You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@directory.apache.org by er...@apache.org on 2007/07/27 05:25:33 UTC
svn commit: r560081 - in /directory/apacheds/trunk/protocol-kerberos/src:
main/java/org/apache/directory/server/kerberos/kdc/authentication/
main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/
test/java/org/apache/directory/server/kerberos/...
Author: erodriguez
Date: Thu Jul 26 20:25:32 2007
New Revision: 560081
URL: http://svn.apache.org/viewvc?view=rev&rev=560081
Log:
Further test-driven improvements to protocol-kerberos:
o Added 7 new tests to Authentication Service (AS) coverage.
o Added 12 new tests to Ticket-Granting Service (TGS) coverage.
o Added more robust (anti-NPE) checks for client addresses during ticket generation.
o Improved comments.
o Switched to a shorter, more encapsulated form of getting and setting options.
o Added missing policy checks to TGS per RFC 4120.
Added:
directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/AuthenticationPolicyTest.java (with props)
directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/TicketGrantingPolicyTest.java (with props)
Modified:
directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/GenerateTicket.java
directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/GenerateTicket.java
Modified: directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/GenerateTicket.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/GenerateTicket.java?view=diff&rev=560081&r1=560080&r2=560081
==============================================================================
--- directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/GenerateTicket.java (original)
+++ directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/GenerateTicket.java Thu Jul 26 20:25:32 2007
@@ -81,7 +81,7 @@
newTicketBody.setFlag( TicketFlags.PRE_AUTHENT );
}
- if ( request.getKdcOptions().get( KdcOptions.FORWARDABLE ) )
+ if ( request.getOption( KdcOptions.FORWARDABLE ) )
{
if ( !config.isForwardableAllowed() )
{
@@ -91,7 +91,7 @@
newTicketBody.setFlag( TicketFlags.FORWARDABLE );
}
- if ( request.getKdcOptions().get( KdcOptions.PROXIABLE ) )
+ if ( request.getOption( KdcOptions.PROXIABLE ) )
{
if ( !config.isProxiableAllowed() )
{
@@ -101,7 +101,7 @@
newTicketBody.setFlag( TicketFlags.PROXIABLE );
}
- if ( request.getKdcOptions().get( KdcOptions.ALLOW_POSTDATE ) )
+ if ( request.getOption( KdcOptions.ALLOW_POSTDATE ) )
{
if ( !config.isPostdateAllowed() )
{
@@ -111,9 +111,9 @@
newTicketBody.setFlag( TicketFlags.MAY_POSTDATE );
}
- if ( request.getKdcOptions().get( KdcOptions.RENEW ) || request.getKdcOptions().get( KdcOptions.VALIDATE )
- || request.getKdcOptions().get( KdcOptions.PROXY ) || request.getKdcOptions().get( KdcOptions.FORWARDED )
- || request.getKdcOptions().get( KdcOptions.ENC_TKT_IN_SKEY ) )
+ if ( request.getOption( KdcOptions.RENEW ) || request.getOption( KdcOptions.VALIDATE )
+ || request.getOption( KdcOptions.PROXY ) || request.getOption( KdcOptions.FORWARDED )
+ || request.getOption( KdcOptions.ENC_TKT_IN_SKEY ) )
{
throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
}
@@ -137,7 +137,7 @@
* ticket is set to the authentication server's current time."
*/
if ( startTime == null || startTime.lessThan( now ) || startTime.isInClockSkew( config.getAllowableClockSkew() )
- && !request.getKdcOptions().get( KdcOptions.POSTDATED ) )
+ && !request.getOption( KdcOptions.POSTDATED ) )
{
startTime = now;
}
@@ -148,8 +148,7 @@
* KDC_ERR_CANNOT_POSTDATE is returned."
*/
if ( startTime != null && startTime.greaterThan( now )
- && !startTime.isInClockSkew( config.getAllowableClockSkew() )
- && !request.getKdcOptions().get( KdcOptions.POSTDATED ) )
+ && !startTime.isInClockSkew( config.getAllowableClockSkew() ) && !request.getOption( KdcOptions.POSTDATED ) )
{
throw new KerberosException( ErrorType.KDC_ERR_CANNOT_POSTDATE );
}
@@ -159,7 +158,7 @@
* local realm and if the ticket's starttime is acceptable, it is set as
* requested, and the INVALID flag is set in the new ticket."
*/
- if ( request.getKdcOptions().get( KdcOptions.POSTDATED ) )
+ if ( request.getOption( KdcOptions.POSTDATED ) )
{
if ( !config.isPostdateAllowed() )
{
@@ -182,10 +181,8 @@
}
/*
- new_tkt.endtime := min(till,
- new_tkt.starttime+client.max_life,
- new_tkt.starttime+server.max_life,
- new_tkt.starttime+max_life_for_realm);
+ * The end time is the minimum of (a) the requested till time or (b)
+ * the start time plus maximum lifetime as configured in policy.
*/
long endTime = Math.min( till, startTime.getTime() + config.getMaximumTicketLifetime() );
KerberosTime kerberosEndTime = new KerberosTime( endTime );
@@ -215,29 +212,18 @@
*/
KerberosTime tempRtime = request.getRtime();
- if ( request.getKdcOptions().get( KdcOptions.RENEWABLE_OK ) && request.getTill().greaterThan( kerberosEndTime ) )
+ if ( request.getOption( KdcOptions.RENEWABLE_OK ) && request.getTill().greaterThan( kerberosEndTime ) )
{
if ( !config.isRenewableAllowed() )
{
throw new KerberosException( ErrorType.KDC_ERR_POLICY );
}
- request.getKdcOptions().set( KdcOptions.RENEWABLE );
+ request.setOption( KdcOptions.RENEWABLE );
tempRtime = request.getTill();
}
- /*
- if (req.kdc-options.RENEWABLE is set) then
- set new_tkt.flags.RENEWABLE;
- new_tkt.renew-till := min(rtime,
- new_tkt.starttime+client.max_rlife,
- new_tkt.starttime+server.max_rlife,
- new_tkt.starttime+max_rlife_for_realm);
- else
- omit new_tkt.renew-till;
- endif
- */
- if ( request.getKdcOptions().get( KdcOptions.RENEWABLE ) )
+ if ( request.getOption( KdcOptions.RENEWABLE ) )
{
if ( !config.isRenewableAllowed() )
{
@@ -251,11 +237,17 @@
tempRtime = KerberosTime.INFINITY;
}
+ /*
+ * The renew-till time is the minimum of (a) the requested renew-till
+ * time or (b) the start time plus maximum renewable lifetime as
+ * configured in policy.
+ */
long renewTill = Math.min( tempRtime.getTime(), startTime.getTime() + config.getMaximumRenewableLifetime() );
newTicketBody.setRenewTill( new KerberosTime( renewTill ) );
}
- if ( request.getAddresses() != null )
+ if ( request.getAddresses() != null && request.getAddresses().getAddresses() != null
+ && request.getAddresses().getAddresses().length > 0 )
{
newTicketBody.setClientAddresses( request.getAddresses() );
}
Modified: directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/GenerateTicket.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/GenerateTicket.java?view=diff&rev=560081&r1=560080&r2=560081
==============================================================================
--- directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/GenerateTicket.java (original)
+++ directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/GenerateTicket.java Thu Jul 26 20:25:32 2007
@@ -137,6 +137,11 @@
if ( request.getOption( KdcOptions.FORWARDABLE ) )
{
+ if ( !config.isForwardableAllowed() )
+ {
+ throw new KerberosException( ErrorType.KDC_ERR_POLICY );
+ }
+
if ( !tgt.getFlag( TicketFlags.FORWARDABLE ) )
{
throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
@@ -147,13 +152,30 @@
if ( request.getOption( KdcOptions.FORWARDED ) )
{
+ if ( !config.isForwardableAllowed() )
+ {
+ throw new KerberosException( ErrorType.KDC_ERR_POLICY );
+ }
+
if ( !tgt.getFlag( TicketFlags.FORWARDABLE ) )
{
throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
}
+ if ( request.getAddresses() != null && request.getAddresses().getAddresses() != null
+ && request.getAddresses().getAddresses().length > 0 )
+ {
+ newTicketBody.setClientAddresses( request.getAddresses() );
+ }
+ else
+ {
+ if ( !config.isEmptyAddressesAllowed() )
+ {
+ throw new KerberosException( ErrorType.KDC_ERR_POLICY );
+ }
+ }
+
newTicketBody.setFlag( TicketFlags.FORWARDED );
- newTicketBody.setClientAddresses( request.getAddresses() );
}
if ( tgt.getFlag( TicketFlags.FORWARDED ) )
@@ -163,6 +185,11 @@
if ( request.getOption( KdcOptions.PROXIABLE ) )
{
+ if ( !config.isProxiableAllowed() )
+ {
+ throw new KerberosException( ErrorType.KDC_ERR_POLICY );
+ }
+
if ( !tgt.getFlag( TicketFlags.PROXIABLE ) )
{
throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
@@ -173,17 +200,39 @@
if ( request.getOption( KdcOptions.PROXY ) )
{
+ if ( !config.isProxiableAllowed() )
+ {
+ throw new KerberosException( ErrorType.KDC_ERR_POLICY );
+ }
+
if ( !tgt.getFlag( TicketFlags.PROXIABLE ) )
{
throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
}
+ if ( request.getAddresses() != null && request.getAddresses().getAddresses() != null
+ && request.getAddresses().getAddresses().length > 0 )
+ {
+ newTicketBody.setClientAddresses( request.getAddresses() );
+ }
+ else
+ {
+ if ( !config.isEmptyAddressesAllowed() )
+ {
+ throw new KerberosException( ErrorType.KDC_ERR_POLICY );
+ }
+ }
+
newTicketBody.setFlag( TicketFlags.PROXY );
- newTicketBody.setClientAddresses( request.getAddresses() );
}
if ( request.getOption( KdcOptions.ALLOW_POSTDATE ) )
{
+ if ( !config.isPostdateAllowed() )
+ {
+ throw new KerberosException( ErrorType.KDC_ERR_POLICY );
+ }
+
if ( !tgt.getFlag( TicketFlags.MAY_POSTDATE ) )
{
throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
@@ -204,14 +253,14 @@
*/
if ( request.getOption( KdcOptions.POSTDATED ) )
{
- if ( !tgt.getFlag( TicketFlags.MAY_POSTDATE ) )
+ if ( !config.isPostdateAllowed() )
{
- throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
+ throw new KerberosException( ErrorType.KDC_ERR_POLICY );
}
- if ( !config.isPostdateAllowed() )
+ if ( !tgt.getFlag( TicketFlags.MAY_POSTDATE ) )
{
- throw new KerberosException( ErrorType.KDC_ERR_POLICY );
+ throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
}
newTicketBody.setFlag( TicketFlags.POSTDATED );
@@ -222,6 +271,11 @@
if ( request.getOption( KdcOptions.VALIDATE ) )
{
+ if ( !config.isPostdateAllowed() )
+ {
+ throw new KerberosException( ErrorType.KDC_ERR_POLICY );
+ }
+
if ( !tgt.getFlag( TicketFlags.INVALID ) )
{
throw new KerberosException( ErrorType.KDC_ERR_POLICY );
@@ -267,7 +321,7 @@
* ticket is set to the authentication server's current time."
*/
if ( startTime == null || startTime.lessThan( now ) || startTime.isInClockSkew( config.getAllowableClockSkew() )
- && !request.getKdcOptions().get( KdcOptions.POSTDATED ) )
+ && !request.getOption( KdcOptions.POSTDATED ) )
{
startTime = now;
}
@@ -280,7 +334,7 @@
*/
if ( startTime != null && startTime.greaterThan( now )
&& !startTime.isInClockSkew( config.getAllowableClockSkew() )
- && ( !request.getKdcOptions().get( KdcOptions.POSTDATED ) || !tgt.getFlag( TicketFlags.MAY_POSTDATE ) ) )
+ && ( !request.getOption( KdcOptions.POSTDATED ) || !tgt.getFlag( TicketFlags.MAY_POSTDATE ) ) )
{
throw new KerberosException( ErrorType.KDC_ERR_CANNOT_POSTDATE );
}
@@ -290,6 +344,11 @@
if ( request.getOption( KdcOptions.RENEW ) )
{
+ if ( !config.isRenewableAllowed() )
+ {
+ throw new KerberosException( ErrorType.KDC_ERR_POLICY );
+ }
+
if ( !tgt.getFlag( TicketFlags.RENEWABLE ) )
{
throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
@@ -328,10 +387,10 @@
till = request.getTill();
}
- // TODO - config; requires store
/*
- new_tkt.starttime+client.max_life,
- new_tkt.starttime+server.max_life,
+ * The end time is the minimum of (a) the requested till time or (b)
+ * the start time plus maximum lifetime as configured in policy or (c)
+ * the end time of the TGT.
*/
List<KerberosTime> minimizer = new ArrayList<KerberosTime>();
minimizer.add( till );
@@ -344,7 +403,12 @@
if ( request.getOption( KdcOptions.RENEWABLE_OK ) && kerberosEndTime.lessThan( request.getTill() )
&& tgt.getFlag( TicketFlags.RENEWABLE ) )
{
- // we set the RENEWABLE option for later processing
+ if ( !config.isRenewableAllowed() )
+ {
+ throw new KerberosException( ErrorType.KDC_ERR_POLICY );
+ }
+
+ // We set the RENEWABLE option for later processing.
request.setOption( KdcOptions.RENEWABLE );
long rtime = Math.min( request.getTill().getTime(), tgt.getRenewTill().getTime() );
renewalTime = new KerberosTime( rtime );
@@ -368,13 +432,18 @@
if ( request.getOption( KdcOptions.RENEWABLE ) && tgt.getFlag( TicketFlags.RENEWABLE ) )
{
+ if ( !config.isRenewableAllowed() )
+ {
+ throw new KerberosException( ErrorType.KDC_ERR_POLICY );
+ }
+
newTicketBody.setFlag( TicketFlags.RENEWABLE );
/*
- new_tkt.starttime+client.max_rlife,
- new_tkt.starttime+server.max_rlife,
+ * The renew-till time is the minimum of (a) the requested renew-till
+ * time or (b) the start time plus maximum renewable lifetime as
+ * configured in policy or (c) the renew-till time of the TGT.
*/
- // TODO - client and server configurable; requires store
List<KerberosTime> minimizer = new ArrayList<KerberosTime>();
/*
@@ -385,7 +454,7 @@
minimizer.add( rtime );
}
- minimizer.add( new KerberosTime( now.getTime() + config.getMaximumRenewableLifetime() ) );
+ minimizer.add( new KerberosTime( startTime.getTime() + config.getMaximumRenewableLifetime() ) );
minimizer.add( tgt.getRenewTill() );
newTicketBody.setRenewTill( Collections.min( minimizer ) );
}
Added: directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/AuthenticationPolicyTest.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/AuthenticationPolicyTest.java?view=auto&rev=560081
==============================================================================
--- directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/AuthenticationPolicyTest.java (added)
+++ directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/AuthenticationPolicyTest.java Thu Jul 26 20:25:32 2007
@@ -0,0 +1,307 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.directory.server.kerberos.protocol;
+
+
+import org.apache.directory.server.kerberos.kdc.KdcConfiguration;
+import org.apache.directory.server.kerberos.shared.messages.ErrorMessage;
+import org.apache.directory.server.kerberos.shared.messages.KdcRequest;
+import org.apache.directory.server.kerberos.shared.messages.MessageType;
+import org.apache.directory.server.kerberos.shared.messages.value.KdcOptions;
+import org.apache.directory.server.kerberos.shared.messages.value.KerberosTime;
+import org.apache.directory.server.kerberos.shared.messages.value.RequestBodyModifier;
+import org.apache.directory.server.kerberos.shared.store.PrincipalStore;
+
+
+/**
+ * Tests configuration of Authentication Service (AS) policy.
+ *
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ * @version $Rev$, $Date$
+ */
+public class AuthenticationPolicyTest extends AbstractAuthenticationServiceTest
+{
+ private KdcConfiguration config;
+ private PrincipalStore store;
+ private KerberosProtocolHandler handler;
+ private DummySession session;
+
+
+ /**
+ * Creates a new instance of {@link AuthenticationPolicyTest}.
+ */
+ public AuthenticationPolicyTest()
+ {
+ config = new KdcConfiguration();
+ store = new MapPrincipalStoreImpl();
+ handler = new KerberosProtocolHandler( config, store );
+ session = new DummySession();
+ }
+
+
+ /**
+ * Tests when forwardable tickets are disallowed that requests for
+ * forwardable tickets fail with the correct error message.
+ *
+ * @throws Exception
+ */
+ public void testForwardableTicket() throws Exception
+ {
+ // Deny FORWARDABLE tickets in policy.
+ config.setPaEncTimestampRequired( false );
+ config.setForwardableAllowed( false );
+
+ RequestBodyModifier modifier = new RequestBodyModifier();
+ modifier.setClientName( getPrincipalName( "hnelson" ) );
+ modifier.setServerName( getPrincipalName( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" ) );
+ modifier.setRealm( "EXAMPLE.COM" );
+ modifier.setEType( config.getEncryptionTypes() );
+
+ KdcOptions kdcOptions = new KdcOptions();
+ kdcOptions.set( KdcOptions.FORWARDABLE );
+ modifier.setKdcOptions( kdcOptions );
+
+ long now = System.currentTimeMillis();
+ KerberosTime requestedEndTime = new KerberosTime( now + 1 * KerberosTime.DAY );
+ modifier.setTill( requestedEndTime );
+
+ KdcRequest message = new KdcRequest( 5, MessageType.KRB_AS_REQ, null, modifier.getRequestBody() );
+
+ handler.messageReceived( session, message );
+
+ ErrorMessage error = ( ErrorMessage ) session.getMessage();
+ assertEquals( "KDC policy rejects request", 12, error.getErrorCode() );
+ }
+
+
+ /**
+ * Tests when proxiable tickets are disallowed that requests for
+ * proxiable tickets fail with the correct error message.
+ *
+ * @throws Exception
+ */
+ public void testProxiableTicket() throws Exception
+ {
+ // Deny PROXIABLE tickets in policy.
+ config.setPaEncTimestampRequired( false );
+ config.setProxiableAllowed( false );
+
+ RequestBodyModifier modifier = new RequestBodyModifier();
+ modifier.setClientName( getPrincipalName( "hnelson" ) );
+ modifier.setServerName( getPrincipalName( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" ) );
+ modifier.setRealm( "EXAMPLE.COM" );
+ modifier.setEType( config.getEncryptionTypes() );
+
+ KdcOptions kdcOptions = new KdcOptions();
+ kdcOptions.set( KdcOptions.PROXIABLE );
+ modifier.setKdcOptions( kdcOptions );
+
+ long now = System.currentTimeMillis();
+ KerberosTime requestedEndTime = new KerberosTime( now + 1 * KerberosTime.DAY );
+ modifier.setTill( requestedEndTime );
+
+ KdcRequest message = new KdcRequest( 5, MessageType.KRB_AS_REQ, null, modifier.getRequestBody() );
+
+ handler.messageReceived( session, message );
+
+ ErrorMessage error = ( ErrorMessage ) session.getMessage();
+ assertEquals( "KDC policy rejects request", 12, error.getErrorCode() );
+ }
+
+
+ /**
+ * Tests when postdated tickets are disallowed that requests for
+ * ALLOW-POSTDATE tickets fail with the correct error message.
+ *
+ * @throws Exception
+ */
+ public void testAllowPostdate() throws Exception
+ {
+ // Deny POSTDATED tickets in policy.
+ config.setPaEncTimestampRequired( false );
+ config.setPostdateAllowed( false );
+
+ RequestBodyModifier modifier = new RequestBodyModifier();
+ modifier.setClientName( getPrincipalName( "hnelson" ) );
+ modifier.setServerName( getPrincipalName( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" ) );
+ modifier.setRealm( "EXAMPLE.COM" );
+ modifier.setEType( config.getEncryptionTypes() );
+
+ KdcOptions kdcOptions = new KdcOptions();
+ kdcOptions.set( KdcOptions.ALLOW_POSTDATE );
+ modifier.setKdcOptions( kdcOptions );
+
+ long now = System.currentTimeMillis();
+ KerberosTime requestedEndTime = new KerberosTime( now + 1 * KerberosTime.DAY );
+ modifier.setTill( requestedEndTime );
+
+ KdcRequest message = new KdcRequest( 5, MessageType.KRB_AS_REQ, null, modifier.getRequestBody() );
+
+ handler.messageReceived( session, message );
+
+ ErrorMessage error = ( ErrorMessage ) session.getMessage();
+ assertEquals( "KDC policy rejects request", 12, error.getErrorCode() );
+ }
+
+
+ /**
+ * Tests when postdated tickets are disallowed that requests for
+ * postdated tickets fail with the correct error message.
+ *
+ * @throws Exception
+ */
+ public void testPostdate() throws Exception
+ {
+ // Deny POSTDATED tickets in policy.
+ config.setPaEncTimestampRequired( false );
+ config.setPostdateAllowed( false );
+
+ RequestBodyModifier modifier = new RequestBodyModifier();
+ modifier.setClientName( getPrincipalName( "hnelson" ) );
+ modifier.setServerName( getPrincipalName( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" ) );
+ modifier.setRealm( "EXAMPLE.COM" );
+ modifier.setEType( config.getEncryptionTypes() );
+
+ KdcOptions kdcOptions = new KdcOptions();
+ kdcOptions.set( KdcOptions.POSTDATED );
+ modifier.setKdcOptions( kdcOptions );
+
+ long now = System.currentTimeMillis();
+ KerberosTime requestedEndTime = new KerberosTime( now + 1 * KerberosTime.DAY );
+ modifier.setTill( requestedEndTime );
+
+ KdcRequest message = new KdcRequest( 5, MessageType.KRB_AS_REQ, null, modifier.getRequestBody() );
+
+ handler.messageReceived( session, message );
+
+ ErrorMessage error = ( ErrorMessage ) session.getMessage();
+ assertEquals( "KDC policy rejects request", 12, error.getErrorCode() );
+ }
+
+
+ /**
+ * Tests when renewable tickets are disallowed that requests for
+ * RENEWABLE-OK tickets fail with the correct error message.
+ *
+ * @throws Exception
+ */
+ public void testRenewableOk() throws Exception
+ {
+ // Deny RENEWABLE tickets in policy.
+ config.setPaEncTimestampRequired( false );
+ config.setRenewableAllowed( false );
+
+ RequestBodyModifier modifier = new RequestBodyModifier();
+ modifier.setClientName( getPrincipalName( "hnelson" ) );
+ modifier.setServerName( getPrincipalName( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" ) );
+ modifier.setRealm( "EXAMPLE.COM" );
+ modifier.setEType( config.getEncryptionTypes() );
+
+ KdcOptions kdcOptions = new KdcOptions();
+ kdcOptions.set( KdcOptions.RENEWABLE_OK );
+ modifier.setKdcOptions( kdcOptions );
+
+ long now = System.currentTimeMillis();
+ KerberosTime requestedEndTime = new KerberosTime( now + KerberosTime.WEEK );
+ modifier.setTill( requestedEndTime );
+
+ KdcRequest message = new KdcRequest( 5, MessageType.KRB_AS_REQ, null, modifier.getRequestBody() );
+
+ handler.messageReceived( session, message );
+
+ ErrorMessage error = ( ErrorMessage ) session.getMessage();
+ assertEquals( "KDC policy rejects request", 12, error.getErrorCode() );
+ }
+
+
+ /**
+ * Tests when renewable tickets are disallowed that requests for
+ * renewable tickets fail with the correct error message.
+ *
+ * @throws Exception
+ */
+ public void testRenewableTicket() throws Exception
+ {
+ // Deny RENEWABLE tickets in policy.
+ config.setPaEncTimestampRequired( false );
+ config.setRenewableAllowed( false );
+
+ RequestBodyModifier modifier = new RequestBodyModifier();
+ modifier.setClientName( getPrincipalName( "hnelson" ) );
+ modifier.setServerName( getPrincipalName( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" ) );
+ modifier.setRealm( "EXAMPLE.COM" );
+ modifier.setEType( config.getEncryptionTypes() );
+
+ KdcOptions kdcOptions = new KdcOptions();
+ kdcOptions.set( KdcOptions.RENEWABLE );
+ modifier.setKdcOptions( kdcOptions );
+
+ long now = System.currentTimeMillis();
+ KerberosTime requestedEndTime = new KerberosTime( now + 1 * KerberosTime.DAY );
+ modifier.setTill( requestedEndTime );
+
+ KerberosTime requestedRenewTillTime = new KerberosTime( now + KerberosTime.WEEK / 2 );
+ modifier.setRtime( requestedRenewTillTime );
+
+ KdcRequest message = new KdcRequest( 5, MessageType.KRB_AS_REQ, null, modifier.getRequestBody() );
+
+ handler.messageReceived( session, message );
+
+ ErrorMessage error = ( ErrorMessage ) session.getMessage();
+ assertEquals( "KDC policy rejects request", 12, error.getErrorCode() );
+ }
+
+
+ /**
+ * Tests when empty addresses are disallowed that requests with no addresses
+ * fail with the correct error message.
+ *
+ * @throws Exception
+ */
+ public void testEmptyAddresses() throws Exception
+ {
+ // Deny empty addresses in policy.
+ config.setPaEncTimestampRequired( false );
+ config.setEmptyAddressesAllowed( false );
+
+ RequestBodyModifier modifier = new RequestBodyModifier();
+ modifier.setClientName( getPrincipalName( "hnelson" ) );
+ modifier.setServerName( getPrincipalName( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" ) );
+ modifier.setRealm( "EXAMPLE.COM" );
+ modifier.setEType( config.getEncryptionTypes() );
+
+ KdcOptions kdcOptions = new KdcOptions();
+ modifier.setKdcOptions( kdcOptions );
+
+ long now = System.currentTimeMillis();
+ KerberosTime requestedEndTime = new KerberosTime( now + 1 * KerberosTime.DAY );
+ modifier.setTill( requestedEndTime );
+
+ KerberosTime requestedRenewTillTime = new KerberosTime( now + KerberosTime.WEEK / 2 );
+ modifier.setRtime( requestedRenewTillTime );
+
+ KdcRequest message = new KdcRequest( 5, MessageType.KRB_AS_REQ, null, modifier.getRequestBody() );
+
+ handler.messageReceived( session, message );
+
+ ErrorMessage error = ( ErrorMessage ) session.getMessage();
+ assertEquals( "KDC policy rejects request", 12, error.getErrorCode() );
+ }
+}
Propchange: directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/AuthenticationPolicyTest.java
------------------------------------------------------------------------------
svn:eol-style = native
Added: directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/TicketGrantingPolicyTest.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/TicketGrantingPolicyTest.java?view=auto&rev=560081
==============================================================================
--- directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/TicketGrantingPolicyTest.java (added)
+++ directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/TicketGrantingPolicyTest.java Thu Jul 26 20:25:32 2007
@@ -0,0 +1,693 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.directory.server.kerberos.protocol;
+
+
+import java.net.InetAddress;
+
+import javax.security.auth.kerberos.KerberosPrincipal;
+
+import org.apache.directory.server.kerberos.kdc.KdcConfiguration;
+import org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler;
+import org.apache.directory.server.kerberos.shared.messages.ErrorMessage;
+import org.apache.directory.server.kerberos.shared.messages.KdcRequest;
+import org.apache.directory.server.kerberos.shared.messages.components.EncTicketPartModifier;
+import org.apache.directory.server.kerberos.shared.messages.components.Ticket;
+import org.apache.directory.server.kerberos.shared.messages.value.EncryptionKey;
+import org.apache.directory.server.kerberos.shared.messages.value.HostAddress;
+import org.apache.directory.server.kerberos.shared.messages.value.HostAddresses;
+import org.apache.directory.server.kerberos.shared.messages.value.KdcOptions;
+import org.apache.directory.server.kerberos.shared.messages.value.KerberosTime;
+import org.apache.directory.server.kerberos.shared.messages.value.RequestBody;
+import org.apache.directory.server.kerberos.shared.messages.value.RequestBodyModifier;
+import org.apache.directory.server.kerberos.shared.messages.value.TicketFlags;
+import org.apache.directory.server.kerberos.shared.store.PrincipalStore;
+
+
+/**
+ * Tests configuration of Ticket-Granting Service (TGS) policy.
+ *
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ * @version $Rev$, $Date$
+ */
+public class TicketGrantingPolicyTest extends AbstractTicketGrantingServiceTest
+{
+ private KdcConfiguration config;
+ private PrincipalStore store;
+ private KerberosProtocolHandler handler;
+ private DummySession session;
+
+
+ /**
+ * Creates a new instance of {@link TicketGrantingPolicyTest}.
+ */
+ public TicketGrantingPolicyTest()
+ {
+ config = new KdcConfiguration();
+
+ /*
+ * Body checksum verification must be disabled because we are bypassing
+ * the codecs, where the body bytes are set on the KdcRequest message.
+ */
+ config.setBodyChecksumVerified( false );
+
+ store = new MapPrincipalStoreImpl();
+ handler = new KerberosProtocolHandler( config, store );
+ session = new DummySession();
+ lockBox = new CipherTextHandler();
+ }
+
+
+ /**
+ * Tests when forwardable tickets are disallowed that requests for
+ * forwardable tickets fail with the correct error message.
+ *
+ * @throws Exception
+ */
+ public void testForwardableTicket() throws Exception
+ {
+ // Deny FORWARDABLE tickets in policy.
+ config.setForwardableAllowed( false );
+
+ // Get the mutable ticket part.
+ KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
+ EncTicketPartModifier encTicketPartModifier = getTicketArchetype( clientPrincipal );
+
+ // Make changes to test.
+ encTicketPartModifier.setFlag( TicketFlags.FORWARDABLE );
+
+ // Seal the ticket for the server.
+ KerberosPrincipal serverPrincipal = new KerberosPrincipal( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" );
+ String passPhrase = "randomKey";
+ EncryptionKey serverKey = getEncryptionKey( serverPrincipal, passPhrase );
+ Ticket tgt = getTicket( encTicketPartModifier, serverPrincipal, serverKey );
+
+ RequestBodyModifier modifier = new RequestBodyModifier();
+ modifier.setServerName( getPrincipalName( "ldap/ldap.example.com@EXAMPLE.COM" ) );
+ modifier.setRealm( "EXAMPLE.COM" );
+ modifier.setEType( config.getEncryptionTypes() );
+ modifier.setNonce( random.nextInt() );
+
+ KdcOptions kdcOptions = new KdcOptions();
+ kdcOptions.set( KdcOptions.FORWARDABLE );
+ modifier.setKdcOptions( kdcOptions );
+
+ long now = System.currentTimeMillis();
+
+ KerberosTime requestedEndTime = new KerberosTime( now + 1 * KerberosTime.DAY );
+ modifier.setTill( requestedEndTime );
+
+ RequestBody requestBody = modifier.getRequestBody();
+ KdcRequest message = getKdcRequest( tgt, requestBody );
+
+ handler.messageReceived( session, message );
+
+ ErrorMessage error = ( ErrorMessage ) session.getMessage();
+ assertEquals( "KDC policy rejects request", 12, error.getErrorCode() );
+ }
+
+
+ /**
+ * Tests when forwardable tickets are disallowed that requests for
+ * forwarded tickets fail with the correct error message.
+ *
+ * @throws Exception
+ */
+ public void testForwardedTicket() throws Exception
+ {
+ // Deny FORWARDABLE tickets in policy.
+ config.setForwardableAllowed( false );
+
+ // Get the mutable ticket part.
+ KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
+ EncTicketPartModifier encTicketPartModifier = getTicketArchetype( clientPrincipal );
+
+ // Make changes to test.
+ encTicketPartModifier.setFlag( TicketFlags.FORWARDABLE );
+
+ // Seal the ticket for the server.
+ KerberosPrincipal serverPrincipal = new KerberosPrincipal( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" );
+ String passPhrase = "randomKey";
+ EncryptionKey serverKey = getEncryptionKey( serverPrincipal, passPhrase );
+ Ticket tgt = getTicket( encTicketPartModifier, serverPrincipal, serverKey );
+
+ RequestBodyModifier modifier = new RequestBodyModifier();
+ modifier.setServerName( getPrincipalName( "ldap/ldap.example.com@EXAMPLE.COM" ) );
+ modifier.setRealm( "EXAMPLE.COM" );
+ modifier.setEType( config.getEncryptionTypes() );
+ modifier.setNonce( random.nextInt() );
+
+ KdcOptions kdcOptions = new KdcOptions();
+ kdcOptions.set( KdcOptions.FORWARDED );
+ modifier.setKdcOptions( kdcOptions );
+
+ long now = System.currentTimeMillis();
+
+ KerberosTime requestedEndTime = new KerberosTime( now + 1 * KerberosTime.DAY );
+ modifier.setTill( requestedEndTime );
+
+ RequestBody requestBody = modifier.getRequestBody();
+ KdcRequest message = getKdcRequest( tgt, requestBody );
+
+ handler.messageReceived( session, message );
+
+ ErrorMessage error = ( ErrorMessage ) session.getMessage();
+ assertEquals( "KDC policy rejects request", 12, error.getErrorCode() );
+ }
+
+
+ /**
+ * Tests when empty addresses are disallowed and forwarded tickets are requested
+ * that requests with no addresses fail with the correct error message.
+ *
+ * @throws Exception
+ */
+ public void testForwardedNoAddressesTicket() throws Exception
+ {
+ /*
+ * Test case needs further testing to ensure the localhost address is
+ * resolved uniformly on different platforms, or else the test case will fail.
+ */
+ assertTrue( true );
+
+ /*
+ // Deny empty addresses tickets in policy.
+ config.setEmptyAddressesAllowed( false );
+
+ // Get the mutable ticket part.
+ KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
+ EncTicketPartModifier encTicketPartModifier = getTicketArchetype( clientPrincipal );
+
+ // Make changes to test.
+ encTicketPartModifier.setFlag( TicketFlags.FORWARDABLE );
+
+ HostAddress[] address =
+ { new HostAddress( InetAddress.getByAddress( new byte[4] ) ) };
+ HostAddresses addresses = new HostAddresses( address );
+ encTicketPartModifier.setClientAddresses( addresses );
+
+ // Seal the ticket for the server.
+ KerberosPrincipal serverPrincipal = new KerberosPrincipal( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" );
+ String passPhrase = "randomKey";
+ EncryptionKey serverKey = getEncryptionKey( serverPrincipal, passPhrase );
+ Ticket tgt = getTicket( encTicketPartModifier, serverPrincipal, serverKey );
+
+ RequestBodyModifier modifier = new RequestBodyModifier();
+ modifier.setServerName( getPrincipalName( "ldap/ldap.example.com@EXAMPLE.COM" ) );
+ modifier.setRealm( "EXAMPLE.COM" );
+ modifier.setEType( config.getEncryptionTypes() );
+ modifier.setNonce( random.nextInt() );
+
+ KdcOptions kdcOptions = new KdcOptions();
+ kdcOptions.set( KdcOptions.FORWARDED );
+ modifier.setKdcOptions( kdcOptions );
+
+ long now = System.currentTimeMillis();
+
+ KerberosTime requestedEndTime = new KerberosTime( now + 1 * KerberosTime.DAY );
+ modifier.setTill( requestedEndTime );
+
+ RequestBody requestBody = modifier.getRequestBody();
+ KdcRequest message = getKdcRequest( tgt, requestBody );
+
+ handler.messageReceived( session, message );
+
+ ErrorMessage error = ( ErrorMessage ) session.getMessage();
+ assertEquals( "KDC policy rejects request", 12, error.getErrorCode() );
+ */
+ }
+
+
+ /**
+ * Tests when proxiable tickets are disallowed that requests for
+ * proxiable tickets fail with the correct error message.
+ *
+ * @throws Exception
+ */
+ public void testProxiableTicket() throws Exception
+ {
+ // Deny PROXIABLE tickets in policy.
+ config.setProxiableAllowed( false );
+
+ // Get the mutable ticket part.
+ KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
+ EncTicketPartModifier encTicketPartModifier = getTicketArchetype( clientPrincipal );
+
+ // Make changes to test.
+ encTicketPartModifier.setFlag( TicketFlags.PROXIABLE );
+
+ // Seal the ticket for the server.
+ KerberosPrincipal serverPrincipal = new KerberosPrincipal( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" );
+ String passPhrase = "randomKey";
+ EncryptionKey serverKey = getEncryptionKey( serverPrincipal, passPhrase );
+ Ticket tgt = getTicket( encTicketPartModifier, serverPrincipal, serverKey );
+
+ RequestBodyModifier modifier = new RequestBodyModifier();
+ modifier.setServerName( getPrincipalName( "ldap/ldap.example.com@EXAMPLE.COM" ) );
+ modifier.setRealm( "EXAMPLE.COM" );
+ modifier.setEType( config.getEncryptionTypes() );
+ modifier.setNonce( random.nextInt() );
+
+ KdcOptions kdcOptions = new KdcOptions();
+ kdcOptions.set( KdcOptions.PROXIABLE );
+ modifier.setKdcOptions( kdcOptions );
+
+ long now = System.currentTimeMillis();
+
+ KerberosTime requestedEndTime = new KerberosTime( now + 1 * KerberosTime.DAY );
+ modifier.setTill( requestedEndTime );
+
+ RequestBody requestBody = modifier.getRequestBody();
+ KdcRequest message = getKdcRequest( tgt, requestBody );
+
+ handler.messageReceived( session, message );
+
+ ErrorMessage error = ( ErrorMessage ) session.getMessage();
+ assertEquals( "KDC policy rejects request", 12, error.getErrorCode() );
+ }
+
+
+ /**
+ * Tests when proxiable tickets are disallowed that requests for
+ * proxy tickets fail with the correct error message.
+ *
+ * @throws Exception
+ */
+ public void testProxyTicket() throws Exception
+ {
+ // Deny PROXIABLE tickets in policy.
+ config.setProxiableAllowed( false );
+
+ // Get the mutable ticket part.
+ KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
+ EncTicketPartModifier encTicketPartModifier = getTicketArchetype( clientPrincipal );
+
+ // Make changes to test.
+ encTicketPartModifier.setFlag( TicketFlags.PROXIABLE );
+
+ // Seal the ticket for the server.
+ KerberosPrincipal serverPrincipal = new KerberosPrincipal( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" );
+ String passPhrase = "randomKey";
+ EncryptionKey serverKey = getEncryptionKey( serverPrincipal, passPhrase );
+ Ticket tgt = getTicket( encTicketPartModifier, serverPrincipal, serverKey );
+
+ RequestBodyModifier modifier = new RequestBodyModifier();
+ modifier.setServerName( getPrincipalName( "ldap/ldap.example.com@EXAMPLE.COM" ) );
+ modifier.setRealm( "EXAMPLE.COM" );
+ modifier.setEType( config.getEncryptionTypes() );
+ modifier.setNonce( random.nextInt() );
+
+ KdcOptions kdcOptions = new KdcOptions();
+ kdcOptions.set( KdcOptions.PROXY );
+ modifier.setKdcOptions( kdcOptions );
+
+ long now = System.currentTimeMillis();
+
+ KerberosTime requestedEndTime = new KerberosTime( now + 1 * KerberosTime.DAY );
+ modifier.setTill( requestedEndTime );
+
+ HostAddress[] address =
+ { new HostAddress( InetAddress.getLocalHost() ) };
+ HostAddresses addresses = new HostAddresses( address );
+ modifier.setAddresses( addresses );
+
+ RequestBody requestBody = modifier.getRequestBody();
+ KdcRequest message = getKdcRequest( tgt, requestBody );
+
+ handler.messageReceived( session, message );
+
+ ErrorMessage error = ( ErrorMessage ) session.getMessage();
+ assertEquals( "KDC policy rejects request", 12, error.getErrorCode() );
+ }
+
+
+ /**
+ * Tests when empty addresses are disallowed and proxy tickets are requested
+ * that requests with no addresses fail with the correct error message.
+ *
+ * @throws Exception
+ */
+ public void testProxyNoAddressesTicket() throws Exception
+ {
+ /*
+ * Test case needs further testing to ensure the localhost address is
+ * resolved uniformly on different platforms, or else the test case will fail.
+ */
+ assertTrue( true );
+
+ /*
+ // Deny empty addresses tickets in policy.
+ config.setEmptyAddressesAllowed( false );
+
+ // Get the mutable ticket part.
+ KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
+ EncTicketPartModifier encTicketPartModifier = getTicketArchetype( clientPrincipal );
+
+ // Make changes to test.
+ encTicketPartModifier.setFlag( TicketFlags.PROXIABLE );
+
+ HostAddress[] address =
+ { new HostAddress( InetAddress.getByAddress( new byte[4] ) ) };
+ HostAddresses addresses = new HostAddresses( address );
+ encTicketPartModifier.setClientAddresses( addresses );
+
+ // Seal the ticket for the server.
+ KerberosPrincipal serverPrincipal = new KerberosPrincipal( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" );
+ String passPhrase = "randomKey";
+ EncryptionKey serverKey = getEncryptionKey( serverPrincipal, passPhrase );
+ Ticket tgt = getTicket( encTicketPartModifier, serverPrincipal, serverKey );
+
+ RequestBodyModifier modifier = new RequestBodyModifier();
+ modifier.setServerName( getPrincipalName( "ldap/ldap.example.com@EXAMPLE.COM" ) );
+ modifier.setRealm( "EXAMPLE.COM" );
+ modifier.setEType( config.getEncryptionTypes() );
+ modifier.setNonce( random.nextInt() );
+
+ KdcOptions kdcOptions = new KdcOptions();
+ kdcOptions.set( KdcOptions.PROXY );
+ modifier.setKdcOptions( kdcOptions );
+
+ long now = System.currentTimeMillis();
+
+ KerberosTime requestedEndTime = new KerberosTime( now + 1 * KerberosTime.DAY );
+ modifier.setTill( requestedEndTime );
+
+ RequestBody requestBody = modifier.getRequestBody();
+ KdcRequest message = getKdcRequest( tgt, requestBody );
+
+ handler.messageReceived( session, message );
+
+ ErrorMessage error = ( ErrorMessage ) session.getMessage();
+ assertEquals( "KDC policy rejects request", 12, error.getErrorCode() );
+ */
+ }
+
+
+ /**
+ * Tests when postdated tickets are disallowed that requests for
+ * ALLOW-POSTDATE tickets fail with the correct error message.
+ *
+ * @throws Exception
+ */
+ public void testAllowPostdate() throws Exception
+ {
+ // Deny ALLOW_POSTDATE tickets in policy.
+ config.setPostdateAllowed( false );
+
+ // Get the mutable ticket part.
+ KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
+ EncTicketPartModifier encTicketPartModifier = getTicketArchetype( clientPrincipal );
+
+ // Make changes to test.
+ encTicketPartModifier.setFlag( TicketFlags.MAY_POSTDATE );
+
+ // Seal the ticket for the server.
+ KerberosPrincipal serverPrincipal = new KerberosPrincipal( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" );
+ String passPhrase = "randomKey";
+ EncryptionKey serverKey = getEncryptionKey( serverPrincipal, passPhrase );
+ Ticket tgt = getTicket( encTicketPartModifier, serverPrincipal, serverKey );
+
+ RequestBodyModifier modifier = new RequestBodyModifier();
+ modifier.setServerName( getPrincipalName( "ldap/ldap.example.com@EXAMPLE.COM" ) );
+ modifier.setRealm( "EXAMPLE.COM" );
+ modifier.setEType( config.getEncryptionTypes() );
+ modifier.setNonce( random.nextInt() );
+
+ KdcOptions kdcOptions = new KdcOptions();
+ kdcOptions.set( KdcOptions.ALLOW_POSTDATE );
+ modifier.setKdcOptions( kdcOptions );
+
+ long now = System.currentTimeMillis();
+
+ KerberosTime requestedEndTime = new KerberosTime( now + 1 * KerberosTime.DAY );
+ modifier.setTill( requestedEndTime );
+
+ RequestBody requestBody = modifier.getRequestBody();
+ KdcRequest message = getKdcRequest( tgt, requestBody );
+
+ handler.messageReceived( session, message );
+
+ ErrorMessage error = ( ErrorMessage ) session.getMessage();
+ assertEquals( "KDC policy rejects request", 12, error.getErrorCode() );
+ }
+
+
+ /**
+ * Tests when postdated tickets are disallowed that requests for
+ * postdated tickets fail with the correct error message.
+ *
+ * @throws Exception
+ */
+ public void testPostdated() throws Exception
+ {
+ // Deny POSTDATED tickets in policy.
+ config.setPostdateAllowed( false );
+
+ // Get the mutable ticket part.
+ KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
+ EncTicketPartModifier encTicketPartModifier = getTicketArchetype( clientPrincipal );
+
+ // Make changes to test.
+ encTicketPartModifier.setFlag( TicketFlags.MAY_POSTDATE );
+
+ // Seal the ticket for the server.
+ KerberosPrincipal serverPrincipal = new KerberosPrincipal( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" );
+ String passPhrase = "randomKey";
+ EncryptionKey serverKey = getEncryptionKey( serverPrincipal, passPhrase );
+ Ticket tgt = getTicket( encTicketPartModifier, serverPrincipal, serverKey );
+
+ RequestBodyModifier modifier = new RequestBodyModifier();
+ modifier.setServerName( getPrincipalName( "ldap/ldap.example.com@EXAMPLE.COM" ) );
+ modifier.setRealm( "EXAMPLE.COM" );
+ modifier.setEType( config.getEncryptionTypes() );
+ modifier.setNonce( random.nextInt() );
+
+ KdcOptions kdcOptions = new KdcOptions();
+ kdcOptions.set( KdcOptions.POSTDATED );
+ modifier.setKdcOptions( kdcOptions );
+
+ long now = System.currentTimeMillis();
+
+ KerberosTime requestedEndTime = new KerberosTime( now + 1 * KerberosTime.DAY );
+ modifier.setTill( requestedEndTime );
+
+ RequestBody requestBody = modifier.getRequestBody();
+ KdcRequest message = getKdcRequest( tgt, requestBody );
+
+ handler.messageReceived( session, message );
+
+ ErrorMessage error = ( ErrorMessage ) session.getMessage();
+ assertEquals( "KDC policy rejects request", 12, error.getErrorCode() );
+ }
+
+
+ /**
+ * Tests when postdated tickets are disallowed that requests for
+ * validation of invalid tickets fail with the correct error message.
+ *
+ * @throws Exception
+ */
+ public void testValidateInvalidTicket() throws Exception
+ {
+ // Deny VALIDATE tickets in policy.
+ config.setPostdateAllowed( false );
+
+ // Get the mutable ticket part.
+ KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
+ EncTicketPartModifier encTicketPartModifier = getTicketArchetype( clientPrincipal );
+
+ // Make changes to test.
+ encTicketPartModifier.setFlag( TicketFlags.INVALID );
+
+ // Seal the ticket for the server.
+ KerberosPrincipal serverPrincipal = new KerberosPrincipal( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" );
+ String passPhrase = "randomKey";
+ EncryptionKey serverKey = getEncryptionKey( serverPrincipal, passPhrase );
+ Ticket tgt = getTicket( encTicketPartModifier, serverPrincipal, serverKey );
+
+ RequestBodyModifier modifier = new RequestBodyModifier();
+ modifier.setServerName( getPrincipalName( "hnelson" ) );
+ modifier.setRealm( "EXAMPLE.COM" );
+ modifier.setEType( config.getEncryptionTypes() );
+ modifier.setNonce( random.nextInt() );
+
+ KdcOptions kdcOptions = new KdcOptions();
+ kdcOptions.set( KdcOptions.VALIDATE );
+ modifier.setKdcOptions( kdcOptions );
+
+ long currentTime = System.currentTimeMillis();
+
+ KerberosTime requestedEndTime = new KerberosTime( currentTime + KerberosTime.DAY );
+ modifier.setTill( requestedEndTime );
+
+ RequestBody requestBody = modifier.getRequestBody();
+
+ KdcRequest message = getKdcRequest( tgt, requestBody );
+
+ handler.messageReceived( session, message );
+
+ ErrorMessage error = ( ErrorMessage ) session.getMessage();
+ assertEquals( "KDC policy rejects request", 12, error.getErrorCode() );
+ }
+
+
+ /**
+ * Tests when renewable tickets are disallowed that requests for
+ * renewal of tickets fail with the correct error message.
+ *
+ * @throws Exception
+ */
+ public void testRenewTicket() throws Exception
+ {
+ // Deny RENEWABLE tickets in policy.
+ config.setRenewableAllowed( false );
+
+ KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
+ KerberosPrincipal serverPrincipal = new KerberosPrincipal( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" );
+ String serverPassword = "randomKey";
+
+ Ticket tgt = getTgt( clientPrincipal, serverPrincipal, serverPassword );
+
+ RequestBodyModifier modifier = new RequestBodyModifier();
+ modifier.setServerName( getPrincipalName( "hnelson" ) );
+ modifier.setRealm( "EXAMPLE.COM" );
+ modifier.setEType( config.getEncryptionTypes() );
+ modifier.setNonce( random.nextInt() );
+
+ KdcOptions kdcOptions = new KdcOptions();
+ kdcOptions.set( KdcOptions.RENEW );
+ modifier.setKdcOptions( kdcOptions );
+
+ long currentTime = System.currentTimeMillis();
+
+ KerberosTime requestedEndTime = new KerberosTime( currentTime + KerberosTime.DAY );
+ modifier.setTill( requestedEndTime );
+
+ RequestBody requestBody = modifier.getRequestBody();
+
+ KdcRequest message = getKdcRequest( tgt, requestBody );
+
+ handler.messageReceived( session, message );
+
+ ErrorMessage error = ( ErrorMessage ) session.getMessage();
+ assertEquals( "KDC policy rejects request", 12, error.getErrorCode() );
+ }
+
+
+ /**
+ * Tests when renewable tickets are disallowed that requests for
+ * RENEWABLE-OK tickets fail with the correct error message.
+ *
+ * @throws Exception
+ */
+ public void testRenewableOk() throws Exception
+ {
+ // Deny RENEWABLE tickets in policy.
+ config.setRenewableAllowed( false );
+
+ // Get the mutable ticket part.
+ KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
+ EncTicketPartModifier encTicketPartModifier = getTicketArchetype( clientPrincipal );
+
+ // Make changes to test.
+ encTicketPartModifier.setFlag( TicketFlags.RENEWABLE );
+
+ // Seal the ticket for the server.
+ KerberosPrincipal serverPrincipal = new KerberosPrincipal( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" );
+ String passPhrase = "randomKey";
+ EncryptionKey serverKey = getEncryptionKey( serverPrincipal, passPhrase );
+ Ticket tgt = getTicket( encTicketPartModifier, serverPrincipal, serverKey );
+
+ RequestBodyModifier modifier = new RequestBodyModifier();
+ modifier.setServerName( getPrincipalName( "ldap/ldap.example.com@EXAMPLE.COM" ) );
+ modifier.setRealm( "EXAMPLE.COM" );
+ modifier.setEType( config.getEncryptionTypes() );
+ modifier.setNonce( random.nextInt() );
+
+ KdcOptions kdcOptions = new KdcOptions();
+ kdcOptions.set( KdcOptions.RENEWABLE_OK );
+ modifier.setKdcOptions( kdcOptions );
+
+ long now = System.currentTimeMillis();
+
+ KerberosTime requestedEndTime = new KerberosTime( now + KerberosTime.WEEK );
+ modifier.setTill( requestedEndTime );
+
+ RequestBody requestBody = modifier.getRequestBody();
+ KdcRequest message = getKdcRequest( tgt, requestBody );
+
+ handler.messageReceived( session, message );
+
+ ErrorMessage error = ( ErrorMessage ) session.getMessage();
+ assertEquals( "KDC policy rejects request", 12, error.getErrorCode() );
+ }
+
+
+ /**
+ * Tests when renewable tickets are disallowed that requests for
+ * renewable tickets fail with the correct error message.
+ *
+ * @throws Exception
+ */
+ public void testRenewableTicket() throws Exception
+ {
+ // Deny RENEWABLE tickets in policy.
+ config.setRenewableAllowed( false );
+
+ // Get the mutable ticket part.
+ KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
+ EncTicketPartModifier encTicketPartModifier = getTicketArchetype( clientPrincipal );
+
+ // Make changes to test.
+ encTicketPartModifier.setFlag( TicketFlags.RENEWABLE );
+
+ // Seal the ticket for the server.
+ KerberosPrincipal serverPrincipal = new KerberosPrincipal( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" );
+ String passPhrase = "randomKey";
+ EncryptionKey serverKey = getEncryptionKey( serverPrincipal, passPhrase );
+ Ticket tgt = getTicket( encTicketPartModifier, serverPrincipal, serverKey );
+
+ RequestBodyModifier modifier = new RequestBodyModifier();
+ modifier.setServerName( getPrincipalName( "ldap/ldap.example.com@EXAMPLE.COM" ) );
+ modifier.setRealm( "EXAMPLE.COM" );
+ modifier.setEType( config.getEncryptionTypes() );
+ modifier.setNonce( random.nextInt() );
+
+ KdcOptions kdcOptions = new KdcOptions();
+ kdcOptions.set( KdcOptions.RENEWABLE );
+ modifier.setKdcOptions( kdcOptions );
+
+ long now = System.currentTimeMillis();
+
+ KerberosTime requestedEndTime = new KerberosTime( now + 1 * KerberosTime.DAY );
+ modifier.setTill( requestedEndTime );
+
+ KerberosTime requestedRenewTillTime = new KerberosTime( now + KerberosTime.WEEK / 2 );
+ modifier.setRtime( requestedRenewTillTime );
+
+ RequestBody requestBody = modifier.getRequestBody();
+ KdcRequest message = getKdcRequest( tgt, requestBody );
+
+ handler.messageReceived( session, message );
+
+ ErrorMessage error = ( ErrorMessage ) session.getMessage();
+ assertEquals( "KDC policy rejects request", 12, error.getErrorCode() );
+ }
+}
Propchange: directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/TicketGrantingPolicyTest.java
------------------------------------------------------------------------------
svn:eol-style = native