Posted to commits@directory.apache.org by co...@apache.org on 2017/07/24 11:26:59 UTC
directory-kerby git commit: Adding GSS JAAS integration tests
Repository: directory-kerby
Updated Branches:
refs/heads/trunk 025cd534d -> 7a33acebb
Adding GSS JAAS integration tests
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/7a33aceb
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/7a33aceb
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/7a33aceb
Branch: refs/heads/trunk
Commit: 7a33acebb97b9676ce4b284a2ea3f6004a4317ca
Parents: 025cd53
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Mon Jul 24 12:26:46 2017 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Mon Jul 24 12:26:46 2017 +0100
----------------------------------------------------------------------
.../integration/test/gss/GssJAASAppClient.java | 127 +++++++++++++++++++
.../kerberos/kerb/integration/test/AppTest.java | 17 +--
.../kerb/integration/test/GssAppTest.java | 44 +++++--
.../kerb/integration/test/KerbyGssAppTest.java | 6 +
.../test/NamePasswordCallbackHandler.java | 52 ++++++++
.../kerb/integration/test/SaslAppTest.java | 21 ++-
.../src/test/resources/kerberos.jaas | 3 +
7 files changed, 240 insertions(+), 30 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/7a33aceb/kerby-kerb/integration-test/src/main/java/org/apache/kerby/kerberos/kerb/integration/test/gss/GssJAASAppClient.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/integration-test/src/main/java/org/apache/kerby/kerberos/kerb/integration/test/gss/GssJAASAppClient.java b/kerby-kerb/integration-test/src/main/java/org/apache/kerby/kerberos/kerb/integration/test/gss/GssJAASAppClient.java
new file mode 100644
index 0000000..3296408
--- /dev/null
+++ b/kerby-kerb/integration-test/src/main/java/org/apache/kerby/kerberos/kerb/integration/test/gss/GssJAASAppClient.java
@@ -0,0 +1,127 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.integration.test.gss;
+
+import org.apache.kerby.kerberos.kerb.integration.test.AppClient;
+import org.apache.kerby.kerberos.kerb.integration.test.Transport;
+import org.ietf.jgss.GSSContext;
+import org.ietf.jgss.GSSException;
+import org.ietf.jgss.GSSManager;
+import org.ietf.jgss.GSSName;
+import org.ietf.jgss.MessageProp;
+import org.ietf.jgss.Oid;
+
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.security.PrivilegedExceptionAction;
+
+import javax.security.auth.Subject;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.login.LoginContext;
+
+/**
+ * A variant of GssAppClient that uses JAAS to get a tgt.
+ */
+public class GssJAASAppClient extends AppClient {
+ private String serverPrincipal;
+ private GSSManager manager;
+ private String contextName;
+ private CallbackHandler callbackHandler;
+
+ public GssJAASAppClient(String[] args, CallbackHandler callbackHandler) throws Exception {
+ super(args);
+
+ serverPrincipal = args[2];
+ contextName = args[3];
+ this.callbackHandler = callbackHandler;
+ this.manager = GSSManager.getInstance();
+ }
+
+ @Override
+ protected void withConnection(final Transport.Connection conn) throws Exception {
+ Oid krb5Oid = new Oid("1.2.840.113554.1.2.2");
+
+ GSSName serverName = manager.createName(serverPrincipal, GSSName.NT_USER_NAME);
+
+ LoginContext lc = new LoginContext(contextName, null, callbackHandler, null);
+ lc.login();
+ Subject subject = lc.getSubject();
+
+ GSSContext context = manager.createContext(serverName,
+ krb5Oid, null, GSSContext.DEFAULT_LIFETIME);
+ context.requestMutualAuth(true);
+ context.requestConf(true);
+ context.requestInteg(true);
+
+ byte[] token = (byte[]) Subject.doAs(subject, new CreateServiceTicketAction(context, conn));
+
+ //System.out.println("Context Established! ");
+ //System.out.println("Client is " + context.getSrcName());
+ //System.out.println("Server is " + context.getTargName());
+
+ //if (context.getMutualAuthState()) {
+ //System.out.println("Mutual authentication took place!");
+ //}
+
+ byte[] messageBytes = "Hello There!\0".getBytes(StandardCharsets.UTF_8);
+ MessageProp prop = new MessageProp(0, true);
+ token = context.wrap(messageBytes, 0, messageBytes.length, prop);
+ //System.out.println("Will send wrap token of size " + token.length);
+ conn.sendToken(token);
+
+ token = conn.recvToken();
+ context.verifyMIC(token, 0, token.length,
+ messageBytes, 0, messageBytes.length, prop);
+ setTestOK(true);
+
+ //System.out.println("Verified received MIC for message.");
+ context.dispose();
+ lc.logout();
+ }
+
+ private static final class CreateServiceTicketAction implements PrivilegedExceptionAction<byte[]> {
+ private final GSSContext context;
+ private Transport.Connection conn;
+
+ private CreateServiceTicketAction(GSSContext context, final Transport.Connection conn) {
+ this.context = context;
+ this.conn = conn;
+ }
+
+ public byte[] run() throws GSSException {
+ byte[] token = new byte[0];
+ while (!context.isEstablished()) {
+ token = context.initSecContext(token, 0, token.length);
+ try {
+ if (token != null) {
+ conn.sendToken(token);
+ }
+ if (!context.isEstablished()) {
+ token = conn.recvToken();
+ }
+ } catch (IOException ex) {
+ throw new GSSException(GSSException.FAILURE);
+ }
+ }
+
+ return token;
+ }
+ }
+}
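Review bot: withConnection() requests mutual authentication, confidentiality and integrity but never confirms they were granted before calling `setTestOK(true)`; the only check on the negotiated state is commented out. These calls are requests, so after the `Subject.doAs` call the test should fail when the state is missing, e.g. `if (!context.getMutualAuthState() || !context.getConfState()) { throw new GSSException(GSSException.FAILURE); }`, and likewise when `prop.getPrivacy()` is false after `wrap()`. `context.dispose()` and `lc.logout()` run only on the success path, so a failure in `wrap`, `recvToken` or `verifyMIC` leaves the logged-in Subject's credentials in place; a try/finally around the body after `lc.login()` would cover that. In `CreateServiceTicketAction.run()` the caught IOException is dropped; attach it with `initCause(ex)` on the new GSSException before throwing.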
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/7a33aceb/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/AppTest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/AppTest.java b/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/AppTest.java
index 9c7abc4..82186b9 100644
--- a/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/AppTest.java
+++ b/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/AppTest.java
@@ -6,16 +6,16 @@
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
- *
+ *
* http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
- * under the License.
- *
+ * under the License.
+ *
*/
package org.apache.kerby.kerberos.kerb.integration.test;
@@ -33,7 +33,6 @@ import java.security.PrivilegedAction;
public abstract class AppTest extends LoginTestBase {
private static final Logger LOG = LoggerFactory.getLogger(AppTest.class);
private int serverPort;
- protected AppClient appClient;
protected AppServer appServer;
@Before
@@ -58,7 +57,7 @@ public abstract class AppTest extends LoginTestBase {
try {
appServer = createAppServer();
appServer.start();
- } catch (Exception ex) {
+ } catch (Exception ex) {
LOG.error(ex.toString());
}
@@ -69,15 +68,14 @@ public abstract class AppTest extends LoginTestBase {
protected abstract AppServer createAppServer() throws Exception;
- protected void runAppClient() throws Exception {
+ protected void runAppClient(final AppClient appClient) throws Exception {
Subject subject = loginClientUsingTicketCache();
Subject.doAs(subject, new PrivilegedAction<Object>() {
@Override
public Object run() {
try {
- appClient = createAppClient();
appClient.run();
- } catch (Exception ex) {
+ } catch (Exception ex) {
LOG.error(ex.toString());
}
return null;
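Review bot: `runAppClient(appClient)` still calls `loginClientUsingTicketCache()` and runs every client inside the outer `Subject.doAs`, including the new GssJAASAppClient, which performs its own JAAS password login. testJAAS therefore also depends on the ticket-cache login succeeding, and the outer Subject appears to go unused on that path, so it is unclear which credentials the test exercises. A comment on the method such as `// the ticket-cache Subject is not used by clients that perform their own JAAS login` would help, or the JAAS case could run without the outer doAs. The catch block here, like the one around `appServer.start()` in the previous hunk, logs only `ex.toString()`; `LOG.error("App client failed", ex);` keeps the stack trace of a login or GSS failure. The method body continues outside this hunk.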
@@ -88,5 +86,4 @@ public abstract class AppTest extends LoginTestBase {
appClient.isTestOK());
}
- protected abstract AppClient createAppClient() throws Exception;
}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/7a33aceb/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/GssAppTest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/GssAppTest.java b/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/GssAppTest.java
index 0a045eb..1bcce92 100644
--- a/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/GssAppTest.java
+++ b/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/GssAppTest.java
@@ -6,21 +6,24 @@
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
- *
+ *
* http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
- * under the License.
- *
+ * under the License.
+ *
*/
package org.apache.kerby.kerberos.kerb.integration.test;
+import java.io.File;
+
import org.apache.kerby.kerberos.kerb.integration.test.gss.GssAppClient;
import org.apache.kerby.kerberos.kerb.integration.test.gss.GssAppServer;
+import org.apache.kerby.kerberos.kerb.integration.test.gss.GssJAASAppClient;
import org.junit.Test;
public class GssAppTest extends AppTest {
@@ -33,8 +36,27 @@ public class GssAppTest extends AppTest {
});
}
- @Override
- protected AppClient createAppClient() throws Exception {
+ @Test
+ public void test() throws Exception {
+ runAppClient(createAppClient());
+ }
+
+ @Test
+ public void testJAAS() throws Exception {
+ String basedir = System.getProperty("basedir");
+ if (basedir == null) {
+ basedir = new File(".").getCanonicalPath();
+ }
+
+ try {
+ System.setProperty("java.security.auth.login.config", basedir + "/target/test-classes/kerberos.jaas");
+ runAppClient(createAppJAASClient());
+ } finally {
+ System.clearProperty("java.security.auth.login.config");
+ }
+ }
+
+ private AppClient createAppClient() throws Exception {
return new GssAppClient(new String[] {
getHostname(),
String.valueOf(getServerPort()),
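Review bot: testJAAS() clears `java.security.auth.login.config` in its finally block instead of restoring the value the property had before the test, so a value set by the build or by another test in the same JVM is lost. Saving the previous value and putting it back keeps the test from leaking state. The JVM may also have cached a JAAS Configuration loaded earlier, in which case setting the property has no effect until the configuration is refreshed; this is worth confirming if the test runs after others in the same fork.

```java
// … unchanged: basedir lookup …
final String loginConfigKey = "java.security.auth.login.config";
final String previousLoginConfig = System.getProperty(loginConfigKey);
try {
    System.setProperty(loginConfigKey, basedir + "/target/test-classes/kerberos.jaas");
    runAppClient(createAppJAASClient());
} finally {
    if (previousLoginConfig == null) {
        System.clearProperty(loginConfigKey);
    } else {
        System.setProperty(loginConfigKey, previousLoginConfig);
    }
}
```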
@@ -43,8 +65,12 @@ public class GssAppTest extends AppTest {
});
}
- @Test
- public void test() throws Exception {
- runAppClient();
+ private AppClient createAppJAASClient() throws Exception {
+ return new GssJAASAppClient(new String[] {
+ getHostname(),
+ String.valueOf(getServerPort()),
+ getServerPrincipal(),
+ "drankye"
+ }, new NamePasswordCallbackHandler(super.getClientPrincipalName(), super.getClientPassword()));
}
}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/7a33aceb/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/KerbyGssAppTest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/KerbyGssAppTest.java b/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/KerbyGssAppTest.java
index fbb3f3f..ef5be9f 100644
--- a/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/KerbyGssAppTest.java
+++ b/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/KerbyGssAppTest.java
@@ -39,4 +39,10 @@ public class KerbyGssAppTest extends GssAppTest {
public void test() throws Exception {
super.test();
}
+
+ @Test
+ @org.junit.Ignore
+ public void testJAAS() throws Exception {
+ super.testJAAS();
+ }
}
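Review bot: The new testJAAS() override is disabled with a bare `@org.junit.Ignore`, so nothing records why the JAAS login path is skipped in KerbyGssAppTest or what has to change before it can be enabled. Give the annotation a reason, e.g. `@org.junit.Ignore("<reason or issue id>")`, so the gap in coverage stays visible in test reports. Importing `org.junit.Ignore` rather than using the fully qualified name would match the existing `@Test` usage.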
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/7a33aceb/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/NamePasswordCallbackHandler.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/NamePasswordCallbackHandler.java b/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/NamePasswordCallbackHandler.java
new file mode 100644
index 0000000..5643ada
--- /dev/null
+++ b/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/NamePasswordCallbackHandler.java
@@ -0,0 +1,52 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.integration.test;
+
+import java.io.IOException;
+
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.NameCallback;
+import javax.security.auth.callback.PasswordCallback;
+import javax.security.auth.callback.UnsupportedCallbackException;
+
+public class NamePasswordCallbackHandler implements CallbackHandler {
+
+ private String username;
+ private String password;
+
+ public NamePasswordCallbackHandler(String username, String password) {
+ this.username = username;
+ this.password = password;
+ }
+
+ @Override
+ public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
+ for (Callback callback : callbacks) {
+ if (callback instanceof NameCallback) {
+ ((NameCallback) callback).setName(username);
+ } else if (callback instanceof PasswordCallback) {
+ ((PasswordCallback) callback).setPassword(password.toCharArray());
+ }
+ }
+
+ }
+
+}
\ No newline at end of file
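Review bot: handle() silently skips any callback that is not a NameCallback or PasswordCallback, although it declares UnsupportedCallbackException; a login module asking for anything else would carry on without the input it requested. Add a final branch `else { throw new UnsupportedCallbackException(callback); }`. `password.toCharArray()` also throws a NullPointerException when the handler is constructed with a null password, so the constructor should reject null or the branch should guard against it. Both fields can be `final`, and the class has no Javadoc saying it is meant for tests with fixed credentials only.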
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/7a33aceb/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/SaslAppTest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/SaslAppTest.java b/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/SaslAppTest.java
index e7e6dba..b85ea36 100644
--- a/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/SaslAppTest.java
+++ b/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/SaslAppTest.java
@@ -6,16 +6,16 @@
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
- *
+ *
* http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
- * under the License.
- *
+ * under the License.
+ *
*/
package org.apache.kerby.kerberos.kerb.integration.test;
@@ -34,8 +34,12 @@ public class SaslAppTest extends AppTest {
});
}
- @Override
- protected AppClient createAppClient() throws Exception {
+ @Test
+ public void test() throws Exception {
+ runAppClient(createAppClient());
+ }
+
+ private AppClient createAppClient() throws Exception {
return new SaslAppClient(new String[] {
getHostname(),
String.valueOf(getServerPort()),
@@ -43,9 +47,4 @@ public class SaslAppTest extends AppTest {
getHostname()
});
}
-
- @Test
- public void test() throws Exception {
- runAppClient();
- }
}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/7a33aceb/kerby-kerb/integration-test/src/test/resources/kerberos.jaas
----------------------------------------------------------------------
diff --git a/kerby-kerb/integration-test/src/test/resources/kerberos.jaas b/kerby-kerb/integration-test/src/test/resources/kerberos.jaas
new file mode 100644
index 0000000..f20f65f
--- /dev/null
+++ b/kerby-kerb/integration-test/src/test/resources/kerberos.jaas
@@ -0,0 +1,3 @@
+drankye {
+ com.sun.security.auth.module.Krb5LoginModule required refreshKrb5Config=true useKeyTab=false principal="drankye";
+};
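Review bot: The entry hard-codes `principal="drankye"`, while GssAppTest supplies getClientPrincipalName() through NamePasswordCallbackHandler. With the `principal` option set, Krb5LoginModule is expected to use the configured value and not prompt for a name, so the callback's username likely goes unused and the two values can drift apart unnoticed. Either drop the `principal` option so the callback provides the name, or add a comment in the file such as `// entry name and principal must match the client principal used by GssAppTest`. The principal carries no realm, so the login relies on the default realm of the test's krb5 configuration.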