {
+                    assertEquals(ind.getValue(), BAR);
+                }
+                i++;
+            }
+        }
+    }
+}
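Review bot: Each round trip decodes into the same object that produced the bytes (`indicators.decode(enIndicators)`, `adirWrap.decode(enAdir)`, `admfkWrap.decode(enAdmfk)`), so the assertions may still pass if `decode` leaves the existing contents in place, and the first round trip has no assertion at all. Nothing checks the number of decoded elements either, so an empty result skips both `assertEquals` calls. Decoding into a fresh instance, `ADAuthenticationIndicator decoded = new ADAuthenticationIndicator();` then `decoded.decode(enIndicators);`, and asserting the element count before the loop would make the test actually exercise the codec. The `assertEquals` arguments are also in (actual, expected) order, which only affects the failure message, and the `System.out.println` calls can be dropped.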

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f751d390/kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/codec/PkinitAnonymousAsRepCodecTest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/codec/PkinitAnonymousAsRepCodecTest.java b/kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/codec/PkinitAnonymousAsRepCodecTest.java
index af24cb9..c2a46dc 100644
--- a/kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/codec/PkinitAnonymousAsRepCodecTest.java
+++ b/kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/codec/PkinitAnonymousAsRepCodecTest.java
@@ -117,7 +117,7 @@ public class PkinitAnonymousAsRepCodecTest {
         KdcDhKeyInfo kdcDhKeyInfo = new KdcDhKeyInfo();
         kdcDhKeyInfo.decode(eContentInfo);
         assertThat(kdcDhKeyInfo.getSubjectPublicKey()).isNotNull();
-        assertThat(kdcDhKeyInfo.getDHKeyExpiration()).isNotNull();
+        assertThat(kdcDhKeyInfo.getDHKeyExpiration()).isNull();
         assertThat(kdcDhKeyInfo.getNonce()).isNotNull();
     }
 }

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f751d390/kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/codec/PkinitAnonymousAsReqCodecTest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/codec/PkinitAnonymousAsReqCodecTest.java b/kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/codec/PkinitAnonymousAsReqCodecTest.java
index 424a430..7138ca0 100644
--- a/kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/codec/PkinitAnonymousAsReqCodecTest.java
+++ b/kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/codec/PkinitAnonymousAsReqCodecTest.java
@@ -20,8 +20,10 @@
 package org.apache.kerby.kerberos.kerb.codec;
 
 import org.apache.kerby.asn1.Asn1;
+import org.apache.kerby.cms.type.DigestAlgorithmIdentifiers;
 import org.apache.kerby.cms.type.SignedContentInfo;
 import org.apache.kerby.cms.type.SignedData;
+import org.apache.kerby.cms.type.SignerInfos;
 import org.apache.kerby.kerberos.kerb.KrbConstant;
 import org.apache.kerby.kerberos.kerb.type.base.EncryptionType;
 import org.apache.kerby.kerberos.kerb.type.base.KrbMessageType;
@@ -45,7 +47,7 @@ import java.text.ParseException;
 import java.util.Arrays;
 import java.util.List;
 
-import static org.assertj.core.api.Assertions.*;
+import static org.assertj.core.api.Assertions.assertThat;
 
 public class PkinitAnonymousAsReqCodecTest {
     @Test
@@ -114,15 +116,23 @@ public class PkinitAnonymousAsReqCodecTest {
         SignedContentInfo contentInfo = new SignedContentInfo();
         Asn1.parseAndDump(paPkAsReq.getSignedAuthPack());
         contentInfo.decode(paPkAsReq.getSignedAuthPack());
-        assertThat(contentInfo.getContentType()).isEqualTo("1.2.840.113549.1.7.2");
+        assertThat(contentInfo.getContentType()) .isEqualTo("1.2.840.113549.1.7.2");
         Asn1.dump(contentInfo);
 
         SignedData signedData = contentInfo.getSignedData();
         assertThat(signedData.getVersion()).isEqualTo(3);
-        assertThat(signedData.getDigestAlgorithms().getElements().isEmpty()).isTrue();
-        assertThat(signedData.getCertificates().getElements().isEmpty()).isTrue();
-        assertThat(signedData.getCrls().getElements().isEmpty()).isTrue();
-        assertThat(signedData.getSignerInfos().getElements().isEmpty()).isTrue();
+        DigestAlgorithmIdentifiers dais = signedData.getDigestAlgorithms();
+        assertThat(dais).isNotNull();
+        if (dais != null) {
+            assertThat(dais.getElements()).isEmpty();
+        }
+        assertThat(signedData.getCertificates()).isNull();
+        assertThat(signedData.getCrls()).isNull();
+        SignerInfos signerInfos = signedData.getSignerInfos();
+        assertThat(signerInfos).isNotNull();
+        if (signerInfos != null) {
+            assertThat(signerInfos.getElements()).isEmpty();
+        }
         assertThat(signedData.getEncapContentInfo().getContentType())
                 .isEqualTo("1.3.6.1.5.2.3.1");
 

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f751d390/kerby-kerb/kerb-identity/src/main/java/org/apache/kerby/kerberos/kerb/identity/CacheableIdentityService.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-identity/src/main/java/org/apache/kerby/kerberos/kerb/identity/CacheableIdentityService.java b/kerby-kerb/kerb-identity/src/main/java/org/apache/kerby/kerberos/kerb/identity/CacheableIdentityService.java
index 0e8fe4b..41dc555 100644
--- a/kerby-kerb/kerb-identity/src/main/java/org/apache/kerby/kerberos/kerb/identity/CacheableIdentityService.java
+++ b/kerby-kerb/kerb-identity/src/main/java/org/apache/kerby/kerberos/kerb/identity/CacheableIdentityService.java
@@ -22,6 +22,8 @@ package org.apache.kerby.kerberos.kerb.identity;
 import org.apache.kerby.config.Config;
 import org.apache.kerby.config.Configured;
 import org.apache.kerby.kerberos.kerb.KrbException;
+import org.apache.kerby.kerberos.kerb.type.ad.AuthorizationData;
+import org.apache.kerby.kerberos.kerb.type.ticket.EncTicketPart;
 
 import java.util.LinkedHashMap;
 import java.util.Map;
@@ -142,4 +144,15 @@ public class CacheableIdentityService
 
         underlying.deleteIdentity(principalName);
     }
+
+    /**
+     * {@inheritDoc}
+     */
+    @Override
+    public AuthorizationData getIdentityAuthorizationData(Object kdcRequest,
+            EncTicketPart encTicketPart) throws KrbException {
+
+        return underlying.getIdentityAuthorizationData(kdcRequest,
+                encTicketPart);
+    }
 }

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f751d390/kerby-kerb/kerb-identity/src/main/java/org/apache/kerby/kerberos/kerb/identity/IdentityService.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-identity/src/main/java/org/apache/kerby/kerberos/kerb/identity/IdentityService.java b/kerby-kerb/kerb-identity/src/main/java/org/apache/kerby/kerberos/kerb/identity/IdentityService.java
index 2f0ca2e..e09aeec 100644
--- a/kerby-kerb/kerb-identity/src/main/java/org/apache/kerby/kerberos/kerb/identity/IdentityService.java
+++ b/kerby-kerb/kerb-identity/src/main/java/org/apache/kerby/kerberos/kerb/identity/IdentityService.java
@@ -20,6 +20,8 @@
 package org.apache.kerby.kerberos.kerb.identity;
 
 import org.apache.kerby.kerberos.kerb.KrbException;
+import org.apache.kerby.kerberos.kerb.type.ad.AuthorizationData;
+import org.apache.kerby.kerberos.kerb.type.ticket.EncTicketPart;
 
 /**
  * Identity service for KDC backend to create, get and manage principal accounts.
@@ -55,6 +57,16 @@ public interface IdentityService {
     KrbIdentity getIdentity(String principalName) throws KrbException;
 
     /**
+     * Get an identity's Authorization Data.
+     * @param kdcRequest The KdcRequest
+     * @param encTicketPart The EncTicketPart being built for the KrbIdentity
+     * @return The Authorization Data
+     * @throws KrbException e
+     */
+    AuthorizationData getIdentityAuthorizationData(Object kdcRequest,
+            EncTicketPart encTicketPart) throws KrbException;
+
+    /**
      * Add an identity, and return the newly created result.
      * @param identity The identity
      * @return identity
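Review bot: The new `getIdentityAuthorizationData` takes `kdcRequest` as `Object` while its Javadoc calls it "The KdcRequest", so every implementation must downcast without the interface stating which type to expect or what to do when the cast fails. The Javadoc also leaves out that the result may be null, which the `TicketIssuer` hunk in this commit relies on (`if (authData != null)`). I would document both, for example `@param kdcRequest the server-side KdcRequest, typed as Object (presumably to keep this module independent of the server module); implementations must check the type before casting` and `@return the authorization data to place in the ticket, or null if the backend supplies none`. `@throws KrbException e` should say when the exception is thrown.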

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f751d390/kerby-kerb/kerb-identity/src/main/java/org/apache/kerby/kerberos/kerb/identity/backend/AbstractIdentityBackend.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-identity/src/main/java/org/apache/kerby/kerberos/kerb/identity/backend/AbstractIdentityBackend.java b/kerby-kerb/kerb-identity/src/main/java/org/apache/kerby/kerberos/kerb/identity/backend/AbstractIdentityBackend.java
index 7c0e6b3..5349e43 100644
--- a/kerby-kerb/kerb-identity/src/main/java/org/apache/kerby/kerberos/kerb/identity/backend/AbstractIdentityBackend.java
+++ b/kerby-kerb/kerb-identity/src/main/java/org/apache/kerby/kerberos/kerb/identity/backend/AbstractIdentityBackend.java
@@ -23,6 +23,8 @@ import org.apache.kerby.config.Configured;
 import org.apache.kerby.kerberos.kerb.KrbException;
 import org.apache.kerby.kerberos.kerb.identity.BatchTrans;
 import org.apache.kerby.kerberos.kerb.identity.KrbIdentity;
+import org.apache.kerby.kerberos.kerb.type.ad.AuthorizationData;
+import org.apache.kerby.kerberos.kerb.type.ticket.EncTicketPart;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -167,6 +169,38 @@ public abstract class AbstractIdentityBackend
      * {@inheritDoc}
      */
     @Override
+    public AuthorizationData getIdentityAuthorizationData(Object kdcRequest,
+            EncTicketPart encTicketPart) throws KrbException {
+        if (kdcRequest == null) {
+            throw new IllegalArgumentException("Invalid identity");
+        }
+
+        logger.debug("getIdentityAuthorizationData called, krbIdentity = {}",
+                kdcRequest);
+
+        AuthorizationData authData = doGetIdentityAuthorizationData(kdcRequest,
+                encTicketPart);
+        logger.debug("getIdentityAuthorizationData {}, authData = {}",
+                (authData != null ? "successful" : "failed"), authData);
+
+        return authData;
+    }
+
+    /**
+     * Get an identity's Authorization Data, invoked by getIdentityAuthorizationData.
+     * @param krbIdentity The KrbIdentity
+     * @param encTicketPart The EncTicketPart being built for the KrbIdentity
+     * @return The Authorization Data
+     * @throws KrbException e
+     */
+    protected AuthorizationData doGetIdentityAuthorizationData(
+            Object kdcRequest, EncTicketPart encTicketPart)
+            throws KrbException {
+        return null;
+    }
+
+    /** {@inheritDoc} */
+    @Override
     public KrbIdentity addIdentity(KrbIdentity identity) throws KrbException {
         if (identity == null) {
             throw new IllegalArgumentException("null identity to add");
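Review bot: The debug line after `doGetIdentityAuthorizationData` reports "failed" whenever the result is null, but the default implementation added in this same hunk always returns null, so every backend that does not override it logs a failure for each ticket. The messages and Javadoc also still talk about an identity: the guard throws `"Invalid identity"` for a null `kdcRequest`, the first log line labels it `krbIdentity`, and `doGetIdentityAuthorizationData` documents `@param krbIdentity` for a parameter named `kdcRequest`. Suggested wording: `throw new IllegalArgumentException("null kdcRequest");`, `@param kdcRequest The KdcRequest`, and `(authData != null ? "returned data" : "returned no data")` in the log call. Both debug lines format the whole request and the authorization data through `toString()`, so it is worth confirming that neither rendering puts key material or other ticket contents into the logs.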

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f751d390/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/PreauthHandler.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/PreauthHandler.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/PreauthHandler.java
index 2844956..4f45026 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/PreauthHandler.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/PreauthHandler.java
@@ -131,18 +131,22 @@ public class PreauthHandler {
     }
 
     public static boolean isToken(PaData paData) {
-        for (PaDataEntry paEntry : paData.getElements()) {
-            if (paEntry.getPaDataType() == PaDataType.TOKEN_REQUEST) {
-                return true;
+        if (paData != null) {
+            for (PaDataEntry paEntry : paData.getElements()) {
+                if (paEntry.getPaDataType() == PaDataType.TOKEN_REQUEST) {
+                    return true;
+                }
             }
         }
         return false;
     }
 
     public static boolean isPkinit(PaData paData) {
-        for (PaDataEntry paEntry : paData.getElements()) {
-            if (paEntry.getPaDataType() == PaDataType.PK_AS_REQ) {
-                return true;
+        if (paData != null) {
+            for (PaDataEntry paEntry : paData.getElements()) {
+                if (paEntry.getPaDataType() == PaDataType.PK_AS_REQ) {
+                    return true;
+                }
             }
         }
         return false;
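Review bot: `isToken` and `isPkinit` now carry the same null guard and loop and differ only in the `PaDataType` they compare against, so the rule for an absent `paData` lives in two places (a third copy of the guard appears in `KdcRequest.kdcFindFast` in this commit). A private helper with a guard clause would keep that rule in one spot and remove a nesting level; `isPkinit` would reduce to `return hasPaDataType(paData, PaDataType.PK_AS_REQ);`. The closing brace of `isPkinit` lies outside this hunk.

```java
    public static boolean isToken(PaData paData) {
        return hasPaDataType(paData, PaDataType.TOKEN_REQUEST);
    }

    // … unchanged: isPkinit signature; its body becomes the one-line call quoted in the note …

    private static boolean hasPaDataType(PaData paData, PaDataType type) {
        if (paData == null) {
            return false;
        }
        for (PaDataEntry paEntry : paData.getElements()) {
            if (paEntry.getPaDataType() == type) {
                return true;
            }
        }
        return false;
    }
```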

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f751d390/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
index e374734..8d44d9f 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
@@ -205,29 +205,31 @@ public abstract class KdcRequest {
     private void kdcFindFast() throws KrbException {
 
         PaData paData = getKdcReq().getPaData();
-        for (PaDataEntry paEntry : paData.getElements()) {
-            if (paEntry.getPaDataType() == PaDataType.FX_FAST) {
-                LOG.info("Found fast padata and start to process it.");
-                KrbFastArmoredReq fastArmoredReq = KrbCodec.decode(paEntry.getPaDataValue(),
-                        KrbFastArmoredReq.class);
-                KrbFastArmor fastArmor = fastArmoredReq.getArmor();
-                armorApRequest(fastArmor);
-
-                EncryptedData encryptedData = fastArmoredReq.getEncryptedFastReq();
-                KrbFastReq fastReq = KrbCodec.decode(
-                        EncryptionHandler.decrypt(encryptedData, getArmorKey(), KeyUsage.FAST_ENC),
-                        KrbFastReq.class);
-                innerBodyout = KrbCodec.encode(fastReq.getKdcReqBody());
-
-                // TODO: get checksumed data in stream
-                CheckSum checkSum = fastArmoredReq.getReqChecksum();
-                if (checkSum == null) {
-                    LOG.warn("Checksum is empty.");
-                    throw new KrbException(KrbErrorCode.KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED);
+        if (paData != null) {
+            for (PaDataEntry paEntry : paData.getElements()) {
+                if (paEntry.getPaDataType() == PaDataType.FX_FAST) {
+                    LOG.info("Found fast padata and start to process it.");
+                    KrbFastArmoredReq fastArmoredReq = KrbCodec.decode(paEntry.getPaDataValue(),
+                            KrbFastArmoredReq.class);
+                    KrbFastArmor fastArmor = fastArmoredReq.getArmor();
+                    armorApRequest(fastArmor);
+
+                    EncryptedData encryptedData = fastArmoredReq.getEncryptedFastReq();
+                    KrbFastReq fastReq = KrbCodec.decode(
+                            EncryptionHandler.decrypt(encryptedData, getArmorKey(), KeyUsage.FAST_ENC),
+                            KrbFastReq.class);
+                    innerBodyout = KrbCodec.encode(fastReq.getKdcReqBody());
+
+                    // TODO: get checksumed data in stream
+                    CheckSum checkSum = fastArmoredReq.getReqChecksum();
+                    if (checkSum == null) {
+                        LOG.warn("Checksum is empty.");
+                        throw new KrbException(KrbErrorCode.KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED);
+                    }
+                    byte[] reqBody = KrbCodec.encode(getKdcReq().getReqBody());
+                        CheckSumHandler.verifyWithKey(checkSum, reqBody,
+                            getArmorKey().getKeyData(), KeyUsage.FAST_REQ_CHKSUM);
                 }
-                byte[] reqBody = KrbCodec.encode(getKdcReq().getReqBody());
-                    CheckSumHandler.verifyWithKey(checkSum, reqBody,
-                        getArmorKey().getKeyData(), KeyUsage.FAST_REQ_CHKSUM);
             }
         }
     }
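Review bot: The result of `CheckSumHandler.verifyWithKey(...)` at the end of the FX_FAST branch is discarded, so if that method reports a mismatch through its boolean return value rather than by throwing (its body is not in this diff), a FAST request whose req-checksum does not match the request body is still accepted. The call should be tested and the request rejected on failure, e.g. `if (!CheckSumHandler.verifyWithKey(checkSum, reqBody, getArmorKey().getKeyData(), KeyUsage.FAST_REQ_CHKSUM)) {` then `throw new KrbException(KrbErrorCode.KRB_AP_ERR_MODIFIED);` then `}`. The statement is also indented one level deeper than its neighbours, which makes it read like a continuation of the `reqBody` line. This commit only re-indents the block under the new `paData != null` guard, so the issue predates it, but it is carried into the new code unchanged.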

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f751d390/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TgsRequest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TgsRequest.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TgsRequest.java
index 21ff6fb..9d18057 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TgsRequest.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TgsRequest.java
@@ -101,7 +101,7 @@ public class TgsRequest extends KdcRequest {
      *
      * @return The tgt ticket.
      */
-    protected Ticket getTgtTicket() {
+    public Ticket getTgtTicket() {
         return tgtTicket;
     }
 

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f751d390/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TicketIssuer.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TicketIssuer.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TicketIssuer.java
index a9bae5b..5df40d6 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TicketIssuer.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TicketIssuer.java
@@ -26,6 +26,7 @@ import org.apache.kerby.kerberos.kerb.crypto.EncryptionHandler;
 import org.apache.kerby.kerberos.kerb.server.KdcConfig;
 import org.apache.kerby.kerberos.kerb.server.KdcContext;
 import org.apache.kerby.kerberos.kerb.type.KerberosTime;
+import org.apache.kerby.kerberos.kerb.type.ad.AuthorizationData;
 import org.apache.kerby.kerberos.kerb.type.base.EncryptedData;
 import org.apache.kerby.kerberos.kerb.type.base.EncryptionKey;
 import org.apache.kerby.kerberos.kerb.type.base.EncryptionType;
@@ -204,9 +205,21 @@ public abstract class TicketIssuer {
             encTicketPart.setClientAddresses(hostAddresses);
         }
 
+        AuthorizationData authData = makeAuthorizationData(kdcRequest,
+                encTicketPart);
+        if (authData != null) {
+            encTicketPart.setAuthorizationData(authData);
+        }
+
         return encTicketPart;
     }
 
+    protected AuthorizationData makeAuthorizationData(KdcRequest kdcRequest,
+            EncTicketPart encTicketPart) throws KrbException {
+        return getKdcContext().getIdentityService()
+                .getIdentityAuthorizationData(kdcRequest, encTicketPart);
+    }
+
     protected KdcContext getKdcContext() {
         return kdcRequest.getKdcContext();
     }
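Review bot: `makeAuthorizationData` hands the identity backend the `EncTicketPart` that is still being built, and the caller then passes whatever comes back to `setAuthorizationData(authData)`, with no Javadoc stating the contract. Two things should be written down on the method: a null return means "no authorization data" (the caller's `if (authData != null)` depends on it), and the backend receives a live reference it can modify, so only trusted backends should be plugged in. `setAuthorizationData` appears to replace rather than merge; the enclosing method starts outside this hunk, so it is worth confirming that no earlier step has already placed authorization data on the ticket part that this call would overwrite. A possible summary line: `Asks the identity service for authorization data to embed in the ticket; returns null when the backend supplies none.`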