Posted to commits@directory.apache.org by co...@apache.org on 2019/01/10 11:24:12 UTC
directory-kerby git commit: Process the pre-auth data if it is there
even if pre-auth is not required
Repository: directory-kerby
Updated Branches:
refs/heads/trunk e15570488 -> 56b24f41f
Process the pre-auth data if it is there even if pre-auth is not required
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/56b24f41
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/56b24f41
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/56b24f41
Branch: refs/heads/trunk
Commit: 56b24f41f8de7ea37c2f3cf349962d44b16f8031
Parents: e155704
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Thu Jan 10 11:23:56 2019 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Thu Jan 10 11:23:56 2019 +0000
----------------------------------------------------------------------
.../kerb/server/PreAuthNotRequiredTest.java | 102 +++++++++++++++++++
.../kerb/server/request/KdcRequest.java | 20 ++--
2 files changed, 108 insertions(+), 14 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/56b24f41/kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/PreAuthNotRequiredTest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/PreAuthNotRequiredTest.java b/kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/PreAuthNotRequiredTest.java
new file mode 100644
index 0000000..bf53458
--- /dev/null
+++ b/kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/PreAuthNotRequiredTest.java
@@ -0,0 +1,102 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.server;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+import java.io.File;
+
+import org.apache.kerby.KOptions;
+import org.apache.kerby.kerberos.kerb.client.KrbClient;
+import org.apache.kerby.kerberos.kerb.client.KrbConfigKey;
+import org.apache.kerby.kerberos.kerb.client.KrbOption;
+import org.apache.kerby.kerberos.kerb.identity.backend.BackendConfig;
+import org.apache.kerby.kerberos.kerb.type.ticket.SgtTicket;
+import org.apache.kerby.kerberos.kerb.type.ticket.TgtTicket;
+import org.junit.Test;
+
+/**
+ * Test client connection when pre-auth is not required by the AS
+ */
+public class PreAuthNotRequiredTest extends LoginTestBase {
+
+ @Override
+ protected void setUpKdcServer() throws Exception {
+ KdcConfig config = new KdcConfig();
+ config.setString(KdcConfigKey.PREAUTH_REQUIRED, "false");
+ SimpleKdcServer kdcServer = new TestKdcServer(allowTcp(), allowUdp(), config, new BackendConfig());
+ super.setKdcServer(kdcServer);
+
+ configKdcSeverAndClient();
+
+ prepareKdc();
+
+ kdcServer.start();
+ }
+
+ @Test
+ public void testPreAuthTrue() throws Exception {
+ KrbClient client = super.getKrbClient();
+ client.getKrbConfig().setString(KrbConfigKey.PREAUTH_REQUIRED, "true");
+
+ KOptions requestOptions = new KOptions();
+ requestOptions.add(KrbOption.CLIENT_PRINCIPAL, getClientPrincipal());
+ requestOptions.add(KrbOption.USE_KEYTAB, true);
+
+ File keytab = new File(getTestDir(), "test-client.keytab");
+ requestOptions.add(KrbOption.KEYTAB_FILE, keytab);
+
+ getKdcServer().exportPrincipal(getClientPrincipal(), keytab);
+
+ TgtTicket tgt = client.requestTgt(requestOptions);
+ assertThat(tgt).isNotNull();
+
+ SgtTicket tkt = client.requestSgt(tgt, getServerPrincipal());
+ assertThat(tkt).isNotNull();
+
+ keytab.delete();
+
+ }
+
+ @Test
+ public void testPreAuthFalse() throws Exception {
+ KrbClient client = super.getKrbClient();
+ client.getKrbConfig().setString(KrbConfigKey.PREAUTH_REQUIRED, "false");
+
+ KOptions requestOptions = new KOptions();
+ requestOptions.add(KrbOption.CLIENT_PRINCIPAL, getClientPrincipal());
+ requestOptions.add(KrbOption.USE_KEYTAB, true);
+
+ File keytab = new File(getTestDir(), "test-client.keytab");
+ requestOptions.add(KrbOption.KEYTAB_FILE, keytab);
+
+ getKdcServer().exportPrincipal(getClientPrincipal(), keytab);
+
+ TgtTicket tgt = client.requestTgt(requestOptions);
+ assertThat(tgt).isNotNull();
+
+ SgtTicket tkt = client.requestSgt(tgt, getServerPrincipal());
+ assertThat(tkt).isNotNull();
+
+ keytab.delete();
+
+ }
+
+}
\ No newline at end of file
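Review bot: Both tests only assert a successful login, so nothing pins the behaviour this commit is about: pre-auth data that is present but invalid should be rejected even when the KDC has `PREAUTH_REQUIRED` set to `"false"`. A third case that requests a TGT with a key that does not match the principal and asserts that `requestTgt` throws would cover it. Separately, `keytab.delete()` runs only after the assertions, so a failing assertion leaves the exported key material in the test directory; `try { ... } finally { keytab.delete(); }` avoids that. The two test bodies differ only in the client config value and could share one helper.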
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/56b24f41/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
index 2e97451..2fc938c 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
@@ -170,16 +170,12 @@ public abstract class KdcRequest {
public void process() throws KrbException {
checkVersion();
checkTgsEntry();
- if (isPreauthRequired()) {
- kdcFindFast();
- }
+ kdcFindFast();
checkEncryptionType();
if (PreauthHandler.isToken(getKdcReq().getPaData())) {
isToken = true;
- if (isPreauthRequired()) {
- preauth();
- }
+ preauth();
checkClient();
checkServer();
} else {
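Review bot: `kdcFindFast()` and `preauth()` are now called for every request in `process()`, but nothing at the call sites says that the pre-auth-required decision has moved into `preauth()`. A short comment above each call, such as `// Always process pa-data when present; preauth() enforces isPreauthRequired() itself`, would keep a later reader from re-adding the guard; the same applies to the `preauth()` call in the next hunk (-188). `kdcFindFast()` is not part of this diff, so it is worth confirming that it tolerates a request with no pa-data, since it previously ran only when pre-auth was required. `process()` continues past the end of this hunk.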
@@ -188,9 +184,7 @@ public abstract class KdcRequest {
}
checkClient();
checkServer();
- if (isPreauthRequired()) {
- preauth();
- }
+ preauth();
}
checkPolicy();
issueTicket();
@@ -670,15 +664,12 @@ public abstract class KdcRequest {
protected abstract void checkClient() throws KrbException;
/**
- * Do the preatuh.
+ * Do the preauth.
*
* @throws org.apache.kerby.kerberos.kerb.KrbException e
*/
protected void preauth() throws KrbException {
KdcReq request = getKdcReq();
-
- PaData preAuthData = request.getPaData();
-
if (isAnonymous && !isPkinit) {
LOG.info("Need PKINIT.");
KrbError krbError = makePreAuthenticationError(kdcContext, request,
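Review bot: The Javadoc on `preauth()` still says only "Do the preauth." with `@throws ... KrbException e`, although after this commit the method is called unconditionally and decides for itself whether missing pa-data is an error. Assuming the rest of the method verifies the supplied data, the summary could read `Process any pre-authentication data sent with the request; fail if none was sent and pre-auth is required.` The `@throws` line should name the conditions visible here (anonymous request without PKINIT, missing pa-data when required). `preauth()` continues past the end of this hunk.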
@@ -686,7 +677,8 @@ public abstract class KdcRequest {
throw new KdcRecoverableException(krbError);
}
- if (preAuthData == null || preAuthData.isEmpty()) {
+ PaData preAuthData = request.getPaData();
+ if (isPreauthRequired() && (preAuthData == null || preAuthData.isEmpty())) {
LOG.info("The preauth data is empty.");
KrbError krbError = makePreAuthenticationError(kdcContext, request,
KrbErrorCode.KDC_ERR_PREAUTH_REQUIRED, false);
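Review bot: Because the empty-pa-data check is now gated on `isPreauthRequired()`, a request with no pa-data passes this guard on a KDC that does not require pre-auth, with `preAuthData` possibly null. The rest of `preauth()` lies outside the hunk, so please confirm that the code after the guard skips verification cleanly in that case and does not record the request as pre-authenticated when nothing was verified. If it is not already guarded, a check such as `if (preAuthData != null && !preAuthData.isEmpty())` around the verification step would make that explicit.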