Posted to commits@directory.apache.org by dr...@apache.org on 2015/03/11 22:48:26 UTC
[13/14] directory-kerberos git commit: Reorganized token related
project layout
Reorganized token related project layout
Project: http://git-wip-us.apache.org/repos/asf/directory-kerberos/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerberos/commit/bffabdc7
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerberos/tree/bffabdc7
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerberos/diff/bffabdc7
Branch: refs/heads/installation
Commit: bffabdc723d735192880ccbbb4728d96e153a76b
Parents: 2d36679
Author: Drankye <dr...@gmail.com>
Authored: Thu Mar 12 05:38:30 2015 +0800
Committer: Drankye <dr...@gmail.com>
Committed: Thu Mar 12 05:38:30 2015 +0800
----------------------------------------------------------------------
kdc-tool/pom.xml | 1 +
kdc-tool/token-tool/pom.xml | 49 ++++++++
.../org/apache/kerby/token/AuthzDataEntry.java | 52 ++++++++
.../java/org/apache/kerby/token/TokenCache.java | 82 ++++++++++++
.../org/apache/kerby/token/TokenExtractor.java | 102 +++++++++++++++
.../java/org/apache/kerby/token/TokenTool.java | 125 +++++++++++++++++++
.../kerby/kerberos/kerb/client/KrbClient.java | 2 +-
.../kerb/client/preauth/token/TokenContext.java | 2 +-
.../kerb/client/preauth/token/TokenPreauth.java | 2 +-
.../kerberos/kerb/spec/pa/token/KerbToken.java | 50 ++++++++
.../kerberos/kerb/server/WithTokenKdcTest.java | 2 +-
lib/kerby-token/pom.xml | 44 -------
.../org/apache/kerby/token/AuthzDataEntry.java | 52 --------
.../java/org/apache/kerby/token/KerbToken.java | 47 -------
.../java/org/apache/kerby/token/TokenCache.java | 82 ------------
.../org/apache/kerby/token/TokenExtractor.java | 101 ---------------
.../java/org/apache/kerby/token/TokenTool.java | 124 ------------------
lib/pom.xml | 1 -
18 files changed, 465 insertions(+), 455 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/bffabdc7/kdc-tool/pom.xml
----------------------------------------------------------------------
diff --git a/kdc-tool/pom.xml b/kdc-tool/pom.xml
index 4999d0d..da3cb47 100644
--- a/kdc-tool/pom.xml
+++ b/kdc-tool/pom.xml
@@ -28,5 +28,6 @@
<modules>
<module>kinit</module>
+ <module>token-tool</module>
</modules>
</project>
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/bffabdc7/kdc-tool/token-tool/pom.xml
----------------------------------------------------------------------
diff --git a/kdc-tool/token-tool/pom.xml b/kdc-tool/token-tool/pom.xml
new file mode 100644
index 0000000..10c3e1e
--- /dev/null
+++ b/kdc-tool/token-tool/pom.xml
@@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License. See accompanying LICENSE file.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+ <modelVersion>4.0.0</modelVersion>
+
+ <parent>
+ <groupId>org.apache.kerby</groupId>
+ <artifactId>kdc-tool</artifactId>
+ <version>1.0-SNAPSHOT</version>
+ </parent>
+
+ <artifactId>token-tool</artifactId>
+ <name>Token Tool Project</name>
+ <version>1.0-SNAPSHOT</version>
+ <packaging>jar</packaging>
+
+ <dependencies>
+ <dependency>
+ <groupId>com.nimbusds</groupId>
+ <artifactId>nimbus-jose-jwt</artifactId>
+ <version>3.8.2</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.kerby</groupId>
+ <artifactId>kerb-core</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.kerby</groupId>
+ <artifactId>kerby-asn1</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ </dependencies>
+
+</project>
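Review bot: The nimbus-jose-jwt version `3.8.2` is pinned as a literal at L92, the same literal that sat in the deleted lib/kerby-token pom, so the JOSE library version now lives in module poms rather than in one place. Hoist it into the parent's `<dependencyManagement>` so a future upgrade of the token-parsing library (the component most likely to need a security bump) is a single edit, and keep the module dependency as `<artifactId>nimbus-jose-jwt</artifactId>` without a version.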
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/bffabdc7/kdc-tool/token-tool/src/main/java/org/apache/kerby/token/AuthzDataEntry.java
----------------------------------------------------------------------
diff --git a/kdc-tool/token-tool/src/main/java/org/apache/kerby/token/AuthzDataEntry.java b/kdc-tool/token-tool/src/main/java/org/apache/kerby/token/AuthzDataEntry.java
new file mode 100644
index 0000000..d4bfedb
--- /dev/null
+++ b/kdc-tool/token-tool/src/main/java/org/apache/kerby/token/AuthzDataEntry.java
@@ -0,0 +1,52 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.token;
+
+import org.apache.kerby.asn1.type.Asn1FieldInfo;
+import org.apache.kerby.asn1.type.Asn1Integer;
+import org.apache.kerby.asn1.type.Asn1OctetString;
+import org.apache.kerby.asn1.type.Asn1SequenceType;
+
+/**
+ AuthorizationData ::= SEQUENCE OF SEQUENCE {
+ ad-type [0] Int32,
+ ad-data [1] OCTET STRING
+ }
+ */
+public class AuthzDataEntry extends Asn1SequenceType {
+ static int AD_TYPE = 0;
+ static int AD_DATA = 1;
+
+ public AuthzDataEntry() {
+ super(new Asn1FieldInfo[] {
+ new Asn1FieldInfo(AD_TYPE, Asn1Integer.class),
+ new Asn1FieldInfo(AD_DATA, Asn1OctetString.class)
+ });
+ }
+
+ public int getAuthzType() {
+ Integer value = getFieldAsInteger(AD_TYPE);
+ return value;
+ }
+
+ public byte[] getAuthzData() {
+ return getFieldAsOctets(AD_DATA);
+ }
+}
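Review bot: getAuthzType at L159–L160 auto-unboxes the Integer from getFieldAsInteger, so if that accessor yields null for an entry with no ad-type field the caller gets a bare NullPointerException from inside ASN.1 decoding instead of a decode error; since ad-type is mandatory in the schema, check for null and throw with a clear message, e.g. `if (value == null) throw new IllegalStateException("ad-type missing in AuthorizationData entry");`. AD_TYPE and AD_DATA at L148–L149 are mutable package-visible statics used as tag indices; make them `private static final int`. The class comment at L141–L146 describes the whole `SEQUENCE OF`, but this class models one element; `AuthorizationDataEntry ::= SEQUENCE { ad-type [0] Int32, ad-data [1] OCTET STRING }` would describe what it actually decodes.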
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/bffabdc7/kdc-tool/token-tool/src/main/java/org/apache/kerby/token/TokenCache.java
----------------------------------------------------------------------
diff --git a/kdc-tool/token-tool/src/main/java/org/apache/kerby/token/TokenCache.java b/kdc-tool/token-tool/src/main/java/org/apache/kerby/token/TokenCache.java
new file mode 100644
index 0000000..51e3593
--- /dev/null
+++ b/kdc-tool/token-tool/src/main/java/org/apache/kerby/token/TokenCache.java
@@ -0,0 +1,82 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.token;
+
+import java.io.*;
+
+public class TokenCache {
+ private static final String DEFAULT_TOKEN_CACHE_PATH = ".tokenauth";
+ private static final String TOKEN_CACHE_FILE = ".tokenauth.token";
+
+ public static String readToken(String tokenCacheFile) {
+ File cacheFile = null;
+
+ if (tokenCacheFile != null && ! tokenCacheFile.isEmpty()) {
+ cacheFile = new File(tokenCacheFile);
+ if (!cacheFile.exists()) {
+ throw new RuntimeException("Invalid token cache specified: " + tokenCacheFile);
+ };
+ } else {
+ cacheFile = getDefaultTokenCache();
+ if (!cacheFile.exists()) {
+ throw new RuntimeException("No token cache available by default");
+ };
+ }
+
+ String token = null;
+ try {
+ BufferedReader reader = new BufferedReader(new FileReader(cacheFile));
+ String line = reader.readLine();
+ reader.close();
+ if (line != null) {
+ token = line;
+ }
+ } catch (IOException ex) {
+ //NOP
+ }
+
+ return token;
+ }
+
+ public static void writeToken(String token) {
+ File cacheFile = getDefaultTokenCache();
+
+ try {
+ Writer writer = new FileWriter(cacheFile);
+ writer.write(token.toString());
+ writer.close();
+ // sets read-write permissions to owner only
+ cacheFile.setReadable(false, false);
+ cacheFile.setReadable(true, true);
+ cacheFile.setWritable(true, true);
+ }
+ catch (IOException ioe) {
+ // if case of any error we just delete the cache, if user-only
+ // write permissions are not properly set a security exception
+ // is thrown and the file will be deleted.
+ cacheFile.delete();
+ }
+ }
+
+ public static File getDefaultTokenCache() {
+ String homeDir = System.getProperty("user.home", DEFAULT_TOKEN_CACHE_PATH);
+ return new File(homeDir, TOKEN_CACHE_FILE);
+ }
+}
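Review bot: writeToken at L236–L242 creates the cache file with default umask permissions and only restricts it after the whole token has been written, so there is a window in which other local users can read a bearer credential; the file should be created and restricted before any token bytes are written, and the boolean results of setReadable/setWritable must be checked, since they return false on failure rather than throwing the "security exception" the comment at L245–L247 describes. Neither the reader at L219–L221 nor the writer at L236–L238 is closed on an exception path, and readToken at L225–L227 swallows IOException and returns null, making an unreadable cache indistinguishable from an empty one. Both FileReader and FileWriter also use the platform default charset; the token is ASCII so this is benign, but `StandardCharsets.UTF_8` makes it explicit (needs a java.nio.charset import). On POSIX, `Files.createFile` with `PosixFilePermissions.asFileAttribute(...)` would close the remaining create-then-chmod race entirely; the rewrite below is the portable minimum.
```java
    public static void writeToken(String token) {
        File cacheFile = getDefaultTokenCache();

        try {
            // Create (or reuse) the file and restrict it to the owner BEFORE
            // any token bytes are written, so the token is never readable by others.
            if (!cacheFile.exists() && !cacheFile.createNewFile()) {
                throw new IOException("Cannot create token cache: " + cacheFile);
            }
            boolean ownerOnly = cacheFile.setReadable(false, false)
                    && cacheFile.setWritable(false, false)
                    && cacheFile.setReadable(true, true)
                    && cacheFile.setWritable(true, true);
            if (!ownerOnly) {
                throw new IOException("Cannot restrict token cache permissions: " + cacheFile);
            }
            try (Writer writer = new OutputStreamWriter(
                    new FileOutputStream(cacheFile), StandardCharsets.UTF_8)) {
                writer.write(token);
            }
        } catch (IOException ioe) {
            // Never leave a partial or over-permissive cache behind, and tell
            // the caller instead of silently discarding the token.
            cacheFile.delete();
            throw new RuntimeException("Failed to write token cache: " + cacheFile, ioe);
        }
    }
```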
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/bffabdc7/kdc-tool/token-tool/src/main/java/org/apache/kerby/token/TokenExtractor.java
----------------------------------------------------------------------
diff --git a/kdc-tool/token-tool/src/main/java/org/apache/kerby/token/TokenExtractor.java b/kdc-tool/token-tool/src/main/java/org/apache/kerby/token/TokenExtractor.java
new file mode 100644
index 0000000..2eed75c
--- /dev/null
+++ b/kdc-tool/token-tool/src/main/java/org/apache/kerby/token/TokenExtractor.java
@@ -0,0 +1,102 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.token;
+
+import com.sun.security.jgss.AuthorizationDataEntry;
+import com.sun.security.jgss.ExtendedGSSContext;
+import com.sun.security.jgss.InquireType;
+import org.apache.kerby.asn1.type.Asn1SequenceOf;
+import org.apache.kerby.kerberos.kerb.spec.pa.token.KerbToken;
+import org.ietf.jgss.GSSContext;
+import org.ietf.jgss.GSSException;
+
+import java.io.IOException;
+import java.util.List;
+
+public class TokenExtractor {
+ static final int JWT_AUTHZ_DATA_TYPE = 81;
+ public static final int AD_IF_RELEVANT_TYPE = 1;
+
+ /**
+ AuthorizationData ::= SEQUENCE OF SEQUENCE {
+ ad-type [0] Int32,
+ ad-data [1] OCTET STRING
+ }
+ */
+ public static class AuthorizationData extends Asn1SequenceOf<AuthzDataEntry> {
+
+ }
+
+ public static KerbToken checkAuthzData(GSSContext context) throws GSSException, IOException {
+ System.out.println("Looking for token from authorization data in GSSContext");
+
+ Object authzData = null;
+ if (context instanceof ExtendedGSSContext) {
+ ExtendedGSSContext ex = (ExtendedGSSContext)context;
+ authzData = ex.inquireSecContext(
+ InquireType.KRB5_GET_AUTHZ_DATA);
+ }
+
+ if (authzData != null) {
+ AuthorizationDataEntry[] authzEntries = (AuthorizationDataEntry[]) authzData;
+ KerbToken resultToken = null;
+ for (int i = 0; i < authzEntries.length; ++i) {
+ resultToken = getAuthzToken(authzEntries[i]);
+ if (resultToken != null) {
+ return resultToken;
+ }
+ }
+ }
+ return null;
+ }
+
+ public static KerbToken getAuthzToken(AuthorizationDataEntry authzDataEntry) throws IOException {
+ if (authzDataEntry.getType() == AD_IF_RELEVANT_TYPE) {
+ String token = getToken(authzDataEntry);
+ if (token == null) {
+ return null;
+ }
+
+ try {
+ return TokenTool.fromJwtToken(token);
+ } catch (Exception e) {
+ // noop when not jwt token
+ }
+ }
+
+ return null;
+ }
+
+ public static String getToken(AuthorizationDataEntry authzDataEntry) throws IOException {
+ List<AuthzDataEntry> entries = decode(authzDataEntry);
+ for (AuthzDataEntry entry : entries) {
+ if (entry.getAuthzType() == JWT_AUTHZ_DATA_TYPE) {
+ return new String(entry.getAuthzData());
+ }
+ }
+ return null;
+ }
+
+ public static List<AuthzDataEntry> decode(AuthorizationDataEntry authzDataEntry) throws IOException {
+ AuthorizationData authzData = new AuthorizationData();
+ authzData.decode(authzDataEntry.getData());
+ return authzData.getElements();
+ }
+}
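Review bot: getAuthzToken at L341–L345 catches every Exception from TokenTool.fromJwtToken and silently returns null, so a malformed or unexpectedly typed token inside AD-IF-RELEVANT is indistinguishable from "no token present" and the failure is never surfaced; narrow it to `catch (ParseException e)` and log the reason before returning null. getToken at L355 converts the octet string with `new String(entry.getAuthzData())`, which uses the platform charset; use `new String(entry.getAuthzData(), StandardCharsets.UTF_8)` (JWT compact serialization is ASCII). Because fromJwtToken parses the value as a PlainJWT (see TokenTool), the token returned by checkAuthzData carries no signature, so any trust a caller places in its claims rests solely on the integrity protection of the ticket the authorization data came from; that deserves a Javadoc line on checkAuthzData. The `System.out.println` at L312 belongs in a logger, not stdout, for a library class.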
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/bffabdc7/kdc-tool/token-tool/src/main/java/org/apache/kerby/token/TokenTool.java
----------------------------------------------------------------------
diff --git a/kdc-tool/token-tool/src/main/java/org/apache/kerby/token/TokenTool.java b/kdc-tool/token-tool/src/main/java/org/apache/kerby/token/TokenTool.java
new file mode 100644
index 0000000..9946dfa
--- /dev/null
+++ b/kdc-tool/token-tool/src/main/java/org/apache/kerby/token/TokenTool.java
@@ -0,0 +1,125 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.token;
+
+import com.nimbusds.jose.PlainHeader;
+import com.nimbusds.jwt.JWT;
+import com.nimbusds.jwt.JWTClaimsSet;
+import com.nimbusds.jwt.PlainJWT;
+import org.apache.kerby.kerberos.kerb.spec.pa.token.KerbToken;
+
+import java.text.ParseException;
+import java.util.*;
+
+public class TokenTool {
+
+ public static JWT issueToken(String principal, String group, String role) {
+ // must have for kerb-token
+ String krbPrincipal = principal + "@SH.INTEL.COM";
+
+ PlainHeader header = new PlainHeader();
+ //header.setCustomParameter("krbPrincipal", krbPrincipal);
+
+ JWTClaimsSet jwtClaims = new JWTClaimsSet();
+
+ String iss = "token-service";
+ jwtClaims.setIssuer(iss);
+
+ String sub = principal;
+ jwtClaims.setSubject(sub);
+
+ // must have for kerb-token
+ jwtClaims.setSubject(krbPrincipal);
+
+ jwtClaims.setClaim("group", group);
+ if (role != null) {
+ jwtClaims.setClaim("role", role);
+ }
+
+ List<String> aud = new ArrayList<String>();
+ aud.add("krb5kdc-with-token-extension");
+ jwtClaims.setAudience(aud);
+
+ // Set expiration in 60 minutes
+ final Date NOW = new Date(new Date().getTime() / 1000 * 1000);
+ Date exp = new Date(NOW.getTime() + 1000 * 60 * 60);
+ jwtClaims.setExpirationTime(exp);
+
+ Date nbf = NOW;
+ jwtClaims.setNotBeforeTime(nbf);
+
+ Date iat = NOW;
+ jwtClaims.setIssueTime(iat);
+
+ String jti = UUID.randomUUID().toString();
+ jwtClaims.setJWTID(jti);
+
+ PlainJWT jwt = new PlainJWT(header, jwtClaims);
+ return jwt;
+ }
+
+ public static JWT decodeToken(String token) throws ParseException {
+ PlainJWT jwt = PlainJWT.parse(token);
+
+ return jwt;
+ }
+
+ public static KerbToken fromJwtToken(String token) throws ParseException {
+ Map<String, Object> attrs = decodeAndExtractTokenAttributes(token);
+ return new KerbToken(attrs);
+ }
+
+ public static Map<String, Object> decodeAndExtractTokenAttributes(String token) throws ParseException {
+ PlainJWT jwt = PlainJWT.parse(token);
+
+ Map<String, Object> attrs = new HashMap<String, Object>();
+ attrs.putAll(jwt.getJWTClaimsSet().getAllClaims());
+ //attrs.putAll(jwt.getHeader().getCustomParameters());
+
+ return attrs;
+ }
+
+ public static void main(String[] args) throws ParseException {
+ String principal, group, role = null;
+
+ if (args.length != 2 && args.length != 3) {
+ System.out.println("This is a simple token issuing tool just for kerb-token PoC usage\n");
+ System.out.println("tokeninit <username> <group> [role]\n");
+ System.exit(1);
+ }
+ principal = args[0];
+ group = args[1];
+ if (args.length > 2) {
+ role = args[2];
+ }
+
+ JWT jwt = issueToken(principal, group, role);
+ String token = jwt.serialize();
+
+ TokenCache.writeToken(token);
+ System.out.println("Issued token: " + token);
+
+ /*
+ JWT jwt2 = decodeToken(token);
+ String krbPrincipal = (String) jwt2.getHeader().getCustomParameter("krbPrincipal");
+ System.out.println("Decoded token with krbprincipal: " + krbPrincipal);
+ */
+ }
+}
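Review bot: issueToken builds a PlainJWT at L448 and decodeToken/decodeAndExtractTokenAttributes at L453 and L464 only ever call PlainJWT.parse, so every token on this path is unsigned (alg `none`) and nothing can establish who issued it; L477 says this is PoC-only, so say it where readers will see it, e.g. a class Javadoc `/** PoC-only token tool: issues and parses UNSIGNED plain JWTs. Not for production use; a KDC must not trust claims from these tokens without an outer integrity check. */`. The realm is hard-coded as `"@SH.INTEL.COM"` at L409 and setSubject is called twice at L420 and L423 with the first value overwritten; make the realm a parameter or system property and drop the dead assignment. main prints the full bearer token to stdout at L491 immediately after caching it, leaving the credential in terminal scrollback and shell logs; print the cache path or the `jti` instead. The commented-out code at L412, L468 and L493–L497 should be removed rather than shipped.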
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/bffabdc7/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbClient.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbClient.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbClient.java
index 55a18db..201566e 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbClient.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbClient.java
@@ -34,7 +34,7 @@ import org.apache.kerby.kerberos.kerb.spec.common.KrbError;
import org.apache.kerby.kerberos.kerb.spec.common.PrincipalName;
import org.apache.kerby.kerberos.kerb.spec.ticket.ServiceTicket;
import org.apache.kerby.kerberos.kerb.spec.ticket.TgtTicket;
-import org.apache.kerby.token.KerbToken;
+import org.apache.kerby.kerberos.kerb.spec.pa.token.KerbToken;
import org.apache.kerby.transport.Network;
import org.apache.kerby.transport.Transport;
import org.apache.kerby.transport.event.TransportEvent;
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/bffabdc7/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/token/TokenContext.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/token/TokenContext.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/token/TokenContext.java
index e1696dc..f46956c 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/token/TokenContext.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/token/TokenContext.java
@@ -19,7 +19,7 @@
*/
package org.apache.kerby.kerberos.kerb.client.preauth.token;
-import org.apache.kerby.token.KerbToken;
+import org.apache.kerby.kerberos.kerb.spec.pa.token.KerbToken;
public class TokenContext {
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/bffabdc7/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/token/TokenPreauth.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/token/TokenPreauth.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/token/TokenPreauth.java
index f67ad71..b912311 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/token/TokenPreauth.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/token/TokenPreauth.java
@@ -33,7 +33,7 @@ import org.apache.kerby.kerberos.kerb.spec.common.EncryptionType;
import org.apache.kerby.kerberos.kerb.spec.pa.PaData;
import org.apache.kerby.kerberos.kerb.spec.pa.PaDataEntry;
import org.apache.kerby.kerberos.kerb.spec.pa.PaDataType;
-import org.apache.kerby.token.KerbToken;
+import org.apache.kerby.kerberos.kerb.spec.pa.token.KerbToken;
import java.util.Collections;
import java.util.List;
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/bffabdc7/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/spec/pa/token/KerbToken.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/spec/pa/token/KerbToken.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/spec/pa/token/KerbToken.java
new file mode 100644
index 0000000..360c979
--- /dev/null
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/spec/pa/token/KerbToken.java
@@ -0,0 +1,50 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.spec.pa.token;
+
+import java.util.Map;
+
+/**
+ * This is the token definition according to TokenPreauth draft.
+ */
+public class KerbToken {
+
+ private Map<String, Object> attributes;
+
+ public KerbToken(Map<String, Object> attributes) {
+ this.attributes = attributes;
+ }
+
+ public Map<String, Object> getAttributes() {
+ return attributes;
+ }
+
+ public String getPrincipal() {
+ return (String) attributes.get("sub");
+ }
+
+ public String[] getGroups() {
+ String grp = (String) attributes.get("group");
+ if (grp != null) {
+ return new String[] { grp };
+ }
+ return new String[0];
+ }
+}
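Review bot: getPrincipal at L588 and getGroups at L592 cast claim values straight to String, so a token whose `sub` or `group` claim is not a string (an array-valued claim, for instance) fails with an unhelpful ClassCastException in the consumer rather than a clear rejection; guard with `instanceof String` and return null / an empty array otherwise, or throw with a message naming the claim. The constructor at L579–L581 keeps the caller's map and getAttributes at L583–L585 returns it, so the claims of a token can be mutated after construction by anyone holding a reference; store `Collections.unmodifiableMap(new HashMap<String, Object>(attributes))` instead. The Javadoc at L572–L574 refers to "the TokenPreauth draft" without naming it; cite the draft by its identifier so the claim mapping can be checked against the spec.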
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/bffabdc7/kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/WithTokenKdcTest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/WithTokenKdcTest.java b/kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/WithTokenKdcTest.java
index b0b0489..46be468 100644
--- a/kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/WithTokenKdcTest.java
+++ b/kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/WithTokenKdcTest.java
@@ -22,7 +22,7 @@ package org.apache.kerby.kerberos.kerb.server;
import org.apache.kerby.kerberos.kerb.KrbException;
import org.apache.kerby.kerberos.kerb.spec.ticket.ServiceTicket;
import org.apache.kerby.kerberos.kerb.spec.ticket.TgtTicket;
-import org.apache.kerby.token.KerbToken;
+import org.apache.kerby.kerberos.kerb.spec.pa.token.KerbToken;
import static org.assertj.core.api.Assertions.assertThat;
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/bffabdc7/lib/kerby-token/pom.xml
----------------------------------------------------------------------
diff --git a/lib/kerby-token/pom.xml b/lib/kerby-token/pom.xml
deleted file mode 100644
index e15128c..0000000
--- a/lib/kerby-token/pom.xml
+++ /dev/null
@@ -1,44 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License. See accompanying LICENSE file.
--->
-<project xmlns="http://maven.apache.org/POM/4.0.0"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
- <modelVersion>4.0.0</modelVersion>
-
- <parent>
- <groupId>org.apache.kerby</groupId>
- <artifactId>lib</artifactId>
- <version>1.0-SNAPSHOT</version>
- </parent>
-
- <artifactId>kerby-token</artifactId>
- <name>Kerby-token Project</name>
- <version>1.0-SNAPSHOT</version>
- <packaging>jar</packaging>
-
- <dependencies>
- <dependency>
- <groupId>com.nimbusds</groupId>
- <artifactId>nimbus-jose-jwt</artifactId>
- <version>3.8.2</version>
- </dependency>
- <dependency>
- <groupId>org.apache.kerby</groupId>
- <artifactId>kerby-asn1</artifactId>
- <version>${project.version}</version>
- </dependency>
- </dependencies>
-
-</project>
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/bffabdc7/lib/kerby-token/src/main/java/org/apache/kerby/token/AuthzDataEntry.java
----------------------------------------------------------------------
diff --git a/lib/kerby-token/src/main/java/org/apache/kerby/token/AuthzDataEntry.java b/lib/kerby-token/src/main/java/org/apache/kerby/token/AuthzDataEntry.java
deleted file mode 100644
index d4bfedb..0000000
--- a/lib/kerby-token/src/main/java/org/apache/kerby/token/AuthzDataEntry.java
+++ /dev/null
@@ -1,52 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.kerby.token;
-
-import org.apache.kerby.asn1.type.Asn1FieldInfo;
-import org.apache.kerby.asn1.type.Asn1Integer;
-import org.apache.kerby.asn1.type.Asn1OctetString;
-import org.apache.kerby.asn1.type.Asn1SequenceType;
-
-/**
- AuthorizationData ::= SEQUENCE OF SEQUENCE {
- ad-type [0] Int32,
- ad-data [1] OCTET STRING
- }
- */
-public class AuthzDataEntry extends Asn1SequenceType {
- static int AD_TYPE = 0;
- static int AD_DATA = 1;
-
- public AuthzDataEntry() {
- super(new Asn1FieldInfo[] {
- new Asn1FieldInfo(AD_TYPE, Asn1Integer.class),
- new Asn1FieldInfo(AD_DATA, Asn1OctetString.class)
- });
- }
-
- public int getAuthzType() {
- Integer value = getFieldAsInteger(AD_TYPE);
- return value;
- }
-
- public byte[] getAuthzData() {
- return getFieldAsOctets(AD_DATA);
- }
-}
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/bffabdc7/lib/kerby-token/src/main/java/org/apache/kerby/token/KerbToken.java
----------------------------------------------------------------------
diff --git a/lib/kerby-token/src/main/java/org/apache/kerby/token/KerbToken.java b/lib/kerby-token/src/main/java/org/apache/kerby/token/KerbToken.java
deleted file mode 100644
index be4a127..0000000
--- a/lib/kerby-token/src/main/java/org/apache/kerby/token/KerbToken.java
+++ /dev/null
@@ -1,47 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.kerby.token;
-
-import java.util.Map;
-
-public class KerbToken {
-
- private Map<String, Object> attributes;
-
- public KerbToken(Map<String, Object> attributes) {
- this.attributes = attributes;
- }
-
- public Map<String, Object> getAttributes() {
- return attributes;
- }
-
- public String getPrincipal() {
- return (String) attributes.get("sub");
- }
-
- public String[] getGroups() {
- String grp = (String) attributes.get("group");
- if (grp != null) {
- return new String[] { grp };
- }
- return new String[0];
- }
-}
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/bffabdc7/lib/kerby-token/src/main/java/org/apache/kerby/token/TokenCache.java
----------------------------------------------------------------------
diff --git a/lib/kerby-token/src/main/java/org/apache/kerby/token/TokenCache.java b/lib/kerby-token/src/main/java/org/apache/kerby/token/TokenCache.java
deleted file mode 100644
index 51e3593..0000000
--- a/lib/kerby-token/src/main/java/org/apache/kerby/token/TokenCache.java
+++ /dev/null
@@ -1,82 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.kerby.token;
-
-import java.io.*;
-
-public class TokenCache {
- private static final String DEFAULT_TOKEN_CACHE_PATH = ".tokenauth";
- private static final String TOKEN_CACHE_FILE = ".tokenauth.token";
-
- public static String readToken(String tokenCacheFile) {
- File cacheFile = null;
-
- if (tokenCacheFile != null && ! tokenCacheFile.isEmpty()) {
- cacheFile = new File(tokenCacheFile);
- if (!cacheFile.exists()) {
- throw new RuntimeException("Invalid token cache specified: " + tokenCacheFile);
- };
- } else {
- cacheFile = getDefaultTokenCache();
- if (!cacheFile.exists()) {
- throw new RuntimeException("No token cache available by default");
- };
- }
-
- String token = null;
- try {
- BufferedReader reader = new BufferedReader(new FileReader(cacheFile));
- String line = reader.readLine();
- reader.close();
- if (line != null) {
- token = line;
- }
- } catch (IOException ex) {
- //NOP
- }
-
- return token;
- }
-
- public static void writeToken(String token) {
- File cacheFile = getDefaultTokenCache();
-
- try {
- Writer writer = new FileWriter(cacheFile);
- writer.write(token.toString());
- writer.close();
- // sets read-write permissions to owner only
- cacheFile.setReadable(false, false);
- cacheFile.setReadable(true, true);
- cacheFile.setWritable(true, true);
- }
- catch (IOException ioe) {
- // if case of any error we just delete the cache, if user-only
- // write permissions are not properly set a security exception
- // is thrown and the file will be deleted.
- cacheFile.delete();
- }
- }
-
- public static File getDefaultTokenCache() {
- String homeDir = System.getProperty("user.home", DEFAULT_TOKEN_CACHE_PATH);
- return new File(homeDir, TOKEN_CACHE_FILE);
- }
-}
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/bffabdc7/lib/kerby-token/src/main/java/org/apache/kerby/token/TokenExtractor.java
----------------------------------------------------------------------
diff --git a/lib/kerby-token/src/main/java/org/apache/kerby/token/TokenExtractor.java b/lib/kerby-token/src/main/java/org/apache/kerby/token/TokenExtractor.java
deleted file mode 100644
index 8e43384..0000000
--- a/lib/kerby-token/src/main/java/org/apache/kerby/token/TokenExtractor.java
+++ /dev/null
@@ -1,101 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.kerby.token;
-
-import com.sun.security.jgss.AuthorizationDataEntry;
-import com.sun.security.jgss.ExtendedGSSContext;
-import com.sun.security.jgss.InquireType;
-import org.apache.kerby.asn1.type.Asn1SequenceOf;
-import org.ietf.jgss.GSSContext;
-import org.ietf.jgss.GSSException;
-
-import java.io.IOException;
-import java.util.List;
-
-public class TokenExtractor {
- static final int JWT_AUTHZ_DATA_TYPE = 81;
- public static final int AD_IF_RELEVANT_TYPE = 1;
-
- /**
- AuthorizationData ::= SEQUENCE OF SEQUENCE {
- ad-type [0] Int32,
- ad-data [1] OCTET STRING
- }
- */
- public static class AuthorizationData extends Asn1SequenceOf<AuthzDataEntry> {
-
- }
-
- public static KerbToken checkAuthzData(GSSContext context) throws GSSException, IOException {
- System.out.println("Looking for token from authorization data in GSSContext");
-
- Object authzData = null;
- if (context instanceof ExtendedGSSContext) {
- ExtendedGSSContext ex = (ExtendedGSSContext)context;
- authzData = ex.inquireSecContext(
- InquireType.KRB5_GET_AUTHZ_DATA);
- }
-
- if (authzData != null) {
- AuthorizationDataEntry[] authzEntries = (AuthorizationDataEntry[]) authzData;
- KerbToken resultToken = null;
- for (int i = 0; i < authzEntries.length; ++i) {
- resultToken = getAuthzToken(authzEntries[i]);
- if (resultToken != null) {
- return resultToken;
- }
- }
- }
- return null;
- }
-
- public static KerbToken getAuthzToken(AuthorizationDataEntry authzDataEntry) throws IOException {
- if (authzDataEntry.getType() == AD_IF_RELEVANT_TYPE) {
- String token = getToken(authzDataEntry);
- if (token == null) {
- return null;
- }
-
- try {
- return TokenTool.fromJwtToken(token);
- } catch (Exception e) {
- // noop when not jwt token
- }
- }
-
- return null;
- }
-
- public static String getToken(AuthorizationDataEntry authzDataEntry) throws IOException {
- List<AuthzDataEntry> entries = decode(authzDataEntry);
- for (AuthzDataEntry entry : entries) {
- if (entry.getAuthzType() == JWT_AUTHZ_DATA_TYPE) {
- return new String(entry.getAuthzData());
- }
- }
- return null;
- }
-
- public static List<AuthzDataEntry> decode(AuthorizationDataEntry authzDataEntry) throws IOException {
- AuthorizationData authzData = new AuthorizationData();
- authzData.decode(authzDataEntry.getData());
- return authzData.getElements();
- }
-}
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/bffabdc7/lib/kerby-token/src/main/java/org/apache/kerby/token/TokenTool.java
----------------------------------------------------------------------
diff --git a/lib/kerby-token/src/main/java/org/apache/kerby/token/TokenTool.java b/lib/kerby-token/src/main/java/org/apache/kerby/token/TokenTool.java
deleted file mode 100644
index 2de1973..0000000
--- a/lib/kerby-token/src/main/java/org/apache/kerby/token/TokenTool.java
+++ /dev/null
@@ -1,124 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.kerby.token;
-
-import com.nimbusds.jose.PlainHeader;
-import com.nimbusds.jwt.JWT;
-import com.nimbusds.jwt.JWTClaimsSet;
-import com.nimbusds.jwt.PlainJWT;
-
-import java.text.ParseException;
-import java.util.*;
-
-public class TokenTool {
-
- public static JWT issueToken(String principal, String group, String role) {
- // must have for kerb-token
- String krbPrincipal = principal + "@SH.INTEL.COM";
-
- PlainHeader header = new PlainHeader();
- //header.setCustomParameter("krbPrincipal", krbPrincipal);
-
- JWTClaimsSet jwtClaims = new JWTClaimsSet();
-
- String iss = "token-service";
- jwtClaims.setIssuer(iss);
-
- String sub = principal;
- jwtClaims.setSubject(sub);
-
- // must have for kerb-token
- jwtClaims.setSubject(krbPrincipal);
-
- jwtClaims.setClaim("group", group);
- if (role != null) {
- jwtClaims.setClaim("role", role);
- }
-
- List<String> aud = new ArrayList<String>();
- aud.add("krb5kdc-with-token-extension");
- jwtClaims.setAudience(aud);
-
- // Set expiration in 60 minutes
- final Date NOW = new Date(new Date().getTime() / 1000 * 1000);
- Date exp = new Date(NOW.getTime() + 1000 * 60 * 60);
- jwtClaims.setExpirationTime(exp);
-
- Date nbf = NOW;
- jwtClaims.setNotBeforeTime(nbf);
-
- Date iat = NOW;
- jwtClaims.setIssueTime(iat);
-
- String jti = UUID.randomUUID().toString();
- jwtClaims.setJWTID(jti);
-
- PlainJWT jwt = new PlainJWT(header, jwtClaims);
- return jwt;
- }
-
- public static JWT decodeToken(String token) throws ParseException {
- PlainJWT jwt = PlainJWT.parse(token);
-
- return jwt;
- }
-
- public static KerbToken fromJwtToken(String token) throws ParseException {
- Map<String, Object> attrs = decodeAndExtractTokenAttributes(token);
- return new KerbToken(attrs);
- }
-
- public static Map<String, Object> decodeAndExtractTokenAttributes(String token) throws ParseException {
- PlainJWT jwt = PlainJWT.parse(token);
-
- Map<String, Object> attrs = new HashMap<String, Object>();
- attrs.putAll(jwt.getJWTClaimsSet().getAllClaims());
- //attrs.putAll(jwt.getHeader().getCustomParameters());
-
- return attrs;
- }
-
- public static void main(String[] args) throws ParseException {
- String principal, group, role = null;
-
- if (args.length != 2 && args.length != 3) {
- System.out.println("This is a simple token issuing tool just for kerb-token PoC usage\n");
- System.out.println("tokeninit <username> <group> [role]\n");
- System.exit(1);
- }
- principal = args[0];
- group = args[1];
- if (args.length > 2) {
- role = args[2];
- }
-
- JWT jwt = issueToken(principal, group, role);
- String token = jwt.serialize();
-
- TokenCache.writeToken(token);
- System.out.println("Issued token: " + token);
-
- /*
- JWT jwt2 = decodeToken(token);
- String krbPrincipal = (String) jwt2.getHeader().getCustomParameter("krbPrincipal");
- System.out.println("Decoded token with krbprincipal: " + krbPrincipal);
- */
- }
-}
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/bffabdc7/lib/pom.xml
----------------------------------------------------------------------
diff --git a/lib/pom.xml b/lib/pom.xml
index a514a61..2185fdd 100644
--- a/lib/pom.xml
+++ b/lib/pom.xml
@@ -30,7 +30,6 @@
<module>kerby-config</module>
<module>kerby-event</module>
<module>kerby-pkix</module>
- <module>kerby-token</module>
<module>kerby-util</module>
</modules>