Posted to commits@directory.apache.org by co...@apache.org on 2017/08/04 10:28:26 UTC
directory-kerby git commit: Make it possible to get a SGT using an
AuthToken and a TGT
Repository: directory-kerby
Updated Branches:
refs/heads/1.0.x-fixes f9261f919 -> 0d92a5eed
Make it possible to get a SGT using an AuthToken and a TGT
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/0d92a5ee
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/0d92a5ee
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/0d92a5ee
Branch: refs/heads/1.0.x-fixes
Commit: 0d92a5eede78a5e4f5ca68d19ee0b30026814462
Parents: f9261f9
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Fri Aug 4 09:47:48 2017 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Aug 4 11:24:19 2017 +0100
----------------------------------------------------------------------
.../kerb/integration/test/JWTTokenTest.java | 52 ++++++++++++++++++++
.../kerberos/kerb/client/KrbTokenClient.java | 21 ++++++--
2 files changed, 69 insertions(+), 4 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/0d92a5ee/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/JWTTokenTest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/JWTTokenTest.java b/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/JWTTokenTest.java
index aeb0ced..792e23a 100644
--- a/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/JWTTokenTest.java
+++ b/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/JWTTokenTest.java
@@ -265,6 +265,58 @@ public class JWTTokenTest extends TokenLoginTestBase {
cCacheFile.delete();
}
+ // Use the TGT here instead of an armor cache
+ @org.junit.Test
+ public void accessTokenUsingTicket() throws Exception {
+
+ KrbClient client = getKrbClient();
+
+ // Get a TGT
+ TgtTicket tgt = client.requestTgt(getClientPrincipal(), getClientPassword());
+ assertNotNull(tgt);
+
+ KrbTokenClient tokenClient = new KrbTokenClient(client);
+
+ tokenClient.setKdcHost(client.getSetting().getKdcHost());
+ tokenClient.setKdcTcpPort(client.getSetting().getKdcTcpPort());
+
+ tokenClient.setKdcRealm(client.getSetting().getKdcRealm());
+ tokenClient.init();
+
+ // Create a JWT token
+ AuthToken authToken = issueToken(getClientPrincipal());
+ authToken.isAcToken(true);
+ authToken.isIdToken(false);
+ authToken.setAudiences(Collections.singletonList(getServerPrincipal()));
+ KrbToken krbToken = new KrbToken(authToken, TokenFormat.JWT);
+
+ InputStream is = Files.newInputStream(getSignKeyFile().toPath());
+ PrivateKey signKey = PrivateKeyReader.loadPrivateKey(is);
+ krbToken.setTokenValue(signToken(authToken, signKey));
+
+ // Now get a SGT using the JWT
+ SgtTicket tkt = tokenClient.requestSgt(krbToken, getServerPrincipal(), tgt);
+ assertTrue(tkt != null);
+
+ // Decrypt the ticket
+ Ticket ticket = tkt.getTicket();
+ EncryptionKey key = EncryptionHandler.string2Key(getServerPrincipal(), getServerPassword(),
+ ticket.getEncryptedEncPart().getEType());
+
+ EncTicketPart encPart =
+ EncryptionUtil.unseal(ticket.getEncryptedEncPart(),
+ key, KeyUsage.KDC_REP_TICKET, EncTicketPart.class);
+
+ // Examine the authorization data
+ AuthorizationData authzData = encPart.getAuthorizationData();
+ assertEquals(1, authzData.getElements().size());
+ AuthorizationDataEntry dataEntry = authzData.getElements().iterator().next();
+ AdToken token = dataEntry.getAuthzDataAs(AdToken.class);
+ KrbToken decodedKrbToken = token.getToken();
+ assertEquals(getClientPrincipal(), decodedKrbToken.getSubject());
+ assertEquals(getServerPrincipal(), decodedKrbToken.getAudiences().get(0));
+ }
+
@org.junit.Test
public void identityToken() throws Exception {
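Review bot: The stream opened by `InputStream is = Files.newInputStream(getSignKeyFile().toPath());` in accessTokenUsingTicket is never closed, so the handle on the signing-key file stays open after the test. Load the key inside a try-with-resources, `try (InputStream is = Files.newInputStream(getSignKeyFile().toPath())) { signKey = PrivateKeyReader.loadPrivateKey(is); }`, with `PrivateKey signKey` declared just before it. The test also covers only the success path: a second case that passes a token with `isAcToken(false)` and expects `IllegalArgumentException` would pin the guard in the new `requestSgt` overload. For consistency with the TGT check above, `assertTrue(tkt != null)` reads better as `assertNotNull(tkt)`.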
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/0d92a5ee/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbTokenClient.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbTokenClient.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbTokenClient.java
index b71d61e..eedc016 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbTokenClient.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbTokenClient.java
@@ -6,16 +6,16 @@
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
- *
+ *
* http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
- * under the License.
- *
+ * under the License.
+ *
*/
package org.apache.kerby.kerberos.kerb.client;
@@ -122,4 +122,17 @@ public class KrbTokenClient extends KrbClientBase {
return requestSgt(requestOptions);
}
+
+ public SgtTicket requestSgt(AuthToken token, String serverPrincipal, TgtTicket tgt) throws KrbException {
+ if (!token.isAcToken()) {
+ throw new IllegalArgumentException("Access token is expected");
+ }
+
+ KOptions requestOptions = new KOptions();
+ requestOptions.add(TokenOption.USER_AC_TOKEN, token);
+ requestOptions.add(KrbOption.TGT, tgt);
+ requestOptions.add(KrbOption.SERVER_PRINCIPAL, serverPrincipal);
+
+ return requestSgt(requestOptions);
+ }
}
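Review bot: The new `requestSgt(AuthToken, String, TgtTicket)` overload dereferences `token` in `token.isAcToken()` and adds `tgt` and `serverPrincipal` to the options without checking any of them for null. A null token therefore surfaces as a bare NullPointerException, and a missing TGT is only noticed, if at all, inside `requestSgt(requestOptions)`, whose handling is outside this hunk. Reject these up front in the style of the existing guard: `if (token == null || serverPrincipal == null || tgt == null) { throw new IllegalArgumentException("token, serverPrincipal and tgt are required"); }`. The method also has no Javadoc; it should say that the TGT is used in place of an armor cache, document the `IllegalArgumentException` for non-access tokens, and state whether the token subject is expected to match the TGT's client principal and which side enforces that, since nothing in this method checks it.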