Posted to commits@directory.apache.org by pl...@apache.org on 2015/11/04 09:25:49 UTC
[23/48] directory-kerby git commit: Renaming
Renaming
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/93485f4c
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/93485f4c
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/93485f4c
Branch: refs/heads/pkinit-support
Commit: 93485f4c14e930958de8838cb92a7e10d989db03
Parents: 657a5b5
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Wed Sep 30 12:33:05 2015 +0200
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Wed Sep 30 14:54:31 2015 +0200
----------------------------------------------------------------------
.../kerberos/kerb/server/request/AsRequest.java | 2 +-
.../server/request/ServiceTickertIssuer.java | 59 -----
.../server/request/ServiceTicketIssuer.java | 59 +++++
.../kerb/server/request/TgsRequest.java | 2 +-
.../kerb/server/request/TgtTickertIssuer.java | 43 ----
.../kerb/server/request/TgtTicketIssuer.java | 43 ++++
.../kerb/server/request/TickertIssuer.java | 249 -------------------
.../kerb/server/request/TicketIssuer.java | 249 +++++++++++++++++++
8 files changed, 353 insertions(+), 353 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/93485f4c/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/AsRequest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/AsRequest.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/AsRequest.java
index 688fed5..2765673 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/AsRequest.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/AsRequest.java
@@ -102,7 +102,7 @@ public class AsRequest extends KdcRequest {
*/
@Override
protected void issueTicket() throws KrbException {
- TickertIssuer issuer = new TgtTickertIssuer(this);
+ TicketIssuer issuer = new TgtTicketIssuer(this);
Ticket newTicket = issuer.issueTicket();
setTicket(newTicket);
}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/93485f4c/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/ServiceTickertIssuer.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/ServiceTickertIssuer.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/ServiceTickertIssuer.java
deleted file mode 100644
index 8510b40..0000000
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/ServiceTickertIssuer.java
+++ /dev/null
@@ -1,59 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.kerby.kerberos.kerb.server.request;
-
-import org.apache.kerby.kerberos.kerb.spec.base.AuthToken;
-import org.apache.kerby.kerberos.kerb.spec.base.PrincipalName;
-import org.apache.kerby.kerberos.kerb.spec.base.TransitedEncoding;
-import org.apache.kerby.kerberos.kerb.spec.ticket.Ticket;
-
-/**
- * Issuing service ticket.
- */
-public class ServiceTickertIssuer extends TickertIssuer {
- private final Ticket tgtTicket;
- private final AuthToken token;
-
- public ServiceTickertIssuer(TgsRequest kdcRequest) {
- super(kdcRequest);
- tgtTicket = kdcRequest.getTgtTicket();
- token = kdcRequest.getToken();
- }
-
- protected KdcRequest getTgsRequest() {
- return getKdcRequest();
- }
-
- @Override
- protected PrincipalName getclientPrincipal() {
- if (token != null) {
- return new PrincipalName(token.getSubject());
- }
- return tgtTicket.getEncPart().getCname();
- }
-
- @Override
- protected TransitedEncoding getTransitedEncoding() {
- if (token != null) {
- return super.getTransitedEncoding();
- }
- return tgtTicket.getEncPart().getTransited();
- }
-}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/93485f4c/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/ServiceTicketIssuer.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/ServiceTicketIssuer.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/ServiceTicketIssuer.java
new file mode 100644
index 0000000..9ab7c65
--- /dev/null
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/ServiceTicketIssuer.java
@@ -0,0 +1,59 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.server.request;
+
+import org.apache.kerby.kerberos.kerb.spec.base.AuthToken;
+import org.apache.kerby.kerberos.kerb.spec.base.PrincipalName;
+import org.apache.kerby.kerberos.kerb.spec.base.TransitedEncoding;
+import org.apache.kerby.kerberos.kerb.spec.ticket.Ticket;
+
+/**
+ * Issuing service ticket.
+ */
+public class ServiceTicketIssuer extends TicketIssuer {
+ private final Ticket tgtTicket;
+ private final AuthToken token;
+
+ public ServiceTicketIssuer(TgsRequest kdcRequest) {
+ super(kdcRequest);
+ tgtTicket = kdcRequest.getTgtTicket();
+ token = kdcRequest.getToken();
+ }
+
+ protected KdcRequest getTgsRequest() {
+ return getKdcRequest();
+ }
+
+ @Override
+ protected PrincipalName getclientPrincipal() {
+ if (token != null) {
+ return new PrincipalName(token.getSubject());
+ }
+ return tgtTicket.getEncPart().getCname();
+ }
+
+ @Override
+ protected TransitedEncoding getTransitedEncoding() {
+ if (token != null) {
+ return super.getTransitedEncoding();
+ }
+ return tgtTicket.getEncPart().getTransited();
+ }
+}
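Review bot: In `getclientPrincipal()` a non-null token wins over the TGT's authenticated cname (`tgtTicket.getEncPart().getCname()`), so the issued service ticket names whatever subject the token carries rather than the principal the TGT was issued to; nothing in this file shows the token being bound to or validated against the TGT, so that check must live in TgsRequest or the pre-auth path. If it does, a Javadoc line on the method should say so, e.g. `/** Prefers the subject of the (already validated) token; otherwise the cname from the presented TGT. */`, because the current class comment "Issuing service ticket." gives a later maintainer no hint that this override is trust-sensitive. The same file is carried over unchanged by the rename, so the point applies to the deleted ServiceTickertIssuer hunk as well.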
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/93485f4c/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TgsRequest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TgsRequest.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TgsRequest.java
index 4d6d50c..5d80c03 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TgsRequest.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TgsRequest.java
@@ -107,7 +107,7 @@ public class TgsRequest extends KdcRequest {
*/
@Override
protected void issueTicket() throws KrbException {
- TickertIssuer issuer = new ServiceTickertIssuer(this);
+ TicketIssuer issuer = new ServiceTicketIssuer(this);
Ticket newTicket = issuer.issueTicket();
setTicket(newTicket);
}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/93485f4c/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TgtTickertIssuer.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TgtTickertIssuer.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TgtTickertIssuer.java
deleted file mode 100644
index 4003f95..0000000
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TgtTickertIssuer.java
+++ /dev/null
@@ -1,43 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.kerby.kerberos.kerb.server.request;
-
-import org.apache.kerby.kerberos.kerb.spec.base.TransitedEncoding;
-import org.apache.kerby.kerberos.kerb.spec.base.TransitedEncodingType;
-
-/**
- * Issuing TGT ticket.
- */
-public class TgtTickertIssuer extends TickertIssuer {
-
- public TgtTickertIssuer(AsRequest kdcRequest) {
- super(kdcRequest);
- }
-
- @Override
- protected TransitedEncoding getTransitedEncoding() {
- TransitedEncoding transEnc = new TransitedEncoding();
- transEnc.setTrType(TransitedEncodingType.DOMAIN_X500_COMPRESS);
- byte[] empty = new byte[0];
- transEnc.setContents(empty);
-
- return transEnc;
- }
-}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/93485f4c/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TgtTicketIssuer.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TgtTicketIssuer.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TgtTicketIssuer.java
new file mode 100644
index 0000000..91d2e46
--- /dev/null
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TgtTicketIssuer.java
@@ -0,0 +1,43 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.server.request;
+
+import org.apache.kerby.kerberos.kerb.spec.base.TransitedEncoding;
+import org.apache.kerby.kerberos.kerb.spec.base.TransitedEncodingType;
+
+/**
+ * Issuing TGT ticket.
+ */
+public class TgtTicketIssuer extends TicketIssuer {
+
+ public TgtTicketIssuer(AsRequest kdcRequest) {
+ super(kdcRequest);
+ }
+
+ @Override
+ protected TransitedEncoding getTransitedEncoding() {
+ TransitedEncoding transEnc = new TransitedEncoding();
+ transEnc.setTrType(TransitedEncodingType.DOMAIN_X500_COMPRESS);
+ byte[] empty = new byte[0];
+ transEnc.setContents(empty);
+
+ return transEnc;
+ }
+}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/93485f4c/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TickertIssuer.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TickertIssuer.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TickertIssuer.java
deleted file mode 100644
index 37403d7..0000000
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TickertIssuer.java
+++ /dev/null
@@ -1,249 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.kerby.kerberos.kerb.server.request;
-
-import org.apache.kerby.kerberos.kerb.KrbErrorCode;
-import org.apache.kerby.kerberos.kerb.KrbException;
-import org.apache.kerby.kerberos.kerb.common.EncryptionUtil;
-import org.apache.kerby.kerberos.kerb.crypto.EncryptionHandler;
-import org.apache.kerby.kerberos.kerb.server.KdcConfig;
-import org.apache.kerby.kerberos.kerb.server.KdcContext;
-import org.apache.kerby.kerberos.kerb.spec.KerberosTime;
-import org.apache.kerby.kerberos.kerb.spec.base.EncryptedData;
-import org.apache.kerby.kerberos.kerb.spec.base.EncryptionKey;
-import org.apache.kerby.kerberos.kerb.spec.base.EncryptionType;
-import org.apache.kerby.kerberos.kerb.spec.base.HostAddresses;
-import org.apache.kerby.kerberos.kerb.spec.base.KeyUsage;
-import org.apache.kerby.kerberos.kerb.spec.base.PrincipalName;
-import org.apache.kerby.kerberos.kerb.spec.base.TransitedEncoding;
-import org.apache.kerby.kerberos.kerb.spec.base.TransitedEncodingType;
-import org.apache.kerby.kerberos.kerb.spec.kdc.KdcOption;
-import org.apache.kerby.kerberos.kerb.spec.kdc.KdcOptions;
-import org.apache.kerby.kerberos.kerb.spec.kdc.KdcReq;
-import org.apache.kerby.kerberos.kerb.spec.ticket.EncTicketPart;
-import org.apache.kerby.kerberos.kerb.spec.ticket.Ticket;
-import org.apache.kerby.kerberos.kerb.spec.ticket.TicketFlag;
-import org.apache.kerby.kerberos.kerb.spec.ticket.TicketFlags;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-/**
- * Handling ticket constructing, filling, and issuing.
- */
-public abstract class TickertIssuer {
- private static final Logger LOG = LoggerFactory.getLogger(TickertIssuer.class);
- private final KdcRequest kdcRequest;
-
- public TickertIssuer(KdcRequest kdcRequest) {
- this.kdcRequest = kdcRequest;
- }
-
- protected KdcRequest getKdcRequest() {
- return kdcRequest;
- }
-
- public Ticket issueTicket() throws KrbException {
- KdcReq request = kdcRequest.getKdcReq();
-
- Ticket issuedTicket = new Ticket();
-
- PrincipalName serverPrincipal = getServerPrincipal();
- issuedTicket.setSname(serverPrincipal);
-
- String serverRealm = request.getReqBody().getRealm();
- issuedTicket.setRealm(serverRealm);
-
- EncTicketPart encTicketPart = makeEncTicketPart();
-
- EncryptionKey encryptionKey = getTicketEncryptionKey();
-
- EncryptedData encryptedData = EncryptionUtil.seal(encTicketPart,
- encryptionKey, KeyUsage.KDC_REP_TICKET);
- issuedTicket.setEncryptedEncPart(encryptedData);
- issuedTicket.setEncPart(encTicketPart);
-
- return issuedTicket;
- }
-
- public EncTicketPart makeEncTicketPart() throws KrbException {
- KdcReq request = kdcRequest.getKdcReq();
-
- EncTicketPart encTicketPart = new EncTicketPart();
- KdcConfig config = kdcRequest.getKdcContext().getConfig();
-
- TicketFlags ticketFlags = new TicketFlags();
- encTicketPart.setFlags(ticketFlags);
- ticketFlags.setFlag(TicketFlag.INITIAL);
-
- if (kdcRequest.isPreAuthenticated()) {
- ticketFlags.setFlag(TicketFlag.PRE_AUTH);
- }
-
- if (request.getReqBody().getKdcOptions().isFlagSet(KdcOption.FORWARDABLE)) {
- if (!config.isForwardableAllowed()) {
- LOG.warn("Forward is not allowed.");
- throw new KrbException(KrbErrorCode.KDC_ERR_POLICY);
- }
-
- ticketFlags.setFlag(TicketFlag.FORWARDABLE);
- }
-
- if (request.getReqBody().getKdcOptions().isFlagSet(KdcOption.PROXIABLE)) {
- if (!config.isProxiableAllowed()) {
- LOG.warn("Proxy is not allowed.");
- throw new KrbException(KrbErrorCode.KDC_ERR_POLICY);
- }
-
- ticketFlags.setFlag(TicketFlag.PROXIABLE);
- }
-
- if (request.getReqBody().getKdcOptions().isFlagSet(KdcOption.ALLOW_POSTDATE)) {
- if (!config.isPostdatedAllowed()) {
- LOG.warn("Post date is not allowed.");
- throw new KrbException(KrbErrorCode.KDC_ERR_POLICY);
- }
-
- ticketFlags.setFlag(TicketFlag.MAY_POSTDATE);
- }
-
- EncryptionKey sessionKey = EncryptionHandler.random2Key(
- kdcRequest.getEncryptionType());
- encTicketPart.setKey(sessionKey);
-
- encTicketPart.setCname(getclientPrincipal());
- encTicketPart.setCrealm(request.getReqBody().getRealm());
-
- TransitedEncoding transEnc = getTransitedEncoding();
- encTicketPart.setTransited(transEnc);
-
- KdcOptions kdcOptions = request.getReqBody().getKdcOptions();
-
- KerberosTime now = KerberosTime.now();
- encTicketPart.setAuthTime(now);
-
- KerberosTime krbStartTime = request.getReqBody().getFrom();
- if (krbStartTime == null || krbStartTime.lessThan(now)
- || krbStartTime.isInClockSkew(config.getAllowableClockSkew())) {
- krbStartTime = now;
- }
- if (krbStartTime.greaterThan(now)
- && !krbStartTime.isInClockSkew(config.getAllowableClockSkew())
- && !kdcOptions.isFlagSet(KdcOption.POSTDATED)) {
- throw new KrbException(KrbErrorCode.KDC_ERR_CANNOT_POSTDATE);
- }
-
- if (kdcOptions.isFlagSet(KdcOption.POSTDATED)) {
- if (!config.isPostdatedAllowed()) {
- throw new KrbException(KrbErrorCode.KDC_ERR_POLICY);
- }
-
- ticketFlags.setFlag(TicketFlag.POSTDATED);
- encTicketPart.setStartTime(krbStartTime);
- }
-
- KerberosTime krbEndTime = request.getReqBody().getTill();
- if (krbEndTime == null || krbEndTime.getTime() == 0) {
- krbEndTime = krbStartTime.extend(config.getMaximumTicketLifetime() * 1000);
- } else if (krbStartTime.greaterThan(krbEndTime)) {
- throw new KrbException(KrbErrorCode.KDC_ERR_NEVER_VALID);
- }
- encTicketPart.setEndTime(krbEndTime);
-
- long ticketLifeTime = Math.abs(krbEndTime.diff(krbStartTime));
- if (ticketLifeTime < config.getMinimumTicketLifetime()) {
- throw new KrbException(KrbErrorCode.KDC_ERR_NEVER_VALID);
- }
-
- KerberosTime krbRtime = request.getReqBody().getRtime();
- if (kdcOptions.isFlagSet(KdcOption.RENEWABLE_OK)) {
- kdcOptions.setFlag(KdcOption.RENEWABLE);
- }
- if (kdcOptions.isFlagSet(KdcOption.RENEWABLE)) {
- if (!config.isRenewableAllowed()) {
- throw new KrbException(KrbErrorCode.KDC_ERR_POLICY);
- }
-
- ticketFlags.setFlag(TicketFlag.RENEWABLE);
-
- if (krbRtime == null || krbRtime.getTime() == 0) {
- krbRtime = KerberosTime.NEVER;
- }
- KerberosTime allowedMaximumRenewableTime = krbStartTime;
- allowedMaximumRenewableTime = allowedMaximumRenewableTime
- .extend(config.getMaximumRenewableLifetime() * 1000);
- if (krbRtime.greaterThan(allowedMaximumRenewableTime)) {
- krbRtime = allowedMaximumRenewableTime;
- }
- encTicketPart.setRenewtill(krbRtime);
- }
-
- HostAddresses hostAddresses = request.getReqBody().getAddresses();
- if (hostAddresses == null || hostAddresses.isEmpty()) {
- if (!config.isEmptyAddressesAllowed()) {
- throw new KrbException(KrbErrorCode.KDC_ERR_POLICY);
- }
- } else {
- encTicketPart.setClientAddresses(hostAddresses);
- }
-
- return encTicketPart;
- }
-
- protected KdcContext getKdcContext() {
- return kdcRequest.getKdcContext();
- }
-
- protected KdcReq getKdcReq() {
- return kdcRequest.getKdcReq();
- }
-
- protected PrincipalName getclientPrincipal() {
- if (kdcRequest.isToken()) {
- return new PrincipalName(kdcRequest.getToken().getSubject());
- } else {
- return getKdcReq().getReqBody().getCname();
- }
- }
-
- protected PrincipalName getServerPrincipal() {
- return getKdcReq().getReqBody().getSname();
- }
-
- protected EncryptionType getTicketEncryptionType() throws KrbException {
- EncryptionType encryptionType = kdcRequest.getEncryptionType();
- return encryptionType;
- }
-
- protected EncryptionKey getTicketEncryptionKey() throws KrbException {
- EncryptionType encryptionType = getTicketEncryptionType();
- EncryptionKey serverKey =
- kdcRequest.getServerEntry().getKeys().get(encryptionType);
- return serverKey;
- }
-
- protected TransitedEncoding getTransitedEncoding() {
- TransitedEncoding transEnc = new TransitedEncoding();
- transEnc.setTrType(TransitedEncodingType.DOMAIN_X500_COMPRESS);
- byte[] empty = new byte[0];
- transEnc.setContents(empty);
-
- return transEnc;
- }
-}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/93485f4c/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TicketIssuer.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TicketIssuer.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TicketIssuer.java
new file mode 100644
index 0000000..7021c27
--- /dev/null
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TicketIssuer.java
@@ -0,0 +1,249 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.server.request;
+
+import org.apache.kerby.kerberos.kerb.KrbErrorCode;
+import org.apache.kerby.kerberos.kerb.KrbException;
+import org.apache.kerby.kerberos.kerb.common.EncryptionUtil;
+import org.apache.kerby.kerberos.kerb.crypto.EncryptionHandler;
+import org.apache.kerby.kerberos.kerb.server.KdcConfig;
+import org.apache.kerby.kerberos.kerb.server.KdcContext;
+import org.apache.kerby.kerberos.kerb.spec.KerberosTime;
+import org.apache.kerby.kerberos.kerb.spec.base.EncryptedData;
+import org.apache.kerby.kerberos.kerb.spec.base.EncryptionKey;
+import org.apache.kerby.kerberos.kerb.spec.base.EncryptionType;
+import org.apache.kerby.kerberos.kerb.spec.base.HostAddresses;
+import org.apache.kerby.kerberos.kerb.spec.base.KeyUsage;
+import org.apache.kerby.kerberos.kerb.spec.base.PrincipalName;
+import org.apache.kerby.kerberos.kerb.spec.base.TransitedEncoding;
+import org.apache.kerby.kerberos.kerb.spec.base.TransitedEncodingType;
+import org.apache.kerby.kerberos.kerb.spec.kdc.KdcOption;
+import org.apache.kerby.kerberos.kerb.spec.kdc.KdcOptions;
+import org.apache.kerby.kerberos.kerb.spec.kdc.KdcReq;
+import org.apache.kerby.kerberos.kerb.spec.ticket.EncTicketPart;
+import org.apache.kerby.kerberos.kerb.spec.ticket.Ticket;
+import org.apache.kerby.kerberos.kerb.spec.ticket.TicketFlag;
+import org.apache.kerby.kerberos.kerb.spec.ticket.TicketFlags;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * Handling ticket constructing, filling, and issuing.
+ */
+public abstract class TicketIssuer {
+ private static final Logger LOG = LoggerFactory.getLogger(TicketIssuer.class);
+ private final KdcRequest kdcRequest;
+
+ public TicketIssuer(KdcRequest kdcRequest) {
+ this.kdcRequest = kdcRequest;
+ }
+
+ protected KdcRequest getKdcRequest() {
+ return kdcRequest;
+ }
+
+ public Ticket issueTicket() throws KrbException {
+ KdcReq request = kdcRequest.getKdcReq();
+
+ Ticket issuedTicket = new Ticket();
+
+ PrincipalName serverPrincipal = getServerPrincipal();
+ issuedTicket.setSname(serverPrincipal);
+
+ String serverRealm = request.getReqBody().getRealm();
+ issuedTicket.setRealm(serverRealm);
+
+ EncTicketPart encTicketPart = makeEncTicketPart();
+
+ EncryptionKey encryptionKey = getTicketEncryptionKey();
+
+ EncryptedData encryptedData = EncryptionUtil.seal(encTicketPart,
+ encryptionKey, KeyUsage.KDC_REP_TICKET);
+ issuedTicket.setEncryptedEncPart(encryptedData);
+ issuedTicket.setEncPart(encTicketPart);
+
+ return issuedTicket;
+ }
+
+ public EncTicketPart makeEncTicketPart() throws KrbException {
+ KdcReq request = kdcRequest.getKdcReq();
+
+ EncTicketPart encTicketPart = new EncTicketPart();
+ KdcConfig config = kdcRequest.getKdcContext().getConfig();
+
+ TicketFlags ticketFlags = new TicketFlags();
+ encTicketPart.setFlags(ticketFlags);
+ ticketFlags.setFlag(TicketFlag.INITIAL);
+
+ if (kdcRequest.isPreAuthenticated()) {
+ ticketFlags.setFlag(TicketFlag.PRE_AUTH);
+ }
+
+ if (request.getReqBody().getKdcOptions().isFlagSet(KdcOption.FORWARDABLE)) {
+ if (!config.isForwardableAllowed()) {
+ LOG.warn("Forward is not allowed.");
+ throw new KrbException(KrbErrorCode.KDC_ERR_POLICY);
+ }
+
+ ticketFlags.setFlag(TicketFlag.FORWARDABLE);
+ }
+
+ if (request.getReqBody().getKdcOptions().isFlagSet(KdcOption.PROXIABLE)) {
+ if (!config.isProxiableAllowed()) {
+ LOG.warn("Proxy is not allowed.");
+ throw new KrbException(KrbErrorCode.KDC_ERR_POLICY);
+ }
+
+ ticketFlags.setFlag(TicketFlag.PROXIABLE);
+ }
+
+ if (request.getReqBody().getKdcOptions().isFlagSet(KdcOption.ALLOW_POSTDATE)) {
+ if (!config.isPostdatedAllowed()) {
+ LOG.warn("Post date is not allowed.");
+ throw new KrbException(KrbErrorCode.KDC_ERR_POLICY);
+ }
+
+ ticketFlags.setFlag(TicketFlag.MAY_POSTDATE);
+ }
+
+ EncryptionKey sessionKey = EncryptionHandler.random2Key(
+ kdcRequest.getEncryptionType());
+ encTicketPart.setKey(sessionKey);
+
+ encTicketPart.setCname(getclientPrincipal());
+ encTicketPart.setCrealm(request.getReqBody().getRealm());
+
+ TransitedEncoding transEnc = getTransitedEncoding();
+ encTicketPart.setTransited(transEnc);
+
+ KdcOptions kdcOptions = request.getReqBody().getKdcOptions();
+
+ KerberosTime now = KerberosTime.now();
+ encTicketPart.setAuthTime(now);
+
+ KerberosTime krbStartTime = request.getReqBody().getFrom();
+ if (krbStartTime == null || krbStartTime.lessThan(now)
+ || krbStartTime.isInClockSkew(config.getAllowableClockSkew())) {
+ krbStartTime = now;
+ }
+ if (krbStartTime.greaterThan(now)
+ && !krbStartTime.isInClockSkew(config.getAllowableClockSkew())
+ && !kdcOptions.isFlagSet(KdcOption.POSTDATED)) {
+ throw new KrbException(KrbErrorCode.KDC_ERR_CANNOT_POSTDATE);
+ }
+
+ if (kdcOptions.isFlagSet(KdcOption.POSTDATED)) {
+ if (!config.isPostdatedAllowed()) {
+ throw new KrbException(KrbErrorCode.KDC_ERR_POLICY);
+ }
+
+ ticketFlags.setFlag(TicketFlag.POSTDATED);
+ encTicketPart.setStartTime(krbStartTime);
+ }
+
+ KerberosTime krbEndTime = request.getReqBody().getTill();
+ if (krbEndTime == null || krbEndTime.getTime() == 0) {
+ krbEndTime = krbStartTime.extend(config.getMaximumTicketLifetime() * 1000);
+ } else if (krbStartTime.greaterThan(krbEndTime)) {
+ throw new KrbException(KrbErrorCode.KDC_ERR_NEVER_VALID);
+ }
+ encTicketPart.setEndTime(krbEndTime);
+
+ long ticketLifeTime = Math.abs(krbEndTime.diff(krbStartTime));
+ if (ticketLifeTime < config.getMinimumTicketLifetime()) {
+ throw new KrbException(KrbErrorCode.KDC_ERR_NEVER_VALID);
+ }
+
+ KerberosTime krbRtime = request.getReqBody().getRtime();
+ if (kdcOptions.isFlagSet(KdcOption.RENEWABLE_OK)) {
+ kdcOptions.setFlag(KdcOption.RENEWABLE);
+ }
+ if (kdcOptions.isFlagSet(KdcOption.RENEWABLE)) {
+ if (!config.isRenewableAllowed()) {
+ throw new KrbException(KrbErrorCode.KDC_ERR_POLICY);
+ }
+
+ ticketFlags.setFlag(TicketFlag.RENEWABLE);
+
+ if (krbRtime == null || krbRtime.getTime() == 0) {
+ krbRtime = KerberosTime.NEVER;
+ }
+ KerberosTime allowedMaximumRenewableTime = krbStartTime;
+ allowedMaximumRenewableTime = allowedMaximumRenewableTime
+ .extend(config.getMaximumRenewableLifetime() * 1000);
+ if (krbRtime.greaterThan(allowedMaximumRenewableTime)) {
+ krbRtime = allowedMaximumRenewableTime;
+ }
+ encTicketPart.setRenewtill(krbRtime);
+ }
+
+ HostAddresses hostAddresses = request.getReqBody().getAddresses();
+ if (hostAddresses == null || hostAddresses.isEmpty()) {
+ if (!config.isEmptyAddressesAllowed()) {
+ throw new KrbException(KrbErrorCode.KDC_ERR_POLICY);
+ }
+ } else {
+ encTicketPart.setClientAddresses(hostAddresses);
+ }
+
+ return encTicketPart;
+ }
+
+ protected KdcContext getKdcContext() {
+ return kdcRequest.getKdcContext();
+ }
+
+ protected KdcReq getKdcReq() {
+ return kdcRequest.getKdcReq();
+ }
+
+ protected PrincipalName getclientPrincipal() {
+ if (kdcRequest.isToken()) {
+ return new PrincipalName(kdcRequest.getToken().getSubject());
+ } else {
+ return getKdcReq().getReqBody().getCname();
+ }
+ }
+
+ protected PrincipalName getServerPrincipal() {
+ return getKdcReq().getReqBody().getSname();
+ }
+
+ protected EncryptionType getTicketEncryptionType() throws KrbException {
+ EncryptionType encryptionType = kdcRequest.getEncryptionType();
+ return encryptionType;
+ }
+
+ protected EncryptionKey getTicketEncryptionKey() throws KrbException {
+ EncryptionType encryptionType = getTicketEncryptionType();
+ EncryptionKey serverKey =
+ kdcRequest.getServerEntry().getKeys().get(encryptionType);
+ return serverKey;
+ }
+
+ protected TransitedEncoding getTransitedEncoding() {
+ TransitedEncoding transEnc = new TransitedEncoding();
+ transEnc.setTrType(TransitedEncodingType.DOMAIN_X500_COMPRESS);
+ byte[] empty = new byte[0];
+ transEnc.setContents(empty);
+
+ return transEnc;
+ }
+}
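Review bot: `makeEncTicketPart()` sets `TicketFlag.INITIAL` unconditionally (the line right after `encTicketPart.setFlags(ticketFlags)`), yet this base class is also used by ServiceTicketIssuer via TgsRequest.issueTicket() in this commit and ServiceTicketIssuer does not override makeEncTicketPart, so every service ticket issued from a TGT is marked INITIAL. Per RFC 4120 that flag means the ticket came from the AS exchange rather than a TGT, and services rely on it to demand fresh credentials, so the flag should only be set on the TGT path, e.g. `if (kdcRequest instanceof AsRequest) { ticketFlags.setFlag(TicketFlag.INITIAL); }` or a protected hook that TgtTicketIssuer overrides. Separately, `getTicketEncryptionKey()` looks up the server key with the request's encryption type and returns whatever `getKeys().get(encryptionType)` yields; if the server entry has no key of that type the result is presumably null and reaches `EncryptionUtil.seal`, so a null check that throws `KrbException(KrbErrorCode.KDC_ERR_ETYPE_NOSUPP)` (confirm that code exists in KrbErrorCode) would fail closed. The same code is in the deleted TickertIssuer hunk, so this is pre-existing rather than introduced by the rename.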