Posted to commits@directory.apache.org by co...@apache.org on 2023/03/30 09:50:44 UTC

[directory-kerby] branch 1.1.x-fixes updated (e05d0df0 -> 9c30c050)

This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a change to branch 1.1.x-fixes
in repository https://gitbox.apache.org/repos/asf/directory-kerby.git


    from e05d0df0 DIRKRB-734 - Adding a test
     new 750498cd Adding some tests to make sure signatures are required for JWT tests
     new 9c30c050 JWT fix

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 .../kerb/integration/test/JWTTokenTest.java        | 96 +++++++++++++++++++++-
 .../kerb/server/preauth/token/TokenPreauth.java    |  2 +-
 2 files changed, 96 insertions(+), 2 deletions(-)


[directory-kerby] 02/02: JWT fix

Posted by co...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch 1.1.x-fixes
in repository https://gitbox.apache.org/repos/asf/directory-kerby.git

commit 9c30c050828b282daa108eba3cf364caa6ea11d3
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Thu Mar 30 07:41:54 2023 +0100

    JWT fix
---
 .../apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java
index 8809399c..e57433b5 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java
@@ -97,7 +97,7 @@ public class TokenPreauth extends AbstractPreauthPlugin {
             AuthToken authToken = null;
             try {
                 authToken = tokenDecoder.decodeFromBytes(token.getTokenValue());
-                if (!tokenDecoder.isSigned() && !kdcRequest.isHttps()) {
+                if (!tokenDecoder.isSigned()) {
                     throw new KrbException("Token should be signed.");
                 }
             } catch (IOException e) {
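Review bot: The new condition on the `+` line rejects unsigned tokens on every transport, but nothing in the hunk records why the HTTPS exemption was dropped, so a later maintainer may be tempted to reinstate it; add `// Require a signature regardless of transport: TLS protects the channel, not the token's origin.` above the `if`. As far as this hunk shows, `isSigned()` only reports that a signature is present; whether it is verified against a trusted key presumably happens elsewhere, so the comment should claim no more than presence. The enclosing method starts and ends outside the hunk.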


[directory-kerby] 01/02: Adding some tests to make sure signatures are required for JWT tests

Posted by co...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch 1.1.x-fixes
in repository https://gitbox.apache.org/repos/asf/directory-kerby.git

commit 750498cd7f483731650fb47cea2ddeddce535c80
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Thu Mar 30 07:10:42 2023 +0100

    Adding some tests to make sure signatures are required for JWT tests
---
 .../kerb/integration/test/JWTTokenTest.java        | 96 +++++++++++++++++++++-
 1 file changed, 95 insertions(+), 1 deletion(-)

diff --git a/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/JWTTokenTest.java b/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/JWTTokenTest.java
index 116185ad..cc8b3b0f 100644
--- a/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/JWTTokenTest.java
+++ b/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/JWTTokenTest.java
@@ -216,6 +216,55 @@ public class JWTTokenTest extends TokenLoginTestBase {
         cCacheFile.delete();
     }
 
+    @org.junit.Test
+    public void accessTokenNoSignature() throws Exception {
+
+        KrbClient client = getKrbClient();
+
+        // Get a TGT
+        TgtTicket tgt = client.requestTgt(getClientPrincipal(), getClientPassword());
+        assertNotNull(tgt);
+
+        // Write to cache
+        Credential credential = new Credential(tgt);
+        CredentialCache cCache = new CredentialCache();
+        cCache.addCredential(credential);
+        cCache.setPrimaryPrincipal(tgt.getClientPrincipal());
+
+        File cCacheFile = Files.createTempFile("krb5_" + getClientPrincipal(), "cc").toFile();
+        cCache.store(cCacheFile);
+
+        KrbTokenClient tokenClient = new KrbTokenClient(client);
+
+        tokenClient.setKdcHost(client.getSetting().getKdcHost());
+        tokenClient.setKdcTcpPort(client.getSetting().getKdcTcpPort());
+
+        tokenClient.setKdcRealm(client.getSetting().getKdcRealm());
+        tokenClient.init();
+
+        // Create a JWT token with an invalid audience
+        AuthToken authToken = issueToken(getClientPrincipal());
+        authToken.isAcToken(true);
+        authToken.isIdToken(false);
+        authToken.setAudiences(Collections.singletonList(getServerPrincipal()));
+        KrbToken krbToken = new KrbToken(authToken, TokenFormat.JWT);
+
+        TokenEncoder tokenEncoder = KrbRuntime.getTokenProvider("JWT").createTokenEncoder();
+        assertTrue(tokenEncoder instanceof JwtTokenEncoder);
+
+        krbToken.setTokenValue(tokenEncoder.encodeAsBytes(authToken));
+
+        // Now get a SGT using the JWT
+        try {
+            tokenClient.requestSgt(krbToken, getServerPrincipal(), cCacheFile.getPath());
+            fail("Failure expected on no signature");
+        } catch (KrbException ex) {
+            assertTrue(ex.getMessage().contains("Token should be signed"));
+        } finally {
+            cCacheFile.delete();
+        }
+    }
+
     @org.junit.Test
     public void accessTokenUnknownIssuer() throws Exception {
 
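Review bot: The comment `// Create a JWT token with an invalid audience` in accessTokenNoSignature does not describe what the test does — the audience is set to the server principal and the failing property is the missing signature; change it to `// Create an unsigned JWT access token (no signing key is applied)`. The same copy-paste wording appears in the identityTokenNoSignature hunk below, where `fail("Failure expected on an invalid signature")` should read `fail("Failure expected on no signature")` to match the access-token test. Both tests assert on the substring `"Token should be signed"`, which couples them to the exact message text in TokenPreauth; that is acceptable here but worth a short comment so the strings are changed together.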
@@ -448,7 +497,6 @@ public class JWTTokenTest extends TokenLoginTestBase {
 
         // Create a JWT token
         AuthToken authToken = issueToken(getClientPrincipal());
-        authToken.setAudiences(Collections.singletonList(authToken.getAudiences().get(0) + "_"));
         KrbToken krbToken = new KrbToken(authToken, TokenFormat.JWT);
 
         KeyPair keyPair = KeyPairGenerator.getInstance("RSA").generateKeyPair();
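Review bot: The removed `setAudiences` line changes what the enclosing test exercises — it no longer sends a mangled audience — yet neither the commit message nor the hunk explains why; the test's name and the rest of its body are outside the hunk, so it is not visible whether the original audience manipulation was a copy-paste error or a deliberate negative case that is now lost. A one-line comment at the site, or a sentence in the commit message, stating that the audience mangling was removed because it made the test exercise the wrong rejection path, would make the intent traceable.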
@@ -465,6 +513,52 @@ public class JWTTokenTest extends TokenLoginTestBase {
         cCacheFile.delete();
     }
 
+    @org.junit.Test
+    public void identityTokenNoSignature() throws Exception {
+
+        KrbClient client = getKrbClient();
+
+        // Get a TGT
+        TgtTicket tgt = client.requestTgt(getClientPrincipal(), getClientPassword());
+        assertNotNull(tgt);
+
+        // Write to cache
+        Credential credential = new Credential(tgt);
+        CredentialCache cCache = new CredentialCache();
+        cCache.addCredential(credential);
+        cCache.setPrimaryPrincipal(tgt.getClientPrincipal());
+
+        File cCacheFile = Files.createTempFile("krb5_" + getClientPrincipal(), "cc").toFile();
+        cCache.store(cCacheFile);
+
+        KrbTokenClient tokenClient = new KrbTokenClient(client);
+
+        tokenClient.setKdcHost(client.getSetting().getKdcHost());
+        tokenClient.setKdcTcpPort(client.getSetting().getKdcTcpPort());
+
+        tokenClient.setKdcRealm(client.getSetting().getKdcRealm());
+        tokenClient.init();
+
+        // Create a JWT token
+        AuthToken authToken = issueToken(getClientPrincipal());
+        KrbToken krbToken = new KrbToken(authToken, TokenFormat.JWT);
+
+        TokenEncoder tokenEncoder = KrbRuntime.getTokenProvider("JWT").createTokenEncoder();
+        assertTrue(tokenEncoder instanceof JwtTokenEncoder);
+
+        krbToken.setTokenValue(tokenEncoder.encodeAsBytes(authToken));
+
+        // Now get a TGT using the JWT token
+        try {
+            tokenClient.requestTgt(krbToken, cCacheFile.getPath());
+            fail("Failure expected on an invalid signature");
+        } catch (KrbException ex) {
+            assertTrue(ex.getMessage().contains("Token should be signed"));
+        } finally {
+            cCacheFile.delete();
+        }
+    }
+
     @org.junit.Test
     public void identityTokenUnknownIssuer() throws Exception {
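Review bot: identityTokenNoSignature repeats the TGT request, credential-cache setup and KrbTokenClient initialisation verbatim from accessTokenNoSignature in the hunk above, and the same lines appear to recur in the surrounding existing tests; extracting a private helper such as `initTokenClient(KrbClient client)` that returns the configured `KrbTokenClient` would leave each test showing only the token construction it is about. The cleanup in `finally` is correct and should be kept in the extracted form, since the cache file is created before the assertions that can fail.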